Does Dev’Sec’Ops Really Exist? Alex Manly

Upload: continohq

Post on 09-Jan-2017


TRANSCRIPT

Page 1: Does DevSecOps really exist?

Does Dev’Sec’Ops Really Exist?

Alex Manly

Page 2: Does DevSecOps really exist?

Who am I?

Alex Manly, Principal DevOps Consultant, Contino (UK)
@[email protected]

Page 3: Does DevSecOps really exist?

Compliance Report - Verizon

Out of 10,000 companies that were surveyed, 1 in 5 were non-compliant with regulation.

Challenge: the ability to keep up with a moving target. Requirements change by an average of 18% over a year.

Non-compliant breached companies:
45% - patch management and development security
72% - log management and monitoring
73% - firewall configuration

Challenge: the ability to continuously monitor their environments for changes.

Page 4: Does DevSecOps really exist?

[Chart: "Cloud Computing Pain Points". Q. What are your top cloud computing-related pain points? Select up to three. n=163. Source: 451 Research, Cloud Computing - Wave 7 (© 2014 451 Research, LLC, www.451research.com). Bar chart with response shares ranging from 2% to 31%. Categories shown: Business Continuity/Disaster Recovery, Interoperability, Lack of Provider Competence, Perception and Internal Resistance, Storage, Data Movement, Governance, Capacity Planning/Management, Legacy Applications, Technology Immaturity, Complexity, Limited Transparency and Management, Service-level Management, Lack of Standards, Network, Service Reliability/Availability, Contractual/Legal Issues, Organizational Challenges, Vendor/Provider Issues, Lack of Internal Process, Management, Internal Resources/Expertise, Migration/Integration, Compliance, Security of Data / Control of Data Locality / Sovereignty, Human Change Management, Pricing/Budget/Cost, Security. Other pain points mentioned: Automated Provisioning, Automation, Billing/Chargeback/Show-back, Ease of Transfer Between Private and Public Cloud, Integration of Private and Public Cloud, Lack of Control, Lack of Flexibility, Licensing, Orchestration, Performance, Platform/Provider Selection, Support, Time to Deployment.]

Cloud Pain Points

Page 5: Does DevSecOps really exist?

Shared Security Model

Page 6: Does DevSecOps really exist?

Compliance Drag

Emerging technologies changing all the time

Lack of resources

Access to data and systems

Scale of the problem

Moving target: regulation frequently changes

Reactive rather than proactive

Drag on velocity

Page 7: Does DevSecOps really exist?

“The problem for the security person who is used to turning around security reviews in a month or two weeks is they're just being shoved out of the game. There's no way with how Infosec is currently configured that they can keep up with that. So, Infosec gets all the complaints about being marginalized and getting in the way of doing what needs getting done.”

Gene Kim, former CTO of Tripwire, author of “The Phoenix Project: A Novel About IT, DevOps & Helping Your Business Win”

InfoSec Ends Up Being Marginalised

Page 8: Does DevSecOps really exist?

“If you think compliance is expensive, try non-compliance.”

Former US Deputy Attorney General, Paul McNulty

Page 9: Does DevSecOps really exist?

High Velocity IT

Page 10: Does DevSecOps really exist?

Infrastructure on Demand

Page 11: Does DevSecOps really exist?

DevOps

DevOps is a primary movement in the growing trend to industrialize IT service development and production.

IDC expects DevOps strategies will increasingly dominate enterprise and service provider strategies.

By 2016, DevOps will be employed by 25% of Global 2000 organizations.

DevOps technologies will achieve revenue of $4B by 2018.

Page 12: Does DevSecOps really exist?

Configuration Management

Automate at Scale

Desired State Configuration

Infrastructure as Code

Efficient & Repeatable

Cattle not Pets

Page 13: Does DevSecOps really exist?

Automation and Convergent Infrastructure

Mark Burgess, creator of CFEngine, author of “In Search of Certainty”

“A system’s desired configuration state can be said to be defined by fixed points. Most configuration management systems (e.g.: CFEngine, Chef, Puppet, PowerShell DSC) are based on this idea: they provide means to declare what must happen instead of requiring imperative workflows that prescribe what we do.”
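To make the fixed-point idea in the quote concrete, here is a minimal convergent desired-state engine written in plain Ruby as an added example for this transcript. It is not CFEngine, Chef, Puppet or DSC code; the "host" is an in-memory Hash standing in for a real machine, and the file paths, service names and desired values are constructed for the example. The point it shows is that a declarative run repairs only what differs, and a second run over the same host makes no changes at all: the desired state is a fixed point of the converge function.

```ruby
# Added example (not from the slides): a tiny convergent "desired state" engine.
# The host model below is a simulated machine; paths, services and values are constructed.

# Desired state: what must be true, not the steps to get there.
DESIRED_STATE = {
  files: {
    '/etc/ssh/sshd_config' => { mode: '0600', content: "PasswordAuthentication no\n" },
    '/etc/motd'            => { mode: '0644', content: "Authorised access only\n" },
  },
  services: {
    'sshd'   => :running,
    'telnet' => :stopped,
  },
}.freeze

# Constructed starting point for the simulated host, drifted from the desired state:
# sshd_config is world-readable and allows passwords, /etc/motd is missing, telnet runs.
def drifted_host
  {
    files: {
      '/etc/ssh/sshd_config' => { mode: '0644', content: "PasswordAuthentication yes\n" },
    },
    services: { 'sshd' => :running, 'telnet' => :running },
  }
end

# Converge one file resource: compare actual to desired and repair only the
# attributes that differ. Returns a list describing the changes made.
def converge_file(host, path, want)
  actual = (host[:files][path] ||= {})
  changes = []
  %i[mode content].each do |attr|
    next if actual[attr] == want[attr]
    changes << "file[#{path}] #{attr}: #{actual[attr].inspect} -> #{want[attr].inspect}"
    actual[attr] = want[attr]
  end
  changes
end

# Converge one service resource to the desired running/stopped state.
def converge_service(host, name, want)
  actual = host[:services][name]
  return [] if actual == want
  host[:services][name] = want
  ["service[#{name}] #{actual.inspect} -> #{want.inspect}"]
end

# One convergence run over every declared resource. The run is idempotent:
# applied to a host already at the desired state it yields no changes.
def converge(host, desired = DESIRED_STATE)
  changes = []
  desired[:files].each    { |path, want| changes.concat(converge_file(host, path, want)) }
  desired[:services].each { |name, want| changes.concat(converge_service(host, name, want)) }
  changes
end

if $PROGRAM_NAME == __FILE__
  host = drifted_host
  puts 'First run:'
  converge(host).each { |c| puts "  #{c}" }
  puts "Second run: #{converge(host).size} changes (fixed point reached)"
end
```

The first run reports five repairs (two attributes of sshd_config, two of the missing motd, and the telnet service); the second reports none. That "no changes on re-run" property is what lets a real configuration management tool run continuously and double as a drift detector: any non-empty change list on a converged host is a deviation worth auditing.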

Page 14: Does DevSecOps really exist?

Driving Towards Immutable Infrastructures

“This is what I call disposable computing. Throw away a broken process rather than try to fix it. Machines can be made expendable as long as the total software is designed for it. Not much of it is today, but we’re getting there. Nature shows that this is a good way of scaling services.”

Mark Burgess, creator of CFEngine, author of “In Search of Certainty”

Page 15: Does DevSecOps really exist?

• Programmatically provision and configure components

• Treat it like any other code base

• Reconstruct the business from the code repository, data backup, and compute resources

Infrastructure as Code

Page 16: Does DevSecOps really exist?

Security & Compliance Implications

Page 17: Does DevSecOps really exist?

Automate all the things…

Page 18: Does DevSecOps really exist?

Architecture

Conway’s Law: it’s the law

Monoliths, SOA, Microservices

Design for:

Deployability

Testability

Operability

Changeability: evolve your architecture

Cloud

Page 19: Does DevSecOps really exist?

• Security as Code - Software-defined Security

• Embed security tests into the pipeline

• Test security early

Dev’Sec’Ops

Page 20: Does DevSecOps really exist?

Shift Security Left

Page 21: Does DevSecOps really exist?

Continuous Security

Security Posture

End-to-end Visibility

Continuous Detection/Prevention

Automated Configuration and Scaling

Remediation & Fast Resolution

Disaster Recovery and Business Continuity

Audit & Compliance

Page 22: Does DevSecOps really exist?

Build secure base images that are representative of your infrastructure system base.

Design the filesystem layout to separate code from data, and lock it down to the minimum required permissions. This should expand to the network as well.

Leverage SANS Checklist and CIS Benchmark resources for system-level security best practices and guidance.

Leverage configuration management tools to standardize all software versions and configurations.

Design Secure Immutable Infrastructure

Prevent Attacks with Immutable

Page 23: Does DevSecOps really exist?

Manage Vulnerabilities with Base Images

Manage Vulnerabilities
• Conduct normal vulnerability scanning
• Identify vulnerabilities that exist in base images versus application-specific packages
• Remediate at the appropriate level as part of the Continuous Delivery process
• Start with a hardened “secure by default” base

Results
• Less work, done more reliably
• Patching fits naturally into Phoenix Upgrades
• Continuous Delivery allows frequent scanning in test environments to have real value
• Fixes potential vulnerabilities systematically

Page 24: Does DevSecOps really exist?

Embrace Phoenix Upgrades
• Stand up new instances, don’t upgrade
• Route traffic between old and new instances
• Rich service metrics and automated rollback
• Advanced routing can enable selective rollout

Results
• Creates evergreen systems, avoiding configuration drift and technical debt
• Enforces refresh of all system components as a complete artifact, tested as a holistic system
• Greatly reduces security risks when combined with immutable instances and configuration management

Adopt Phoenix Upgrade Strategy

Page 25: Does DevSecOps really exist?

This example will identify any code that tries to mount disk volumes. If such code is identified, it will be audited, and the workflow can then control the action taken on this deviation from standards.

Example - Static Code Analysis
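The slide's own static-analysis example is not reproduced in the transcript, so here is an added illustration of the same pattern written for this page in plain Ruby: scan source for code that mounts disk volumes, record a finding for each occurrence, and hand the findings to a workflow step that decides what to do. The recipe text, the cookbook file names and the two patterns (a Chef-style `mount` resource, and a shell command string invoking mount) are constructed for the example; this is not Contino's or Chef's tooling.

```ruby
# Added example (not the slide's tooling): flag code that mounts disk volumes.
# The recipes below are constructed sample input; the file paths are placeholders.
RECIPES = {
  'cookbooks/app/recipes/default.rb' => <<~RUBY,
    package 'nginx'

    mount '/mnt/data' do
      device '/dev/xvdf'
      fstype 'ext4'
      action [:mount, :enable]
    end

    service 'nginx' do
      action [:enable, :start]
    end
  RUBY
  'cookbooks/app/recipes/scratch.rb' => <<~RUBY,
    execute 'mount scratch volume' do
      command 'mount -t ext4 /dev/xvdg /scratch'
    end

    bash 'remount' do
      code 'mount -o remount,rw /'
    end
  RUBY
  'cookbooks/app/recipes/clean.rb' => <<~RUBY,
    # This recipe mentions mounting only in a comment.
    directory '/var/app' do
      mode '0750'
    end
  RUBY
}.freeze

# The two ways a recipe can mount a volume: the declarative mount resource,
# or a command/code string that calls mount(8) from a shell.
MOUNT_RESOURCE = /\A\s*mount\s+['"]([^'"]+)['"]/
MOUNT_COMMAND  = /\A\s*(?:command|code)\s+['"](?:[^'"]*\W)?mount\b/

# Scan one source file and return a finding hash per offending line.
def scan_source(path, source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next if line.strip.start_with?('#') # comments are not code
    if (m = MOUNT_RESOURCE.match(line))
      findings << { file: path, line: lineno, kind: :mount_resource, target: m[1] }
    elsif MOUNT_COMMAND.match?(line)
      findings << { file: path, line: lineno, kind: :mount_command, target: line.strip }
    end
  end
  findings
end

# Scan every recipe in the constructed repository.
def scan_all(recipes = RECIPES)
  recipes.flat_map { |path, src| scan_source(path, src) }
end

# Workflow hook: every finding is written to the audit trail. Whether a finding
# blocks the pipeline or merely raises a ticket is a policy decision taken here,
# outside the scanner itself, which is the separation the slide describes.
def audit_report(findings)
  findings.map { |f| "AUDIT #{f[:file]}:#{f[:line]} #{f[:kind]} #{f[:target]}" }
end

if $PROGRAM_NAME == __FILE__
  puts audit_report(scan_all)
end
```

Running it reports the `mount` resource in default.rb and the two shell invocations in scratch.rb, and nothing for clean.rb, whose only mention of mounting is a comment. Keeping the scanner's output as structured findings, rather than a pass/fail exit code, is what lets the downstream workflow treat a mount of a data volume differently from a remount of the root filesystem.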

Page 26: Does DevSecOps really exist?

Example - PCI Compliance

PCI 2.3 - Encrypt all non-console administrative access such as browser/Web-based management tools.

Rule:

rules 'PCI 2.3 - Confirm telnet port not available'
  rule on run_control
  when
    name = 'should be listening'
    resource_type = 'port'
    resource_name = '23'
    status != 'success'
  then
    audit:error("PCI 2.3 - Encrypt all non-console administrative access such as browser/Web-based management tools.")
    notify("[email protected]", "A machine is listening for connections on port 23/telnet!")
  end
end

Control:

controls 'port compliance' do
  control port(23) do
    # Telnet is cleartext; PCI 2.3 requires that nothing answers on 23/tcp.
    it "has nothing listening" do
      expect(port(23)).to_not be_listening
    end
  end
end

Page 27: Does DevSecOps really exist?

Example - SOX Compliance

SOX Section 302.4.B - Establish verifiable controls to track data access.

Rule:

rules 'force key based auth'
  rule on run_control
  when
    name = 'is disabled'
    resource_type = 'File'
    resource_name = '/etc/ssh/sshd_config'
    status = 'failed'
  then
    audit:error("SOX Section 302.4.B - Establish verifiable controls to track data access.")
    notify('[email protected]', "A machine has password login enabled!")
  end
end

Control:

controls 'password authentication' do
  control file('/etc/ssh/sshd_config') do
    it "is disabled" do
      # Match on the file's content; sshd keywords are case-insensitive, hence /i.
      expect(file('/etc/ssh/sshd_config').content).to_not match(/^\s*PasswordAuthentication\s+yes/i)
    end
  end
end

Page 28: Does DevSecOps really exist?

We Can Help

Page 29: Does DevSecOps really exist?

We help our clients adopt a modern composable stack of technologies

Microservices

Configuration Management & Infrastructure Automation

Container Technology

Cloud Infrastructure

We are Docker Premier Partners

Page 30: Does DevSecOps really exist?

Contino helps to transform the software development factory

Organisations have to modernise their ways of working, their infrastructure and their application delivery pipelines to prevent industry disruption and move to a faster and leaner IT model.

OLD WORLD
ARCHITECTURE: Complex interconnected legacy systems
DELIVERY MODEL: Big, risky, infrequent, heavyweight software releases
ORGANISATIONAL STRUCTURE: Siloed organisational structures
INFRASTRUCTURE: Traditional physical or virtualised infrastructure provisioned by IT operations
PRIORITIES: Efficient, predictable, risk-averse IT engine

NEW WORLD
ARCHITECTURE: Loosely coupled microservice architectures
DELIVERY MODEL: Continual stream of change through continuous delivery
ORGANISATIONAL STRUCTURE: Cross-functional empowered teams
INFRASTRUCTURE: Cloud-based infrastructure provisioned by development teams
PRIORITIES: Fast, agile and innovative IT engine

Page 31: Does DevSecOps really exist?

One of the UK’s Top 3 Largest Retail Banks
Adopting Docker container technology
Rationalising the development toolchain
Introducing more automation into the delivery pipeline
Advising on strategy for global transformation

One of the UK’s Top 3 Largest Retailers
Implementing public cloud
Configuration managing on-demand environments
Infrastructure as Code definition
Upskilling & training the global engineering workforce

One of the UK’s Top 3 Largest Telecoms Providers
Integrating a cloud broker across private and public cloud
Configuration managing on-demand environments
Improving the Continuous Delivery pipeline and improving rigour of the software development lifecycle

Organisations across industries need to transform their software delivery engines. We are working with many of the largest enterprise brands across verticals.

Contino helps to transform the software development factory

Page 32: Does DevSecOps really exist?

How we drive transformation and cultural change

Cultural change emerges from many small steps. We help to deliver on key ways of working and technology modernisation initiatives, whilst also helping to create a thriving and more vibrant technology culture as a key deliverable.

Process: Key IT Processes, KPIs, Agile & Lean

People: Organisational Design, Skills, Incentives

Technology: Infrastructure, Architecture, Application Delivery

Page 33: Does DevSecOps really exist?

Who we work with

Page 34: Does DevSecOps really exist?

Thanks!

www.contino.io

[email protected]