securing devops
SecDevOps: securing DevOps
Area41, 10.6.2016, Zürich
Aarno Aukia, VSHN AG - The DevOps Company
10.6.2016 VSHN AG | http://vshn.ch 2
About me
● MSc Computer Science ETH
● Security Operations @ Google
● Co-Founder & CTO @ Atrila (Security Operations)
● Co-Founder & CTO @ VSHN (DevOps)
● Spare Time: Event Networks/WiFi at Area41
● @aarnoaukia
● http://about.me/aarno
Agenda
● DevOps ?
● Where is the security ?
● Customer example 1
● Customer example 2
● Discussion
DevOps?
● Collaboration: Development (Dev) and Operations (Ops)
● Bring agile software engineering methods to operations
– Automation: infrastructure as code, versioning/rollback
– Testing: continuous integration/testing/deployment
● Bring operations engineering experience to developers
– Scalability: independent microservices
– Production insight: monitoring/logging/metrics
● Together: make the application's owner happier
Dev + Ops collaboration
● Bring together Developers & Operations
● Practice agile Operations Engineering
● Counter fear of change with (automated) testing
● Provide developer and development infrastructure
– Tools for developers, preferably self-served
Infrastructure as code
● Change from hand-groomed servers to Operations Engineering (from pets to cattle)
● Speed & reliability
● Versioning & rollback
● Prerequisite for self-service
– Give each developer a full stack
– No manual changes in production
– As many testing instances as needed
Infrastructure tools
● Packaging code & dependencies for atomic deployment/rollback
– Deb/rpm, Docker
● Infrastructure state management (configuration mgmt)
– Puppet, Salt, Chef, Ansible
● Continuous Integration/Testing/Deployment
– Jenkins/TravisCI/GitlabCI/Atlassian Bamboo
● Self-Service
– Vagrant/Docker or through Continuous Deployment
Infrastructure testing
● Bring software engineering best practice to operations
● Large complex infrastructure (as code) → many moving parts
– Unit testing each module (webserver setup, database setup, cache setup, etc)
– Functional end-to-end testing of full stack (request to cache delivers content from database)
● Basically the same thing as production service monitoring but for each change
Infrastructure feedback
● Collect all logs in ELK (Elasticsearch, Logstash & Kibana)
– Let the developers search for prod error root cause
– No sudo/root access to production needed
– Added value: merged & indexed
● Collect Server & Application Metrics
– Correlate with deployments & site traffic
Software Delivery Automation
Where is the security ?
Developers
● Duh!
● Education, education, education
● Concept/architecture/code audits
● Use proven libraries
● ...
Configuration management
● Declare target state
● Enforce state every x minutes, e.g. 15 min
● Establish baseline system security
– Services enabled/disabled
– System (admin) users, groups, keys, hashes, sudoers
– AAA (AD/LDAP) for 'normal users'
– Host firewall (e.g. iptables)
– Installed software
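The two bullets above (declare a target state, then enforce it on a schedule) describe desired-state reconciliation, which is what a Puppet/Salt/Chef/Ansible run does every 15 minutes. The following is an added example, not VSHN's Puppet code: a small reconciler in Python that compares a declared security baseline (services, admin and forbidden users, packages, sudoers rules) with an observed host state and emits only the actions needed to converge. The observed state is constructed inline rather than read from a real host, and the action names and the `Baseline`/`HostState` types are the example's own.

```python
"""Minimal desired-state reconciler in the spirit of a scheduled Puppet/Salt run.
Added example, not configuration-management code from the talk; the host state
below is constructed, not read from a real machine."""
from dataclasses import dataclass


@dataclass
class Baseline:
    services: dict          # name -> "enabled" | "disabled"
    admin_users: set        # system admin accounts that must exist
    forbidden_users: set    # accounts that must not exist
    packages: dict          # name -> "present" | "absent"
    sudoers: set            # sudoers rules that must be present, verbatim


@dataclass
class HostState:
    services: dict          # name -> "enabled" | "disabled" (missing = unknown)
    users: set
    packages: set
    sudoers: set


def plan(baseline, host):
    """Return the (action, target) pairs needed to converge the host.
    An empty plan means the host already matches the baseline."""
    actions = []
    for svc, wanted in baseline.services.items():
        if host.services.get(svc) != wanted:
            actions.append((f"service_{wanted}", svc))   # service_enabled / service_disabled
    for user in sorted(baseline.admin_users - host.users):
        actions.append(("user_create", user))
    for user in sorted(baseline.forbidden_users & host.users):
        actions.append(("user_remove", user))
    for pkg, wanted in baseline.packages.items():
        installed = pkg in host.packages
        if wanted == "present" and not installed:
            actions.append(("package_install", pkg))
        elif wanted == "absent" and installed:
            actions.append(("package_remove", pkg))
    for rule in sorted(baseline.sudoers - host.sudoers):
        actions.append(("sudoers_add", rule))
    return actions


def apply(host, actions):
    """Apply the plan to the in-memory host model. On a real host each branch
    would shell out to systemctl/useradd/apt/visudo; here it just mutates state."""
    for action, target in actions:
        if action == "service_enabled":
            host.services[target] = "enabled"
        elif action == "service_disabled":
            host.services[target] = "disabled"
        elif action == "user_create":
            host.users.add(target)
        elif action == "user_remove":
            host.users.discard(target)
        elif action == "package_install":
            host.packages.add(target)
        elif action == "package_remove":
            host.packages.discard(target)
        elif action == "sudoers_add":
            host.sudoers.add(target)
    return host


# Hypothetical baseline: the kind of "baseline system security" the slide lists.
BASELINE = Baseline(
    services={"sshd": "enabled", "telnet": "disabled", "iptables": "enabled"},
    admin_users={"ops-alice", "ops-bob"},
    forbidden_users={"guest"},
    packages={"auditd": "present", "telnetd": "absent"},
    sudoers={"%ops ALL=(ALL) NOPASSWD: /usr/bin/systemctl"},
)


def drifted_host():
    """Constructed observed state with several deviations from the baseline."""
    return HostState(
        services={"sshd": "enabled", "telnet": "enabled"},
        users={"ops-alice", "guest", "www-data"},
        packages={"telnetd", "nginx"},
        sudoers=set(),
    )


def converge(host, baseline=BASELINE):
    """One scheduled run: plan, apply, then re-plan to prove the run is idempotent."""
    first = plan(baseline, host)
    apply(host, first)
    second = plan(baseline, host)
    return first, second


if __name__ == "__main__":
    first, second = converge(drifted_host())
    for action, target in first:
        print(f"{action:18} {target}")
    print("drift after run:", second)
```

The second plan being empty is the property that makes a 15-minute enforcement loop safe: a run on an already-compliant host changes nothing, and any manual change in production shows up as a non-empty plan on the next run, which is also a useful thing to alert on.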
Logging
● Audit logging (who changed what when)
● Application/request log
● As WORM as feasible for the customer
– Generally read-only for 'normal users'
– Restricted admin access
● ELK-Stack
– Transport, parsing, ingest: Logstash
– Storage & Indexing: Elasticsearch
– Querying & Dashboard: Kibana
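"As WORM as feasible" usually ends at file permissions and restricted admin access; the following added example (not part of the talk or of VSHN's ELK setup) shows one cheap way to make an audit log tamper-evident on top of that: every "who changed what when" record carries the SHA-256 of the previous record, so editing or deleting an entry after the fact breaks the chain and is detected by a verifier. The `AuditLog` class and the in-memory list standing in for an append-only file or Elasticsearch index are assumptions of the example.

```python
"""Hash-chained audit log: tamper-evident 'who changed what when' records.
Added example, not VSHN code; storage is an in-memory list standing in for an
append-only file or an Elasticsearch index."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # previous-hash value for the very first record


def _digest(prev_hash, record):
    # Canonical JSON (sorted keys, no whitespace) so the same record always hashes the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def append(self, who, what, where, when=None):
        """Record who changed what on which host; returns the new entry's hash."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"who": who, "what": what, "where": where, "when": when}
        entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return the index of the first broken link, or None if the chain is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or _digest(prev, entry["record"]) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None


def demo():
    """Constructed entries; returns (result before tampering, result after tampering)."""
    log = AuditLog()
    log.append("ops-alice", "puppet run: disabled telnet", "web01", "2016-06-10T09:00:00+00:00")
    log.append("ci-bot", "deploy release 1.4.2", "web01", "2016-06-10T09:05:00+00:00")
    log.append("ops-bob", "sudo visudo", "web01", "2016-06-10T09:10:00+00:00")
    intact = log.verify()
    # An admin with write access rewrites history: the second record now blames someone else.
    log.entries[1]["record"]["who"] = "ops-alice"
    tampered = log.verify()
    return intact, tampered


if __name__ == "__main__":
    print("before/after tampering:", demo())
```

Verification only proves that the stored copy is consistent with itself, so the latest hash should periodically be copied somewhere the log writers cannot reach (the monitoring system, a ticket, or the dedicated backup target from the next slide); a chain that was rewritten end-to-end still verifies, but it will no longer match that external anchor.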
Service Monitoring
● Layer 7: HTTP, SMTP, etc
● Layer 6: SSL, certificates, protocols, ciphers, etc
● System parameters
● Updates
● Backup
● Tool: Icinga2
Backup
● As WORM as feasible
– Restricted admin access, no access for customer staff
– Only new data can be pushed
● Servers are enrolled automatically by configuration management
– Enforcing the backup target will not be in the same location/infrastructure
● Data encrypted at source server using multiple keys
● Control connections use SSL/TLS
● Continuously monitored, regularly restore-tested
Version Management
● Everything is in version management = Git
– Customer code
– Configuration management code & config
● Changes/commits feed into audit log
● Shared or dedicated service
– Shared: github.com, bitbucket.com, gitlab.com
– Dedicated: Atlassian Bitbucket, Gitlab
● AAA through AD/LDAP
● Since all Devs have offline copies: no credentials in code!
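"No credentials in code" is a rule that needs a check behind it, because every developer clone and every CI artifact is a copy of whatever got committed. The following is an added example, not a VSHN tool: a pre-commit style scanner in Python that walks the added lines of a unified diff and reports hard-coded secrets, using a few illustrative patterns plus a Shannon-entropy check for long random-looking strings, while letting values read from the environment (the 12-factor way shown later in the deck) pass. The sample diff, the key `AKIAEXAMPLEKEY123456` and the other values are constructed for the example; the pattern list is a starting point, not a complete rule set.

```python
"""Pre-commit secret scanner over the added lines of a unified diff.
Added example, not VSHN code; patterns are illustrative and the diff is constructed."""
import math
import re
from collections import Counter

# Illustrative patterns; real rule sets are much longer.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key)\s*[:=]\s*['\"]?([^\s'\"]{6,})"),
}
# A captured "value" containing one of these is a reference, not a literal secret.
ENV_REFS = ("${", "{{", "os.environ", "ENV[", "getenv")
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")   # candidates for the entropy check


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(token, threshold=4.0):
    """Long strings with near-uniform character distribution are probably keys/tokens."""
    return len(token) >= 20 and shannon_entropy(token) >= threshold


def scan_added_lines(diff_text):
    """Return (path, line_number_in_new_file, rule) for each suspicious added line."""
    findings = []
    path, lineno = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        hunk = re.match(r"^@@ -\d+(?:,\d+)? \+(\d+)", raw)
        if hunk:
            lineno = int(hunk.group(1)) - 1
            continue
        if raw.startswith("-") or raw.startswith("\\"):
            continue                      # removed lines and "\ No newline" markers
        lineno += 1                       # context and added lines both advance the new file
        if not raw.startswith("+"):
            continue
        line = raw[1:]
        for name, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            if any(ref in value for ref in ENV_REFS):
                continue                  # read from the environment: allowed
            findings.append((path, lineno, name))
            break
        else:
            for token in TOKEN.findall(line):
                if looks_random(token):
                    findings.append((path, lineno, "high_entropy_string"))
                    break
    return findings


# Constructed diff: one env-var reference is replaced by literals of varying kinds.
SAMPLE_DIFF = "\n".join([
    "diff --git a/config/settings.py b/config/settings.py",
    "--- a/config/settings.py",
    "+++ b/config/settings.py",
    "@@ -1,3 +1,7 @@",
    " import os",
    " ",
    '-DB_PASSWORD = os.environ["DB_PASSWORD"]',
    '+DB_PASSWORD = "S3cretPr0dPassw0rd!"',
    '+SMTP_PASSWORD = os.environ["SMTP_PASSWORD"]',
    '+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY123456"',
    '+API_TOKEN = os.environ["API_TOKEN"]',
    '+SESSION_SALT = "Zq7pL2mX9vK4nR8sT1wB6yH3cF5dG0jN"',
])


if __name__ == "__main__":
    for path, lineno, rule in scan_added_lines(SAMPLE_DIFF):
        print(f"{path}:{lineno}: {rule}")
```

Wired into a Git pre-commit hook (`git diff --cached` as input) this stops the secret before it reaches the shared repository; running the same scanner server-side in CI catches commits made with hooks disabled, but by then the secret is already in history and has to be rotated, not just removed.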
Continuous integration
● Trigger Build/Package/Test/Deploy on each commit
– Targets configurable per repository, branch, tag
– Manual 'promote' e.g. of production release
– Feed into audit log
– Store completed build/package artifacts: Artifactory, (private) Docker registry, Deb/RPM repository
● Feed back status to Git-GUI, dashboard, monitoring
● AAA through AD/LDAP
Automated testing
● All code is tested automatically
– Customer code
– Config management code & parameters
● Testing depth depends on customer...
– Syntax, coding style (lint), static code analysis
– Unit tests: 'Does this module do what it is supposed to do?'
– Functional tests: 'Does the application behave correctly end-to-end?'
● Detect changes in nikto/sqlmap output?
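The last bullet asks whether scanner output can be treated like any other test: run the same nikto/sqlmap job on each build and fail the pipeline when the result changes. The difficulty is that raw reports differ on every run (timestamps, durations), so a byte-for-byte comparison is useless. The following is an added example, not a VSHN tool: it normalizes volatile fields, keeps only finding lines, and diffs the set against the baseline stored with the last accepted build, reporting both new findings (gate failure) and fixed ones (baseline should be updated). The report text is constructed and only loosely modelled on nikto's plain-text output; the `+`/`-` line prefixes and the regexes are assumptions of the example.

```python
"""Regression gate on security-scanner output: normalize, then diff against a baseline.
Added example, not VSHN code; the reports below are constructed sample text."""
import re

# Fields that legitimately change between runs and must not count as findings.
VOLATILE = [
    (re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"), "<TIME>"),
    (re.compile(r"\b\d+(\.\d+)? seconds?\b"), "<DURATION>"),
]


def normalize(report):
    """Keep only finding lines (prefixed '+'), with volatile fields masked."""
    lines = set()
    for line in report.splitlines():
        line = line.strip()
        if not line.startswith("+"):
            continue
        for pat, repl in VOLATILE:
            line = pat.sub(repl, line)
        lines.add(line)
    return lines


def compare(baseline_report, new_report):
    """Return findings that appeared since the baseline and findings that disappeared."""
    base, new = normalize(baseline_report), normalize(new_report)
    return {"new": sorted(new - base), "fixed": sorted(base - new)}


def gate_passes(baseline_report, new_report):
    """The CI step: fail on any new finding; fixed findings are reported but do not fail."""
    return not compare(baseline_report, new_report)["new"]


# Constructed baseline, stored with the last accepted build.
BASELINE_REPORT = """\
- Scanner started against staging
+ Start Time: 2016-06-01 02:00:00
+ Target: https://staging.example.test
+ Server: nginx
+ The anti-clickjacking X-Frame-Options header is not present.
+ Scan finished in 93.2 seconds
"""

# Constructed report from the current build: one finding fixed, one new.
NEW_REPORT = """\
- Scanner started against staging
+ Start Time: 2016-06-10 02:00:00
+ Target: https://staging.example.test
+ Server: nginx
+ Scan finished in 101 seconds
+ /backup/: Directory indexing found.
"""


if __name__ == "__main__":
    result = compare(BASELINE_REPORT, NEW_REPORT)
    print("new findings:  ", result["new"])
    print("fixed findings:", result["fixed"])
    print("gate passes:   ", gate_passes(BASELINE_REPORT, NEW_REPORT))
```

The baseline belongs in the repository next to the test code so that accepting a finding (or recording a fix) is itself a reviewed commit that ends up in the audit log, in line with the version-management slide.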
Databases & Backends
● Growing list of 'standard software' needed as backends for customer applications
– MySQL/MariaDB/Galera/MaxScale, PostgreSQL, Redis, MongoDB, RabbitMQ, Memcached, Solr, Elasticsearch, NFS/DRBD, Ceph
● All services automatically deployed by configuration management
● Provide each service with sane config, clustering, credential management, firewall config, backup config, monitoring config
Web & Application Servers
● Growing list of application servers
– PHP, Python, Ruby, Java/Tomcat, Java/Wildfly, Java/Play, Coldfusion, Docker
● Provide each service with sane config, firewall config, backup config, monitoring config
● Provide backend credentials through environment variables
– http://12factor.net
● Other standard components:
– Apache, Nginx, Varnish, mod_security, HAproxy, OpenVPN, iptables, pacemaker, keepalived
Customer case 1
● Server stack (Puppet)
– Nginx, Varnish
– PHP versions 5.6 and 7
– MySQL/MariaDB-Galera-Cluster
– Memcached/Redis/Solr/Elasticsearch
● Application Deployment/update (Ansible/SSH)
● Bundle know-how (settings, tunings, etc.) in common module, override if necessary per customer through YAML-File in Git-Repository
● Docker image for local testing/developing
Case 1
Customer case 2
● OpenShift: PaaS (Platform as a Service)
● Docker, Kubernetes (Google), OpenShift (Red Hat)
● 100% open source, enterprise support available
● Swiss public PaaS: appuio.ch
● EU/US public: AWS
● Dedicated/private available worldwide
– AWS
– Enterprise on-premises
OpenShift
About VSHN
● Swiss DevOps & Ops Company, 17 people in Zürich
● Building the tools and workflows for self-service
● Managing web applications in any cloud
– We are cloud-agnostic: we run on AWS, MSA, GCE, DO, Hetzner, OVH, SafeSwissCloud, Cloudscale, Exoscale and on any on-premises Enterprise private cloud
● We work for Amazee Labs, Liip, Mercedes Benz Switzerland, Migros, SaltCinema, SIX Group, Sherpany, Sobrado, Starticket, Suisa, Taskfleet, zurichopenair.ch, etc.
● How can we help YOU?
Thanks
● Questions?
● We're hiring System and Software Engineers @vshn_ch !
● Get in touch with @aarnoaukia, @tobruzh or @vshnemanuel