SECURING THE CONTAINER DEVOPS PIPELINE
By WILLIAM HENRY
Join the conversation #devseccon
WHY DO WE NEED THE TERM DEVSECOPS?
● DevOps “purists” point out that security was always part of DevOps.
● Did people just not read the book? Are practitioners skipping security?
● DevSecOps practitioners say it’s about how to better integrate or automate security.
○ Incorporating security at scale
○ Making security infrastructure more adaptive and programmable
○ Think of it as Continuous Security
WHY HAS DEVSECOPS BECOME SO IMPORTANT?
“... we estimate that fewer than 20% of enterprise security architects have engaged with their DevOps initiatives to actively and systematically incorporate information security into their DevOps initiatives; and fewer still have achieved the high degrees of security automation required to qualify as DevSecOps.”
“By 2019, more than 70% of enterprise DevOps initiatives will have incorporated automated security vulnerability and configuration scanning for open source components and commercial packages, up from less than 10% in 2016.”
DevSecOps: How to Seamlessly Integrate Security Into DevOps, Gartner Inc., September 2016
DEVELOPING AND DEPLOYING CODE TODAY
[Diagram: the DevOps lifecycle runs on top of cloud-based services (SaaS/app, PaaS, IaaS), all consumed through APIs, and feeds a CI/CD process.]
Modern architectures are API driven: DevOps + API.
DEVOPS BASED CI/CD PROCESS
[Diagram: a project repo and an asset repo feed a pipeline of Build → Test → Review/Approve → Deliver → Deploy, with monitoring and 3rd-party inputs alongside.]
AUTOMATE ACROSS ENVIRONMENTS
[Diagram: the CI/CD pipeline pulls from the source repo, pushes to an artifact repository, and promotes the same artifact through Dev/Build → QA → Production (in OHC).]
WHAT ARE CONTAINERS?
It depends on who you ask...
INFRASTRUCTURE view:
● Sandboxed application processes on a shared Linux OS kernel
● Simpler, lighter, and denser than virtual machines
● Portable across different environments
APPLICATIONS view:
● Package my application and all of its dependencies
● Deploy to any environment in seconds and enable CI/CD
● Easily access and share containerized components
SECURING CONTAINERS: LAYERS AND LIFECYCLE
1. Container Host & Multi-tenancy
2. Container Content
3. Container Registries
4. Building Containers
5. Deploying Containers
6. Container Platform
7. Network Isolation
8. Storage
9. API Management
10. Federated Clusters
CONTAINER HOST & MULTI-TENANCY
Minimized host environment tuned for running Linux containers while maintaining the built-in security features of Red Hat Enterprise Linux.
A stable, reliable host environment with built-in security features that allow you to isolate containers from other containers and from the kernel.
● SELinux (mandatory access control between containers and the host)
● Kernel namespaces (what a containerized process can see)
● Cgroups (what it can consume)
● Seccomp (which system calls it may make)
THE FOUNDATION FOR SECURE, SCALABLE CONTAINERS
CONTAINER CONTENT: WHAT IS INSIDE?
● What’s inside the containers matters.
● Are there known vulnerabilities in the application layer?
● Are the runtime and OS layers up to date?
[Diagram: a container image is layered as OS → runtime → application.]
REGISTRIES: WHERE DO YOUR CONTAINERS COME FROM?
● Policies to control who can deploy which containers
● Certification Catalog
● Trusted content with security updates
[Diagram: two hosts, each running a container whose image (OS → runtime → app) sits on top of the host OS.]
Public and private registries
● What security meta-data is available for your images?
● Are the images in the registry updated regularly?
● Are there access controls on the registry? How strong are they?
MANAGING CONTAINER BUILDS
Security & continuous integration
● Layered packaging model supports separation of concerns
● Integrate security testing into your build / CI process
● Use automated policies to flag builds with issues
● Trigger automated rebuilds
[Diagram: layered image in which operations, architects and application developers each own a layer.]
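The build-side slides above (scan the image layers, flag builds with issues by policy, trigger rebuilds) as a concrete CI gate. This is an added example, not code from the talk or from any Red Hat tooling: it reads scanner findings for one image, splits them by layer (OS / runtime / application), fails the build on findings at or above a severity threshold, and tells the build system which layers a rebuild on fixed packages would clear. The scanner JSON shape, the image name and the finding identifiers are constructed placeholders (not real CVE numbers); real scanners each have their own schema.

```python
"""Build-time security gate over container image scan results (added example)."""
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample: what a scanner might report for one image, tagged per
# image layer so the OS/runtime base can be told apart from the application
# layer.  Identifiers and package names are placeholders, not real CVEs.
SAMPLE_SCAN = json.dumps({
    "image": "registry.example.com/team/app:1.4.2",
    "findings": [
        {"id": "EXAMPLE-0001", "package": "libssl", "layer": "os",
         "severity": "high", "fixed_version": "1.1.1-7"},
        {"id": "EXAMPLE-0002", "package": "json-lib", "layer": "application",
         "severity": "critical", "fixed_version": "3.4.0"},
        {"id": "EXAMPLE-0003", "package": "runtime-core", "layer": "runtime",
         "severity": "medium", "fixed_version": None},
        {"id": "EXAMPLE-0004", "package": "zlib", "layer": "os",
         "severity": "low", "fixed_version": "1.2.13-1"},
    ],
})


def evaluate_scan(scan_json, fail_at="high"):
    """Return (passed, report).  Policy applied:
      * a finding at or above `fail_at` with a fix available fails the build and
        goes under 'rebuild' (rebuilding on the fixed base/dependency clears it);
      * a finding at or above `fail_at` with no fix yet goes under 'blocked' and
        needs an explicit exception or mitigation decision;
      * anything below the threshold is only a 'warn' entry.
    """
    scan = json.loads(scan_json)
    threshold = SEVERITY_RANK[fail_at]
    report = {"image": scan["image"], "rebuild": [], "blocked": [], "warn": []}
    for f in scan["findings"]:
        rank = SEVERITY_RANK.get(f["severity"].lower(), 0)
        entry = f"{f['id']} {f['package']} ({f['layer']}, {f['severity']})"
        if rank >= threshold:
            if f.get("fixed_version"):
                report["rebuild"].append(entry + f" -> upgrade to {f['fixed_version']}")
            else:
                report["blocked"].append(entry + " -> no fix available")
        else:
            report["warn"].append(entry)
    passed = not report["rebuild"] and not report["blocked"]
    return passed, report


def layers_needing_rebuild(scan_json, fail_at="high"):
    """Layers that carry a fixable, build-failing finding.  A build system can
    use this to kick off a base-image rebuild (os/runtime) or an application
    rebuild, rather than rebuilding everything."""
    scan = json.loads(scan_json)
    threshold = SEVERITY_RANK[fail_at]
    return sorted({f["layer"] for f in scan["findings"]
                   if SEVERITY_RANK.get(f["severity"].lower(), 0) >= threshold
                   and f.get("fixed_version")})


if __name__ == "__main__":
    ok, rep = evaluate_scan(SAMPLE_SCAN)
    print("PASS" if ok else "FAIL", json.dumps(rep, indent=2))
    print("layers to rebuild:", layers_needing_rebuild(SAMPLE_SCAN))
    raise SystemExit(0 if ok else 1)
```

The exit status is what makes this a gate: a CI runner treats the non-zero exit as a failed stage, and the 'rebuild' versus 'blocked' split is the difference between an automatic rebuild and a human decision.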
MANAGING CONTAINER DEPLOYMENT
[Diagram: Code → Build → Deploy]
Security & continuous deployment
● Monitor image registry to automatically replace affected images
● Use policies to gate what can be deployed: e.g. if a container requires root access, prevent deployment
CONTAINER ORCHESTRATION: AUTHENTICATION & AUTHORISATION
Use a container orchestration platform with integrated security features including
● Role-based Access Controls with LDAP and OAuth integration
● Integrated Registry
● Integrated CI/CD with configurable policies
● Integrated host OS with embedded security features
● Network management
● Storage plug-ins
● API management
NETWORK DEFENCE
Use network namespaces to
● Isolate applications from other applications within a cluster
● Isolate environments (Dev / Test / Prod) from other environments within a cluster
SECURE ATTACHED STORAGE
Secure storage by using
● SELinux access controls
● Secure mounts
● Supplemental group IDs for shared storage
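The registry slide (who may deploy which containers, trusted content), the deployment slide (gate what can be deployed, e.g. refuse containers that require root) and the storage slide (secure mounts, supplemental group IDs for shared storage) all describe one control point: a policy check on the pod spec before it is scheduled. Below is an added, admission-style example of that check; it is not code from the talk or from OpenShift/Kubernetes. Field names follow the Kubernetes Pod API; the allowed-registry list and the two sample pods are constructed for illustration.

```python
"""Admission-style deployment gate for pod specs (added example, not from the talk)."""

# Assumed list of registries the platform trusts (constructed).
ALLOWED_REGISTRIES = ("registry.example.com/",)


def _container_violations(c, pod_sc):
    """Per-container checks, honouring pod-level securityContext defaults."""
    sc = c.get("securityContext") or {}
    name = c.get("name", "<unnamed>")
    out = []
    if sc.get("privileged"):
        out.append(f"{name}: privileged container")
    # Container-level settings override the pod-level securityContext.
    run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
    run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    if run_as_user == 0 or (run_as_user is None and not run_as_non_root):
        out.append(f"{name}: requires or may run as root "
                   "(set runAsNonRoot: true or a non-zero runAsUser)")
    if sc.get("allowPrivilegeEscalation", True):
        out.append(f"{name}: allowPrivilegeEscalation is not disabled")
    for cap in (sc.get("capabilities") or {}).get("add", []):
        out.append(f"{name}: adds Linux capability {cap}")
    image = c.get("image", "")
    if not image.startswith(ALLOWED_REGISTRIES):
        out.append(f"{name}: image {image!r} is not from an allowed registry")
    if "@sha256:" not in image:
        out.append(f"{name}: image {image!r} is not pinned by digest")
    return out


def check_pod(pod):
    """Return the list of violations; an empty list means the pod may be deployed."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    out = []
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            out.append(f"pod: shares the host {ns} namespace")
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            out.append(f"pod: hostPath volume {vol['name']!r} exposes the host filesystem")
        # Shared (PVC-backed) storage must be accessed through a group the pod
        # declares, so the files are not owned by an arbitrary per-container UID.
        if "persistentVolumeClaim" in vol and not (
                pod_sc.get("fsGroup") or pod_sc.get("supplementalGroups")):
            out.append(f"pod: shared volume {vol['name']!r} has no fsGroup/supplementalGroups")
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        out.extend(_container_violations(c, pod_sc))
    return out


# Constructed sample pods: one that should be refused, one that passes.
RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "risky"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "app", "image": "docker.io/library/nginx:latest",
            "securityContext": {"privileged": True, "runAsUser": 0,
                                "capabilities": {"add": ["SYS_ADMIN"]}},
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1001, "fsGroup": 2000},
        "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "app-data"}}],
        "containers": [{
            "name": "app",
            "image": "registry.example.com/team/app@sha256:" + "a" * 64,
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        problems = check_pod(pod)
        print(pod["metadata"]["name"], "->", "ADMIT" if not problems else "DENY")
        for p in problems:
            print("  ", p)
```

Digest pinning is what ties the deployment gate back to the registry: a tag like `latest` can be re-pointed at any content, whereas a digest names exactly the image the scanner and the registry policy approved.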
API MANAGEMENT
Container platform & application APIs
● Service based
● Public versus private
● Authentication and authorization
● LDAP integration
● End-point access controls
● Rate limiting
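The API management bullets above in working form: an added example (not from the talk or from any API-management product) of a small gateway policy that classifies endpoints as public or private, enforces role-based end-point access control for private ones, and applies a per-client token-bucket rate limit. The endpoint table, roles, client identifiers and request trace are constructed; identity and roles are assumed to have been established upstream (e.g. by an OAuth/LDAP-backed authenticator) and are passed in.

```python
"""Gateway policy: endpoint visibility, role-based access and rate limiting (added example)."""

# Constructed endpoint table: path prefix -> (visibility, roles allowed to call it).
ENDPOINTS = {
    "/api/v1/status": ("public", frozenset()),
    "/api/v1/orders": ("private", frozenset({"user", "admin"})),
    "/api/v1/admin":  ("private", frozenset({"admin"})),
}


class TokenBucket:
    """Classic token bucket: refills `rate` tokens per second up to `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Gateway:
    def __init__(self, endpoints=ENDPOINTS, rate=1.0, burst=3):
        self.endpoints = endpoints
        self.rate, self.burst = rate, burst
        self.buckets = {}   # one bucket per client (authenticated subject or source address)

    def _lookup(self, path):
        for prefix, policy in self.endpoints.items():
            if path == prefix or path.startswith(prefix + "/"):
                return policy
        return None

    def decide(self, client, roles, path, now):
        """Return (status, reason) for one request; statuses mimic HTTP codes."""
        # Throttle first, so that a flood of bad credentials or probing for
        # unknown paths is limited as well as legitimate traffic.
        bucket = self.buckets.setdefault(client, TokenBucket(self.rate, self.burst))
        if not bucket.allow(now):
            return 429, "rate limit exceeded"
        policy = self._lookup(path)
        if policy is None:
            return 404, "unknown endpoint"
        visibility, allowed = policy
        if visibility == "private":
            if not roles:
                return 401, "authentication required"
            if not (set(roles) & allowed):
                return 403, "role not permitted for this endpoint"
        return 200, "ok"


# Constructed request trace: (client, roles from the authenticator, path, time in seconds).
REQUEST_TRACE = [
    ("anon-10.0.0.5", [], "/api/v1/status", 0.0),
    ("anon-10.0.0.5", [], "/api/v1/orders", 0.1),
    ("alice", ["user"], "/api/v1/orders/42", 0.2),
    ("alice", ["user"], "/api/v1/admin/users", 0.3),
    ("bob", ["admin"], "/api/v1/admin/users", 0.4),
    ("bob", ["admin"], "/api/v1/admin/users", 0.5),
    ("bob", ["admin"], "/api/v1/admin/users", 0.6),
    ("bob", ["admin"], "/api/v1/admin/users", 0.7),   # burst of 3 exhausted
    ("bob", ["admin"], "/api/v1/admin/users", 2.0),   # bucket refilled
    ("alice", ["user"], "/api/v2/nope", 2.1),
]


def run_trace(trace=REQUEST_TRACE):
    """Replay the trace through one gateway and return the status per request."""
    gw = Gateway()
    return [gw.decide(client, roles, path, t)[0] for client, roles, path, t in trace]


if __name__ == "__main__":
    for req, status in zip(REQUEST_TRACE, run_trace()):
        print(status, req[0], req[2])
```

Keying the bucket on the authenticated subject rather than only on the source address is what stops one tenant behind a shared egress address from exhausting another's budget; unauthenticated callers fall back to the address.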
FEDERATED CLUSTERS: ROLES & ACCESS CONTROLS
Securing federated clusters across data centers or environments
● Authentication and authorization
● API endpoints
● Secrets
● Namespaces
BRING IT ALL TOGETHER
[Diagram: the reference stack, top to bottom:
● Containers for business automation, integration, data & storage, web & mobile
● Application lifecycle management (CI/CD): build automation, deployment automation
● Service catalog (language runtimes, middleware, databases) with self-service
● Infrastructure automation: networking, storage, registry, logs & metrics, security
● Container orchestration & cluster management
● Container runtime & packaging (OCI/Docker)
● Enterprise container host: RH Enterprise Linux / Atomic Host
● Running on physical, virtual, private cloud or public cloud infrastructure]