Why Security needs to be at the DevOps Table
Chris Perkins, Sr. Principal Security Technologist, Medtronic, PLC
Cyber Security Summit
Evolution of Compute and Development Methodologies
• Both processes evolved over time, with a similar pathway
• Technology advances helped drive speed in both arenas
• Pivotal concepts also helped “break norms”
In the beginning..
• Each application was “racked and stacked”
• Each box housed a dedicated database, dedicated service
  • Web Services
  • Email
  • Authentication
Waterfall
• Introduced the Theory of Constraints (TOC) concept
• Process of Ongoing Improvement
• Critical Chain Project Management (CCPM)
• First published in 1984
Then came Virtualization
• The process of creating logical computing resources from available physical resources
• Layer of abstraction between workloads and the underlying physical hardware via Hypervisor
• Allowed for many-to-one; physical server usage optimized
Agile
Containers continued the concepts
http://www.theplatform.net/[date]/hpc-schedulers-snap-to-docker/
The Phoenix Project
3 Ways of DevOps
Strategies for Improving Operations
Container Threat Modeling
Spoofing
● Authentication Attacks against Host
● Docker Daemon Direct Access
● Trojanized Docker Images
● Exposure of Private Docker Registry
● ARP Spoofing
● Docker Registry Certificate Spoofing
● Insecure Docker API configuration
Tampering
● Trojanized Docker Image
● Docker Daemon Direct Access
● Docker Daemon Configuration Attacks
● Docker Registry Certificate Spoofing
● Content Trust
● Host File System Integrity Breaches
● Docker Daemon Tampering Host Network Configurations
Repudiation
● No Audit / Delete Audit Docker Images
● Docker Daemon API Logs - Compromise
● Host File System Integrity Breaches
Information Disclosure
● Secrets being disclosed to outside entities
● Exposed Ports and Services
● Network Traffic Compromise
Denial of Service
● CPU/Memory Exhaust
● Network Exhaust
● HDD Exhaust
Elevation of Privileges
● Container Breakout
● Container Privileges
● Container Services - Compromise
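The six STRIDE slides above list the threats but not what a defender would check for. The script below is an added illustration (not code from the talk, from Medtronic or from Docker) that audits a Docker daemon.json and the JSON that docker inspect emits for a container, and maps each weak setting to the slide category it falls under: an API socket on TCP without tlsverify (Spoofing), no log driver (Repudiation), secret-looking values in Config.Env and ports bound on every interface (Information Disclosure), no memory or CPU limit (Denial of Service), and Privileged=true (Elevation of Privilege). The key and field names are Docker's own; the sample documents, the secret-name regex and the category mapping are this example's assumptions.

```python
import json
import re

# --- constructed sample inputs; none of this was captured from a real host ---

# daemon.json exposing the API on plain TCP with no TLS and no log driver.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Same daemon with TLS client verification and a remote log driver.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
    "log-driver": "syslog",
})

# Abbreviated `docker inspect` output (a JSON array of containers).
WEAK_CONTAINER_JSON = json.dumps([{
    "Name": "/web",
    "Config": {"Env": ["PATH=/usr/bin", "DB_PASSWORD=hunter2"]},
    "HostConfig": {
        "Privileged": True,
        "Memory": 0,
        "NanoCpus": 0,
        "PortBindings": {"5432/tcp": [{"HostIp": "0.0.0.0", "HostPort": "5432"}]},
    },
}])

HARDENED_CONTAINER_JSON = json.dumps([{
    "Name": "/web",
    "Config": {"Env": ["PATH=/usr/bin"]},
    "HostConfig": {
        "Privileged": False,
        "Memory": 512 * 1024 * 1024,
        "NanoCpus": 500_000_000,  # half a CPU
        "PortBindings": {"5432/tcp": [{"HostIp": "127.0.0.1", "HostPort": "5432"}]},
    },
}])

# Heuristic for secret-looking variable names (an assumption of this example).
SECRET_ENV = re.compile(r"(PASS|SECRET|TOKEN|KEY)\w*=", re.IGNORECASE)


def audit_daemon(config_text):
    """Findings for a daemon.json document as (STRIDE category, message) pairs."""
    cfg = json.loads(config_text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify"):
        # Without client certificate verification, anyone who reaches the socket
        # is indistinguishable from an administrator.
        findings.append(("Spoofing",
                         "API listening on %s without tlsverify" % ", ".join(tcp_hosts)))
    if "log-driver" not in cfg:
        # Default json-file logs live on the host, so an intruder there can delete them.
        findings.append(("Repudiation", "no log-driver set; logs stay on the host"))
    return findings


def audit_container(inspect_text):
    """Findings for `docker inspect` output as (STRIDE category, message) pairs."""
    findings = []
    for c in json.loads(inspect_text):
        name = c.get("Name", "?")
        hc = c.get("HostConfig", {})
        if hc.get("Privileged"):
            findings.append(("Elevation of Privilege",
                             f"{name}: Privileged=true, host devices and all capabilities"))
        if not hc.get("Memory"):
            findings.append(("Denial of Service", f"{name}: no memory limit"))
        if not hc.get("NanoCpus"):
            findings.append(("Denial of Service", f"{name}: no CPU limit"))
        for port, binds in (hc.get("PortBindings") or {}).items():
            for b in binds or []:
                # Docker records an empty HostIp when the port is bound on all interfaces.
                if b.get("HostIp", "") in ("", "0.0.0.0", "::"):
                    findings.append(("Information Disclosure",
                                     f"{name}: {port} published on every host interface"))
        for env in c.get("Config", {}).get("Env", []):
            if SECRET_ENV.search(env):
                findings.append(("Information Disclosure",
                                 f"{name}: secret-looking variable {env.split('=')[0]} in Config.Env"))
    return findings


def summarize(findings):
    """Count findings per STRIDE category."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for label, daemon, container in (("weak", WEAK_DAEMON_JSON, WEAK_CONTAINER_JSON),
                                     ("hardened", HARDENED_DAEMON_JSON, HARDENED_CONTAINER_JSON)):
        found = audit_daemon(daemon) + audit_container(container)
        print(label, summarize(found))
        for category, message in found:
            print(f"  [{category}] {message}")
```

Run against the weak pair the script reports seven findings across five categories; the hardened pair reports none. On a real host the same functions take the contents of /etc/docker/daemon.json and the output of docker inspect, which is the form in which this kind of check is usually wired into the pipeline the later slides describe.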
DevOps
Containers managed individually..
Led to Orchestration
And Finally, Serverless!
DevSecOps
Continuous Build, Integration and Delivery – Foundational and Automated (CI/CD)
Example CI/CD pipeline with AppSec addition
Great place to start! DevSecOps Studio is a one-of-a-kind, self-contained DevSecOps environment/distribution to help individuals learn DevSecOps concepts. It takes a lot of effort to set up the environment for training/demos, and more often than not it is error-prone when done manually. DevSecOps Studio is easy to get started with and is mostly automatic. The DevSecOps Studio project aims to reduce the time to bootstrap the environment and help you concentrate on learning/teaching DevSecOps practices.
Features:
• Easy to set up environment with just one command: “vagrant up”
• Teaches Security as Code, Compliance as Code, Infrastructure as Code
• With built-in support for CI/CD pipeline
• OS hardening using ansible
• Compliance as code using Inspec
• QA security using ZAP, BDD-Security and Gauntlt
• Static tools like bandit, brakeman, windbags, gitrob, gitsecrets
• Security Monitoring using ELK stack.
https://www.owasp.org/index.php/OWASP_DevSecOps_Studio_Project
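The "AppSec addition" on the pipeline slide and the static tools listed for DevSecOps Studio leave open what the pipeline actually does with a scanner's findings. The gate below is an added example, not the talk's pipeline or the OWASP project's code: it reads a bandit JSON report (bandit's real -f json layout, with results[] entries carrying test_id, issue_severity, issue_confidence, filename, line_number and issue_text), applies a severity/confidence policy kept in code beside the pipeline, honours a reviewed-exceptions list keyed by rule and file, and returns the pass/fail decision a CI stage acts on. The sample report, the POLICY values and the accepted-findings entry are constructed for the example.

```python
import json
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Policy as code: kept in the repo next to the pipeline definition (constructed values).
POLICY = {
    "fail_severity": "HIGH",      # block the build at this severity or above...
    "min_confidence": "MEDIUM",   # ...when the tool is at least this confident
    # Findings a reviewer has accepted, keyed by (rule, file) so that the same rule
    # firing in a different file still blocks.
    "accepted": {("B101", "tests/test_api.py")},
}

# Constructed bandit report in bandit's `-f json` layout (three findings).
BANDIT_REPORT = json.dumps({
    "results": [
        {"test_id": "B101", "issue_severity": "LOW", "issue_confidence": "HIGH",
         "filename": "tests/test_api.py", "line_number": 12,
         "issue_text": "Use of assert detected."},
        {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "filename": "app/run.py", "line_number": 40,
         "issue_text": "subprocess call with shell=True identified, security issue."},
        {"test_id": "B311", "issue_severity": "LOW", "issue_confidence": "HIGH",
         "filename": "app/tokens.py", "line_number": 8,
         "issue_text": "Standard pseudo-random generators are not suitable for "
                       "security/cryptographic purposes."},
    ]
})

CLEAN_REPORT = json.dumps({"results": []})


@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    severity: str
    confidence: str
    path: str
    line: int
    text: str


def from_bandit(report_text):
    """Normalise a bandit JSON report into Finding records."""
    return [
        Finding("bandit", r["test_id"], r["issue_severity"], r["issue_confidence"],
                r["filename"], r["line_number"], r["issue_text"])
        for r in json.loads(report_text)["results"]
    ]


def evaluate(findings, policy):
    """Sort findings into blocking / accepted / informational under the policy."""
    verdict = {"blocking": [], "accepted": [], "informational": []}
    fail_at = SEVERITY_RANK[policy["fail_severity"]]
    min_conf = SEVERITY_RANK[policy["min_confidence"]]
    for f in findings:
        if (f.rule, f.path) in policy["accepted"]:
            verdict["accepted"].append(f)
        elif SEVERITY_RANK[f.severity] >= fail_at and SEVERITY_RANK[f.confidence] >= min_conf:
            verdict["blocking"].append(f)
        else:
            verdict["informational"].append(f)
    return verdict


def gate(report_text, policy=POLICY):
    """Return (passed, verdict); the CI stage exits non-zero when passed is False."""
    verdict = evaluate(from_bandit(report_text), policy)
    return not verdict["blocking"], verdict


if __name__ == "__main__":
    import sys
    passed, verdict = gate(BANDIT_REPORT)
    for bucket, items in verdict.items():
        for f in items:
            print(f"[{bucket}] {f.tool} {f.rule} {f.severity}/{f.confidence} "
                  f"{f.path}:{f.line} {f.text}")
    print("gate:", "PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)
```

In a pipeline the stage runs bandit with -f json, feeds the file to gate() and uses the exit status to stop the deploy; the accepted set and the thresholds are version-controlled with the application, so a change to the security bar goes through the same review as any other code change, which is what "Security as Code" on the Studio slide amounts to in practice.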