DevSecOps: Taking a DevOps
Approach to Security
Alert Logic & Chef discuss overcoming security challenges in
DevOps
Before We Begin
Housekeeping
• Turn on your system’s sound to
hear the streaming presentation
• Questions? Submit them to the
presenter at anytime into the
question box
• The presentation slides will be
available to download from the
attachment tab after the webinar
• The webinar will be recorded
and published on BrightTalk
• Technical Problems? Click
“Help”
Agenda
• Security Challenges
• High Velocity IT
• Vulnerability Management
• Securing the Platform
• Continuous Monitoring
• Questions
Speaker Introduction
James Brown
• Director of Cloud Computing &
Security Architecture
• Alert Logic
Alex Manly
• Solution Architect
• Chef
OVERCOMING SECURITY
CHALLENGES
Security Remains #1 Pain Point For Cloud Deployments
[Chart: Cloud Computing Pain Points, share of respondents naming each; Security leads at 31%. Other categories charted: Pricing/Budget/Cost, Human Change Management, Security of Data / Control of Data Locality / Sovereignty, Compliance, Migration/Integration, Internal Resources/Expertise, Lack of Internal Process Management, Vendor/Provider Issues, Organizational Challenges, Contractual/Legal Issues, Service Reliability/Availability, Network, Lack of Standards, Service-level Management, Limited Transparency and Management, Complexity, Technology Immaturity, Legacy Applications, Capacity Planning/Management, Governance, Data Movement, Storage.]
Q. What are your top cloud computing-related pain points?
Source: Cloud Computing – Wave 7 | © 2014 451 Research, LLC. www.451research.com
Shared Security Model
Application Security Technology Challenges
• Network Changes
• Host Identity
• Auto-Scaling
Why do traditional security tools struggle in the cloud?
Security at Odds with DevOps Velocity
Traditional Security/Compliance is Slow
• Bolted on at the end
• Manual processes
• Long cycle times
Mature DevOps Velocity is Fast
Security Practice does not Keep Up
• Traditional Security Tools are not automated
• Continuous deployment stalls without security automation
InfoSec Ends Up Being Marginalized
“The problem for the security person who is used to turning
around security reviews in a month or two weeks is they're
just being shoved out of the game. There's no way with how
Infosec is currently configured that they can keep up with
that. So, Infosec gets all the complaints about being
marginalized and getting in the way of doing what needs
getting done.”
Gene Kim, former CTO of Tripwire
Author of “The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win”
Alert Logic Survey Findings
Good communications
between Development
and Operations Teams
Poor communication
between DevOps, Security
and Compliance teams
Security Infrastructure
had been poorly
managed or needed
significant improvement
Admitted to not
implementing security
into their continuous
process
High velocity IT
• Web scale IT
• Software is eating the world
• The Rise of Coded business
• Every business is an IT
business
• Software defined everything
• Deliver change faster and safer
Infrastructure on demand
• Cheap
• Secure
• Elastically Scalable
• Self Service
DevOps
Configuration Management
Continuous Delivery
Architecture
Compliance Drag
If you think compliance is expensive,
try non-compliance
Former US Deputy Attorney General, Paul McNulty
DevSecOps – Don’t shoot me, it’s just a word
• Many hats **
• Not just Dev, not just Ops.
• Security is not, and has never been, just a check box.
• Security as Code - Software defined Security
• Embed security tests into the pipeline.
• Test security early.
** Hat tip to Ben Hughes (@benjammingh), from whom I stole this slide
https://speakerdeck.com/barnbarn/handmade-security-at-etsy
The changing role of the compliance officer
2015 Compliance Report - Verizon
VULNERABILITY
MANAGEMENT
Vulnerability Management
Vulnerability management is key to maintaining a secure system.
Most IT environments use a mix of patch management and
vulnerability scanning.
However:
• Scanning is not run frequently enough
• Dealing with large numbers of potential vulnerabilities in one go
introduces significant risk to application stability
Manage Vulnerabilities with Base Images + CI
Manage Vulnerabilities
• Conduct normal vulnerability scanning
• Identify Vulnerabilities that exist in Base
Images versus Application specific packages
• Remediate at appropriate level as part of
Continuous Delivery process
• Start with Hardened “secure by default” base
Results
• Less work, done more reliably
• Patching fits naturally into Phoenix Upgrades
• Continuous Delivery allows frequent scanning
in test environments to have real value
• Fixes potential vulnerabilities systematically
Adopt Phoenix upgrade strategy
Embrace Phoenix Upgrades
• Stand up new instances, don’t upgrade
• Route traffic between old and new instances
• Rich service metrics and automate rollback
• Advanced routing can enable selective rollout
Results
• Creates evergreen systems, avoiding
configuration drift and technical debt
• Enforces refresh of all system components as
complete artifact, tested as a holistic system
• Greatly reduces security risks when combined
with immutable instances and configuration
management
Real World Case – Patching Shellshock
SECURING THE PLATFORM
Securing the platform
Aside from ensuring that an application and its server are fully patched, it
is key to start from a position where the server has been fully locked
down.
In the cloud, do developers simply take the base OS images that are made
available to them and use them as they are?
You may be in a position where:
• Permissions on servers cannot be changed without risking breaking the
application
• Base OS images are used without any specific security hardening
• Different standards are applied across different server types.
Prevent Attacks with Immutable Systems
Design Secure Immutable Infrastructure
• Build secure base images that are representative of your infrastructure
system base
• Design the file system layout to separate code from data, and lock down to
the minimum required permissions. This should extend to the network as well
• Leverage SANS Checklist and CIS Benchmark resources for system-level
security best practices and guidance
• Leverage configuration management tools to standardize all software
versions and configurations
Example – Static Control Analysis
• This example identifies any code that tries to mount disk volumes. If such
code is found, it is flagged for audit, and a workflow can then control how
this deviation from the standard is handled.
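The mount-volume check described above, as an added example that is not code from the slides or from Chef: a Ruby script that parses Chef recipe source with Ripper (Ruby's standard-library parser, so no cookbook code is executed) and reports every `mount` resource with its line and mount point. The sample recipe is constructed.

```ruby
# Added example (not from the slides or from Chef): a static check over Chef
# recipe source that flags every 'mount' resource, the deviation the slide
# describes. The recipe is parsed with Ripper, Ruby's stdlib parser, and never
# executed, so auditing an untrusted cookbook runs none of its code.
require 'ripper'

# Constructed sample recipe: a block-form mount, a one-line mount, and the word
# "mount" in a comment, a string and a symbol, which must not be flagged.
SAMPLE_RECIPE = <<~'RECIPE'
  package 'nfs-common'

  # mount '/old' is only a comment
  mount '/mnt/data' do
    device '/dev/xvdf'
    fstype 'ext4'
    action [:mount, :enable]
  end

  log 'this string mentions mount but is not a resource'

  mount('/mnt/scratch') { device '/dev/xvdg' }
RECIPE

MountFinding = Struct.new(:line, :mount_point)

# Parse the recipe and return one MountFinding per call to `mount`.
def find_mount_resources(source)
  sexp = Ripper.sexp(source)
  raise ArgumentError, 'recipe does not parse as Ruby' if sexp.nil?
  findings = []
  walk(sexp, findings)
  findings
end

# Is this S-expression node a bare call to `name`, either `name 'x' do` (:command)
# or `name('x') { }` (:fcall)? Symbols, strings and `obj.name` calls never match.
def call_to?(node, name)
  %i[command fcall].include?(node[0]) && node[1].is_a?(Array) &&
    node[1][0] == :@ident && node[1][1] == name
end

# Depth-first walk in source order. For :fcall the arguments hang off the
# parent (:method_add_arg) node, so the mount point is looked up there.
def walk(node, findings, parent = nil)
  return unless node.is_a?(Array)
  if call_to?(node, 'mount')
    scope = node[0] == :fcall ? parent : node
    findings << MountFinding.new(node[1][2][0], first_string(scope))
  end
  node.each { |child| walk(child, findings, node) }
end

# First string literal below a node: the resource name of a Chef resource call.
def first_string(node)
  return nil unless node.is_a?(Array)
  return node[1] if node[0] == :@tstring_content
  node.each do |child|
    found = first_string(child)
    return found if found
  end
  nil
end

# Human-readable audit lines, the input a workflow step would act on.
def audit_report(source)
  find_mount_resources(source).map do |f|
    "line #{f.line}: mount resource #{f.mount_point.inspect} deviates from the base image standard"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts audit_report(SAMPLE_RECIPE)
end
```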
Example – Infrastructure Testing
• Tests Chef cookbooks using cloud instances and virtual machines
• Lets you create a realistic multi-server test environment
• Uses Chef and supports everything Chef supports (OSs, VMs, languages, etc.)
• Supports multiple test runners (Bats, Minitest, RSpec, Serverspec, etc.)
CONTINUOUS MONITORING
Chef Analytics Provides Visibility in Three Ways
• Record changes to
Chef Server or any
Chef Nodes
• Tracks changes
from any sources
(Chef UI, command
line, knife)
• Built-in
messaging
and email
integration
• Trivially
integrates with
your existing
systems
• Simple dashboard
with search, filters
and sorting options
• Integrate with
existing tools via API
Example
Example – PCI Compliance
• PCI 2.3 - Encrypt all non-console administrative access such as
browser/Web-based management tools.

Chef Analytics rule (fires when the audit control below does not pass; the rule's name matches the control's "it" description):

  rules 'PCI 2.3 - Confirm telnet port not available'
    rule on run_control
    when
      name = 'has nothing listening'
      resource_type = 'port'
      resource_name = '23'
      status != 'success'
    then
      audit:error("PCI 2.3 - Encrypt all non-console administrative access such as browser/Web-based management tools.")
      notify("security-team@financialcorp.com", "A machine is listening for connections on port 23/telnet!")
    end
  end

RuleControl (audit-mode control the rule reacts to):

  controls 'port compliance' do
    control port(23) do
      it "has nothing listening" do
        # telnet must not be reachable on any node
        expect(port(23)).to_not be_listening
      end
    end
  end
Example – SOX Compliance
• SOX Section 302.4.B – Establish verifiable controls to track data
access.

Chef Analytics rule:

  rules 'force key based auth'
    rule on run_control
    when
      name = 'is disabled'
      resource_type = 'File'
      resource_name = '/etc/ssh/sshd_config'
      status = 'failed'
    then
      audit:error("SOX Section 302.4.B - Establish verifiable controls to track data access.")
      notify('security-team@financialcorp.com', "A machine has password login enabled!")
    end
  end

RuleControl:

  controls 'password authentication' do
    control file('/etc/ssh/sshd_config') do
      it "is disabled" do
        # fail if any uncommented line turns password logins on
        expect(file('/etc/ssh/sshd_config').content)
          .to_not match(/^\s*PasswordAuthentication\s+yes/i)
      end
    end
  end
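The sshd_config control above tests for a literal "PasswordAuthentication yes". As an added example that is not code from the slides or from Chef, this Ruby script puts that pattern beside a check that resolves the value sshd will actually apply; it goes beyond the slide's single case by covering an absent keyword and a shadowed duplicate. The sshd_config fragments are constructed.

```ruby
# Added example (not the slides' own code): the SOX control greps sshd_config
# for a literal "PasswordAuthentication yes". This check instead resolves the
# value sshd will actually apply. Two sshd_config rules matter: a keyword's
# FIRST global occurrence wins, and an absent keyword takes the default, which
# for PasswordAuthentication is "yes". The plain pattern misses the second
# case entirely and misfires on the first.

# The slide's pattern.
SLIDE_PATTERN = /^\s*PasswordAuthentication\s+yes/i

# What the slide's rule asserts: true means "deviation found".
def slide_check_flags?(content)
  SLIDE_PATTERN.match?(content)
end

# Effective global value of PasswordAuthentication as sshd resolves it.
# Keywords and values may be separated by whitespace or '='; lines starting
# with '#' are comments; everything after the first Match line is scoped to
# that block and does not change the global setting.
def effective_password_auth(content)
  content.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    keyword, value = line.split(/\s*=\s*|\s+/, 2)
    break if keyword.casecmp?('Match')
    return value.to_s.strip.downcase if keyword.casecmp?('PasswordAuthentication')
  end
  'yes' # sshd's built-in default when the keyword is absent
end

def password_login_enabled?(content)
  effective_password_auth(content) == 'yes'
end

# Constructed sshd_config fragments exercising the cases above.
SAMPLES = {
  compliant:  "PasswordAuthentication no\nPubkeyAuthentication yes\n",
  explicit:   "Port 22\n  passwordauthentication   YES\n",
  absent:     "Port 22\nPubkeyAuthentication yes\n",                    # default applies: yes
  shadowed:   "PasswordAuthentication no\nPasswordAuthentication yes\n", # first wins: no
  # the Match-scoped override needs its own per-user control; globally it is still "no"
  match_only: "PasswordAuthentication no\nMatch User legacy\n    PasswordAuthentication yes\n"
}.freeze

# Side-by-side verdicts, one row per sample: [slide pattern fired?, effective value]
def compare(samples = SAMPLES)
  samples.transform_values { |c| [slide_check_flags?(c), effective_password_auth(c)] }
end

if __FILE__ == $PROGRAM_NAME
  compare.each do |name, (flag, eff)|
    puts format('%-11s slide_pattern=%-5s effective=%s', name, flag, eff)
  end
end
```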
How Cloud Defender Works
[Diagram: Alert Logic Cloud Defender. Inputs from the customer IT environment (cloud, hybrid, on-premises): web application events, log data, network incidents. Three layers: Alert Logic ActiveAnalytics (big data analytics platform), Alert Logic ActiveIntelligence (threat intelligence & security content), Alert Logic ActiveWatch (24 x 7 monitoring & escalation). Purpose: identify attacks & protect customers.]
Alert Logic Cloud Defender
Threat Manager: Network Intrusion Detection
• Detects suspicious activities across your networks
• Uncovers vulnerabilities in your networks, systems, and
applications
Log Manager: Log Management & Analysis
• Protects your networks, systems, and applications through
log analysis
• Collects, aggregates, and normalizes logs for easy searching
and long term storage
Web Security Manager: Web Application Protection
• Built to protect web applications from web specific attacks
• Learning engine adapts to normal behavior, ensuring
application uptime
- Simple Unified Deployment -
Questions and Resources
Resources
All available under the
“Attachments” tab of the webinar:
• DevOps: The Security Gap
• Key findings from Alert Logic’s
recent Dev-”Sec”-Ops Survey
• Chef’s Whitepaper:
Compliance at Velocity
• Alert Logic Blog
• Top 10 tips for Security
Professionals Blog
Questions
• Questions? Submit them to the
presenter at anytime into the
question box
Get Connected
www.alertlogic.com
www.chef.io
@alertlogic
@chef
linkedin.com/company/alert-logic
linkedin.com/company/opscode
alertlogic.com/resources/blog/
chef.io/blog
youtube.com/user/AlertLogicTV
youtube.com/user/getchef
brighttalk.com/channel/11587
brighttalk.com/channel/11349
Contact Us
James Brown
Director of Cloud
Computing & Security
Architecture
Alert Logic
jbrown@alertlogic.com
Alex Manly
Solution Architect
Chef
amanly@chef.io
Thank you!