2/13/2020
THE SHIFT TO RUGGED DEVOPS
SECURITY IN YOUR PIPELINES
RENÉ VAN OSNABRUGGE
@RENEVO
René van Osnabrugge
Xpirit Netherlands
@renevo
rvanosnabrugge@xpirit.com
https://roadtoalm.com
COMPLIANCY
IMPOSSIBLE TO UNDERSTAND
IMPOSSIBLE TO IMPLEMENT
IMPOSSIBLE TO VALIDATE
IMPOSSIBLE TO MAINTAIN
THE BATTLE WITH CISO
THE CLASSIC SECURITY MODEL
[Chart: "Security Level - Current", plotted month by month over three years on a 0-100 scale, with two points annotated "Audit coming up!"]
ISO 27001
COBIT
SOX
PCI
AUTHORITIES
ETC.
BANG HEAD HERE
CONFIDENTIALITY
INTEGRITY
AVAILABILITY
COMPLIANCE CHECKING IS THE OPPOSITE OF SECURITY ENGINEERING
James Wickett, The DevOps Handbook
"Health is a state of complete physical, mental and social well-being, and not merely the absence of disease or infirmity."
World Health Organization, 1948
THIS WAS ALL VERY SECURE!
Unbreachable walls Indestructible Machines Watchful security guards
UNTIL IT WAS NOT!
COMPLIANT SECURE RUGGED
"FUNDAMENTALLY, IF SOMEBODY WANTS TO GET IN, THEY'RE GETTING IN. ACCEPT THAT.
NUMBER ONE, YOU'RE IN THE FIGHT, WHETHER YOU THOUGHT YOU WERE OR NOT.
NUMBER TWO, YOU ALMOST CERTAINLY ARE PENETRATED."
Michael Hayden, Former Director of NSA & CIA
WE NEED TO SHIFT FROM PREVENT TO ASSUME BREACH!
BETTER CHEAPER FASTER
STATE OF DEVOPS (https://cloudplatformonline.com/2018-state-of-devops.html)
[Chart: "Security Level - Current", plotted month by month over three years on a 0-100 scale, with two points annotated "Audit coming up!"]
WE NEED TO MOVE FROM MANUAL...
[Chart: "Security Level - Current" and "Security Level - Desired", plotted month by month over three years on a 0-100 scale, with two points annotated "Audit coming up!"]
...TO AUTOMATED
SECURITY IS THE NEXT SILO TO TEAR DOWN
WHERE TO START?
IT STARTS WITH AWARENESS!
SHIFT LEFT SECURITY
Make them part of your team!
YOU BUILD IT, YOU RUN IT
CREATIVE THINKING
HACKERS
• DO NOT PLAY BY THE RULES
• ALREADY USE CONTINUOUS DELIVERY
• ARE ALWAYS AHEAD OF YOU
• USE ALL MEANS POSSIBLE
• THINK OUT OF THE BOX
HOW DO WE DO THAT?
IDENTIFY / PREVENT / REACT
BUILD / RUN
NOT OR, BUT AND!
PREVENT BREACH / ASSUME BREACH
PREVENT BREACH
CODE / STORE / BUILD / DEPLOY / RELEASE
SECURE PIPELINES
SECURE AND COMPLIANT ALL THE WAY
WHAT NEEDS TO BE SECURE?
• Identity & Access
• Servers & Containers
• Firewalls & Network
• Passwords & Secrets
• Libraries & Licenses
• Application Code
• Build & Delivery Pipelines
CODING PHASE
In the coding phase, an idea transforms into code
CODING PHASE - IDENTIFY
• Bad coding practices resulting in Technical Debt
• Non-deployable code
• Untested code and therefore unintended consequences
• Passwords/Secrets etc. exposed in code
WE ALL NEED SOME PROTECTION... FROM OURSELVES
CODING PHASE - PREVENT
• Secure Development Lifecycle (SDL)
• Compiling / Syntax Checking
• First stage - Static Code Analysis
  • Ruleset selection is key!
• Unit Tests
• Secure Assets
  • Approved templates
  • Secure shared Packages
• Credential and Secret Scanning
  • Do we really need secrets?
  • Use of key vaults
CREDENTIAL SCANNING
DEMO
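As an added illustration of the credential scanning step (example code written for this page, not the deck's demo and not Microsoft's CredScan): a small pre-commit style scanner that runs three pattern rules plus an entropy fallback over constructed source lines, skips templated placeholders such as "${API_TOKEN}" or "CHANGEME" (the cases where the secret already lives in a key vault or the environment), and masks every value it reports so the scanner's own output does not leak the secret a second time. The sample source, rule names, placeholder list and the entropy threshold are all assumptions made for the example; the AWS key id is the public, non-functional example id from AWS's documentation.

```python
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Constructed sample source, not taken from any real project.
SAMPLE_SOURCE = [
    'import os',
    'DB_HOST = "db.internal.example"',
    'db_password = "Sup3rS3cretPassw0rd!"',
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',
    'API_TOKEN = "${API_TOKEN}"',
    'smtp_password = "CHANGEME"',
    'kv_secret = client.get_secret("db-password").value',
    'private_key = """-----BEGIN RSA PRIVATE KEY-----',
    'MIIEowIBAAKCAQEA...',
    '-----END RSA PRIVATE KEY-----"""',
    'session = "d6a1f3c9e8b24f7a9c0e5b3d2a1f4e6c7b8d9a0f"',
]

# Rule name -> pattern. Group 1 is the sensitive value for every rule.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private-key-block": re.compile(
        r"(-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----)"),
    "assigned-credential": re.compile(
        r"\w*(?:password|passwd|pwd|secret|token|api_?key)\w*\s*[=:]\s*['\"]([^'\"]{8,})['\"]",
        re.IGNORECASE,
    ),
}
QUOTED_BLOB = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{32,})['\"]")
ENTROPY_THRESHOLD = 3.5  # bits per char; random 40-char hex lands near 3.9
PLACEHOLDER_PREFIXES = ("${", "{{", "<", "%")
PLACEHOLDER_WORDS = {"CHANGEME", "REPLACE_ME", "TODO", "PLACEHOLDER", "REDACTED"}


@dataclass
class Finding:
    line_no: int
    rule: str
    preview: str  # masked, so reporting a finding never re-exposes the secret


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex tops out at 4.0, random base64 at 6.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(value: str) -> bool:
    """Templated or dummy values only look like credentials; do not report them."""
    return value.startswith(PLACEHOLDER_PREFIXES) or value.upper() in PLACEHOLDER_WORDS


def mask(value: str) -> str:
    return value[:4] + "*" * max(0, min(len(value) - 4, 12))


def scan_source(lines) -> list:
    findings = []
    for line_no, line in enumerate(lines, start=1):
        matched = False
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m or is_placeholder(m.group(1)):
                continue
            findings.append(Finding(line_no, rule, mask(m.group(1))))
            matched = True
        if matched:
            continue
        # Fallback for lines no rule named: long, high-entropy quoted strings.
        for m in QUOTED_BLOB.finditer(line):
            blob = m.group(1)
            if not is_placeholder(blob) and shannon_entropy(blob) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high-entropy-string", mask(blob)))
    return findings


def main(path=None) -> int:
    """Pre-commit style entry point: a non-zero exit code blocks the commit."""
    lines = open(path, encoding="utf-8").read().splitlines() if path else SAMPLE_SOURCE
    findings = scan_source(lines)
    for f in findings:
        print(f"line {f.line_no}: {f.rule} ({f.preview})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run without arguments it scans the embedded sample and reports four lines (the assigned password, the AWS key id, the private key header and the high-entropy session string) while staying quiet on the two placeholders and on the key vault lookup; pass a file path to scan real source. The entropy fallback is what catches secrets that no naming convention announces, and it is also the rule most prone to false positives, so its threshold is the knob teams tune per codebase.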
STORING PHASE
In the storing phase you make your code our code and ensure it is safe
STORING PHASE - IDENTIFY
• Everything from the Coding phase!
• Unknown committers to the Git repository
• Suspicious code is committed to the code repository
• Code is deployed without the 4-eyes principle
• Code contains secrets/passwords etc.
STORING PHASE - PREVENT
• Protect the Git repo to ensure the pusher is known
• Use Pull Requests and protect the master branch
• Run Continuous Integration builds
• Enforce 4-eyes on every code change
• Enforce CI checks on every code change
  • Static Code Analysis
  • CredScan
  • Compiling / Syntax Checking
  • Unit Tests
BUILD PHASE
In the build phase we transform the product from code and script into an immutable and versioned package
BUILD PHASE - IDENTIFY
• Package can be unintentionally modified
• Code can contain vulnerabilities / Technical Debt
• Code can contain secrets
• Code is untested/unstable
• Unauthorized modification of the build process
• Code can use insecure libraries
• Code can use unlicensed / wrongly licensed libraries
REMEMBER HEARTBLEED?
YOUR CODE VS. THEIR CODE
Components: 80-90%
Original Code: 10-20% (max)
AND THEN THERE IS LICENSING
Copyleft: GPL, LGPL, AGPL
Permissive <-> Restrictive
BUILD PHASE - PREVENT
• Build activities from the Storing Phase
• Second stage - Static Code Analysis
• Vulnerability and dependency scanning
• License Scanning
• Securely storing the Build Artifact
• Protecting the Build History
DEPENDENCY MANAGEMENT
DEMO
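Added example for the dependency and license scanning steps above (written for this page; it is not the deck's Dependency Management demo and not a real scanner): the build-phase policy check in Python over a constructed lockfile-style component list and a constructed advisory feed. Component names, versions, advisory ids and the policy sets are made up; the introduced/fixed range semantics ("affected if introduced <= version < fixed") follow the convention used by OSV advisories, and the license identifiers are SPDX ids.

```python
from dataclasses import dataclass

# Constructed component list (what a lockfile or SBOM would give you); none of
# these names describe real packages.
COMPONENTS = [
    {"name": "examplelib",      "version": "2.4.1", "license": "MIT"},
    {"name": "left-pad-clone",  "version": "1.3.0", "license": "MIT"},
    {"name": "copyleft-widget", "version": "0.9.0", "license": "AGPL-3.0-only"},
    {"name": "lgpl-util",       "version": "3.1.0", "license": "LGPL-2.1-only"},
    {"name": "mystery-pkg",     "version": "1.0.0", "license": None},
]

# Constructed advisory feed with OSV-style introduced/fixed ranges.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-001", "package": "examplelib",
     "introduced": "2.0.0", "fixed": "2.4.3", "severity": "high"},
    {"id": "ADV-CONSTRUCTED-002", "package": "lgpl-util",
     "introduced": "1.0.0", "fixed": "2.0.0", "severity": "medium"},
]

# License policy (assumed for the example): strong copyleft is blocked, weak
# copyleft needs a human review, unknown or undeclared licenses are findings too.
DENY_LICENSES = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                 "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}
REVIEW_LICENSES = {"LGPL-2.1-only", "LGPL-2.1-or-later",
                   "LGPL-3.0-only", "LGPL-3.0-or-later"}
ALLOW_LICENSES = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}


@dataclass
class Finding:
    component: str
    version: str
    kind: str      # "vulnerability" or "license"
    severity: str  # "high" / "medium" / "low"
    detail: str


def parse_version(v: str) -> tuple:
    """Numeric dotted versions only ("1.2.3" -> (1, 2, 3)); pre-release tags are out of scope."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, advisory: dict) -> bool:
    """OSV-style range: affected if introduced <= version < fixed (no fix = still affected)."""
    v = parse_version(version)
    fixed = advisory.get("fixed")
    return parse_version(advisory["introduced"]) <= v and (
        fixed is None or v < parse_version(fixed))


def check_vulnerabilities(components, advisories) -> list:
    by_pkg = {}
    for adv in advisories:
        by_pkg.setdefault(adv["package"], []).append(adv)
    findings = []
    for c in components:
        for adv in by_pkg.get(c["name"], []):
            if is_affected(c["version"], adv):
                findings.append(Finding(c["name"], c["version"], "vulnerability",
                                        adv["severity"],
                                        f"{adv['id']}: fixed in {adv['fixed']}"))
    return findings


def check_licenses(components) -> list:
    findings = []
    for c in components:
        lic = c.get("license")
        if lic in ALLOW_LICENSES:
            continue
        if lic is None:
            findings.append(Finding(c["name"], c["version"], "license", "medium",
                                    "no license declared"))
        elif lic in DENY_LICENSES:
            findings.append(Finding(c["name"], c["version"], "license", "high",
                                    f"{lic} is not permitted by policy"))
        elif lic in REVIEW_LICENSES:
            findings.append(Finding(c["name"], c["version"], "license", "low",
                                    f"{lic} requires legal review"))
        else:
            findings.append(Finding(c["name"], c["version"], "license", "medium",
                                    f"unrecognised license {lic}"))
    return findings


def evaluate(components, advisories) -> list:
    return check_vulnerabilities(components, advisories) + check_licenses(components)


def build_should_fail(findings, block_at=("high",)) -> bool:
    """Pipeline gate: fail the build on any finding at a blocking severity."""
    return any(f.severity in block_at for f in findings)


if __name__ == "__main__":
    results = evaluate(COMPONENTS, ADVISORIES)
    for f in results:
        print(f"[{f.severity}] {f.kind}: {f.component} {f.version}: {f.detail}")
    raise SystemExit(1 if build_should_fail(results) else 0)
```

Against the sample data the check reports one vulnerable component (examplelib 2.4.1, inside the advisory's range), one blocked license, one license flagged for review and one component with no license at all, and fails the build because two of those findings are high severity. Treating "no license declared" as a finding rather than silently allowing it is the detail that keeps the "wrongly licensed libraries" risk from the identify slide visible.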
DEPLOY / RELEASE PHASE
THIS IS THE PHASE WHERE THE ARTIFACTS MOVE FROM YOUR PROTECTED ENVIRONMENT INTO THE OPEN
DEPLOY / RELEASE PHASE - IDENTIFY
• Unauthorized change in the release steps
• Target environment accessible by multiple processes
• Deployed application has obvious vulnerabilities
• Deployed application has unexpected consequences on availability etc.
• Secrets are exposed during the deployment process
DEPLOY / RELEASE PHASE - PREVENT
• Run Dynamic Security Tests on Infrastructure
• Run Tests that require a deployed application
• Monitor key metrics after deployment
• Set up secure endpoints to the target environment
• Secret Management in the pipeline
• Build in a mechanism to separate functional from technical release
• Enforce the 4-eyes principle on the release pipeline
RELEASE GATES
DEMO
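Added example covering both the 4-eyes rule from the storing phase and the release gate checks listed above (written for this page; it is not the deck's Release Gates demo and not Azure DevOps gate configuration): a gate evaluator in Python over a constructed release record with constructed post-deployment error-rate samples and open alerts. The field names, policy thresholds and the two sample releases are assumptions. The gate fails closed: a missing telemetry window is a failure, not a pass, and approvals by the change's own author or repeated approvals by the same person do not count toward the two independent reviewers.

```python
from dataclasses import dataclass, field
from statistics import mean

# Constructed release records; nothing here comes from a real pipeline.
RELEASE_OK = {
    "author": "alice",
    "approvals": [{"user": "bob"}, {"user": "carol"}],
    "smoke_tests": {"passed": 42, "failed": 0},
    # error rate in % sampled once a minute over the observation window
    "error_rate_samples": [0.4, 0.6, 0.5, 0.3, 0.7],
    "open_alerts": [{"name": "disk-80pct", "severity": "low"}],
}

RELEASE_BAD = {
    "author": "alice",
    # self-approval plus the same reviewer twice: only one independent pair of eyes
    "approvals": [{"user": "alice"}, {"user": "bob"}, {"user": "bob"}],
    "smoke_tests": {"passed": 40, "failed": 2},
    "error_rate_samples": [0.5, 1.2, 4.8, 6.1, 5.9],
    "open_alerts": [{"name": "waf-blocked-spike", "severity": "high"}],
}

# Assumed gate policy for the example.
GATE_POLICY = {
    "min_independent_approvers": 2,
    "max_error_rate_pct": 2.0,       # no single sample may exceed this
    "max_error_rate_avg_pct": 1.0,   # and the window average must stay below this
    "blocking_alert_severities": {"high", "critical"},
}


@dataclass
class GateResult:
    passed: bool
    reasons: list = field(default_factory=list)


def independent_approvers(release) -> set:
    """4-eyes: distinct approvers, never counting the author of the change."""
    return {a["user"] for a in release["approvals"]} - {release["author"]}


def check_four_eyes(release, policy) -> list:
    approvers = independent_approvers(release)
    need = policy["min_independent_approvers"]
    if len(approvers) < need:
        return [f"4-eyes: {len(approvers)} independent approver(s), need {need}"]
    return []


def check_smoke_tests(release) -> list:
    failed = release["smoke_tests"]["failed"]
    return [f"smoke tests: {failed} failed"] if failed else []


def check_error_rate(release, policy) -> list:
    samples = release["error_rate_samples"]
    if not samples:
        # Fail closed: no telemetry means we cannot show the deployment is healthy.
        return ["error rate: no telemetry in observation window"]
    reasons = []
    if max(samples) > policy["max_error_rate_pct"]:
        reasons.append(f"error rate: peak {max(samples):.1f}% exceeds "
                       f"{policy['max_error_rate_pct']}%")
    if mean(samples) > policy["max_error_rate_avg_pct"]:
        reasons.append(f"error rate: mean {mean(samples):.1f}% exceeds "
                       f"{policy['max_error_rate_avg_pct']}%")
    return reasons


def check_alerts(release, policy) -> list:
    blocking = [a["name"] for a in release["open_alerts"]
                if a["severity"] in policy["blocking_alert_severities"]]
    return [f"open alerts: {', '.join(blocking)}"] if blocking else []


def evaluate_gate(release, policy=GATE_POLICY) -> GateResult:
    """Run every check and collect all reasons, so one gate run tells the whole story."""
    reasons = (check_four_eyes(release, policy)
               + check_smoke_tests(release)
               + check_error_rate(release, policy)
               + check_alerts(release, policy))
    return GateResult(passed=not reasons, reasons=reasons)


if __name__ == "__main__":
    for label, release in (("ok", RELEASE_OK), ("bad", RELEASE_BAD)):
        result = evaluate_gate(release)
        print(f"{label}: {'PROMOTE' if result.passed else 'HOLD'}")
        for reason in result.reasons:
            print(f"  - {reason}")
```

Collecting every failing reason instead of stopping at the first one matters in practice: when a release is held, the team wants to see at once that the approvals were insufficient, that two smoke tests failed and that an alert is open, rather than fixing one thing and re-running the gate to discover the next.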
ASSUME BREACH / RUN
IDENTIFY / PREVENT / REACT
PREVENT BREACH / ASSUME BREACH
REACT
DETECT: Monitor, Baselines, Alerts
RESPOND: MTTR, Pipelines, Continuous Delivery, You build it / You run it
RECOVER: Post Mortem, Share Experience, Rebuilt, Everything as Code
DETECT, RESPOND, RECOVER
DEMO
Monitor -> Detect -> Fix Bleeding -> Scan & Fix Locally -> Embed in Pipeline -> Set new Baseline -> Continuous Assurance
ADD MORE RUGGED-NESS
RED TEAM vs. BLUE TEAM
Red Team
• Model real-world attacks
• Identify gaps in security story
• Demonstrable impact
Blue Team
• Exercises ability to detect & respond
• Enhances situational awareness
• Measures readiness & impact
AND COMPLIANCY?
COMPLIANT BY DEFAULT
AVAILABILITY / INTEGRITY / CONFIDENTIALITY
René van Osnabrugge
Xpirit Netherlands
@renevo
rvanosnabrugge@xpirit.com
https://roadtoalm.com
Attributions
Pictures: https://unsplash.com / https://www.flickr.com/photos/wocintechchat
Gifs: https://giphy.com
Music: https://open.spotify.com/user/rvanosnabrugge/playlist/0BWgsNPM5iwgk8ZGlMHeoY?si=l9-tV8FTR8S1J7AbKBz-KA
Video: https://www.youtube.com/watch?v=47u3n1kX0wE
Thanks: Geert, Marcel, Alex, Jasper, Xpirit
VSLive Las Vegas - The Shift to Rugged DevOps