DevSecCon London 2017: Permitting agility whilst enforcing security by Alina Radu
1. Permitting agility while enforcing security - a story of making Docker a win-win proposition
By Alina Radu
Join the conversation #DevSecCon

2. Overview
• PaaSTA: Yelp's open source Platform as a Service
• Microservices in Docker containers
• Jenkins
  • build pipelines
  • multiple steps
  • security-check step
    • runs a suite of security tests
• Notification system for failures & runbook
• Takeaways

3. whoami
• Alina
• Software Engineer at Yelp London
• Security team: Infrastructure security
• Politehnica University of Bucharest alumni
• Avid traveller

4. Yelp's Mission
Connecting people with great local businesses.

5. PaaSTA: Platform as a Service - Mesos, Marathon & Chronos
• Platform as a Service
• Mesos
  • distributed job scheduler
• Marathon
  • Mesos framework for long running tasks
• Chronos
  • Mesos framework to schedule batch jobs

6. PaaSTA: Platform as a Service - Mesos, Marathon & Chronos
• Mesos
  • distributed job scheduler
  • master & agents
  • offers compute resources to frameworks
  • frameworks provide a task; Mesos schedules it on an agent

7. PaaSTA: Platform as a Service - Mesos, Marathon & Chronos
• Marathon
  • Mesos framework for long running tasks
  • "upstart at datacenter level"

8. PaaSTA: Platform as a Service - Mesos, Marathon & Chronos
• Chronos
  • Mesos framework to schedule batch jobs

9. PaaSTA: Platform as a Service
• microservices in Docker containers
• autoscaling cluster & resource specification
• move from:
  • hundreds of specialized servers to
  • heterogeneous Mesos agents
• SOA architecture
• operational ownership of individual services
  • from the operations team to the service authors

10. PaaSTA contract
• service: 1 git repo and 1 Dockerfile
• Docker image
  • runs the service
  • same image, multiple use cases: worker daemon vs web task
  • contains all the code necessary for the service
• Service:
  • stateless
  • filesystem I/O is allowed, but the disk is ephemeral
  • log to external processors (Yelp: Scribe or Kafka)
• all checked, all good

11. Build Pipeline of a Service
• configuration repository
• Jenkins
  • orchestrates build and deployment
  • pipelines of sequential steps
  • security-check step

12. PaaSTA security-check
• security status of the service
• run a set of tests at every build
• high level security health of the service
• something changed?
  • actionable alerts for failures
  • faster response time from the team

13. Security tests
• Ubuntu packages up to date
• Docker container best practices
• Well known vulnerabilities
• No secrets in the service repo
• Python/Java dependency check

14. Ubuntu packages up to date
• Check if the latest packages are installed against our apt repositories
• apt-get update && apt-get --simulate dist-upgrade
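As an added example (not Yelp's code), the check on this slide can be implemented by parsing the simulated dist-upgrade and failing on any pending upgrade, with a package-version whitelist as described on the Whitelisting slide; the registry names, package names and apt output below are constructed.

```python
"""Added example, not Yelp's code: turns the output of
`apt-get update && apt-get --simulate dist-upgrade` into a pass/fail check, honouring
a package-version whitelist as on the "Whitelisting" slide. The output is constructed."""
import re

# apt prints one "Inst" line per package it would install or upgrade, e.g.
#   Inst openssl [1.0.2g-1ubuntu4.10] (1.0.2g-1ubuntu4.13 Ubuntu:16.04/xenial-updates [amd64])
# The bracketed installed version is absent for packages new to the system.
INST_RE = re.compile(r"^Inst (\S+) (?:\[([^\]]+)\] )?\(([^ )]+)")

# (package, installed version) pairs a service is allowed to keep (constructed)
VERSION_WHITELIST = {("libfoo", "1.2-3")}


def pending_upgrades(simulate_output):
    """Return (package, installed_or_None, candidate) for every Inst line."""
    return [m.groups() for m in map(INST_RE.match, simulate_output.splitlines()) if m]


def check_packages_up_to_date(simulate_output, whitelist=VERSION_WHITELIST):
    """One finding per pending upgrade not covered by the whitelist; [] means pass."""
    findings = []
    for pkg, installed, candidate in pending_upgrades(simulate_output):
        if (pkg, installed) in whitelist:
            continue  # version deliberately held back, see the Whitelisting slide
        findings.append("%s: %s -> %s" % (pkg, installed or "not installed", candidate))
    return findings


SAMPLE_OUTPUT = """\
Reading package lists...
Building dependency tree...
Calculating upgrade...
The following NEW packages will be installed:
  libbar
The following packages will be upgraded:
  libfoo libssl1.0.0 openssl
3 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Inst libfoo [1.2-3] (1.2-4 Ubuntu:16.04/xenial-updates [amd64])
Inst libbar (2.0-1 Ubuntu:16.04/xenial [amd64])
Inst libssl1.0.0 [1.0.2g-1ubuntu4.10] (1.0.2g-1ubuntu4.13 Ubuntu:16.04/xenial-updates [amd64])
Inst openssl [1.0.2g-1ubuntu4.10] (1.0.2g-1ubuntu4.13 Ubuntu:16.04/xenial-updates [amd64])
Conf libfoo (1.2-4 Ubuntu:16.04/xenial-updates [amd64])
Conf libbar (2.0-1 Ubuntu:16.04/xenial [amd64])
Conf libssl1.0.0 (1.0.2g-1ubuntu4.13 Ubuntu:16.04/xenial-updates [amd64])
Conf openssl (1.0.2g-1ubuntu4.13 Ubuntu:16.04/xenial-updates [amd64])
"""
```

In a Jenkins step the build would fail when `check_packages_up_to_date` returns a non-empty list, and the list itself becomes the body of the alert.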
15. Docker container best practices
• container not running as user root
• Dockerfile
  • Yelp maintained Docker images, no public images
  • Latest images
  • no packages pinned to certain versions
  • .dockerignore contains .git

16. Whitelisting
• Certain version(s) of a package
• Docker images
  • public images for open source projects
  • non-standard Yelp images
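The Dockerfile rules from these two slides, as an added static check that is not Yelp's code: the internal registry prefix, both whitelists and the before/after Dockerfiles are constructed, and the "latest images" rule is left out because it needs a registry lookup rather than a text check.

```python
"""Added example, not Yelp's code: static checks for the rules on the "Docker container
best practices" and "Whitelisting" slides. The registry prefix, the whitelists and the
sample Dockerfiles are constructed; "latest images" needs a registry lookup and is not covered."""
import re

INTERNAL_REGISTRY = "docker.example.internal/"  # placeholder for Yelp-maintained images
IMAGE_WHITELIST = {"elasticsearch:5.6"}         # public images allowed for open source projects
PIN_WHITELIST = {"libfoo"}                      # packages allowed to be pinned to a version
# "pkg=version" tokens on an apt-get install line; lowercase-only so that environment
# assignments such as DEBIAN_FRONTEND=noninteractive are not mistaken for pins
PIN_RE = re.compile(r"(?<!\S)([a-z0-9][a-z0-9+.-]*)=(\S+)")


def check_dockerfile(dockerfile, dockerignore=""):
    """Return a list of findings; an empty list means the container passes."""
    findings = []
    user = None
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            image = args.split()[0]  # drops "AS builder" in multi-stage builds
            if not image.startswith(INTERNAL_REGISTRY) and image not in IMAGE_WHITELIST:
                findings.append("public base image not whitelisted: " + image)
        elif instr == "USER":
            user = args.strip()  # the last USER instruction is what the container runs as
        elif instr == "RUN" and "apt-get install" in args:
            for pkg, version in PIN_RE.findall(args):
                if pkg not in PIN_WHITELIST:
                    findings.append("package pinned without whitelist: %s=%s" % (pkg, version))
    if user is None or user in ("root", "0"):
        findings.append("container runs as root (no non-root USER instruction)")
    if ".git" not in [entry.strip() for entry in dockerignore.splitlines()]:
        findings.append(".dockerignore does not exclude .git")
    return findings


# Constructed "before" and "after" Dockerfiles for the same service
BAD_DOCKERFILE = """\
FROM ubuntu:16.04
RUN apt-get update && apt-get install -y libfoo=1.2-3 curl=7.47.0-1ubuntu2
USER root
COPY . /app
"""
GOOD_DOCKERFILE = BAD_DOCKERFILE.replace("FROM ubuntu", "FROM " + INTERNAL_REGISTRY + "ubuntu")
GOOD_DOCKERFILE = GOOD_DOCKERFILE.replace("curl=7.47.0-1ubuntu2", "curl").replace("USER root", "USER app")
```

`check_dockerfile(BAD_DOCKERFILE)` reports four findings (public image, unwhitelisted pin, root user, missing .dockerignore entry); the hardened file with a `.dockerignore` containing `.git` reports none.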
17. Well known vulnerabilities
• bash shellshock
• extending the list in the future
  • heartbleed - server side applications

18. No secrets in the service repo
• detect and prevent high entropy strings from entering our code base
• assumes the existing code has no secrets
• checks only the new code
• solution loosely based on truffleHog
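The detection described on this slide, as an added example rather than Yelp's implementation: a truffleHog-style Shannon-entropy scan restricted to the added lines of a diff, so existing code is assumed clean and only new code is checked. The thresholds are truffleHog's defaults and the diff is constructed.

```python
"""Added example, not Yelp's code: a truffleHog-style high-entropy check applied only
to the added ('+') lines of a diff, matching the slide's "checks only the new code"
assumption. Thresholds are truffleHog's defaults; the sample diff is constructed."""
import math
import re

BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "0123456789abcdefABCDEF"
B64_RE = re.compile(r"[A-Za-z0-9+/=]{20,}")  # candidate base64-like tokens
HEX_RE = re.compile(r"[0-9a-fA-F]{20,}")     # candidate hex tokens


def shannon_entropy(token, alphabet):
    """Bits of entropy per character of token, measured over the given alphabet."""
    if not token:
        return 0.0
    entropy = 0.0
    for char in set(alphabet):
        p = token.count(char) / len(token)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def find_high_entropy_strings(diff_text, b64_threshold=4.5, hex_threshold=3.0):
    """Return (diff line number, token) for suspicious tokens on added lines only."""
    hits = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        # context lines, removed lines and the '+++ b/path' header are not new code
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for token in B64_RE.findall(line):
            if shannon_entropy(token, BASE64_CHARS) > b64_threshold:
                hits.append((lineno, token))
        for token in HEX_RE.findall(line):  # a pure hex token never reaches 4.5 bits
            if shannon_entropy(token, HEX_CHARS) > hex_threshold:
                hits.append((lineno, token))
    return hits


# Constructed diff: one random-looking token, one hex digest, one low-entropy string
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,2 +1,4 @@
 API_URL = "https://api.example.com/v1/users"
-DEBUG = True
+API_TOKEN = "k3Q9zXw7mB2vL5nP8rT4yU6sA1cD0eFg"
+ASSET_SHA1 = "3f786850e387550fdab836ed7e6dc881de23001b"
+PLACEHOLDER = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"""
```

Run against `SAMPLE_DIFF`, the scan flags the token on line 6 and the hex digest on line 7 but not the repeated-character placeholder, which is the expected false-positive trade-off of an entropy-only check (digests and other legitimate random-looking values are reported too).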
19. Package vulnerability checking
• look for known vulnerabilities in Python/Java packages
• Docker container scanning
  • vulnerabilities in Ubuntu packages
  • classified by severity
  • weekly report via email

20. Failures & alerts
• Solves: ticket creation to track failures that need to be fixed
• security-check failed?
  • email
  • Jira ticket
  • sensu
  • Runbook

21. How we got here
• run bash tests with goss
• get around the libc incompatibilities with rspec
• moving everything to Python
• race condition between the Ubuntu packages that are updated upstream and the Docker base images we build daily
• some services are not built regularly

22. You can do it too
• You don't have to
  • run our PaaS (PaaSTA)
  • use our containerisation solution (Docker)
• write high-level security tests
• integrate them in your build pipeline
• we plan to open source our security test suite next year

23. Takeaways
• PaaSTA
  • PaaS
  • microservices in Docker containers
• build pipeline: multiple steps
• security-check
  • runs a set of tests and sends notifications
• most important - service owners:
  • more aware of the security of their service
  • involved in keeping it safe

24. @YelpEngineering
fb.com/YelpEngineers
engineeringblog.yelp.com
github.com/yelp

25. www.yelp.com/careers/
We're Hiring!

26. Thank you
Join the conversation #DevSecCon

27. Q & A
Join the conversation #DevSecCon