
Strategies on How to Overcome Security Challenges Unique to Cloud-Native Apps

273 views

Published on

As IT organizations build and release software continuously, how do security teams become enablers of this pace? How can you ensure that the higher rate of change is not leading to lesser security?

Join our webinar to learn how Pivotal and Signal Sciences work together to make app deployments faster *and* safer in cloud-native environments.

This webinar will cover:
- Best practices for implementing new security programs and incentivizing their adoption
- How to simplify application layer security deployments across a variety of apps, teams and cloud infrastructures
- How threat visibility and real-time attack telemetry bring security context into DevOps teams and improve response times.

Presenters: Zane Lackey, Signal Sciences and Kamala Dasika, Pivotal

Published in: Technology

Strategies on How to Overcome Security Challenges Unique to Cloud-Native Apps

  1. Strategies on How to Overcome Security Challenges Unique to Cloud-Native Apps
     Zane Lackey @ZaneLackey, Kamala Dasika @DasikaKN
  2. About Pivotal (© Copyright 2017 Pivotal Software, Inc. All rights reserved.)
     Transform how the world builds software. Modern Software Methodology | Modern Cloud-Native Platform
  3. Security Matters to All of Us
     - 76% of websites with vulnerabilities*
     - 35% increase in ransomware*
     - 100-150 days to patch/fix in enterprises+
     * April 2017 Internet Security Threat Report; + Web Applications Security Statistics Report 2016
  4. Bespoke Application Process Drives Complex, Manual Deploys & Waterfall Release Cycles
  5. Security Tradition: The brittle stack. The long accreditation cycle. The culture of no. The unpatched server. The un-versioned application. The inconsistent configuration. The leaked credential.
  6. Security Tradition: Reduce risk by slowing down.
  7. Cloud Native Security: Reduce risk by going faster.
  8. Core Pillars: Repair, Repave, Rotate, Turn-key Compliance. Starve the resources needed for attacks; address vulnerabilities caused by time/delays, misconfigured/unpatched software and leaked credentials.
  9. Platform Security Concepts: Immutable consistent infrastructure; 2-layer scheduler; hardened container boundary; constant, full-stack patching; ephemeral servers; fully encrypted network; ubiquitous policy enforcement; control of software supply chain; monitoring and scanning integration; turn-key compliance.
  10. Structured Automation: Everything to Deploy and Manage the App: 1. Roles and Policy, 2. Metrics, 3. Log Aggregation, 4. Health management, 5. Security and Isolation, 6. Blue-Green deployment, 7. Scaling.
     - Consistent Contracts
     - Fully Automated, Repeatable platform-managed DevOps processes
     - Developer + Ops + Security Friendly Constructs
     - Infrastructure Failure Agnostic
  11. Deployment & Buildpacks: cf push, cf push -b <buildpack>. The deployed artifact is produced in three stages: Detect (Buildpack), Compile (Dependencies), Release (Execution config & command). Buildpack sources: Built-In, Community, Custom, Partner; Code Artifacts.
  13. Stemcell Hardening
     - Stemcell = Bare minimal OS + PCF specific utilities and configuration files
     - Hardening guidance from commercial and govt. sources
     - BOSH Add-Ons: ensure certain software runs on all VMs managed by the Director, e.g. security agents like Tripwire, IPsec, etc., anti-viruses like McAfee, health monitoring agents and logging agents
     [Figure: BOSH / Ops Manager deploying a Stemcell and Release Manifest to a set of VMs (simplified to illustrate the point)]
  15. Each Layer Upgradable with No Downtime. Container layers: Application; App Runtime*; File system mapping; Linux host & kernel. Deployment styles: Blue-Green deploy; Canary-style deploy.
     * e.g. Embedded webserver, app configurations, JRE, agents for services packaged as buildpacks
  16. Upgrade and patch with rolling "canary" deploys. Update introduced on one VM; if the tests pass, keep going. Apps redeployed to clear VMs. [Figure legend: A, B, M, N, X, Y = application instances; shaded box = VM prior to update]
  17. Upgrade and patch with rolling "canary" deploys: automated, no downtime, atomic rolling update. [Figure: the same six instances redeployed VM by VM]
  18. “The first time ever we fully upgraded Cloud Infrastructure with Zero Impact. In Production. During Business Hours. During Peak Business Hours.” Source: Internal Feedback Shown by Greg Otto, Executive Director @Comcast at Cloud Foundry Summit 2016
  19. Guest Speaker: Zane Lackey
     - Started out in offense: iSEC Partners / NCC Group
     - Moved to defense: first head of security at Etsy, built and led the four security groups
     - Now scaling defense for many orgs: co-founder / CSO at Signal Sciences, delivering a product that defends web applications in the DevOps/Cloud world
  20. Lessons learned being at the forefront of the shift to DevOps/Cloud
  21. Spoiler: Security shifts from being a gatekeeper to enabling teams to be secure by default
  22. What has changed?
  23. The new realities in a DevSecOps world:
     1. Changes happen multiple orders of magnitude faster than previously
     2. Security only becomes successful if it can bake in to the Development/DevOps process
     3. For many apps, the cost of attack is so low you will be attacked even if you’re not a brand name
  26. Let’s change our approach
  27. What new concepts should security focus on?
  28. What new concepts should security focus on? Visibility + Feedback
  29. Except… These aren’t new concepts!
  30. Performance monitoring, data analytics, A/B testing are all about visibility + feedback
  31. The same hard lessons are slowly shifting to security
  32. First, a story from the old days…
  33. How can we improve?
  34. Ex: Which of these is a quicker way to spot an attack?
  35. Surface security visibility for everyone, not just the security team (if the security team even exists)
  36. Obtaining better feedback
  37. Three keys to modern feedback loops:
     1. Combination of bug bounty + pentests
     2. Bounty is not a replacement for pentest, it augments pentest
     3. Bounty gives general but more real-time feedback; pentest shifts to giving more directed but less frequent feedback
  40. Visibility + Feedback success story: “I discovered the vulnerability late Friday afternoon and wasn't quite ready to email it to them … [Etsy] had detected my requests and pushed a patch Saturday morning before I could email them. This was by far the fastest response time by any company I've reported to.” Source: https://www.reddit.com/r/netsec/comments/vbrzg/etsy_has_been_one_of_the_best_companies_ive
  41. Embrace DevOps, Cloud, and other means of increasing velocity. But do so safely by obtaining: Visibility + Feedback
  42. Thanks!
  43. Strategies on How to Overcome Security Challenges Unique to Cloud-Native Apps. Zane Lackey @ZaneLackey, Kamala Dasika @DasikaKN
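Slides 16 and 17 describe the rolling "canary" upgrade that makes the "repave" pillar of slide 8 safe to run continuously: drain one VM, rebuild it on the new version, run the tests, and only then move on, so a bad update never reaches more than one VM. The simulation below is an added example written for this page; it is not Pivotal, BOSH or Cloud Foundry code. The fleet (three VMs carrying the deck's instances A, B, M, N, X, Y), the version strings "v1"/"v2", and the test hook fail_on_nth_vm are all constructed for illustration.

```python
"""Rolling canary upgrade: one VM at a time, app instances kept running
throughout, automatic stop and rollback on the first failed test.
Added example; the fleet, versions and test hooks are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class VM:
    name: str
    version: str                                   # e.g. stemcell/release version
    apps: List[str] = field(default_factory=list)  # app instances placed on this VM


def make_fleet() -> List[VM]:
    # Constructed fleet matching the deck's legend: A,B,M,N,X,Y on three VMs.
    return [VM("vm-1", "v1", ["A", "B"]),
            VM("vm-2", "v1", ["M", "N"]),
            VM("vm-3", "v1", ["X", "Y"])]


def running_instances(fleet: List[VM]) -> List[str]:
    return sorted(app for vm in fleet for app in vm.apps)


def evacuate(vm: VM, others: List[VM]) -> List[str]:
    """Redeploy every app instance on vm onto the other VMs (round-robin)."""
    if not others:
        raise ValueError("cannot drain the only VM without downtime")
    moved, vm.apps = vm.apps, []
    for i, app in enumerate(moved):
        others[i % len(others)].apps.append(app)
    return moved


def reclaim(vm: VM, others: List[VM], moved: List[str]) -> None:
    """Bring the evacuated instances back onto vm once it is healthy again."""
    for other in others:
        other.apps = [a for a in other.apps if a not in moved]
    vm.apps = list(moved)


def rolling_canary_upgrade(fleet: List[VM], new_version: str,
                           tests_pass: Callable[[VM], bool]) -> Dict:
    """Upgrade the fleet VM by VM. Each VM is drained, rebuilt at new_version
    (the repave step) and tested before the next VM is touched. A failed test
    rolls that one VM back and stops the rollout, so at most one VM is ever
    out of service and the untouched VMs keep the old version."""
    expected = running_instances(fleet)
    min_running = len(expected)
    log: List[str] = []
    upgraded = 0
    for vm in fleet:
        others = [o for o in fleet if o is not vm]
        moved = evacuate(vm, others)
        # No-downtime invariant: every instance is still running somewhere.
        if running_instances(fleet) != expected:
            raise RuntimeError("instance lost during evacuation")
        min_running = min(min_running, len(running_instances(fleet)))
        previous, vm.version = vm.version, new_version
        if not tests_pass(vm):
            vm.version = previous            # roll the canary back
            reclaim(vm, others, moved)
            log.append(f"{vm.name}: tests failed on {new_version}; rollout stopped")
            break
        reclaim(vm, others, moved)
        upgraded += 1
        log.append(f"{vm.name}: {previous} -> {new_version} ok")
    status = "complete" if upgraded == len(fleet) else "aborted"
    return {"status": status, "upgraded": upgraded, "min_running": min_running,
            "versions": {vm.name: vm.version for vm in fleet},
            "instances": running_instances(fleet), "log": log}


def fail_on_nth_vm(n: int) -> Callable[[VM], bool]:
    """Constructed test hook: the n-th VM tested fails its post-upgrade checks."""
    seen = {"count": 0}

    def check(vm: VM) -> bool:
        seen["count"] += 1
        return seen["count"] != n
    return check


if __name__ == "__main__":
    ok = rolling_canary_upgrade(make_fleet(), "v2", lambda vm: True)
    print(ok["status"], ok["versions"])
    bad = rolling_canary_upgrade(make_fleet(), "v2", fail_on_nth_vm(2))
    print(bad["status"], bad["versions"], bad["log"][-1])
```

The two runs in the main block show the property the deck is selling: in the clean run every VM ends on v2 while min_running never drops below six, and in the failing run the second VM's failed test leaves vm-1 on v2, vm-2 and vm-3 on v1, and all six instances still placed. In a real platform the tests_pass hook would be the smoke tests and health checks the platform runs after repaving a VM.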
