DevSecOps:
The Open Source Way
Gordon Haff, Technology Evangelist, Red Hat
@ghaff
WHY DevSecOps?
● DevOps “purists” point out that security was always part of DevOps
● Did people just not read the book?
● Did people not understand the book?
● Are practitioners just skipping security anyway?
Source: IT Revolution, DevOps Enterprise abstract word cloud, 2014.
But now it’s 2017. Right?
What’s the Problem?
● A new silo
● Devs (often) don’t grok (even) traditional security
● Assembled applications and supply chains
● Security not integrated into pipeline
SEC
OWASP Top 10: 2007 vs. 2017 RC2
2007:
● Cross-site scripting (XSS)
● Injection flaws
● Malicious file execution
● Insecure direct object reference
● Cross-site request forgery (CSRF)
● Information leakage & improper error handling
● Broken authentication & session management
● Insecure cryptographic storage
● Insecure communications
● Failure to restrict URL access
2017 RC2:
● Injection
● Broken authentication
● Sensitive data exposure
● XML External Entities (XXE)
● Broken access control
● Security misconfiguration
● Cross-site scripting (XSS)
● Insecure deserialization
● Using components with known vulnerabilities
● Insufficient logging & monitoring
Applications are ‘assembled’... utilizing billions of available libraries, frameworks and utilities
● Not all are created equal: some are healthy and some are not
● All go bad over time; they age like milk, not like wine
● Enterprises consume an average of 229,000 software components annually, of which 17,000 had a known security vulnerability
A typical DevOps pipeline
How security integrates
Opportunities!
● Better organizations
● Containers
● Secured supply chain
● Secured pipeline
● Secured operations
→ Managed approach to risk
Better Organizations
CULTURE of collaboration, valuing openness and transparency
Kids programming: Esti Alvarez, CC license
Open source offers guidance
Culture = f(l, o, i, t, …)
Where:
l = leadership
o = organization
i = incentives
t = trust
… = many other things
Containers
What are containers? It depends on who you ask.
Sys-Admins / Ops:
● Sandboxed application processes on a shared Linux OS kernel
● Simpler, lighter, and denser than virtual machines
● Portable across different environments
Developers:
● Package my application and all of its dependencies
● Deploy to any environment in seconds and enable CI/CD
● Easily access and share containerized components
Containers technical timeline
● Aug ’08: LXC initial release
● May ’11: OpenShift Online
● Mar ’13: Docker initial release
● Jun ’15: OpenShift Enterprise 3.0; Open Container Initiative
● Apr ’17: Moby
● Jun ’17: Buildah initial release
● Sep ’17: CRI-O
The community landscape: open source, leadership, and standards
● Docker/Moby
● Kubernetes/OpenShift
● OCI Specifications
● Cloud Native Technical Leadership
● Vendor/partner ecosystem
Open Container Initiative (OCI)
● Docker, Red Hat et al., June 2015
● Two specifications:
○ Runtime: how to run a “filesystem bundle” that is unpacked on disk
○ Image Format: how to create an OCI Image that contains sufficient information to launch the application on the target platform
“Containers are an easy way to get a reasonable percentage of security built in.”
John Willis, co-author of The DevOps Handbook, ServerlessConf 2017
Manage Risk
MANAGED RISK, across Dev and Ops: Reuse, Automation, Microservices, Immutability, Pervasive access, Speed, Rapid tech churn, Flexible deploys, Containers, Software-defined
Securing the assets
● Building code
○ Watching for changes in how things get built
○ Signing the builds
● Built assets
○ Scripts, binaries, packages (RPMs), containers (OCI images), machine images (ISOs, etc.)
○ Registries (service, container, app)
○ Repositories (local on-host image assets)
Safe at Titan Missile Museum
https://upload.wikimedia.org/wikipedia/commons/5/59/Red_Safe%2C_Titan_Missile_Museum.jpg
Registries
● Do you require a private registry?
● What security metadata is available for your images?
● Are the images in the registry updated regularly?
● Are there access controls on the registry? How strong are they? Who can push images to the registry?
Securing the development process
● Potentially lots of parallel builds
● Source code
○ Where is it coming from?
○ Who is it coming from?
● Supply chain tooling
○ CI tools (e.g. Jenkins)
○ Testing tools
○ Scanning tools (e.g. Black Duck)
Boeing's Everett factory near Seattle
https://upload.wikimedia.org/wikipedia/commons/c/c8/At_Boeing%27s_Everett_factory_near_Seattle_%289130160595%29.jpg
Creative Commons
Securing the development process
Ensure the application code is compliant
Ensure the pipeline is not compromised
Systematic, ongoing, and automated
Pipeline diagram (stages shown): Dev, Repo, Scan, Image Build, Scan, Deploy, Test
Track third-party development technologies
● How do we ensure that all these variations are working and supported together?
● Containers and container ecosystems help vendors to continuously secure their software
Securing the operations: Deployment
● Trusted registries and repos
● Signatures for authenticating and authorizing images
● Image scanning
● Policies
● Ongoing assessment with automated remediation
Mission Control - Apollo 13
https://c1.staticflickr.com/4/3717/9460197822_9f6ab3f30c_b.jpg
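The pipeline stages on the previous slide (repo scan, image build scan, deploy) and the deployment controls listed here (trusted registries, signed builds, image scanning, policies) can be enforced by a single automated gate. The following is an added example, not code from the talk or from Red Hat: the registry names, the HMAC signing key, the severity and age thresholds, and the two scan reports are all constructed, and HMAC stands in for the asymmetric signature a real build stage would use.

```python
"""Policy gate for the scan/sign/deploy stages of a container pipeline (added example)."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

TRUSTED_REGISTRIES = {"registry.internal.example"}   # hypothetical private registry
SIGNING_KEY = b"constructed-build-signing-key"        # demo secret; never hard-code a real key
BLOCK_ABOVE = "MEDIUM"                                # HIGH and CRITICAL findings block deployment
MAX_AGE_DAYS = 365                                    # "age like milk": flag stale components
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
TODAY = date(2017, 10, 1)                             # constructed pipeline run date


@dataclass
class Component:
    name: str
    version: str
    released: date
    vulns: list          # scanner output: [{"id": ..., "severity": ...}, ...]


@dataclass
class ImageReport:
    image: str           # registry/repository:tag
    digest: str          # content digest of the built image
    signature: str       # signature over the digest, produced by the build stage
    components: list     # list of Component, i.e. the image's bill of materials


def sign_digest(digest: str, key: bytes = SIGNING_KEY) -> str:
    """Build stage: sign the image digest so later stages can detect tampering."""
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def registry_of(image: str) -> str:
    return image.split("/", 1)[0]


def evaluate(report: ImageReport, today: date = TODAY) -> list[str]:
    """Deploy stage: return policy violations; an empty list means the image may ship."""
    findings: list[str] = []
    if registry_of(report.image) not in TRUSTED_REGISTRIES:
        findings.append(f"untrusted registry: {registry_of(report.image)}")
    if not hmac.compare_digest(report.signature, sign_digest(report.digest)):
        findings.append("build signature does not verify for " + report.digest)
    for comp in report.components:
        for vuln in comp.vulns:
            # Fail closed: a severity the policy does not know is treated as blocking.
            sev = str(vuln.get("severity", "")).upper()
            rank = SEVERITY_RANK.get(sev, SEVERITY_RANK["CRITICAL"])
            if rank > SEVERITY_RANK[BLOCK_ABOVE]:
                findings.append(f"{comp.name} {comp.version}: {vuln.get('id', '?')} ({sev or 'unknown'})")
        age = (today - comp.released).days
        if age > MAX_AGE_DAYS:
            findings.append(f"{comp.name} {comp.version}: {age} days old, review for updates")
    return findings


def may_deploy(report: ImageReport, today: date = TODAY) -> bool:
    return not evaluate(report, today)


def sample_reports() -> tuple[ImageReport, ImageReport]:
    """Two constructed scan reports: one clean image and one that fails every check."""
    good_digest = "sha256:" + hashlib.sha256(b"web:1.4.2 layers").hexdigest()
    good = ImageReport(
        image="registry.internal.example/shop/web:1.4.2",
        digest=good_digest,
        signature=sign_digest(good_digest),
        components=[Component("libexample", "2.3.0", date(2017, 6, 1), [])],
    )
    bad_digest = "sha256:" + hashlib.sha256(b"web:latest layers").hexdigest()
    bad = ImageReport(
        image="public.example/someone/web:latest",   # not in TRUSTED_REGISTRIES
        digest=bad_digest,
        signature="0000",                             # forged or missing signature
        components=[Component("libexample", "1.0.0", date(2016, 1, 10),
                              [{"id": "VULN-CONSTRUCTED-001", "severity": "CRITICAL"},
                               {"id": "VULN-CONSTRUCTED-002", "severity": "LOW"}])],
    )
    return good, bad


if __name__ == "__main__":
    for report in sample_reports():
        print(report.image, "->", "deploy" if may_deploy(report) else evaluate(report))
```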
Securing the operations: Lifecycle
● Blue/green, A/B, or canary continuous deployments
● Monitoring deployments
● Possibly multiple environments
Securing the operations: Monitoring and metrics
● Log (most) things
● Alarm few things
● Establish relevant metrics
● Root cause analysis (reactive)
● Detect patterns/trends (proactive)
● Context and distributions matter
● Incentives drive behavior
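An added example (not from the talk) of the "log most things, alarm few things, establish relevant metrics" pattern applied to the registry access-control question raised earlier in the deck (who can push images to the registry?). The key=value log format, the push allow-list, the build network range and the sample audit lines are all constructed.

```python
"""Registry audit-log triage: log everything, alarm on few things, keep metrics (added example)."""
from __future__ import annotations

import ipaddress
from collections import Counter

# Who is allowed to push into each namespace; any other push raises an alarm (constructed).
PUSH_ALLOWLIST = {"shop": {"ci-builder"}, "base": {"ci-builder", "platform-bot"}}
BUILD_NETWORK = ipaddress.ip_network("10.0.0.0/8")   # where CI pushes are expected to originate

# Constructed audit lines in a simple 'timestamp key=value ...' format.
SAMPLE_LOG = """\
2017-10-01T09:12:03Z action=push repo=shop/web tag=1.4.2 user=ci-builder src=10.0.5.21
2017-10-01T09:15:44Z action=pull repo=shop/web tag=1.4.2 user=node-07 src=10.0.7.3
2017-10-01T09:15:49Z action=pull repo=shop/web tag=1.4.2 user=node-08 src=10.0.7.4
2017-10-01T11:02:19Z action=push repo=shop/web tag=latest user=jsmith src=10.0.9.4
2017-10-01T23:41:05Z action=push repo=base/runtime tag=1.0 user=ci-builder src=203.0.113.7
2017-10-02T02:00:10Z action=delete repo=shop/web tag=1.4.1 user=ci-builder src=10.0.5.21
"""


def parse_line(line: str) -> dict:
    """Turn one 'ts key=value ...' line into a dict; keys are whatever the line carries."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def triage(log_text: str) -> tuple[list[str], dict]:
    """Return (alarms, metrics). Every event feeds a metric; only policy breaches alarm."""
    alarms: list[str] = []
    metrics = {"by_action": Counter(), "pushes_by_user": Counter(), "pulls_by_repo": Counter()}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        action, repo, user = ev.get("action"), ev.get("repo", ""), ev.get("user", "?")
        metrics["by_action"][action] += 1
        if action == "pull":
            metrics["pulls_by_repo"][repo] += 1
            continue                      # pulls are logged and counted, never alarmed
        if action in ("push", "delete"):
            namespace = repo.split("/", 1)[0]
            if action == "push":
                metrics["pushes_by_user"][user] += 1
            target = f"{repo}:{ev.get('tag')}"
            if user not in PUSH_ALLOWLIST.get(namespace, set()):
                alarms.append(f"{ev['ts']} {action} to {target} by unauthorised user {user}")
            try:
                src_ok = ipaddress.ip_address(ev.get("src", "")) in BUILD_NETWORK
            except ValueError:
                src_ok = False            # an unparsable source counts as outside the build network
            if not src_ok:
                alarms.append(f"{ev['ts']} {action} to {target} from outside build network ({ev.get('src')})")
    return alarms, metrics


if __name__ == "__main__":
    found, stats = triage(SAMPLE_LOG)
    print("\n".join(found) or "no alarms")
    print(dict(stats["pushes_by_user"]))
```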
How are we doing?
“... we estimate that fewer than 20% of enterprise security architects have engaged with their DevOps initiatives to actively and systematically incorporate information security into their DevOps initiatives; and fewer still have achieved the high degrees of security automation required to qualify as DevSecOps.”
“By 2019, more than 70% of enterprise DevOps initiatives will have incorporated automated security vulnerability and configuration scanning for open source components and commercial packages, up from less than 10% in 2016.”
Source: DevSecOps: How to Seamlessly Integrate Security Into DevOps, Gartner Inc., September 2016
Thank You!
Gordon Haff
Technology Evangelist, Red Hat
@ghaff
Cloudy Chat podcast
www.redhat.com
www.bitmasons.com
