DevSecOps:
The Open Source Way
Gordon Haff, Technology Evangelist, Red Hat
@ghaff
Who am I?
Technology Evangelist at Red Hat
Reformed analyst
Former big systems guy
Photographer, hiker, traveler, etc.
See also http://www.bitmasons.com
DevOps: Extending Agile
● Culture of collaboration valuing openness and transparency
● Automation of process from development through ongoing operations
● Platforms and tools drawing from innovative open source communities
Why DevSecOps?
● DevOps “purists” point out that security was always part of DevOps
● Did people just not read the book?
● Did people not understand the book?
● Are practitioners just skipping security anyway?
(Dysfunctional) silos
Dev skills?
Containerization
New app dev patterns
Rethinking the pipeline
Silos (diagram: security, labelled SEC, as a separate silo)
An alternate view:
Separation of concerns
You do not, in fact, want to communicate with a bank teller more efficiently.
Build and operate a platform and get out of the way.
Source: Flickr/cc Ning Ham
https://www.flickr.com/photos/ningham/525770546
Skills and security awareness
OWASP Top 10
2007
Cross-site scripting (XSS)
Injection flaws
Malicious file execution
Insecure direct object reference
Cross-site request forgery (CSRF)
Information leakage & improper error handling
Broken authentication & session management
Insecure cryptographic storage
Insecure communications
Failure to restrict URL access
2017 RC2
Injection
Broken authentication
Sensitive data exposure
XML External Entities (XXE)
Broken access control
Security misconfiguration
Cross-site scripting (XSS)
Insecure deserialization
Using components with known vulnerabilities
Insufficient logging & monitoring
PROCESS / TOOLS
Containerization
Containers change how we develop, deploy, and manage applications
● Sandboxed application processes on a shared Linux kernel
● Simpler, lighter, and denser than virtual machines
● Portable across different environments
● Package my application and all of its dependencies
● Deploy to any environment in seconds and enable CI/CD
● Easily access and share containerized components
● Portable across environments
A simplified container stack (diagram, spanning infrastructure to applications)
Red Hat Enterprise Linux
Ansible / CloudForms
RHEL Container Runtime & Packaging (SELinux and SCC)
Enterprise Container Host
OCI-compliant runtime
Partners
Projects
Secure the platform
Use a container orchestration platform with integrated security features including
● Role-based Access Controls with LDAP and OAuth integration
● Platform multi-tenant security
● Integrated & extensible secrets management
● Logging, Monitoring, Metrics
● Enable integration with the security ecosystem
Monitoring and metrics
● Log (most) things
● Alarm few things
● Establish relevant metrics
● Root cause analysis (reactive)
● Detect patterns/trends (proactive)
● Context and distributions matter
● Incentives drive behavior
New App Dev Patterns
What’s new?
Microservices
Rapid tech churn
Pervasive access
Speed!
Iterative development
Two-pizza teams
Bounded context
Single/limited function services
External service interfaces
Open source
Public repos
Component reuse
Container builds
● Do you trust the container source?
● Does the container force you to run as root?
● Microservices have special networking and governance needs
● Decouple build tools, container runtimes, and orchestration
Container build, pipeline, and runtime concerns
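The first two questions above, checked mechanically before an image is built. This is an added example, not code from the deck or from Red Hat; the trusted-registry allow-list and the three Dockerfiles are constructed for illustration.

```python
"""Pre-build checks for two of the slide's questions: does the base image come
from a registry we trust, and does the shipped image force us to run as root?"""
from typing import List, Optional, Tuple

# Assumption (constructed): registries this organisation has vetted.
TRUSTED_REGISTRIES = frozenset({"registry.example.internal"})


def parse_dockerfile(text: str) -> List[Tuple[str, str]]:
    """Return (INSTRUCTION, arguments) pairs, joining backslash-continued
    lines and skipping comments and blank lines."""
    parsed, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        instr, _, args = (buf + line).partition(" ")
        parsed.append((instr.upper(), args.strip()))
        buf = ""
    return parsed


def registry_of(image_ref: str) -> Optional[str]:
    """Registry an image reference resolves to. Without a registry prefix the
    engine defaults to Docker Hub ('docker.io'), the case worth catching;
    'scratch' is the empty image and has no registry."""
    if image_ref == "scratch":
        return None
    first, slash, _ = image_ref.partition("/")
    # The leading path component is a registry only if it looks like a host.
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def runs_as_root(user_arg: str) -> bool:
    """USER takes 'name[:group]' or 'uid[:gid]'; 'root' and uid 0 are root."""
    return user_arg.split(":")[0] in ("root", "0")


def check_dockerfile(text: str, trusted=TRUSTED_REGISTRIES) -> List[str]:
    """Return findings; an empty list means both checks pass. Only the last
    build stage becomes the shipped image and USER does not carry across
    stages, so the root check is reset at every FROM."""
    findings: List[str] = []
    stage_names = set()
    user: Optional[str] = None
    for instr, args in parse_dockerfile(text):
        if instr == "FROM":
            parts = [p for p in args.split() if not p.startswith("--")]
            image = parts[0]
            user = None                        # a new stage starts as root
            if image not in stage_names:       # 'FROM <earlier stage>' is fine
                reg = registry_of(image)
                if reg is not None and reg not in trusted:
                    findings.append(f"base image {image!r} comes from untrusted registry {reg}")
            if len(parts) == 3 and parts[1].upper() == "AS":
                stage_names.add(parts[2])
        elif instr == "USER":
            user = args
    if user is None:
        findings.append("final stage sets no USER: the container runs as root")
    elif runs_as_root(user):
        findings.append(f"final stage sets USER {user}: the container runs as root")
    return findings


# Constructed Dockerfiles: a Docker Hub base with no USER; a trusted base with
# an unprivileged USER; and a multi-stage build whose non-root USER lives only
# in the builder stage, so the shipped image still runs as root.
DOCKERFILE_UNTRUSTED_ROOT = """\
FROM python:3.11
COPY app /app
RUN pip install --no-cache-dir -r /app/requirements.txt \\
    && rm -rf /root/.cache
CMD ["python", "/app/main.py"]
"""
DOCKERFILE_OK = """\
FROM registry.example.internal/base/python:3.11
COPY app /app
USER 1001:0
CMD ["python", "/app/main.py"]
"""
DOCKERFILE_MULTISTAGE = """\
FROM registry.example.internal/build/golang:1.22 AS build
USER 1001
COPY . /src
RUN cd /src && go build -o /out/app .
FROM registry.example.internal/base/static:latest
COPY --from=build /out/app /app
ENTRYPOINT ["/app"]
"""
```

The multi-stage case is the one reviewers most often miss: a USER line is present in the file, but not in the stage that ships.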
Applications are assembled
…utilizing billions of available libraries, frameworks and utilities
● Not all are created equal: some are healthy and some are not
● All go bad over time; they age like milk, not like wine
● Enterprises consume an average of 229,000 software components annually, of which 17,000 had a known security vulnerability
Obligatory xkcd, but even thoughtful integration pulls in a huge number of dependencies
Istio and microservices: connect, manage, and secure a network of microservices (service mesh)
● Traffic Management
● Observability
● Policies and enforcement
● Service identity and security
API management and microservices: container platform and application APIs
● Authentication and authorization
● LDAP integration
● End-point access controls
● Rate limiting
Security must be continuous… and integrated throughout the entire application lifecycle
Security checklist: security policy, process & procedures
Lifecycle stages (diagram): Design, Build, Run, Manage, Adapt
Rethinking the pipeline
A simplified CI/CD pipeline (diagram): Git, CI, Private Registry, CD; inputs labelled External Images, Unknown Content and Trusted Content
Integrating security into CI/CD (diagram: the same pipeline elements, Git, CI, Private Registry, CD, External Images, Unknown Content, Trusted Content)
Automated security throughout pipeline
● Integrate security testing into your build / CI process
● Use automated policies to flag builds with issues
● Trigger automated rebuilds
● Sign your custom container images
● Design for separation of concerns
OpenShift CI/CD pipeline (Jenkins) (diagram). Stages shown include: image build & deploy, unit test, code quality, vulnerability scan, integration test, promote to test, QA, promote to UAT, UAT, promote to prod
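A policy gate of the kind the bullets above describe, sitting between the vulnerability-scan stage and the promote steps. It is an added example, not the deck's or Red Hat's code: per-stage severity limits, a signed-image requirement for the later stages, an age warning for components that "age like milk", and a rebuild recommendation when a blocking finding already has a fix. The stage thresholds, signing key id, dates and scan report are all constructed.

```python
"""Promotion gate applied to one image scan report per target stage."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Assumption (constructed): the worst severity each stage tolerates and
# whether a signed image is required to enter it.
STAGE_POLICY = {
    "test": {"max_severity": "HIGH",   "require_signature": False},
    "uat":  {"max_severity": "MEDIUM", "require_signature": True},
    "prod": {"max_severity": "LOW",    "require_signature": True},
}
MAX_COMPONENT_AGE_DAYS = 730            # constructed "stale component" threshold


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    released: date


@dataclass(frozen=True)
class Finding:
    component: str
    severity: str
    fix_available: bool


@dataclass
class ImageReport:
    image: str
    signed_by: Optional[str]            # key id from the image signature, None if unsigned
    components: List[Component]
    findings: List[Finding]


@dataclass
class Decision:
    promote: bool
    rebuild_recommended: bool           # some blocking finding already has a fix
    reasons: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def evaluate(report: ImageReport, stage: str, trusted_signers, today: date) -> Decision:
    """Block on findings above the stage's limit and on a missing or untrusted
    signature; warn (do not block) on stale components."""
    policy = STAGE_POLICY[stage]
    limit = SEVERITY_RANK[policy["max_severity"]]
    reasons, warnings, fixable = [], [], False
    for f in report.findings:
        if SEVERITY_RANK[f.severity] > limit:
            reasons.append(f"{f.component}: {f.severity} exceeds {policy['max_severity']} allowed in {stage}")
            fixable = fixable or f.fix_available
    if policy["require_signature"] and report.signed_by not in trusted_signers:
        reasons.append(f"{report.image} is not signed by a trusted key")
    for c in report.components:
        age = (today - c.released).days
        if age > MAX_COMPONENT_AGE_DAYS:
            warnings.append(f"{c.name} {c.version} is {age} days old")
    return Decision(promote=not reasons, rebuild_recommended=fixable,
                    reasons=reasons, warnings=warnings)


TODAY = date(2018, 3, 1)                               # constructed evaluation date
TRUSTED_SIGNERS = frozenset({"KEYID-PIPELINE-EXAMPLE"})  # constructed key id

# Constructed scan report: one fixable CRITICAL, one MEDIUM with no fix yet,
# and one component well past the age threshold; the image is unsigned.
REPORT_UNSIGNED = ImageReport(
    image="registry.example.internal/shop/cart:42", signed_by=None,
    components=[Component("libfoo", "1.2.0", date(2015, 6, 1)),
                Component("webfw", "3.4.1", date(2017, 11, 20))],
    findings=[Finding("libfoo", "CRITICAL", fix_available=True),
              Finding("webfw", "MEDIUM", fix_available=False)],
)
# The same image after an automated rebuild picked up the libfoo fix and the
# pipeline signed it; the MEDIUM issue remains.
REPORT_REBUILT = ImageReport(
    image="registry.example.internal/shop/cart:43", signed_by="KEYID-PIPELINE-EXAMPLE",
    components=[Component("libfoo", "1.2.1", date(2018, 2, 15)),
                Component("webfw", "3.4.1", date(2017, 11, 20))],
    findings=[Finding("webfw", "MEDIUM", fix_available=False)],
)
```

With these inputs the unsigned build is blocked even for test (the CRITICAL exceeds HIGH) and a rebuild is recommended; the rebuilt, signed image passes test and UAT but not prod, where no rebuild would help because the remaining finding has no fix yet.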
Glass half-empty. Glass half-full.
“... we estimate that fewer than 20% of enterprise security architects have engaged with their DevOps initiatives to actively and systematically incorporate information security into their DevOps initiatives; and fewer still have achieved the high degrees of security automation required to qualify as DevSecOps.”
“By 2019, more than 70% of enterprise DevOps initiatives will have incorporated automated security vulnerability and configuration scanning for open source components and commercial packages, up from less than 10% in 2016.”
DevSecOps: How to Seamlessly Integrate Security Into DevOps, Gartner Inc., September 2016
Thank You!
Gordon Haff
Technology Evangelist, Red Hat
@ghaff
Cloudy Chat podcast
www.redhat.com
www.bitmasons.com
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationvaddepallysandeep122
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 

Último (20)

Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 

DevSecOps: The Open Source Way

  • 1. DevSecOps: The Open Source Way Gordon Haff, Technology Evangelist, Red Hat @ghaff
  • 2. Who am I? Technology Evangelist at Red Hat Reformed analyst Former big systems guy Photographer, hiker, traveler, etc. See also http://www.bitmasons.com
  • 3. DevOps: Extending Agile ● Culture of collaboration valuing openness and transparency ● Automation of process from development through ongoing operations ● Platforms and tools drawing from innovative open source communities
  • 4. Why DevSecOps? ● DevOps “purists” point out that security was always part of DevOps ● Did people just not read the book? ● Did people not understand the book? ● Are practitioners just skipping security anyway?
  • 5.
  • 6. (Dysfunctional) silos Dev skills? Containerization New app dev patterns Rethinking the pipeline
  • 8.
  • 9.
  • 10. SEC
  • 11. An alternate view: Separation of concerns You do not, in fact, want to communicate with a bank teller more efficiently Build and operate a platform and get out of the way Source: Flickr/cc Ning Ham https://www.flickr.com/photos/ningham/525770546
  • 12. Skills and security awareness
  • 13. OWASP Top 10, 2007: Cross-site scripting (XSS); Injection flaws; Malicious file execution; Insecure direct object reference; Cross-site request forgery (CSRF); Information leakage & improper error handling; Broken authentication & session management; Insecure cryptographic storage; Insecure communications; Failure to restrict URL access
  • 14. OWASP Top 10, 2007 (the slide 13 list) shown beside 2017 RC2: Injection; Broken authentication; Sensitive data exposure; XML External Entities (XXE); Broken access control; Security misconfiguration; Cross-site scripting (XSS); Insecure deserialization; Using components with known vulnerabilities; Insufficient logging & monitoring
  • 15. The same 2007 vs. 2017 RC2 comparison as slide 14, annotated PROCESS / TOOLS
  • 17. Containers change how we develop, deploy, and manage applications. Infrastructure: ● Sandboxed application processes on a shared Linux kernel ● Simpler, lighter, and denser than virtual machines ● Portable across different environments. Applications: ● Package my application and all of its dependencies ● Deploy to any environment in seconds and enable CI/CD ● Easily access and share containerized components ● Portable across environments
  • 18. A simplified container stack (diagram layers): Red Hat Enterprise Linux; Ansible / CloudForms; RHEL Container Runtime & Packaging (SELinux and SCC); Enterprise Container Host; OCI-compliant runtime; Partners; Projects
  • 19. Secure the platform Use a container orchestration platform with integrated security features including ● Role-based Access Controls with LDAP and OAuth integration ● Platform multi-tenant security ● Integrated & extensible secrets management ● Logging, Monitoring, Metrics ● Enable integration with the security ecosystem
  • 20. Monitoring and metrics ● Log (most) things ● Alarm few things ● Establish relevant metrics ● Root cause analysis (reactive) ● Detect patterns/trends (proactive) ● Context and distributions matter ● Incentives drive behavior
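The "log (most) things, alarm few things" idea from slide 20 is easy to state and easy to get wrong in practice: every event should feed a metric, but an alert should fire only when a pattern emerges. The following is an added example, not code from the deck or from Red Hat; it parses a constructed authentication log (the line format and the sample addresses are invented for the example) and separates metrics, which count everything, from alerts, which fire once per source only when failures cluster inside a sliding window.

```python
"""Log-to-alert reduction: count everything, alert on patterns.

Added example (not from the slides). The log format below is an
assumption made for the example:
    <ISO timestamp> auth <ok|fail> user=<name> src=<address>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def summarize(lines, window=timedelta(minutes=5), fail_threshold=5):
    """Return (metrics, alerts).

    Every parsed event updates the metrics. An alert is produced only when
    a single source accumulates `fail_threshold` failures within `window`,
    and at most once per source, so a burst yields one alert, not dozens.
    Unparseable lines are counted rather than silently dropped, because a
    rising 'unparsed' count is itself worth a metric (format drift, tampering).
    """
    metrics = {"total": 0, "ok": 0, "fail": 0, "unparsed": 0,
               "fail_by_src": defaultdict(int)}
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            metrics["unparsed"] += 1
            continue
        metrics["total"] += 1
        metrics[ev["result"]] += 1
        if ev["result"] != "fail":
            continue
        src = ev["src"]
        metrics["fail_by_src"][src] += 1
        q = recent[src]
        q.append(ev["ts"])
        # Drop failures that have aged out of the window (lines are assumed time-ordered).
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= fail_threshold and src not in alerted:
            alerted.add(src)
            alerts.append(f"{src}: {len(q)} failed logins within {window}")
    return metrics, alerts


# Constructed sample log: one source fails six times in two minutes, another
# fails twice hours apart, plus successes and one line that is not an auth event.
SAMPLE_LOG = """\
2024-01-01T10:00:00 auth ok user=alice src=10.0.0.2
2024-01-01T10:00:10 auth fail user=bob src=10.0.0.9
2024-01-01T10:00:30 auth fail user=alice src=10.0.0.5
2024-01-01T10:00:45 auth fail user=alice src=10.0.0.5
2024-01-01T10:01:00 auth fail user=carol src=10.0.0.5
2024-01-01T10:01:15 auth fail user=dave src=10.0.0.5
2024-01-01T10:01:30 auth fail user=erin src=10.0.0.5
2024-01-01T10:01:45 auth fail user=frank src=10.0.0.5
2024-01-01T10:02:00 auth ok user=bob src=10.0.0.9
this line is not an auth event
2024-01-01T13:00:00 auth fail user=bob src=10.0.0.9
""".splitlines()


if __name__ == "__main__":
    metrics, alerts = summarize(SAMPLE_LOG)
    print("metrics:", dict(metrics, fail_by_src=dict(metrics["fail_by_src"])))
    print("alerts:", alerts)
```

The per-source failure distribution stays available in the metrics for root-cause work afterwards (the "context and distributions matter" point), while the on-call pager sees a single line for the burst and nothing for the two isolated failures.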
  • 21. New App Dev Patterns
  • 22. What’s new? Microservices, rapid tech churn, pervasive access, speed! Iterative development, two-pizza teams, bounded context, single/limited function services, external service interfaces, open source, public repos, component reuse, container builds
  • 23. Container build, pipeline, and runtime concerns ● Do you trust the container source? ● Does the container force you to run as root? ● Microservices have special networking and governance needs ● Decouple build tools, container runtimes, and orchestration
  • 24. Applications are assembled …utilizing billions of available libraries, frameworks and utilities ● Not all are created equal: some are healthy and some are not ● All go bad over time; they age like milk, not like wine ● Enterprises consume an average of 229,000 software components annually, of which 17,000 had a known security vulnerability
  • 26. Istio and microservices: Connect, manage, and secure a network of microservices (service mesh) ● Traffic management ● Observability ● Policies and enforcement ● Service identity and security
  • 27. API management and microservices: Container platform and application APIs ● Authentication and authorization ● LDAP integration ● End-point access controls ● Rate limiting
  • 28. Security must be continuous… and integrated throughout the entire application lifecycle (diagram: SECURITY CHECKLIST; Security policy, process & procedures; lifecycle stages DESIGN, BUILD, RUN, MANAGE, ADAPT)
  • 30. A simplified CI/CD pipeline (diagram labels: Git, CI, Private Registry, CD, External Images, Trusted Content, Unknown Content)
  • 31. Integrating security into CI/CD (same diagram labels as slide 30)
  • 32. Integrating security into CI/CD (same diagram labels as slide 30)
  • 33. Automated security throughout pipeline ● Integrate security testing into your build / CI process ● Use automated policies to flag builds with issues ● Trigger automated rebuilds ● Sign your custom container images ● Design for separation of concerns (diagram: OPENSHIFT CI/CD PIPELINE (JENKINS) with stages IMAGE BUILD & DEPLOY, UNIT TEST, CODE QUAL, VULN SCAN, PROMOTE TO TEST, INT TEST, PROMOTE TO UAT, QA, UAT, PROMOTE TO PROD ☒; note: MODIFY FOR BLACK DUCK)
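Slides 23, 24 and 33 together describe the gate a pipeline needs: flag builds whose components carry known vulnerabilities, and refuse images that insist on running as root, without a human reading scanner output. The block below is an added example, not code from the deck, from Red Hat or from any scanner product. It assumes a scanner has already produced findings (the `Finding` records, the package names and the `CVE-0000-000N` identifiers are constructed placeholders, not real advisories) and applies a policy with a severity threshold and a time-boxed risk acceptance list, then checks the Dockerfile's final `USER` directive.

```python
"""Pipeline policy gate: turn scan output and a Dockerfile into a pass/fail.

Added example (not from the slides). Findings, package names and the
CVE-0000-000N identifiers below are constructed placeholders; a real job
would load them from the scanner's report.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple
import re

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Finding:
    package: str
    version: str
    vuln_id: str
    severity: str
    fixed_in: Optional[str] = None   # None when the upstream has no fix yet


@dataclass
class Policy:
    block_at: str = "HIGH"            # findings at this severity or above fail the build
    accepted: Dict[str, date] = field(default_factory=dict)  # vuln_id -> acceptance expiry


@dataclass
class Verdict:
    passed: bool
    blocking: List[str]
    warnings: List[str]


def evaluate_findings(findings: List[Finding], policy: Policy, today: date) -> Tuple[List[str], List[str]]:
    """Split findings into blocking issues and warnings under `policy`.

    An accepted vuln_id is only honoured until its expiry date, so a risk
    acceptance cannot quietly become permanent; after expiry the finding
    blocks again and has to be re-reviewed.
    """
    blocking, warnings = [], []
    threshold = SEVERITY_RANK[policy.block_at.upper()]
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity.upper(), 0)
        expiry = policy.accepted.get(f.vuln_id)
        if expiry is not None and today <= expiry:
            warnings.append(f"{f.vuln_id} in {f.package}: accepted until {expiry}")
            continue
        if rank >= threshold:
            fix = f"upgrade to {f.fixed_in}" if f.fixed_in else "no fix available"
            blocking.append(f"{f.vuln_id} ({f.severity}) in {f.package} {f.version}: {fix}")
        else:
            warnings.append(f"{f.vuln_id} ({f.severity}) in {f.package} {f.version}")
    return blocking, warnings


USER_RE = re.compile(r"^\s*USER\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def runs_as_root(dockerfile_text: str) -> bool:
    """True if the image would start as root: no USER directive, or the last one is root/0."""
    users = USER_RE.findall(dockerfile_text)
    if not users:
        return True
    last_user = users[-1].split(":")[0]   # strip an optional ":group" suffix
    return last_user in ("root", "0")


def gate(findings: List[Finding], dockerfile_text: str, policy: Policy, today: date) -> Verdict:
    """Combine both checks into one verdict a CI step can act on."""
    blocking, warnings = evaluate_findings(findings, policy, today)
    if runs_as_root(dockerfile_text):
        blocking.append("image runs as root: add a non-root USER directive")
    return Verdict(passed=not blocking, blocking=blocking, warnings=warnings)


# Constructed sample input: one unaccepted critical, one accepted high, one low.
SAMPLE_FINDINGS = [
    Finding("libexample", "1.2.3", "CVE-0000-0001", "CRITICAL", fixed_in="1.2.4"),
    Finding("widgetlib", "0.9.0", "CVE-0000-0002", "HIGH", fixed_in=None),
    Finding("toolz", "2.0.0", "CVE-0000-0003", "LOW", fixed_in="2.0.1"),
]
SAMPLE_DOCKERFILE = """FROM registry.example/base:1
RUN install-stuff
USER 1001:1001
"""
SAMPLE_POLICY = Policy(block_at="HIGH", accepted={"CVE-0000-0002": date(2099, 1, 1)})


if __name__ == "__main__":
    verdict = gate(SAMPLE_FINDINGS, SAMPLE_DOCKERFILE, SAMPLE_POLICY, date(2024, 1, 1))
    print("PASS" if verdict.passed else "FAIL")
    for line in verdict.blocking:
        print("  BLOCK:", line)
    for line in verdict.warnings:
        print("  WARN: ", line)
```

Running it on the sample input fails the build on the unaccepted critical finding, reports the accepted high and the low as warnings, and passes the root check because the final `USER` is a numeric non-zero uid. The same `Verdict` can drive the "trigger automated rebuilds" step: a blocking finding with a `fixed_in` version is exactly the case where a rebuild against updated components is worth kicking off automatically.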
  • 34. Glass half-empty. Glass half-full. “... we estimate that fewer than 20% of enterprise security architects have engaged with their DevOps initiatives to actively and systematically incorporate information security into their DevOps initiatives; and fewer still have achieved the high degrees of security automation required to qualify as DevSecOps.” “By 2019, more than 70% of enterprise DevOps initiatives will have incorporated automated security vulnerability and configuration scanning for open source components and commercial packages, up from less than 10% in 2016.” DevSecOps: How to Seamlessly Integrate Security Into DevOps, Gartner Inc. September 2016
  • 35. Thank You! Gordon Haff Technology Evangelist, Red Hat @ghaff Cloudy Chat podcast www.redhat.com www.bitmasons.com