Amsterdam, May 2018
Even DevOps purists are now embracing the DevSecOps term as they’ve recognized how siloed security often remains. Security still gets more lip service than thoughtful and systematic integration into open source software sourcing, development pipelines, and operations processes--in spite of an increasing number of threats. Distributed development teams and rapid iterative releases require a commitment to security approaches that are continuous, adaptive, and heavily automated.
In this session, Red Hat Technology Evangelist Gordon Haff will discuss successful practices for using a rich ecosystem of open source and other software to bake security into the development and deployment pipeline to both iterate quickly and minimize business risk. He’ll discuss how container platforms and other cloud-native tooling can serve as the foundation for DevSecOps. Finally, he’ll look at good practices for integrating components from a variety of sources--a consideration that open source software has had to deal with since the beginning.
2. Who am I?
Technology Evangelist at Red Hat
Reformed analyst
Former big systems guy
Photographer, hiker, traveler, etc.
See also http://www.bitmasons.com
3. DevOps: Extending Agile
● Culture of collaboration valuing openness and transparency
● Automation of process from development through ongoing operations
● Platforms and tools drawing from innovative open source communities
4. Why DevSecOps?
● DevOps “purists” point out that security was always part of DevOps
● Did people just not read the book?
● Did people not understand the book?
● Are practitioners just skipping security anyway?
11. An alternate view:
Separation of concerns
You do not, in fact, want to communicate with a bank teller more efficiently
Build and operate a platform and get out of the way
Source: Flickr/cc Ning Ham
https://www.flickr.com/photos/ningham/525770546
17. Containers change how we develop, deploy, and manage applications
INFRASTRUCTURE
● Sandboxed application processes on a shared Linux kernel
● Simpler, lighter, and denser than virtual machines
● Portable across different environments
APPLICATIONS
● Package my application and all of its dependencies
● Deploy to any environment in seconds and enable CI/CD
● Easily access and share containerized components
● Portable across environments
18. A simplified container stack
Diagram elements: Red Hat Enterprise Linux; Ansible / CloudForms; RHEL Container Runtime & Packaging (SELinux and SCC); Enterprise Container Host; OCI-compliant runtime; Partners; Projects
19. Secure the platform
Use a container orchestration platform with integrated security features including
● Role-based Access Controls with LDAP and OAuth integration
● Platform multi-tenant security
● Integrated & extensible secrets management
● Logging, Monitoring, Metrics
● Enable integration with the security ecosystem
20. Monitoring and metrics
● Log (most) things
● Alarm few things
● Establish relevant metrics
● Root cause analysis (reactive)
● Detect patterns/trends (proactive)
● Context and distributions matter
● Incentives drive behavior
22. What’s new?
● Microservices
● Rapid tech churn
● Pervasive access
● Speed!
● Iterative development
● Two-pizza teams
● Bounded context
● Single/limited function services
● External service interfaces
● Open source
● Public repos
● Component reuse
● Container builds
23. Container build, pipeline, and runtime concerns
● Do you trust the container source?
● Does the container force you to run as root?
● Microservices have special networking and governance needs
● Decouple build tools, container runtimes, and orchestration
24. Applications are assembled
…utilizing billions of available libraries, frameworks and utilities
● Not all are created equal, some are healthy and some are not
● All go bad over time, they age like milk, not like wine
● Enterprises consume an average of 229,000 software components annually, of which 17,000 had a known security vulnerability
26. Istio and microservices: connect, manage, and secure a network of microservices (service mesh)
● Traffic Management
● Observability
● Policies and enforcement
● Service identity and security
27. API management and microservices: container platform and application APIs
● Authentication and authorization
● LDAP integration
● End-point access controls
● Rate limiting
28. Security must be continuous… and integrated throughout the entire application lifecycle
Diagram: security checklist (security policy, process & procedures) spanning the lifecycle stages Design, Build, Run, Manage, Adapt
30. A simplified CI/CD pipeline
Diagram elements: Git, CI, Private Registry, CD; External Images entering the pipeline as either Trusted Content or Unknown Content
31. Integrating security into CI/CD
Diagram elements: Git, CI, Private Registry, CD; External Images entering the pipeline as either Trusted Content or Unknown Content
33. Automated security throughout pipeline
● Integrate security testing into your build / CI process
● Use automated policies to flag builds with issues
● Trigger automated rebuilds
● Sign your custom container images
● Design for separation of concerns
Diagram: OpenShift CI/CD pipeline (Jenkins) with stages image build & deploy, unit test, code quality, vulnerability scan, integration test, promote to test, QA, promote to UAT, UAT, promote to prod
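The following is an added example, not code from the talk or from Red Hat, that ties together three questions the slides raise: "Do you trust the container source?" and "Does the container force you to run as root?" (slide 23), the assembled components with known vulnerabilities (slide 24), and "use automated policies to flag builds with issues" (slide 33). It is a small policy gate that a CI stage such as the vulnerability-scan step in the pipeline above could run before promoting an image. The registry names, the scan report shape and the vulnerability IDs are all hypothetical and constructed inline; the only real convention used is the OCI image config field `config.User`, which defaults to root when unset.

```python
"""Added example: a CI policy gate for a freshly built container image.

Three checks, one per concern from the talk:
  1. Source trust   - base image must come from an allow-listed registry.
  2. Root           - OCI image config 'User' must be set and not root/uid 0.
  3. Components     - scanned components must not carry known vulnerabilities
                      at or above the failing severity (minus explicit waivers).
Registry names, report schema and vulnerability IDs are constructed for the
example and are not any real scanner's output.
"""
import json
from dataclasses import dataclass, field

# Assumed severity scale for the policy; map your scanner's labels onto it.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Hypothetical allow-list: your private registry plus a vendor registry.
TRUSTED_REGISTRIES = ("registry.example.internal/", "registry.access.redhat.com/")


@dataclass
class Verdict:
    passed: bool
    findings: list = field(default_factory=list)


def base_image_trusted(base_image: str) -> bool:
    """Trust is decided by where the reference points, not by its tag."""
    return base_image.startswith(TRUSTED_REGISTRIES)


def runs_as_root(image_config: dict) -> bool:
    """Inspect an OCI image config dict. An absent or empty 'User' means the
    runtime starts the process as uid 0, so it counts as root."""
    user = (image_config.get("config", {}).get("User") or "").strip()
    if not user:
        return True
    name = user.split(":", 1)[0]  # "1001:1001" or "app:app" -> user part only
    return name in ("0", "root")


def vulnerable_components(scan: dict, fail_at: str, waived):
    """Yield (component, vulnerability) pairs at or above fail_at severity,
    skipping vulnerability IDs that were explicitly waived."""
    threshold = SEVERITY_RANK[fail_at]
    for comp in scan.get("components", []):
        for vuln in comp.get("vulnerabilities", []):
            if vuln["id"] in waived:
                continue
            if SEVERITY_RANK[vuln["severity"]] >= threshold:
                yield comp, vuln


def evaluate(build: dict, fail_at: str = "HIGH", waived=frozenset()) -> Verdict:
    """Apply all three checks; any finding blocks promotion."""
    findings = []
    if not base_image_trusted(build["base_image"]):
        findings.append(f"untrusted base image: {build['base_image']}")
    if runs_as_root(build["image_config"]):
        findings.append("image runs as root (OCI config 'User' unset or root)")
    for comp, vuln in vulnerable_components(build["scan"], fail_at, waived):
        findings.append(f"{comp['name']}@{comp['version']}: {vuln['id']} ({vuln['severity']})")
    return Verdict(passed=not findings, findings=findings)


# Constructed sample builds (placeholder vulnerability IDs, not real CVEs).
UNTRUSTED_BUILD = {
    "base_image": "docker.io/someone/base:latest",
    "image_config": {"config": {"Cmd": ["/app/server"]}},  # no User -> root
    "scan": {"components": [
        {"name": "libfoo", "version": "1.2.3",
         "vulnerabilities": [{"id": "VULN-0001", "severity": "CRITICAL"},
                             {"id": "VULN-0002", "severity": "LOW"}]},
    ]},
}

HARDENED_BUILD = {
    "base_image": "registry.example.internal/base/ubi:8",  # hypothetical name
    "image_config": {"config": {"User": "1001:1001", "Cmd": ["/app/server"]}},
    "scan": {"components": [
        {"name": "libfoo", "version": "1.2.4",
         "vulnerabilities": [{"id": "VULN-0003", "severity": "MEDIUM"}]},
    ]},
}

if __name__ == "__main__":
    for label, build in (("untrusted", UNTRUSTED_BUILD), ("hardened", HARDENED_BUILD)):
        verdict = evaluate(build)
        print(label, "PASS" if verdict.passed else "FAIL",
              json.dumps(verdict.findings, indent=2))
```

Two design points worth keeping when adapting this: the waiver set is deliberately an input rather than something baked into the gate, so that accepted risk is recorded next to the build that carries it and can be reviewed or expired; and the root check reads the image config rather than trusting the Dockerfile, because the `USER` line can be overridden by a later stage or a base image change.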
34. Glass half-empty. Glass half-full.
“... we estimate that fewer than 20% of enterprise security architects have engaged
with their DevOps initiatives to actively and systematically incorporate information
security into their DevOps initiatives; and fewer still have achieved the high degrees of
security automation required to qualify as DevSecOps.”
“By 2019, more than 70% of enterprise DevOps initiatives will have incorporated
automated security vulnerability and configuration scanning for open source
components and commercial packages, up from less than 10% in 2016.”
DevSecOps: How to Seamlessly Integrate Security Into DevOps, Gartner Inc. September 2016