DevOps purists may chafe at the DevSecOps term given that security and other important practices are supposed to already be an integral part of routine DevOps workflows. But the reality is that security often gets more lip service than thoughtful and systematic integration into open source software sourcing, development pipelines, and operations processes--in spite of an increasing number of threats.
The extensive use of modular open source software from third-parties, distributed development teams, and rapid iterative releases require a commitment to security and the adoption of security approaches that are continuous, adaptive, and heavily automated.
In this session, Red Hat Technology Evangelist Gordon Haff looks at successful practices that distributed and diverse teams use to iterate rapidly while still reacting quickly to threats and minimizing business risk. I'll discuss how a container platform can serve as the foundation for DevSecOps in your organization. I'll also consider the risk management associated with integrating components from a variety of sources--a consideration that open source software has had to deal with since the beginning. Finally, I'll show ways in which automation and repeatable, trusted delivery of code can be built directly into a DevOps pipeline.
“In the past 12 months at Gartner, how to securely integrate security into DevOps — delivering DevSecOps — has been one of the fastest-growing areas of interest of clients, with more than 600 inquiries across multiple Gartner analysts in that time frame”
- Ian Head & Neil MacDonald, Dec 2017.
https://sdtimes.com/developers/gartners-guide-to-successful-devsecops/
OWASP TOP 10
2017 RC2:
● Injection
● Broken authentication
● Sensitive data exposure
● XML External Entities (XXE)
● Broken access control
● Security misconfiguration
● Cross-site scripting (XSS)
● Insecure deserialization
● Using components with known vulnerabilities
● Insufficient logging & monitoring
2007:
● Cross-site scripting (XSS)
● Injection flaws
● Malicious file execution
● Insecure direct object reference
● Cross-site request forgery (CSRF)
● Information leakage & improper error handling
● Broken authentication & session management
● Insecure cryptographic storage
● Insecure communications
● Failure to restrict URL access
“Education and awareness are not the only answer for security. You need to design around humans.”
- Theresa Payton, former White House CIO and star of Hunted. Nov. 2018
DevSecOps the open source way
[Pipeline diagram: DEV and OPS tracks running across DEVELOPMENT, TEST ENVS. and PRODUCTION stages, with SUPPLY CHAIN and IMAGES & ARTIFACTS feeding in, and MONITORING AND LOGGING spanning every stage]
APPLICATION PIPELINE: Write App Code -> Build App -> Unit Test -> Package App -> Deploy App
DEPLOYMENT INFRASTRUCTURE PIPELINE: Write Infra Code -> Build Images -> Validate Infra -> Automate Infra -> Deploy Infra
DEPLOYMENT ENV.: IMMUTABLE CONTAINER INFRASTRUCTURE
● Minimal Linux distribution
● Optimized for running containers
● Decreased attack surface
● Over-the-air automated updates
● Bare-metal and cloud host configuration
DEPLOYMENT ENV.: SECURING THE CONTAINER PLATFORM
Security features include
● Role-based Access Controls with LDAP and OAuth integration
● Secure communication
● Logging, Monitoring, Metrics
● Multitenancy via Project namespaces and integrated SDN (Kube CNI plug-in)
● Integrated & extensible secrets management
DEPLOYMENT ENV.: SECRETS MANAGEMENT
● Secure mechanism for holding sensitive data, e.g.
○ Passwords and credentials
○ SSH keys
○ Certificates
● Secrets are made available as
○ Environment variables
○ Volume mounts
○ Interaction with external systems (e.g. vaults)
● Encrypted in transit and at rest
● Never rest on the nodes
DEPLOYMENT ENV.: NETWORK DEFENSE
[Network diagram; recoverable labels:]
● PUBLIC NETWORK: Internet-accessible network that supports user workloads
● OPERATIONS NETWORK: Private network for administration and operations
● APPLICATION NETWORK: Private network for inter-app and inter-container communications
● CLOUD PLATFORM SERVICES: DNS, LOAD BALANCING, DIRECTORY SERVICES; NETWORK SERVICES; STORAGE SERVICES
● CONTAINER PLATFORM: APPLICATION NODES, MASTER NODES, INFRASTRUCTURE NODES, BASTION HOST
● Secure the deployment pipeline
● Secure the supply chain
● Secure the deployment environment
● Log and monitor all the things
● Stop blaming the people
Follow me on Twitter at @ghaff
http://www.bitmasons.com