OWASP Kyiv 27-05-2017 chapter meeting talk. Video: https://www.youtube.com/watch?v=EYEwhwsVjJ0 Additional materials: https://drive.google.com/open?id=0BzJY1aS7ycPzd2VUb2JmUWdvRW8

1. Application Security
automation with
DevOps tools and clouds
OWASP Kyiv 2017

2. Agenda
• Problematics
• SecOps vs Pentester needs
• HW VM vs Container
• How to select the tool
• Docker as universal solution
• Security of “Citadel”
• Conclusion
• Practice demonstration

3. Problematics
• Administration routine
• Inventory
• Configuration management
• Backup and recovery
• Classic enterprise or qualified team?
• Auditor probes of server configs:)

4. SecOps vs Pentester needs
SecOps Pentester Admins
Scanners
Permanent with ticketing
service!
Temporary and scalable
One more scan — one
more damage:)
Monitoring Fullest
Terminal bells can be
enough:)
Zabbix our ALL
Backups
Full with strong plan and
copies
Evidences for report Sometimes we need it
Data encryption
Secured by vendor and
checked by auditor
Always if responsible for
customer security
Once more that keys
entering…%(
Cloud&
Virtualization
Own DC is preferred Ideal surround
Automation NO, Enterprise…
Any deployment with
tools and scripts
It’s for DevOps:)
But automation is your time! For recovery, incident response, project time
and money.

5. HW VM vs Container
VM Container
Perfomance More resources are taken for each
VM
Sharing single kernel resources
Management Need additional mgmt systems Simple scripting
Provisioning OpenStack, … Native swarm, kubernetes
Automation Different for each VM Can be done by Host machines
Select depending on tasks and plans!

6. How to select the tool
Chef and Puppet are oldest, more established options, making them good for larger enterprises
and environments that value maturity and stability over simplicity.
Ansible and SaltStack are good options for those looking for fast and simple solutions while
working in environments that don’t need support for quirky features or lots of OSs.
If RedHat only distributions good option is Spacewalk
Chef Puppet SaltStack Ansible
Architecture Client/Server Client/Server
Client/Server
Client mode
Client Only
Parallelization Full Full Partial One-by-one
Licensing Fully paid
Open
Paid Enterprise
Open
Paid Enterprise
Open
Paid Tower
Container
support
Native docker
module
Docker by
external module
Native docker
module
Native docker
module
Cloud
support
Full in
Enterprise
Full in
Enterprise
Full Full

7. SaltStack vs Ansible
SaltStack Ansible
Architecture
salt-master(servers)/salt-minion(clients)
over own TCP connection
SSH access only from
anywhere(configured host) to servers
Speed Fast paralilysed execution
Very slow for big scopes: server by server
execution
Code
structure
Mostly general modules for any platform
(better tested and included on client side)
Exact modules for each feature/platform
(execution of imported code — more fails)
Orchestration
More featured and have monitoring:
events&reactors — responses on minion
events
Very simple structuring of roles and
playbooks
Security
Use TCP connections with own AES protocol
using PyCrypto package
Flexible SSH configuration and more
tested protocol
Sensitive data Secured master machine
Secured admin’s or dedicated VM
mashine
Deployment
Complex server deployment but very
scalable and distributed
Very simple installation, update, scaling
and migration

8. Docker as universal solution
• Implement docker-engine at any cloud provider
• HW&Security limitation now out-the-box
• Kali on AWS?:) — import-export your container anywhere
• Scanner limits — scale anywhere your own or pulled
containers (Sn1per for recon for example)
• Manage docker hosts&containers with saltstack or
ansible
• Need visualization — try kubernetes

9. Main docker features
• Rapid application deployment – containers include the minimal runtime requirements
of the application, reducing their size and allowing them to be deployed quickly.
• Portability across machines – an application and all its dependencies can be bundled
into a single container that is independent from the host version of Linux kernel,
platform distribution, or deployment model. This container can be transfered to
another machine that runs Docker, and executed there without compatibility issues.
• Version control and component reuse – you can track successive versions of a
container, inspect differences, or roll-back to previous versions. Containers reuse
components from the preceding layers, which makes them noticeably lightweight.
• Sharing – you can use a remote repository to share your container with others. And it
is also possible to configure your own private repository.
• Lightweight footprint and minimal overhead – Docker images are typically very
small, which facilitates rapid delivery and reduces the time to deploy new
application containers.
• Simplified maintenance – Docker reduces effort and risk of problems with application
dependencies.
• Security&resource limitations – Docker has flexible features of security and HW
resources limitations and network segmentation.

10. Security of “Citadel”
• FDE as must (LUKS for key container at least)
• Security monitoring (ossec+ELK or Splunk)
• No ssh passwords — key access only
• ACL limitation or VPN
• ansible-vault and salt shadow.set_password

11. Conclusion
• DevOps is not only the next level of admins —
it’s strong solution for any IT&Dev&Security