
DevSecOps: Bringing security to the DevOps pipeline


Talk held at the Swiss Association for Quality Event June 4th 2019 in Zürich, Switzerland

Published in: Software


  1. DevSecOps: Security in DevOps. Aarno Aukia, CTO @ VSHN - The DevOps Company. 4.6.2019, Swiss Association for Quality
  2. Agenda
     ● About Aarno & VSHN.ch
     ● From Dev to DevOps to DevSecOps
     ● DevOps/AppSec/DevSecOps/SecOps?
     ● Automating Operations to include security
       ○ Build
       ○ Test
       ○ Deployment
       ○ Ops
         ■ Software containers & container orchestration: Docker & Kubernetes
         ■ Cloud Native Computing
     ● IT Governance improvements
  3. About Aarno & VSHN.ch
     ● @aarnoaukia, http://about.me/aarno, aarno.aukia@vshn.ch
     ● ETH → Google → Atrila → VSHN
     ● VSHN - The DevOps Company: since 2014, currently 37 VSHNeers in Zürich, Switzerland
     ● Helping developers run applications on any infrastructure, making both visitors happy with stability and developers happy with agility
  4. Software Project Management: Requirements → Design → Implementation → Validation → Maintenance (the same diagram is repeated on slides 5 and 6)
  7. Software Project Management: Requirements → Design → Implementation → Testing → Release → Biz
  8. Software Project Management: Dev vs. Ops. Requirements → Design → Implementation → Testing → Release → Ops → Biz
  9. OPS = Firefighting-as-a-Service?
  10. Capability Maturity Model Integration (CMMI). Chart label: Operations 2014. How to get to this level?
  11. DevOps: People, Processes & Tools
  12. DevOps: People, Processes & Tools. Collaboration between software developers and operations:
     ● Teamwork
     ● Continuous improvement
     ● Efficient and lean
     ● Agile: being able to react to new requirements
     ● Automate as much as possible (“Infrastructure as code”)
  13. Software Project Management: DevOps. Requirements → Design → Implementation → Testing → Release → Deploy → Operate → Monitor
  14. Software Project Management: DevOps. Requirements → Design → Implementation → Testing → Release → Deploy → Operate → Monitor, with SECURITY spanning the whole pipeline
  15. Software Project Management: DevSecOps. Requirements → Design → Implementation → Testing → Release → Deploy → Operate → Monitor, with security activities overlaid on the phases: Todo-List, Data & Risks, Secure Practices, Validation, traceability, auditability, Anomalies, Availability
  16. Areas of security improvement
     ● Developer education, requirements engineering, design review -> AppSec
     ● Software Build/Deployment/Operations -> DevSecOps
     ● Incident detection & management -> SecOps
  17. DevSecOps principles
  18. Build
     ● static code analysis, run automatically for each commit
     ● dependency management
     ● (base) container image scanning
  19. Code analysis: SonarQube
  20. Dependency updates: https://dependabot.com
  21. Container scanning: Aqua Security (aquasec)
  22. Test
     ● smoke tests
     ● test environments “à discretion” (as many as needed, on demand)
  23. Deployment
     ● atomic container deployment
     ● every deployment (and rollback) is a “normal deployment”
     ● deployment automation removes the need for (all) devs to have root access to prod and/or to wait for ops to deploy the new dev version
  24. Ops
     ● standardization on a (minimal, hardened) OS and container orchestrator
     ● immutable (application) infrastructure using containers
     ● process/storage/network separation of applications/environments
     ● detect/prevent configuration drift between dev/test/stage/prod environments
     ● documentation & automatic backup of all volumes
     ● documentation & monitoring of routes/load balancers/ingress points, with enforced SSL/TLS
     ● AAI (authentication & authorization infrastructure) for admin & application
     ● key & secrets management
     ● audit logging of control & application planes
  25. Container isolation
     ● Kernel namespacing (process & network)
     ● Control groups (resource quota to prevent DoS)
     ● SELinux (additional syscall filter)
     ● prevent running as root inside the container; no user-provided privileged containers (enforce best practice)
     ● read-only container filesystem (harder to persist an exploit at runtime)
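The isolation controls on this slide, and the "security by default" items on the Ops slide (24), map almost one-to-one onto fields of a Kubernetes Pod specification. The manifest below is an added example written for this page; it is not material from the talk or from VSHN. The image name `registry.example/shop/api:1.4.2`, the `shop` namespace, the UID 10001 and the resource figures are constructed placeholders. It shows a permissive Pod beside a hardened one, followed by a default-deny NetworkPolicy for the network-separation bullet.

```yaml
# Added example (not from the talk). Three Kubernetes objects for one
# constructed image "registry.example/shop/api:1.4.2" (placeholder name).
#
# --- 1. Permissive spec: violates every bullet on the "Container isolation" slide ---
apiVersion: v1
kind: Pod
metadata:
  name: api-permissive
  namespace: shop                    # constructed namespace
spec:
  hostPID: true                      # shares the host PID namespace: no process isolation
  hostNetwork: true                  # shares the host network namespace
  containers:
    - name: api
      image: registry.example/shop/api:1.4.2
      securityContext:
        privileged: true             # user-provided privileged container: near full host access
      # no "resources:" block  -> no cgroup quota, one runaway container can starve the node
      # no runAsNonRoot        -> runs as the image default user, often root
      # writable root fs       -> an attacker can persist changes at runtime
---
# --- 2. Hardened spec: each field implements one bullet from the slide ---
apiVersion: v1
kind: Pod
metadata:
  name: api-hardened
  namespace: shop
spec:
  hostPID: false                     # own PID namespace (kernel namespacing, process)
  hostNetwork: false                 # own network namespace (kernel namespacing, network)
  hostIPC: false
  securityContext:                   # pod-level: applies to every container in the pod
    runAsNonRoot: true               # kubelet refuses to start a container whose user is UID 0
    runAsUser: 10001                 # constructed non-root UID that exists in the image
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault           # runtime's default syscall filter, complements SELinux on the host
  containers:
    - name: api
      image: registry.example/shop/api:1.4.2
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false   # sets no_new_privs: setuid binaries cannot regain root
        readOnlyRootFilesystem: true      # "harder to persist an exploit at runtime"
        capabilities:
          drop: ["ALL"]                   # start from zero Linux capabilities
      resources:                          # control groups: resource quota to prevent DoS
        requests: { cpu: "250m", memory: "256Mi" }
        limits:   { cpu: "1",    memory: "512Mi" }
      volumeMounts:
        - name: tmp
          mountPath: /tmp                 # the only writable path; discarded with the pod
  volumes:
    - name: tmp
      emptyDir: {}
---
# --- 3. Network separation: deny all inbound traffic to pods in the namespace ---
# (allow rules for the ingress point are then added explicitly, per application)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}                    # empty selector = every pod in the namespace
  policyTypes: ["Ingress"]           # no ingress rules listed, so nothing is allowed in
```

The manifest only expresses the intent; the slide's "no user-provided privileged containers (enforce best practice)" is a cluster-side control that rejects the first object at admission time. In 2019 that was Pod Security Policy; in current Kubernetes it is Pod Security Admission with the `restricted` profile label on the namespace, or an external admission controller. Either way the hardened spec above is what such a policy would accept and the permissive one what it would reject.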
  26. Traditional IT governance
     ● “Full Stack Audit”
     ● Review the design document
     ● Every layer was custom built
       ○ physical hardware
       ○ handcrafted servers
       ○ manual application deployment
     ● Review each layer
     ● Review each layer again next year...
  27. Cloud native IT governance
     ● Standardized components
       ○ already audited, some even externally certified
       ○ re-used, economies of scale, CMMI level 5
       ○ technical controls (AAI, RBAC, logs/SIEM) implemented once
       ○ financial controls implemented once
     ● Infrastructure: private/public cloud
     ● Ops: container orchestration platform
     ● Review the design document & platform configuration
  28. IT governance controls in container platforms
     ● prevent configuration drift
       ○ immutable (application) infrastructure using containers
       ○ deploy dev/test/stage/prod environments from CI/CD
     ● prevent manual errors
       ○ validate configuration in CI/CD before deployment
       ○ standardization on a (minimal, hardened) OS and container orchestrator
       ○ deployment automation removes the need for (most) root prod access
     ● security by default
       ○ image scanning, dependency vulnerability management
       ○ process/storage/network separation of applications/environments
       ○ volumes & ingress points best practice (documentation, monitoring, backup, SSL/TLS/WAF)
       ○ AAI for admin & application, audit trail logging of CI/CD, control & application planes
       ○ key & secrets management
  29. Thank you
     ● Please get in touch with feedback
     ● Twitter: @aarnoaukia
     ● LinkedIn: https://www.linkedin.com/in/aukia/
     ● Email: aarno.aukia@vshn.ch
     ● DevSecOps Forum: https://www.sig-switzerland.ch/devsecops_forum/
  30. Come visit us for a coffee! VSHN AG - Neugasse 10 - CH-8005 Zürich - +41 44 545 53 00 - https://vshn.ch/ - info@vshn.ch - https://vshn.ch/kontakt/ - Follow us on Twitter! @vshn_ch
