DevOps is not just about deploying software, it’s about reducing bottlenecks and bringing value to the business. By utilizing DevOps techniques we can build a strong security practice that everybody is invested in, even your Developers and Operations Teams!

1. This
Page
Left
Intentionally
Blank

2. This
Page
Also Left
Intentionally
Blank

3. © Copyright 2018 Pivotal Software, Inc. All rights Reserved. Version 1.0
Paul Czarkowski
@pczarkowski
Transform your Security
Team with DevOps

4. © Copyright 2018 Pivotal Software, Inc. All rights Reserved. Version 1.0
Paul Czarkowski
@pczarkowski
Transform your DevOps
Practice with Security

6. Cover w/ Image
Agenda
■ Who I Am
■ Compliance
■ DevOps
■ DevOps + Compliance
■ Q+A

7. Compliance ?

8. What is Compliance ?
Self Imposed
● CIS Controls / Benchmarks
● Security Technical Implementation Guide (STIG)
● Allowed opensource licenses
Regulatory
● PCI (US)
● HIPAA (US)
● Sarbanes-Oxley (US)
● EU GDPR
● NZ Information Security Manual (NZISM)

9. Verification
Validation of compliance based on
Controls in place.
● Checklists
● External Auditors
Checklists
Practice, Policy or Procedure
established to meet compliance
requirements.
● Spreadsheets
● Checklists
● Sharepoint Pages
Specifications
Documentation of requirements that
need to be met in order to be
compliant.
● PDFs
● Verbose
Compliance Controls Audit

10. Example of Compliance Specifications

11. Example of Compliance Specifications

13. Compliance
Officer
Operations
Security
Officer Auditor

14. DevOps

21. http://blog.d2-si.fr/2016/02/22/devopsconnection/

23. Rugged DevOps
DevSecOps
Secure DevOps

24. https://www.devsecopsdays.com/articles/its-just-a-name

27. DevOps + Compliance

28. Embedded OS
(Windows & Linux)
NSX-T
CPI (15 methods)
v1
v2
v3
...
CVEs
Product Updates
Java | .NET | NodeJS
Pivotal Application
Service (PAS)
Application Code & Frameworks
Buildpacks | Spring Boot | Spring Cloud |
Steeltoe
Elastic | Packaged Software | Spark
Pivotal Container
Service (PKS)
>cf push >kubectl run
YOU build the containerWE build the container
vSphere
Azure &
Azure StackGoogle CloudAWSOpenstack
Pivotal
Network
“3Rs”
Github
Concourse
Concourse
Pivotal Services
Marketplace
Pivotal and
Partner Products
Continuous
delivery
Public Cloud
Services
Customer
Managed
Services
OpenServiceBrokerAPI
Repair
— CVEs
Repave Rotate
— Credhub

29. PIVOTAL CLOUD FOUNDRY OPS
Powered by BOSH
BOSH is an open source tool
for release engineering,
deployment, lifecycle
management, and monitoring
of distributed systems.
BOSH
Packaging w/ embedded OS
Server provisioning on any IaaS
Software deployment across availability
zones
Health monitoring (server AND processes)
Self-healing w/ Resurrector
Storage management
Rolling upgrades via canaries
Easy scaling of clusters

30. PIVOTAL CLOUD FOUNDRY OPS
Powered by BOSH
BOSH is an open source tool
for release engineering,
deployment, lifecycle
management, and monitoring
of distributed systems.
BOSH
Packaging w/ embedded OS
Server provisioning on any IaaS
Software deployment across availability
zones
Health monitoring (server AND processes)
Self-healing w/ Resurrector
Storage management
Rolling upgrades via canaries
Easy scaling of clusters

31. PIVOTAL CLOUD FOUNDRY OPS
Powered by BOSH
BOSH is an open source tool
for release engineering,
deployment, lifecycle
management, and monitoring
of distributed systems.
BOSH
Packaging w/ embedded OS
Server provisioning on any IaaS
Software deployment across availability
zones
Health monitoring (server AND processes)
Self-healing w/ Resurrector
Storage management
Rolling upgrades via canaries
Easy scaling of clusters

39. Culture

41. Adopting a DevOps culture
Despite varying approaches to describing high-performance teams
there is a set of common characteristics that are recognised to lead to
success.
● Participative leadership – using a democratic leadership style that involves and engages team members
● Effective decision-making – using a blend of rational and intuitive decision making methods, depending on that
nature of the decision task
● Open and clear communication – ensuring that the team mutually constructs shared meaning, using effective
communication methods and channels
● Valued diversity – valuing a diversity of experience and background in team, contributing to a diversity of
viewpoints, leading to better decision making and solutions
● Mutual trust – trusting in other team members and trusting in the team as an entity
● Clear goals – goals that are developed using SMART criteria; also each goal must have personal meaning and
resonance for each team member, building commitment and engagement
● Defined roles and responsibilities – each team member understands what they must do (and what they must not
do) to demonstrate their commitment to the team and to support team success
● Positive atmosphere – an overall team culture that is open, transparent, positive, future-focused and able to
deliver success
https://en.wikipedia.org/wiki/High-performance_teams

42. Lean

43. https://imgur.com/gallery/kMJWs

44. https://www.slideshare.net/KarenMartinGroup/value-stream-mapping-in-office-service-setttings

45. Mappable Processes that include Security / Compliance
Application Release
● Vulnerability Scanning
● Security Scanning (sql
injection etc)
● License Scanning
● Attribution
Compliance Audits
● Vulnerability Scanning
● Security Scanning (sql
injection etc)
● Package updates
● OS inspection
Infrastructure Provisioning
● OS Hardening
● Firewalling
● User Management
● Remote logging and auditing
● Intrusion Detection
● Vulnerability Scanning

46. Value Stream map for Provisioning a New Server
Current State
Prepare
Request
Network
/ VLANs
Launch VM
/ Install OS
Test
Compliance
Deliver
1-5
days
1-5
days
1-5
days
1-5
days
1-2
days
1-2
days
1-2
days
1-2
days

47. Value Stream map for Provisioning a New Server
Future State
Deploy
VM
Configure
VM
Test
Compliance
Deliver
1-5
days
1-5
days
1-5
days
1-2
hours
1-2
hours
1-2
Hours

48. Value Stream map for Provisioning a New Server
Future State

50. Automation

52. ● Implements STIG controls via Ansible playbooks
● Opensource project started at Rackspace
● Plays well with existing config management
● Easily override problematic controls
● Extends RSPEC for Compliance testing
● Similar to Serverspec, but better.
● Easy to go from serverspec to inspec
● Inspec-STIG is all of STIG already written into
inspec tests.

53. Source: @petecheslock

54. Example of Compliance Specifications

63. Measurement

66. Sharing

68. What’s Next ?

69. Other Security / Compliance tools
● Gauntlt ( Security Testing Framework )
● Metasploit ( Penetration Testing)
● Syntribos ( API security testing)
● Pivotal LicenseFinder ( Scanning licenses of dependencies )
● Snort ( Intrusion Detection )
● Fossology ( license compliance )
● OpenVAS ( vulnerability scanning )
● OSSEC ( Intrustion Detection )

70. Questions ?

71. Transforming How The World Builds Software
© Copyright 2018 Pivotal Software, Inc. All rights Reserved.