Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
Transcript of Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
Secure DevOps: Overcoming the Risks of Modern Service Delivery
Kurt Bittner & Rick Holland
Forrester Research
Agenda
The DevOps Revolution
Threat Landscape
Best Practices for Secure DevOps
Q&A
Chris Hoover, GVP, Products & Marketing, Perforce Software
Today’s Presenters
Kurt Bittner, Principal Analyst, Application Development and Delivery
Rick Holland, Principal Analyst, Security & Risk
Image: http://www.linkconstructiongroup.net/project.cfm?id=42 © Golden Gate Bridge, Highway and Transportation District
Why DevOps?
It’s simple: intense and increasing competition.
“We don’t compete with other banks. We compete with Apple, Paypal, and Google.” (CIO, Large Banking organization)
Fast application delivery = better business results
Less risk
Less waste
Lower cost
Happier customers
Source: Forrester, “The Software-Powered Business,” October 20, 2014. © 2015 Forrester Research, Inc. Reproduction Prohibited
Seven Habits Of Highly Successful DevOps
1. Establish Trust And Transparency Between Dev And Ops
2. Streamline Your Application Delivery Pipeline
3. See Everything Through The Eyes Of The Customer
4. Adopt A Loosely-Coupled Service-Oriented Architecture
5. Reward Solution Simplicity And Reliability
6. Adapt And Improve Using Customer Experience Data
7. Measure Everyone On Customer Outcomes Achieved
The future is already here — it's just not very evenly distributed.
William Gibson
Could you manually deploy an airbag?
What if a hacker deployed your airbag when you are driving at highway speed?
Source: https://farm4.staticflickr.com/3570/3654967093_8181dff16c_o.jpg
Image: http://blogs-images.forbes.com/sethporges/files/2014/05/googlecar-e1401261602733.jpg
What about kidnapping by hacking an autonomous vehicle?
Software is eating the world
Companies in every industry need to assume a software revolution is coming
But security missed the memo
CONTINUOUS FRICTION
CONTINUOUS NAGGING
Companies & agencies are overwhelmed
In more than 75% of breaches, initial compromise took days or less
Source: http://www.verizonenterprise.com/DBIR/2014
Yet only about 25% were discovered within days
Source: http://www.verizonenterprise.com/DBIR/2014/
Code Spaces goes out of business
Deleted: EBS snapshots, S3 buckets, all AMIs
The ’90s called; they want their security approach back
Static and dynamic code analysis can take days
Bolt on security cannot keep pace with DevOps
Image: http://media-cdn.tripadvisor.com/media/photo-s/02/ce/93/e8/auditorium-theatre.jpg
Manual security processes are often little more than Risk Management Theater
Instead of bright ideas, we have broken bulbs
Source: https://farm2.staticflickr.com/1105/1471414696_b7e134d097_o.jpg
The perimeter is dead!
Image: https://www.flickr.com/photos/23879276@N00/3318932796
Except for the perimeters between our teams:
Development is the “Department of No.”
Operations is the “Department of No” as well.
Security is the “Department of Hell No!”
Ford’s great innovation: the assembly line
Image: https://upload.wikimedia.org/wikipedia/commons/2/29/Ford_assembly_line_-_1913.jpg
Lean Value Stream Mapping
Source: http://en.wikipedia.org/wiki/Value_stream_mapping
Faster Delivery = Faster Remediation
Value stream figure: Idea → Understand Needs → Develop → Test → Deploy → Customer Value, plus 1 day of feedback. The figure shows two rows of stage durations (3, 5, 5 and 3 days; 10, 7, 4 and 9 days); total = 47 days.
Source: Forrester, “Define A Software Delivery Strategy For Business Innovation,” July 25, 2014
Delivery pipeline figure: Idea proposed → Understand Needs & Invent Solutions → Develop, Commit & Build → Functional Testing → Load, Performance, Security, … Testing → UAT/Exploratory Testing → Release Decision → Deploy Solution → Customer Value → Feedback / New Capabilities.
Security practices mapped onto the pipeline: ensure only authorized changes; provide standard, secure environments; detect vulnerabilities; make release decisions based on test data; automate and control deployments; eliminate the “console”; detect intrusions.
Prevention is better than remediation
Pipeline figure (as above), focus: Ensure only authorized changes
Don’t forget about the insider threats
Source: CERT 2014 US State of Cybercrime Survey, Software Engineering Institute (base: 557 respondents), https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=298318
Insiders commit:
Fraud
Theft of IP
Sabotage
Terminated worker cripples employer
Deleted 88 virtual servers in seconds
Ensure authorized changes with analytics
Quickly identifying unauthorized changes is paramount.
Behavioral analytics can detect a wide range of anomalous or unauthorized changes
Identify anomalous/malicious behavior over time:
Is Rick accessing code he has never accessed before?
Is Rick accessing code that his peers don’t access?
Are Rick’s work hours unusual? (8-5 CST, but now 2am)
Why is Rick suddenly uploading code to Dropbox?
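As an added example (not from the slides or from Perforce), the four questions above turned into detection logic over a constructed repository-access audit log. A baseline period builds, per user, the set of repositories touched and an observed working-hour window, and, per team, who the peers are; events from the period under review are then scored against that profile. The event fields, the approved egress list, the one-hour slack and the 9-to-5 default for unknown users are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit events (assumption: a repository audit log with these
# fields; timestamps are local time, ISO 8601). "upload" events also carry
# the destination host the code was sent to.
BASELINE_EVENTS = [
    {"user": "rick", "team": "security", "action": "checkout", "repo": "scanner",      "ts": "2015-04-06T09:12:00"},
    {"user": "rick", "team": "security", "action": "checkout", "repo": "scanner",      "ts": "2015-04-07T10:30:00"},
    {"user": "rick", "team": "security", "action": "commit",   "repo": "scanner",      "ts": "2015-04-07T16:45:00"},
    {"user": "rick", "team": "security", "action": "checkout", "repo": "policy-docs",  "ts": "2015-04-08T14:00:00"},
    {"user": "ann",  "team": "security", "action": "checkout", "repo": "scanner",      "ts": "2015-04-06T11:00:00"},
    {"user": "ann",  "team": "security", "action": "checkout", "repo": "policy-docs",  "ts": "2015-04-08T09:30:00"},
    {"user": "bob",  "team": "payments", "action": "checkout", "repo": "billing-core", "ts": "2015-04-06T08:15:00"},
    {"user": "bob",  "team": "payments", "action": "commit",   "repo": "billing-core", "ts": "2015-04-07T17:10:00"},
]

# Events from the period under review (constructed).
NEW_EVENTS = [
    {"user": "rick", "team": "security", "action": "checkout", "repo": "scanner",      "ts": "2015-04-09T09:05:00"},
    {"user": "rick", "team": "security", "action": "checkout", "repo": "billing-core", "ts": "2015-04-10T02:10:00"},
    {"user": "rick", "team": "security", "action": "upload",   "repo": "billing-core", "ts": "2015-04-10T02:20:00", "dest": "dropbox.com"},
    {"user": "ann",  "team": "security", "action": "upload",   "repo": "scanner",      "ts": "2015-04-10T10:00:00", "dest": "artifacts.internal"},
]

# Assumption: the only sanctioned place to push code outside the repository.
APPROVED_DESTINATIONS = {"artifacts.internal"}


def build_profile(events):
    """Learn, from the baseline period, which repos each user touches, who is on
    each team, and each user's observed working-hour window (earliest, latest)."""
    user_repos = defaultdict(set)
    team_members = defaultdict(set)
    user_hours = defaultdict(list)
    for e in events:
        user_repos[e["user"]].add(e["repo"])
        team_members[e["team"]].add(e["user"])
        user_hours[e["user"]].append(datetime.fromisoformat(e["ts"]).hour)
    hours = {u: (min(h), max(h)) for u, h in user_hours.items()}
    return {"user_repos": user_repos, "team_members": team_members, "hours": hours}


def score_event(profile, event, slack_hours=1):
    """Return the anomaly flags one event raises against the learned profile."""
    flags = []
    user, team, repo = event["user"], event["team"], event["repo"]

    # 1. Code this user has never accessed before.
    if repo not in profile["user_repos"].get(user, set()):
        flags.append("new-repo-for-user")

    # 2. Code none of the user's peers (same team, other people) access.
    peers = profile["team_members"].get(team, set()) - {user}
    peer_repos = set().union(*(profile["user_repos"][p] for p in peers))
    if repo not in peer_repos:
        flags.append("repo-not-used-by-peers")

    # 3. Activity outside the user's observed hours, with some slack.
    hour = datetime.fromisoformat(event["ts"]).hour
    lo, hi = profile["hours"].get(user, (9, 17))  # assumption: 9-5 default for unknown users
    if not (lo - slack_hours <= hour <= hi + slack_hours):
        flags.append("off-hours")

    # 4. Code leaving the environment for an unsanctioned destination.
    if event["action"] == "upload" and event.get("dest") not in APPROVED_DESTINATIONS:
        flags.append("unsanctioned-egress")
    return flags


def detect_anomalies(baseline, new_events):
    """Score each new event; return only those that raised at least one flag."""
    profile = build_profile(baseline)
    findings = []
    for e in new_events:
        flags = score_event(profile, e)
        if flags:
            findings.append((e["user"], e["repo"], e["ts"], flags))
    return findings


if __name__ == "__main__":
    for user, repo, ts, flags in detect_anomalies(BASELINE_EVENTS, NEW_EVENTS):
        print(f"{ts} {user} {repo}: {', '.join(flags)}")
```

Two of the four review-period events come back flagged: Rick's 02:10 checkout of a repository neither he nor his team has touched, and the upload of that code to an unapproved host ten minutes later. The single-flag events are the noise to expect from this kind of profiling; it is the stacking of several flags on one user within minutes that is worth paging on. Note the caveat built into the peer check: a one-person team has no peers, so every repository trips that flag for them, and the baseline window has to be long enough to capture normal hours or the off-hours check will fire on legitimate late work.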
Ensure only authorized changes
Continuous integration ensures healthy code
Image: http://blog.jki.net/news/niweek-2012-fire-and-forget-bulletproof-builds-using-continuous-integration-with-labview-video-slides-now-available/
Pipeline figure (as above), focus: Provide standard, secure environments
“Infrastructure As Art”
Every hand-crafted environment is unique
No auditability of changes
Often, no control over change access
No repeatability
“It works fine in my environment.”
Inconsistency Creates Vulnerability
Image: http://www.flickr.com/photos/38392483@N00/385912858
Complexity leads to vulnerability
Image: https://sndrs.ca/page/2/
“Infrastructure As Code”
› Standard VM/Container configurations
› Configurations version controlled
› Managed change authorization
› Changes automated, repeatable, auditable
Figure: a versioned repository holding configuration info and test data feeds deployment automation, test data management and service virtualization, which together produce the configured environment.
Image: http://www.datacenterknowledge.com/wp-content/uploads/2011/05/ITPAC-Servers-470.jpg
Standardized environments make security scalable, finally
Security pros must leverage IT automation tools
Ensure consistent configurations and eliminate drift
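The drift check these slides call for, as an added example (not the deck's or Perforce's code): the version-controlled configuration is reduced to a manifest of SHA-256 digests, the live host is snapshotted the same way, and the two manifests are diffed, so any change that did not arrive through the pipeline shows up as modified, missing or unexpected. The file paths and contents are constructed; the hand edit to sshd_config stands in for any change made through the "console" that the deck says to eliminate.

```python
import hashlib
from pathlib import Path

# Constructed baseline: what the version-controlled configuration says the
# host should look like (relative path -> file contents).
BASELINE_FILES = {
    "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "etc/app/app.yml": b"listen: 127.0.0.1:8080\ntls: required\n",
    "etc/app/tls-policy.conf": b"MinProtocol = TLSv1.2\n",
}

# Constructed live snapshot: someone logged into the box and edited
# sshd_config by hand, one file is gone, and a cron job appeared that no
# commit in the repository accounts for.
LIVE_FILES = {
    "etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "etc/app/app.yml": b"listen: 127.0.0.1:8080\ntls: required\n",
    "etc/cron.d/adhoc-job": b"*/5 * * * * root /tmp/sync.sh\n",
}


def manifest(files):
    """Reduce a path -> bytes mapping to path -> SHA-256 hex digest, the form
    that is cheap to store beside the configuration in version control."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def snapshot_directory(root):
    """Read a real tree into the same path -> bytes form (POSIX-style relative
    paths), so manifest(snapshot_directory(root)) describes a live host."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}


def drift(baseline_manifest, live_manifest):
    """Compare desired state to observed state. Every entry in the result is a
    change that did not come through the delivery pipeline."""
    modified = sorted(p for p in baseline_manifest
                      if p in live_manifest and baseline_manifest[p] != live_manifest[p])
    missing = sorted(p for p in baseline_manifest if p not in live_manifest)
    unexpected = sorted(p for p in live_manifest if p not in baseline_manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def is_compliant(report):
    """True only when the live host matches the versioned baseline exactly."""
    return not any(report.values())


if __name__ == "__main__":
    report = drift(manifest(BASELINE_FILES), manifest(LIVE_FILES))
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind:10s} {path}")
    print("compliant" if is_compliant(report) else "DRIFT DETECTED")
```

On a real host the live side comes from manifest(snapshot_directory(root)) over the managed paths, and the baseline manifest is generated in the pipeline from the same commit that built the environment, so the digest list is itself versioned and auditable. A non-empty report is a rebuild trigger for the host; the unexpected and modified entries are also incident leads, since the Code Spaces and terminated-worker cases earlier in the deck began with exactly this kind of out-of-band change. A content digest does not see ownership or permission changes; extend the snapshot with stat() metadata if those matter for the files in scope.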
Standardization made Heartbleed less painful
Pipeline figure (as above), focus: Detect vulnerabilities
Pipeline figure (as above), focus: Make release decisions based on test data
Benefits of basing release decisions on test data
Increased confidence
Reduced risk
Fewer incidents
Simplified release decisions
Pipeline figure (as above), focus: Automate and control deployments
Automating deployment reduces vulnerability
Benefits of Automating Deployment
Increase reliability
Eliminate manual errors
Increase speed
Reduce cost
A typical quarterly release at one company consisted of a spreadsheet of over 1000 changes that needed to be made to deploy the software.
A THOUSAND OPPORTUNITIES FOR SOMETHING TO GO WRONG.
Source: http://h30499.www3.hp.com/t5/Grounded-in-the-Cloud/Transform-DevOps-with-Application-Release-Automation/ba-p/5952497#.VTZ73c5Gceo
Three Teams, One Goal
Development, Operations and Security must work together to win, serve and retain customers.
Deliver consistency:
• Secure customer experiences
• Trustworthy configurations
• Minimize human error
• Few surprises
Q&A
Thank you
Kurt Bittner, Principal Analyst, [email protected], @ksbittner
Rick Holland, Principal Analyst, [email protected], @rickhholland