Multi Security Checkpoints on DevOps Platform
Transcript of Multi Security Checkpoints on DevOps Platform
November 15, 2016
Hasan Yasar, Technical Manager, Secure Lifecycle Solutions, Software Engineering Institute, Carnegie Mellon University
Copyright 2016 Carnegie Mellon University
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.
Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.
DM-0004210
Multi Security Checkpoints
Fundamentals - Process
What Wikipedia says…
• DevOps (a portmanteau of "development" and "operations") emphasizes communication, collaboration, and integration between software developers and information technology (IT) operations personnel. [1]
[1] http://en.wikipedia.org/wiki/DevOps
[Figure: Water-Scrum-Fall diagram. Labels: Business, Development, QA, Operations; Research, Budget, Document, Integrate, Test, Release]
Jez Humble, https://youtu.be/L1w2_AY82WY
Dave West, http://sdtimes.com/analyst-watch-water-scrum-fall-is-the-reality-of-agile/
DevOps is an Extension of Agile Thinking
Agile
• Embrace constant change
• Embed Customer in team to internalize expertise on requirements and domain
DevOps
• Embrace constant testing, delivery
• Embed Operations in team to internalize expertise on deployment and maintenance
[Figure: DevOps; labels: Shared Goals, Collaboration, Business Needs]
Multiple Dimensions of DevOps
Culture
• Developer and Ops collaborate (Ops includes security)
• Developers and Operations support releases beyond deployment
• Dev and Ops have access to stakeholders who understand business and mission goals
Automation/Measurement
• Automate repetitive and error-prone tasks (e.g., build, testing, and deployment maintain consistent environments)
• Static analysis automation (architecture health)
• Performance dashboards
Process and Practices
• Pipeline streamlining
• Continuous-delivery practices (e.g., continuous integration; test automation; script-driven, automated deployment; virtualized, self-service environments)
System and Architecture
• Architected to support test automation and continuous-integration goals
• Applications that support changes without release (e.g., late binding)
• Scalable, secure, reliable, etc.
Multi Security Checkpoints
DevOps Platform - Platform
Continuous Integration (CI) Model
Integration and communication, even among tools, is the key!
Human actions/inputs to the software development process
Actions performed by autonomous systems
Multi Security Checkpoints
Team Integration - People
DevOps and Security
Rugged {Secure} Dev{Sec}Ops
• DevOps is a Risk Mitigation strategy, built on Situational Awareness, Automation, and Repetition
• But security is where a lot of DevOps implementations fall down
• Goal:
  – Protecting private user data
  – Restricting access to data/systems
  – Protecting company data/IP
  – Standards compliance
  – Safeguarding disposition/transition
Team Composition
Developers
• Features
• Quality Attributes
• Efficiency
• Performance
• Users
• Authentication
• Authorization
IT Ops
• Deployment
• Maintenance
• Updates
• Change policy
• Failure
• Data loss
• Risk prevention
QA
• Testable
• Issue tracking
• Bug Reports
• Usability
• Help Desk
Security Team
• Data Privacy
• Intrusion detection
• Threat vectors
• CVEs
• Package security
• Authentication
• Authorization
• Security Standards Compliance
DevOps: Multiple Team Integrations
DevOps: Multiple Team Integrations + With Security Team
Multi Security Checkpoints
Platform Security in DevOps
Evolution of software development
Old days…
• Custom development – context:
  • Software was limited
    § Size
    § Function
    § Audience
  • Each organization employed developers
  • Each organization created their own software
Supply chain: practically none
In these days…
• Shared development – ISVs (COTS) – context:
  • Function largely understood
    § Automating existing processes
  • Grown beyond ability for using organization to develop economically
  • Outside of core competitiveness by acquirers
Supply chain: software supplier
Development is now assembly
Collective development – context:
• Too large for single organization
• Too much specialization
• Too little value in individual components
Supply chain: long
[Figure: application composition, like “Plug N Play”: General Ledger, SQL Server, WebSphere, HTTP server, XML Parser, Oracle DB, SIP servlet container, GIF library]
Note: hypothetical application composition
Software supply chain for assembled software
• Complexity of acquisition, development and deployment
• Visibility & awareness
Source: “Scope of Supplier Expansion and Foreign Involvement” graphic in DACS www.softwaretechnews.com Secure Software Engineering, July 2005 article “Software Development Security: A Risk Management Perspective” synopsis of May 2004 GAO-04-678 report “Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks”
Reducing software supply chain risk factors
Software supply chain risk for a product needs to be reduced to acceptable level
• Supplier Capability: Supplier follows practices that reduce supply chain risks
• Product Security: Delivered or updated product is acceptably secure
• Product Distribution: Methods of transmitting the product to the purchaser guard against tampering
• Operational Product Control: Product is used in a secure manner
Supply Chain Hygiene: Recommendations
• Supplier security commitment evidence
• Supplier employees are educated as to security engineering practices
• Supplier follows suitable security design practices
• Evaluate a product’s threat resistance
• What product characteristics minimize opportunities to enter and change the product’s security characteristics?
• Create centralized private repositories of vetted 3rd party components for all developers
• Establish good product distribution practices
• Recognize that supply chain risks are accumulated
• Monitor for new vulnerabilities and know where they are in the enterprise to fix
• Minimize variation of components to make things easier (multiple versions, duplicated utility)
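
The last three hygiene recommendations (vetted repository, knowing where a vulnerable component runs, minimizing version variation) can be checked mechanically once a component inventory exists. The following is an added example, not part of the original slides; the inventory format, component names, versions and advisory are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (application, component, version) as a build
# pipeline might record it. All names and versions are made up.
INVENTORY = [
    ("billing", "xml-parser", "2.1.0"),
    ("billing", "http-server", "1.4.2"),
    ("portal", "xml-parser", "2.0.3"),
    ("portal", "gif-library", "0.9.1"),
    ("reports", "xml-parser", "2.1.0"),
]
# Components approved into the central private repository (hypothetical).
VETTED = {("xml-parser", "2.1.0"), ("http-server", "1.4.2"),
          ("gif-library", "0.9.1")}
# Constructed advisory: component name and the versions it affects.
ADVISORY = {"component": "xml-parser", "affected": {"2.0.3", "2.1.0"}}


def unvetted(inventory, vetted):
    """Uses of a component/version that never passed through vetting."""
    return sorted((app, name, ver) for app, name, ver in inventory
                  if (name, ver) not in vetted)


def version_spread(inventory):
    """Components present in more than one version across the enterprise."""
    versions = defaultdict(set)
    for _app, name, ver in inventory:
        versions[name].add(ver)
    return {n: sorted(v) for n, v in versions.items() if len(v) > 1}


def locate(inventory, advisory):
    """Applications that ship a version named in a new advisory."""
    return sorted({app for app, name, ver in inventory
                   if name == advisory["component"]
                   and ver in advisory["affected"]})


if __name__ == "__main__":
    print("unvetted:", unvetted(INVENTORY, VETTED))
    print("multiple versions:", version_spread(INVENTORY))
    print("affected apps:", locate(INVENTORY, ADVISORY))
```
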
Platform Security Overview
• Development, operations teams engineer infrastructure and application
• Operations maintains continuous delivery process
• Developers write and push code
• Continuous integration server internally deploys code
  • Docker run / VM provision
  • Build
  • Test
• QA team evaluates the application for correctness
• Continuous delivery process deploys code to production servers
• Operations maintains production servers
Platform Security Overview with Security Highlights
• Development, operations, and security teams engineer infrastructure and application
• Operations maintains continuous delivery process
• Developers write and push code
• Code push triggers security analysis via security controller
• Continuous integration server internally deploys code
  • Docker run / VM provision
  • Build
  • Test
  • Automated security scan
• QA team evaluates the application for correctness
• Continuous delivery process deploys code to production servers
• Operations maintains production servers
Multi Security Checkpoints
AppSec and DevOps - Integrating Security practices into DevOps
Dev Lifecycle
Dev + Business Lifecycle
DevOps Lifecycle
Where are opportunities for security processes?
DevOps Lifecycle
• Threat Modeling, Security as a quality attribute
• Secure/hardened environments
• Security-focused code review
• Automated Security Testing (Static analysis, etc)
• More Security Testing (Pen Testing, Fuzz Testing)
• Security review/acceptance testing
Secure DevOps Lifecycle
Security must be addressed without breaking the rapid delivery, continuous feedback model
[Figure: Secure DevOps Lifecycle; labels: Devs, Constant Feedback to Dev]
Automation (CI/CD) and Security
§ Not everything can be, needs to be, or should be, automated
§ Draw perimeters around things you trust and let that guide where human interaction and verification is needed
§ Keep track of security assessments
§ Regimented code management
§ Know what source code contributed to a build that’s in production so patches are fast and confident
§ Perform manual reviews as little as possible (NOT to block CD)
§ static analysis
§ (peer) Code review
§ Pen testing (or any security testing tools)
Post-Production Monitoring with Security Mindset
• Monitor audit logs produced by CI/CD for anomalies
• Monitor production applications to assure nothing changes outside of the normal change process
• Monitor for new vulnerabilities/threats (a catalog of running components helps!)
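
One way to check that nothing in production changed outside the normal change process, and to know which source commit a running build came from, is to have CI emit an authenticated manifest and compare the deployed files against it. This is an added example, not part of the original slides; the manifest layout, function names, key, commit placeholder and file contents are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data; the key, commit id and file names are placeholders.
KEY = b"demo-key-keep-real-keys-in-a-secret-store"
BUILT = {"app/main.py": b"print('v1')\n", "app/config.yml": b"debug: false\n"}
DEPLOYED = {"app/main.py": b"print('v1')\n",
            "app/config.yml": b"debug: true\n",       # edited on the server
            "app/hotfix.py": b"# copied in by hand\n"}  # never went through CI


def digest(data):
    return hashlib.sha256(data).hexdigest()


def mac_of(body, key):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_manifest(commit, files, key):
    """CI side: tie the shipped files to the source commit that produced them."""
    body = {"commit": commit, "files": {p: digest(d) for p, d in files.items()}}
    return {**body, "mac": mac_of(body, key)}


def detect_drift(manifest, deployed, key):
    """Monitoring side: report anything that differs from what CI built."""
    body = {k: v for k, v in manifest.items() if k != "mac"}
    if not hmac.compare_digest(mac_of(body, key), manifest.get("mac", "")):
        raise ValueError("manifest MAC mismatch: the build record was altered")
    built = body["files"]
    live = {p: digest(d) for p, d in deployed.items()}
    return {
        "commit": body["commit"],
        "modified": sorted(p for p in built if p in live and live[p] != built[p]),
        "missing": sorted(p for p in built if p not in live),
        "unexpected": sorted(p for p in live if p not in built),
    }


if __name__ == "__main__":
    manifest = build_manifest("<commit-id>", BUILT, KEY)
    print(detect_drift(manifest, DEPLOYED, KEY))
```
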
Multi Security Checkpoints
Practical Security integration Scenarios CI/CD
Secure DevOps Lifecycle
• Pausing for manual steps is typical
• Optimize the manual work!
• Persist the output of any tools/work
Scenario - 1
Scenario - 2
Scenario - 3
Multi Security Checkpoints
Demo
All videos are in SEI YouTube channel https://www.youtube.com/user/TheSEICMU/featured
Or in Secure DevOps section https://www.youtube.com/playlist?list=PLSNlEg26NNpx3fYrfZokWuye9RVMCnCsc
More on SEI DevOps Blog https://insights.sei.cmu.edu/devops
Contact Information
Hasan Yasar, Technical Manager
[email protected]
@securelifecycle
Web Resources (CERT/SEI)
http://www.cert.org/
http://www.sei.cmu.edu/