With the rise of DevOps, containers are at the brink of becoming a pervasive technology in Enterprise IT to accelerate application delivery for the business. When it comes to adopting containers in the enterprise, Security is the highest adoption barrier.
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Security with DevSecOps + Containers
1. A DevOps State of Mind:
Continuous Security with
DevSecOps + Containers
Chris Van Tuin
Chief Technologist, NA West / Silicon Valley
cvantuin@redhat.com
4. DEV QA OPS
Walled off people, walled off processes, walled off technologies
“THROW IT OVER THE WALL”
5. Time to Value
Months to
Years
Weeks and
Months
Days
and
Weeks
IT MUST EVOLVE TO STAY AHEAD OF DEMANDS
6.
7.
8. DEV QA OPS
Open organization +
cross-functional teams
Software factory
automation
Linux + Containers
IaaS
Orchestration
CI/CD
Source Control Management
Collaboration
Build and Artifact Management
Testing
Frameworks
OpenSource
CI/CD pipelines
with feedback
Culture Process Technology
+ +
BREAKING DOWN THE WALLS WITH DEVOPS
9. DEV QA OPS
SECURITY IS AN AFTERTHOUGHT
| SECURITY |
“Patch?
The servers are behind the firewall.”
- Anonymous (far too many to name), 2005 - …
11. DevSecOps
End to End Security
+ +
SECURITY
DEV
QA OPS
Linux + Containers
IaaS
Orchestration
CI/CD
Source Control Management
Collaboration
Build and Artifact Management
Testing
Frameworks
OpenSource
Culture Process Technology
16. 4
● Are there known vulnerabilities in
the application layer?
● Are the runtime and OS layers up
to date?
● How frequently will the container
be updated and how will I know
when it’s updated?
CONTENT: EACH LAYER MATTERS
CONTAINER
OS
RUNTIME
APPLICATION
Are there known vulnerabilities
in each application layer?
Are the runtime and OS layers
up to date?
How frequently will the container
be updated and how will I know
when its updated?
IS THE CONTAINER ENVIRONMENT SECURE?
Is the image from a trusted source?
Can I quickly deploy a security update at scale?
Is my multi-tenant host secure?
22. 4
● Are there known vulnerabilities in
the application layer?
● Are the runtime and OS layers up
to date?
● How frequently will the container
be updated and how will I know
when it’s updated?
CONTENT: EACH LAYER MATTERS
CONTAINER
OS
RUNTIME
APPLICATION
CONTENT: EACH LAYER MATTERS
AYER MATTERS
CONTAINER
OS
RUNTIME
APPLICATION
JAR CONTAINER
28. 64% of official images in Docker Hub
contain high priority security vulnerabilities
examples:
ShellShock (bash)
Heartbleed (OpenSSL)
Poodle (OpenSSL)
Source: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities, Jayanth Gummaraju, Tarun Desikan, and Yoshio Turner, BanyanOps,
May 2015 (http://www.banyanops.com/pdf/BanyanOps-AnalyzingDockerHub-WhitePaper.pdf)
WHAT’S INSIDE THE CONTAINER MATTERS
32. FROM fedora:latest
CMD echo “Hello”
Build file
Build
Best Practices
• Treat as a Blueprint
• Don’t login to build/configure
• Version control build file
• Be explicit with versions, not latest
• Each Run creates a new layer
BUILDS
36. AUTOMATED SECURITY SCANNING with OpenSCAP
ReportsScan
SCAP Security
Guide
for RHEL
CCE-27002-5
Set Password Minimum
Length
Content
Scan physical servers, virtual machines, docker images and containers
for Security Policy Compliance (CCEs) and known Security Vulnerabilities (CVEs)
37. Standard Docker Host Security Profile
Java Runtime Environment (JRE)
Upstream Firefox STIG
RHEL OSP STIG
Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
STIG for Red Hat Enterprise Linux 6, 7 Server
STIG for Red Hat Virtualization Hypervisor
Common Profile for General-Purpose Debian Systems
Common Profile for General-Purpose Fedora Systems
Common Profile for General-Purpose Ubuntu Systems
Payment Card Industry – Data Security Standard (PCI-DSS) v3
U.S. Government Commercial Cloud Services (C2S)
CNSSI 1253 Low/Low/Low Control Baseline for Red Hat Enterprise Linux 7
Criminal Justice Information Services (CJIS) Security Policy
Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
U.S. Government Configuration Baseline (NIAP OSPP v4.0, USGCB, STIG)
Security Policies in SCAP Security Guide (partial)