Join the conversation #devseccon
By Ildefonso Montero
Writing firewall policies in app manifests
Who am I
• Yet another Software Developer @imonteroperez
This talk is NOT about
• ^(?<Dev|Sec|App|Whatever>.+)Ops$ ideas applied for software delivery
This talk is about
• ^(?<Dev|Sec|App|Whatever>.+)Ops$ ideas applied for infrastructure delivery
• Infrastructure (servers, databases, microservices, containers, networks, firewalls, etc.)
Preliminary Infrastructure-related Buzzwords
• Automated delivery or provision
• Physical, Virtual, private and/or public clouds
• Immutable, Scalable, Replicable, etc.
The Good parts
• Security compliance
• Firewalling security needs
• Rapid threat containment under attacks
• (Multi)vendor coupled
The “Ugly” parts
Security Others …
From a DevOps perspective
Only from DevOps perspective?
Application Delivery
[Diagram labels: Application Delivery; Software Delivery; Infrastructure Delivery (Servers, Containers, Services); Network; Security (policies); Live application]
From www.devsecops.org/blog/2016/5/20/-security
Complex communication
• Software delivery
• Infrastructure delivery (servers, containers, services)
• Network delivery (network and security)
Every part of the process needs to be validated and reviewed by people, generating bottlenecks
• DevOps to the rescue
• NetOps to the rescue:
• Vendor APIs (Juniper PyEZ, PAN-OS, Cisco NX-API (pycsco), IOS-XR (pyIOSXR), Arista EOS, etc.)
• Netmiko, Paramiko
• NAPALM + Ansible
• SDN, OpenDaylight, NFV, flannel, kb-proxy
• DevOps/NetOps to the rescue
Security validations and compliance of infrastructure delivery
• ¿?
Application delivery bottlenecks
IT teams are currently spending 20-32% of their time dealing with misconfigurations.
Network Agility Research 2014. Dynamic Markets
[Workflow diagram: CHANGE MANAGEMENT (WORKFLOW). Steps: Change request (portal); Risk assessment (traffic simulation); Approved (YES / NO, Not approved); Schedule for enforcement; Validate/Review change; Implement change; Deliver change; Test change; Periodic policy clean-up (historic degradation). Actors: APP OWNER, RISK TEAM, SECOPS TEAM]
Node provisioning
Automated!
Node configuration
Software testing
Software provisioning
Still mostly manual!
Network provisioning
Network configuration (incl. security policy)
NO PRODUCTS YET!
Recap Problems
Security validation and compliance of infrastructure delivery is:
• Highly manual
• Involves different teams (a.k.a. silos) with different ways to do things
• Living with the problem is not an option
What we want
• Massive Agility Gains
• Massive Cost Reduction
• Better Risk Controls
DevSecOps to the rescue!
• Apply “shift to the left” paradigm
• Application Delivery: define your network needs as code
• SecOps: define your security rules as code
• Risk: define your compliance as code
Firewall policies
Writing firewall policies is like …
Abstract all the things!
Just say what you want
• I need to consume SNMP servers
• I will provide a service by tcp 443 and tcp 80
• User network must have visibility to App server
• DMZ traffic must be limited to Internet by tcp 443 and tcp 80
Firewall policies as code!
Firewall policies as code
• Abstraction
• Use vendor and topology neutral model
• Declarative
• Express your infrastructure security needs as user intents
• Write policies where you need
• From a DevSecOps perspective: apply shift left, so write on your app manifests!
Firewall policies as code pipeline
Demo overview
• Define on Puppet as code
• Automatically Validate, Deploy and Visualize on Intelliment
• Consumes: defines what visibility requirements the component needs from others.
• Provides: defines what services it exposes to others.
• App is a simple web application with two webservers and a database server.
• Webserver nodes are located on the frontend network.
• Database server is located on the backend network.
• They must access a dns server present on the management network.
• They must be accessed from Internet and Users and Admins networks.
APP VISIBILITY REQUIREMENTS
• Users need HTTPS access to webservers.
• Webservers need MySQL from database.
• All servers should use the dns server.
• System administrators need SSH access to all servers.
PRE-APPROVED FLOWS
The RISK TEAM has pre-defined deny requirements to avoid using risky services:
• Unencrypted HTTP flows from Internet or User network to webservers are denied
Validation will make sure that no HTTP will be allowed between these elements.
Firewall policies in app manifests
NODE CLASSIFICATION
• NODES webserver, webserver2: ROLE role::app::webserver, PROFILE profile::app::webserver
• NODES database: ROLE role::app::database, PROFILE profile::app::database
• NODES dns-server: ROLE role::server::dnsserver, PROFILE profile::server::dnsserver
• PROFILE profile::server::base
APP DEFINITION
• profile::app::webserver: Provides web services; Consumes database services
• profile::app::database: Provides database services
• profile::server::base: Provides ssh services; Consumes dns services
• profile::server::dnsserver: Provides dns services
APP NETWORK VISIBILITY REQUIREMENTS RETRIEVAL FROM PUPPET
• The APP DEFINITION entries of profile::app::webserver and profile::server::base are retrieved as network visibility requirements for Intelliment
Pre-approved flows (cannot be contradicted)
One simple change
• profile::app::webserver (PROFILE), APP DEFINITION: Provides web services; Consumes database services
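The validation step of the demo, sketched as an added example that is not code from the talk, Puppet or Intelliment: it expands provides/consumes declarations into flows and rejects any that contradict the Risk team's pre-approved deny. The schema, the port numbers and the assumption that every role includes profile::server::base are constructed for illustration.

```python
"""Validate app-manifest visibility requirements against pre-approved deny flows.

The schema (PROFILES, NODES, DENY) is hypothetical, built for this example from
the demo scenario in the slides; it is not Intelliment's or Puppet's format.
"""
import copy
from typing import NamedTuple

# Well-known (protocol, port) per service name used in the demo scenario.
SERVICES = {"https": ("tcp", 443), "http": ("tcp", 80), "mysql": ("tcp", 3306),
            "dns": ("udp", 53), "ssh": ("tcp", 22)}

# provides: service -> networks it is exposed to (nodes that "consume" the
# service get access automatically); consumes: services needed from others.
PROFILES = {
    "profile::app::webserver": {"provides": {"https": ["Internet", "Users"]},
                                "consumes": ["mysql"]},
    "profile::app::database": {"provides": {"mysql": []}, "consumes": []},
    "profile::server::base": {"provides": {"ssh": ["Admins"]},
                              "consumes": ["dns"]},
    "profile::server::dnsserver": {"provides": {"dns": []}, "consumes": []},
}

# node -> (network, profiles). Assumption: every role includes the base profile.
BASE = "profile::server::base"
NODES = {
    "webserver": ("frontend", ["profile::app::webserver", BASE]),
    "webserver2": ("frontend", ["profile::app::webserver", BASE]),
    "database": ("backend", ["profile::app::database", BASE]),
    "dns-server": ("management", ["profile::server::dnsserver", BASE]),
}

# Risk team rule: no unencrypted HTTP from Internet or Users to webservers.
DENY = [{"from": {"Internet", "Users"}, "to_profile": "profile::app::webserver",
         "service": "http"}]


class Flow(NamedTuple):
    src: str      # a network name or a node name
    dst: str      # always a node name
    service: str


def derive_flows(profiles, nodes):
    """Expand provides/consumes declarations into concrete allow flows."""
    flows = set()
    for node, (_net, node_profiles) in nodes.items():
        for pname in node_profiles:
            decl = profiles[pname]
            for svc, networks in decl["provides"].items():
                flows.update(Flow(net, node, svc) for net in networks)
            for svc in decl["consumes"]:
                for other, (_n, other_profiles) in nodes.items():
                    if other != node and any(
                            svc in profiles[p]["provides"] for p in other_profiles):
                        flows.add(Flow(node, other, svc))
    return flows


def violations(flows, nodes, deny_rules):
    """Return the flows that contradict a pre-approved deny rule."""
    bad = []
    for flow in sorted(flows):
        # A node source is judged by the network it sits on.
        src_net = nodes[flow.src][0] if flow.src in nodes else flow.src
        for rule in deny_rules:
            # Compare protocol/port, so a renamed service on tcp/80 still matches.
            if (src_net in rule["from"]
                    and rule["to_profile"] in nodes[flow.dst][1]
                    and SERVICES[flow.service] == SERVICES[rule["service"]]):
                bad.append(flow)
    return bad


def one_simple_change():
    """A manifest edit that also exposes plain HTTP to the Internet."""
    changed = copy.deepcopy(PROFILES)
    changed["profile::app::webserver"]["provides"]["http"] = ["Internet"]
    return changed


if __name__ == "__main__":
    baseline = derive_flows(PROFILES, NODES)
    print(len(baseline), "flows, violations:", violations(baseline, NODES, DENY))
    for flow in violations(derive_flows(one_simple_change(), NODES), NODES, DENY):
        print("REJECTED:", flow)
```

Run in a pipeline, a non-empty result from `violations` fails the change before anything is pushed to a firewall.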
Before
[Workflow diagram: CHANGE MANAGEMENT (WORKFLOW). Steps: Change request (portal); Risk assessment (traffic simulation); Approved (YES / NO, Not approved); Schedule for enforcement; Validate/Review change; Implement change; Deliver change; Test change; Periodic policy clean-up (historic degradation). Actors: APP OWNER, RISK TEAM, SECOPS TEAM]
After
[Workflow diagram: CHANGE MANAGEMENT (WORKFLOW). Steps: Define manifest; Automated Risk assessment; Approved (NO, Not approved); Schedule for enforcement; Automated Validate/Review change; Automated Implement change; Automated Deliver change; Test change. Actors: APP OWNER, RISK TEAM, SECOPS TEAM]
Conclusions
• Imposing controls is a way to reduce risks, but not at the expense of agility
• Work together. Security affects everybody. Living with the problems is not an option
• Define your security needs as code
• Abstract all the things (and automate them)
• Reduce your workflow bottlenecks
Questions?
Thank you!
http://www.intellimentsec.com
http://github.com/intelliment
imontero@intellimentsec.com
@imonteroperez

Addressing Cloud Security with OPA
 
Learn how an app-centric approach will improve security & operational efficiency
Learn how an app-centric approach will improve security & operational efficiencyLearn how an app-centric approach will improve security & operational efficiency
Learn how an app-centric approach will improve security & operational efficiency
 
Connect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API ProtectionConnect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API Protection
 
Infrastructure as Code in Large Scale Organizations
Infrastructure as Code in Large Scale OrganizationsInfrastructure as Code in Large Scale Organizations
Infrastructure as Code in Large Scale Organizations
 
AWS18 Startup Day Toronto- Launching your Application the Amazon Way
AWS18 Startup Day Toronto- Launching your Application the Amazon WayAWS18 Startup Day Toronto- Launching your Application the Amazon Way
AWS18 Startup Day Toronto- Launching your Application the Amazon Way
 
Continuous Delivery for cloud - scenarios and scope
Continuous Delivery for cloud  - scenarios and scopeContinuous Delivery for cloud  - scenarios and scope
Continuous Delivery for cloud - scenarios and scope
 
Application Lifecycle Management
Application Lifecycle ManagementApplication Lifecycle Management
Application Lifecycle Management
 
Scaling security in a cloud environment v0.5 (Sep 2017)
Scaling security in a cloud environment  v0.5 (Sep 2017)Scaling security in a cloud environment  v0.5 (Sep 2017)
Scaling security in a cloud environment v0.5 (Sep 2017)
 
DTS-1778 Understanding DevOps - IBM InterConnect Session
DTS-1778 Understanding DevOps - IBM InterConnect SessionDTS-1778 Understanding DevOps - IBM InterConnect Session
DTS-1778 Understanding DevOps - IBM InterConnect Session
 
Microdeployments for microservices dev ops nashville
Microdeployments for microservices   dev ops nashvilleMicrodeployments for microservices   dev ops nashville
Microdeployments for microservices dev ops nashville
 
DevOps for AI Apps
DevOps for AI AppsDevOps for AI Apps
DevOps for AI Apps
 
DevOps on AWS - Building Systems to Deliver Faster
DevOps on AWS - Building Systems to Deliver FasterDevOps on AWS - Building Systems to Deliver Faster
DevOps on AWS - Building Systems to Deliver Faster
 
OTT for Mobile Devices
OTT for Mobile DevicesOTT for Mobile Devices
OTT for Mobile Devices
 
DevOps: Infrastructure as Code
DevOps: Infrastructure as CodeDevOps: Infrastructure as Code
DevOps: Infrastructure as Code
 
How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks
 
Application Centric Microservices from Redhat Summit 2015
Application Centric Microservices from Redhat Summit 2015Application Centric Microservices from Redhat Summit 2015
Application Centric Microservices from Redhat Summit 2015
 
Cloud-native Data: Every Microservice Needs a Cache
Cloud-native Data: Every Microservice Needs a CacheCloud-native Data: Every Microservice Needs a Cache
Cloud-native Data: Every Microservice Needs a Cache
 
How to Get Started with DevSecOps
How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOps
 
Strong practices for rails applications continuous delivery
Strong practices for rails applications continuous deliveryStrong practices for rails applications continuous delivery
Strong practices for rails applications continuous delivery
 
Are your DevOps and Security teams friends or foes?
Are your DevOps and Security teams friends or foes?Are your DevOps and Security teams friends or foes?
Are your DevOps and Security teams friends or foes?
 

Mais de DevSecCon

DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon
 
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon
 
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon
 
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security KnowledgeDevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security KnowledgeDevSecCon
 
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon
 
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon
 
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon
 
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon
 
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon
 
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon
 
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon
 
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon
 
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon
 
DevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon
 
DevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon
 

Mais de DevSecCon (20)

DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
 
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
 
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
 
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security KnowledgeDevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
 
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
 
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
 
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
 
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
 
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
 
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
 
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
 
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
 
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for Kubernetes
 
DevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heel
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificates
 
DevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOps
 

Último

VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesPooja Nehwal
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxraffaeleoman
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyPooja Nehwal
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxmohammadalnahdi22
 
George Lever - eCommerce Day Chile 2024
George Lever -  eCommerce Day Chile 2024George Lever -  eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024eCommerce Institute
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxNikitaBankoti2
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsaqsarehman5055
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Kayode Fayemi
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Hasting Chen
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar TrainingKylaCullinane
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Chameera Dedduwage
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMoumonDas2
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubssamaasim06
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardsticksaastr
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AITatiana Gurgel
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Vipesco
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...Sheetaleventcompany
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaKayode Fayemi
 

Último (20)

VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 
George Lever - eCommerce Day Chile 2024
George Lever -  eCommerce Day Chile 2024George Lever -  eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animals
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar Training
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptx
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubs
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AI
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 

Dev seccon london 2016 intelliment security

  • 1. Join the conversation #devseccon By Ildefonso Montero Writing firewall policies in app manifests
  • 2. Who am I Writing firewall policies in app manifests • Yet another Software Developer @imonteroperez
  • 3. Who am I Writing firewall policies in app manifests • Yet another Software Developer @imonteroperez This talk is NOT about • ^(?<Dev|Sec|App|Whatever>.+)Ops$ ideas applied for software delivery
  • 4. Who am I Writing firewall policies in app manifests • Yet another Software Developer @imonteroperez This talk is NOT about • ^(?<Dev|Sec|App|Whatever>.+)Ops$ ideas applied for software delivery This talk is about • ^(?<Dev|Sec|App|Whatever>.+)Ops$ ideas applied for infrastructure delivery • Infrastructure (servers, databases, microservices, containers, networks, firewalls, etc.)
  • 5. Preliminary Infrastructure-related Buzzwords Writing firewall policies in app manifests • Automated delivery or provision • Physical, Virtual, private and/or public clouds • Immutable, Scalable, Replicable, etc. The Good parts • Security compliance • Firewalling security needs • Rapid threat containment under attacks • (Multi)vendor coupled The “Ugly” parts From a DevOps perspective From a DevOps perspective
  • 6. Preliminary Infrastructure-related Buzzwords Writing firewall policies in app manifests • Automated delivery or provision • Physical, Virtual, private and/or public clouds • Immutable, Scalable, Replicable, etc. The Good parts • Security compliance • Firewalling security needs • Rapid threat containment under attacks • (Multi)vendor coupled The “Ugly” parts Security Security Security Security Others … From a DevOps perspective From a DevOps perspective
  • 7. Preliminary Infrastructure-related Buzzwords Writing firewall policies in app manifests • Automated delivery or provision • Physical, Virtual, private and/or public clouds • Immutable, Scalable, Replicable, etc. The Good parts • Security compliance • Firewalling security needs • Rapid threat containment under attacks • (Multi)vendor coupled The “Ugly” parts Security Security Security Security Others … From a DevOps perspective Only from DevOps perspective?
  • 8. Application Delivery Writing firewall policies in app manifests Application Delivery Software Delivery Infrastructure Delivery Network Security (policies) Live application Servers Containers Services
  • 9. Application Delivery Writing firewall policies in app manifests Complex communication • Software delivery • Infrastructure delivery (servers, containers, services) • Network delivery (network and security) Application Delivery Software Delivery Infrastructure Delivery Network Security (policies) Live application Servers Containers Services
  • 10. Application Delivery Writing firewall policies in app manifests From www.devsecops.org/blog/2016/5/20/-security
  • 11. Application Delivery Writing firewall policies in app manifests Complex communication • Software delivery • Infrastructure delivery (servers, containers, services) • Network delivery (network and security) Application Delivery Software Delivery Infrastructure Delivery Network Security (policies) Live application Servers Containers Services
  • 12. Application Delivery Writing firewall policies in app manifests Complex communication • Software delivery • Infrastructure delivery (servers, containers, services) • Network delivery (network and security) Every part of the process needs to be validated and reviewed by people, generating bottlenecks • DevOps to the rescue
  • 13. Application Delivery Writing firewall policies in app manifests Complex communication • Software delivery • Infrastructure delivery (servers, containers, services) • Network delivery (network and security) Every part of the process needs to be validated and reviewed by people, generating bottlenecks • NetOps to the rescue: • Vendor APIs (Juniper PyEZ, PAN-OS, Cisco NX-API (pycsco), IOS-XR (pyIOSXR), Arista EOS, etc.) • Netmiko, Paramiko • NAPALM + Ansible • SDN, OpenDaylight, NFV, flannel, kb-proxy
  • 14. Application Delivery Writing firewall policies in app manifests Complex communication • Software delivery • Infrastructure delivery (servers, containers, services) • Network delivery (network and security) Every part of the process needs to be validated and reviewed by people, generating bottlenecks • DevOps/NetOps to the rescue Security validations and compliance of infrastructure delivery • ¿?
  • 15. Application delivery bottlenecks. Diagram labels: Application Delivery; Software Delivery; Infrastructure Delivery (Servers, Containers, Services); Network Security (policies); Live application.
  • 16. Application delivery bottlenecks. IT teams are currently spending 20-32% of their time dealing with misconfigurations (Network Agility Research 2014, Dynamic Markets). Change management workflow diagram, steps: Change request (portal); Risk assessment (traffic simulation); Validate/Review change; Approved? (YES / NO, Not approved); Schedule for enforcement; Implement change; Deliver change; Test change; periodic Policy clean-up (historic degradation). Actors: APP OWNER, RISK TEAM, SECOPS TEAM.
  • 17. Application delivery bottlenecks. Automated: node provisioning, node configuration, software testing, software provisioning. Still mostly manual (no products yet): network provisioning, network configuration (incl. security policy).
  • 18. Recap Problems. Security validation and compliance of infrastructure delivery is: highly manual; spread across different teams (a.k.a. silos) with different ways of doing things. Living with the problem is not an option.
  • 19. Recap Problems. Security validation and compliance of infrastructure delivery is: highly manual; spread across different teams (a.k.a. silos) with different ways of doing things. Living with the problem is not an option. What we want: massive agility gains; massive cost reduction; better risk controls.
  • 20. DevSecOps to the rescue!
  • 21. DevSecOps to the rescue! Apply the “shift to the left” paradigm. Application Delivery: define your network needs as code.
  • 22. DevSecOps to the rescue! Apply the “shift to the left” paradigm. Application Delivery: define your network needs as code. SecOps: define your security rules as code.
  • 23. DevSecOps to the rescue! Apply the “shift to the left” paradigm. Application Delivery: define your network needs as code. SecOps: define your security rules as code. Risk: define your compliance as code.
  • 24. DevSecOps to the rescue! Apply the “shift to the left” paradigm. Application Delivery: define your network needs as code. SecOps: define your security rules as code. Risk: define your compliance as code. Firewall policies.
  • 25. Writing firewall policies is like …
  • 26. Abstract all the things! Apply the “shift to the left” paradigm. Application Delivery: define your network needs as code. SecOps: define your security rules as code. Risk: define your compliance as code.
  • 27. Just say what you want. Apply the “shift to the left” paradigm. Application Delivery: define your network needs as code. SecOps: define your security rules as code. Risk: define your compliance as code. Firewall policies as code! Intents: “I need to consume SNMP servers”; “I will provide a service by tcp 443 and tcp 80”.
  • 28. Just say what you want. Apply the “shift to the left” paradigm. Application Delivery: define your network needs as code. SecOps: define your security rules as code. Risk: define your compliance as code. Firewall policies as code! Intents: “I need to consume SNMP servers”; “I will provide a service by tcp 443 and tcp 80”; “User network must have visibility to App server”.
  • 29. Just say what you want. Apply the “shift to the left” paradigm. Application Delivery: define your network needs as code. SecOps: define your security rules as code. Risk: define your compliance as code. Firewall policies as code! Intents: “I need to consume SNMP servers”; “I will provide a service by tcp 443 and tcp 80”; “User network must have visibility to App server”; “DMZ traffic must be limited to Internet by tcp 443 and tcp 80”.
  • 30. Firewall policies as code. Abstraction: use a vendor- and topology-neutral model. Declarative: express your infrastructure security needs as user intents. Write policies where you need them; from a DevSecOps perspective, apply shift left, so write them in your app manifests!
  • 31. Firewall policies as code pipeline
  • 32. Demo overview
  • 33. Demo overview. Define on Puppet as code; automatically validate, deploy and visualize on Intelliment.
  • 34. Demo overview. Consumes: defines what visibility requirements the component needs from others. Provides: defines what services it exposes to others.
  • 36. Demo overview. The app is a simple web application with two webservers and a database server. Webserver nodes are located on the frontend network. The database server is located on the backend network. They must access a DNS server present on the management network. They must be accessed from the Internet, Users and Admins networks.
  • 37. Demo overview. App visibility requirements: users need HTTPS access to webservers; webservers need MySQL from the database; all servers should use the DNS server; system administrators need SSH access to all servers.
  • 38. Demo overview. Pre-approved flows: the RISK TEAM has pre-defined deny requirements to avoid the use of risky services. Unencrypted HTTP flows from the Internet or the User network to webservers are denied. Validation will make sure that no HTTP is allowed between these elements.
  • 39. Firewall policies in app manifests. Node classification: nodes webserver, webserver2 have role role::app::webserver with profile profile::app::webserver; node database has role role::app::database with profile profile::app::database; node dns-server has role role::server::dnsserver with profile profile::server::dnsserver; shared profile profile::server::base. App definition: profile::app::webserver provides web services and consumes database services; profile::app::database provides database services; profile::server::base provides ssh services and consumes dns services; profile::server::dnsserver provides dns services.
  • 40. Firewall policies in app manifests. App definition: profile::app::webserver provides web services and consumes database services; profile::server::base provides ssh services and consumes dns services. These are the network visibility requirements for Intelliment.
  • 41. Demo overview. App network visibility requirements retrieval from Puppet.
  • 42. Demo overview. App network visibility requirements retrieval from Puppet. Pre-approved flows (cannot be contradicted).
  • 43. Demo overview
  • 44. Demo overview
  • 45. Demo overview. App definition, profile profile::app::webserver: provides web services; consumes database services. One simple change.
  • 46. Demo overview
  • 47. Before. Change management workflow diagram, steps: Change request (portal); Risk assessment (traffic simulation); Validate/Review change; Approved? (YES / NO, Not approved); Schedule for enforcement; Implement change; Deliver change; Test change; periodic Policy clean-up (historic degradation). Actors: APP OWNER, RISK TEAM, SECOPS TEAM.
  • 48. After. Change management workflow diagram, steps: Define manifest; Automated Risk assessment; Automated Validate/Review change; Approved? (NO, Not approved); Schedule for enforcement; Automated Implement change; Automated Deliver change; Test change. Actors: APP OWNER, RISK TEAM, SECOPS TEAM.
  • 49. Application delivery bottlenecks. Diagram labels: Application Delivery; Software Delivery; Infrastructure Delivery (Servers, Containers, Services); Network Security (policies); Live application.
  • 50. Conclusions. Imposing controls is a way to reduce risks, but not at the expense of agility. Work together: security affects everybody, and living with the problems is not an option. Define your security needs as code. Abstract all the things (and automate them). Reduce your workflow bottlenecks.
  • 51. Join the conversation #devseccon Questions? Thank you! http://www.intellimentsec.com http://github.com/intelliment imontero@intellimentsec.com @imonteroperez
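
The consumes/provides model and the pre-approved deny from the demo slides (34 to 40), sketched as an added Python example that is not part of the talk and does not use Puppet's or Intelliment's API. Element and profile names follow the slides; the function names, the `kind` tags, applying profile::server::base to every server, and all ports other than tcp 443 and tcp 80 are assumptions.

```python
from itertools import product

# Added example, not Intelliment's API. Ports are conventional defaults (assumed).
SERVICES = {"https": "tcp/443", "http": "tcp/80", "mysql": "tcp/3306",
            "dns": "udp/53", "ssh": "tcp/22"}
# profile::server::base from the slides: provides ssh, consumes dns.
BASE = {"provides": {"ssh"}, "consumes": {"dns"}}
# Risk team's pre-approved deny: (source kinds, destination kind, service).
DENIES = [({"internet", "users"}, "webserver", "http")]

def element(kind, provides=(), consumes=(), base=False):
    """One network element with the services it provides and consumes."""
    extra = BASE if base else {"provides": set(), "consumes": set()}
    return {"kind": kind,
            "provides": set(provides) | extra["provides"],
            "consumes": set(consumes) | extra["consumes"]}

def demo_elements(web=("https",), users=("https",)):
    """The demo app; `web` and `users` let a manifest change be simulated."""
    return {
        "webserver": element("webserver", web, ["mysql"], base=True),
        "webserver2": element("webserver", web, ["mysql"], base=True),
        "database": element("database", ["mysql"], base=True),
        "dns-server": element("dnsserver", ["dns"], base=True),
        "Users": element("users", consumes=users),
        "Admins": element("admins", consumes=["ssh"]),
        "Internet": element("internet"),
    }

def resolve_flows(elements):
    """Pair each consumer with every other element providing that service."""
    flows = set()
    for (src, s), (dst, d) in product(elements.items(), repeat=2):
        if src != dst:
            flows |= {(src, dst, svc) for svc in s["consumes"] & d["provides"]}
    return flows

def violations(elements, flows, denies=DENIES):
    """Flows that contradict a pre-approved deny; these must block the change."""
    return sorted(f for f in flows for srcs, dst_kind, svc in denies
                  if elements[f[0]]["kind"] in srcs
                  and elements[f[1]]["kind"] == dst_kind and f[2] == svc)

def render(flows):
    """Vendor-neutral allow rules, one line per resolved flow."""
    return sorted(f"allow {s} -> {d} {SERVICES[v]}" for s, d, v in flows)

if __name__ == "__main__":
    print("\n".join(render(resolve_flows(demo_elements()))))
```

The deny is evaluated on resolved flows, so a webserver that merely provides HTTP passes validation until an element on the Internet or User network asks to consume it.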