2. PAGE3
DEVOPS INDONESIA
DEVOPS INDONESIA HOUSE RULES
100% ATTENTION
TAKE NOTES, NOT CALLS
RECEIVE KNOWLEDGE, NOT MESSAGES
MUTE NOTIFICATIONS FOR SLACK QQ WHATSAPP IMESSAGE EMAIL
TELEGRAM SNAPCHAT FACEBOOK WEIBO HANGOUTS VOXER SIGNAL G+
TWITTER VIBER SKYPE WECHAT LINE SMS ...
11. PAGE13
WHY DevSecOps?
● DevOps “purists” point out that security was always
part of DevOps
● Did people just not read the book? Are practitioners
skipping security?
● DevSecOps practitioners say it’s about how to
continuously integrate and automate security at
scale
● Goals:
● Protecting private user data and company data
● Restricting access
● Standards compliance
14. PAGE16
GLASS HALF EMPTY, GLASS HALF FULL
“... we estimate that fewer than 20% of enterprise security architects have
engaged with their DevOps initiatives to actively and systematically incorporate
information security into their DevOps initiatives; and fewer still have achieved the
high degrees of security automation required to qualify as
DevSecOps.”
“By 2019, more than 70% of enterprise DevOps initiatives will have
incorporated automated security vulnerability and configuration scanning for
open source components and commercial packages, up from less than 10% in 2016.”
DevSecOps: How to Seamlessly Integrate Security Into DevOps, Gartner Inc., September 2016
15. PAGE17
Security is seen as an inhibitor to DevOps
Security infrastructure has lagged in its ability
to become ‘software defined’ and
programmable, making it difficult to
integrate...
Modern applications are largely ‘assembled,’
not developed, and developers often download
and use known vulnerable open-source
components and frameworks
16. PAGE18
Applications are ‘assembled’...
...utilizing billions of available libraries,
frameworks and utilities
● Not all are created equal, some are healthy and
some are not
● All go bad over time, they age like milk, not like
wine
● Data shows enterprises consumed an average
229,000 software components annually, of which
17,000 had a known security vulnerability
17. PAGE19
THE PERFECT STORM
● Cloud
● DevOps
● Open Source Software
● Innovation explosion
● Containers/Microservices
● Digital transformation
19. PAGE21
SECURING THE ASSETS
● Building code
● Watching for changes in how things get built
● Signing the builds
● Built assets
● Scripts, binaries, packages (RPMs), containers (OCI images), machine images (ISOs, etc.)
● Registries (service, container, app)
● Repositories (local, on-host image assets)
20. PAGE22
SECURING THE SOFTWARE ASSETS - E.G. IMAGE REGISTRY
● Public and private registries
● Do you require a private registry?
● What security meta-data is available for your images?
● Are the images in the registry updated regularly?
● Are there access controls on the registry? How strong are they?
● Who can push images to the registry?
22. PAGE24
SECURING THE ASSETS
HEALTH - Security freshness
● Freshness grade for container security
● Monitor the image registry to automatically replace affected images
● Use policies to gate what can be deployed: e.g. if a container requires root access, prevent deployment
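The gating rule on this slide (deny deployment when a container would run as root), extended to the freshness and scan-result checks the slide also lists, as an added example that is not part of the original deck or of any tool it mentions. The OCI image config, the scan report shape, the 30-day freshness limit and the severity threshold are all assumed or constructed here; a real gate would read the config from the registry and the report from a scanner.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy values (illustrative, not from the slides)
MAX_IMAGE_AGE_DAYS = 30
BLOCKING_SEVERITIES = {"Critical", "High"}

def image_runs_as_root(config: dict) -> bool:
    """OCI image config: a missing or empty User means the container runs as root."""
    user = config.get("config", {}).get("User", "").split(":")[0]
    return user in ("", "0", "root")

def image_is_stale(config: dict, now: datetime) -> bool:
    """Freshness check on the image's build timestamp (RFC 3339 'created' field)."""
    created = datetime.fromisoformat(config["created"].replace("Z", "+00:00"))
    return now - created > timedelta(days=MAX_IMAGE_AGE_DAYS)

def blocking_vulns(report: dict) -> list:
    """Names of scan findings whose severity is at or above the blocking threshold."""
    return sorted(v["name"] for v in report["vulnerabilities"]
                  if v["severity"] in BLOCKING_SEVERITIES)

def evaluate(config: dict, report: dict, now: datetime) -> list:
    """Return the list of policy violations; an empty list means deployment is allowed."""
    reasons = []
    if image_runs_as_root(config):
        reasons.append("runs as root: set a non-root USER in the Dockerfile")
    if image_is_stale(config, now):
        reasons.append(f"built more than {MAX_IMAGE_AGE_DAYS} days ago: rebuild on a current base")
    for name in blocking_vulns(report):
        reasons.append(f"blocking vulnerability {name}: update the affected package")
    return reasons

# Constructed sample data: an old, root-running image with one Critical finding...
NOW = datetime(2019, 3, 1, tzinfo=timezone.utc)
STALE_CONFIG = {"created": "2019-01-15T10:00:00Z", "config": {"User": ""}}
STALE_REPORT = {"vulnerabilities": [
    {"name": "CVE-PLACEHOLDER-1", "severity": "Critical"},
    {"name": "CVE-PLACEHOLDER-2", "severity": "Low"}]}
# ...and a freshly rebuilt non-root image carrying only a Low finding.
FRESH_CONFIG = {"created": "2019-02-25T08:00:00Z", "config": {"User": "1001:1001"}}
FRESH_REPORT = {"vulnerabilities": [{"name": "CVE-PLACEHOLDER-2", "severity": "Low"}]}

if __name__ == "__main__":
    for label, cfg, rep in (("stale", STALE_CONFIG, STALE_REPORT),
                            ("fresh", FRESH_CONFIG, FRESH_REPORT)):
        verdict = evaluate(cfg, rep, NOW)
        print(label, "DENY" if verdict else "ALLOW", verdict)
```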
24. PAGE26
SECURING THE DEVELOPMENT PROCESS
● Potentially lots of parallel builds
● Source code
● Where is it coming from?
● Who is it coming from?
● Supply Chain Tooling
● CI tools (e.g. Jenkins)
● Testing tools
● Scanning tools (e.g. Black Duck, Sonatype)
25. PAGE28
SECURING THE OPERATIONS
▪ Deployment
▪ Trusted registries and repos
▪ Signature authenticating and authorizing
▪ Image scanning
▪ Policies
▪ Ongoing assessment with automated remediation
26. PAGE29
SECURING THE OPERATIONS
Lifecycle
● Blue Green or A/B or Canary, continuous deployments
● Monitoring deployments
● Possibly multiple environments
37. PAGE44
Plan - Threat Modeling Tools
OWASP Threat Dragon Project
Threat Dragon is a free, open-source threat modeling tool from OWASP. It can be used as a standalone desktop app for Windows and macOS (Linux coming soon) or as a web application.
The desktop app is great if you want to try the application without giving it access to your GitHub repos, but if you choose the online version you get to unleash the power of GitHub on your threat models. Obviously, to do this you need to log in first.
https://github.com/appsecco/owasp-threat-dragon-gitlab
40. PAGE47
Security Automation for Containers and VMs with OpenSCAP
SCAP is a set of specifications related to security automation. SCAP is used to improve security posture (hardening and finding vulnerabilities) as well as for regulatory compliance.
https://github.com/dstraub/satellite-plugin
https://github.com/RedHatSatellite/soe-ci
https://servicesblog.redhat.com/2017/06/12/standard-operating-environment-part-iii-a-reference-implementation/
41. PAGE48
API-aware Networking and Security
Cilium brings API-aware network security filtering to Linux container frameworks like Docker and Kubernetes. Using a new Linux kernel technology called BPF, Cilium provides a simple and efficient way to define and enforce both network-layer and application-layer security policies based on container/pod identity.
42. PAGE49
Secure container-aware credentials storage, trust management.
HashiCorp Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted Key/Value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL database credentials, X.509 certificates, SSH credentials, and more.
https://github.com/jenkinsci/hashicorp-vault-plugin
44. PAGE51
Static source-code analysis / static application security testing (SAST)
Brakeman - Rails Security Scanner
Static analysis security scanner for Ruby on Rails
https://jenkins.io/doc/pipeline/steps/brakeman/
https://jenkins.io/blog/2016/08/10/rails-cd-with-pipeline/
45. PAGE52
Static source-code analysis / static application security testing (SAST)
SonarQube is an open source platform developed by SonarSource for continuous inspection of code quality. It performs automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities in 20+ programming languages.
https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner+for+Jenkins
https://www.owasp.org/index.php/Source_Code_Analysis_Tools
47. PAGE54
Integrate the image scanning into Jenkins pipelines with clairctl
Clairctl is a lightweight command-line tool that bridges registries such as Docker Hub, Docker Registry or Quay.io and Clair, the CoreOS vulnerability tracker. Clairctl acts as a reverse proxy for authentication.
https://github.com/jgsqware/clairctl
Jenkins CI Image Vulnerability Scan
https://github.com/protacon/ci-image-vulnerability-scan
Static Application Security Testing (SAST)
Clair: The Container Image Security Analyzer
Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including appc and docker).
https://github.com/benfab/clair-demo
48. PAGE55
Dynamic Application Security Testing (DAST)
OWASP Zed Attack Proxy Project
ZAP is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.
https://plugins.jenkins.io/zapper
https://wiki.jenkins.io/display/JENKINS/Zapper+Plugin
https://youtu.be/xMLb7BDdfNo
50. PAGE57
Dynamic Application Security Testing (DAST)
Free, Simple, Distributed, Intelligent, Powerful, Friendly.
Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of modern web applications.
https://blog.secodis.com/2016/03/17/automated-security-tests-3-jenkins-arachni-threadfix/
https://wiki.jenkins.io/display/JENKINS/Arachni+Scanner+plugin
52. PAGE59
Mobile Application Security Testing (MAST)
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and supports both binaries (APK, IPA and APPX) and zipped source code. MobSF can do dynamic application testing at runtime for Android apps and has Web API fuzzing capabilities powered by CapFuzz, a Web API-specific security scanner. MobSF is designed to make your CI/CD or DevSecOps pipeline integration seamless.
https://medium.com/@omerlh/how-to-continuously-hacking-your-app-c8b32d1633ad
https://github.com/MobSF/Mobile-Security-Framework-MobSF/wiki/10.-MobSF-CI-CD
54. PAGE61
Security Framework
Managed Ecosystem for Secure Operations
SIMP is an open source, fully automated, and extensively tested framework that can either enhance your existing infrastructure or allow you to quickly build one from scratch. Built on the mature Puppet product suite, SIMP is designed around scalability, flexibility, and compliance.
55. PAGE62
Container Security Framework
NIST Special Publication 800-190: Application Container Security Guide
Control families covered: Access Control; Configuration Management; System and Communications Protection; System and Information Integrity; Audit and Accountability; Awareness and Training; Identification and Authentication; Incident Response; Risk Assessment.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf
58. PAGE65
Continuous learning of DevSecOps concepts
OWASP DevSecOps Studio Project
DevSecOps Studio is a one-of-its-kind, self-contained DevSecOps environment/distribution to help individuals learn DevSecOps concepts. Setting up the environment for training/demos takes a lot of effort and is often error prone when done manually.
Features:
● Easy to set up the environment with just one command: “vagrant up”
● Teaches Security as Code, Compliance as Code, Infrastructure as Code
● With built-in support for CI/CD pipeline
● OS hardening using Ansible
● Compliance as code using InSpec
● QA security using ZAP, BDD-Security and Gauntlt
● Static tools like bandit, brakeman, windbags, gitrob, gitsecrets
● Security Monitoring using ELK stack.
59. PAGE66
● Git server to store code and infrastructure (as code).
● CI/CD pipeline that embeds security (SAST, DAST, hardening, compliance, etc.) as part of CI/CD.
● Add Security tools as jobs.
● Analyze and fix the issues found.
https://github.com/teacheraio/DevSecOps-Studio/wiki