DevOps purists may chafe at the DevSecOps term given that security and other important practices are supposed to already be an integral part of routine DevOps workflows. But the reality is that security often gets more lip service than thoughtful and systematic integration into open source software sourcing, development pipelines, and operations processes--in spite of an increasing number of threats. In this session, we’ll look at successful practices that distributed and diverse teams use to iterate rapidly. We’ll discuss how a container platform can serve as the foundation for DevSecOps in your organization. We'll also consider the risk management associated with integrating components from a variety of sources--a consideration that open source software has had to deal with since the beginning. Finally, we'll show ways by which automation and repeatable trusted delivery of code can be built directly into a DevOps pipeline.

1. DevSecOps:
The Open Source Way
Gordon Haff, Technology Evangelist, Red Hat
@ghaff

2. ● DevOps “purists” point out that security was
always part of DevOps
● Did people just not read the book?
● Did people not understand the book?
● Are practitioners just skipping security
anyway?
WHY DevSecOps?

3. Source: IT Revolution, DevOps Enterprise abstract word cloud, 2014.

4. Source: IT Revolution, DevOps Enterprise abstract word cloud, 2014.

5. But Now it’s 2017. Right?

7. ● A new silo
● Devs (often) don’t grok (even) traditional security
● Assembled applications and supply chains
● Security not integrated into pipeline
What’s the Problem?

10. SEC

11. OWASP Top 10
2007
Cross-site scripting (XSS)
Injection flaws
Malicious file execution
Insecure direct object reference
Cross-site request forgery (CSRF)
Information leakage & improper error handling
Broken authentication & session management
Insecure cryptographic storage
Insecure communications
Failure to restrict URL access

12. 2017 RC2
Injection
Broken authentication
Sensitive data exposure
XML External Entities (XXE)
Broken access control
Security misconfiguration
Cross-site scripting (XSS)
Insecure deserialization
Using components with known vulnerabilities
Insufficient logging & monitoring
OWASP Top 10
2007
Cross-site scripting (XSS)
Injection flaws
Malicious file execution
Insecure direct object reference
Cross-site request forgery (CSRF)
Information leakage & improper error handling
Broken authentication & session management
Insecure cryptographic storage
Insecure communications
Failure to restrict URL access

13. 2017 RC2
Injection
Broken authentication
Sensitive data exposure
XML External Entities (XXE)
Broken access control
Security misconfiguration
Cross-site scripting (XSS)
Insecure deserialization
Using components with known vulnerabilities
Insufficient logging & monitoring
OWASP Top 10
2007
Cross-site scripting (XSS)
Injection flaws
Malicious file execution
Insecure direct object reference
Cross-site request forgery (CSRF)
Information leakage & improper error handling
Broken authentication & session management
Insecure cryptographic storage
Insecure communications
Failure to restrict URL access

14. …utilizing billions of available libraries,
frameworks and utilities
● Not all are created equal, some are
healthy and some are not
● All go bad over time, they age like milk,
not like wine
● Enterprises consume an average 229,000
software components annually, of which
17,000 had a known security vulnerability
Applications are ‘assembled’...

15. A typical DevOps pipeline

16. How security integrates

17. ● Better organizations
● Containers
● Secured supply chain
● Secured pipeline
● Secured operations
Opportunities!
}Managed approach to risk

18. Better Organizations

19. Kids programming: Esti Alvarez cc license
CULTURE
of collaboration
valuing openness
and transparency

20. Culture = f (l, o, i, t, …)
Where:
l = leadership
o = organization
i = incentives
t = trust
… = many other things
Open source offers guidance

21. Containers

22. What are containers?
● Sandboxed application processes
on a shared Linux OS kernel
● Simpler, lighter, and denser than
virtual machines
● Portable across different
environments
● Package my application and all of
its dependencies
● Deploy to any environment in
seconds and enable CI/CD
● Easily access and share
containerized components
Sys-Admins / Ops Developers
It Depends on Who You Ask

23. Containers technical timeline
LXC Initial
release
Aug ‘08
OpenShift
online
May
‘11
Docker Initial
release
Mar
‘13
OpenShift
Enterprise 3.0
Jun‘
15
Open
Container
Initiative
Initial release,
Buildah
Jun
‘17
Moby
Apr
‘17
Sep
‘17
CRI-O

24. Open source, leadership, and standards
● Docker/Moby
● Kubernetes/OpenShift
● OCI Specifications
● Cloud Native Technical Leadership
● Vendor/partner ecosystem
The community landscape

25. ● Docker, Red Hat et al. June 2015
● Two Specifications
● Runtime
○ How to run a “filesystem bundle” that is unpacked on disk
● Image Format
○ How to create an OCI Image that contains sufficient information
to launch the application on the target platform
Open Container Initiative (OCI)

26. “Containers are an easy way to get a reasonable
percentage of security built in.”
John Willis
co-Author, DevOps Handbook
ServerlessConf 2017

27. Manage Risk

29. MANA
Reuse
AutomationMicroservices Immutability
Pervasive access
Speed
Rapid tech churn
Flexible deploys
Containers
Software-defined
MANAGED RISK
Dev Ops

30. Securing the assets
● Building code
○ Watching for changes in how things get built
○ Signing the builds
● Built assets
○ Scripts, binaries, packages (RPMs), containers
(OCI images), machine images (ISOs, etc.)
○ Registries (Service, Container, App)
○ Repositories (Local on host images assets)
Safe at Titan Missile Museum
https://upload.wikimedia.org/wikipedia/commons/5/59/Red_Safe%2C_Titan_Missile_Museum.jpg

31. Registries
● Do you require a private registry?
● What security meta-data is available
for your images?
● Are the images in the registry
updated regularly?
● Are there access controls on the
registry? How strong are they? Who
can push images to the registry?

32. ● Potentially lots of parallel builds
● Source code
● Where is it coming from?
● Who is it coming from?
● Supply Chain Tooling
● CI tools (e.g. Jenkins)
● Testing tools
● Scanning Tools (e.g. Black Duck)
Securing the development process
Boeing's Everett factory near Seattle
https://upload.wikimedia.org/wikipedia/commons/c/c8/At_Boeing%27s_Everett_factory_near_Seattle_%289130160595%29.jpg
Creative Commons

33. Ensure the application code is compliant
Ensure the pipeline is not compromised
Systematic, on-going, and automated
Securing the development process
Repo Scan
Image
Build
Scan
Dev
Deploy
Test

34. ● How do ensure that all these
variations are working and
supported together?
● Containers and container
ecosystems help vendors to
continuously secure their
software
Track third-party development technologies

35. ● Trusted registries and repos
● Signature authenticating and authorizing
● Image scanning
● Policies
● Ongoing assessment with automated
remediation
Securing the operations: Deployment
Mission Control - Apollo 13
https://c1.staticflickr.com/4/3717/9460197822_9f6ab3f30c_b.jpg

36. ● Blue Green or A/B or Canary,
continuous deployments
● Monitoring deployments
● Possibly multiple environments
Securing the operations: Lifecycle

37. ● Log (most) things
● Alarm few things
● Establish relevant metrics
● Root cause analysis (reactive)
● Detect patterns/trends (proactive)
● Context and distributions matter
● Incentives drive behavior
Securing the operations: Monitoring and metrics

38. “... we estimate that fewer than 20% of enterprise security architects
have engaged with their DevOps initiatives to actively and systematically
incorporate information security into their DevOps initiatives; and fewer still
have achieved the high degrees of security automation required to qualify as
DevSecOps.”
“By 2019, more than 70% of enterprise DevOps initiatives will have
incorporated automated security vulnerability and configuration
scanning for open source components and commercial packages, up from
less than 10% in 2016.”
How are we doing?
DevSecOps: How to Seemlessly Integrate Security Into DevOps, Gartner Inc. September 2016

39. Thank You!
Gordon Haff
Technology Evangelist, Red Hat
@ghaff
Cloudy Chat podcast
www.redhat.com
www.bitmasons.com