Devops Indonesia - DevSecOps - The Open Source Way

Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Carregando em…3
×

Confira estes a seguir

1 de 60 Anúncio

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Semelhante a Devops Indonesia - DevSecOps - The Open Source Way (20)

Anúncio

Mais de Yusuf Hadiwinata Sutandar (20)

Mais recentes (20)

Anúncio


  1. DEVOPS INDONESIA. Jakarta, 26 September 2018. DevSecOps: The Open Source Way. DevOps Community in Indonesia.
  2. House rules: 100% attention. Take notes, not calls. Receive knowledge, not messages. Mute notifications for Slack, QQ, WhatsApp, iMessage, email, Telegram, Snapchat, Facebook, Weibo, Hangouts, Voxer, Signal, G+, Twitter, Viber, Skype, WeChat, LINE, SMS, ...
  3. Let's get to know each other.
  4. Yusuf Hadiwinata Sutandar: Linux geek | open source enthusiast | security hobbyist.
  5. Managing risk in a volatile DevOps world.
  6. Raise your hand! Who... has heard of Docker?
  7. ...knows what Docker is?
  8. ...has tried Docker? or ...uses Docker?
  9. ...uses Docker in production? ...with additional tools?
  10. ...or even implements DevSecOps? Or SecDevOps... DevOpsSec?!! Or maybe SecDevSecOpsSec?
  11. Why DevSecOps?
      ● DevOps "purists" point out that security was always part of DevOps.
      ● Did people just not read the book? Are practitioners skipping security?
      ● DevSecOps practitioners say it is about how to continuously integrate and automate security at scale.
      ● Goals: protecting private user data and company data; restricting access; standards compliance.
  14. Glass half empty, glass half full. "... we estimate that fewer than 20% of enterprise security architects have engaged with their DevOps initiatives to actively and systematically incorporate information security into their DevOps initiatives; and fewer still have achieved the high degrees of security automation required to qualify as DevSecOps." "By 2019, more than 70% of enterprise DevOps initiatives will have incorporated automated security vulnerability and configuration scanning for open source components and commercial packages, up from less than 10% in 2016." (DevSecOps: How to Seamlessly Integrate Security Into DevOps, Gartner Inc., September 2016)
  15. Security is seen as an inhibitor to DevOps
      ● Security infrastructure has lagged in its ability to become "software defined" and programmable, making it difficult to integrate...
      ● Modern applications are largely "assembled", not developed, and developers often download and use known-vulnerable open source components and frameworks.
  16. Applications are "assembled"... utilizing billions of available libraries, frameworks and utilities.
      ● Not all are created equal; some are healthy and some are not.
      ● All go bad over time; they age like milk, not like wine.
      ● Data shows enterprises consumed an average of 229,000 software components annually, of which 17,000 had a known security vulnerability.
  17. The perfect storm: cloud; DevOps; the open source software innovation explosion; containers/microservices; digital transformation.
  18. You manage risk by securing the assets/infrastructure, securing the dev, securing the ops, and securing the APIs.
  19. Securing the assets
      ● Building code: watching for changes in how things get built; signing the builds.
      ● Built assets: scripts, binaries, packages (RPMs), containers (OCI images), machine images (ISOs, etc.).
      ● Registries (service, container, app).
      ● Repositories (local on-host image assets).
  20. Securing the software assets, e.g. the image registry
      ● Public and private registries. Do you require a private registry?
      ● What security metadata is available for your images?
      ● Are the images in the registry updated regularly?
      ● Are there access controls on the registry? How strong are they?
      ● Who can push images to the registry?
  21. Securing the assets: health and security freshness
      ● A freshness grade for container security.
      ● Monitor the image registry to automatically replace affected images.
      ● Use policies to gate what can be deployed: e.g. if a container requires root access, prevent deployment.
  22. Securing the development process
      ● Potentially lots of parallel builds.
      ● Source code: where is it coming from? Who is it coming from?
      ● Supply chain tooling: CI tools (e.g. Jenkins), testing tools, scanning tools (e.g. Black Duck, Sonatype).
  23. Securing the operations: deployment
      ● Trusted registries and repos.
      ● Signatures for authenticating and authorizing.
      ● Image scanning.
      ● Policies.
      ● Ongoing assessment with automated remediation.
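The registry and deployment slides above (19 to 23) all reduce to one decision: does this exact image meet policy before it is allowed to run? The following is an added example, not code from the deck or from any tool it mentions, that encodes those checks as a single gate: trusted repository prefix, digest pinning, a signature over the digest, a non-root USER, and no scanner findings at or above a threshold. The repository allowlist, the signing key, the image metadata and the findings are all constructed for the example, and the signature is a stand-in HMAC rather than a real Notary or cosign verification.

```python
"""Deployment gate over image metadata (added example, not from the deck).

Encodes the checks from the "securing the assets" and "securing the
operations: deployment" slides as a single policy: trusted registry,
digest pinning, a signature over the digest, no root user, and no scanner
findings at or above a severity threshold. The metadata a CI job would
fetch from the registry and scanner is constructed inline, and the
signature is a stand-in HMAC rather than a real Notary/cosign check.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Hypothetical allowlist of repository prefixes this pipeline may deploy from.
TRUSTED_PREFIXES = ("registry.example.internal/", "quay.io/example-org/")

# Hypothetical shared key for the stand-in signature. A real pipeline verifies
# an asymmetric signature against the build system's public key instead.
SIGNING_KEY = b"demo-key-not-for-production"

# Severity names as used by Clair-style scanners; a higher rank is worse.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class ImageMeta:
    ref: str                      # image reference, ideally pinned: repo@sha256:<hex>
    user: str                     # USER from the image config; "" means root
    signature: str = ""           # hex HMAC over the digest (constructed)
    findings: list = field(default_factory=list)  # [{"id", "package", "severity"}]


def parse_ref(ref):
    """Split an image reference into (repository, tag, digest)."""
    name, _, digest = ref.partition("@sha256:")
    tag = None
    if name.rfind(":") > name.rfind("/"):      # ':' after the last '/' is a tag, not a port
        name, tag = name.rsplit(":", 1)
    if digest and not re.fullmatch(r"[0-9a-f]{64}", digest):
        raise ValueError(f"malformed digest in {ref!r}")
    return name, tag, digest or None


def sign_digest(digest):
    """Stand-in for a real artifact signature: HMAC-SHA256 over the digest."""
    return hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()


def evaluate(meta, block_at="High"):
    """Return the list of policy violations; an empty list means deploy."""
    violations = []
    name, tag, digest = parse_ref(meta.ref)

    if not name.startswith(TRUSTED_PREFIXES):
        violations.append(f"untrusted registry or repository: {name}")

    if digest is None:
        # A mutable tag can be re-pushed after scanning and signing, so neither
        # the signature nor the scan result can be tied to what actually runs.
        violations.append(f"image not pinned by digest (tag {tag or 'latest'!r} is mutable)")
    elif not hmac.compare_digest(sign_digest(digest), meta.signature):
        violations.append("signature does not match digest")

    if meta.user.split(":")[0] in ("", "0", "root"):
        violations.append("image runs as root (no non-root USER set)")

    for f in meta.findings:
        if SEVERITY_RANK.get(f["severity"], 0) >= SEVERITY_RANK[block_at]:
            violations.append(f"{f['severity']} finding {f['id']} in package {f['package']}")

    return violations


# Constructed inputs: one image that satisfies the policy, one that fails
# every check, and one whose signature was made over a different digest.
GOOD_DIGEST = "a" * 64
GOOD_IMAGE = ImageMeta(
    ref=f"quay.io/example-org/api@sha256:{GOOD_DIGEST}",
    user="1001:1001",
    signature=sign_digest(GOOD_DIGEST),
    findings=[{"id": "constructed-finding-1", "package": "libfoo", "severity": "Low"}],
)
BAD_IMAGE = ImageMeta(
    ref="nginx:latest",
    user="",
    findings=[{"id": "constructed-finding-2", "package": "libbar", "severity": "Critical"}],
)
TAMPERED_IMAGE = ImageMeta(
    ref=f"quay.io/example-org/api@sha256:{GOOD_DIGEST}",
    user="1001",
    signature=sign_digest("b" * 64),
)

if __name__ == "__main__":
    for label, image in [("good", GOOD_IMAGE), ("bad", BAD_IMAGE), ("tampered", TAMPERED_IMAGE)]:
        result = evaluate(image)
        print(f"{label}: {'DEPLOY' if not result else 'BLOCK'}")
        for v in result:
            print(f"  - {v}")
```

The gate reports every violation rather than stopping at the first, so a developer sees the whole list in one CI run. Digest pinning is deliberately checked before the signature: without a digest there is nothing immutable for a signature or a scan result to refer to, which is the point behind "trusted registries" and "signature authenticating" on the slide.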
  24. Securing the operations: lifecycle
      ● Blue/green, A/B or canary continuous deployments.
      ● Monitoring deployments.
      ● Possibly multiple environments.
  25. Modern architectures are API driven, requiring a DevOps approach to API management. Visibility, routing, and authorization are key security concerns.
  35. Plan: threat modeling tools. OWASP Threat Dragon Project. Threat Dragon is a free, open source threat modeling tool from OWASP. It can be used as a standalone desktop app for Windows and macOS (Linux coming soon) or as a web application. The desktop app is great if you want to try the application without giving it access to your GitHub repos, but if you choose the online version you get to unleash the power of GitHub on your threat models. Obviously, to do this you need to log in first. https://github.com/appsecco/owasp-threat-dragon-gitlab
  37. Docker host security compliance
  38. Security automation for containers and VMs with OpenSCAP. SCAP is a set of specifications related to security automation. SCAP is used to improve security posture (hardening and finding vulnerabilities) as well as for regulatory reasons. https://github.com/dstraub/satellite-plugin https://github.com/RedHatSatellite/soe-ci https://servicesblog.redhat.com/2017/06/12/standard-operating-environment-part-iii-a-reference-implementation/
  39. API-aware networking and security. Cilium brings API-aware network security filtering to Linux container frameworks like Docker and Kubernetes. Using the Linux kernel technology BPF, Cilium provides a simple and efficient way to define and enforce both network-layer and application-layer security policies based on container/pod identity.
  40. Secure container-aware credential storage and trust management. HashiCorp Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted key/value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL database credentials, X.509 certificates, SSH credentials, and more. https://github.com/jenkinsci/hashicorp-vault-plugin
  42. Static source-code analysis / static application security testing (SAST). Brakeman, the Rails security scanner: a static analysis security scanner for Ruby on Rails. https://jenkins.io/doc/pipeline/steps/brakeman/ https://jenkins.io/blog/2016/08/10/rails-cd-with-pipeline/
  43. Static source-code analysis / static application security testing (SAST). SonarQube is an open source platform developed by SonarSource for continuous inspection of code quality: it performs automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities in 20+ programming languages. https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner+for+Jenkins https://www.owasp.org/index.php/Source_Code_Analysis_Tools
  45. Static analysis of container images (the deck lists this under SAST, but Clair inspects the packages in image layers, not application source). Clair, the container image security analyzer, is an open source project for the static analysis of vulnerabilities in application containers (currently including appc and Docker). https://github.com/benfab/clair-demo Integrate image scanning into Jenkins pipelines with clairctl. Clairctl is a lightweight command-line tool bridging registries such as Docker Hub, Docker Registry or Quay.io and the CoreOS vulnerability tracker, Clair. Clairctl acts as a reverse proxy for authentication. https://github.com/jgsqware/clairctl Jenkins CI image vulnerability scan: https://github.com/protacon/ci-image-vulnerability-scan
  46. Dynamic application security testing (DAST). The OWASP Zed Attack Proxy Project is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them. It is also a great tool for experienced pentesters to use for manual security testing. https://plugins.jenkins.io/zapper https://wiki.jenkins.io/display/JENKINS/Zapper+Plugin https://youtu.be/xMLb7BDdfNo
  47. Dynamic application security testing (DAST). Free, simple, distributed, intelligent, powerful, friendly: Arachni is a feature-full, modular, high-performance Ruby framework aimed at helping penetration testers and administrators evaluate the security of modern web applications. https://blog.secodis.com/2016/03/17/automated-security-tests-3-jenkins-arachni-threadfix/ https://wiki.jenkins.io/display/JENKINS/Arachni+Scanner+plugin
  49. Mobile application security testing (MAST). Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and supports both binaries (APK, IPA and APPX) and zipped source code. MobSF can do dynamic application testing at runtime for Android apps and has web API fuzzing capabilities powered by CapFuzz, a web-API-specific security scanner. MobSF is designed to make your CI/CD or DevSecOps pipeline integration seamless. https://medium.com/@omerlh/how-to-continuously-hacking-your-app-c8b32d1633ad https://github.com/MobSF/Mobile-Security-Framework-MobSF/wiki/10.-MobSF-CI-CD
  51. Security framework: a managed ecosystem for secure operations. SIMP is an open source, fully automated, and extensively tested framework that can either enhance your existing infrastructure or allow you to quickly build one from scratch. Built on the mature Puppet product suite, SIMP is designed around scalability, flexibility, and compliance.
  52. Container security framework. NIST Special Publication 800-190: Application Container Security Guide. Control areas: access control; configuration management; system and communications protection; system and information integrity; audit and accountability; awareness and training; identification and authentication; incident response; risk assessment. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf
  53. Bringing it all together
  54. Homework!!
  55. Continuous learning of DevSecOps concepts: OWASP DevSecOps Studio Project. DevSecOps Studio is a one-of-a-kind, self-contained DevSecOps environment/distribution to help individuals learn DevSecOps concepts. It takes a lot of effort to set up the environment for training/demos and, more often than not, it is error prone when done manually. Features:
      ● Easy-to-set-up environment with just one command, "vagrant up"
      ● Teaches security as code, compliance as code, infrastructure as code
      ● Built-in support for a CI/CD pipeline
      ● OS hardening using Ansible
      ● Compliance as code using InSpec
      ● QA security using ZAP, BDD-Security and Gauntlt
      ● Static tools like bandit, brakeman, windbags, gitrob, git-secrets
      ● Security monitoring using the ELK stack
  56. Bringing it all together
      ● Git server to store code and infrastructure (as code).
      ● CI/CD pipeline that embeds security as part of CI/CD: SAST, DAST, hardening, compliance, etc.
      ● Add security tools as jobs.
      ● Analyze and fix the issues found.
      https://github.com/teacheraio/DevSecOps-Studio/wiki
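"Add security tools as jobs" and "analyze and fix the issues found" only work if the job can decide, unattended, whether a scanner's output should fail the build without re-reporting findings a reviewer has already triaged. The following is an added example, not code from the deck or from DevSecOps Studio, of such a gate: it reads bandit-style JSON (a constructed report; the rule ids B602, B303 and B101 are real bandit tests, the file names and code are made up), suppresses findings recorded in a baseline, and fails on anything at or above a chosen severity. The baseline set and its contents are constructed for the example.

```python
"""CI gate over SAST output (added example; not part of the deck or of
DevSecOps Studio).

Reads bandit-style JSON (the constructed report below), suppresses findings
already triaged into a baseline, and fails the job when anything at or above
the chosen severity remains. Findings are keyed by rule, file and offending
code rather than by line number, so an unrelated edit above a finding does
not invalidate the baseline.
"""
import hashlib
import json
import re

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed results in the shape of `bandit -f json`, trimmed to the fields
# the gate uses. The rule ids are real bandit tests; the files are made up.
SAMPLE_RESULTS = [
    {"filename": "app/shell.py", "line_number": 12, "test_id": "B602",
     "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "issue_text": "subprocess call with shell=True identified, security issue.",
     "code": "12 subprocess.call(cmd, shell=True)\n"},
    {"filename": "app/cache.py", "line_number": 4, "test_id": "B303",
     "issue_severity": "MEDIUM", "issue_confidence": "HIGH",
     "issue_text": "Use of insecure MD2, MD4, MD5, or SHA1 hash function.",
     "code": "4 key = hashlib.md5(url.encode()).hexdigest()\n"},
    {"filename": "tests/test_api.py", "line_number": 30, "test_id": "B101",
     "issue_severity": "LOW", "issue_confidence": "HIGH",
     "issue_text": "Use of assert detected.",
     "code": "30 assert resp.status_code == 200\n"},
]
SAMPLE_REPORT = json.dumps({"results": SAMPLE_RESULTS})


def fingerprint(finding):
    """Stable id for a finding: rule + file + offending code, with bandit's
    leading line numbers stripped so a line shift does not churn the baseline."""
    snippet = " ".join(
        re.sub(r"^\d+\s", "", line).strip() for line in finding["code"].splitlines()
    )
    raw = f"{finding['test_id']}|{finding['filename']}|{snippet}"
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def gate(report_json, baseline, fail_on="MEDIUM"):
    """Partition findings into blocking / suppressed / below threshold.

    `baseline` is the set of fingerprints a reviewer has already accepted
    (false positive, or a risk signed off with a reason). Entries should carry
    an owner and expiry in the real baseline file; that bookkeeping is omitted.
    """
    threshold = SEVERITY_RANK[fail_on]
    result = {"blocking": [], "suppressed": [], "below_threshold": []}
    for finding in json.loads(report_json)["results"]:
        if fingerprint(finding) in baseline:
            result["suppressed"].append(finding)
        elif SEVERITY_RANK[finding["issue_severity"]] >= threshold:
            result["blocking"].append(finding)
        else:
            result["below_threshold"].append(finding)
    result["fail"] = bool(result["blocking"])
    return result


# Constructed baseline: the MD5 in app/cache.py was reviewed and accepted as a
# non-security cache key, so it is suppressed; the shell=True call is not.
BASELINE = {fingerprint(SAMPLE_RESULTS[1])}

if __name__ == "__main__":
    import sys
    verdict = gate(SAMPLE_REPORT, BASELINE)
    for bucket in ("blocking", "suppressed", "below_threshold"):
        for f in verdict[bucket]:
            print(f"{bucket:>16}: {f['test_id']} {f['filename']}:{f['line_number']} {f['issue_text']}")
    sys.exit(1 if verdict["fail"] else 0)
```

The same three-way split (blocking, suppressed, below threshold) works for any scanner in the pipeline whose output is a list of findings with a location and a severity, so one gate can sit behind the SAST, DAST and image-scan jobs rather than each tool having its own pass/fail rule. Keep the baseline in the repository next to the code it refers to, so that accepting a finding is itself a reviewed change.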
  57. Questions???
  58. Stay connected: @devopsindonesia, www.devopsindonesia.com, https://www.meetup.com/DevOps-Indonesia, https://www.meetup.com/Docker-Indonesia/, linkedin.com/in/yusufhadiwinata/, facebook.com/yusuf.hadiwinata, linkedin.com/in/mademulia/
  59. Are you awesome? We are hiring! Check https://t.me/IDDevOps for details.
  60. "Alone we are smart, together we are brilliant." Thank you! (Quote by Steve Anderson)
