What it feels like to live in a Security enabled DevOps world?
Team’s reaction: Disgusting! / Nah / Don’t Care!
Sec: Alright!
DevSecOps: Let’s begin with a story…
There lived 3 friends: Dev, Ops and Sec.
Dev: World will call us “DevOps” here on…
Ops: Yay!
Sec heard this and got upset…
Dev: What happened? Why are you upset?
Ops: What happened? “Dev” said you are upset!
Sec: I feel betrayed and insecure!!!
Dev & Ops: What can we do to make you happy again, “Sec”?
Sec: I want to be part of your group!
Ops: OK!
Sec: I always want to feel important and take center stage!
Dev: Done!
Sec: World should call us “DevSecOps” here on…
Why stress Security explicitly? Isn’t it everyone’s responsibility?
(Diagram: Programmer, Security, Software Engineer)
There is only “DevOps”! DevSecOps is redundant and unnecessary confusion!
We should build a culture where Sec is everyone’s responsibility and part of the job role!
So… Topic for today is: DevOps
Karun Chennuri
• Sr. Engineer, Security Architecture at T-Mobile
• 14 yrs. of experience in IT that includes 12 yrs. in PaaS, Cloud Security, Information Security, Security Solution Architecture
• Speaker at Spring One and CF Summit
• CISSP, CISM, ISO, CEH
• Multiple Open Source contributions (~ 5 major projects)
• https://www.linkedin.com/in/karunchennuri/
• @karunchennuri
Agenda
• Introduction
• Problem Statement
• What? DevOps world
• How? Architecture/Tools/Frameworks
• Use case: Adoption/Demo
DevOps
Why DevOps?

| Company | Deploy Frequency | Deploy Lead Time | Reliability | Customer Responsiveness |
|---|---|---|---|---|
| Amazon | 23k/day | Minutes | High | High |
| Google | 5.5k/day | Minutes | High | High |
| Netflix | 500/day | Minutes | High | High |
| Facebook | 1/day | Hours | High | High |
| Twitter | 3/week | Hours | High | High |
| Typical enterprise | Once every 9 months | Months or Quarters | Low/medium | Low/medium |

(Deploy Frequency and Deploy Lead Time are the agility metrics; Reliability and Customer Responsiveness are the reliability metrics.)

Big 5 vs non-high performing Orgs:
• 30x more frequent code deployments
• 8000x faster code deployment lead time
• 2x the change success rate
• 12x faster MTTR
(Chart: Market share, Profitability)
DevOps Salient Features
• Fail fast and Fail safe
• Faster feedback loops
• Inject pressure proactively
• Value non-functional requirements
• No place for Low trust model
• Peer review
• Decision driven (Measure)
• Routine CI/CD
• Don’t build when no ask!
(Scale: Thousands of Containers; 100+ Project teams; Millions of Transactions/day)
SECURITY
Shift Security Left! Involve security into the DevOps pipeline from the very first step!
(Diagram: the 8-stage Dev/Ops pipeline loop, shown once plain and once with a security touchpoint at each stage.)
Security Touchpoints
1. Capture Security Requirements
2. Secure Coding, Secret Management, Leak Prevention
3. Source Code Analysis, SCA
4. Security Testing, Pen Testing
5. Artifact Scanning
6. Vulnerability Mgmt, DAST Scan
7. Operations Security
8. Security Metrics Measurement
DevSecOps: Architecture / Tools / Frameworks
Going back in time!
(Diagram: three deployment stacks)
• Traditional Deployment: Hardware → Operating System → Bin/Library → App, App, App
• Virtualized Deployment: Hardware → Operating System → Hypervisor → Virtual Machines, each with its own OS → Bin/Library → Apps
• Container Deployment: Hardware → Operating System → Container Runtime → Containers, each with Bin/Library → App
Platform Abstraction
(Diagram: Traditional, IaaS, CaaS, PaaS and FaaS side by side, each stacked Hardware → OS → Containers → Runtime → Application → Functions. Moving from Traditional to FaaS, the layers shift from “Managed by You” to “Managed by Platform Provider”: where we have been, where we are now, where we are going.)
Evolution of Application Patterns
Application software (app for short) is computer software designed to perform a group of coordinated functions, tasks, or activities for the benefit of the user.
• Monolith: Single Unit
• SOA: Coarse Grained
• Microservices: Fine Grained
Software Landscape – Tools/Frameworks (logo collage, including Spring Boot and Continuous Delivery)
Dev{Sec}Ops Maturity Model

| Metric | Description |
|---|---|
| Deployment frequency | Number of deployments to production in a given time frame |
| Deployment lead time (for apps) | Time between code commit and prod deployment of that code |
| Change volume (for apps) | Number of user stories deployed in a given time frame |
| Change failure rate | % of production deployments that failed |
| MTTRecovery (for apps) | Time b/w a failed prod deployment to full restoration of prod operations |
| Availability | Amount of uptime/downtime in a given time period (SLA) |
| Customer issue volume | Number of issues reported by customers in a given time period |
| Customer issue resolution time | Mean time to resolve a customer reported issue |
| Time to value | Time between a feature request (user story creation) and realization of business value from that feature |
| Time to ATO (Authority to Operate) | Time between the beginning of Sprint 0 to achieving an ATO |
| Time to patch Vulnerabilities | Time between identification of a vulnerability and successful patch rollout on prod |

Source: GSA
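To make the table's metrics concrete, here is an added example (not from the deck and not GSA's code) that computes deployment frequency, deployment lead time, change failure rate, MTTRecovery and time to patch from deployment and vulnerability records; the records, dates and the one-week window are constructed for illustration.

```python
"""Compute Dev{Sec}Ops maturity metrics from deployment and vulnerability records.
Added example: the Deployment/Vulnerability records and the reporting window
below are constructed for illustration, not real deployment data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional


@dataclass
class Deployment:
    committed: datetime                  # when the code was committed
    deployed: datetime                   # when it reached production
    failed: bool = False                 # did the prod deployment fail?
    restored: Optional[datetime] = None  # full restoration of prod (failed only)


@dataclass
class Vulnerability:
    identified: datetime                 # when the vulnerability was identified
    patched: Optional[datetime] = None   # successful patch rollout on prod; None = open


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def deployment_frequency(deploys: List[Deployment], window_days: int) -> float:
    """Deployments to production per day over the reporting window."""
    return len(deploys) / window_days


def deployment_lead_time_hours(deploys: List[Deployment]) -> float:
    """Median hours between code commit and prod deployment of that code."""
    return median(_hours(d.deployed - d.committed) for d in deploys)


def change_failure_rate(deploys: List[Deployment]) -> float:
    """% of production deployments that failed."""
    return 100.0 * sum(1 for d in deploys if d.failed) / len(deploys)


def mttr_hours(deploys: List[Deployment]) -> float:
    """Mean hours from a failed prod deployment to full restoration of prod."""
    failed = [d for d in deploys if d.failed and d.restored is not None]
    if not failed:
        return 0.0
    return sum(_hours(d.restored - d.deployed) for d in failed) / len(failed)


def time_to_patch_hours(vulns: List[Vulnerability]) -> float:
    """Mean hours from identification to successful patch rollout (open vulns excluded)."""
    closed = [v for v in vulns if v.patched is not None]
    if not closed:
        return 0.0
    return sum(_hours(v.patched - v.identified) for v in closed) / len(closed)


def maturity_report(deploys: List[Deployment], vulns: List[Vulnerability],
                    window_days: int) -> Dict[str, float]:
    """The metrics in one dictionary, keyed by the table's metric names."""
    return {
        "Deployment frequency (per day)": deployment_frequency(deploys, window_days),
        "Deployment lead time (hours)": deployment_lead_time_hours(deploys),
        "Change failure rate (%)": change_failure_rate(deploys),
        "MTTRecovery (hours)": mttr_hours(deploys),
        "Time to patch Vulnerabilities (hours)": time_to_patch_hours(vulns),
        "Open vulnerabilities": float(sum(1 for v in vulns if v.patched is None)),
    }


# Constructed one-week sample: seven deployments, two of which failed in prod.
T0 = datetime(2019, 6, 3, 9, 0)
H = timedelta(hours=1)
D = timedelta(days=1)
SAMPLE_DEPLOYS = [
    Deployment(T0,         T0 + 2 * H),
    Deployment(T0 + 1 * D, T0 + 1 * D + 4 * H, failed=True, restored=T0 + 1 * D + 5 * H),
    Deployment(T0 + 2 * D, T0 + 2 * D + 2 * H),
    Deployment(T0 + 3 * D, T0 + 3 * D + 6 * H),
    Deployment(T0 + 4 * D, T0 + 4 * D + 3 * H, failed=True, restored=T0 + 4 * D + 6 * H),
    Deployment(T0 + 5 * D, T0 + 5 * D + 2 * H),
    Deployment(T0 + 6 * D, T0 + 6 * D + 2 * H),
]
SAMPLE_VULNS = [
    Vulnerability(T0, patched=T0 + 48 * H),
    Vulnerability(T0 + 1 * D, patched=T0 + 1 * D + 24 * H),
    Vulnerability(T0 + 5 * D),  # still open, so excluded from time to patch
]

if __name__ == "__main__":
    for name, value in maturity_report(SAMPLE_DEPLOYS, SAMPLE_VULNS, 7).items():
        print(f"{name}: {value:.2f}")
```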
Measuring Maturity Level (Ref: Modified version of Securosis/IANS CSMM)
• Level 1 (No Automation): Manually manage everything; Traditional Infra
• Level 2 (Simple Automation, SecOps): Initial use of IaaC; Project specific; Basic provisioning
• Level 3 (Manually executed scripts): Initial automation; Automation still executed manually; Periodic review of security
• Level 4 (Guardrails): Automation spreads to multiple projects; Big shift from manual execution to automation; Centralized management and reporting
• Level 5 (Automation everywhere): Centrally Managed; Cover all the domains; Integrated to IaaC
Which level are you??? (x-axis: Degree of Automation)
Continuous Security (One of many approaches)
Few Challenges:
• Securing software through “measurement”
• Consistent Security
• Measuring security
• Continuous Science/Tuning
• Automate… Automate… Automate…
Source: Shannon Lietz
What are those many approaches???
General Case Study: CI/CD, DevOps, Microservices, Containers, Cloud Native
PaaS: Cloud Foundry (One of Few)
(Diagram: Pivotal Cloud Foundry architecture. BOSH as the automation layer, with CPI and BOSH Audit Trail; Operations Manager (Ops Manager UI, Ops Manager Director); Platform Access via the OAuth 2.0 Server (UAA) and Login Server; Application Access via the Dynamic Router; Container Access via the SSH Proxy; Cloud Controller, Blobstore, Brain (Converger, Auctioneer), BBS and etcd; Elastic Container Runtime Cells (Garden or .NET, Rep/Exec., Metron Agent); Logging/Metrics via Loggregator (Doppler, Traffic Controller, Log Firehose); Service Brokers fronting Service Nodes.)
PaaS: Kubernetes (One of Few)
Tools
• Kube-hunter
• Kube-benchmark
• Kritis
• Grafeas
Cluster hardening best-practices (ordered by Maturity)
Setup a Cluster
• Restrict access to Client libs/tools/CLI utilities
• RBAC
• Use Network Policies
• TLS
Prevent Known Attacks
• Limit UI access (dashboard)
• Disable default accounts
• Protect worker metadata
• Scan images for known vulnerabilities
Follow security hygiene
• Patching & Upgrades
• Use minimal OS baselining
• Monitoring and Auditing
• Verify binaries that are deployed
Prevent/limit impact of microservice compromise
• Protect secrets
• Consider sandboxing
• Use service mesh for authentication & encryption
• Rotate credentials
Chaos Engineering
(Diagram: Infrastructure Failures vs Application Failures, with A/B/C service instances)
• Turbulence++ (Powered by T-Mobile)
• Monarch (Powered by T-Mobile)
TKE-V is a tool to enforce Policy-as-Code for Kubernetes
• OPA as a sidecar
• Policy definition
• Kubernetes plugin
• Customizable (Slack alerts)

| Deny Level | Severities Blocked |
|---|---|
| OFF | None |
| LOW | HIGH |
| MED | HIGH, MED |
| HIGH | HIGH, MED, LOW |
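As an added illustration of the deny-level idea (not TKE-V's or OPA's code: TKE-V evaluates OPA policies as an admission controller, and this stand-alone Python check only stands in for that), the block below evaluates constructed pod specs against a small policy catalogue drawn from the hardening list above and the editor's notes (privileged pods, host namespaces, hostPath, resource requests/limits, probes) and either blocks or merely alerts according to the table's deny level. The policy codes, severities and pod specs are invented for the example.

```python
"""Deny-level admission check in the spirit of the TKE-V table above.
Added illustration, not TKE-V's or OPA's code: policy codes, severities, checks
and the sample pod specs are constructed. Findings whose severity the deny level
does not block are returned as alerts rather than blocking admission."""
from typing import Any, Callable, Dict, List, Tuple

Pod = Dict[str, Any]

# Severities blocked at each deny level (from the table above).
DENY_LEVELS: Dict[str, frozenset] = {
    "OFF": frozenset(),
    "LOW": frozenset({"HIGH"}),
    "MED": frozenset({"HIGH", "MED"}),
    "HIGH": frozenset({"HIGH", "MED", "LOW"}),
}

def _containers(pod: Pod) -> List[Dict[str, Any]]:
    return pod.get("spec", {}).get("containers", [])

def check_privileged(pod: Pod) -> List[str]:
    return [f"container '{c.get('name')}' runs privileged" for c in _containers(pod)
            if c.get("securityContext", {}).get("privileged") is True]

def check_host_namespaces(pod: Pod) -> List[str]:
    spec = pod.get("spec", {})
    return [f"pod shares the host's {ns}" for ns in ("hostNetwork", "hostPID", "hostIPC")
            if spec.get(ns) is True]

def check_host_path(pod: Pod) -> List[str]:
    return [f"volume '{v.get('name')}' mounts hostPath '{v['hostPath'].get('path')}'"
            for v in pod.get("spec", {}).get("volumes", []) if "hostPath" in v]

def check_resources(pod: Pod) -> List[str]:
    return [f"container '{c.get('name')}' lacks resource requests and/or limits"
            for c in _containers(pod)
            if not (c.get("resources", {}).get("requests") and c.get("resources", {}).get("limits"))]

def check_probes(pod: Pod) -> List[str]:
    return [f"container '{c.get('name')}' lacks a liveness and/or readiness probe"
            for c in _containers(pod) if not (c.get("livenessProbe") and c.get("readinessProbe"))]

# Constructed policy catalogue: (code, severity, check). The codes imitate the short
# lookup codes the editor's notes mention; they are not real TKE codes.
POLICIES: List[Tuple[str, str, Callable[[Pod], List[str]]]] = [
    ("EX-001", "HIGH", check_privileged),
    ("EX-002", "HIGH", check_host_namespaces),
    ("EX-003", "HIGH", check_host_path),
    ("EX-004", "MED", check_resources),
    ("EX-005", "LOW", check_probes),
]

def admit(pod: Pod, deny_level: str) -> Dict[str, Any]:
    """Run every policy; deny on severities the level blocks, alert on the rest."""
    blocked = DENY_LEVELS[deny_level]
    denied: List[str] = []
    alerts: List[str] = []
    for code, severity, check in POLICIES:
        for msg in check(pod):
            (denied if severity in blocked else alerts).append(f"[{code}][{severity}] {msg}")
    return {"allowed": not denied, "denied": denied, "alerts": alerts}

# Constructed pod specs, trimmed to the fields the checks read.
RISKY_POD: Pod = {
    "metadata": {"name": "legacy-agent", "namespace": "team-a"},
    "spec": {
        "containers": [{"name": "agent", "image": "registry.example/legacy-agent:1.0",
                        "securityContext": {"privileged": True}}],
        "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
    },
}
HARDENED_POD: Pod = {
    "metadata": {"name": "api", "namespace": "team-a"},
    "spec": {"containers": [{
        "name": "api", "image": "registry.example/api:2.3",
        "securityContext": {"privileged": False, "runAsNonRoot": True},
        "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                      "limits": {"cpu": "500m", "memory": "256Mi"}},
        "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
        "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}},
    }]},
}

if __name__ == "__main__":
    for level in DENY_LEVELS:  # turn the deny level up as the org matures
        r = admit(RISKY_POD, level)
        print(f"{level:>4}: allowed={r['allowed']} denied={len(r['denied'])} alerts={len(r['alerts'])}")
```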
Software Tools (mapped onto the 8-stage Dev/Ops pipeline)
1. Design Reviews
2. SAST: SonarQube, Fortify, SpotBugs, Micro Focus, Snyk
3. Jenkins, Maven, Dependency Check, GitLab
4. Integration Tests, Unit Tests, Security Tests
5. GitLab Container Scan
6. Chef, Puppet, Ansible, TKE-V
7. Kubernetes, Cloud Foundry, Turbulence++, Monarch
8. Splunk, Metasploit
Automation Pipelines
Demo
• Git Commit
• Gitlab Pipeline
• Clair Scan
• Sonarqube/snyk security scan
• Deploy app to PCF/Kubernetes
DevOps Myths
• DevOps replaces Agile
• DevOps means NoOps
• DevOps is only for Opensource
• DevOps is just IaaS or automation
• DevOps is only for startups!
Now that you heard me talking nonstop… Let me bring this question again…
So, what it feels like to live in a Security enabled DevOps world?
Team’s reaction
• Before: Disgusting! / Nah / Don’t Care!
• After: Good! / Great! / Nah
Thank You
Karun Chennuri
CISM, CISSP, ISO 27001, CEH
Karun.Chennuri1@T-Mobile.com
https://www.linkedin.com/in/karunchennuri/
Twitter: @karunchennuri
References
• https://devops.com/shift-left-without-fear-the-role-of-security-in-enabling-devops/
• https://www.sonatype.com/hubfs/Corporate/Reference%20Architectures/2019/2019%20DSO%20Reference%20Architectures_NEW-1.pdf
• https://docs.pivotal.io/
• https://kubernetes.io/docs/concepts/architecture/

Editor’s notes

  1. Take an organization… take a team in it… talk to a few folks in that team and post this question: “What it feels like to live in a security enabled DevOps world?”
  2. Here is what their reaction may be… in fact it may be worse… On the other hand, in my humble opinion, this is how a sec team member might react, and usually it is the security person’s reaction! That might be a little harsh reaction.
  3. Some may hate me for what I’m going to say in the next few slides!
  4. Remember this term “Dev
  5. Ref: https://www.wikihow.com/Identify-a-False-Friend
  6. https://www.wikihow.com/Console-an-Upset-Friend Dev one fine morning meets Ops and says “Ops my friend, world will now call us DevOps here on…” Ops feels excited about it.
  7. On the other hand Sec heard this and is totally upset…
  8. https://www.wikihow.com/Console-an-Upset-Friend
  9. Chronic conflict between Dev and Ops preordains failure for the entire IT org, as well as the enterprise. High performing orgs such as Amazon, Google, Twitter, Etsy and Netflix are adopting a set of techniques that we now call DevOps; they are routinely and casually deploying hundreds or even thousands of production changes per day, while preserving world class reliability, stability and security. They are able to quickly deploy changes into production, with a code deployment lead time measured in minutes or hours; this enables them to innovate and out-experiment their competition in the marketplace, with higher quality and better customer outcomes. DevOps leads to faster feature time to market, increased customer satisfaction, market share and employee productivity, and allows orgs to win in the marketplace. In contrast to orgs taking weeks or months to deliver a feature, DevOps shortens the lead time to a few days. In 2009, 10 deploys per day was considered fast. Now this is considered merely average. In 2012, Amazon went on record stating that they were doing, on average, 23,000 deploys per day. The Big 5 are deploying code 30 times more frequently, and the time required to go from “code committed” to “successfully running in prod” was 8000 times faster. High performers had lead times measured in minutes or hours, while lower performers had weeks, months and quarters. When high performers deployed changes and code, they were twice as likely to complete successfully (i.e. without causing a production outage or service impairment), and when a change failed and resulted in an incident, the time required to resolve the incident was 12 times faster. This explains how high performers are providing world class levels of reliability, stability and security, enabling them to out-experiment their competitors in the marketplace. Overall speed in delivering things has resulted in exceeding profitability, market share and productivity goals.
  10. “Fail Fast and Fail Safe” is an important slogan that all high-performing orgs adopt. Thus they believe in faster feedback loops to prevent problematic code going to prod. Even if it goes, the issues are quickly detected and corrected! Everyone in the value stream shares a culture that not only values each other’s time and contributions but also relentlessly injects pressure into the system of work to enable organizational learning and improvement. Everyone in the team values non-functional requirements (quality, … operability). Why? Because nonfunctional requirements are just as important in achieving business objectives. No place for a low trust model, e.g. approval and compliance processes, command and control management culture… Instead, in the DevOps world rely on peer review so that everyone has confidence in the quality of the deliverable. Everyone needs to be a scientist, taking no assumptions for granted and doing nothing without measuring. DevOps doesn’t spend months/years building features that customers don’t actually want, deploy code that doesn’t work, or fix something that isn’t actually a problem. CI/CD happens in the middle of the day, during business hours, seamlessly. Deployments should become routine and stress free jobs.
  11. SOA has been standard dev practice for nearly 2 decades. Granular, but not fine-grained enough! Especially not resourceful when working with cloud computing; it also limits feature request changes and is not easily scalable. Microservices are: easily deployable; less dev time; scale individually; reusable in different projects; better fault isolation; work well with containers. Disadvantages: potentially too much granularity; extra effort designing for communication between services; latency during heavy use; complex testing.
  12. Every maturity model is measurable on a scale of 5 levels.
  13. https://www.devsecops.org/blog/2016/5/20/-security • Securing software through “measurement”: like all other -ilities, Security, too, must become a measurable capability in the art of deployed software. • Hooking up security scanners to the CI/CD pipeline isn’t enough on its own; you need more. • Automation is key to solving major security issues: embrace CI/CD. • Steps to DevSecOps: identify & eliminate security gates, training barriers and communication barriers; compile/track known weaknesses; security curation (reduce false positives); continuous monitoring etc.
  14. Kata container: stripped down guest kernel. gVisor: intercepts system calls by acting as a guest kernel in user space. Nabla: limits system calls using a unikernel and blocks the rest with seccomp. Firecracker: lightweight microVM meant for running in a non-virtualized environment. Grafeas: container image scan and registry. Kritis: admission control to verify the signatures of container images. Podman: secure container with CRI-O. Kube-bench: check your cluster against 100+ tests of the CIS Kubernetes Benchmark so you can harden it according to the best practices. Kube-hunter: penetration testing tool that “attacks” your cluster and nodes, looking for configuration issues.
  15. Envoy can be used for “Systematic fault injection”, which can help us think in direction of using this architecture for performing Chaos Engineering attacks at app level. “Systematic” here can be introducing 400ms timeout on service calls, circuit breaker tests etc Envoy can add fault tolerance/resiliency without any changes to the code.
  16. Talking points I usually cover: Use of OPA allows for generic policy definition/enforcement. It can be used in a shift-left model by calling OPA within CI/CD (we're not doing this yet, but I'm thinking of enabling this). Deny Level allows a low barrier to entry with minimal disturbance and can be turned up as the dev organization matures. It also allows you to set policy severity to fit your business needs (not everyone views policies the same way/weight). The alerts provide instant feedback to users, and the use of "TKE" codes makes it easy for customers to locate info and remediation steps for specific policy failures. The model allows for alerts to the platform team, and to development teams as well (customized by annotating namespaces with a Slack Incoming Webhook URL). The admission controller model works regardless of deployment tooling (kubectl, helm, client libraries, direct API, etc.). Policies covered: Liveness Probe/Readiness Probe; Resource Requests/Limits; PDB Configuration; PVC Reclaim Policy; NodePort Whitelist; Privileged Pods; HostPath; HostNet.
  17. https://gitlab.com/tmobile/cdp/containers/sonarqube/pipelines https://gitlab.com/KChennu1/gitlab-secure-pipeline/pipelines
  18. DevOps is a logical continuation of the Agile journey. “Done” in DevOps means code complete, fully tested and operating in production. No need for the Dev team to open a ticket for IT Ops to complete the work; many of these activities are automated so that devs can do it themselves. Having said that, IT Ops is not completely eliminated. DevOps is universal and applicable everywhere. DevOps is not just automation; it also talks about the nonfunctional requirements we spoke about earlier. Nope, it’s for established enterprises with 2-pizza team size.
  19. I asked the same question again to a group of engineers (non security)
  20. This is what their response is… Team pointed at Security team saying… who is the most awesome person today?