SESSION ID: ASD-F01
How Security can be the Next Force Multiplier in DevOps
Andrew Storms
VP, Security Services
New Context @St0rmz
Make security the reason for DevOps adoption
◆Software development challenges
◆DevOps doesn't address secure coding challenges
◆It's our duty to effect change in DevOps
◆Security embedded in DevOps makes DevOps better
◆Don't fear DevOps – know the people, processes and tools
◆Find your positive entry points
◆Making a plan
Non DevOps software development environment
Process Step   Owner
Plan           PM
Code           Dev
Test           QA
Release        Release Mgmt
Deploy         Ops
Operate        Ops
(Security)     a separate owner, outside the pipeline
◆Non DevOps software development environment
◆Everything is separate
Downward business pressures on every step: Time To Market, Changing Requirements, Tech Debt, Control Costs, Risk Reduction, Reporting
Upward security pressures on every step: Threat Mgmt, Risk Reduction, Reporting, plus Governance, Policy, Audit and Compliance
Pressure comes from all four stakeholder groups: Program Management, Business & Product, Security & Compliance, Software Dev
◆External pressures
◆Disjointed
◆Costly
◆Siloed
◆Opaque
◆Complex
◆Always late, out of sync, fragile
Then along came DevOps
Non DevOps
◆Disjointed
◆Costly
◆Opaque
◆Always late
DevOps
◆Conjoined
◆Lean
◆Transparent
◆Agile
(Pipeline diagram: a single DevOps team, labelled Agile, now owns Plan, Code, Test, Release, Deploy and Operate; Ops and Security remain separate owners. The Governance, Compliance, Policy and Audit pressures, the business pressures of Time To Market, Changing Requirements, Tech Debt, Control Costs, Risk Reduction and Reporting, and the security pressures of Threat Mgmt, Risk Reduction and Reporting are unchanged.)
◆Meets business & product needs
◆On time within budget
◆Meets ops and dev needs
◆Agile, harmonious, consistent
◆Fails to meet security needs
◆No attempt to deliver secure application code
◆Security still left out and left last
How popular is DevOps?
◆Oct 2014 CA Technologies Survey
◆88% of respondents have already adopted or plan to adopt DevOps in the next 5 years (up from 66% the prior year)
◆The top obstacle (28%) to DevOps in their organization was security or compliance concerns
◆Oct 2014 Rackspace Survey
◆55% have already implemented DevOps; 31% are planning to implement DevOps within 3 years
◆Primary driver for DevOps? Only 2% said audit or compliance
CA Technologies report: https://www.wendangku.net/doc/9b10127525.html,/us/articles/devops/research-report--devops-the-worst-kept-secret-to-winning-in-the-application-economy.aspx
Rackspace report: https://www.wendangku.net/doc/9b10127525.html,/sites/default/files/devops-automation-report.pdf
DevOps Kicks The Security Can Down The Road
Old Way: Plan (PM), Code (Dev), Test (QA), Release (Release Mgmt), Deploy (Ops), Operate (Ops); Security is a separate owner at the end
DevOps Way: Plan, Code, Test, Release, Deploy and Operate are all owned by DevOps; Ops and Security are still separate owners at the end
Security is still the last guy
DevOps Is Bad For Security
◆Fast
◆~50 deploys a day!
◆Faster to production = faster to be pwned
◆Too much complexity
◆Unwieldy
◆Everyone has access to everything
◆Full stack engineers
◆Fewer test cases
◆Deplorable
◆No audit
◆No control points
◆No process
DevOps Is Good For Security
◆Increases process insertion points
◆Increases consistency
◆Increases predictability
◆Decreases time to change
◆Increases auditability
◆Reduces costs
◆Reduces waste
Simple Manageable Automatable Testable
Security Is Good For DevOps
◆Business enabler
◆Transparency
◆Trust
◆Protects privacy
◆Accountability
◆Regulatory & audit
Let the people focus on their core competencies
Know Your Nemesis
Security Team
◆Compliance
◆Silos
◆Change control
◆FUD masters
DevOps Teams
◆Security != compliance
◆Open
◆Lots of change
◆Data scientists
“If you know the enemy and know yourself, you need not fear the result of a hundred battles.
If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” – Sun Tzu
How do we get these teams to work together?
(Every DevOps presentation must have random gears image)
Action Plan
◆Pipeline
◆Tools
◆Processes
◆Today's todos
(Diagram: each item plotted from short term to long term)
Know your DevOps
Apply Security Expertise to DevOps Pipeline
(Pipeline diagram: Git holds App Code, Inf Code and Templates; Jenkins runs Functional Tests, Security Tests and Other Tests; Chef deploys to Dev, Stage and Prod; Logging, Log Analysis and Instrumentation (statsd) span the whole pipeline.)
◆Git (Source Code Management)
◆Make it the source of truth for everything
◆Sometimes people use Chef for revision control
◆Separate repositories for each cookbook
◆Branching strategy needs to support isolation, rollback, logging
◆Git Hooks
◆Enforce policy at commit time
◆Commit message, additional logging
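As an added example (not from the slides and not New Context's code), the following POSIX shell hook does the two things the slide lists: it rejects a commit whose first message line does not cite a change ticket, rejects staged changes that contain a private key or an AWS access key ID, and appends an allow/deny record to a log file. The ticket format CHG-1234, the two secret patterns and the log path are assumptions chosen for illustration; the sample diff lines used to exercise it are constructed.

```shell
#!/bin/sh
# Git policy hook (added example). Assumptions: commit messages start with a
# change ticket such as "CHG-1234 ...", staged additions must not contain a
# PEM private key or an AWS access key ID (AKIA + 16 chars), and policy
# decisions are appended to $HOOK_LOG (default /tmp/git-policy.log).
# Install the same file as .git/hooks/commit-msg and .git/hooks/pre-commit.

# Return 0 when the first message line starts with a ticket reference.
check_commit_message() {
    case "$1" in
        CHG-[0-9]*\ *) return 0 ;;
        *) return 1 ;;
    esac
}

# Scan text (normally the staged diff) for secret-looking material.
# Prints every offending line with its line number; returns 1 if any found.
scan_for_secrets() {
    if printf '%s\n' "$1" | grep -E -n \
        -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
        -e 'AKIA[0-9A-Z]{16}'; then
        return 1
    fi
    return 0
}

# Append one timestamped ALLOW/DENY record; gives the audit trail the
# "additional logging" bullet asks for.
log_policy_event() {
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" \
        >> "${HOOK_LOG:-/tmp/git-policy.log}"
}

# commit-msg entry point: git passes the path of the message file as $1.
run_commit_msg_hook() {
    msg="$(head -n1 "$1")"
    if check_commit_message "$msg"; then
        log_policy_event ALLOW "commit-msg: $msg"
        return 0
    fi
    echo "commit rejected: first line must start with a ticket, e.g. 'CHG-1234 ...'" >&2
    log_policy_event DENY "commit-msg: $msg"
    return 1
}

# pre-commit entry point: only added lines of the staged diff are scanned.
run_pre_commit_hook() {
    staged="$(git diff --cached --unified=0 | grep '^+' | grep -v '^+++')"
    if scan_for_secrets "$staged"; then
        log_policy_event ALLOW "pre-commit: no secret patterns in staged changes"
        return 0
    fi
    echo "commit rejected: staged changes contain secret-looking material" >&2
    log_policy_event DENY "pre-commit: secret pattern found"
    return 1
}

# Constructed sample inputs for trying the checks outside a repository.
SAMPLE_CLEAN_DIFF='+retries = 3
+region = us-west-2'
SAMPLE_LEAKY_DIFF='+aws_access_key_id = AKIAIOSFODNN7EXAMPLE'

# Dispatch on the hook name git invoked us under.
case "$(basename "$0")" in
    commit-msg) run_commit_msg_hook "$1"; exit $? ;;
    pre-commit) run_pre_commit_hook; exit $? ;;
esac
```

Local hooks are advisory: a developer can skip them with `git commit --no-verify`, so the same checks belong on the server side (a pre-receive hook) or in the Jenkins stage that consumes the repository, where they become a real control point rather than a convenience.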