A Security Control Language for Securing Continuous Deployments

Brian Eddy, Norman Wilde

The Problem: DevOps

Agile deployment of new features to production, up to hundreds of times per day.

  • DevOps
  • Continuous Deployment
  • Infrastructure-as-code

The Problem: Continuous Deployment

A "pipeline" automates provisioning of the environments for build, test, QA, staging, and production.


The Problem: Infrastructure-as-code

Scripts and templates define how each environment is created.

Test, QA, staging and production are kept near-identical to reduce manual deployment errors.


But What About Security?*

The Good
  • Baselined scripts and templates can be inspected and tested
  • Short-lived immutable virtual machines can be a difficult target for an attacker

The Bad
  • Those scripts and templates are very complex and hard to verify
  • The pipeline tools add attack surface that must be protected

* Security for DevOps Deployment Processes: Defenses, Risks, Research Directions. To appear: IJSEA.

This project focuses here: the attack surface added by the pipeline tools.

Pre-DevOps Attack Surface

Ops manually builds each environment.

[Figure: Build Server → Application Virtual Machines (Test, QA, Staging, Production) → End User]

New Attack Surface

A Deployment Service and a Deployment Agent create each environment.

[Figure: Build Server → Deployment Service (e.g. Chef Server) → Deployment Agent (e.g. Chef Client) on the Application Virtual Machines (Test, QA, Staging, Production) → End User]

We Get Hacked!

1. An attacker penetrates a production machine.
2. Production has a network path to the Deployment Service, which is then compromised.
3. The Deployment Service compromises staging, AFTER the QA tests have been run.
4. On the next push to production, the entire system may be compromised.

[Figure: Build Server → Deployment Service (e.g. Chef Server) → Application Virtual Machines (Test, QA, Staging, Production); the compromise spreads from Production back to the Deployment Service and from there to Staging]

Solution: A Distributed Security Control Language

[Figure: the same pipeline (Build Server, Deployment Service (e.g. Chef Server), Application Virtual Machines for Test, QA, Staging, Production, End User), with a Monitor alongside the Deployment Service]

Solution: Infrastructure by Contract Assertions

Assert: There is no path from production to the deployment service.

[Figure: the same pipeline with the Monitor alongside the Deployment Service (e.g. Chef Server); the assertion is checked against the link from Production back to the Deployment Service]
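As an added example (not the authors' language or code), the following toy monitor evaluates the assertion above against connectivity that agents on each host might report. The `assert no_path from <role> to <role>` syntax, the host names, and the two connectivity tables are constructed for illustration. It evaluates the slide's assertion and, going one step beyond it, a second assertion covering the transitive hop from production through the deployment service to staging that step 3 of the attack chain depends on, so that a violation report shows the actual chain of hosts rather than a bare yes/no.

```python
"""Toy monitor for an 'infrastructure by contract' reachability assertion.

Added illustration only: the assertion syntax, host names and connectivity
tables below are constructed, not the security control language from the talk.
"""
from collections import deque

# Constructed inventory: host -> role in the pipeline.
HOSTS = {
    "build-1": "build",
    "chef-server": "deployment_service",
    "test-1": "test",
    "qa-1": "qa",
    "staging-1": "staging",
    "prod-1": "production",
    "prod-2": "production",
}

# Constructed connectivity: src host -> hosts it may open connections to,
# as an agent on each host might report it to the monitor.
# Scenario from the slides: production can still reach the Chef server.
EDGES_VULNERABLE = {
    "build-1": {"chef-server"},
    "chef-server": {"test-1", "qa-1", "staging-1", "prod-1", "prod-2"},
    "prod-1": {"prod-2", "chef-server"},  # the hop the attacker pivots through
    "prod-2": {"prod-1"},
}

# Same pipeline after the production -> deployment service rule is removed.
EDGES_FIXED = {
    "build-1": {"chef-server"},
    "chef-server": {"test-1", "qa-1", "staging-1", "prod-1", "prod-2"},
    "prod-1": {"prod-2"},
    "prod-2": {"prod-1"},
}

# Hypothetical assertion syntax: assert no_path from <role> to <role>
ASSERTIONS = [
    "assert no_path from production to deployment_service",
    # Step 3 of the attack chain: production must not reach staging even
    # indirectly, e.g. through a compromised deployment service.
    "assert no_path from production to staging",
]


def parse_assertion(text):
    """Return (src_role, dst_role) from 'assert no_path from A to B'."""
    t = text.split()
    if len(t) != 6 or t[:3] != ["assert", "no_path", "from"] or t[4] != "to":
        raise ValueError(f"unsupported assertion: {text!r}")
    return t[3], t[5]


def find_path(edges, start, goal):
    """Shortest-hop path from start to goal over the reported edges, or None.

    Breadth-first search with a predecessor map, so a violation report can
    show the chain of hosts an attacker would traverse.
    """
    pred = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            path = []
            while cur is not None:
                path.append(cur)
                cur = pred[cur]
            return path[::-1]
        for nxt in sorted(edges.get(cur, ())):  # sorted: deterministic output
            if nxt not in pred:
                pred[nxt] = cur
                queue.append(nxt)
    return None


def check(assertion, hosts, edges):
    """Evaluate one no_path assertion; return the list of violating paths."""
    src_role, dst_role = parse_assertion(assertion)
    srcs = sorted(h for h, r in hosts.items() if r == src_role)
    dsts = sorted(h for h, r in hosts.items() if r == dst_role)
    violations = []
    for src in srcs:
        for dst in dsts:
            path = find_path(edges, src, dst)
            if path is not None:
                violations.append(path)
    return violations


def evaluate(hosts, edges):
    """Run every assertion; map assertion text -> violating paths."""
    return {a: check(a, hosts, edges) for a in ASSERTIONS}


def report(name, hosts, edges):
    print(f"== {name} ==")
    for assertion, paths in evaluate(hosts, edges).items():
        print(("FAIL " if paths else "OK   ") + assertion)
        for p in paths:
            print("       path:", " -> ".join(p))


if __name__ == "__main__":
    report("before fix (attack scenario)", HOSTS, EDGES_VULNERABLE)
    report("after fix", HOSTS, EDGES_FIXED)
```

Run as a script, the first report fails both assertions and lists the paths prod-1 → chef-server and prod-2 → prod-1 → chef-server (and their continuation to staging-1); the second report, with the production-to-deployment-service rule removed, passes both. A real monitor would feed `HOSTS` and the edge tables from agent reports or firewall state rather than from constants, but the contract check itself is the same graph query.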

Summary of Research Approach

1. Consult with Affiliates to define a context: a small-scale model application and pipeline
2. Define a small number of realistic assertions for this context
3. Write the assertions in the security control language
4. Develop code for the agents and the monitor
5. Perform and document a proof-of-concept case study for this context

Long Term Benefit: Verifiable Infrastructure

1. Improved security through:
   1. Verified deployment pipeline
   2. Verified application configuration
2. Avoid costly and preventable security failures

For further information:

Brian Eddy, [email protected]