Security Practitioner Perspective on DevOps for Building Secure Solutions
Zane Lackey, Hasan Yasar
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213
October 19th, 2016
© 2016 Carnegie Mellon University
[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.
Copyright 2016 Carnegie Mellon University
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at [email protected].
Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.
DM-0004111
This talk covers the perspectives of security practitioners on building secure software using the DevOps development process and modern security approaches.
Building Secure Solutions
DevOps Foundations
The DevOps Movement Began as a Reaction …
to years of disconnect between Development and Operations that began to manifest itself as conflict and inefficiency
What is DevOps?
DevOps (a portmanteau of "development" and "operations") emphasizes communication, collaboration, and integration between software developers and information technology (IT) operations personnel. [1]
[1] http://en.wikipedia.org/wiki/DevOps
Silos Block Collaboration
(Figure: Dev, Ops, QA and Analysts shown as separate silos.)
Silos Reinforce Waterfall
(Figure: Developers, QA Engineers and IT Operations shown as separate silos.)
Teams have moved to Agile methodologies, but roles still align with waterfall methods
Water-Scrum-Fall
(Figure: the "Water" phase on the Business side covers Research, Budget and Document; the "Scrum" phase covers Development; the "Fall" phase covers Integrate, Test and Release, owned by QA and Operations.)
Sources: Jez Humble, https://youtu.be/L1w2_AY82WY; Dave West, http://sdtimes.com/analyst-watch-water-scrum-fall-is-the-reality-of-agile/
DevOps is an Extension of Agile Thinking
Agile:
• Embrace constant change
• Embed the Customer in the team to internalize expertise on requirements and domain
DevOps:
• Embrace constant testing and delivery
• Embed Operations in the team to internalize expertise on deployment and maintenance
Polling question: Does your organization follow DevOps processes and methodologies?
Every Transition of the System is a Risk
Agile Means Constant Transition
Significant Collaboration Is Needed Where Paths Intersect
(Figure: the Developers' path runs Create, Change, Deliver; the Operations' path runs Maintain, Monitor, Manage Environment; the two paths intersect.)
To address these pain points, DevOps promotes Collaboration
Heavy collaboration between Dev and Ops on:
• Design / Architecture decisions
• Environment / Network configuration
• Deployment planning
• Code Review
Constantly available open communication channels:
• Dev and Ops together in all project meetings
• Chat/Email/Wiki services available to all team members
• Dev / Ops report together as one project team
An Engaged, Cross-Functional team is needed
Early involvement of experts
• Ops = experts in maintainability and deployability
Complete engagement
• Don’t bring Ops Engineers in as consultants – make them first-class team members with same success criteria as devs
Break down organizational silos
• Enable and require constant communication
DevOps Aims to Increase…
…the pace of innovation
…responsiveness to business needs
…collaboration
…software quality
Multiple Dimensions of DevOps Culture
Culture
• Developers and Ops collaborate (Ops includes security)
• Developers and Operations support releases beyond deployment
• Dev and Ops have access to stakeholders who understand business and mission goals
Process and Practices
• Pipeline streamlining
• Continuous-delivery practices (e.g., continuous integration; test automation; script-driven, automated deployment; virtualized, self-service environments)
System and Architecture
• Architected to support test automation and continuous-integration goals
• Applications that support changes without release (e.g., late binding)
• Scalable, secure, reliable, etc.
Automation and Measurement
• Automate repetitive and error-prone tasks (e.g., build, testing, and deployment; maintain consistent environments)
• Static analysis automation (architecture health)
• Performance dashboards
Integration and communication, even among tools, are the key to integrating Security into the Development Platform!
Building Secure Solutions
DevOps Lessons Learned
Polling question: Do you have a Security Ops team as part of development activities?
For security teams, the world has changed in three fundamental ways:
– Agility means code deployment is trending to near-instantaneous
– Security is no longer the gatekeeper to deployment
– If security is a blocker, it will be routed around
Near-instantaneous deployment?
A simulation of deploying code in the waterfall model
What is this shifting to?
An agility example: Etsy pushes to production 50 times a day on average
Constant iteration in production via feature flags, ramp-ups, A/B testing
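Feature flags, ramp-ups and A/B tests of the kind mentioned above are configuration changes rather than deploys, which is also what makes them a fast way to switch off a misbehaving or vulnerable feature. The following is an added example, not code from the talk or from Etsy: an in-memory flag store with a deterministic percentage rollout, an allow-list, a kill switch and A/B variant assignment. The class name, the user-id scheme and the helper `exposure` are constructed for the example.

```python
import hashlib


class FeatureFlags:
    """In-memory flag store (constructed for this example).  Each flag carries a
    rollout percentage and an allow-list of user ids that always see it."""

    def __init__(self):
        self._flags = {}

    def set_rollout(self, name, percent, allow_ids=()):
        """Ramp a feature to `percent` of users; 0 turns it off, 100 is fully live."""
        if not 0 <= percent <= 100:
            raise ValueError("rollout percent must be within 0..100")
        self._flags[name] = (percent, frozenset(allow_ids))

    def kill(self, name):
        """Kill switch: disabling a feature is a config change, not a deploy."""
        self.set_rollout(name, 0)

    @staticmethod
    def bucket(name, user_id, size=100):
        """Deterministic bucket in [0, size).  Hashing the flag name together with
        the user id keeps a user's bucket stable across requests and independent
        across flags, so a 10% ramp is the same 10% of users every time."""
        digest = hashlib.sha256(f"{name}:{user_id}".encode()).digest()
        return int.from_bytes(digest[:4], "big") % size

    def is_enabled(self, name, user_id):
        """Unknown flags fail closed; allow-listed users always see the feature."""
        if name not in self._flags:
            return False
        percent, allow = self._flags[name]
        if user_id in allow:
            return True
        return self.bucket(name, user_id) < percent

    def variant(self, name, user_id, variants):
        """A/B assignment: pick one of `variants` for this user, deterministically."""
        return variants[self.bucket(name, user_id, len(variants))]


def exposure(flags, name, n_users):
    """Share of n synthetic users ('user-0' .. 'user-N-1') that see the feature."""
    enabled = sum(flags.is_enabled(name, f"user-{i}") for i in range(n_users))
    return enabled / n_users


if __name__ == "__main__":
    flags = FeatureFlags()
    for step in (1, 5, 25, 50, 100):            # a typical ramp-up schedule
        flags.set_rollout("new_checkout", step)
        print(f"{step:3d}% configured -> {exposure(flags, 'new_checkout', 10000):.1%} observed")
    flags.kill("new_checkout")
    print(f"after kill switch -> {exposure(flags, 'new_checkout', 10000):.1%}")
```

Because the bucket is a hash of flag name and user id rather than a random draw, a user who was ramped in stays in, a user who hits a bug can be reproduced, and rolling a feature back to 0% takes effect on the next request without a build.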
But doesn't the rapid rate of change mean things are less secure?!
Actually, the opposite is true
The key to realize is that vulnerabilities occur in all development methodologies
…But there’s no such thing as an out-of-band patch in continuous deployment
Compared to:
“We’ll rush that security fix. It will go out …in about 6 weeks.”
- Former vendor at Etsy
Polling question: Do you believe that the DevOps process, mainly Continuous Delivery, is a barrier to application security?
What makes continuous deployment safe?
What makes continuous deployment safe?
Visibility
Source: http://www.slideshare.net/mikebrittain/advanced-topics-in-continuous-deployment
The same hard lessons are slowly shifting to security
Ex: Which of these is a quicker way to spot an attack?
[Slide image: a screenshot of raw web-server access log lines, one per request, showing GET requests for static assets (CSS, sprite images, JavaScript) from a "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0) Gecko/20100101 Firefox/10.0" client on 20/Feb/2012 at 22:32, each with status code, referer and user agent. Spotting an attack here means reading every line.]
[Slide image: a dashboard with two time-series charts, "Attacks" and "Anomalies", plotted across the morning from 9AM to 10AM on a 0 to 4 count axis.]
Increase agility by surfacing security visibility for everyone, not just the security team
Having to talk to security to get security awareness causes delays
Delays get routed around
To embrace agility, security has to decentralize
Lessons Learned:
– Embracing DevOps/Agile/Continuous Deployment helps, not harms, security
– Visibility is the key to moving quickly and safely
– You (in the general case) are never going to be able to hire enough staff, so steal everyone else's
More on the SEI DevOps Blog: https://insights.sei.cmu.edu/devops
https://signalsciences.com/resources/
Thank you!
[email protected]@sei.cmu.edu
@zanelackey, @securelifecycle