Devopssecfail

DevOpsSecFAILDevOps Security Anti Patterns

Dr. Constantine Aaron Cois

Carnegie Mellon University

Me

@aaroncois

www.codehenge.net

github.com/cacois

Disclaimer: Though I am an employee of the Software Engineering Institute at Carnegie Mellon University, this work was not funded by the SEI and does not reflect the work or opinions of the SEI or its customers.

DevOps

DevOps

DevOpsSec

DevOps is a

Risk Mitigation strategy,

built on

Situational Awareness,

Automation,and

Repetition

DevOpsSec

But security is where

a lot of DevOpsimplementations

Fall Down

THE EXCEPTIONAnti-pattern

TheException

You automate…

…builds

…functional tests

…deployment

…reporting

TheException

You automate…

…builds

…functional tests

…deployment

…reporting

…the coffee machine

Image: https://lh4.ggpht.com/z_w-yCMvUcrqZd_6eXlt7E24YvSHEak1k5lNvk5GGNYmzMaBQkH1oe3emhZk0scIWg=w300

TheException

But security testing is still

manual pen testing, done only

on release

Automate Security Testing removes…

…Human error

…infrequent execution

…Excuses

There are great projects out there

OWASP ZAPhttps://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project http://gauntlt.org/

GAUNTLTBE MEAN TO YOUR CODE AND LIKE IT

Help improve them!

THE MULTIVERSEAnti-pattern

Image: https://artcritique.files.wordpress.com/2014/01/multiverse-and-schrodingers-cat-in-play.png

Dev

TheMultiverse

StagingDev

Test

Prod

TheMultiverse

Staging

Test

Prod

TheMultiverse

App

StagingDev

Prod

TheMultiverse

App

Dev

Test

Prod

TheMultiverse

App

StagingDev

Test

TheMultiverse

App

StagingDev

Test

Prod

TheMultiverse

StagingDev

Test

Prod

TheMultiverse

StagingDev

Test

Prod

TheMultiverse

StagingDev

Test

Prod

TheMultiverse

StagingDev

Test

Prod

TheMultiverse

StagingDev

Test

TheMultiverse

App

When nothing

looks the sameyou can never be sure your

app will

behave the same

When nothing

looks the sameyou can never be sure your

app security features will

behave the same

THE CONFIGURATORAnti-pattern

TheConfigurator

Manual configuration, done buy your

best and brightest...

Image: http://2vga1o5mew51s6gu7x0mnk7kf.wpengine.netdna-cdn.com/wp-content/uploads/main/2013_06/A-Cat-Snatching-Wires-Out-of-a-Server.jpg

TheConfigurator

…will still lead to an

unmanageable, unpredictable,

and

unrepeatablesolution

Image: http://assorted-images.s3.amazonaws.com/datacenterinfrastructure/messy%20data%20center.png

TheConfigurator

If it’s not

Automatedit’s not

Done

TheConfigurator

If it’s not

Automatedit’s not

Done Secure

THE INFILTRATORAnti-pattern

TheInfiltrator

He sneaks in…

…and alters production

…but he works for you!

http://blog.landesk.com/wp-content/uploads/sites/4/2012/05/ninja.jpg

There is always a reason to make a manual changes

But don’t do it!

Unexpected manual changes are often…

Undocumented,

Unauditable,

Unrepeatable

Unexpected manual changes are often…

Undocumented,

Unauditable,

Unrepeatable

Insecure

Protip

Configure production to alert the entire team when manually

accessed.

Transparency is key

THE SURVIVORAnti-pattern

We’ve all been there…

Intrusions overnight…

…lock it down…

…cascading system failures…

…it’s all crashing…

It feels like…

But it ends

You survive

You’re out of the woods. Just glad its over.

Going to go sleep for 18 hours…

…and then back to normal.

Survivor mentality defeats continuous improvement

When do we analyze what went wrong?

How do we prevent similar failures in the future?

All failures must result in codified change to DevOps process.

This attitude persists…

…when we don’t expect failure.

We should always expect failure.

Be ready for it.

Plan for it

After action rules for failure

Understand exactly what went wrong

Never let the same failure happen twice

Propagate fixes across the enterprise

Ensure that you teach the next generation

THE COLLEGE PARTYAnti-pattern

TheCollegeParty

Software libraries are

your guests, and

everyone’s invited

http://36.media.tumblr.com/2c189abde1066433264d5038df6172b8/tumblr_mlyab4PZvk1qjgvbto2_1280.jpg

TheCollegeParty

99%of Global 2000 companies

will be using open source code in

mission-critical apps by 20161

1 http://www.zdnet.com/article/scan-open-source-use-to-minimize-risks-optimize-benefits/

TheCollegeParty

Do you know what’s in your

app?

Code we wrote

Code someone else wrote

Image: http://acardiac.blogspot.com/

THE SKYDIVERAnti-pattern

http://marvinqeleys.blogspot.com/2011/09/skydiving-sky-surf.html

TheSkydiver

Once you jump, you can’t return to the plane.

You are committed.

Permanently.

This is not how we should model our deployments.

TheSkydiver

Rollback is

essential

Never be left without an escape route to completely working software.

QUESTIONS?Any