DevOpstoDevSecOps:TwoDimensionsofSecurityinaDevOpsEnterprise

SanjeevSharmaCTO,DevOpsTechnicalSalesandAdoptionIBMDistinguishedEngineer@sd_architect

#WhoAmI

• 20+ Years in Software Development and Delivery

• IBM’s Client-facing CTO for DevOps

• Author: DevOps For Dummies -http://ibm.co/devopsfordummies

• Write DevOps and Cloud Adoption Blog: http://bit.ly/sdarchitect

DevOpsOverview

DevOps:Origins

DevOpsapproach:ApplyLeanprinciplesacceleratefeedbackand

improvetimetovalue

5

People

Process

Line-of-business

Customer

1

3

2

1. Get ideas into production fast2. Get people to use it3. Get feedback

Continuously Improve:I. Application DeliveredII. Environment DeployedIII. Application and Environment Delivery Process

DeliveringaBusinessCapability:Multi-SpeedIT

Development SCM Build PackageRepo

Deploy

Development SCM Build PackageRepo

Deploy

Development SCM Build PackageRepo

Deploy

Development SCM Build PackageRepo

Deploy Test Stage Production Application N

Application C

Application B

Application A

EnterpriseRelease

Agile/InnovationEdgeRapidDeliveryforInnovation•Agile•Antifragile •Experimentation•NewandInnovative•HybridCloud•PaaS

IndustrializedCoreDeliveratregularcadence•Waterfall->Agile•Stability•Predictability•LeanDeliverypipeline•CoreandLegacy

HybridInfrastructure– Physical,Cloud•IaaS/PaaS

BusinessCapability

SecurityandtheApplicationDelivery

Pipeline

Three(Two)DimensionsofSecurity

8

1. Secure the Perimeter2. Secure the Delivery Pipeline3. Secure the Deliverable

http://www.ibm.com/developerworks/library/d-security-considerations-devops-adoption/

1. SecurethePerimeter

9OutofScopeforthissession

2. SecuretheDeliveryPipeline

10

SecureEngineering PatchManagementSecureBuildandDeploy

AvailabilityandBusinessContinuitySeparationofDuties

SecurityEvaluationandLearning

Development SCM BuildPackage

Repo Deploy Testing Staging Production FeedbackPlanning Manage

3. SecuretheDeliverable

11

Application

MiddlewareConfig

Middleware

OSConfig

HardwareFull

Stac

k Bl

uepr

int

Policies

Secure:• Code• Scripts• Packages• Components• Configurations• Content• Policies• Roles

Development SCM BuildPackage

Repo Deploy Testing Staging Production FeedbackPlanning Manage

RisksandVulnerabilities- DeliveryPipelineandDeliverables

12

1. Vulnerabilities related to the supply chain2. Insider attacks3. Errors and mistakes in the development project4. Weaknesses in the design, code, and integration5. API Economy and Security

http://www.ibm.com/developerworks/library/d-security-considerations-devops-adoption/

Vulnerabilitiesrelatedtothesupplychain

13

ExternalSupplierA

ExternalSupplierB

InternalSupplierA

InternalSupplierB

Development SCM BuildPackage

Repo Deploy Testing Staging Production FeedbackPlanning Manage

Insiderattacks

14

Errorsandmistakesinthedevelopmentproject

15

1 per min 1 per min

4 per min 1 per min

4 per min 4 per min

• Reduced Batch size• Continuous Validation:

– Continuous Security Testing– Testing small batches in

every Sprint

• Antifragile Systems– Servers are ‘cattle’ not

‘pets’

– MTBF vs MTTR

Weaknessesinthedesign,code,andintegration

16http://www-03.ibm.com/security/secure-engineering/

TheAPIeconomyandsecurity

17https://developer.ibm.com/architecture/gallery/APImanagement

TheAPIeconomyandsecurity:Implementation

18https://developer.ibm.com/architecture/gallery/APImanagement

1. API Key management2. API provider/consumer Identity Management3. API Access control4. API Usage management/throttling5. API Security Incident Monitoring6. API Logging and audit trail

DevOpsReferenceArchitecture

Adoptinga(Secure)DevOpsArchitecture

https://developer.ibm.com/architecture/devOps

SolutionArchitecture:DevOpsMulti-SpeedIT

https://developer.ibm.com/architecture/gallery/devOpsMultiSpeed

StartHere:ValueStreamMapping

for IdentifyingandAddressingbottlenecks

MappingyourDeliveryPipeline

Idea/Feature/Bug Fix/Enhancement

Production

Development Build QA SIT UAT Prod

PMORequirements/

Analyst

Developer

CustomersLine of Business

BuildEngineer

QA Team Integration Tester User/Tester Operations

Artifact Repository

Deployment Engineer

Release Management

Code Repository

Deploy

Get Feedback

Infrastructure as Code/Cloud Patterns

Feedback

Customer or Customer Surrogate

Metrics - Reporting/Dashboarding

Tasks

Artifacts

DevOpsInnovationWorkshop

24

Reviewthecurrentstate1. Businessgoals,ITgoals,current

initiatives2. DevOps3. Requirements4. Environments5. Repositories6. Roles/Organization7. Metrics8. Security

PrioritizechallengestoberesolvedCreateafirstpassatanimprovementroadmap

Thewhiteboard

Questions?

25