Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DevOpsDays Riga: A DevOps State of Mind: Continuous Security with DevSecOps + Containers

DevOpsDays Riga: A DevOps State of Mind: Continuous Security with DevSecOps + Containers

Chris Van Tuin

November 10, 2017
Tweet

More Decks by Chris Van Tuin

Other Decks in Technology

Transcript

  1. A DevOps State of Mind: Continuous Security with DevSecOps +

    Containers Chris Van Tuin Chief Technologist, NA West / Silicon Valley [email protected]
  2. DEV QA OPS Walled off people, walled off processes, walled

    off technologies “THROW IT OVER THE WALL”
  3. Time to Value Months to Years Weeks and Months Days

    and Weeks IT MUST EVOLVE TO STAY AHEAD OF DEMANDS
  4. DEV QA OPS Open organization + 
 cross-functional teams Software

    factory automation Linux + Containers IaaS Orchestration CI/CD Source Control Management Collaboration Build and Artifact Management Testing Frameworks Open Source CI/CD pipelines with feedback Culture Process Technology + + BREAKING DOWN THE WALLS WITH DEVOPS
  5. DEV QA OPS SECURITY IS AN AFTERTHOUGHT | SECURITY |

    “Patch? The servers are behind the firewall.” - Anonymous (far too many to name), 2005 - …
  6. DevSecOps End to End Security + + SECURITY DEV QA

    OPS Linux + Containers IaaS Orchestration CI/CD Source Control Management Collaboration Build and Artifact Management Testing Frameworks Open Source Culture Process Technology
  7. docker.io Registry Private Registry Red Hat Certified FROM fedora:latest CMD

    echo “Hello” Build file Physical, Virtual, Cloud Image Container Build Run Ship CONTAINERS: BUILD, SHIP, RUN
  8. 4 • Are there known vulnerabilities in the application layer?

    • Are the runtime and OS layers up to date? • How frequently will the container be updated and how will I know when it’s updated? CONTENT: EACH LAYER MATTERS CONTAINER OS RUNTIME APPLICATION Are there known vulnerabilities 
 in each application layer? Are the runtime and OS layers 
 up to date? How frequently will the container be updated and how will I know when its updated? IS THE CONTAINER ENVIRONMENT SECURE? Is the image from a trusted source? Can I quickly deploy a security update at scale? Is my multi-tenant host secure?
  9. Container host Network isolation Storage API & Platform access Monitoring

    & Logging Federated clusters Registry {} Builds CI/CD Images SECURING CONTAINERS
  10. RHEL Kernel Hardware (Intel, AMD) or Virtual Machine Containers Containers

    Containers Unit File Docker Image DOCKER CLI SYSTEMD Cgroups Namespaces SELinux Drivers CONTAINERS ARE LINUX
  11. Hardware (Intel, AMD) or Virtual Machine Containers Containers Containers Unit

    File Docker Image KUBERNETES / DOCKER SYSTEMD Cgroups Namespaces SELinux Drivers Best Practices • Don’t run as root • Limit SSH Access • Use namespaces • Define resource quotas • Enable logging • Apply Security Errata • Apply Security Context and seccomp filters http://blog.kubernetes.io/2016/08/security-best-practices-kubernetes-deployment.html seccomp CONTAINER HOST SECURITY
  12. 4 • Are there known vulnerabilities in the application layer?

    • Are the runtime and OS layers up to date? • How frequently will the container be updated and how will I know when it’s updated? CONTENT: EACH LAYER MATTERS CONTAINER OS RUNTIME APPLICATION CONTENT: EACH LAYER MATTERS AYER MATTERS CONTAINER OS RUNTIME APPLICATION JAR CONTAINER
  13. code config data Kubernetes configmaps secrets Container image Traditional 


    data services, Kubernetes 
 persistent volumes TREAT CONTAINERS AS IMMUTABLE
  14. 64% of official images in Docker Hub 
 contain high

    priority security vulnerabilities examples: ShellShock (bash) Heartbleed (OpenSSL) Poodle (OpenSSL) Source: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities, Jayanth Gummaraju, Tarun Desikan, and Yoshio Turner, BanyanOps, May 2015 (http://www.banyanops.com/pdf/BanyanOps-AnalyzingDockerHub-WhitePaper.pdf) WHAT’S INSIDE THE CONTAINER MATTERS
  15. FROM fedora:latest CMD echo “Hello” Build file Build Best Practices

    • Treat as a Blueprint • Don’t login to build/configure • Version control build file • Be explicit with versions, not latest • Each Run creates a new layer BUILDS
  16. AUTOMATED SECURITY SCANNING with OpenSCAP Reports Scan SCAP Security Guide

    for RHEL CCE-27002-5 Set Password Minimum Length Content Scan physical servers, virtual machines, docker images and containers
 for Security Policy Compliance (CCEs) and known Security Vulnerabilities (CVEs)
  17. Standard Docker Host Security Profile Java Runtime Environment (JRE) Upstream

    Firefox STIG RHEL OSP STIG Red Hat Corporate Profile for Certified Cloud Providers (RH CCP) STIG for Red Hat Enterprise Linux 6, 7 Server STIG for Red Hat Virtualization Hypervisor Common Profile for General-Purpose Debian Systems Common Profile for General-Purpose Fedora Systems Common Profile for General-Purpose Ubuntu Systems Payment Card Industry – Data Security Standard (PCI-DSS) v3 U.S. Government Commercial Cloud Services (C2S) CNSSI 1253 Low/Low/Low Control Baseline for Red Hat Enterprise Linux 7 Criminal Justice Information Services (CJIS) Security Policy Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) U.S. Government Configuration Baseline (NIAP OSPP v4.0, USGCB, STIG) Security Policies in SCAP Security Guide (partial)
  18. CONTINUOUS DELIVERY DEPLOYMENT STRATEGIES DEPLOYMENT STRATEGIES • Blue / Green

    deployment • Rolling updates • Canary deployments • A / B testing
  19. Version 1 Version 1 Version 1 Version 1.2 ` Tests

    / CI ROLLING UPDATES with ZERO DOWNTIME
  20. Deploy new version and wait until it’s ready… Version 1

    Version 1 V1.2 Health Check: Readiness 
 Probe e.g. tcp, http, script V1
  21. Container host Network isolation Storage API & Platform access Monitoring

    & Logging Federated clusters Registry {} Builds CI/CD Images SECURING CONTAINERS
  22. Deployment Frequency Lead Time Deployment
 Failure Rate Mean Time to

    Recover 99.999 Service Availability DEVSECOPS METRICS Compliance Score