The Shift to Rugged DevOps
René van Osnabrugge
devNetNoord
September 27, 2018

Transcript

  1. 10/8/2018 THE SHIFT TO RUGGED DEVOPS: SECURITY IN YOUR PIPELINES
    RENÉ VAN OSNABRUGGE @RENEVO
    COMPLIANCY
  2. THE BATTLE WITH CISO
    [Chart: "Security Level - Current", 0-100 plotted month by month over three years; the peaks are labelled "Audit coming up!"]
    THE CLASSIC “SECURITY” MODEL
  3. THE CLASSIC “SECURITY” MODEL
    [Same chart: "Security Level - Current" with "Audit coming up!" peaks]
    ISO 27001, COBIT, SOX, PCI, AUTHORITIES, ETC.
  4. “Health is a state of complete physical, mental and social well-being, and not merely the absence of disease or infirmity.” World Health Organization, 1948
    #RUGGED-1 @RENEVO
    THIS WAS ALL VERY SECURE! Unbreachable walls. Indestructible machines. Watchful security guards.
  5. CREATIVE THINKING. HACKERS DO…
    • NOT PLAY BY THE RULES
    • ALREADY USE CONTINUOUS DELIVERY
    • ARE ALWAYS AHEAD OF YOU
    • USE ALL MEANS POSSIBLE
    • THINK OUT OF THE BOX
  6. “FUNDAMENTALLY, IF SOMEBODY WANTS TO GET IN, THEY'RE GETTING IN… ACCEPT THAT. NUMBER ONE, YOU'RE IN THE FIGHT, WHETHER YOU THOUGHT YOU WERE OR NOT. NUMBER TWO, YOU ALMOST CERTAINLY ARE PENETRATED.” Michael Hayden, former Director of NSA & CIA
    WE NEED TO SHIFT FROM PREVENT TO ASSUME BREACH!
    BETTER, CHEAPER, FASTER
  7. WE NEED TO MOVE FROM MANUAL…
    [Chart: "Security Level - Current" with "Audit coming up!" peaks]
    …TO CODE
    [Chart: "Security Level - Current" against "Desired" over the same three years]
  8. IT STARTS WITH AWARENESS! Make them part of your team!
    SHIFT LEFT SECURITY
    YOU BUILD IT, YOU RUN IT
  9. Make them part of your team! SHIFT LEFT SECURITY
    HOW DO WE DO THAT?
    IDENTIFY / PREVENT / REACT, across BUILD and RUN
  10. SECURE PIPELINES: CODE > STORE > BUILD > DEPLOY > RELEASE
    SECURE AND COMPLIANT ALL THE WAY
    WHAT NEEDS TO BE SECURE?
    • Identity & Access
    • Servers & Containers
    • Firewalls & Network
    • Passwords & Secrets
    • Libraries & Licenses
    • Application Code
    • Build & Delivery Pipelines
  11. CODING PHASE: “In the coding phase, an idea transforms into code”
    CODING PHASE - IDENTIFY
    • Bad coding practices resulting in technical debt
    • Non-deployable code
    • Untested code and therefore unintended consequences
    • Passwords/secrets etc. exposed in code
  12. CODING PHASE - PREVENT
    • Compiling / syntax checking
    • First stage - Static Code Analysis
      • Ruleset selection is key!
      • Greenfield or brownfield?
    • Unit tests
      • Framework selection
      • Training
      • Stubbing, faking and mocking
    • Secure assets
      • Approved templates
      • Secure shared packages
    • Credential and secret scanning
      • Do we really need secrets?
      • Use of key vaults
    #RUGGED-2 @RENEVO
    CREDENTIAL SCANNING DEMO
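The credential-scanning step above is the one most teams can add to a pipeline in an afternoon. The scanner below is an added example written for this page, not the deck's demo and not Microsoft's CredScan: it combines fixed-format rules (AWS key IDs, PEM private-key headers, passwords inside connection strings) with a Shannon-entropy filter on generic `secret = "..."` assignments, and it skips values that are clearly placeholders resolved from pipeline variables or a key vault. The rule patterns, the placeholder list and the sample source text are all constructed for the example.

```python
"""Credential scanner over source text: fixed-format rules plus an entropy
filter for generic assignments. Added illustration; the rules are simplified
assumptions, not any product's ruleset."""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    value_group: int      # capture group holding the secret value (0 = whole match)
    check_entropy: bool   # True for free-form values, False for fixed formats


RULES = [
    # AWS access key IDs have a fixed prefix and length, so no entropy check is needed.
    Rule("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), 0, False),
    Rule("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), 0, False),
    Rule("password_in_connection_string",
         re.compile(r"(?i)(?:password|pwd)\s*=\s*([^;\s'\"]+)"), 1, False),
    # name = "value" where the name says secret/token/api_key/password; entropy decides.
    Rule("generic_secret_assignment",
         re.compile(r"(?i)\b(?:secret|token|api[_-]?key|password)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
         1, True),
]

# Values that are references to a secret, not the secret itself (pipeline variables, key vault refs).
PLACEHOLDER = re.compile(r"^(?:\$\{.*\}|\$\(.*\)|<.*>|\{\{.*\}\}|changeme|password|example|x{3,}|\*+)$", re.I)


def shannon_entropy(value: str) -> float:
    """Bits per character: random-looking secrets score high, 'aaaaaaaa' scores 0."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan(source: str, entropy_threshold: float = 3.0) -> list[dict]:
    """Return one finding per matched secret, with the value redacted."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule in RULES:
            for match in rule.pattern.finditer(line):
                value = match.group(rule.value_group)
                if PLACEHOLDER.match(value):
                    continue                     # a reference to a secret, not a secret
                entropy = shannon_entropy(value)
                if rule.check_entropy and entropy < entropy_threshold:
                    continue                     # low-entropy literal, most likely a test stub
                findings.append({
                    "line": lineno,
                    "rule": rule.name,
                    "entropy": round(entropy, 2),
                    "redacted": (value[:4] + "...") if len(value) > 4 else "...",
                })
    return findings


# Constructed sample input, not taken from any real repository.
SAMPLE_SOURCE = """\
connection_string = "Server=db.example.internal;Database=app;User Id=app;Password=Hunter2Hunter2!;"
AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"
api_key = "${API_KEY}"
token = "changeme"
password = "aaaaaaaaaaaa"
SECRET = 'q7Zp2vX9mL4kR8tN1wB6'
key_pem = "-----BEGIN RSA PRIVATE KEY-----"
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_SOURCE)
    for f in hits:
        print(f"line {f['line']}: {f['rule']} ({f['redacted']}, entropy {f['entropy']})")
    raise SystemExit(1 if hits else 0)   # non-zero exit fails the CI job
```

Lines 3, 4 and 5 of the sample are deliberately not reported: the first two are placeholders and the third has zero entropy. That filtering is what keeps a scanner like this from being switched off for noise, but it is also why the deck's "do we really need secrets?" question comes first: a scanner only catches the secrets that look like secrets.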
  13. STORING PHASE: “In the storing phase you make ‘your’ code ‘our’ code and ensure it is safe”
    STORING PHASE - IDENTIFY
    • Everything from the coding phase!
    • Unknown committers to the Git repository
    • Suspicious code is committed to the code repository
    • Code is deployed without the 4-eyes principle
    • Code contains secrets/passwords etc.
  14. STORING PHASE - PREVENT
    • Protect the Git repo to ensure the “pusher” is known
    • Use pull requests and protect the master branch
    • Run continuous integration builds
    • Enforce 4-eyes on every code change
    • Enforce CI checks on every code change
      • Static Code Analysis
      • CredScan
      • Compiling / syntax checking
      • Unit tests
    BUILD PHASE: “In the build phase we transform the product from code and script into an immutable and versioned package”
  15. BUILD PHASE - IDENTIFY
    • Package can be unintentionally modified
    • Code can contain vulnerabilities / technical debt
    • Code can contain secrets
    • Code is untested/unstable
    • Unauthorized modification of the build process
    • Code can use insecure libraries
    • Code can use unlicensed / wrongly licensed libraries
    REMEMBER HEARTBLEED?
  16. AND THEN THERE IS LICENSING
    [Diagram: licence scale from Permissive to Restrictive; COPYLEFT licences GPL, LGPL and AGPL at the restrictive end]
    BUILD PHASE - PREVENT
    • Build activities from the storing phase
    • Second stage - Static Code Analysis
    • Vulnerability and dependency scanning
    • License scanning
    • Securely storing the build artifact
    • Protecting the build history
    #RUGGED-3 @RENEVO
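Vulnerability scanning and license scanning of the build's dependencies are two checks over the same input, the pinned dependency list. The following is an added example for this page, not the deck's dependency-management demo and not the output of any real scanner: it audits a constructed requirements-style lockfile against a constructed advisory list (the advisory ids are made up) and against a license policy that mirrors the permissive-to-restrictive scale from the slide. The policy allowing permissive and weak-copyleft licenses for a proprietary product is an assumption; unknown license metadata is treated as a finding so that the check fails closed.

```python
"""Dependency audit for the build phase: vulnerability ranges and license
policy over a pinned lockfile. Added illustration with constructed data."""
from __future__ import annotations

import re

# Constructed advisory feed: package -> [(vulnerable version range, advisory id)].
# The ids are invented for this example; a real pipeline pulls these from an advisory database.
ADVISORIES = {
    "examplelib": [("<1.4.2", "EXAMPLE-2018-0001")],
    "jsonthing": [(">=2.0.0,<2.3.1", "EXAMPLE-2018-0002")],
}

# Declared licenses of the constructed packages (normally read from package metadata).
DECLARED_LICENSES = {
    "examplelib": "MIT", "jsonthing": "GPL-3.0", "fastparse": "Apache-2.0", "widgetkit": "LGPL-2.1",
}

# License categories along the deck's permissive-to-restrictive axis, and the
# categories this (assumed) policy allows for a proprietary product.
LICENSE_CATEGORY = {
    "MIT": "permissive", "Apache-2.0": "permissive", "BSD-3-Clause": "permissive",
    "LGPL-2.1": "weak-copyleft", "GPL-3.0": "copyleft", "AGPL-3.0": "copyleft",
}
ALLOWED_CATEGORIES = {"permissive", "weak-copyleft"}

_CLAUSE = re.compile(r"(<=|>=|==|<|>)\s*(\d+(?:\.\d+){0,2})")


def parse_version(text: str) -> tuple[int, ...]:
    """'1.4' -> (1, 4, 0) so that missing components compare as zero."""
    parts = [int(p) for p in text.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def version_in_range(version: str, range_spec: str) -> bool:
    """All comma-separated clauses must hold, e.g. '>=2.0.0,<2.3.1'."""
    v = parse_version(version)
    for clause in range_spec.split(","):
        m = _CLAUSE.fullmatch(clause.strip())
        if m is None:
            raise ValueError(f"bad range clause {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        holds = {"<": v < bound, "<=": v <= bound, ">": v > bound,
                 ">=": v >= bound, "==": v == bound}[op]
        if not holds:
            return False
    return True


def parse_lockfile(text: str) -> list[tuple[str, str]]:
    """Pinned 'name==version' lines; comments and blank lines are ignored."""
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==")
        pins.append((name.strip().lower(), version.strip()))
    return pins


def audit(lockfile_text: str) -> list[dict]:
    """One finding per matching advisory and per disallowed or missing license."""
    findings = []
    for name, version in parse_lockfile(lockfile_text):
        for vulnerable_range, advisory in ADVISORIES.get(name, []):
            if version_in_range(version, vulnerable_range):
                findings.append({"package": name, "version": version, "kind": "vulnerability",
                                 "detail": f"{advisory} affects {vulnerable_range}"})
        license_id = DECLARED_LICENSES.get(name)
        category = LICENSE_CATEGORY.get(license_id)      # None when metadata is missing
        if category not in ALLOWED_CATEGORIES:
            findings.append({"package": name, "version": version, "kind": "license",
                             "detail": f"{license_id or 'no license metadata'} is not allowed"})
    return findings


def build_may_proceed(findings: list[dict]) -> bool:
    """Fail closed: any vulnerability or license finding blocks the artifact."""
    return not findings


# Constructed lockfile for the example.
SAMPLE_LOCKFILE = """\
examplelib==1.3.9
jsonthing==2.2.0
fastparse==0.9.1
widgetkit==3.1.0
oddpkg==0.1.0      # no license metadata available anywhere
"""

if __name__ == "__main__":
    results = audit(SAMPLE_LOCKFILE)
    for f in results:
        print(f"{f['kind']:13} {f['package']}=={f['version']}: {f['detail']}")
    raise SystemExit(0 if build_may_proceed(results) else 1)
```

Two details matter in practice. Version ranges are compared component-wise, not as strings, so `1.10.0` correctly sorts after `1.9.0`; and a package with no license metadata is reported rather than silently passed, because "unknown" is exactly the case a license audit exists to surface.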
  17. DEPENDENCY MANAGEMENT DEMO
    DEPLOY / RELEASE PHASE: “THIS IS THE PHASE WHERE THE ARTIFACTS MOVE FROM YOUR ‘PROTECTED’ ENVIRONMENT INTO THE OPEN”
  18. DEPLOY / RELEASE PHASE - IDENTIFY
    • Unauthorized change in the release steps
    • Target environment accessible by multiple processes
    • Deployed application has obvious vulnerabilities
    • Deployed application has unexpected consequences on availability etc.
    • Secrets are exposed during the deployment process
    DEPLOY / RELEASE PHASE - PREVENT
    • Run dynamic security tests on the infrastructure
    • Run tests that require a deployed application
    • Monitor key metrics after deployment
    • Set up secure endpoints to the target environment
    • Secret management in the pipeline
    • Build in a mechanism to separate functional from technical release
    • Enforce the 4-eyes principle on the release pipeline
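"Monitor key metrics after deployment" only becomes a control when the pipeline acts on the metrics, i.e. when a release gate holds the rollout until the numbers have been healthy for long enough and fails it if they never are. The evaluator below is an added example for this page, modelled on the sampling / minimum-stable-duration / timeout idea behind pipeline release gates; it is not the deck's release-gates demo and not any vendor's implementation. The thresholds and the two metric series are constructed, and the important property is that any unhealthy sample resets the stable window, so a spike right after rollout delays approval instead of being averaged away.

```python
"""Post-deployment release gate: approve once the key metrics have stayed
within bounds for a minimum continuous window, reject on timeout.
Added illustration with constructed thresholds and sample series."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t: int              # seconds since the deployment finished
    error_rate: float   # fraction of requests that failed in this sampling interval
    p95_ms: float       # 95th-percentile latency in the interval


@dataclass(frozen=True)
class GatePolicy:
    max_error_rate: float = 0.01
    max_p95_ms: float = 500.0
    min_stable_seconds: int = 300   # metrics must stay healthy this long without interruption
    timeout_seconds: int = 1800     # give up and fail the release after this


def sample_healthy(s: Sample, policy: GatePolicy) -> bool:
    return s.error_rate <= policy.max_error_rate and s.p95_ms <= policy.max_p95_ms


def evaluate_gate(samples: list[Sample], policy: GatePolicy) -> tuple[str, int, str]:
    """Return (decision, time of decision in seconds, reason)."""
    stable_since = None     # start of the current uninterrupted healthy window
    last_t = 0
    for s in sorted(samples, key=lambda x: x.t):
        last_t = s.t
        if s.t > policy.timeout_seconds:
            return "rejected", s.t, "timeout"
        if not sample_healthy(s, policy):
            stable_since = None          # one bad sample restarts the clock
            continue
        if stable_since is None:
            stable_since = s.t
        if s.t - stable_since >= policy.min_stable_seconds:
            return "approved", s.t, f"healthy since t={stable_since}s"
    return "rejected", last_t, "samples ended before a stable window was reached"


# Constructed series, one sample per minute.
# Rollout causes a short error/latency spike at t=60 s, then the service recovers.
RECOVERING_DEPLOY = [
    Sample(0, 0.000, 200), Sample(60, 0.050, 900), Sample(120, 0.002, 300),
    Sample(180, 0.001, 280), Sample(240, 0.000, 250), Sample(300, 0.000, 240),
    Sample(360, 0.000, 230), Sample(420, 0.000, 230),
]
# Errors come and go every four minutes, so no five-minute window is ever clean.
FLAPPING_DEPLOY = [
    Sample(t, 0.000 if (t // 240) % 2 == 0 else 0.030, 250) for t in range(0, 1861, 60)
]

if __name__ == "__main__":
    for label, series in (("recovering", RECOVERING_DEPLOY), ("flapping", FLAPPING_DEPLOY)):
        decision, at, reason = evaluate_gate(series, GatePolicy())
        print(f"{label}: {decision} at t={at}s ({reason})")
```

With the default policy the recovering deployment is approved at t=420 s, five minutes after the last unhealthy sample rather than five minutes after rollout, and the flapping one is rejected when the 30-minute timeout passes. Pair this with the "separate functional from technical release" point: a gate that rejects should be able to roll back or disable the feature without a second human-driven pipeline run.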
  19. RELEASE GATES DEMO
    ASSUME BREACH / RUN
    IDENTIFY / PREVENT / REACT
    PREVENT BREACH vs. ASSUME BREACH
  20. Monitor > Detect > Fix Bleeding > Scan & Fix Locally > Embed in Pipeline > Set New Baseline > Continuous Assurance
    DEMO: DETECT AND MONITOR
  21. RED TEAM vs. BLUE TEAM
    Red Team
    • Model real-world attacks
    • Identify gaps in the security story
    • Demonstrable impact
    Blue Team
    • Exercises ability to detect & respond
    • Enhances situational awareness
    • Measures readiness & impact
    AND COMPLIANCY?
  22. René van Osnabrugge, Xpirit Netherlands, @renevo, [email protected], https://roadtoalm.com
    Attributions
    Pictures: https://unsplash.com / https://www.flickr.com/photos/wocintechchat
    Gifs: https://giphy.com
    Music: https://open.spotify.com/user/rvanosnabrugge/playlist/0BWgsNPM5iwgk8ZGlMHeoY?si=l9-tV8FTR8S1J7AbKBz-KA
    Video: https://www.youtube.com/watch?v=47u3n1kX0wE
    Thanks: Geert, Marcel, Alex, Jasper, Xpirit