
Security in world of DevOps

ProdOps
November 19, 2015


Transcript

  1. “Attackers are already using their own form of continuous delivery to overwhelm the good guys. The reason security teams can’t keep up is because the bad guys have already figured out how to use automation and cloud-style technologies to scale up their attacks.” - Tim Prendergast, CEO of Evident.io
  2. Just as dev and ops have had to bridge some serious cultural gulfs to start collaborating better, security needs to meet the developers and operations teams halfway.
  3. Chef Audit mode

     control_group 'Blog Post Examples' do
       control 'SSH' do
         it 'should be listening on port 22' do
           expect(port(22)).to be_listening
         end
         it 'disables root logins over ssh' do
           expect(file('/etc/ssh/sshd_config').content).to contain('PermitRootLogin no')
         end
       end
     end
  4. Chef Audit mode (output of the audit phase)

     Starting audit phase
     Blog Post Examples
       SSH
         should be listening on port 22
         disables root logins over ssh (FAILED - 1)

     Failures:

       1) Blog Post Examples SSH disables root logins over ssh
          Failure/Error: expect(file('/etc/ssh/sshd_config').content).to contain('PermitRootLogin no')
            expected File "/etc/ssh/sshd_config" to contain "PermitRootLogin no"
          # /tmp/kitchen/cache/cookbooks/audit-test/recipes/default.rb:8:in `block (3 levels) in from_file'

     Finished in 0.13067 seconds (files took 0.32089 seconds to load)
     2 examples, 1 failure

     Failed examples:

     rspec # Blog Post Examples SSH disables root logins over ssh

     [2015-04-04T03:29:41+00:00] ERROR: Audit phase failed with error message: Audit phase found failures - 1/2 controls failed
     Audit phase exception: Audit phase found failures - 1/2 controls failed
  5. The Center for Internet Security (CIS) presents the CIS Controls for Effective Cyber Defense Version 6.0, a recommended set of actions that provide specific and actionable ways to stop today's most pervasive and dangerous cyber attacks. July 01, 2015. www.cisecurity.org/critical-controls/
  6. Chef PCI-DSS / CIS audit cookbook
     www.chef.io/blog/2015/05/11/towards-compliance-as-code-a-real-world-example/

     control_group '1 Install Updates, Patches and Additional Security Software' do
       control '1.2 Configure Software Updates' do
         it '1.2.2 Verify that gpgcheck is Globally Activated' do
           expect(file('/etc/yum.conf').content).to match(/^gpgcheck=1/)
         end
       end
     end
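Both controls above grep for a literal line, which is brittle in ways an auditor should care about. contain('PermitRootLogin no') also passes on a stock sshd_config where that line is present but commented out, and sshd honours the first occurrence of a keyword, so a second "PermitRootLogin no" after an earlier "PermitRootLogin yes" changes nothing. Likewise /^gpgcheck=1/ rejects the equally valid "gpgcheck = 1". The plain-Ruby audit below is an added example, not code from the deck, from Chef or from the audit cookbook; it evaluates the effective setting instead. The helper names (sshd_directive, ini_value, run_audit, audit_summary), the control names and the sample file contents are constructed for this example.

```ruby
# Added example, not code from the deck or from Chef: a standalone Ruby
# audit that evaluates the *effective* setting instead of grepping for a
# literal line. Helper names, control names and the sample configs are
# constructed for this example.

# Effective value of a directive in the global section of sshd_config.
# sshd ignores comment lines, uses the FIRST occurrence of a keyword, and
# accepts "Key value" as well as "Key=value". Directives after a Match line
# are conditional overrides, so we stop there and leave them for a separate
# check. nil means the compiled-in default applies (for PermitRootLogin that
# was "yes" before OpenSSH 7.0), so callers must treat nil as a failure.
def sshd_directive(content, name)
  content.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split(/\s*=\s*|\s+/, 2)
    break if key.casecmp?("Match")
    return value.to_s.strip if key.casecmp?(name)
  end
  nil
end

# Value of key in an INI-style section (yum.conf): tolerates "k = v",
# ignores '#' and ';' comments, and does not leak values across sections.
def ini_value(content, section, key)
  current = nil
  content.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#", ";")
    if (m = line.match(/\A\[(.+)\]\z/))
      current = m[1]
      next
    end
    next unless current == section
    k, v = line.split(/\s*=\s*/, 2)
    return v.to_s.strip if k && k.casecmp?(key)
  end
  nil
end

# Controls mirroring the two slides. `files` maps path => content so the
# checks run offline; a missing file reads as empty, which fails closed.
CONTROLS = {
  "SSH disables root logins over ssh" => lambda { |files|
    sshd_directive(files.fetch("/etc/ssh/sshd_config", ""), "PermitRootLogin") == "no"
  },
  "1.2.2 Verify that gpgcheck is Globally Activated" => lambda { |files|
    ini_value(files.fetch("/etc/yum.conf", ""), "main", "gpgcheck") == "1"
  },
}.freeze

def run_audit(files)
  CONTROLS.map { |name, check| [name, check.call(files)] }.to_h
end

# Same one-line verdict the Chef audit phase prints.
def audit_summary(results)
  "#{results.values.count(false)}/#{results.size} controls failed"
end

# Constructed sample inputs (not captured from a real host).
SSHD_CONFIG_COMMENTED = <<~CFG   # naive grep passes, but the sshd default applies
  # Authentication:
  #PermitRootLogin no
  PasswordAuthentication yes
CFG

SSHD_CONFIG_FIRST_WINS = <<~CFG  # naive grep passes, but root login is allowed
  PermitRootLogin yes
  PermitRootLogin no
CFG

SSHD_CONFIG_GOOD = <<~CFG        # "=" form, plus a Match block we do not count
  Port 22
  PermitRootLogin = no
  Match User deploy
      PermitRootLogin yes
CFG

YUM_CONF_SPACED = <<~CFG         # /^gpgcheck=1/ fails here, yum accepts it
  [main]
  cachedir=/var/cache/yum
  gpgcheck = 1
  [other]
  gpgcheck=0
CFG

if $PROGRAM_NAME == __FILE__
  results = run_audit("/etc/ssh/sshd_config" => SSHD_CONFIG_COMMENTED,
                      "/etc/yum.conf" => YUM_CONF_SPACED)
  results.each { |name, ok| puts "#{ok ? 'PASS' : 'FAIL'}  #{name}" }
  puts audit_summary(results)
end
```

Run it with `ruby audit_check.rb`; against the constructed inputs it reports the SSH control as failed and the gpgcheck control as passed, i.e. "1/2 controls failed", where the literal-string checks on the slides would have reported the opposite. In a real audit-mode recipe the two helpers would sit inside the expect(...) calls; two caveats remain that neither they nor the slides cover: Match blocks in sshd_config override the global value for matching connections, and per-repository gpgcheck= lines in /etc/yum.repos.d/*.repo override the [main] setting, so each needs its own control.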
  7. We invite you to join the Operations Israel Facebook group at on.fb.me/Ops-IL. We are hiring at [email protected]. Thank you! www.devops.co.il
  8. References
     - http://devseccon.com
     - http://threatspec.org
     - http://www.slideshare.net/shannonlietz/devseccon-keynote-london-2015
     - https://securosis.com/blog/building-security-into-devops-security-integration-points
     - http://sysadvent.blogspot.co.il/2014/12/day-24-12-days-of-secdevops.html
     - http://devops.com/wp-content/uploads/2015/04/DevOps_RuggedBook_Web.pdf
     - http://www8.hp.com/h30458/us/en/discover-performance/c/dp-weekly/devops/rugged-devops--sounds-like-it-s-excuse-for-an-old-spice-commercial.html
     - http://theagileadmin.com/2015/06/09/pragmatic-security-and-rugged-devops/
     - http://gauntlt.org
     - http://www.slideshare.net/realgenekim/security-is-dead-long-live-rugged-devops-it-at-ludicrous-speed
     - http://www.csoonline.com/article/2131107/security-leadership/rugged-devops--in-search-of-the-defensible-infrastructure.html
     - https://www.tenable.com/blog/containers-virtualization-and-rugged-devops