Traditional security techniques don't work well in the high-cycle times of Agile teams practicing DevOps methodologies. Here we explore ways in which application security can be built into modern development processes.
in Cloud Computing 3! 172,000+ CUSTOMERS 4,000+ RACKERS 9 GLOBAL DATA CENTERS 120 + COUNTRIES 2008, 2010, 2011 & 2012 LEADER IN GARTNER'S MAGIC QUADRANT FOR MANAGED HOSTING 40% FORTUNE® 100 OF THE WE SERVE RAX
Adds Automation and Control Creates Pools of Resources Automates The Network USERS ADMINS CLOUD OPERATING SYSTEM Connects to apps via APIs Self-service Portals for users Stage II Cloud Data Center Stage III Cloud Federation Stage I Server Virtualization
LOCATIONS! 8! DEDICATED! PUBLIC CLOUD! PRIVATE CLOUD! PRIVATE CLOUD! PUBLIC CLOUD! Rackspace Provides! The Fanatical Support! • One Control Panel across OpenStack connected clouds! • One Fanatical Support Team! • Our Cloud, Your Cloud, Partner Hosted OpenStack Cloud! • Global Reach! THE FUTURE: FANATICAL SUPPORT ANYWHERE 8
is getting shorter! • Continuous delivery is a goal! • Scanning windows are not viable! ! THE PROBLEM 10 "DevOps" is an emerging set of principles, methods and practices for communication, collaboration and integration between software development (application/software engineering) and IT operations (systems administration/ infrastructure) professionals.
• Tagging your servers applies the required set of recipes! • A base set of recipes is common! • Each server will have multiple tags set at bootstrap time! Node! Node! Node! Node! DB! Node! Node! Node! Node! Cache! Node! Node! Node! Node! Web! Apache! Monitoring! MySql! Memcache!
single machines! • A multi-box conﬁguration is based on copying existing conﬁgurations! • No support for implicit application or environment conﬁguration! • Applications include more than just servers! • Images have security issues! Web! Web! Web! Cloud Load Balancer! Memcached! Database as a Service! Web! Cloud Files! CDN!
Queue Architect Contractor Inspector Checkmate Web Message Queue Compute Storage Load Balancer Database Hadoop Caching • Components communicate through a common queue! • Each provisioning component is independent!
plan and builds it! • Task Decomposition! - Uses standard workﬂow patterns! • Orchestration / Ordering! • Status Reporting! • Farms out tasks to sub- contractors! Our current implementation uses an open source Python workﬂow engine, SpiffWorkﬂow.!
plan & contractor’s output! • Focuses on checking for code compliance! - Not perfection, bare minimums! • Can include multiple facets! - Security! - Scalability! - Compliance! Our current implementation includes WP Scan for WordPress and the Nikto vulnerability scanner.!
Apache/2.2.12 (Ubuntu) + No CGI Directories found (use '-‐C all' to force check all possible dirs) + Apache/2.2.12 appears to be outdated (current is at least Apache/ 2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current. + ETag header found on server, inode: 12534048, size: 317, mtime: 0x4b9436dbea280 + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS + OSVDB-‐3268: /icons/: Directory indexing found. + OSVDB-‐3233: /icons/README: Apache default file found. + 6448 items checked: 0 error(s) and 5 item(s) reported
WordPress "http://-‐-‐-‐.com/readme.html" file exists. [!] WordPress version 3.1 identified from meta generator. [+] Enumerating installed plugins...Checking for 2394 total plugins [+] We found 2 plugins: Name: disqus-‐comment-‐systemLocation: Name: wordpress-‐popular-‐postsLocation: [+] There were 1 vulnerabilities identified from the plugin names: [!] ["WordPress Plugin Disqus Comment System <= 2.68 Reflected Cross-‐Site Scripting (XSS)"]*