Bringing Your Own Dependencies

Transcript

1. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath BYOD:


   Bringing Your Own Dependencies Trends in software development and what it means for security Nick Galbreath - Founder/CTO Signal Sciences

2. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath It's

   online! http://bit.ly/1E3mK7l one el

3. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath https://www.illumio.com/blog/rsa-bingo

   Attention: this talk does not count toward RSA bingo no

4. BYOD
 Bringing Your Own Dependencies The trend of systems development

   where development is primarily responsible for application dependencies in production.

5. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath Evolution?

   The general trend away from top-down control and toward distributed and point to point solutions is also true for software deployment

6. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath OS-Based

   Dependencies • "operating system" provided by "operations" • packaging and release engineering provider by OS vendors • "yum install your-package" • Requires operations to update

7. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath Lots

   of problems here • Limited selection • Generally "out of date" • Security fixes only • Do not normally include stability fixes.

8. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath Custom

   OS Packaging • Reimplementations or updated versions of OS packages. • Again updates and additions added by operations

9. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath BYOD

   Partial

10. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath Javascript

    • The original BYOD since ops can't package it (normally) • Partial since clearly does not bundle in the browser

11. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath Java

    .war/.jar files • Packages up all java dependencies but doesn't package up the Java runtime. • (not really a java expert any more, so I defer to you)

12. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath Chef

    (Product) • Provides full install of Ruby (including the executable) • Near impossible to get a client's ruby install to be "correct" • Chef (the company) is responsible for security for its components

13. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath BYOD

    Full

14. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath Full

    VM • Mostly done by product vendors, and not (normally?) done by internal enterprise deployments • And of course cloud providers, provide a blank slate (but thats a different story).

15. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath Docker

    • Dockerfile creates a container that provides all system requirements • Anything goes

16. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath Go

    lang • Golang produces a single static binary that provides all code requirements • Dependencies are manually managed by developers • Third party code frequently un-versioned • By default directly pulls from HEAD on github for other modules • No shared libraries

17. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath This

    is a good trend for operations and development

18. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath •

    Ops should not care about what version of some python module is installed. They can focus on operations and operating systems • Turns operations into platform and in-house consultancy (ideally) • Devs starts taking responsibility for how their code is packaged and run. • Clear separation of duties (or perhaps responsibilities) Love it

19. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath But

    what about security?

20. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath The

    Old OS Model • Kinda nice! • "are we secure in our components?" is mostly a
 "apt-get/yum upgrade" invocation. • Actual work is outsourced (and centralized) to the OS Vendor, or the ops team

21. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath BYOD

    Model • Uhhh, now what • Docker containers and golang binaries are opaque • By inspection not clear what components are used, nor what versions. • Are they outdated? Insecure? Obsoleted?

22. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath Evolution

    of Security • Security will need to get involved with
 release engineering • What does this mean?

23. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath Absolutely

    • Security has to get involved with how software is made and deployed. • Demand fast, reliable deployment pipeline mechanism • (how fast and how often you deploy is your policy) • If anything, you need to be able to patch quickly

24. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath Maybe?

    • Automation? Checking latest version of components. • What does "latest version" even mean? • Building manifests and bill of materials? And Displaying Them? • Alerting on manifest changes • ??? this is a work in process ???

25. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath Tooling

    Can Help • Sonatype • Black Duck • I have no first hand experience with any of them • I assume not all use cases here are covered as it really depends how software is built, packaged and deployed.

26. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath What


    New Processes
 are Required? By Whom?

27. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath What

    are you doing here? Let me know at: [email protected] http://bit.ly/1E3mK7l