Bringing Your Own Dependencies

Trends in software development and what it means for security.

Nick Galbreath

April 20, 2015

Transcript

  1. RSA USA 2015 - DevOps Connect @ngalbreath Nick Galbreath
     BYOD: Bringing Your Own Dependencies
     Trends in software development and what it means for security
     Nick Galbreath - Founder/CTO Signal Sciences
  2. BYOD: Bringing Your Own Dependencies
     The trend of systems development where development is primarily responsible for application dependencies in production.
  3. Evolution?
     The general trend away from top-down control and toward distributed and point-to-point solutions is also true for software deployment.
  4. OS-Based Dependencies
     • "operating system" provided by "operations"
     • packaging and release engineering provided by OS vendors
     • "yum install your-package"
     • Requires operations to update
  5. Lots of problems here
     • Limited selection
     • Generally "out of date"
     • Security fixes only
     • Do not normally include stability fixes.
  6. Custom OS Packaging
     • Reimplementations or updated versions of OS packages.
     • Again, updates and additions added by operations
  7. JavaScript
     • The original BYOD, since ops can't package it (normally)
     • Partial, since it clearly does not bundle in the browser
  8. Java .war/.jar files
     • Packages up all Java dependencies but doesn't package up the Java runtime.
     • (not really a Java expert any more, so I defer to you)
  9. Chef (Product)
     • Provides a full install of Ruby (including the executable)
     • Near impossible to get a client's Ruby install to be "correct"
     • Chef (the company) is responsible for security for its components
  10. Full VM
     • Mostly done by product vendors, and not (normally?) done by internal enterprise deployments
     • And of course cloud providers provide a blank slate (but that's a different story).
  11. Docker
     • Dockerfile creates a container that provides all system requirements
     • Anything goes
  12. Go lang
     • Golang produces a single static binary that provides all code requirements
     • Dependencies are manually managed by developers
     • Third-party code frequently un-versioned
     • By default directly pulls from HEAD on GitHub for other modules
     • No shared libraries
  13. This is a good trend for operations and development
  14. • Ops should not care about what version of some Python module is installed. They can focus on operations and operating systems
     • Turns operations into platform and in-house consultancy (ideally)
     • Devs start taking responsibility for how their code is packaged and run.
     • Clear separation of duties (or perhaps responsibilities)
     Love it
  15. The Old OS Model
     • Kinda nice!
     • "are we secure in our components?" is mostly an "apt-get/yum upgrade" invocation.
     • Actual work is outsourced (and centralized) to the OS vendor, or the ops team
  16. BYOD Model
     • Uhhh, now what
     • Docker containers and golang binaries are opaque
     • By inspection it is not clear what components are used, nor what versions.
     • Are they outdated? Insecure? Obsoleted?
  17. Evolution of Security
     • Security will need to get involved with release engineering
     • What does this mean?
  18. Absolutely
     • Security has to get involved with how software is made and deployed.
     • Demand a fast, reliable deployment pipeline mechanism
     • (how fast and how often you deploy is your policy)
     • If anything, you need to be able to patch quickly
  19. Maybe?
     • Automation? Checking latest version of components.
     • What does "latest version" even mean?
     • Building manifests and bill of materials? And displaying them?
     • Alerting on manifest changes
     • ??? this is a work in process ???
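One concrete form of the "build a manifest, alert on changes" idea from slide 19, as an added example that is not from the deck: it parses pinned requirements-style dependency lists (constructed samples, not from any real release) into a manifest, hashes it so any change is detectable, and reports exactly which components were added, removed or re-versioned between two builds.

```python
import hashlib
from typing import Dict

# Constructed sample inputs: pinned "requirements.txt"-style lists recorded
# by a build pipeline for two consecutive releases.
BASELINE_REQUIREMENTS = """\
requests==2.6.0   # release 1.4.0 (constructed)
urllib3==1.10.2
six==1.9.0
"""
CURRENT_REQUIREMENTS = """\
requests==2.6.2   # release 1.5.0 (constructed)
urllib3==1.10.2
pyyaml==3.11
"""

def parse_manifest(text: str) -> Dict[str, str]:
    """Pinned requirements -> {package: version}. Only exact pins are accepted:
    an unpinned line is the 'which version is this?' ambiguity the deck
    describes, so it is an error rather than a guess."""
    manifest: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments / blank lines
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned requirement: {line!r}")
        name, version = (p.strip() for p in line.split("==", 1))
        manifest[name.lower()] = version     # pip compares names case-insensitively
    return manifest

def manifest_digest(manifest: Dict[str, str]) -> str:
    """Stable SHA-256 over the sorted manifest; any component change alters it."""
    canonical = "\n".join(f"{n}=={v}" for n, v in sorted(manifest.items()))
    return hashlib.sha256(canonical.encode()).hexdigest()

def diff_manifests(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, dict]:
    """Added, removed and version-changed components between two manifests."""
    return {
        "added": {n: new[n] for n in new.keys() - old.keys()},
        "removed": {n: old[n] for n in old.keys() - new.keys()},
        "changed": {n: (old[n], new[n]) for n in old.keys() & new.keys()
                    if old[n] != new[n]},
    }

if __name__ == "__main__":
    old, new = parse_manifest(BASELINE_REQUIREMENTS), parse_manifest(CURRENT_REQUIREMENTS)
    if manifest_digest(old) != manifest_digest(new):  # alert on any manifest change
        print("ALERT: dependency manifest changed:", diff_manifests(old, new))
```

Storing the digest per build and comparing it in the pipeline turns "alerting on manifest changes" into a single string comparison, with the diff available for the human who has to decide whether the change was intended.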
  20. Tooling Can Help
     • Sonatype
     • Black Duck
     • I have no first-hand experience with any of them
     • I assume not all use cases here are covered, as it really depends how software is built, packaged and deployed.
  21. What are you doing here? Let me know at: [email protected] http://bit.ly/1E3mK7l