
BYOD DevOpsDays 2015


Nick Galbreath

May 05, 2015

Transcript

  1. @ngalbreath Nick Galbreath * DevOpsDays 2015 * Austin Texas
     BYOD: Bringing Your Own Dependencies
     Decentralized software development and what it means for security
     Nick Galbreath - Founder/CTO Signal Sciences
  2. It's online! http://bit.ly/1Plr5o9 (one el) #devopsdays
  3. OS Distribution / AMI / Packages
     SUSE Linux Enterprise Server 12   ami-b95b4ffc   724
     Ubuntu 14.10 Utopic               ami-b7515af2   461
     Ubuntu 14.04 LTS Precise          ami-076e6542   450
     Ubuntu 12.04 LTS Trusty           ami-b7515af2   396
     Amazon Linux AMI 2014.09.1        ami-4b6f650e   361
     Red Hat Enterprise Linux 7.0      ami-33cdd876   347
     Debian 8.0 (experimental)         ami-17899452   271
     CentOS 7                          ami-33c1ca76   246
     Fedora-Cloud-Base-20141203-21     ami-970310d2   226
     Debian 7.7                        ami-b12e39f4   194
  4. What is the provenance of any single component?
  5. Side Note #1
     • Lawyers are already mental on FOSS software licenses.
     • They (until now) have not cared about software version.
     • Interesting!
  6. Side Note #2
     • In your deployment process, how many network calls are made to external resources? (brittle)
     • (How many vendors are needed to deploy?)
  7. BYOD: Bringing Your Own Dependencies
     The trend of systems development where developers are primarily responsible for application dependencies in production.
  8. Evolution?
     The general trend away from top-down control and toward distributed and point-to-point solutions is also true for software deployment.
  9. OS-Based Dependencies
     • "operating system" provided by "operations"
     • packaging and release engineering provided by OS vendors
     • "yum install your-package"
     • Requires operations to update
  10. Lots of problems here
     • Limited selection
     • Generally "out of date"
     • Security fixes only
     • Do not normally include stability fixes.
     • Definitely not feature updates
  11. Custom OS Packaging
     • Reimplementations or updated versions of OS packages.
     • Again, updates and additions added by operations
  12. Javascript
     • The original BYOD, since ops can't package it (normally)
     • Partial, since it clearly does not bundle in the browser
  13. Java .war/.jar files
     • Packages up all Java dependencies but doesn't package up the Java runtime.
     • (not really a Java expert any more, so I defer to you)
  14. Chef (Product)
     • Provides full install of Ruby (including the executable)
     • Near impossible to get a client's Ruby install to be "correct"
     • Chef (the company) is responsible for security for its components
  15. Full VM
     • Mostly done by product vendors, and not (normally?) done by internal enterprise deployments
     • And of course cloud providers provide a blank slate (but that's a different story).
     • But recently, "community OSs" have become popular.
  16. Docker
     • Dockerfile creates a container that provides all system requirements
     • "Docker…, liberating developers from infrastructure" (from their press release)
     • "Community OS"
  17. "Trusted Builds"
     • Only says the Dockerfile and the resulting container are consistent.
     • Big whoop.
     • Unlikely any Dockerfile creates a reproducible build over time (since it involves network resources).
  18. Go lang
     • Golang produces a single static binary that provides all code requirements
     • Dependencies are manually managed by developers
     • Third-party code frequently un-versioned
     • By default directly pulls from HEAD on GitHub for other modules
     • No shared libraries
  19. This is a good trend for operations and development
  20. • Ops should not care about what version of some Python module is installed. They can focus on operations and operating systems
     • Turns operations into platform and in-house consultancy (ideally)
     • Devs start taking responsibility for how their code is packaged and run.
     • Clear separation of duties (or perhaps responsibilities)
     Love it
  21. The Old OS Model
     • Kinda nice!
     • "Are we secure in our components?" is mostly an "apt-get/yum upgrade" invocation.
     • Actual work is outsourced (and centralized) to the OS vendor, or the ops team
  22. BYOD Model
     • Uhhh, now what?
     • AMIs, Docker containers and golang binaries are opaque
     • By inspection it is not clear what components are used, nor what versions.
     • Are they outdated? Insecure? Obsoleted?
  23. We know anonymous chat rooms quickly degenerate into the lowest form of content.
  24. Why do we think anonymous OS distributions will be better?
     Scale Kills Community
  25. More than 300 million instances of Docker's technology have been downloaded from its hosted service, Docker Hub. OK!
  26. Evolution of Security
     • Security will need to get involved with release engineering (and the software supply chain)
     • What does this mean?
  27. Absolutely
     • Security has to get involved with how software is made and deployed.
     • Demand a fast, reliable deployment pipeline mechanism
     • (how fast and how often you deploy is your policy)
     • If anything, you need to be able to patch quickly
  28. Maybe?
     • Automation? Checking latest version of components.
     • What does "latest version" even mean?
     • Building manifests and bill of materials? And displaying them?
     • Alerting on manifest changes
     • ??? this is a work in process ???
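As an added illustration of the "manifest and alert on changes" idea from the slide above (example code, not from the talk or from Signal Sciences): each build records a bill of materials with a declared version and the sha256 of every component, the next build's manifest is diffed against it, and any entry whose version is not an exact release is flagged as unpinned. The component names, versions and artifact bytes are constructed sample data.

```python
import hashlib
import re

# Constructed sample (not from the talk): what a build step could record per
# component as (name, declared version, artifact bytes). "HEAD" stands in for
# the unpinned, pull-from-master case the talk describes.
COMPONENTS_V1 = [
    ("openssl", "1.0.1k", b"openssl-1.0.1k-bytes"),
    ("requests", "2.7.0", b"requests-2.7.0-bytes"),
    ("github.com/example/lib", "HEAD", b"lib-at-commit-abc"),
]
COMPONENTS_V2 = [
    ("openssl", "1.0.1m", b"openssl-1.0.1m-bytes"),
    ("requests", "2.7.0", b"requests-2.7.0-bytes"),
    ("github.com/example/lib", "HEAD", b"lib-at-commit-def"),  # same ref, new bytes
    ("left-pad", "1.0.0", b"left-pad-bytes"),
]

# An exact release looks like 2.7.0 or 1.0.1k; anything else is treated as unpinned.
PINNED = re.compile(r"^\d+(\.\d+)+[a-z]?$")

def build_manifest(components):
    """Bill of materials for one build: {name: {"version": ..., "sha256": ...}}."""
    return {name: {"version": ver, "sha256": hashlib.sha256(blob).hexdigest()}
            for name, ver, blob in components}

def unpinned(manifest):
    """Components whose declared version does not identify a single release."""
    return sorted(n for n, e in manifest.items() if not PINNED.match(e["version"]))

def diff_manifests(old, new):
    """Alerts for components added, removed, upgraded, or drifted since the last build."""
    alerts = []
    for name in sorted(set(old) | set(new)):
        if name not in old:
            alerts.append(f"ADDED {name} {new[name]['version']}")
        elif name not in new:
            alerts.append(f"REMOVED {name} {old[name]['version']}")
        elif old[name] != new[name]:
            # Same declared version but a different hash is the silent case: an
            # unpinned dependency moved underneath the build with no diff to review.
            kind = "CHANGED" if old[name]["version"] != new[name]["version"] else "DRIFT"
            alerts.append(f"{kind} {name} {old[name]['version']} -> {new[name]['version']}")
    return alerts

if __name__ == "__main__":
    old, new = build_manifest(COMPONENTS_V1), build_manifest(COMPONENTS_V2)
    print("unpinned:", unpinned(new))
    print("\n".join(diff_manifests(old, new)))
```

The DRIFT case is the one a version-only comparison misses: the declared version is unchanged, so only the recorded hash reveals that the component's contents moved.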
  29. Tooling Can Help
     • Sonatype
     • Black Duck
     • I have no first-hand experience with any of them
     • I assume not all use cases here are covered, as it really depends how software is built, packaged and deployed.
  30. Can you Continuously Deliver your Bill of Materials?
  31. What is the provenance of your operating system?
  32. What are you doing here? Let me know at: [email protected] http://bit.ly/1Plr5o9 (one el)