This document discusses continuous security improvement in the DevOps process. It describes how a DevOps company called VSHN integrates security practices like application security, DevSecOps, and security operations into the software development lifecycle. These include implementing security best practices and tools for activities like code analysis, dependency management, container scanning, testing, deployment, operations, identity and access management, logging, and metrics collection. The goal is to automate security across build, test, deploy, and operations phases to deliver secure software through a DevSecOps approach.
Continuous security improvements in the DevOps process
1. VSHN - The DevOps Company
Continuous Security improvement in the DevOps process
Aarno Aukia, CTO @ VSHN - The DevOps Company
2. Agenda
● About Aarno & VSHN.ch
● From Ops to DevOps
● DevOps/DevSecOps/SecOps?
● Automating Operations to include security
○ Build
○ Test
○ Deployment
○ Ops
3. About Aarno & VSHN.ch
@aarnoaukia http://about.me/aarno aarno.aukia@vshn.ch
ETH → Google → Atrila → VSHN
VSHN - The DevOps Company
Since 2014, currently 30 VSHNeers in Zürich, Switzerland
We help developers run web applications 24/7 in any cloud, making both visitors happy with stability and developers happy with agility
4. OPS = Firefighting-as-a-Service?
5. DevOps: People, Processes & Tools
7. Areas of security improvement
● Developer education, requirements engineering, design review -> AppSec
● Software build/deployment/operations -> DevSecOps
● Incident detection & management -> SecOps
9. DevSecOps principles
10. Build
● Static code analysis automatically for each commit
● Dependency management
● (Base) container image scanning
11. Code analysis: SonarQube
12. Dependency updates: https://dependabot.com
13. Container scanning: aquasec
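The three "Build" checks from slides 10 to 13 (per-commit static analysis, dependency management, base-image scanning) wired into one pipeline, as an added example that is not VSHN's own configuration. It assumes GitLab CI with a Docker-capable runner, a SonarQube server reachable through the CI variables `SONAR_HOST_URL`/`SONAR_TOKEN`, Trivy (Aqua Security's open-source scanner) for the image scan, and a GitHub-style `dependabot.yml` for the dependency updates; every job fails the pipeline on findings rather than only reporting them.

```yaml
# .gitlab-ci.yml (added example; not from the slides)
stages:
  - analyze
  - build
  - scan

# 1. Static code analysis on every commit. Thresholds live in the SonarQube
#    quality gate; with sonar.qualitygate.wait=true the scanner exits non-zero
#    when the gate fails, which fails this job and blocks the later stages.
sonarqube:
  stage: analyze
  image: sonarsource/sonar-scanner-cli:latest
  script:
    - sonar-scanner
        -Dsonar.projectKey=$CI_PROJECT_NAME
        -Dsonar.sources=.
        -Dsonar.host.url=$SONAR_HOST_URL
        -Dsonar.token=$SONAR_TOKEN
        -Dsonar.qualitygate.wait=true

# 2. Build and push the image; the tag is the commit SHA so every deployment
#    (and rollback) refers to one immutable artefact.
build-image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

# 3. Scan the pushed image, base layers included, and fail on HIGH/CRITICAL
#    CVEs. --ignore-unfixed keeps the gate actionable: only findings that have
#    a fix available block the pipeline.
image-scan:
  stage: scan
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  script:
    - trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed
        "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

---
# .github/dependabot.yml (added example): dependency management as a process,
# not a one-off audit. Dependabot opens a pull request per outdated package on
# the chosen schedule, and that PR runs the analyze/build/scan stages above.
version: 2
updates:
  - package-ecosystem: "npm"       # assumption: a Node.js application
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "docker"    # keeps the FROM line of the Dockerfile current
    directory: "/"
    schedule:
      interval: "weekly"
```

The ordering matters: the image is scanned after it is built but before any deploy stage, so a base image with an unpatched CVE never becomes a running container, and the weekly Dockerfile update PR is what keeps the scan from failing repeatedly on the same old base.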
14. Test
● Smoke tests
● Test envs “à discretion”
15. Deployment
● Atomic container deployment
● Every deployment (and rollback) is a “normal deployment”
● Deployment automation removes the need for (all) devs to have root access to prod and/or for waiting on ops to deploy a new dev version
16. Ops
● Standardization on a (minimal, hardened) OS and container orchestrator
● Immutable (application) infrastructure using containers
● Process/storage/network separation of applications/environments
● Detect/prevent configuration drift between dev/test/stage/prod envs
● Documentation & automatic backup of all volumes
● Documentation & monitoring of routes/load balancers/ingress points, with SSL/TLS enforced
● AAI (authentication & authorization infrastructure) for admin & application
● Key & secrets management
● Audit logging of control & application planes
17. Container isolation
● Kernel namespacing (process & network)
● Control groups (resource quota to prevent DoS)
● SELinux (additional syscall filter)
● Prevent running as root inside the container; no user-provided privileged containers (enforce best practice)
● Read-only container filesystem (harder to persist an exploit at runtime)
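Each item of the container-isolation list above expressed as a Kubernetes/OpenShift setting, as an added example that is not from the slides or from VSHN. The namespace label uses the Pod Security admission controller built into Kubernetes 1.25 and later (OpenShift has the equivalent Security Context Constraints); the names `prod`, `hardened-app`, the image reference and the SELinux level are placeholders.

```yaml
# Added example (not from the slides). "Enforce best practice": rather than
# trusting every team to set the fields below, the namespace rejects any Pod
# that runs privileged, as root, or with extra Linux capabilities.
apiVersion: v1
kind: Namespace
metadata:
  name: prod
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app
  namespace: prod
spec:
  # Kernel namespacing (process & network) is the default; these three flags
  # are the opt-outs, spelled out so a reviewer sees they stay off.
  hostPID: false
  hostNetwork: false
  hostIPC: false
  securityContext:
    runAsNonRoot: true         # kubelet refuses to start the container as UID 0
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault     # syscall filter, in addition to the host's SELinux policy
    seLinuxOptions:
      level: "s0:c123,c456"    # illustrative MCS label; OpenShift normally assigns one per namespace
  containers:
    - name: app
      image: registry.example.com/team/app@sha256:<digest>   # placeholder; pin by digest, not tag
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false   # setuid binaries cannot regain root
        readOnlyRootFilesystem: true      # nothing can be written into the image at runtime
        capabilities:
          drop: ["ALL"]
      # Control groups: limits become cgroup quotas, so a leaking or looping
      # container cannot exhaust node CPU/memory for its neighbours (DoS).
      resources:
        requests: {cpu: "100m", memory: "128Mi"}
        limits:   {cpu: "500m", memory: "256Mi"}
      # A read-only root still needs scratch space: an explicit, size-capped
      # tmpfs instead of a writable image layer, and it vanishes with the Pod.
      volumeMounts:
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir:
        medium: Memory
        sizeLimit: 64Mi
```

A quick check on a cluster with the admission controller enabled: remove `runAsNonRoot` or set `privileged: true` and `kubectl apply` is rejected at admission time in the `prod` namespace, which is exactly the difference between documenting a best practice and enforcing it.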
18. AAI: Keycloak
● Identity & access management
● Single sign-on / single sign-out
● Identity brokering:
○ OpenID Connect (OAuth2, FB/Twitter/GitHub etc.)
○ SAML 2.0
○ Kerberos
● User federation: LDAP, AD, etc.
● 2FA: TOTP/HOTP
● Management of authorization groups
19. Logs: ELK/EFK/Graylog
● Log all access and changes made through the control plane
● Log all access to the application and correlate it with application logs
● Index, view, filter, aggregate KPIs → monitoring
● Store outside the application's scope
20. Metrics: Prometheus / NewRelic
● Prometheus
○ Time series database
○ Open source / CNCF project
○ Well integrated with Docker/Kubernetes stats
● NewRelic APM
○ Application-level profiling
○ Performance tracking
○ Exception tracking (backend & frontend)
○ Available as SaaS
21. Kubernetes Distribution Architecture
22. Auxiliary services we use at APPUiO.ch
● OpenShift, Kubernetes, Docker
● Logging: EFK
● Metrics: Prometheus
● SSL certificates: letsencrypt.org
● Source-to-image builder, Dockerfile builder, Docker image registry: OpenShift
● Load balancing, horizontal (auto)scaling, rolling deployments: Kubernetes
● MySQL/MariaDB, PostgreSQL, Redis, Solr, Elasticsearch, RabbitMQ, MongoDB: either single-container for dev or DBaaS for prod
● 24/7 support and SLA, cloud or on-premises
23. APPUiO.ch in 14 countries & on-premises
24. Thank you
● Please do get in touch with feedback
● Twitter: @aarnoaukia
● LinkedIn: https://www.linkedin.com/in/aukia/
● Email: aarno.aukia@vshn.ch
25. Come visit us for a coffee!
VSHN AG - Neugasse 10 - CH-8005 Zürich - +41 44 545 53 00 - https://vshn.ch/ - info@vshn.ch
https://vshn.ch/kontakt/
Follow us on Twitter! @vshn_ch
26. The CNCF Landscape
27. Cloud Native Computing
Next event: February 21, 2019 from 6.30pm
https://www.meetup.com/Cloud-Native-Computing-Switzerland
Please volunteer for sponsoring & talks
https://cnc-meetup.ch