Security Through Repaving
Lance Rochelle – Product Owner (Pivotal Cloud Foundry)
August 2018
Public Information
© 2018 Wells Fargo Bank, N.A. All rights reserved.
Introductions
Lance Rochelle
History of Patching: A Comedy or a Tragedy
~1999
• “Hey, let’s see how long we can keep these servers up and use uptime as a benchmark for stability.” – Super 1337 SysAdmin
~2002
• “We should probably patch. Once a year seems like a pretty good idea, that way we know the server can survive a reboot.” – Some CIO, probably
~2004
• “You know, this patching thing isn’t so bad. I bet we could do it twice a year.” – The Business, begrudgingly
~2007
• “About once a quarter there is a new Operating System kernel. We should patch to the new kernel a few months after they come out, let’s do once a quarter.” – OS Engineers, anxious to engineer
~2012
• “Security would like us to patch ONCE A MONTH?! Who does that, whyyyyyyyy…” – Everyone and their brother
~2018
• “You know what would be cool, what if we could blow away the entire environment every day and rebuild it from scratch?” – A super smart person
What are the Primary Threats and Concerns?
• APT: Advanced Persistent Threats
• Configuration Drift: the state of the environment changing over time
• Vulnerabilities: exploitable “things” that you don’t want in your environment
• Technical Debt: unpatched, out of date, and unmaintained software
What is “Repaving”?
Principles…
1) Patch early, patch often
2) Gold Images
3) Deploy via Automation
4) Aim for “Cattle” not “Pets”
5) Redeploy Often – even when you don’t think you have to or need to
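The five principles above, turned into a concrete policy check. This is an added example, not part of the deck and not BOSH or Pivotal code: it runs over a constructed inventory and decides which VMs must be repaved and why. The job names, stemcell version strings (`3586.36`, `3586.40`), image digests and the seven-day maximum age are all made up for illustration; a real deployment would take them from its BOSH director and its own risk appetite. The point it makes is principle 5: a VM that is fully patched and unchanged is still rebuilt once it exceeds its maximum age, so that dwell time for anything that did slip in is bounded.

```python
"""Repave policy check: which VMs must be rebuilt, and for which reason.

Added example over a constructed inventory. Version strings, digests and
thresholds are illustrative values, not from the deck or from BOSH.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


@dataclass
class DeployedVM:
    name: str
    stemcell_version: str   # version of the gold image the VM was built from
    image_digest: str       # digest of the image actually running (constructed)
    created_at: datetime    # when the VM was last recreated


@dataclass
class RepavePolicy:
    latest_stemcell: str    # newest patched gold image available
    gold_digest: str        # digest every VM is expected to be running
    max_age: timedelta      # principle 5: rebuild even when nothing else demands it


def parse_version(version: str) -> Tuple[int, ...]:
    """'3586.40' -> (3586, 40); tuple comparison orders versions numerically,
    so '3586.40' correctly sorts after '3586.9' (a string compare would not)."""
    return tuple(int(part) for part in version.split("."))


def repave_reasons(vm: DeployedVM, policy: RepavePolicy, now: datetime) -> List[str]:
    """Every reason this VM should be repaved; an empty list means it may stay."""
    reasons: List[str] = []
    if parse_version(vm.stemcell_version) < parse_version(policy.latest_stemcell):
        reasons.append("stale-stemcell")   # principle 1: patch early, patch often
    if vm.image_digest != policy.gold_digest:
        reasons.append("drift")            # principle 2: no longer the gold image
    if now - vm.created_at > policy.max_age:
        reasons.append("max-age")          # principle 5: age alone is enough
    return reasons


def select_for_repave(inventory: List[DeployedVM], policy: RepavePolicy,
                      now: datetime) -> Dict[str, List[str]]:
    """Map of VM name -> reasons, for every VM that needs rebuilding."""
    selected: Dict[str, List[str]] = {}
    for vm in inventory:
        reasons = repave_reasons(vm, policy, now)
        if reasons:
            selected[vm.name] = reasons
    return selected


# Constructed sample data: one healthy VM and one VM per failure reason.
GOLD = "sha256:constructed-gold-digest"
UTC = timezone.utc


def sample_policy() -> RepavePolicy:
    return RepavePolicy(latest_stemcell="3586.40", gold_digest=GOLD,
                        max_age=timedelta(days=7))


def sample_inventory() -> List[DeployedVM]:
    return [
        DeployedVM("uaa/0", "3586.40", GOLD, datetime(2018, 8, 14, tzinfo=UTC)),
        DeployedVM("router/0", "3586.36", GOLD, datetime(2018, 8, 10, tzinfo=UTC)),
        DeployedVM("diego_cell/0", "3586.40", "sha256:constructed-drifted",
                   datetime(2018, 8, 14, tzinfo=UTC)),
        DeployedVM("diego_cell/1", "3586.40", GOLD, datetime(2018, 7, 1, tzinfo=UTC)),
    ]


if __name__ == "__main__":
    now = datetime(2018, 8, 15, tzinfo=UTC)
    for name, reasons in select_for_repave(sample_inventory(), sample_policy(), now).items():
        print(f"{name:14} repave: {', '.join(reasons)}")
```

Run as a script it lists `router/0` (stale stemcell), `diego_cell/0` (drift) and `diego_cell/1` (over the age limit) and stays silent about `uaa/0`. Feeding the result into the automated redeploy, rather than into a ticket queue, is what turns the check into repaving.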
Automate Platform Patching – BOSH with PCF
BOSH is an open source project that unifies release engineering, deployment, and lifecycle management of small and large-scale cloud software.
BOSH can provision and deploy software over hundreds of virtual appliances and can also perform monitoring, failure recovery, and software updates with zero-to-minimal downtime.
While BOSH was developed to deploy Cloud Foundry PaaS, it can also be used to deploy almost any other software. BOSH is particularly well-suited for large distributed systems.
In addition, BOSH supports multiple Infrastructure as a Service (IaaS) providers (VMware vSphere, Google Cloud Platform, Amazon Web Services EC2, Public Azure and some versions of OpenStack).
Application Deployment Process
https://docs.cloudfoundry.org/concepts/images/app_push_flow_diagram_diego.png
Security Threats are Increasing at a Rapid Rate
CVE = Common Vulnerabilities and Exposures.
The total number of vulnerabilities identified in the wild:
• 2015 = 6480
• 2016 = 6447
• 2017 = 14714
• 2018 ≈ 19500+ (estimate from Jan to Aug)
The only way to keep up with threats is to automate all updates.
https://www.cvedetails.com/browse-by-date.php
[Chart: CVEs by month and CVSS score band (0-2.9, 3-6.9, 7-10+, and total), Jan 2017 to Jul 2018, with monthly counts on a 0-5000 axis and cumulative CVEs reported on a 0-25000 axis.]
Stemcell Scanning is Still Important!
[Diagram: numbered pipeline stages (1, 2, 3, 5, 7) connecting PivNet, a Scanning Agent, the Continuous Integration Pipeline, the Artifact Repository, a Representative Cluster, and the IaaS (AWS/GCP/vSphere/Azure/OpenStack).]
Platform Repaving with BOSH and PCF
Pivotal Cloud Foundry – Elastic Runtime
[Diagram: Pivotal Cloud Foundry Elastic Runtime. Phase 1 covers the control-plane jobs (Consul, NATS, Diego BBS, UAA, Cloud Controller, Cloud Controller Worker, Clock Global, Diego Brain, TCP Router, Doppler Server, Loggregator); Phase 2 covers the Virtual Routers; Phase 3 covers the Diego Cells, on which the application instances reside (Application 1 and Application 2, Instances 1 to 3).]
Key Point: All servers are immutable.
Phase 1: All virtual appliances are recreated with a new image, based on a concurrency value.
Phase 2: Traffic is drained automatically from the virtual appliances, then each virtual appliance is recreated with a new image and assigned the role of the virtual router.
Phase 3: Application instances are migrated from a currently running Diego Cell to another Diego Cell.
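The three phases above, as an added example that is not part of the deck and not BOSH's own code: a small Python planner that walks a constructed inventory onto a new stemcell, honouring a concurrency value (Phase 1), draining routers before they are recreated (Phase 2), and moving application instances off a Diego Cell before that cell is rebuilt (Phase 3). The job names (`uaa`, `router`, `diego_cell`), the action tuples and the batching rule (never the whole of a multi-instance job at once) are this example's own conventions, modelled on the slide's description rather than on BOSH internals; the `3586.x` version strings are constructed. It also shows the failure mode a practitioner hits first: a single cell holding instances has nowhere to evacuate them to, and the planner refuses rather than dropping the workload.

```python
"""Rolling repave planner for the three phases on the slide.

Added example: a constructed in-memory inventory and a planner that moves
every VM onto a new stemcell without taking a whole job down at once.
Job names, action tuples and batching rule are this example's own, not BOSH's.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Action = Tuple[str, str, str]   # (verb, vm name, detail)

ROUTER_JOBS = {"router"}        # Phase 2: drained before recreate
CELL_JOBS = {"diego_cell"}      # Phase 3: app instances evacuated first


@dataclass(eq=False)            # identity equality: "is this VM in the batch" is by object
class VM:
    job: str
    index: int
    stemcell: str
    apps: List[str] = field(default_factory=list)   # app instances hosted (cells only)

    @property
    def name(self) -> str:
        return f"{self.job}/{self.index}"


def batches(vms: List[VM], concurrency: int) -> List[List[VM]]:
    """Split a job's VMs into batches of at most `concurrency`, always leaving
    at least one instance of a multi-instance job untouched in each batch."""
    n = len(vms)
    size = max(1, min(concurrency, n - 1)) if n > 1 else 1
    return [vms[i:i + size] for i in range(0, n, size)]


def evacuate(cell: VM, others: List[VM]) -> List[Action]:
    """Move every app instance off `cell` onto the least-loaded other cell."""
    if cell.apps and not others:
        raise RuntimeError(f"no cell left to receive instances from {cell.name}")
    moves: List[Action] = []
    while cell.apps:
        app = cell.apps.pop()
        target = min(others, key=lambda c: len(c.apps))
        target.apps.append(app)
        moves.append(("migrate", app, f"{cell.name}->{target.name}"))
    return moves


def plan_repave(inventory: List[VM], new_stemcell: str, concurrency: int) -> List[Action]:
    """Mutate `inventory` onto `new_stemcell`; return the ordered actions taken."""
    actions: List[Action] = []
    by_job: Dict[str, List[VM]] = {}
    for vm in inventory:
        by_job.setdefault(vm.job, []).append(vm)

    def recreate(vm: VM) -> None:
        vm.stemcell = new_stemcell
        actions.append(("recreate", vm.name, new_stemcell))

    # Phase 1: everything that is neither router nor cell, `concurrency` at a time.
    for job, vms in by_job.items():
        if job in ROUTER_JOBS or job in CELL_JOBS:
            continue
        for batch in batches(vms, concurrency):
            for vm in batch:
                recreate(vm)

    # Phase 2: routers are drained, recreated, then given their role back.
    for job in ROUTER_JOBS:
        for batch in batches(by_job.get(job, []), concurrency):
            for vm in batch:
                actions.append(("drain", vm.name, ""))
            for vm in batch:
                recreate(vm)
                actions.append(("assign_role", vm.name, "router"))

    # Phase 3: cells are emptied onto cells outside the current batch, then recreated.
    for job in CELL_JOBS:
        cells = by_job.get(job, [])
        for batch in batches(cells, concurrency):
            others = [c for c in cells if all(c is not b for b in batch)]
            for cell in batch:
                actions.extend(evacuate(cell, others))
                recreate(cell)
    return actions


def unrepaved(inventory: List[VM], stemcell: str) -> List[str]:
    """Names of VMs not yet on `stemcell` (empty once plan_repave has run)."""
    return [vm.name for vm in inventory if vm.stemcell != stemcell]


def sample_inventory() -> List[VM]:
    """Constructed sample: two UAA nodes, two routers, three cells, four app instances."""
    return [
        VM("uaa", 0, "3586.36"), VM("uaa", 1, "3586.36"),
        VM("router", 0, "3586.36"), VM("router", 1, "3586.36"),
        VM("diego_cell", 0, "3586.36", ["app1/0", "app2/0"]),
        VM("diego_cell", 1, "3586.36", ["app1/1"]),
        VM("diego_cell", 2, "3586.36", ["app2/1"]),
    ]


if __name__ == "__main__":
    inv = sample_inventory()
    for verb, target, detail in plan_repave(inv, "3586.40", concurrency=2):
        print(f"{verb:12} {target:14} {detail}")
    print("still on old stemcell:", unrepaved(inv, "3586.40"))
```

With concurrency 2 the sample produces 18 actions: the two UAA nodes one at a time (a two-instance job never loses both), each router drained before its rebuild, and the first two cells emptied onto the third before that third cell is in turn emptied back onto the fresh pair. Every application instance is still placed at the end, and no VM remains on the old stemcell, which is the invariant a repave pipeline should assert before declaring the run complete.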
Thank you!
Q&A
Securing Pivotal Cloud Foundry by Regularly Rebuilding