2017-02-21 AFCEA West Building Continuous Integration & Deployment (CI/CD) Pipelines in Partnership with Security Teams

•

1 j'aime•386 vues

Presented at AFCEA West 2017: http://www.westconference.org/West17/Public/SessionDetails.aspx?FromPage=Sessions.aspx&SessionID=5747&SessionDateID=371

Logiciels

DevOpsSec: Building CI/CD
with Security Teams
Shawn Wells
Chief Security Strategist
Red Hat Pubic Sector
shawn@redhat.com || 443-534-0130

9
INTRO TO CI/CD
https://www.youtube.com/watch?v=65BnTLcDAJI
source
repository
CI/CD
engine
dev container

10
INTRO TO CI/CD
https://www.youtube.com/watch?v=65BnTLcDAJI

Meanwhile, in Government:
FISMA from an earlier era
● Written in 2003-2004
● Pre GovCloud, C2S, MilCloud
● Pre DevOps, Infrastructure as Code
● Multi-year dev/ship cycles common
● Waterfall dominant
● IT was more manual a decade ago
11

https://www.telos.com/assets/Telos-AWS-white-paper.pdf
Meanwhile, in Government:
FISMA from an earlier era
12

14
Layered Packaging: Separation of Concerns
Operations Architects Application
developers

Public and Private Registries
● What security meta-data
is available for your images?
● Are the images updated
regularly?
● Are there access controls in
the registry? How strong are
they?
15
Registries: Where do you get your containers?
● Red Hat Container
Registry
● Policies to control who
can deploy which
containers
● Certification Catalog
● Trusted content with
security updates
HOST OS
CONTAINER
OS
RUNTIME
APP
HOST OS
CONTAINER
OS
RUNTIME
APP

You need to know . . .
● Will what’s inside your container
compromise your infrastructure?
● Are there known vulnerabilities
in the application layer?
● Are the runtime and operating
system layers up to date?
16
Container Contents Matter
CONTAINER
OS
RUNTIME
APPLICATION

17
Community created portfolio of tools and content
to assess systems for known vulnerabilities.
https://github.com/NSAgov
Or direct: https://github.com/OpenSCAP

19
RHEL7 STIG content, rebased in RHEL 7.3:
● 6,180 commits from 95 people
● 441,055 lines of code
OpenSCAP interpreter contains:
● 6,811 commits from 74 people
● 157,775 lines of code
“Security Button” RHEL7 Installer:
● 6 people, 90 days
Shipping in RHEL 7:
● Intelligence Community: C2S and CS2
● DoD: RHEL7 Vendor STIG
● Civilian: USGCB/OSPP
● Justice: FBI Criminal Justice Info. Systems
(FBI CJIS)

Atomic Scan
Enables multiple container scanners
21
Red Hat
container
scanning
API
RED HAT
CONTAINER
SCANNING
INTERFACE

25
Contact Info
LinkedIn: https://www.linkedin.com/in/shawndwells/
EMail: shawn@redhat.com
Cell: 443-534-0130 (US EST)
Blog: https://shawnwells.io
OpenSCAP Slides + Videos:
https://github.com/OpenSCAP/scap-security-guide/wiki/Collateral-and-References

Recommandé

IBM World of Watson 2016 - DB2 Analytics Accelerator on CloudDaniel Martin

DB2 Real-Time Analytics Meeting Wayne, PA 2015 - IDAA & DB2 Tools UpdateBaha Majid

EDBT 2013 - Near Realtime Analytics with IBM DB2 Analytics AcceleratorDaniel Martin

Db2 family and v11.1.4.4ModusOptimum

Ibm integrated analytics systemModusOptimum

Proactive Threat Detection and Safeguarding of Data for Enhanced Cyber resili...Sandeep Patil

How to Leverage Mainframe Data with Hadoop: Bridging the Gap Between Big Iron...Precisely

IBM Power Systems Announcement UpdateDavid Spurway

Recommandé

IBM World of Watson 2016 - DB2 Analytics Accelerator on CloudDaniel Martin

DB2 Real-Time Analytics Meeting Wayne, PA 2015 - IDAA & DB2 Tools UpdateBaha Majid

EDBT 2013 - Near Realtime Analytics with IBM DB2 Analytics AcceleratorDaniel Martin

Db2 family and v11.1.4.4ModusOptimum

Ibm integrated analytics systemModusOptimum

Proactive Threat Detection and Safeguarding of Data for Enhanced Cyber resili...Sandeep Patil

How to Leverage Mainframe Data with Hadoop: Bridging the Gap Between Big Iron...Precisely

IBM Power Systems Announcement UpdateDavid Spurway

Co-Design Architecture for Exascaleinside-BigData.com

10/ EnterpriseDB @ OPEN'16 Kangaroot

FlexPod as a Competitive EdgeNetApp

Regarding Clouds, Mainframes, and Desktops … and LinuxRobert Sutor

10 reasons why to choose Pure StorageMarketingArrowECS_CZ

OpenStack + Nano Server + Hyper-V + S2DAlessandro Pilotti

Joint NetApp and Cisco Solutions for SAP: FlexPod and HANANetApp

Nutanix basicganang saputro

9/ IBM POWER @ OPEN'16Kangaroot

Highlights of OpenStack Mitaka and the OpenStack SummitCloud Standards Customer Council

Automating the Enterprise with CloudForms & AnsibleJerome Marc

Modernize Your Oracle Environment with an Agile Data InfrastructureNetApp

HCI comparison whatmatrixRodneyReinhardt

Liberate Your Files with a Private Cloud Storage Solution powered by Open SourceIsaac Christoffersen

IBM POWER8 as an HPC platformAlexander Pozdneev

IBM Power9 Features and Specificationsinside-BigData.com

NetApp All Flash storageMarketingArrowECS_CZ

Red Hat Storage Day Boston - Why Software-defined Storage MattersRed_Hat_Storage

Oracle big data appliance and solutionssolarisyougood

Oracle Cloud - Infrastruktura jako kódMarketingArrowECS_CZ

World of Watson - DB2 for Linux, UNIX and Windows RoadmapIBM_Info_Management

What´s next? Facebook Now and then #AFBMCAllFacebook.de

Contenu connexe

Tendances

Co-Design Architecture for Exascaleinside-BigData.com

10/ EnterpriseDB @ OPEN'16 Kangaroot

FlexPod as a Competitive EdgeNetApp

Regarding Clouds, Mainframes, and Desktops … and LinuxRobert Sutor

10 reasons why to choose Pure StorageMarketingArrowECS_CZ

OpenStack + Nano Server + Hyper-V + S2DAlessandro Pilotti

Joint NetApp and Cisco Solutions for SAP: FlexPod and HANANetApp

Nutanix basicganang saputro

9/ IBM POWER @ OPEN'16Kangaroot

Highlights of OpenStack Mitaka and the OpenStack SummitCloud Standards Customer Council

Automating the Enterprise with CloudForms & AnsibleJerome Marc

Modernize Your Oracle Environment with an Agile Data InfrastructureNetApp

HCI comparison whatmatrixRodneyReinhardt

Liberate Your Files with a Private Cloud Storage Solution powered by Open SourceIsaac Christoffersen

IBM POWER8 as an HPC platformAlexander Pozdneev

IBM Power9 Features and Specificationsinside-BigData.com

NetApp All Flash storageMarketingArrowECS_CZ

Red Hat Storage Day Boston - Why Software-defined Storage MattersRed_Hat_Storage

Oracle big data appliance and solutionssolarisyougood

Oracle Cloud - Infrastruktura jako kódMarketingArrowECS_CZ

Tendances (20)

Co-Design Architecture for Exascale

10/ EnterpriseDB @ OPEN'16

FlexPod as a Competitive Edge

Regarding Clouds, Mainframes, and Desktops … and Linux

10 reasons why to choose Pure Storage

OpenStack + Nano Server + Hyper-V + S2D

Joint NetApp and Cisco Solutions for SAP: FlexPod and HANA

Nutanix basic

9/ IBM POWER @ OPEN'16

Highlights of OpenStack Mitaka and the OpenStack Summit

Automating the Enterprise with CloudForms & Ansible

Modernize Your Oracle Environment with an Agile Data Infrastructure

HCI comparison whatmatrix

Liberate Your Files with a Private Cloud Storage Solution powered by Open Source

IBM POWER8 as an HPC platform

IBM Power9 Features and Specifications

NetApp All Flash storage

Red Hat Storage Day Boston - Why Software-defined Storage Matters

Oracle big data appliance and solutions

Oracle Cloud - Infrastruktura jako kód

En vedette

World of Watson - DB2 for Linux, UNIX and Windows RoadmapIBM_Info_Management

What´s next? Facebook Now and then #AFBMCAllFacebook.de

2016 State of DevOpsNicole Forsgren

The DevOpsSec Dilemma | Lean Agile Scotland 2015cacorriere

Why DevOps != the Wild West and How Embracing it Can Improve Security - RSA C...Dan Cundiff

Here For Good Report 2016 - GaneshganeshMIT

Informix 12.10.xC7 MQTT listener - june2016Shawn Moe

DB2 Data Sharing Performance for BeginnersMartin Packer

Presentation of Yemen Association for Certified Public Accountants (YACPA) to...International Federation of Accountants

Ekiti State 2016 Budget Q4 Appraisal.Government of Ekiti State, Nigeria

XM Asia connecting the dotsPaul Soon

Is technology innocent?Sami Uddin

5 Tips To Managing Growth InfographicBright Technology

Implantación de la nueva asignatura de "Tecnología, Programación y Robótica" ...Educación Innovación

2008-10-15 Red Hat Deep Dive Sessions: SELinuxShawn Wells

Devopssecfailcacois

2016-08-24 FedInsider Webinar with Jennifer Kron - Securing Intelligence in a...Shawn Wells

「VCL ユーザーのためのFireMonkey入門」Embarcadero Technologies

2016-08-29 AFITC Security AutomationShawn Wells

1 page project planning template.Ed Curley

En vedette (20)

World of Watson - DB2 for Linux, UNIX and Windows Roadmap

What´s next? Facebook Now and then #AFBMC

2016 State of DevOps

The DevOpsSec Dilemma | Lean Agile Scotland 2015

Why DevOps != the Wild West and How Embracing it Can Improve Security - RSA C...

Here For Good Report 2016 - Ganesh

Informix 12.10.xC7 MQTT listener - june2016

DB2 Data Sharing Performance for Beginners

Presentation of Yemen Association for Certified Public Accountants (YACPA) to...

Ekiti State 2016 Budget Q4 Appraisal.

XM Asia connecting the dots

Is technology innocent?

5 Tips To Managing Growth Infographic

Implantación de la nueva asignatura de "Tecnología, Programación y Robótica" ...

2008-10-15 Red Hat Deep Dive Sessions: SELinux

Devopssecfail

2016-08-24 FedInsider Webinar with Jennifer Kron - Securing Intelligence in a...

「VCL ユーザーのためのFireMonkey入門」

2016-08-29 AFITC Security Automation

1 page project planning template.

Similaire à 2017-02-21 AFCEA West Building Continuous Integration & Deployment (CI/CD) Pipelines in Partnership with Security Teams

DoD Enterprise DevSecOps Initiative by Mr. Nicolas ChaillanHermanKBeta

Cloud Foundry May 1 2014Christopher Ferris

Transform your organization with cisco cloudsolarisyougood

Devops Columbia October 2020 - Gabriel Alix: A Discussion on TerraformDrew Malone

Devops Columbia October 2020 - Gabriel Alix: A Discussion on Terraform DevOpsColumbia

microXchg 2019: "Creating an Effective Developer Experience for Cloud-Native ...Daniel Bryant

PSOCLD 1007 Cisco Hybrid Cloud Platform for Google CloudRohit Agarwalla

DoD-Enterprise-DevSecOps-Initiative-Introduction-v4.52.pptxTomGrand4

ContainerCon- Cloud Native Applications, Containers, Microservices, Platforms...Fabio Chiodini

Continuous Deployment to the Cloud - Topher BullockVMware Tanzu

Get your head in the clouds! - Swansea Con 2016Christopher Cundill

Talk DevSecOps to meMichelle Ribeiro

Tech Talk - Cloud Transformation in 2017Alex Rhea

BRKINI-1679.pdftuancq77

cloud-migrations.pptxJohn Mulhall

Cncf checkov and bridgecrewLibbySchulze

Seguridad: sembrando confianza en el cloudNextel S.A.

Cloud Innovation Tour - Design TrackLaurenWendler

Developers Driving DevOps at Scale: 5 Keys to SuccessDevOps.com

Implementing Cloud-Based DevOps for Distributed Agile ProjectsTechWell

Similaire à 2017-02-21 AFCEA West Building Continuous Integration & Deployment (CI/CD) Pipelines in Partnership with Security Teams (20)

DoD Enterprise DevSecOps Initiative by Mr. Nicolas Chaillan

Cloud Foundry May 1 2014

Transform your organization with cisco cloud

Devops Columbia October 2020 - Gabriel Alix: A Discussion on Terraform

microXchg 2019: "Creating an Effective Developer Experience for Cloud-Native ...

PSOCLD 1007 Cisco Hybrid Cloud Platform for Google Cloud

DoD-Enterprise-DevSecOps-Initiative-Introduction-v4.52.pptx

ContainerCon- Cloud Native Applications, Containers, Microservices, Platforms...

Continuous Deployment to the Cloud - Topher Bullock

Get your head in the clouds! - Swansea Con 2016

Talk DevSecOps to me

Tech Talk - Cloud Transformation in 2017

BRKINI-1679.pdf

cloud-migrations.pptx

Cncf checkov and bridgecrew

Seguridad: sembrando confianza en el cloud

Cloud Innovation Tour - Design Track

Developers Driving DevOps at Scale: 5 Keys to Success

Implementing Cloud-Based DevOps for Distributed Agile Projects

Plus de Shawn Wells

2017-10-10 AUSA 2017: Repeatable DCO PlatformsShawn Wells

2017-07-12 GovLoop: New Era of Digital SecurityShawn Wells

2017-07-11 GovLoop: Changing the Open Hybrid Cloud Game (Deploying OpenShift ...Shawn Wells

2017 02-17 rsac 2017 tech-f02Shawn Wells

2016 -11-18 OpenSCAP Workshop CoursebookShawn Wells

2016-08-18 Red Hat Partner Security UpdateShawn Wells

2015-11-15 - Supercomputing 2015 - Applied Cross DomainShawn Wells

2015-10-05 Fermilabs DevOps Alone in the DarkShawn Wells

2015-06-25 Red Hat Summit 2015 - Security Compliance Made EasyShawn Wells

2015 06-12 DevOpsDC 2015 - Consumer to CollaboratorShawn Wells

2015-01-27 ssa opening remarksShawn Wells

2014-12-16 defense news - shutdown the hackersShawn Wells

2014-07-31 customer convergence applied scapShawn Wells

2014-07-30 defense in depth scap workbookShawn Wells

2014-05-08 IT Craftsmanship to IT ManufacturingShawn Wells

2014-04-28 cloud security frameworks and enforcementShawn Wells

2014 04-17 Applied SCAP, Red Hat Summit 2014Shawn Wells

2014 04-03 xyratex eventShawn Wells

2013-08-22 NSA System Security & ManagementShawn Wells

2013-07-21 MITRE Developer Days - Red Hat SCAP RemediationShawn Wells

Plus de Shawn Wells (20)

2017-10-10 AUSA 2017: Repeatable DCO Platforms

2017-07-12 GovLoop: New Era of Digital Security

2017-07-11 GovLoop: Changing the Open Hybrid Cloud Game (Deploying OpenShift ...

2017 02-17 rsac 2017 tech-f02

2016 -11-18 OpenSCAP Workshop Coursebook

2016-08-18 Red Hat Partner Security Update

2015-11-15 - Supercomputing 2015 - Applied Cross Domain

2015-10-05 Fermilabs DevOps Alone in the Dark

2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy

2015 06-12 DevOpsDC 2015 - Consumer to Collaborator

2015-01-27 ssa opening remarks

2014-12-16 defense news - shutdown the hackers

2014-07-31 customer convergence applied scap

2014-07-30 defense in depth scap workbook

2014-05-08 IT Craftsmanship to IT Manufacturing

2014-04-28 cloud security frameworks and enforcement

2014 04-17 Applied SCAP, Red Hat Summit 2014

2014 04-03 xyratex event

2013-08-22 NSA System Security & Management

2013-07-21 MITRE Developer Days - Red Hat SCAP Remediation

Dernier

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE9953056974 Low Rate Call Girls In Saket, Delhi NCR

Exploring iOS App Development: Simplifying the ProcessEvangelist Apps https://twitter.com/EvangelistSW/

Active Directory Penetration Testing, cionsystems.com.pdfCionsystems

Clustering techniques data mining book ....ShaimaaMohamedGalal

Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions

Microsoft AI Transformation Partner Playbook.pdfWilly Marroquin (WillyDevNET)

Optimizing AI for immediate response in Smart CCTVshikhaohhpro

TECUNIQUE: Success Stories: IT Service providermohitmore19

Right Money Management App For Your Financial GoalsJhone kinadey

Professional Resume Template for Software DevelopersVinodh Ram

Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01

How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes

Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave

Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab

why an Opensea Clone Script might be your perfect match.pdfjoe51371421

SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI

Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.

Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171

Software Quality Assurance Interview QuestionsArshad QA

Dernier (20)

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE

Exploring iOS App Development: Simplifying the Process

Active Directory Penetration Testing, cionsystems.com.pdf

Clustering techniques data mining book ....

Advancing Engineering with AI through the Next Generation of Strategic Projec...

Microsoft AI Transformation Partner Playbook.pdf

Optimizing AI for immediate response in Smart CCTV

TECUNIQUE: Success Stories: IT Service provider

Right Money Management App For Your Financial Goals

Professional Resume Template for Software Developers

Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...

How To Troubleshoot Collaboration Apps for the Modern Connected Worker

Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...

Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

why an Opensea Clone Script might be your perfect match.pdf

SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI

Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...

Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf

Software Quality Assurance Interview Questions

2017-02-21 AFCEA West Building Continuous Integration & Deployment (CI/CD) Pipelines in Partnership with Security Teams

1. DevOpsSec: Building CI/CD with Security Teams Shawn Wells Chief Security Strategist Red Hat Pubic Sector shawn@redhat.com || 443-534-0130

2. NDA REQUIRED | JIM TYRRELL

8. 1/day RELEASES PER YEAR 1/hour

9. 9 INTRO TO CI/CD https://www.youtube.com/watch?v=65BnTLcDAJI source repository CI/CD engine dev container

10. 10 INTRO TO CI/CD https://www.youtube.com/watch?v=65BnTLcDAJI

11. Meanwhile, in Government: FISMA from an earlier era ● Written in 2003-2004 ● Pre GovCloud, C2S, MilCloud ● Pre DevOps, Infrastructure as Code ● Multi-year dev/ship cycles common ● Waterfall dominant ● IT was more manual a decade ago 11

12. https://www.telos.com/assets/Telos-AWS-white-paper.pdf Meanwhile, in Government: FISMA from an earlier era 12

13. 13 DevOps + Security

14. 14 Layered Packaging: Separation of Concerns Operations Architects Application developers

15. Public and Private Registries ● What security meta-data is available for your images? ● Are the images updated regularly? ● Are there access controls in the registry? How strong are they? 15 Registries: Where do you get your containers? ● Red Hat Container Registry ● Policies to control who can deploy which containers ● Certification Catalog ● Trusted content with security updates HOST OS CONTAINER OS RUNTIME APP HOST OS CONTAINER OS RUNTIME APP

16. You need to know . . . ● Will what’s inside your container compromise your infrastructure? ● Are there known vulnerabilities in the application layer? ● Are the runtime and operating system layers up to date? 16 Container Contents Matter CONTAINER OS RUNTIME APPLICATION

17. 17 Community created portfolio of tools and content to assess systems for known vulnerabilities. https://github.com/NSAgov Or direct: https://github.com/OpenSCAP

18. 18 https://github.com/nsagov

19. 19 RHEL7 STIG content, rebased in RHEL 7.3: ● 6,180 commits from 95 people ● 441,055 lines of code OpenSCAP interpreter contains: ● 6,811 commits from 74 people ● 157,775 lines of code “Security Button” RHEL7 Installer: ● 6 people, 90 days Shipping in RHEL 7: ● Intelligence Community: C2S and CS2 ● DoD: RHEL7 Vendor STIG ● Civilian: USGCB/OSPP ● Justice: FBI Criminal Justice Info. Systems (FBI CJIS)

20. 20

21. Atomic Scan Enables multiple container scanners 21 Red Hat container scanning API RED HAT CONTAINER SCANNING INTERFACE

22. Example Pipeline 22

23. demos!

24. Thank You

25. 25 Contact Info LinkedIn: https://www.linkedin.com/in/shawndwells/ EMail: shawn@redhat.com Cell: 443-534-0130 (US EST) Blog: https://shawnwells.io OpenSCAP Slides + Videos: https://github.com/OpenSCAP/scap-security-guide/wiki/Collateral-and-References