DevSecOps:
The Open Source Way
Gordon Haff, Technology Evangelist, Red Hat
@ghaff
WHY DevSecOps?
● DevOps “purists” point out that security was always part of DevOps
● Did people just not read the book?
● Did people not understand the book?
● Are practitioners just skipping security anyway?
Source: IT Revolution, DevOps Enterprise abstract word cloud, 2014.
But Now it’s 2017. Right?
What’s the Problem?
● A new silo
● Devs (often) don’t grok (even) traditional security
● Assembled applications and supply chains
● Security not integrated into pipeline
OWASP Top 10
2007
Cross-site scripting (XSS)
Injection flaws
Malicious file execution
Insecure direct object reference
Cross-site request forgery (CSRF)
Information leakage & improper error handling
Broken authentication & session management
Insecure cryptographic storage
Insecure communications
Failure to restrict URL access
2017 RC2
Injection
Broken authentication
Sensitive data exposure
XML External Entities (XXE)
Broken access control
Security misconfiguration
Cross-site scripting (XSS)
Insecure deserialization
Using components with known vulnerabilities
Insufficient logging & monitoring
Applications are ‘assembled’...
…utilizing billions of available libraries, frameworks and utilities
● Not all are created equal: some are healthy and some are not
● All go bad over time; they age like milk, not like wine
● Enterprises consume an average of 229,000 software components annually, of which 17,000 had a known security vulnerability
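The two risks named on this slide (components with known vulnerabilities, and components that simply age out) are the kind of thing a pipeline can check mechanically from a lockfile. The following is an added example, not code from the talk or from Red Hat: it parses a constructed `name==version` inventory, compares each component against a constructed advisory list (hypothetical `ADV-…` identifiers, `fixed_in` = first safe version) and a constructed table of release dates, and returns a gate decision. Version strings are compared as integer tuples, since a plain string comparison would rank `2.5.0` above `2.20.0`.

```python
"""Gate a build on its component inventory (added example, not from the talk).

All inputs below are constructed for the demo: the inventory, the advisory
feed (hypothetical ADV-* ids) and the release dates stand in for a lockfile,
a vulnerability database and package metadata respectively.
"""
from datetime import date

# Constructed inventory, in the shape a CI step reads from a lockfile.
INVENTORY = """\
requests==2.5.0
flask==0.12.2
pyyaml==3.12
"""

# Constructed advisories: component is affected if version < fixed_in.
ADVISORIES = [
    {"id": "ADV-0001", "package": "requests", "fixed_in": "2.20.0", "severity": "high"},
    {"id": "ADV-0002", "package": "pyyaml", "fixed_in": "5.1", "severity": "critical"},
]

# Constructed release dates for the "ages like milk" check.
RELEASE_DATES = {
    ("requests", "2.5.0"): date(2014, 12, 1),
    ("flask", "0.12.2"): date(2017, 5, 16),
    ("pyyaml", "3.12"): date(2016, 8, 28),
}

TODAY = date(2017, 10, 1)  # fixed so the example is reproducible


def parse_version(v):
    """'2.20.0' -> (2, 20, 0): numeric, not lexical, comparison."""
    return tuple(int(part) for part in v.split("."))


def parse_inventory(text):
    """Parse 'name==version' lines; blanks and comments are skipped."""
    components = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==", 1)
        components.append((name.lower(), version))
    return components


def find_vulnerable(components, advisories):
    """(name, version, advisory) for every component below an advisory's fixed_in."""
    hits = []
    for name, version in components:
        for adv in advisories:
            if adv["package"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                hits.append((name, version, adv))
    return hits


def find_stale(components, release_dates, today, max_age_days):
    """(name, version, age_in_days) for components older than max_age_days."""
    stale = []
    for name, version in components:
        released = release_dates.get((name, version))
        if released is not None:
            age = (today - released).days
            if age > max_age_days:
                stale.append((name, version, age))
    return stale


def gate(inventory_text, advisories=ADVISORIES, release_dates=RELEASE_DATES,
         today=TODAY, max_age_days=730):
    """Fail the build on high/critical advisories; report stale components for review."""
    comps = parse_inventory(inventory_text)
    vulns = find_vulnerable(comps, advisories)
    stale = find_stale(comps, release_dates, today, max_age_days)
    blocking = [v for v in vulns if v[2]["severity"] in ("high", "critical")]
    return {"vulnerable": vulns, "stale": stale, "pass": not blocking}


if __name__ == "__main__":
    report = gate(INVENTORY)
    for name, version, adv in report["vulnerable"]:
        print(f"{name}=={version}: {adv['id']} ({adv['severity']}), fixed in {adv['fixed_in']}")
    for name, version, age in report["stale"]:
        print(f"{name}=={version}: {age} days old")
    print("PASS" if report["pass"] else "FAIL")
```

Stale components are reported rather than blocked here: an old component is a review signal, whereas a high or critical advisory with a known fix is a hard stop.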
A typical DevOps pipeline
How security integrates
Opportunities!
● Better organizations
● Containers
● Secured supply chain
● Secured pipeline
● Secured operations
Together, these add up to a managed approach to risk.
Better Organizations
Kids programming: Esti Alvarez cc license
CULTURE of collaboration, valuing openness and transparency
Culture = f (l, o, i, t, …)
Where:
l = leadership
o = organization
i = incentives
t = trust
… = many other things
Open source offers guidance
Containers
What are containers? It depends on who you ask.
Sys-Admins / Ops:
● Sandboxed application processes on a shared Linux OS kernel
● Simpler, lighter, and denser than virtual machines
● Portable across different environments
Developers:
● Package my application and all of its dependencies
● Deploy to any environment in seconds and enable CI/CD
● Easily access and share containerized components
Containers technical timeline
● LXC initial release: Aug ‘08
● OpenShift Online: May ‘11
● Docker initial release: Mar ‘13
● OpenShift Enterprise 3.0: Jun ‘15
● Open Container Initiative: Jun ‘15
● Moby: Apr ‘17
● Buildah initial release: Jun ‘17
● CRI-O: Sep ‘17
The community landscape
Open source, leadership, and standards
● Docker/Moby
● Kubernetes/OpenShift
● OCI Specifications
● Cloud Native Technical Leadership
● Vendor/partner ecosystem
Open Container Initiative (OCI)
● Docker, Red Hat et al., June 2015
● Two specifications
● Runtime
○ How to run a “filesystem bundle” that is unpacked on disk
● Image Format
○ How to create an OCI Image that contains sufficient information to launch the application on the target platform
“Containers are an easy way to get a reasonable percentage of security built in.”
John Willis, co-author, DevOps Handbook, ServerlessConf 2017
Manage Risk
MANAGED RISK (Dev and Ops)
● Reuse
● Automation
● Microservices
● Immutability
● Pervasive access
● Speed
● Rapid tech churn
● Flexible deploys
● Containers
● Software-defined
Securing the assets
● Building code
○ Watching for changes in how things get built
○ Signing the builds
● Built assets
○ Scripts, binaries, packages (RPMs), containers (OCI images), machine images (ISOs, etc.)
○ Registries (Service, Container, App)
○ Repositories (local on-host image assets)
Safe at Titan Missile Museum
https://upload.wikimedia.org/wikipedia/commons/5/59/Red_Safe%2C_Titan_Missile_Museum.jpg
Registries
● Do you require a private registry?
● What security meta-data is available for your images?
● Are the images in the registry updated regularly?
● Are there access controls on the registry? How strong are they? Who can push images to the registry?
Securing the development process
● Potentially lots of parallel builds
● Source code
○ Where is it coming from?
○ Who is it coming from?
● Supply Chain Tooling
○ CI tools (e.g. Jenkins)
○ Testing tools
○ Scanning Tools (e.g. Black Duck)
Boeing's Everett factory near Seattle
https://upload.wikimedia.org/wikipedia/commons/c/c8/At_Boeing%27s_Everett_factory_near_Seattle_%289130160595%29.jpg
Creative Commons
Securing the development process
Ensure the application code is compliant
Ensure the pipeline is not compromised
Systematic, on-going, and automated
[Pipeline diagram: repo scan, image build scan; Dev, Deploy, Test stages]
Track third-party development technologies
● How do we ensure that all these variations are working and supported together?
● Containers and container ecosystems help vendors to continuously secure their software
Securing the operations: Deployment
● Trusted registries and repos
● Signature authenticating and authorizing
● Image scanning
● Policies
● Ongoing assessment with automated remediation
Mission Control - Apollo 13
https://c1.staticflickr.com/4/3717/9460197822_9f6ab3f30c_b.jpg
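The "Securing the assets" slide asks for signed builds, and this slide asks for trusted registries, signature verification, image scanning and policies at deployment time. The following is an added example, not code from the talk or from any Red Hat product, showing the two ends of that chain as one policy: a build stage signs the image digest, and an admission check before deployment refuses anything from an untrusted registry, anything whose content does not match its referenced digest or carries a bad signature, and anything whose scan findings exceed a threshold. The registry name, signing key, thresholds and finding ids are constructed; signing uses HMAC-SHA256 from the standard library purely as a stand-in for the asymmetric signatures a real build system would use.

```python
"""Admission check before deploying a container image (added example, not from the talk).

HMAC-SHA256 stands in for asymmetric signing so the example runs with the
standard library only; the policy structure is the point, not the primitive.
"""
import hashlib
import hmac

TRUSTED_REGISTRIES = {"registry.internal.example"}    # constructed allowlist
SIGNING_KEY = b"build-system-key-demo"                 # constructed; a real key lives in a KMS/HSM
MAX_ALLOWED = {"critical": 0, "high": 0, "medium": 5}  # constructed scan policy


def image_digest(image_bytes):
    """Content-addressed identity of the image, as registries use it."""
    return "sha256:" + hashlib.sha256(image_bytes).hexdigest()


def sign_build(digest, key=SIGNING_KEY):
    """Build stage: sign the digest, so the signature is bound to the content."""
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def verify_signature(digest, signature, key=SIGNING_KEY):
    """Constant-time comparison; returns False for a tampered or missing signature."""
    return hmac.compare_digest(sign_build(digest, key), signature)


def registry_of(image_ref):
    """'registry.internal.example/team/app@sha256:...' -> 'registry.internal.example'."""
    return image_ref.split("/", 1)[0]


def scan_counts(findings):
    counts = {}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


def admit(image_ref, image_bytes, signature, scan_findings):
    """Return (allowed, reasons). Every check runs so the report lists all failures."""
    reasons = []
    if registry_of(image_ref) not in TRUSTED_REGISTRIES:
        reasons.append(f"untrusted registry {registry_of(image_ref)}")
    digest = image_digest(image_bytes)
    # A by-digest reference must match what was actually fetched.
    if "@" in image_ref and image_ref.split("@", 1)[1] != digest:
        reasons.append("image reference digest does not match content")
    if not verify_signature(digest, signature):
        reasons.append("signature invalid or missing")
    counts = scan_counts(scan_findings)
    for severity, limit in MAX_ALLOWED.items():
        if counts.get(severity, 0) > limit:
            reasons.append(f"{counts[severity]} {severity} findings exceed limit {limit}")
    return (not reasons, reasons)


# Constructed demo inputs: a fake image blob, its reference, and a clean-enough scan.
GOOD_IMAGE = b"layer-tarball-bytes-v1"
GOOD_DIGEST = image_digest(GOOD_IMAGE)
GOOD_REF = f"registry.internal.example/team/app@{GOOD_DIGEST}"
GOOD_SIG = sign_build(GOOD_DIGEST)
CLEAN_SCAN = [{"id": "ADV-0100", "severity": "medium"}]  # hypothetical finding id


if __name__ == "__main__":
    print(admit(GOOD_REF, GOOD_IMAGE, GOOD_SIG, CLEAN_SCAN))
    print(admit(GOOD_REF, GOOD_IMAGE + b"x", GOOD_SIG, CLEAN_SCAN))   # tampered content
    print(admit("docker.io/team/app:1.0", GOOD_IMAGE, GOOD_SIG, CLEAN_SCAN))
```

Signing the digest rather than a tag is what makes "signature authenticating and authorizing" meaningful: a tag can be repointed, a digest cannot, and the admission check recomputes the digest from the bytes it actually received.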
Securing the operations: Lifecycle
● Blue Green or A/B or Canary, continuous deployments
● Monitoring deployments
● Possibly multiple environments
Securing the operations: Monitoring and metrics
● Log (most) things
● Alarm few things
● Establish relevant metrics
● Root cause analysis (reactive)
● Detect patterns/trends (proactive)
● Context and distributions matter
● Incentives drive behavior
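"Log (most) things, alarm few things" is easiest to see against a concrete feed, and the registry slide earlier supplies one: who can push images, and to which tags. The following is an added example, not from the talk: it parses a few constructed registry audit-log lines (the line format and field names are assumptions, not any real registry's format), turns every event into metrics, and raises an alert only for a successful push by a principal outside a constructed allowlist to a tag that deployments pull from. Denied pulls are counted, not paged.

```python
"""Registry audit-log triage: log everything, alert on little (added example, not from the talk).

The log format, the allowlist and the protected tags are all constructed for the demo.
"""
import re
from collections import Counter

# Constructed sample lines: timestamp actor action repo:tag outcome
AUDIT_LOG = """\
2017-10-01T09:00:01Z actor=ci-builder action=push repo=team/app:1.4.2 outcome=ok
2017-10-01T09:00:05Z actor=alice action=pull repo=team/app:1.4.2 outcome=ok
2017-10-01T09:03:12Z actor=bob action=pull repo=team/app:latest outcome=denied
2017-10-01T09:05:40Z actor=bob action=push repo=team/app:prod outcome=ok
2017-10-01T09:06:00Z actor=ci-builder action=push repo=team/app:prod outcome=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) "
    r"repo=(?P<repo>[^:\s]+):(?P<tag>\S+) outcome=(?P<outcome>\S+)$"
)

ALLOWED_PUSHERS = {"ci-builder"}     # constructed policy: only the build system pushes
PROTECTED_TAGS = {"prod", "latest"}  # constructed: tags that deployments pull from


def parse_log(text):
    """Every well-formed line becomes an event dict; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def metrics(events):
    """Log (most) things: counts by (action, outcome) feed dashboards and trend analysis."""
    return Counter((e["action"], e["outcome"]) for e in events)


def alerts(events):
    """Alarm few things: a successful push to a protected tag by a non-allowlisted actor."""
    out = []
    for e in events:
        if (e["action"] == "push" and e["outcome"] == "ok"
                and e["actor"] not in ALLOWED_PUSHERS and e["tag"] in PROTECTED_TAGS):
            out.append(f'{e["ts"]} {e["actor"]} pushed {e["repo"]}:{e["tag"]}')
    return out


if __name__ == "__main__":
    evs = parse_log(AUDIT_LOG)
    for key, count in sorted(metrics(evs).items()):
        print(f"{key[0]}/{key[1]}: {count}")
    for alert in alerts(evs):
        print("ALERT", alert)
```

The denied pull by `bob` shows up in the metrics, where a rising trend would be worth investigating, but does not page anyone; the push to `prod` by an identity that should never push is the one event that does.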
How are we doing?
“... we estimate that fewer than 20% of enterprise security architects have engaged with their DevOps initiatives to actively and systematically incorporate information security into their DevOps initiatives; and fewer still have achieved the high degrees of security automation required to qualify as DevSecOps.”
“By 2019, more than 70% of enterprise DevOps initiatives will have incorporated automated security vulnerability and configuration scanning for open source components and commercial packages, up from less than 10% in 2016.”
DevSecOps: How to Seamlessly Integrate Security Into DevOps, Gartner Inc., September 2016
Thank You!
Gordon Haff
Technology Evangelist, Red Hat
@ghaff
Cloudy Chat podcast
www.redhat.com
www.bitmasons.com
