October 24, 2017
Modern Security Operations
aka
Secure DevOps
Madhu Akula
Automation Ninja @ Appsecco
About Me
• Automation Ninja at Appsecco
• Interested in Security, DevOps and Cloud
• Speaker & Trainer: Defcon, All Day DevOps, DevSecCon, c0c0n, null, etc.
• Discovered security vulnerabilities in Google, Microsoft, Yahoo, Adobe, etc.
• Never-ending learner
• Follow me (or) Tweet to me @madhuakula
Modern Security Operations
• To improve collaboration between Developers, Operations and Security
• Applying security in each phase of the DevOps lifecycle
• The practice of developing and deploying safer software sooner
• Building secure defaults and following best practices
• Proactive monitoring & defence
• Performing red team activities before real attacks happen
• Learning & sharing with the community
What is DevOps?
There are many definitions for this term.
I personally follow CAMS by Damon Edwards and John Willis:
‘Implementing a culture of sharing between Development and Operations’
● Culture
● Automation
● Measurement
● Sharing
DevOps lifecycle
Lifecycle diagram showing the phases: Plan, Code, Test, Deploy, Monitor
Let’s talk about some DevOops highlights
Security Misconfiguration
Source: https://www.upguard.com/breaches/cloud-leak-accenture
Components with known security vulnerabilities
Source: https://github.com/blog/2447-a-more-connected-universe
Insecure Defaults
Source: https://hackernoon.com/capturing-all-the-flags-in-bsidessf-ctf-by-pwning-our-infrastructure-3570b99b4dd0
Secret keys in public GitHub repositories
Source: https://www.theregister.co.uk/2015/01/06/dev_blunder_shows_github_crawling_with_keyslurping_bots
Unauthorised access
Source: https://www.shodan.io/report/nlrw9g59
DevSecOps
What is DevSecOps?
DevSecOps motto
“The purpose and intent of DevSecOps is to build on the mindset that ‘everyone is responsible for security’ with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.”
Source: http://www.devsecops.org/blog/2015/2/15/what-is-devsecops
Let’s fit security into the DevOps lifecycle
Thinking about security from the outset
“Companies that consider security from the start assess their options and make reasonable choices based on the nature of their business and the sensitivity of the information involved. Threats to data may transform over time, but the fundamentals of sound security remain constant.”
- Federal Trade Commission
Source: https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf
Planning
● The most important phase of development is planning
● Involve all parties (Dev, Sec, Ops) from the beginning; it lets everyone understand the system and speeds things up without compromising quality & security
● Build things with a secure-defaults mindset and security built in
Planning
● This applies to all teams
○ Developers need to think about secure coding best practices, using secure libraries and keeping up to date with the latest vulnerabilities.
○ Operations teams need to be aware of technology-specific security configurations, best practices and hardening guidelines.
○ Security teams have to understand the workflow, create suitable standards and apply them throughout the lifecycle.
Version control
● Version control is what lets traditional operations move to the way modern DevOps shops work
● Managing things becomes much easier and more efficient
● Everything can be audited, tracked and rolled back if required
Version control
● Some of the things that can be version controlled include
○ Documentation, knowledge bases, etc.
○ Developers’ code
○ Ops’ configurations and playbooks
○ Custom scripts and snippets
○ Many more...
Infrastructure as code
● Infrastructure as code aims to make operations more efficient and remove human errors
● By doing this, we can achieve
○ Version-controlled, codified descriptions of secure infrastructure
○ Continuous integration with the deployment process
○ A better inventory, by building Configuration Management Databases (CMDB)
Infrastructure as code
● This requires process and tools
○ Identifying all the manual, repetitive tasks and structuring them for automation
○ With tools like Ansible, Chef, Terraform, etc.
● We can validate our infrastructure as code against security & compliance requirements
● We can create security playbooks for hardening & patching
Ansible playbook snippet for MySQL hardening
# Set the root password for every host entry the root account can log in from
- name: Secures the MySQL root user
  mysql_user:
    user: root
    password: "{{ mysql_root_password }}"
    host: "{{ item }}"
    login_password: "{{ mysql_root_password }}"
    login_user: root
  with_items:
    - 127.0.0.1
    - localhost
    - ::1
    - "{{ ansible_fqdn }}"

# Drop the default 'test' database that ships with MySQL
- name: Removes the MySQL test database
  mysql_db:
    db: test
    state: absent
    login_password: "{{ mysql_root_password }}"
    login_user: root
Continuous everything
● The practice of integrating work frequently, which needs quick verification through automated builds before moving to the next step
● In this phase you include your test cases and security checks, and run them before anything reaches production
● It allows us to integrate existing tool sets into the build process using web hooks and plugins
Continuous everything
● Ensures that the quality of the code and configurations remains the same by using automated test cases and validation checks
● This requires defining the steps each team needs to perform to speed up the delivery process without compromising security
Secure deployments
● Deployment is the phase where things are made live, aka production
● Using a standard baseline OS and containers reduces the level of security risk
● Hardening configurations and environments according to best practice and against known vulnerabilities (using your security playbooks)
Secure deployments
● Managing secrets and data is a key part of deploying to production; use secure communication channels and storage like Vault
● Verify deployments by running security scans against them for misconfigurations
● Also use a modern tool-set like the Moby project, LinuxKit, etc. for Docker containers
Proactive monitoring & alerting
● To make important decisions (or) to troubleshoot things, monitoring is the place to start
● Monitoring needs to apply to every phase of the DevOps lifecycle
● Health checks of applications & infrastructure to know how things are going
● Security monitoring of applications, servers and network devices
Proactive monitoring & alerting
● Alerting based on thresholds and attack anomalies
● Fine-tuning and improving the alerting system gives more control
● Automating actions against known, repetitive alerts can be efficient, but take care
Test driven security
● Define a security baseline
○ Test against it
○ And run the tests continuously
● Drive testing from the DevOps pipeline
● Never deploy sub-standard code
● Require tests to pass in order to deploy into production
● Empower DevOps teams to fix issues
● Apply feedback loops
Source: https://docs.google.com/presentation/d/1H0Ym0bJ4TgVz7BRkoeun7ndGuTIteVyFGDDxguXmff0
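A baseline test in the spirit of this slide and the earlier infrastructure-as-code one, as an added example that is not part of the original deck: it encodes a small MySQL hardening baseline as data, checks a rendered my.cnf against it and returns the findings so a pipeline can refuse to deploy while any remain. The two configurations are constructed samples; the option names are real MySQL options, but the expected values are this example's baseline, not a published benchmark.

```python
"""Security baseline test for a MySQL server configuration (my.cnf).

Added example: a hardening baseline as data, a parser for the rendered
configuration, and a gate a CI job can call before deploying.
"""
import configparser

# Constructed sample: a weak configuration as it might come out of a
# default install plus a few careless edits.
WEAK_MYCNF = """
[client]
port = 3306

[mysqld]
bind-address = 0.0.0.0       # reachable on every interface
local_infile = 1             # clients may read server-side files via LOAD DATA LOCAL
symbolic-links = 0
skip-grant-tables            # starts the server without any authentication
"""

# Constructed sample: the same server after the hardening playbook ran.
HARDENED_MYCNF = """
[mysqld]
bind-address = 127.0.0.1
local-infile = 0
skip-symbolic-links
skip-show-database
log-error = /var/log/mysql/error.log
"""

# Baseline (this example's choice): option -> expected value, or None when
# presence alone is enough.
REQUIRED = {
    "bind-address": "127.0.0.1",   # listen on loopback only
    "local-infile": "0",           # no LOAD DATA LOCAL from clients
    "symbolic-links": "0",         # no tables outside the data directory
    "skip-show-database": None,    # SHOW DATABASES needs a privilege
    "log-error": None,             # errors must be logged somewhere
}
# Options whose presence is itself a failure.
FORBIDDEN = {
    "skip-grant-tables": "server would accept every connection without a password",
}


def parse_mycnf(text):
    """Return the [mysqld] options as a dict, or None if the section is absent.

    MySQL treats '-' and '_' in option names as interchangeable, and a bare
    'skip-foo' line means 'foo = 0' for boolean options, so both spellings
    are folded into one form before the baseline is applied.
    """
    cp = configparser.ConfigParser(
        allow_no_value=True, strict=False, interpolation=None,
        inline_comment_prefixes=("#",),
    )
    cp.optionxform = lambda name: name.strip().lower().replace("_", "-")
    cp.read_string(text)
    if not cp.has_section("mysqld"):
        return None
    opts = dict(cp.items("mysqld"))
    for name, value in list(opts.items()):
        if name.startswith("skip-") and value is None:
            opts.setdefault(name[len("skip-"):], "0")
    return opts


def check_mysql_config(text):
    """Return a list of findings; an empty list means the baseline is met."""
    opts = parse_mycnf(text)
    if opts is None:
        return ["no [mysqld] section: nothing to verify"]
    findings = []
    for name, expected in REQUIRED.items():
        if name not in opts:
            want = "present" if expected is None else f"= {expected}"
            findings.append(f"{name}: missing, baseline requires it {want}")
        elif expected is not None and opts[name] != expected:
            findings.append(f"{name}: is {opts[name]!r}, baseline requires {expected!r}")
    for name, why in FORBIDDEN.items():
        if name in opts:
            findings.append(f"{name}: must not be set ({why})")
    return findings


def deploy_allowed(text):
    """The pipeline gate: deploy only when no finding remains."""
    return not check_mysql_config(text)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_MYCNF), ("hardened", HARDENED_MYCNF)):
        print(f"{label}: deploy_allowed={deploy_allowed(cfg)}")
        for finding in check_mysql_config(cfg):
            print("  -", finding)
```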
Attack driven defence
● This requires you to have proactive monitoring in place, which includes building centralised logging and monitoring systems
● Build your defences from an offensive mindset and start by focusing on your critical infrastructure
● Enable DevOps teams to better understand and identify what security attacks look like through red teaming (we can also use this log data to train defence systems)
Source: https://www.slideshare.net/zanelackey/attackdriven-defense
Attack driven defence
● Identify patterns and anomalies for alerting and take action against them using automated defence
● Apply data science and machine learning techniques to the data sets
● Build defence systems with real attack data and defend like an attacker
Source: https://www.slideshare.net/zanelackey/attackdriven-defense
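The threshold and anomaly alerting described on this slide and the earlier monitoring one, as an added example that is not from the original deck: it parses sshd authentication log lines (a constructed sample using TEST-NET addresses), raises a brute-force alert when one source exceeds a failure threshold inside a time window, flags a successful login from a source not in that user's baseline, and keeps the automated block behind an allowlist so that known internal sources only ever get a human review. The threshold, window, baseline and allowlist are assumed values.

```python
"""Threshold and anomaly alerting over sshd authentication log lines.

Added example: a failure-rate threshold per source, a "new source for this
user" anomaly on successful logins, and an automated response that stays
behind an allowlist (the "take care" part of automating against alerts).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (syslog format, TEST-NET addresses). One source
# guesses passwords, a deploy key is used from an unexpected address, and an
# internal host trips the threshold too.
SAMPLE_LOG = """\
Oct 24 10:15:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct 24 10:15:03 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Oct 24 10:15:05 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Oct 24 10:15:06 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51028 ssh2
Oct 24 10:15:08 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 51030 ssh2
Oct 24 10:16:40 web1 sshd[2290]: Accepted publickey for deploy from 198.51.100.4 port 40122 ssh2
Oct 24 10:20:11 web1 sshd[2310]: Accepted publickey for deploy from 203.0.113.9 port 40500 ssh2
Oct 24 10:21:00 web1 sshd[2320]: Failed password for ops from 10.0.0.5 port 50001 ssh2
Oct 24 10:21:01 web1 sshd[2321]: Failed password for ops from 10.0.0.5 port 50002 ssh2
Oct 24 10:21:02 web1 sshd[2322]: Failed password for ops from 10.0.0.5 port 50003 ssh2
Oct 24 10:21:03 web1 sshd[2323]: Failed password for ops from 10.0.0.5 port 50004 ssh2
Oct 24 10:21:04 web1 sshd[2324]: Failed password for ops from 10.0.0.5 port 50005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

FAIL_THRESHOLD = 5          # this many failures from one source ...
WINDOW_SECONDS = 60         # ... inside this window is a brute-force alert
# Assumed baseline: the sources each account normally logs in from,
# e.g. the CI runner that deploys.
USER_BASELINE = {"deploy": {"198.51.100.4"}}
# Assumed allowlist: sources never blocked automatically (office NAT, the
# internal vulnerability scanner). They still raise an alert for a human.
NEVER_BLOCK = {"10.0.0.5"}


def parse_line(line, year=2017):
    """Turn one sshd line into an event dict, or None for unrelated lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year; the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"].startswith("Accepted"),
            "user": m["user"], "src": m["src"]}


def detect(log_text):
    """Return alerts in log order. Each alert carries the proposed action."""
    alerts = []
    recent = defaultdict(deque)   # src -> timestamps of failures in the window
    already_alerted = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["ok"]:
            # Anomaly: a success from a source this user has not used before.
            if ev["src"] not in USER_BASELINE.get(ev["user"], set()):
                alerts.append({"type": "new_source", "user": ev["user"],
                               "src": ev["src"], "action": "review"})
            continue
        window = recent[ev["src"]]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= FAIL_THRESHOLD and ev["src"] not in already_alerted:
            already_alerted.add(ev["src"])
            # Automated action only for sources outside the allowlist.
            action = "review" if ev["src"] in NEVER_BLOCK else "block"
            alerts.append({"type": "brute_force", "src": ev["src"],
                           "count": len(window), "action": action})
    return alerts


def blocklist(log_text):
    """Sources the automated defence may block right away."""
    return [a["src"] for a in detect(log_text) if a["action"] == "block"]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
    print("auto-block:", blocklist(SAMPLE_LOG))
```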
Communication & collaboration
● Clear communication enables us to be more productive
● Collaboration between teams makes things faster. It should start from the outset!
● Break requirements into actionable items and assign them to the respective teams
● Eliminate the barriers between Dev, Ops and Security teams and work towards a DevSecOps approach (everyone is responsible for security)
Communication & collaboration
● Use task and project management tools for collaboration; this helps showcase dependencies between teams
● Spread awareness of the different roles and skills by conducting social events, lunch-and-learn sessions, etc.
Training people
Training developers and operations in how attackers work, by using vulnerable labs and applications, gives them a better understanding.
OWASP Vulnerable Web Applications Directory Project
Culture & innovation
● We must learn from each other; the best way to do this is sharing with others
○ For example, security teams can write a playbook to harden infrastructure to meet the policies and standards, rather than pointing out that it’s an ops issue
● Rather than working as one big team, we can mix the different teams into smaller groups and work together to achieve great results
Culture & innovation
● Simplicity, documentation and clear communication are a win-win
● When things go wrong, transparency and open contributions are vital
● Attending conferences and meetups and being part of the community helps us to know how the world is doing things differently to us
Think about failures, before they occur
● Fail fast and early, so there is less cost and damage for the business
● Maintain secure backups and validate the restore process
● Test for resiliency and recoverability using tools like Chaos Monkey and Security Monkey
● Conduct internal hackathons and bug bounty programs
● Perform red team activities, simulating how real attacks happen
Wardley maps for DevSecOps
Source: https://github.com/devsecops/wardley-maps
Demo Time: Code to Production
https://www.youtube.com/watch?v=y9Usd0Q2Il0
What did we see?
Takeaways
● Everyone is responsible for security (Dev + Sec + Ops)
● Clear communication, active collaboration is key to success
● Build with secure defaults mindset
● Test driven development & Attack driven defence
● Hack your applications, infra, etc. like real attackers
● Keep learning and sharing
References
● https://www.devsecops.org
● http://www.devseccon.com/devsecops-whitepaper
● https://pages.cloudpassage.com/sans-a-devsecops-playbook.html
● https://devops-security-checklist.sqreen.io
bit.ly/addo-slack
Find me on slack, right now!
Thank You
@madhuakula | @appseccouk

UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 

Modern Security Operations aka Secure DevOps @ All Day DevOps 2017

• 15. DevSecOps motto
“The purpose and intent of DevSecOps is to build on the mindset that ‘everyone is responsible for security’ with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.”
Source: http://www.devsecops.org/blog/2015/2/15/what-is-devsecops

• 16. Let’s fit security into the DevOps lifecycle

• 17. Thinking about security from the outset
“Companies that consider security from the start assess their options and make reasonable choices based on the nature of their business and the sensitivity of the information involved. Threats to data may transform over time, but the fundamentals of sound security remain constant.” - Federal Trade Commission
Source: https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf

• 18. Planning
● Planning is the most important phase of development
● Involve all parties (Dev, Sec, Ops) from the beginning; when everyone understands the system, work speeds up without compromising quality or security
● Build things with a secure-defaults mindset and security built in from the start

• 19. Planning
● This applies to all teams:
○ Developers need to think about secure coding best practices, use secure libraries and keep up to date with the latest vulnerabilities.
○ Operations teams need to be aware of technology-specific security configurations, best practices and hardening guidelines.
○ Security teams have to understand the workflow, create suitable standards and apply them throughout the lifecycle.
• 20. Version control
● Version control is what lets traditional operations move to modern DevOps practices
● Managing configuration becomes far easier and more efficient
● Everything can be audited, tracked and rolled back if required

• 21. Version control
● Some of the things that can be version controlled include:
○ Documentation, knowledge bases, etc.
○ Developers’ code
○ Ops configurations and playbooks
○ Custom scripts and snippets
○ Many more...

• 22. Infrastructure as code
● Infrastructure as code aims to make operations more efficient and remove human error
● By doing this we achieve:
○ Version-controlled, codified definitions of secure infrastructure
○ Continuous integration of the deployment process
○ A better inventory, by building Configuration Management Databases (CMDB)

• 23. Infrastructure as code
● This requires process and tools:
○ Identify all the manual, repetitive tasks and structure them for automation
○ Use tools like Ansible, Chef, Terraform, etc.
● We can validate our infrastructure code against security and compliance requirements
● We can create security playbooks for hardening and patching
• 24. Ansible playbook snippet for MySQL hardening

  # mysql_root_password should come from Ansible Vault, not a plain-text vars file.
  # login_password is the password that currently works for root; on a fresh
  # install whose root has no password yet, add check_implicit_admin: yes to the
  # task so the first run can log in without one.
  - name: Secures the MySQL root user
    mysql_user:
      user: root
      password: "{{ mysql_root_password }}"
      host: "{{ item }}"
      login_password: "{{ mysql_root_password }}"
      login_user: root
    with_items:
      - 127.0.0.1
      - localhost
      - "::1"
      - "{{ ansible_fqdn }}"

  # The default "test" database is world-accessible on older MySQL installs; drop it.
  - name: Removes the MySQL test database
    mysql_db:
      db: test
      state: absent
      login_password: "{{ mysql_root_password }}"
      login_user: root
• 25. Continuous everything
● The practice of integrating work frequently, which requires quick, automated verification (builds and tests) before moving on to the next step
● This is the phase where you include your test cases and security checks, running them before anything reaches production
● Existing tool sets can be integrated into the build process using web hooks and plugins

• 26. Continuous everything
● Automated test cases and validation checks ensure that the quality of the code and configuration stays constant
● This requires defining the steps each team needs to perform to speed up delivery without compromising security
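One concrete security check for this phase, added here as an example and not taken from the talk: a secrets gate that scans a checkout before merge and fails the build when a credential has been committed (the "secret keys in public github" problem from the DevOops slides). The rules are public key formats (AWS access key IDs, PEM private-key headers) plus a generic hard-coded password pattern; the repository it scans, the `secrets-gate: allow` exemption marker and the `gate()` entry point are all constructed for this demo.

```python
"""Pre-merge secrets gate: fail the build when a credential is committed.

Added example for this page, not the speaker's code. The sample repository
below is constructed; the key formats are publicly documented ones.
"""
import os
import re
import tempfile
from pathlib import Path

# (rule name, pattern). Tune for your stack; these three catch the common leaks.
SECRET_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("pem-private-key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded-password", re.compile(r"(?i)password\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]
# A reviewable, grep-able marker for deliberate exceptions (e.g. throwaway test keys).
ALLOW_MARKER = "secrets-gate: allow"
SKIP_DIRS = {".git", "node_modules", "vendor"}


def scan_text(text, path="<string>"):
    """Return (path, line_no, rule) findings for one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for name, pattern in SECRET_RULES:
            if pattern.search(line):
                findings.append((path, line_no, name))
    return findings


def scan_tree(root):
    """Walk a checkout in a deterministic order; binary (non-UTF-8) files are skipped."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for fn in sorted(filenames):
            p = Path(dirpath) / fn
            try:
                text = p.read_text(encoding="utf-8")
            except UnicodeDecodeError:
                continue
            findings.extend(scan_text(text, p.relative_to(root).as_posix()))
    return findings


def gate(root):
    """CI entry point: True when the build may proceed, False when it must fail."""
    findings = scan_tree(root)
    for path, line_no, rule in findings:
        print(f"BLOCK {path}:{line_no} matched {rule}")
    return not findings


def build_sample_repo():
    """Constructed checkout: two real leaks, one env lookup, one allowed fixture."""
    root = Path(tempfile.mkdtemp())
    (root / "app").mkdir()
    (root / "app" / "settings.py").write_text(
        'DB_PASSWORD = "hunter2hunter2"\n'          # literal password: blocked
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'         # AWS's documented example key id: blocked
    )
    (root / "app" / "clean.py").write_text(
        'password = os.environ["DB_PASSWORD"]\n'    # read from the environment: fine
    )
    (root / "test_fixture.pem").write_text(
        "-----BEGIN RSA PRIVATE KEY-----  # secrets-gate: allow (throwaway test key)\n"
    )
    return root


if __name__ == "__main__":
    import sys
    sys.exit(0 if gate(build_sample_repo()) else 1)
```

Wire `gate()` into the pipeline so its exit status fails the job; the same function runs unchanged as a pre-commit hook, which catches the leak before it ever reaches the remote and its history.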
• 27. Secure deployments
● Deployment is the phase where things go live, aka production
● Use a standard baseline OS and container images, which reduces the level of security risk
● Harden configurations and environments with best practices and against known vulnerabilities (using your security playbooks)

• 28. Secure deployments
● Managing secrets and data is a key part of deploying to production: use secure communication channels and a secrets store like Vault
● Verify deployments by running security scans against them for misconfigurations
● Consider modern tool sets like the Moby project and LinuxKit for Docker containers

• 29. Proactive monitoring & alerting
● Whether you need to make an important decision or troubleshoot a problem, monitoring is the place to start
● Monitoring needs to apply to every phase of the DevOps lifecycle
● Health checks of applications and infrastructure tell you how things are going
● Security monitoring of applications, servers and network devices

• 30. Proactive monitoring & alerting
● Alert on thresholds and on attack anomalies
● Fine-tuning and improving the alerting system gives more control
● Automating actions against known, repetitive alerts can be efficient, but take care: an automated response to a false positive can do as much damage as the attack it was meant to stop
• 31. Test driven security
● Define baseline security
○ Test against it
○ And run the tests continuously
● Drive testing from the DevOps pipeline
● Never deploy sub-standard code
● Require the tests to pass in order to deploy into production
● Empower DevOps teams to fix issues
● Apply feedback loops
Source: https://docs.google.com/presentation/d/1H0Ym0bJ4TgVz7BRkoeun7ndGuTIteVyFGDDxguXmff0
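What "define a baseline and test against it" looks like in code, added here as an example that is neither the speaker's nor from the linked deck: an sshd_config baseline evaluated the way sshd itself reads the file (the first occurrence of a directive wins, and everything after the first `Match` line is conditional, so it is not counted). The baseline values and both config texts are constructed; the fallback values for absent directives are OpenSSH's documented defaults. The pipeline calls `may_deploy()` and refuses to promote a host whose config drifts.

```python
"""Test-driven security: a server baseline expressed as a test that gates deployment.

Added example for this page (not from the talk). Config texts are constructed;
directive defaults are the ones documented in sshd_config(5).
"""
import re

# The baseline: directive -> acceptable values (compared case-insensitively).
SSHD_BASELINE = {
    "PermitRootLogin": {"no"},
    "PasswordAuthentication": {"no"},
    "PubkeyAuthentication": {"yes"},
    "X11Forwarding": {"no"},
    "MaxAuthTries": {"3", "4"},
}
# What sshd uses when a directive is absent; an absent line is not a pass.
SSHD_DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
}


def parse_sshd_config(text):
    """Return {directive_lowercase: value} using sshd's rules: first occurrence wins,
    '#' starts a comment, 'Key value' and 'Key=value' are both accepted, and
    everything from the first Match line onward is conditional and ignored here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)   # keep the first value, like sshd does
    return settings


def check_baseline(text, baseline=SSHD_BASELINE, defaults=SSHD_DEFAULTS):
    """Return (directive, effective_value, allowed_values) for every failed check."""
    effective = parse_sshd_config(text)
    failures = []
    for directive, allowed in baseline.items():
        value = effective.get(directive.lower(), defaults[directive])
        if value.lower() not in allowed:
            failures.append((directive, value, sorted(allowed)))
    return failures


def may_deploy(text):
    """Pipeline gate: only a config with zero baseline failures is promoted."""
    return not check_baseline(text)


# Constructed: the file the hardening playbook writes.
GOLDEN = """\
# Managed by the hardening playbook; manual edits are overwritten.
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
"""

# Constructed: a drifted host. Password auth was enabled for a one-off deploy,
# someone later appended a "fix" that sshd ignores (first value wins), and
# PermitRootLogin only appears inside a Match block, so the default applies.
DRIFTED = """\
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 3
PasswordAuthentication no
Match User deploy
    PermitRootLogin no
"""

if __name__ == "__main__":
    for name, cfg in (("golden", GOLDEN), ("drifted", DRIFTED)):
        print(name, "deployable" if may_deploy(cfg) else check_baseline(cfg))
```

Two things this catches that an eyeball review of the file does not: the appended `PasswordAuthentication no` that never takes effect, and the root-login setting that is only enforced for one user. Run it from the pipeline against the rendered config of every host (for example via a `fetch` task) before the deploy step.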
• 32. Attack driven defence
● This requires proactive monitoring to be in place, including centralised logging and monitoring systems
● Build your defences from an offensive mindset and start by focusing on your critical infrastructure
● Red teaming lets DevOps teams understand and recognise what security attacks look like (the log data it generates can also be used to train defence systems)
Source: https://www.slideshare.net/zanelackey/attackdriven-defense

• 33. Attack driven defence
● Identify patterns and anomalies for alerting, and act on them with automated defences
● Apply data science and machine learning techniques to the collected data
● Build defence systems from real attack data and defend like an attacker
Source: https://www.slideshare.net/zanelackey/attackdriven-defense
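The monitoring slides (threshold and anomaly alerting, automated action "with care") and the attack-driven-defence slides come together in one piece of detection logic, added here as an example and not taken from the talk or from Zane Lackey's deck. The access-log lines are constructed; the two signatures (path traversal, SQL injection) and the failed-login threshold stand in for the rules a team would write after watching a red-team run through its own logs. Automated blocking is fenced by an allowlist (the red team's scanner, the office NAT) and a cap on how many sources one run may block.

```python
"""Attack-driven defence: rules derived from red-team traffic, run over access logs.

Added example for this page, not the speaker's code. Log lines, IP addresses
(RFC 5737 documentation ranges) and rule values are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Common Log Format: ip ident user [timestamp] "method path proto" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Signatures the red team left in the logs; matched against the URL-decoded path.
# Decoding once catches %20 and %27; double-encoding is a known evasion, so the
# rules are a floor, not a ceiling.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"'\s*or\s*'1'\s*=\s*'1|\bunion\s+select\b", re.I),
}
# Threshold rule: this many failed logins from one source inside the window.
LOGIN_PATH = "/login"
FAILED_LOGIN_LIMIT = 5
WINDOW = timedelta(minutes=1)

# "Take care": sources that are never auto-blocked, and a cap so that a bug or a
# source-spoofing attacker cannot turn the defence into a denial of service.
NEVER_BLOCK = {"10.0.0.5", "198.51.100.1"}   # red-team scanner, office NAT (constructed)
MAX_AUTO_BLOCKS = 10


def parse(line):
    """Parse one CLF line into a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    ev["path"] = unquote_plus(ev["path"])
    return ev


def detect(lines):
    """Return alerts as (ip, rule, evidence). Signature hits alert on the spot;
    failed logins alert once per source when the sliding-window count hits the limit."""
    alerts = []
    failed = defaultdict(list)          # ip -> timestamps of recent failed logins
    already_alerted = set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        for rule, pattern in SIGNATURES.items():
            if pattern.search(ev["path"]):
                alerts.append((ev["ip"], rule, ev["path"]))
        if ev["method"] == "POST" and ev["path"] == LOGIN_PATH and ev["status"] == 401:
            recent = [t for t in failed[ev["ip"]] if ev["ts"] - t <= WINDOW]
            recent.append(ev["ts"])
            failed[ev["ip"]] = recent
            if len(recent) >= FAILED_LOGIN_LIMIT and ev["ip"] not in already_alerted:
                already_alerted.add(ev["ip"])
                alerts.append((ev["ip"], "credential-stuffing",
                               f"{len(recent)} failed logins within {WINDOW}"))
    return alerts


def auto_block(alerts):
    """Turn alerts into an ordered block list, honouring the allowlist and the cap."""
    blocked = []
    for ip, _rule, _evidence in alerts:
        if ip in NEVER_BLOCK or ip in blocked:
            continue
        if len(blocked) >= MAX_AUTO_BLOCKS:
            break
        blocked.append(ip)
    return blocked


# Constructed sample: normal traffic, two injection probes, a credential-stuffing
# burst, the red team's scanner, and a user who simply mistyped twice.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Oct/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [24/Oct/2017:10:00:02 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 0
203.0.113.9 - - [24/Oct/2017:10:00:10 +0000] "GET /items?id=1'%20or%20'1'='1 HTTP/1.1" 500 0
192.0.2.44 - - [24/Oct/2017:10:01:00 +0000] "POST /login HTTP/1.1" 401 0
192.0.2.44 - - [24/Oct/2017:10:01:05 +0000] "POST /login HTTP/1.1" 401 0
192.0.2.44 - - [24/Oct/2017:10:01:10 +0000] "POST /login HTTP/1.1" 401 0
192.0.2.44 - - [24/Oct/2017:10:01:15 +0000] "POST /login HTTP/1.1" 401 0
192.0.2.44 - - [24/Oct/2017:10:01:20 +0000] "POST /login HTTP/1.1" 401 0
192.0.2.44 - - [24/Oct/2017:10:01:25 +0000] "POST /login HTTP/1.1" 401 0
10.0.0.5 - - [24/Oct/2017:10:02:00 +0000] "GET /api?q=1%20union%20select%201 HTTP/1.1" 400 0
198.51.100.20 - - [24/Oct/2017:10:03:00 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.20 - - [24/Oct/2017:10:05:00 +0000] "POST /login HTTP/1.1" 401 0
"""

if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for alert in found:
        print("ALERT", *alert)
    print("BLOCK", auto_block(found))
```

The scanner's `union select` probe still produces an alert (you want to see your own red team in the dashboard, and you want to see when a real attacker copies their tooling), but it never reaches the block list. Feeding the alert tuples back into the red team's next run is the feedback loop the slides describe: every technique that produced no alert becomes the next detection rule.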
• 34. Communication & collaboration
● Clear communication makes us more productive
● Collaboration between teams makes things faster, and it should start from the outset
● Break requirements into actionable items and assign them to the respective teams
● Eliminate the barriers between Dev, Ops and Security teams and work towards a DevSecOps approach (everyone is responsible for security)

• 35. Communication & collaboration
● Use task and project management tools for collaboration; this helps to show the dependencies between teams
● Spread awareness of the different roles and skills through social events, lunch-and-learn sessions, etc.

• 36. Training people
Training developers and operations staff in how attackers work, using vulnerable labs and applications, gives them a much better understanding
OWASP Vulnerable Web Applications Directory Project

• 37. Culture & innovation
● We must learn from each other, and the best way to do this is to share with others
○ For example, security teams can write a playbook to harden infrastructure to meet the policies and standards, rather than pointing out that it’s an ops issue
● Rather than working as big, separate teams, mix the different teams into smaller groups that work together to achieve great results

• 38. Culture & innovation
● Simplicity, documentation and clear communication are a win-win
● When things go wrong, transparency and open contributions are vital
● Attending conferences and meetups and being part of the community helps us to see how the rest of the world does things differently

• 39. Think about failures, before they occur
● Fail fast and early, so there is less cost and damage to the business
● Maintain secure backups and validate the restore process
● Test for resiliency and recoverability using tools like Chaos Monkey and Security Monkey
● Conduct internal hackathons and bug bounty programs
● Perform red team activities that simulate how real attacks happen

• 40. Wardley maps for DevSecOps
Source: https://github.com/devsecops/wardley-maps
• 41. Demo Time: Code to Production

• 43. What did we see?

• 44. Takeaways
● Everyone is responsible for security (Dev + Sec + Ops)
● Clear communication and active collaboration are key to success
● Build with a secure-defaults mindset
● Test driven development & attack driven defence
● Hack your applications, infrastructure, etc. like real attackers do
● Keep learning and sharing

• 45. References
● https://www.devsecops.org
● http://www.devseccon.com/devsecops-whitepaper
● https://pages.cloudpassage.com/sans-a-devsecops-playbook.html
● https://devops-security-checklist.sqreen.io
• 48. bit.ly/addo-slack - Find me on Slack, right now!

• 49. Thank You
@madhuakula | @appseccouk