34
Why Security needs to be at the DevOps Table Chris Perkins, Sr. Principal Security Technologist. Medtronic, PLC

Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

  • Upload
    others

  • View
    6

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

Why Security needs to be at the DevOps Table Chris Perkins, Sr. Principal Security Technologist. Medtronic, PLC

Page 2: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

Evolution of Compute and Development Methodologies

•  Both processes evolved over time, with a similar pathway

•  Technology advances helped drive speed in both arenas

•  Pivotal concepts also helped “break norms”

Page 3: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline
Page 4: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline
Page 5: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

!"#$%&#'&()"")"(**#•! Each application was “racked

and stacked”

•! Each box housed a dedicated database, dedicated service •! Web Services •! Email •! Authentication

Page 6: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

Waterfall

Page 7: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

•  Introduced the Theory of Constraints (TOC) concept

•  Process of Ongoing Improvement •  Critical Chain Project Management

(CCPM) •  First published in 1984

Page 8: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

ThencameVirtualiza4on•  The process of creating logical computing resources

from available physical resources •  Layer of abstraction between workloads and the

underlying physical hardware via Hypervisor •  Allowed for many to one, physical server usage

optimized

Page 9: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline
Page 10: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

Agile

Page 11: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

65"$-)"&07#,5"4"1&8#$%&#,5",&9$7#

Page 12: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

%:9;<<===*$%&92->50.*"&$<?@AB<@C<?C<%9,D7,%&812&07D7"-9D$5D85,E&0<#

Page 13: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline
Page 14: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

The Phoenix Project 3 Ways of DevOps

Strategies for Improving Operations

Page 15: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

Container Threat Modeling Container Threat Modeling

Page 16: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

●  Authen4ca4onA:acksagainstHost●  DockerDaemonDirectAccess●  TrojanizedDockerImages●  ExposureofPrivateDocker Registry●  ARPSpoofing●  DockerRegistryCer4ficateSpoofing●  InsecureDockerAPIconfigura4on

Spoofing

Page 17: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

●  TrojanizedDockerImage●  DockerDaemonDirectAccess●  DockerDaemonConfigura4onA:acks●  DockerRegistryCer4ficateSpoofing●  ContentTrust●  HostFileSystemIntegrityBreaches●  DockerDaemonTamperingHostNetwork Configura4ons

Tampering

Page 18: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

Repudiation

●  NoAudit/DeleteAuditDocker Images

●  DockerDaemonAPILogs- Compromise

●  HostFileSystemIntegrityBreaches

Page 19: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

Information Disclosure

●  Secretsbeingdisclosedtooutsideen44es

●  ExposedPortsand Services

●  NetworkTrafficCompromise

Page 20: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

Denial of Service

●  CPU/MemoryExhaust

●  NetworkExhaust

●  HDDExhaust

Page 21: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

Elevation of Privileges

●  ContainerBreakout

●  ContainerPrivileges

●  ContainerServices-Compromise

Page 22: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

DevOps

Page 23: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

Containers managed individually..

Page 24: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

Led to Orchestration

Page 25: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline
Page 26: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline
Page 27: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

And Finally, Serverless!

Page 28: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline
Page 29: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline
Page 30: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline
Page 31: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

DevSecOps

Page 32: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

Continuous Build, Integration and Delivery– Foundational and Automated (CI/CD)

Page 33: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

Example CI/CD pipeline with AppSec addition

Page 34: Why Security needs to be at the ... - Cyber Security Summit · •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline

Great place to start! DevSecOps Studio is one of its kind, self contained DevSecOps environment/distribution to help individuals in learning DevSecOps concepts. It takes lots of efforts to setup the environment for training/demos and more often, its error prone when done manually. DevSecOps Studio is easy to get started and is mostly automatic. DevSecOps Studio project aims to reduce the time to bootstrap the environment and help you in concentrating on learning/teaching DevSecOps practices. Features: •!Easy to setup environment with just one command “vagrant up” •!Teaches Security as Code, Compliance as Code, Infrastructure as Code •!With built-in support for CI/CD pipeline •!OS hardening using ansible •!Compliance as code using Inspec •!QA security using ZAP, BDD-Security and Gauntlt •!Static tools like bandit, brakeman, windbags, gitrob, gitsecrets •!Security Monitoring using ELK stack.

%:97;<<===*5=-79*50(<)"8&K*9%9<Z[FQM\H&NQ&,Z97\Q$18)5\M05I&,$#