DevOps to DevSecOps: Two Dimensions of Security in a DevOps Enterprise
Sanjeev Sharma, CTO, DevOps Technical Sales and Adoption, IBM Distinguished Engineer, @sd_architect
#WhoAmI
• 20+ Years in Software Development and Delivery
• IBM’s Client-facing CTO for DevOps
• Author: DevOps For Dummies - http://ibm.co/devopsfordummies
• Write DevOps and Cloud Adoption Blog: http://bit.ly/sdarchitect
DevOps Overview
DevOps: Origins
DevOps approach: Apply Lean principles to accelerate feedback and improve time to value
[Figure: DevOps feedback loop between People, Process, Line-of-business and Customer]
1. Get ideas into production fast
2. Get people to use it
3. Get feedback
Continuously Improve:
I. Application Delivered
II. Environment Deployed
III. Application and Environment Delivery Process
Delivering a Business Capability: Multi-Speed IT
[Figure: four parallel delivery pipelines (Development, SCM, Build, Package Repo, Deploy, Test, Stage, Production) for Applications A, B, C and N, converging on an Enterprise Release]
Agile / Innovation Edge: Rapid Delivery for Innovation
• Agile
• Antifragile
• Experimentation
• New and Innovative
• Hybrid Cloud
• PaaS
Industrialized Core: Deliver at regular cadence
• Waterfall -> Agile
• Stability
• Predictability
• Lean Delivery pipeline
• Core and Legacy
Hybrid Infrastructure – Physical, Cloud
• IaaS / PaaS
Business Capability
Security and the Application Delivery Pipeline
Three (Two) Dimensions of Security
1. Secure the Perimeter
2. Secure the Delivery Pipeline
3. Secure the Deliverable
http://www.ibm.com/developerworks/library/d-security-considerations-devops-adoption/
1. Secure the Perimeter
Out of scope for this session
2. Secure the Delivery Pipeline
Secure Engineering
Patch Management
Secure Build and Deploy
Availability and Business Continuity
Separation of Duties
Security Evaluation and Learning
[Figure: delivery pipeline stages: Development, SCM, Build, Package Repo, Deploy, Testing, Staging, Production, Feedback, Planning, Manage]
3. Secure the Deliverable
[Figure: Full Stack Blueprint layers: Application, Middleware Config, Middleware, OS Config, Hardware, with Policies applied across the stack]
Secure:
• Code
• Scripts
• Packages
• Components
• Configurations
• Content
• Policies
• Roles
[Figure: delivery pipeline stages: Development, SCM, Build, Package Repo, Deploy, Testing, Staging, Production, Feedback, Planning, Manage]
Risks and Vulnerabilities - Delivery Pipeline and Deliverables
1. Vulnerabilities related to the supply chain
2. Insider attacks
3. Errors and mistakes in the development project
4. Weaknesses in the design, code, and integration
5. API Economy and Security
http://www.ibm.com/developerworks/library/d-security-considerations-devops-adoption/
Vulnerabilities related to the supply chain
[Figure: External Supplier A, External Supplier B, Internal Supplier A and Internal Supplier B feeding the delivery pipeline: Development, SCM, Build, Package Repo, Deploy, Testing, Staging, Production, Feedback, Planning, Manage]
Insider attacks
Errors and mistakes in the development project
[Figure: batch size and flow illustration with rates of 1 per min and 4 per min]
• Reduced Batch size
• Continuous Validation:
  – Continuous Security Testing
  – Testing small batches in every Sprint
• Antifragile Systems
  – Servers are ‘cattle’ not ‘pets’
  – MTBF vs MTTR
Weaknesses in the design, code, and integration
http://www-03.ibm.com/security/secure-engineering/
The API economy and security
https://developer.ibm.com/architecture/gallery/APImanagement
The API economy and security: Implementation
https://developer.ibm.com/architecture/gallery/APImanagement
1. API Key management
2. API provider/consumer Identity Management
3. API Access control
4. API Usage management/throttling
5. API Security Incident Monitoring
6. API Logging and audit trail
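The six controls on this slide worked into one small gateway check, as an added Python example that is not from the deck or from IBM's API management reference: a hashed-secret key registry bound to a consumer identity (1, 2), scope-based access control (3), sliding-window throttling (4), an alert on repeated authentication failures (5) and one audit entry per decision (6). The class name, thresholds, scope strings and sample keys are constructed for illustration.

```python
import hashlib
import hmac
import time

WINDOW_SECONDS = 60       # sliding window for throttling and failure alerting
MAX_CALLS_PER_WINDOW = 3  # deliberately low so the throttle is easy to exercise
ALERT_THRESHOLD = 3       # auth failures per window that raise an alert


class ApiGateway:
    def __init__(self):
        self._keys = {}      # key_id -> record; secrets are stored only as digests
        self.audit_log = []  # one entry per decision (control 6: audit trail)
        self.alerts = []     # suspicious patterns (control 5: incident monitoring)

    def register_key(self, key_id, secret, consumer, scopes):
        # Controls 1 and 2: the key is bound to a named consumer and only a digest
        # of the secret is kept, so a leaked registry cannot be replayed at the API.
        self._keys[key_id] = {"hash": hashlib.sha256(secret.encode()).digest(),
                              "consumer": consumer, "scopes": set(scopes), "revoked": False}

    def revoke_key(self, key_id):
        self._keys[key_id]["revoked"] = True  # key lifecycle: revocation

    def _count_in_window(self, key_id, outcome, now):
        return sum(1 for e in self.audit_log if e["key"] == key_id
                   and e["outcome"] == outcome and now - e["t"] <= WINDOW_SECONDS)

    def _decide(self, key_id, secret, scope, now):
        rec = self._keys.get(key_id)
        presented = hashlib.sha256(secret.encode()).digest()
        # Unknown, revoked and wrong-secret keys get the same outcome; compare_digest keeps the check constant-time.
        if rec is None or rec["revoked"] or not hmac.compare_digest(presented, rec["hash"]):
            return "denied:auth"
        if scope not in rec["scopes"]:  # control 3: access control by scope
            return "denied:scope"
        if self._count_in_window(key_id, "allowed", now) >= MAX_CALLS_PER_WINDOW:
            return "denied:throttled"   # control 4: usage throttling
        return "allowed"

    def handle(self, key_id, secret, scope, now=None):
        now = time.time() if now is None else now
        outcome = self._decide(key_id, secret, scope, now)
        consumer = self._keys.get(key_id, {}).get("consumer", "unknown")
        # Record who asked for what and the decision; the secret itself is never logged.
        self.audit_log.append({"t": now, "key": key_id, "consumer": consumer,
                               "scope": scope, "outcome": outcome})
        if self._count_in_window(key_id, "denied:auth", now) == ALERT_THRESHOLD:
            self.alerts.append({"t": now, "key": key_id, "reason": "repeated auth failures"})
        return outcome
```

Call `handle()` with a key id, the presented secret, the requested scope and a timestamp; every decision lands in `audit_log` and bursts of failed authentication in `alerts`.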
DevOps Reference Architecture
Adopting a (Secure) DevOps Architecture
https://developer.ibm.com/architecture/devOps
Solution Architecture: DevOps Multi-Speed IT
https://developer.ibm.com/architecture/gallery/devOpsMultiSpeed
Start Here: Value Stream Mapping for Identifying and Addressing bottlenecks
Mapping your Delivery Pipeline
[Figure: value stream map from Idea/Feature/Bug Fix/Enhancement to Production. Stages: Development, Build, QA, SIT, UAT, Prod. Roles: PMO Requirements/Analyst, Developer, Build Engineer, QA Team, Integration Tester, User/Tester, Operations, Deployment Engineer, Release Management, Customers/Line of Business, Customer or Customer Surrogate. Artifacts and tools: Code Repository, Artifact Repository, Infrastructure as Code/Cloud Patterns, Deploy, Get Feedback, Feedback, Metrics - Reporting/Dashboarding. Legend: Tasks, Artifacts]
DevOps Innovation Workshop
Review the current state
1. Business goals, IT goals, current initiatives
2. DevOps
3. Requirements
4. Environments
5. Repositories
6. Roles/Organization
7. Metrics
8. Security
Prioritize challenges to be resolved
Create a first pass at an improvement roadmap
The whiteboard
Questions?