
Page 1: Dev secops opsec, devsec, devops ?

Devops, Secops, Opsec, DevSec *ops *.* ?

Kris Buytaert

Brussels, February 2016

Page 2

Kris Buytaert

● I used to be a Dev,
● Then Became an Op
● Even did Security (OSSTM)
● Chief Trolling Officer and Open Source Consultant @inuits.eu
● Everything is an effing DNS Problem
● Building Clouds since before the bookstore
● Some books, some papers, some blogs
● Too many conferences.

Page 3

Who is running
● Drupal
● OpenSSL
● Bash

Page 4

Who is running
● Drupal < 7.38
● OpenSSL 1.0.1 → 1.0.1f
● Bash < 4.3...

Page 5

Who has upgraded them over the past 12 months?

Page 6

What's this Devops thing really about?

Page 7

World, 200X-2009

Patrick Debois, Gildas Le Nadan, Andrew Clay Shafer, Kris Buytaert, Jez Humble, Lindsay Holmwood, John Willis, Chris Read, Julian Simpson, and lots of others ..

Gent, October 2009
Mountain View, June 2010
Hamburg, October 2010
Boston, March 2011
Mountain View, June 2011
Bangalore, Melbourne,
Goteborg, October 2011

Page 8

C(L)AMS
● Culture
● (Lean)
● Automation
● Measurement
● Security

Damon Edwards and John Willis

Page 9

Frank Breedijk @seccubus

● Http → https
● Imap → imaps
● Pop3 → pop3s
● Devop → devopS

Page 10

“DevOps is a cultural and professional movement”

Adam Jacob

Page 11

How did we get here?

Page 12

The Old Days
● “Put this Code Live, here's a tarball” NOW!
● What dependencies?
● No machines available?
● What database?
● Security?
● High Availability?
● Scalability?
● My computer can't install this?

Page 13

Devs vs Ops

Page 14

People hate Sysadmins
Because
• They slow stuff down
• They say no
• They say no again
• They refuse to break stuff
• They care about uptime
• They don't care about fancy new features

Page 15

Page 16

People hate Security Officers
Because
• They slow stuff down
• They say no
• They say no again
• They refuse to leave holes open
• They care about security
• They don't care about fancy new features
• Security Officers have an expiry date

Page 17

Page 18

10 days into operation
● What High Load? What Memory usage?
● Are these Logs? Or is this actually customer data?
● How many users are there, should they launch 100 queries each?? Oh, we're having 10K users
● Why is debugging enabled?
● Who wrote this?

Page 19

11 days into operations

Page 20

12 days into operations

Page 21

13 days into operations

Page 22

We can solve this!

● We are not here to block
● Some people think the Security / Operations work starts on deployment
● It starts much earlier
● Start talking asap

Page 23

Culture, automation, Measurement, sharing

Page 24

Breaking the Silos

Getting Along: Ops, Devs

Page 25

● Who is in charge of security?
● What do your developers think about security?
● When do you think about security?
● The problem with security is it doesn't generate revenue
● Security needs to become part of your DNA.

Page 26

Build Trust
● Experiment
  • Dev
  • Test
● Prod
● Automate all the things
● Measure success
● Measure Failure

Page 27

With great power ...

Your code will go to production..
You will be able to fix it ..
You will have access to the logs
Access to the metrics...

Page 28

Page 29

Page 30

Devops is a Reorg
● New role for Change Management
● New role for Security Officers
● Added roles for Testers

Page 31

Page 32

Culture, Automation, Measurement, Sharing

Page 33

"Our job as engineers (and ops, dev-ops, QA, support, everyone in the company actually) is to enable the business goals. We strongly feel that in order to do that you must have the ability to deploy code quickly and safely. Even if the business goals are to deploy strongly QA’d code once a month at 3am (it’s not for us, we push all the time), having a reliable and easy deployment should be non-negotiable."

Etsy Blog upon releasing Deployinator

http://codeascraft.etsy.com/2010/05/20/quantum-of-deployment/

Page 34

Continuous Delivery is a Security Requirement

Page 35

How do we get there?

Page 36

Use Version Control

No Excuses

Also for scripts/config/cookbooks, manifests, etc

Page 37

CI Tools
● Hudson
● Jenkins
  • A zillion plugins
● Make your builds reproducible!
● Test your (Puppet/Chef/CFengine)

Page 38

Build Pipelines

Page 39

Test Automation
● Unit tests
● Regression tests
● Selenium
● Cucumber
● TDD
● BDD

Page 40

Page 41

What's in your Pipeline?

Page 42

A pipeline
● Checkout code
● Syntax
● Style
● Code Coverage
● Tests
● Build
● More Tests
● Package
● Upload to Repo

Page 43

A pipeline++
● Checkout code
● Syntax
● Style
● Code Coverage
● Tests
● Build
● More Tests
● Package
● Upload to Repo
● Deploy on Test
● …
● Insert SECURITY TESTS!
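One concrete shape for that "SECURITY TESTS" stage, as an added example that is not part of the deck: a Python step that runs after "Deploy on Test", reads the component versions the test deployment reports, and fails the build when any of them falls inside the ranges the opening slides ask about (Drupal < 7.38, OpenSSL 1.0.1 through 1.0.1f, Bash < 4.3). The inventory dict and the range table are constructed for the example; how the versions are collected (facter, a package query from your config management tool) is an assumption left to your setup.

```python
import re
import sys
from typing import Dict, List, Tuple

# Ranges from the deck's "Who is running ..." slides; a constructed table for
# this example, not a vulnerability feed.  Entries are
# (lower bound inclusive, upper bound, upper bound inclusive).
VULNERABLE_RANGES = {
    "drupal": ("0", "7.38", False),        # Drupal < 7.38
    "openssl": ("1.0.1", "1.0.1f", True),  # OpenSSL 1.0.1 through 1.0.1f
    "bash": ("0", "4.3", False),           # Bash < 4.3
}

# Constructed inventory standing in for what the test deployment reports.
SAMPLE_INVENTORY = {
    "drupal": "7.37", "openssl": "1.0.1e", "bash": "4.3.30", "nginx": "1.8.1",
}


def parse_version(version: str) -> Tuple[Tuple[int, ...], str]:
    """Turn '1.0.1f' into ((1, 0, 1), 'f') so tuple comparison orders
    1.0.1 < 1.0.1f < 1.0.1g < 1.0.2 the way the release series does."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", version.strip())
    if m is None:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split(".")), m.group(2)


def is_vulnerable(component: str, version: str) -> bool:
    """True when the reported version sits inside the component's known-bad range."""
    rng = VULNERABLE_RANGES.get(component.lower())
    if rng is None:
        return False  # no range on file for this component
    low, high, high_inclusive = rng
    v = parse_version(version)
    if v < parse_version(low):
        return False
    return v <= parse_version(high) if high_inclusive else v < parse_version(high)


def security_gate(inventory: Dict[str, str]) -> List[str]:
    """The pipeline stage: one finding per vulnerable component, empty when clean."""
    return [
        f"{name} {ver} is in a known-vulnerable range, upgrade before promoting"
        for name, ver in sorted(inventory.items())
        if is_vulnerable(name, ver)
    ]


if __name__ == "__main__":
    findings = security_gate(SAMPLE_INVENTORY)
    for line in findings:
        print("SECURITY TEST FAILED:", line)
    sys.exit(1 if findings else 0)  # non-zero exit turns the CI build red
```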

Page 44

Attack yourself on every build

● Gauntlt, write security tests
● Vulnerability scans (Arachni)
● Content Scanner (DIRB)
● …
● https://github.com/garethr/pentesting-playground

Page 45

Infrastructure as Code
● Configure 1000 nodes,
● Modify 2000 files,
● Together
● Think:
  • Cfengine, Puppet, Chef
● Put configs under version control
● Please don't roll your own ...

Page 46

Puppet in Action

Page 47

Orchestration
● Fix security issues with 1 command
● Mco package bind upgrade
● Write Ansible role to upgrade

Page 48

Culture, Automation, Measurement: measure all the things, Sharing

Page 49

Logstash in Action

Page 50

Page 51

Page 52

Security in devops?
● Version control => Auditing
● CI => Add security IN the pipeline
● Configuration Mgmt
  • Policy Definition
  • Auditing & Enforcing
● Monitoring

Page 53

Debunking the Critics

Security not included? Everyone is Included: security, dba, devs, ops, designer, analysts.

We are solving a business problem, not a technology problem.

Page 54

*ops*.*

Page 55

It's not about the tools
It's about change
It's about the people

Page 56

{devops security}
is not a product you can buy,
It's a lifestyle

Page 57

Contact
Kris Buytaert [email protected]

Further Reading
@krisbuytaert
http://www.krisbuytaert.be/blog/
http://www.inuits.eu/

Inuits
Essensesteenweg 31
2930 Brasschaat
Belgium
891.514.231
+32 475 961221