Dev secops opsec, devsec, devops ?


  • Devops, Secops, Opsec, DevSec *ops *.* ?

    Kris Buytaert, Brussels, February 2016

  • Kris Buytaert

    I used to be a Dev, then became an Op. Even did Security (OSSTM). Chief Trolling Officer and Open Source Consultant @inuits.eu. Everything is an effing DNS problem. Building Clouds since before the bookstore. Some books, some papers, some blogs. Too many conferences.

  • Who is running Drupal, OpenSSL, Bash?

  • Who is running Drupal < 7.38, OpenSSL 1.0.1 to 1.0.1f, Bash < 4.3 ...

  • Who has them upgraded over the past 12 months?
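As an added example, not part of the deck, a small inventory check that answers the three questions above: it flags the version ranges the slides name (Drupal < 7.38, OpenSSL 1.0.1 to 1.0.1f, Bash < 4.3) and lists hosts that have not been upgraded in the past 12 months. The host names, versions and dates are constructed sample data.

```python
import re
from datetime import date, timedelta

# Version ranges named on the slides: (lower bound inclusive or None, upper bound exclusive).
VULNERABLE = {
    "drupal": (None, "7.38"),        # Drupal < 7.38
    "openssl": ("1.0.1", "1.0.1g"),  # OpenSSL 1.0.1 through 1.0.1f
    "bash": (None, "4.3"),           # Bash < 4.3
}

def parse_version(v):
    """Turn '1.0.1f' into a tuple that orders correctly: numbers become (0, n),
    letter suffixes (1, s), so 1.0.1 < 1.0.1f < 1.0.1g < 1.0.2."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[a-z]+", v.lower()))

def is_vulnerable(package, version):
    """True when the installed version falls inside the flagged range.
    Ordering only: Drupal 6.x sorts below 7.38 and is flagged as well."""
    rng = VULNERABLE.get(package.lower())
    if rng is None:
        return False
    lo, hi = rng
    v = parse_version(version)
    if lo is not None and v < parse_version(lo):
        return False
    return v < parse_version(hi)

# Constructed sample inventory: (host, package, installed version, last upgrade date).
INVENTORY = [
    ("web01", "drupal", "7.34", date(2014, 11, 2)),
    ("web02", "drupal", "7.41", date(2016, 1, 10)),
    ("lb01", "openssl", "1.0.1e", date(2013, 6, 1)),
    ("lb02", "openssl", "1.0.1g", date(2014, 4, 8)),
    ("build01", "bash", "4.2.45", date(2013, 2, 20)),
    ("build02", "bash", "4.3.30", date(2015, 9, 3)),
]

def report(inventory, today=date(2016, 2, 1)):
    """Return (hosts on a flagged version, hosts not upgraded in the last 12 months)."""
    vulnerable = [h for h, p, v, _ in inventory if is_vulnerable(p, v)]
    stale = [h for h, _, _, d in inventory if today - d > timedelta(days=365)]
    return vulnerable, stale

if __name__ == "__main__":
    flagged, stale = report(INVENTORY)
    print("still on a flagged version:", flagged)
    print("not upgraded in 12 months:", stale)
```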

  • What's this Devops thing really about?

  • World, 200X-2009: Patrick Debois, Gildas Le Nadan, Andrew Clay Shafer, Kris Buytaert, Jez Humble, Lindsay Holmwood, John Willis, Chris Read, Julian Simpson, and lots of others ..

    Gent, October 2009. Mountain View, June 2010. Hamburg, October 2010. Boston, March 2011. Mountain View, June 2011. Bangalore, Melbourne, Goteborg, October 2011.

  • C(L)AMS: Culture, (Lean), Automation, Measurement, Security

    Damon Edwards and John Willis

  • Frank Breedijk @seccubus

    Http -> https, Imap -> imaps, Pop3 -> pop3s, Devop -> devopS

  • DevOps is a cultural and professional movement

    Adam Jacob

  • How did we get here?

  • The Old Days: Put this Code Live, here's a tarball, NOW! What dependencies? No machines available? What database? Security? High Availability? Scalability? My computer can't install this?

  • Devs vs Ops

  • People hate Sysadmins because:

    They slow stuff down. They say no. They say no again. They refuse to break stuff. They care about uptime. They don't care about fancy new features.

  • People hate Security Officers because:

    They slow stuff down. They say no. They say no again. They refuse to leave holes open. They care about security. They don't care about fancy new features. Security Officers have an expiry date.

  • 10 days into operation: What high load? What memory usage? Are these logs? Or is this actually customer data? How many users are there, should they launch 100 queries each?? Oh, we're having 10K users. Why is debugging enabled? Who wrote this?

  • 11 days into operations

  • 12 days into operations

  • 13 days into operations

  • We can solve this! We are not here to block. Some people think the Security / Operations work starts on deployment. It starts much earlier. Start talking asap.

  • Culture, automation, Measurement, sharing

  • Breaking the Silos: Getting Along, Ops, Devs

  • Who is in charge of security? What do your developers think about security? When do you think about security?

    The problem with security is it doesn't generate revenue.

    Security needs to become part of your DNA.

  • Build Trust. Experiment. Dev, Test, Prod. Automate all the things. Measure success. Measure failure.

  • With great power ...

    Your code will go to production.. You will be able to fix it .. You will have access to the logs. Access to the metrics...

  • Devops is a Reorg: New role for Change Management. New role for Security Officers. Added roles for Testers.

  • Culture, Automation, Measurement, Sharing

  • "Our job as engineers (and ops, dev-ops, QA, support, everyone in the company actually) is to enable the business goals. We strongly feel that in order to do that you must have the ability to deploy code quickly and safely. Even if the business goals are to deploy strongly QAd code once a month at 3am (it's not for us, we push all the time), having a reliable and easy deployment should be non-negotiable." Etsy Blog upon releasing Deployinator

    http://codeascraft.etsy.com/2010/05/20/quantum-of-deployment/

  • Continuous Delivery is a Security Requirement

  • How do we get there?

  • Use Version Control. No Excuses. Also for scripts/config/cookbooks, manifests, etc.

  • CI Tools: Hudson, Jenkins, a zillion plugins. Make your builds reproducible! Test your (Puppet/Chef/CFengine)

  • Build Pipelines

  • Test Automation: Unit tests, Regression tests, Selenium, Cucumber, TDD, BDD

  • What's in your Pipeline?

  • A pipeline: Checkout code, Syntax, Style, Code Coverage, Tests, Build, More Tests, Package, Upload to Repo

  • A pipeline++: Checkout code, Syntax, Style, Code Coverage, Tests, Build, More Tests, Package, Upload to Repo, Deploy on Test, Insert SECURITY TESTS!

  • Attack yourself on every build

    Gauntlt, write security tests. Vulnerability scans (Arachni). Content Scanner (DIRB).
    https://github.com/garethr/pentesting-playground

  • Infrastructure as Code: Configure 1000 nodes, modify 2000 files, together. Think: Cfengine, Puppet, Chef. Put configs under version control. Please don't roll your own ...

  • Puppet in Action

  • Orchestration: Fix security issues with 1 command

    mco package bind upgrade. Write an Ansible role to upgrade.

  • Culture, Automation, Measurement: measure all the things, Sharing

  • Logstash in Action

  • Security in devops? Version control => Auditing