Security and DevOps

Talks about DevOps and how security teams can be part of it.

Matt Konda

October 14, 2015

Transcript

  1. Agenda
     • Introductions
     • What is DevOps to Security
     • Case Study 1
     • Case Study 2
     • Pipeline
     • Conceptual framework
     • Maturity Model
     • OWASP Projects
     • How to Get Involved
  2. Introduction
     Timeline (1997, 2006, 2014): Consultant, Engineer, Software Architect, Director of Engineering, Rabble Rouser
     Technologies: Perl, Java Applet, C++, J2EE, Spring, Ruby, Rails, Agile, Clojure, Graph Database
     Domains: Pricing, Retail Banking, Manufacturing, Pharma, Healthcare, Research
     Projects: Analytics, Certificate Authority, Vulnerability Scanner, Penetration Test Manager
     Talks: Chicago BSides 2011, 2012; Defcon Skytalk; OWASP Chicago, MSP 2013; AppSec USA 2012, 2013; ChicagoRuby 2013; Secure 360; Lone Star Ruby 2013; WindyCityRails 2013; Chicago JUG 2014; RailsConf 2014; Converge 2014
     MS in CS; Founder; Consultant
     DevOps / Automation, Training, Coaching, Code Review, Plugged in to SDLC, Consulting, Assessments
     Trying to hack a business model that succeeds while helping developers.
     @mkonda [email protected]
  3. DevOps Growing: Of course, it is also a result of an increasingly cloud-oriented Ops environment that is scripted with Chef, Puppet, Ansible, etc.
  4. I think that security should just be implied by DevOps and doesn’t need to have another name.
  5. Extension Points
     • Mounters: mount, supports?
     • Tasks: run, analyze, supported?
     • Filters: filter
     • Reporter: run_report
     [Pipeline diagram: Mounter → Files / Code / App (“Tasks”) → Filter → Reporter]
  6. Other Internals
     • Within “Tasks”, each of the files, code and app phases of the pipeline can be run selectively.
     [Same pipeline diagram as slide 5: Mounter → Files / Code / App (“Tasks”) → Filter → Reporter]
  7. Still noisy … but you can dismiss and move on, and hopefully rarely see them.
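The four extension points on slides 5 and 6, and the dismiss-and-move-on behaviour on slide 7, are easier to see in code. The block below is an added example, not the deck's own pipeline tool: it keeps the method names the slides give (supports?, mount, supported?, run, analyze, filter, run_report) and the files/code/app phase selection, but the class names, the Finding struct, the two sample tasks, the fingerprint scheme and the constructed sample tree are all assumptions made here for illustration.

```ruby
require "digest"
require "tmpdir"

# One result from a task. The fingerprint leaves out the line number so that a
# dismissed finding stays dismissed when the file shifts around it.
Finding = Struct.new(:task, :file, :line, :severity, :description) do
  def fingerprint
    Digest::SHA256.hexdigest([task, file, description].join("|"))[0, 16]
  end
end

# Mounter extension point: supports?(target), mount(target) -> local path.
class DirectoryMounter
  def supports?(target); File.directory?(target); end
  def mount(target); File.expand_path(target); end
end

# Task extension point: supported?(phase), run(path), analyze -> [Finding].
# :files phase task: private key material checked into the tree.
class PrivateKeyTask
  def supported?(phase); phase == :files; end
  def run(path)
    @root = path
    @hits = Dir.glob(File.join(path, "**", "*.{pem,key}"))
  end
  def analyze
    @hits.map do |f|
      Finding.new("private_key", f.delete_prefix("#{@root}/"), 1, :high,
                  "private key material committed to the repository")
    end
  end
end

# :code phase task: grep-style check for credentials assigned in source.
class HardcodedSecretTask
  PATTERN = /\b(password|secret|api_key)\b\s*[:=]\s*["'][^"']{8,}["']/i
  def supported?(phase); phase == :code; end
  def run(path)
    @root = path
    @hits = []
    Dir.glob(File.join(path, "**", "*.{rb,yml,env}")).each do |f|
      File.foreach(f).with_index(1) do |line, n|
        m = line.match(PATTERN)
        @hits << [f, n, m[1]] if m
      end
    end
  end
  def analyze
    @hits.map do |f, n, name|
      Finding.new("hardcoded_secret", f.delete_prefix("#{@root}/"), n, :high,
                  "hard-coded #{name.downcase} assigned in source")
    end
  end
end

# Filter extension point: filter(findings) -> findings. Drops findings a
# developer has already dismissed by fingerprint, so later runs get quieter.
class DismissFilter
  def initialize(dismissed); @dismissed = dismissed; end
  def filter(findings); findings.reject { |f| @dismissed.include?(f.fingerprint) }; end
end

# Reporter extension point: run_report(findings) -> text.
class TextReporter
  def run_report(findings)
    findings.map { |f| "#{f.severity.upcase} #{f.task} #{f.file}:#{f.line} #{f.description} [#{f.fingerprint}]" }.join("\n")
  end
end

# Mount, run only the tasks that support each selected phase, analyze, filter.
class Pipeline
  PHASES = %i[files code app].freeze
  def initialize(mounters:, tasks:, filters:, reporter:)
    @mounters, @tasks, @filters, @reporter = mounters, tasks, filters, reporter
  end
  def run(target, phases: PHASES)
    mounter = @mounters.find { |m| m.supports?(target) }
    raise ArgumentError, "no mounter supports #{target}" unless mounter
    path = mounter.mount(target)
    findings = phases.flat_map do |phase|
      @tasks.select { |t| t.supported?(phase) }.flat_map { |t| t.run(path); t.analyze }
    end
    @filters.reduce(findings) { |acc, f| f.filter(acc) }
  end
  def report(findings); @reporter.run_report(findings); end
end

# Constructed sample tree (not a real project) so the example runs offline.
def demo(dismissed: [], phases: Pipeline::PHASES)
  Dir.mktmpdir("pipeline-demo") do |dir|
    Dir.mkdir(File.join(dir, "config"))
    File.write(File.join(dir, "config", "database.yml"), "production:\n  password: \"hunter2hunter2\"\n")
    File.write(File.join(dir, "config", "server.pem"), "-----BEGIN PRIVATE KEY-----\n")
    pipeline = Pipeline.new(mounters: [DirectoryMounter.new],
                            tasks: [PrivateKeyTask.new, HardcodedSecretTask.new],
                            filters: [DismissFilter.new(dismissed)], reporter: TextReporter.new)
    findings = pipeline.run(dir, phases: phases)
    puts pipeline.report(findings) if $PROGRAM_NAME == __FILE__
    findings
  end
end
```

Running `demo` produces two findings; `demo(phases: [:code])` runs only the code-phase task, which is the selective execution slide 6 describes, and `demo(dismissed: [fingerprint])` shows the filter suppressing a finding a developer has already reviewed. Because the fingerprint is built from the relative path and the description rather than the line number, the suppression survives unrelated edits to the same file.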
  8. Two passes
     • First talk about security overlaid on the continuous delivery model
     • Then talk about event-based security and DevOps-related activities
  9. A detailed example:
     • Let’s say a feature is being developed
     • Then devs and testers are checking the new feature
     • Let them browse through an attack proxy (like Burp or ZAP) in passive mode
     • At night or when the system is quiet, use the browsing pattern as seeds for overnight attacks
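The "seeds" step above is where an unattended overnight run most often goes wrong: the browsing history also contains logout links, delete actions, third-party hosts, and dozens of URLs that differ only by an id. The block below is an added example, not code from the deck or from ZAP; it takes a constructed stand-in for what ZAP's core/view/urls API returns after a day of passive browsing, keeps one in-scope, non-destructive representative per URL shape, and emits one ZAP ascan/action/scan request per seed for a scheduler to fire at night. The hostnames, the skip list and the assumed ZAP address are illustration choices.

```ruby
require "json"
require "set"
require "uri"

# Constructed stand-in for ZAP's core/view/urls response after a day of
# passive browsing through the proxy (all hostnames are made up).
SAMPLE_URLS_JSON = <<~JSON
  {"urls": [
    "https://staging.example.test/login",
    "https://staging.example.test/accounts/42?tab=history",
    "https://staging.example.test/accounts/42?tab=settings",
    "https://staging.example.test/accounts/17?tab=history",
    "https://staging.example.test/logout",
    "https://staging.example.test/admin/users/9/delete",
    "https://cdn.example.test/app.js",
    "https://www.google-analytics.com/collect?v=1"
  ]}
JSON

# Paths an unattended scan must not hit: they end the session the scanner is
# reusing or destroy the test data the next run depends on (assumed list).
SKIP_PATHS = [%r{/logout\b}, %r{/signout\b}, %r{/delete\b}].freeze

# Reduce a URL to its shape: numeric path segments become {id} and parameter
# values are dropped, so the three /accounts/... URLs seed one attack, not three.
def url_shape(uri)
  path = uri.path.gsub(%r{/\d+(?=/|\z)}, "/{id}")
  names = URI.decode_www_form(uri.query.to_s).map(&:first).uniq.sort.join(",")
  "#{uri.host}#{path}?#{names}"
end

# Seeds: in-scope, non-destructive URLs, one representative per shape, in the
# order the testers first visited them.
def seed_urls(urls_json, scope_hosts:, skip: SKIP_PATHS)
  seen = Set.new
  JSON.parse(urls_json).fetch("urls").each_with_object([]) do |raw, seeds|
    uri = URI.parse(raw)
    next unless scope_hosts.include?(uri.host)
    next if skip.any? { |re| uri.path.match?(re) }
    seeds << raw if seen.add?(url_shape(uri))
  end
end

# One ZAP active-scan request per seed (ascan/action/scan, recurse=false so the
# scan stays on the seed rather than crawling), ready to be curled overnight.
def zap_scan_requests(seeds, apikey:, zap: "http://127.0.0.1:8080")
  seeds.map do |seed|
    "#{zap}/JSON/ascan/action/scan/?" + URI.encode_www_form(url: seed, recurse: "false", apikey: apikey)
  end
end

if $PROGRAM_NAME == __FILE__
  seeds = seed_urls(SAMPLE_URLS_JSON, scope_hosts: ["staging.example.test"])
  puts zap_scan_requests(seeds, apikey: "changeme")
end
```

On the sample data only the login page and one /accounts/{id}?tab URL survive as seeds: the other account URLs share a shape, logout and delete are skipped, and the CDN and analytics hosts are out of scope. Pointing the scan at a freshly provisioned environment (slide 10) is what makes leaving the destructive paths in acceptable in the first place; the skip list is for the case where the environment has to survive until morning.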
  10. continuous delivery: Since it’s easy to provision, we can do security testing safely in a new environment.
  11. continuous delivery: Another principle of software delivery: build security in! Done means secure! Empowered to do security right!
  12. Commit
      • Security Unit Tests
      • Static Code Analysis (Pipeline)
      • Security Requirements
      • Check Dependencies
      • Code Review
      • Checklists
  13. Deploy
      • Scripted Provisioning / Built-in Change Control
      • Provisioning Auditing (Chef Audit, hardening.io)
      • Gauntlt
  14. Periodic
      • Full app analysis (static, manual pen test)
      • Secure Development Training
      • Baseline Security Requirements Review
      • ASVS Review
      • Data Science on Results
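Of the commit-stage items on slide 12, "Check Dependencies" is the one most teams can automate in an afternoon. The block below is an added example of that check, not the deck's tooling and not bundler-audit (which is the tool a Ruby team would actually run): it parses the specs section of a Gemfile.lock and compares each locked version against an advisory list using the patched/unaffected requirement style that tool uses. The lockfile excerpt, the gem names and every advisory are constructed for the example; none of them describe real vulnerabilities.

```ruby
require "rubygems"

# Constructed Gemfile.lock excerpt with fictional gems.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      acme-auth (1.3.0)
        acme-render (~> 2.1)
      acme-render (2.1.5)
      acme-tasks (10.4.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    acme-auth
    acme-tasks
LOCK

# Constructed advisories (placeholder ids, not real CVEs). A version is safe if
# it satisfies any patched requirement or any unaffected requirement.
ADVISORIES = [
  { gem: "acme-auth",   id: "ADV-EXAMPLE-001", patched: [">= 1.4.2"],            unaffected: [] },
  { gem: "acme-render", id: "ADV-EXAMPLE-002", patched: ["~> 2.1.4", ">= 2.2.1"], unaffected: [] },
  { gem: "acme-render", id: "ADV-EXAMPLE-003", patched: [">= 3.0.0"],            unaffected: ["< 2.0"] },
  { gem: "acme-tasks",  id: "ADV-EXAMPLE-004", patched: [">= 10.4.2"],           unaffected: [] }
].freeze

# Top-level entries in the specs section sit at exactly four spaces; the
# six-space lines beneath them are dependency constraints, not locked versions.
def parse_lockfile(text)
  text.each_line.each_with_object({}) do |line, specs|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    specs[m[1]] = Gem::Version.new(m[2]) if m
  end
end

def satisfied?(requirements, version)
  requirements.any? { |r| Gem::Requirement.new(r).satisfied_by?(version) }
end

# Returns [[gem, version, advisory id], ...] for every locked version that is
# neither patched nor explicitly unaffected.
def audit(lockfile_text, advisories = ADVISORIES)
  specs = parse_lockfile(lockfile_text)
  advisories.each_with_object([]) do |adv, out|
    version = specs[adv[:gem]] or next
    next if satisfied?(adv[:patched], version) || satisfied?(adv[:unaffected], version)
    out << [adv[:gem], version.to_s, adv[:id]]
  end
end

# The commit stage turns findings into a failed build via the exit code.
def exit_code(hits)
  hits.empty? ? 0 : 1
end

if $PROGRAM_NAME == __FILE__
  hits = audit(SAMPLE_LOCKFILE)
  hits.each { |gem, ver, id| warn "#{gem} #{ver}: #{id}" }
  warn "exit #{exit_code(hits)}"
end
```

Gem::Version and Gem::Requirement come with RubyGems, so the version comparison (including `~>` pessimistic constraints) costs nothing to get right. On the sample data acme-auth 1.3.0 fails ADV-EXAMPLE-001, acme-render 2.1.5 passes ADV-EXAMPLE-002 but fails ADV-EXAMPLE-003, and acme-tasks is exactly at the patched version, so the build fails with two findings.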
  15. Kata
      Name: Run ZAP Proxy Daily
      Detail: Automate a way to run ZAP Proxy against an app on a daily basis and report issues to Jira
      How to Do the Kata: Activate “XYZ” Jenkins Plugin
      Training Resource: A web page with specifics about this Kata.
      Experts: A reference to people that can help with this Kata.
      Difficulty: Belt level for the Kata.
      Security Objectives: What security objectives does this Kata help us to achieve?
  16. • Data Classification
      • OWASP Top 10 Training
      • Simple Developer Environment Setup
      • Continuous Integration and Testing
      • Source Code Repository and Proper Tags
      • Repeatable Deployment
      • HTTPS (TLS) Everywhere
  17. • Baseline Security Requirements
      • Test for Security Headers
      • Lockout to Prevent Brute Force
      • Consistent Output Encoding
      • Audit Records Written
      • IDE Style Checks
      • Villain Persona and Security Requirements
      • Operational Metrics
      • Unauthenticated Scanning
  18. • Storing Secrets
      • Solid SSL
      • Security of Dependencies
      • Audit Records Written
      • Anti DoS
      • Anti-CSRF Protection
      • Consistent SQL Injection Protection
      • Static Analysis
      • Vulnerability Scanning
      • Authenticated Application Scanning
      • Security Code Review
  19. • Logs Aggregated with Security Event Incident Management System
      • Appropriate Encryption
      • Antivirus / Malware
      • Business Metrics
      • HSTS and Certificate Pinning
      • Application Penetration Testing
  20. • Attack Awareness
      • Behavioral Blocking
      • Centralized Security Service
      • Security Unit Tests for Business Logic
      • Hands on Developer Security Training
      • Dynamic Analysis
      • Runtime Application Security Analysis
      • Application Honeypot
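"Test for Security Headers" on slide 17 and "HSTS" on slide 19 are the cheapest items in these layers to turn into a security unit test that runs on every deploy. The block below is an added example, not from the deck: a checker that takes a response header hash and returns the baseline gaps. The thresholds are assumptions (one year of HSTS is the usual recommendation; the slide only names the control), as are the two constructed responses. Certificate pinning from slide 19 is deliberately not checked here, since the HPKP header browsers supported in 2015 has since been removed from them.

```ruby
# Assumed policy threshold: one year of HSTS.
HSTS_MIN_AGE = 31_536_000

# headers: Hash of response header name => value (names are case-insensitive).
# Returns a list of findings; an empty list means the baseline is met.
def check_security_headers(headers)
  h = headers.transform_keys { |k| k.to_s.downcase }
  findings = []
  hsts = h["strict-transport-security"]
  if hsts.nil?
    findings << "missing Strict-Transport-Security"
  else
    age = hsts[/max-age=(\d+)/i, 1].to_i
    findings << "HSTS max-age #{age} is below #{HSTS_MIN_AGE}" if age < HSTS_MIN_AGE
    findings << "HSTS lacks includeSubDomains" unless hsts.match?(/includeSubDomains/i)
  end
  unless h["x-content-type-options"].to_s.casecmp?("nosniff")
    findings << "missing X-Content-Type-Options: nosniff"
  end
  csp = h["content-security-policy"].to_s
  xfo = h["x-frame-options"].to_s.upcase
  unless csp.match?(/frame-ancestors/i) || %w[DENY SAMEORIGIN].include?(xfo)
    findings << "no clickjacking protection (X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors)"
  end
  findings << "missing Content-Security-Policy" if csp.empty?
  findings
end

# Constructed responses (not captured from any real site).
WEAK_HEADERS = {
  "Strict-Transport-Security" => "max-age=300",
  "X-Frame-Options" => "ALLOWALL",
  "Content-Type" => "text/html"
}.freeze
GOOD_HEADERS = {
  "Strict-Transport-Security" => "max-age=31536000; includeSubDomains",
  "X-Content-Type-Options" => "nosniff",
  "Content-Security-Policy" => "default-src 'self'; frame-ancestors 'none'"
}.freeze

if $PROGRAM_NAME == __FILE__
  puts check_security_headers(WEAK_HEADERS)
  puts "good: #{check_security_headers(GOOD_HEADERS).inspect}"
end
```

In a real test, fetch the page with `Net::HTTP.get_response(URI(url))` and pass `response.each_header.to_h` to the checker; a non-empty result fails the test. Note that a short `max-age` and a missing `includeSubDomains` are reported as separate findings, because an HSTS header that is present but weak is the common case once a team has "done HSTS" once.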
  21. The intent is not to force everyone to do every one of those things. The intent is to help to identify the things that can be done and layer them so that they can be prioritized.
  22. Josh Corman, Matt Tesauro, Aaron Weaver, Shannon Lietz, James Wicket, Mercedes Cox, Aaron Tesch, Matt Konda … You … ?
  23. I recognize that software has become a foundation of our modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged.