DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Security with DevSecOps + Containers
2 likes508 views
The presentation discusses the integration of security into DevOps practices, emphasizing the importance of DevSecOps and container security. It highlights challenges such as treating security as an afterthought, and outlines best practices for securing containerized applications, including continuous integration and deployment strategies. Additional focus is given to compliance, vulnerability scanning, and the need for collaboration across teams to ensure comprehensive security in software delivery.
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Security with DevSecOps + Containers
- 1. A DevOps State of Mind: Continuous Security with DevSecOps + Containers Chris Van Tuin Chief Technologist, NA West / Silicon Valley cvantuin@redhat.com
- 2. βOnly the Paranoid Surviveβ - Andy Grove, 1998
- 3. Retail Finance Media Transportation ? ? SOFTWARE DISRUPTS BUSINESS
- 4. DEV QA OPS Walled off people, walled off processes, walled off technologies βTHROW IT OVER THE WALLβ
- 5. Time to Value Months to Years Weeks and Months Days and Weeks IT MUST EVOLVE TO STAY AHEAD OF DEMANDS
- 8. DEV QA OPS Open organization + β¨ cross-functional teams Software factory automation Linux + Containers IaaS Orchestration CI/CD Source Control Management Collaboration Build and Artifact Management Testing Frameworks OpenSource CI/CD pipelines with feedback Culture Process Technology + + BREAKING DOWN THE WALLS WITH DEVOPS
- 9. DEV QA OPS SECURITY IS AN AFTERTHOUGHT | SECURITY | βPatch? The servers are behind the firewall.β - Anonymous (far too many to name), 2005 - β¦
- 11. DevSecOps End to End Security + + SECURITY DEV QA OPS Linux + Containers IaaS Orchestration CI/CD Source Control Management Collaboration Build and Artifact Management Testing Frameworks OpenSource Culture Process Technology
- 12. APPLICATION DELIVERY VIA CONTAINERS
- 13. docker.io RegistryPrivate RegistryRed Hat Certified FROM fedora:latest CMD echo βHelloβ Build file Physical, Virtual, Cloud Image Container Build RunShip CONTAINERS: BUILD, SHIP, RUN
- 14. Scheduling Monitoring Persistence DiscoveryLifecycle & health Scaling Aggregation Security MORE THAN CONTAINERSβ¦
- 15. DevSecOps End to End Security + + <βββββββ SECURITY βββββββ> DEV QA OPS
- 16. 4 β Are there known vulnerabilities in the application layer? β Are the runtime and OS layers up to date? β How frequently will the container be updated and how will I know when itβs updated? CONTENT: EACH LAYER MATTERS CONTAINER OS RUNTIME APPLICATION Are there known vulnerabilities β¨ in each application layer? Are the runtime and OS layers β¨ up to date? How frequently will the container be updated and how will I know when its updated? IS THE CONTAINER ENVIRONMENT SECURE? Is the image from a trusted source? Can I quickly deploy a security update at scale? Is my multi-tenant host secure?
- 17. Container host Network isolation Storage API & Platform access Monitoring & Logging Federated clusters Registry {} Builds CI/CDImages SECURING CONTAINERS
- 19. RHEL Kernel Hardware (Intel, AMD) or Virtual Machine Containers ContainersContainers Unit File Docker Image DOCKER CLI SYSTEMD Cgroups Namespaces SELinux Drivers CONTAINERS ARE LINUX
- 20. Hardware (Intel, AMD) or Virtual Machine Containers ContainersContainers Unit File Docker ImageKUBERNETES / DOCKER SYSTEMD Cgroups Namespaces SELinux Drivers Best Practices β’ Donβt run as root β’ Limit SSH Access β’ Use namespaces β’ Define resource quotas β’ Enable logging β’ Apply Security Errata β’ Apply Security Context and seccomp filters http://blog.kubernetes.io/2016/08/security-best-practices-kubernetes-deployment.html seccomp CONTAINER HOST SECURITY
- 22. 4 β Are there known vulnerabilities in the application layer? β Are the runtime and OS layers up to date? β How frequently will the container be updated and how will I know when itβs updated? CONTENT: EACH LAYER MATTERS CONTAINER OS RUNTIME APPLICATION CONTENT: EACH LAYER MATTERS AYER MATTERS CONTAINER OS RUNTIME APPLICATION JAR CONTAINER
- 23. A CONVERGED SOFTWARE SUPPLY CHAIN
- 25. code config data Kubernetes configmaps secrets Container image Traditional β¨ data services, Kubernetes β¨ persistent volumes TREAT CONTAINERS AS IMMUTABLE
- 26. IMAGE SIGNING Validate what images and version are running
- 28. 64% of official images in Docker Hub β¨ contain high priority security vulnerabilities examples: ShellShock (bash) Heartbleed (OpenSSL) Poodle (OpenSSL) Source: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities, Jayanth Gummaraju, Tarun Desikan, and Yoshio Turner, BanyanOps, May 2015 (http://www.banyanops.com/pdf/BanyanOps-AnalyzingDockerHub-WhitePaper.pdf) WHATβS INSIDE THE CONTAINER MATTERS
- 29. PRIVATE REGISTRY
- 32. FROM fedora:latest CMD echo βHelloβ Build file Build Best Practices β’ Treat as a Blueprint β’ Donβt login to build/configure β’ Version control build file β’ Be explicit with versions, not latest β’ Each Run creates a new layer BUILDS
- 33. Security CONTINUOUS INTEGRATION WITH SECURITY SCAN
- 35. Compliance and Vulnerability Audits with OpenSCAP
- 36. AUTOMATED SECURITY SCANNING with OpenSCAP ReportsScan SCAP Security Guide for RHEL CCE-27002-5 Set Password Minimum Length Content Scan physical servers, virtual machines, docker images and containers⨠for Security Policy Compliance (CCEs) and known Security Vulnerabilities (CVEs)
- 37. Standard Docker Host Security Profile Java Runtime Environment (JRE) Upstream Firefox STIG RHEL OSP STIG Red Hat Corporate Profile for Certified Cloud Providers (RH CCP) STIG for Red Hat Enterprise Linux 6, 7 Server STIG for Red Hat Virtualization Hypervisor Common Profile for General-Purpose Debian Systems Common Profile for General-Purpose Fedora Systems Common Profile for General-Purpose Ubuntu Systems Payment Card Industry β Data Security Standard (PCI-DSS) v3 U.S. Government Commercial Cloud Services (C2S) CNSSI 1253 Low/Low/Low Control Baseline for Red Hat Enterprise Linux 7 Criminal Justice Information Services (CJIS) Security Policy Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) U.S. Government Configuration Baseline (NIAP OSPP v4.0, USGCB, STIG) Security Policies in SCAP Security Guide (partial)
- 42. CD with Security
- 43. CONTINUOUS DEPLOYMENT WITH CONTAINERS
- 44. CONTINUOUS DELIVERY DEPLOYMENT STRATEGIES DEPLOYMENT STRATEGIES β’ Blue / Green deployment β’ Rolling updates β’ Canary deployments β’ A / B testing
- 45. Version 1 BLUE / GREEN DEPLOYMENT Route
- 46. Version 1 BLUE / GREEN DEPLOYMENT Version 1.2
- 47. Version 1 Tests / CI BLUE / GREEN DEPLOYMENT Version 1.2
- 48. Version 1 Version 1.2 BLUE / GREEN DEPLOYMENT Route Version 1.2
- 49. Version 1 BLUE / GREEN DEPLOYMENT Rollback Route Version 1.2
- 50. Version 1 Version 1Version 1 Version 1.2 ` Tests / CI ROLLING UPDATES with ZERO DOWNTIME
- 51. Deploy new version and wait until itβs readyβ¦ Version 1 Version 1 V1.2 Health Check: Readiness β¨ Probe e.g. tcp, http, script V1
- 52. Each container/pod is updated one by one Version 1.2 50% Version 1 V1 V1.2
- 53. Each container/pod is updated one by one Version 1.2Version 1.2Version 1.2 100%
- 54. Container host Network isolation Storage API & Platform access Monitoring & Logging Federated clusters Registry {} Builds CI/CDImages SECURING CONTAINERS
- 55. Deployment Frequency Lead Time Deployment⨠Failure Rate Mean Time to Recover 99.999 Service Availability DEVSECOPS METRICS Compliance Score
- 56. THANK YOU linkedin: Chris Van Tuin email: cvantuin@redhat.com twitter: @chrisvantuin