DW4
DevOps Design & Architecture
6/7/2017 1:30:00 PM
DW4 Integrate Security into DevOps
Presented by:
Hasan Yasar
Software Engineering Institute
Brought to you by:
350 Corporate Way, Suite 400, Orange Park, FL 32073
888-268-8770 · 904-278-0524 - info@techwell.com - https://www.techwell.com/
Hasan Yasar
Software Engineering Institute
Hasan Yasar is the technical manager of the Secure Lifecycle Solutions group at the Software Engineering Institute (SEI). Hasan leads an engineering group tasked with developing prototype solutions with associated DevOps processes while providing expertise and guidance to SEI's clients. He has more than twenty-five years' experience as a senior security engineer, software architect, and manager in all phases of secure software development. Hasan specializes in secure software solutions design and development in the cyber security domain, including data-driven investigation and collaborative incident management, network security assessment, and automated large-scale malware analysis. He is an adjunct faculty member at CMU Heinz College and the Institute for Software Research.
1
Integrate Security into DevOps
June 7th 2017
© 2017 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213
Integrate Security into DevOps
Hasan Yasar
Technical Manager
CERT | Secure Lifecycle Solutions Group
2017
Notices
Copyright 2017 Carnegie Mellon University. All Rights Reserved.
This material is based upon work funded and supported by the Department of Defense under Contract
No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering
Institute, a federally funded research and development center.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING
INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY
MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER
INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL.
CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH
RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited
distribution. Please see Copyright notice for non-US Government use and distribution.
This material may be reproduced in its entirety, without modification, and freely distributed in written or
electronic form without requesting formal permission. Permission is required for any other use. Requests
for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.
Carnegie Mellon® and CERT® are registered in the U.S. Patent and Trademark Office by Carnegie Mellon
University.
DM17-0273
Agenda - Content
• DevOps p3
• DevOps and Security
• Platform Security
• AppSec - Secure DevOps
• DevOps Anti-Patterns
Last Minute Security..
https://dzone.com/articles/last-minute-security-comic
DevOps p3
Integrate Security into DevOps
People
Heavy collaboration between all stakeholders:
• Secure Design / Architecture decisions
• Secure Environment / Network configuration
• Secure Deployment planning
• Secure Code Review
Constantly available open communication channels:
• Dev and OpSec together in all project decision meetings
• Chat / e-mail / wiki services available to all team members
Process
Establish a process that enables people to succeed in using the platform to develop secure applications, such that it:
• Keeps communication constant and visible to all
• Ensures that tasks are testable and repeatable
• Frees up human experts to do challenging, creative work
• Allows tasks to be performed with minimal effort or cost
• Creates confidence in task success, based on past repetitions
• Enables faster deployment and frequent quality releases
Platform
Where people use the process to build secure software:
• Automated environment creation and provisioning
• Automated infrastructure testing
• Parity between Development, QA, Staging, and Production environments
• Sharing and versioning of environmental configurations
• Collaborative environment between all stakeholders
DevOps Pipeline Tool Landscape Complexity (~180 tools)
Pipeline stages covered: Traceability (issue tracking), Infrastructure, Version Control, Continuous Integration, Testing and Metrics, Rapid Deployment, Operations, Supports
• Release configuration and release software (e.g., Puppet, Chef)
• Scripts and code used to release software (e.g., Python scripts)
• Servers, network or other infrastructure that support release tools
• Software and tools to support developer self-service operations
• External test frameworks (e.g., Jersey Test Framework)
• External operational monitoring and log mining tools (e.g., Splunk)
• Source code repositories (e.g., Git)
• Issue tracking systems (e.g., JIRA)
• Container driven tools (e.g., Docker)
• Requirements management (e.g., Doors, Blueprint)
• Infrastructure and cloud providers
• IDEs integrated with the DevOps process
Engineering the Deployment Pipeline is a challenge
• If the pipeline is not engineered, it may require extensive effort to integrate tools and share data across the pipeline
• Key questions related to designing the integrated pipeline include:
- Who owns the integrated deployment pipeline?
- How/what to measure/monitor to assess pipeline health?
- What are the key quality attributes teams should look for as they select tools for pipeline integration?
• Whether designing or buying, it is important to understand the end-to-end requirements (e.g., workflow visibility)
Integrated Pipeline Key Quality Attributes
Discussion Question: Which of these qualities do you think might be important when selecting tools for the continuous delivery pipeline?
• Integrate-ability
• Interoperability
• Usability
• Portability
• Resilience
• Security/Permissions
• Availability (Error handling)
• Scalability
• Performance
• Modifiability
• Configurability
• “Automate-ability” (of manual tasks)
• “Approvability” (allows for manual approval)
• Measurability?
• Other?
Integrated Pipeline - General
Integrated Pipeline – With Tooling
Human actions/inputs to the software development process
Actions performed by autonomous systems
DevOps and Security
Secure DevOps Process & Implementation
Rugged{Secure}Dev{Sec}Ops
• DevOps is a Risk Mitigation strategy, built on Situational Awareness, Automation, and Repetition
• But security is where a lot of DevOps implementations fall down
• Goals:
- Protecting private user data
- Restricting access to data / systems
- Protecting company data / IP
- Standards compliance
- Safeguarding disposition / transition
The Rugged Manifesto
I am rugged and, more importantly, my code is rugged.
I recognize that software has become a foundation of our modern world.
I recognize the awesome responsibility that comes with this foundational role.
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security.
I recognize these things – and I choose to be rugged.
I am rugged because I refuse to be a source of vulnerability or weakness.
I am rugged because I assure my code will support its mission.
I am rugged because my code can face these challenges and persist in spite of them.
I am rugged, not because it is easy, but because it is necessary and I am up for the challenge.
Rugged Continued …
Culture – NOT a tool, SDLC, or org structure
Rugged != Secure - secure is only an instant in time
Proactive security is better than reactive – Reactive will fail eventually
Team Composition
Developers:
• Features
• Quality Attributes
• Efficiency
• Performance
• Users
• Authentication
• Authorization
IT Ops:
• Deployment
• Maintenance
• Updates
• Change policy
• Failure
• Data loss
• Risk prevention
QA:
• Testable
• Issue tracking
• Bug Reports
• Usability
• Help Desk
Security Team:
• Data Privacy
• Intrusion detection
• Threat vectors
• CVEs
• Package security
• Authentication
• Authorization
• Security Standards Compliance
DevOps: Multiple Team Integrations
DevOps: Multiple Team Integrations + With Security Team
Platform Security in DevOps
Integrate Security into DevOps
Deployment Pipeline & Dependencies
• Deployment Pipeline
- Development Environment
- Scripting / Automation
- Integration and configuration
- Build Servers
- Monitoring
- Code Repositories
- Container Security
• Supply Chain / Dependencies
- 3rd party libraries
- Vulnerability analysis
- Trusted sources
- Open source software
- Code Snippets
- Application-ready frameworks
Evolution of software development
Custom development – context:
• Software was limited in
- Size
- Function
- Audience
• Each organization employed developers
• Each organization created its own software
Supply chain: practically none
Shared development – ISVs (COTS) – context:
• Function largely understood
- Automating existing processes
• Grown beyond the using organization's ability to develop economically
• Outside the core competitiveness of acquirers
Supply chain: software supplier
Development is now assembly
Components in the slide's diagram (note: hypothetical application composition): General Ledger, SQL Server, WebSphere, HTTP server, XML Parser, Oracle DB, SIP servlet container, GIF library
Collective development – context:
• Too large for a single organization
• Too much specialization
• Too little value in individual components
Supply chain: long
Software supply chain for assembled software
Expanding the scope and complexity of acquisition and deployment
Visibility and direct controls are limited (only in the shaded area of the figure)
Source: “Scope of Supplier Expansion and Foreign Involvement” graphic in DACS www.softwaretechnews.com Secure Software Engineering, July 2005 article “Software Development Security: A Risk Management Perspective”, synopsis of May 2004 GAO-04-678 report “Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks”
Substantial open source and 3rd party apps contained in supply chain
• 90% of modern applications are assembled from 3rd party components
• At least 75% of organizations rely on open source as the foundation of their applications
• Most applications are now assembled from hundreds of open source components, often reflecting as much as 90% of an application
Distributed development – context:
• Amortize expense
• Outsource non-differentiating features
• Lower acquisition (CapEx) expense
Sources: Geer and Corman, “Almost Too Big To Fail,” ;login: (Usenix), Aug 2014; Sonatype, 2014 Open Source Development and Application Security Survey
Supply chain: opaque
Reducing the Supply Chain Risk
• Open source software usage policy
• Supplier resource management
• Apply policy and management through the DevOps pipeline
• Automate and monitor dependency management
• Track the build and deploy dependency list
• Apply newly discovered vulnerabilities to the deployment process
• Continuous training and monitoring of developer activities
Supply Chain Hygiene: Recommendations
• Supplier security commitment evidence
- Supplier employees are educated in security engineering practices
- Supplier follows suitable security design practices
• Evaluate a product’s threat resistance
- What product characteristics minimize opportunities to enter and change the product’s security characteristics?
• Create a centralized private repository of vetted 3rd party components for all developers
• Establish good product distribution practices
• Recognize that supply chain risks accumulate
• Monitor for new vulnerabilities and know where they are in the enterprise so they can be fixed
• Minimize variation of components to make things easier (multiple versions, duplicated utility)
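As an added example (not from the presentation or the SEI), the dependency gate below applies the practices on the last two slides inside a pipeline step: it records the build's dependency list, checks every component against an allow-list of vetted sources (the centralized private repository), matches versions against a vulnerability catalog, and flags one component pulled in at several versions. The lock format, package names, versions, sources and advisory ids are constructed sample data, not real packages or advisories.

```python
from dataclasses import dataclass, field


def parse_version(v: str) -> tuple:
    """Dotted numeric version to a comparable tuple (assumes numeric parts; others count as 0)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    source: str            # repository the artifact was resolved from


@dataclass(frozen=True)
class Advisory:
    advisory_id: str       # constructed id, not a real CVE
    name: str
    fixed_in: str          # first version that is no longer affected
    severity: str


@dataclass
class GateResult:
    blocked: bool = False
    findings: list = field(default_factory=list)


# The vetted, centralized private repository every build must resolve from (assumed name).
TRUSTED_SOURCES = frozenset({"internal-mirror"})
BLOCKING_SEVERITIES = frozenset({"HIGH", "CRITICAL"})


def parse_lock(text: str) -> list:
    """Parse the constructed lock format 'name==version @ source'; '#' lines are comments."""
    deps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        spec, _, source = line.partition(" @ ")
        name, _, version = spec.partition("==")
        deps.append(Dependency(name.strip(), version.strip(), source.strip() or "unknown"))
    return deps


def inventory(deps) -> list:
    """The build's dependency list to record alongside the artifact (name==version)."""
    return sorted(f"{d.name}=={d.version}" for d in deps)


def check_dependencies(deps, advisories, trusted=TRUSTED_SOURCES,
                       block_on=BLOCKING_SEVERITIES) -> GateResult:
    result = GateResult()
    # 1. Source policy: anything not pulled from the vetted repository blocks the build.
    for d in deps:
        if d.source not in trusted:
            result.findings.append(f"UNTRUSTED_SOURCE {d.name}=={d.version} from {d.source}")
            result.blocked = True
    # 2. Known vulnerabilities: a version below an advisory's fixed_in is affected.
    by_name = {}
    for a in advisories:
        by_name.setdefault(a.name, []).append(a)
    for d in deps:
        for a in by_name.get(d.name, []):
            if parse_version(d.version) < parse_version(a.fixed_in):
                result.findings.append(
                    f"VULNERABLE {d.name}=={d.version} {a.advisory_id} ({a.severity}); fixed in {a.fixed_in}")
                if a.severity in block_on:
                    result.blocked = True
    # 3. Variation: the same component at several versions widens the patch surface.
    versions = {}
    for d in deps:
        versions.setdefault(d.name, set()).add(d.version)
    for name, vs in sorted(versions.items()):
        if len(vs) > 1:
            result.findings.append(f"MULTIPLE_VERSIONS {name}: {sorted(vs)}")
    return result


# Constructed sample build: one package from an unvetted index, one duplicated.
SAMPLE_LOCK = """\
# constructed dependency list: name==version @ resolved-from
acme-http==2.9.0 @ internal-mirror
acme-http==2.18.0 @ internal-mirror
acme-yaml==3.11 @ public-index
acme-web==0.12.2 @ internal-mirror
"""

# Constructed advisory feed (ids and packages are fictional).
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "acme-yaml", fixed_in="3.12", severity="HIGH"),
    Advisory("ADV-0002", "acme-http", fixed_in="2.10.0", severity="MEDIUM"),
]

if __name__ == "__main__":
    gate = check_dependencies(parse_lock(SAMPLE_LOCK), SAMPLE_ADVISORIES)
    print("BLOCKED" if gate.blocked else "PASSED")
    for finding in gate.findings:
        print(" ", finding)
```

Run as a pipeline step, a blocked result fails the build; the inventory list is what the later "catalog of running components" is built from.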
AppSec and DevOps
Integrate Security into DevOps
Microsoft Secure Development Lifecycle (SDL)
Development Lifecycle
Dev Lifecycle + Business – Enhancing the SDLC
DevOps Lifecycle – Enhancing the SDLC
Where are opportunities for security processes?
DevOps Lifecycle – Threat Modeling, Security as a quality attribute (Enhancing SDLC Security)
DevOps Lifecycle – Secure / hardened environments (Enhancing SDLC Security)
DevOps Lifecycle – Security-focused code review (Enhancing SDLC Security)
DevOps Lifecycle – Automated Security Testing (Static analysis, etc.) (Enhancing SDLC Security)
DevOps Lifecycle – More Security Testing (Pen Testing, Fuzz Testing) (Enhancing SDLC Security)
DevOps Lifecycle – Security review / acceptance testing (Enhancing SDLC Security)
Secure DevOps Lifecycle (Enhancing SDLC Security)
Security must be addressed without breaking the rapid delivery, continuous feedback model
Secure DevOps Lifecycle – Devs (Enhancing SDLC Security)
Secure DevOps Lifecycle – Devs: constant feedback to Dev (Enhancing SDLC Security)
Secure DevOps Lifecycle (Enhancing SDLC Security)
• Pausing for manual steps is typical
• Optimize the manual work!
• Persist the output of any tools / work
Post-Production Monitoring
• Monitor audit logs produced by CI/CD for anomalies
• Monitor production applications to assure nothing changes outside of the normal change process
• Monitor for new vulnerabilities / threats (a catalog of running components helps!)
Automation (CI/CD) and Security
Not everything can be, needs to be, or should be automated
• Draw perimeters around the things you trust and let that guide where human interaction and verification is needed
Keep track of security assessments
Regimented code management
• Know what source code contributed to a build that’s in production so patches are fast and confident
Perform static analysis where possible
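The provenance record and checks below are an added example, not the presentation's or the SEI's code, covering both the "know what source code contributed to a build" point above and the post-production monitoring slide before it: each CI build records the commit, artifact hash and component list behind it, and the checks then flag CI/CD audit-log entries and running hosts that cannot be traced to a recorded build, plus a lookup of where a component is running. The audit-log line format, the actor allow-list and all hashes, hosts and component names are assumptions built from constructed data.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BuildRecord:
    build_id: str
    commit: str             # source revision that produced the artifact
    artifact_sha256: str
    components: tuple       # (name, version) pairs shipped in the artifact
    change_ticket: str      # approval reference from the normal change process


class ProvenanceRegistry:
    """Maps an artifact hash back to what was built, from what, and under which change."""

    def __init__(self):
        self._by_hash = {}

    def record_build(self, build_id, commit, artifact: bytes, components, change_ticket):
        digest = hashlib.sha256(artifact).hexdigest()
        rec = BuildRecord(build_id, commit, digest, tuple(sorted(components)), change_ticket)
        self._by_hash[digest] = rec
        return rec

    def lookup(self, artifact_sha256):
        return self._by_hash.get(artifact_sha256)

    def where_is(self, component_name, running):
        """Hosts (and versions) running a component: the catalog that makes a new
        advisory actionable without guessing which hosts are affected."""
        hits = []
        for host, digest in running.items():
            rec = self.lookup(digest)
            if rec is None:
                continue
            hits.extend((host, ver) for name, ver in rec.components if name == component_name)
        return sorted(hits)


# Assumed audit-log line format written by the CI/CD system.
AUDIT_LINE = re.compile(
    r"^(?P<ts>\S+) deploy env=(?P<env>\S+) artifact=(?P<sha>[0-9a-f]{64}) actor=(?P<actor>\S+)$")


def audit_anomalies(log_lines, registry, allowed_actors=frozenset({"ci-deployer"})):
    """Production deploys that bypass the normal process: unknown artifacts or human actors."""
    anomalies = []
    for raw in log_lines:
        line = raw.strip()
        m = AUDIT_LINE.match(line)
        if not m:
            anomalies.append(f"UNPARSEABLE {line!r}")
            continue
        if m["env"] != "prod":
            continue
        if registry.lookup(m["sha"]) is None:
            anomalies.append(f"UNKNOWN_ARTIFACT {m['sha'][:12]} deployed by {m['actor']} at {m['ts']}")
        if m["actor"] not in allowed_actors:
            anomalies.append(f"MANUAL_DEPLOY by {m['actor']} at {m['ts']}")
    return anomalies


def production_drift(running, registry):
    """Hosts whose reported artifact hash has no build record (changed outside the pipeline)."""
    return [f"DRIFT {host}: running artifact {digest[:12]} has no build record"
            for host, digest in sorted(running.items()) if registry.lookup(digest) is None]


def build_sample():
    """Constructed scenario: one CI build, one production host patched by hand."""
    reg = ProvenanceRegistry()
    good = reg.record_build("b-101", "a1b2c3d", b"constructed artifact v101",
                            [("acme-http", "2.18.0"), ("acme-web", "0.12.2")], "CHG-2017-042")
    rogue = hashlib.sha256(b"hot-fixed on the box").hexdigest()   # never produced by CI
    log = [
        f"2017-06-07T13:30:00Z deploy env=prod artifact={good.artifact_sha256} actor=ci-deployer",
        f"2017-06-07T13:31:00Z deploy env=staging artifact={good.artifact_sha256} actor=ci-deployer",
        f"2017-06-07T22:15:00Z deploy env=prod artifact={rogue} actor=alice",
    ]
    running = {"web-1": good.artifact_sha256, "web-2": rogue}   # what the hosts report
    return reg, good, log, running


if __name__ == "__main__":
    reg, good, log, running = build_sample()
    for line in audit_anomalies(log, reg) + production_drift(running, reg):
        print(line)
    print("acme-web runs on:", reg.where_is("acme-web", running))
```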
Security Overview
Development and operations teams engineer infrastructure and application
Operations maintains continuous delivery process
Developers write and push code
Continuous integration server internally deploys code
• Docker run / VM provision
• Build
• Test
QA team evaluates the application for correctness
Continuous delivery process deploys code to production servers
Operations maintains production servers
Security Overview with Security Highlights
Development, operations, and security teams engineer infrastructure and application
Operations maintains continuous delivery process
Developers write and push code
Code push triggers security analysis via security controller
Continuous integration server internally deploys code
• Docker run / VM provision
• Build
• Test
• Automated security scan
QA team evaluates the application for correctness
Continuous delivery process deploys code to production servers
Operations maintains production servers
65
Secure DevOps Process & Implementation
Secure DevOps Anti-Patterns
DevOps Security Anti-Pattern: The Exception-1
You automate…
…builds
…functional tests
…deployment
…reporting
…the coffee machine
DevOps Security Anti-Pattern: The Exception-2
But security testing is still manual pen testing, done only on release.
Recommendations:
• Don’t leave security automation out of your DevOps automation strategy
- Automated security testing removes human error, infrequent execution, and excuses
• Don’t try to avoid open source with policies; it is coming whether you like it or not!
• InfoSec must maintain awareness of open source vulnerabilities and continuously check for them
DevOps Security Anti-Pattern: The Exception-3
There are great projects out there…
OWASP ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Gauntlt (“Be mean to your code and like it”): http://gauntlt.org/
DevOps Security Anti-Pattern: Multiverse
When environments are not the same, your app may never behave predictably.
Environment parity (between dev, test, and prod) is critical for controlling the opportunity for security gaps.
DevOps Security Anti-Pattern: Multiverse
Recommendations:
• Automate manual steps to the extent possible
• Make development environment parity a priority
• Get Ops involved in creating all environments, including Dev
• Focus on providing fast, easy-to-use automation tools for everyone, not just developers, to keep environments in sync
DevOps Security Anti-Pattern: Configurator
• Uncontrolled configuration changes will lead to an unmanageable, unpredictable, and unrepeatable solution
• Easy for information security to get out of sync; for example, one unmanaged change to DNS and you have a security hole.
Recommendations:
• Avoid the manual quick fix, particularly for configuration changes
• Put configuration files under configuration control
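The Multiverse and Configurator anti-patterns are two faces of one check: configuration that is supposed to match across environments, and configuration that is supposed to match what is committed. The block below is an added example, not code from the SEI deck. It treats the committed configuration of each environment as a flat key-value map, lists the keys that differ from prod without being declared environment-specific (parity), and compares a snapshot of what is actually running on prod against the committed copy (drift), with a stable fingerprint that can be stored with each deploy record. The snapshots, hostnames and resolver addresses are constructed; the DNS "quick fix" is the one the slide describes.

```python
"""Environment parity and configuration-drift checks for a deployment pipeline.

Added example, not code from the SEI deck. The configuration snapshots below are
constructed (hostnames and resolver addresses are placeholders); a real pipeline
would read the committed copies from version control and the running copies from
the hosts themselves.
"""
import hashlib
import json

# Committed configuration per environment, flattened to dotted keys (assumption).
COMMITTED = {
    "dev": {"app.debug": "true", "db.host": "db.dev.internal",
            "dns.resolver": "10.0.0.53", "tls.min_version": "1.2",
            "session.cookie_secure": "true"},
    "test": {"app.debug": "false", "db.host": "db.test.internal",
             "dns.resolver": "10.0.0.53", "tls.min_version": "1.2",
             "session.cookie_secure": "true"},
    "prod": {"app.debug": "false", "db.host": "db.prod.internal",
             "dns.resolver": "10.0.0.53", "tls.min_version": "1.2",
             "session.cookie_secure": "true"},
}

# Keys that legitimately differ per environment; every other key must match prod.
ENV_SPECIFIC = {"db.host"}

# Constructed snapshot of what is actually running on prod after two "quick fixes".
RUNNING_PROD = {**COMMITTED["prod"], "dns.resolver": "192.0.2.53", "tls.min_version": "1.0"}


def fingerprint(config):
    """Stable hash of a configuration; store it with the deploy record so a later
    snapshot can be compared without shipping the whole file around."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def drift(committed, running):
    """Keys whose running value differs from the committed value, plus keys that
    exist on only one side. Returns a sorted list of (key, committed, running)."""
    diffs = []
    for key in sorted(set(committed) | set(running)):
        if committed.get(key) != running.get(key):
            diffs.append((key, committed.get(key), running.get(key)))
    return diffs


def parity_gaps(environments=COMMITTED, env_specific=ENV_SPECIFIC, reference="prod"):
    """For every non-reference environment, list the keys that differ from the
    reference environment without being declared environment-specific."""
    ref = environments[reference]
    gaps = {}
    for name, cfg in environments.items():
        if name == reference:
            continue
        gaps[name] = [d for d in drift(ref, cfg) if d[0] not in env_specific]
    return gaps


def report(environments=COMMITTED, running_prod=RUNNING_PROD):
    """Print both checks and return True only when nothing needs attention."""
    clean = True
    for env, gaps in parity_gaps(environments).items():
        for key, ref_value, env_value in gaps:
            clean = False
            print(f"PARITY  {env}: {key}={env_value!r} but prod has {ref_value!r}")
    for key, committed, running in drift(environments["prod"], running_prod):
        clean = False
        print(f"DRIFT   prod: {key} committed={committed!r} running={running!r}")
    print("prod fingerprint committed", fingerprint(environments["prod"])[:16],
          "running", fingerprint(running_prod)[:16])
    return clean


if __name__ == "__main__":
    raise SystemExit(0 if report() else 1)
```

The parity check belongs in the pipeline so a dev-only setting such as `app.debug` cannot drift unnoticed, and the drift check belongs in monitoring: a fingerprint mismatch on a prod host is exactly the manual quick fix the slide warns about, and it surfaces as soon as the next comparison runs rather than at the next incident.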
DevOps Security Anti-Pattern: Infiltrator
He sneaks in… and alters production… but he works for you!
Recommendations:
• Set up roles and revoke administrative access to manually edit production
• Configure the prod environment to alert the entire team when it is manually accessed. Transparency is key.
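One way to implement the second recommendation, as an added example that is not code from the SEI deck: read the authentication log of the production hosts, treat the deploy account arriving from the CI runner as the only expected login, and raise an alert for every other login and for every privileged command, including the command line that shows what was edited. The log lines are constructed in syslog/sshd/sudo format; host names, user names, addresses and the key fingerprint are placeholders.

```python
"""Alert the whole team when production is touched by hand.

Added example, not code from the SEI deck. The log lines are constructed in
syslog/sshd/sudo format; host names, user names, addresses and the key
fingerprint are placeholders. The only sanctioned way into prod is the deploy
account arriving from the CI runner's address.
"""
import re

# Constructed auth log excerpt from two production hosts and one dev host.
SAMPLE_LOG = """\
Jun  7 13:31:02 prod-web-01 sshd[2211]: Accepted publickey for deploy from 10.0.5.10 port 51022 ssh2: RSA SHA256:PLACEHOLDER
Jun  7 13:40:17 prod-web-01 sshd[2290]: Accepted publickey for alice from 10.0.9.42 port 51133 ssh2: RSA SHA256:PLACEHOLDER
Jun  7 13:41:03 prod-web-01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vim /etc/app/app.conf
Jun  7 13:42:55 prod-web-01 sshd[2290]: Disconnected from user alice 10.0.9.42 port 51133
Jun  7 13:50:00 prod-web-02 sshd[1870]: Accepted publickey for deploy from 10.0.5.10 port 51500 ssh2: RSA SHA256:PLACEHOLDER
Jun  7 13:52:10 dev-web-01 sshd[3301]: Accepted publickey for bob from 10.0.9.77 port 40001 ssh2: RSA SHA256:PLACEHOLDER
"""

# Policy: (account, source address) pairs that may log in to prod unattended.
AUTOMATION = {("deploy", "10.0.5.10")}
PROD_HOST_PREFIX = "prod-"

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)"
)
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r".*?COMMAND=(?P<cmd>.+)$"
)


def detect(log_text, automation=AUTOMATION, prod_prefix=PROD_HOST_PREFIX):
    """Return one alert per manual login or privileged command on a prod host.

    Logins by an automation pair are expected and produce nothing; everything
    else on a prod host is surfaced, including the sudo commands that show what
    was actually changed.
    """
    automation_users = {user for user, _ in automation}
    alerts = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m and m["host"].startswith(prod_prefix):
            if (m["user"], m["ip"]) not in automation:
                alerts.append({"kind": "manual-login", "ts": m["ts"], "host": m["host"],
                               "user": m["user"],
                               "detail": f"from {m['ip']} via {m['method']}"})
            continue
        m = SUDO_RE.match(line)
        if m and m["host"].startswith(prod_prefix) and m["user"] not in automation_users:
            alerts.append({"kind": "privileged-command", "ts": m["ts"], "host": m["host"],
                           "user": m["user"], "detail": m["cmd"]})
    return alerts


def team_message(alerts):
    """Format alerts for the shared channel so the whole team sees them."""
    if not alerts:
        return "prod: no manual access observed"
    lines = [f"prod: {len(alerts)} manual access event(s)"]
    for a in alerts:
        lines.append(f"  {a['ts']} {a['host']} {a['kind']} by {a['user']}: {a['detail']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(team_message(detect(SAMPLE_LOG)))
```

Feed the output to the team chat or wiki the People slide calls for rather than to a security-only queue; the point of the recommendation is that a manual edit to production is visible to everyone, including the person who made it.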
DevOps Security Anti-Pattern: Survivor
We have all been there…
Intrusions overnight…
…cascading system failures…
…it’s all crashing…
…help…me..…
DevOps Security Anti-Pattern: Survivor-2
But you survive…
Glad it’s over. Going to go sleep for 18 hours… and then back to the normal cycle.
When do we analyze what went wrong?
How do we prevent similar failures in the future?
All failures must result in codified change to the DevOps process
Recommendations:
• Understand exactly what went wrong
• Never let the same failure happen twice
• Propagate fixes across the enterprise
• Ensure that you teach the next generation
DevOps Security Anti-Pattern: College Party
99% of Global 2000 companies will be using open source code in mission-critical apps by 2016
Do you know what’s in your app?
Code we wrote vs. code someone else wrote
DevOps Security Anti-Pattern: College Party-2
Recommendations:
• Infosec must enable constant (read: automated) checking for open source vulnerabilities
Ways to fail:
• Place infosec outside of the dev workflow
• When UI/UX, infosec, and accessibility requirements conflict and never get resolved
• Dictate policy to not use open source
• Document-driven checking is not going to catch
Prepare for what is coming…
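What "constant (read: automated) checking" looks like in the pipeline, as an added example that is not code from the SEI deck: parse the project's declared dependencies, compare each pinned version against an advisory feed, and flag both the versions that fall in an affected range and the packages that are not pinned at all, since an unpinned dependency cannot be judged and will change under you. The requirements file and the advisory feed are constructed; the advisory ids are placeholders and do not refer to real CVEs, and the version comparison is a simplified numeric one (assumption), not a full PEP 440 implementation.

```python
"""Automated check of declared dependencies against a vulnerability feed.

Added example, not code from the SEI deck. The requirements file and the
advisory feed below are constructed; the advisory ids are placeholders and do
not correspond to real CVEs. A real pipeline would pull the feed from a
vulnerability database and run this on every push.
"""
import re

# Constructed requirements.txt as a developer might commit it.
SAMPLE_REQUIREMENTS = """\
# web stack
flask==0.12.1
jinja2==2.9.5
requests>=2.10      # unpinned: cannot be evaluated against a feed
pyyaml==3.12
"""

# Constructed advisory feed: package -> list of (advisory id, affected ranges, fixed in).
# Each range is a list of (operator, version) terms that must all hold.
ADVISORIES = {
    "jinja2": [("ADV-PLACEHOLDER-1", [(">=", "2.0"), ("<", "2.10.1")], "2.10.1")],
    "pyyaml": [("ADV-PLACEHOLDER-2", [("<", "5.1")], "5.1")],
    "flask": [("ADV-PLACEHOLDER-3", [("<", "0.12")], "0.12")],
}

REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|>|<)?\s*([0-9][0-9A-Za-z.]*)?")
OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
       ">=": lambda c: c >= 0, "==": lambda c: c == 0}


def parse_version(text):
    """Turn '2.10.1' into (2, 10, 1); non-numeric parts compare as 0 (assumption)."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def _cmp(a, b):
    """Compare version tuples with trailing zeros ignored, so 2.0 == 2.0.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_affected(version, ranges):
    """True when the version satisfies every term of an affected range."""
    v = parse_version(version)
    return all(OPS[op](_cmp(v, parse_version(bound))) for op, bound in ranges)


def parse_requirements(text):
    """Return (name, operator, version) per requirement line, skipping comments."""
    reqs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if m:
            reqs.append((m.group(1).lower(), m.group(2), m.group(3)))
    return reqs


def check(requirements_text=SAMPLE_REQUIREMENTS, advisories=ADVISORIES):
    """Return findings: vulnerable pins, and unpinned packages that cannot be judged."""
    findings = []
    for name, op, version in parse_requirements(requirements_text):
        if op != "==" or version is None:
            findings.append({"package": name, "status": "unpinned",
                             "detail": f"{op or ''}{version or ''} cannot be evaluated; pin it"})
            continue
        for adv_id, ranges, fixed in advisories.get(name, []):
            if is_affected(version, ranges):
                findings.append({"package": name, "status": "vulnerable",
                                 "detail": f"{version} matches {adv_id}; upgrade to {fixed}"})
    return findings


if __name__ == "__main__":
    for f in check():
        print(f"{f['status'].upper():<10} {f['package']}: {f['detail']}")
    raise SystemExit(1 if check() else 0)
```

Because it runs on the committed requirements file rather than on a document, the check cannot be skipped the way a policy can, and a new advisory is caught at the next push instead of at the next audit.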
DevOps Security Anti-Pattern: Skydiver
Once you jump, you can’t return to the plane. You are committed. Permanently.
This is not how we should model our deployments.
Recommendations:
• Rollback is essential; never be left without an escape route to completely working software
• Strive for approaches that support “one button” rollback (e.g., feature flags or A/B)
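One deployment shape that always keeps an escape route, as an added example that is not code from the SEI deck or from the SLS sample project (which deploys with Fabric): every release goes into its own directory, a single `current` symlink points at the live one, and switching or rolling back is one atomic pointer swap. If the post-deploy health check fails, the pointer is moved back to the previous release before anyone has to decide anything. Paths, release contents and the health check are constructed stand-ins.

```python
"""Deploy with an always-available escape route: releases directory plus a
`current` symlink, so rollback is one atomic pointer swap.

Added example, not code from the SEI deck or from the SLS sample project
(which uses Fabric). Paths and release contents are constructed; the health
check is a stand-in for whatever smoke test the pipeline already runs.
"""
import os
import shutil
import tempfile
from pathlib import Path


def _point(link, target):
    """Atomically repoint `link` at `target` via a temporary symlink and rename."""
    tmp = link.with_name(link.name + ".tmp")
    if tmp.is_symlink():
        tmp.unlink()
    os.symlink(target, tmp)
    os.replace(tmp, link)  # rename over the old link: readers never see a gap


def active_release(root):
    """Name of the release `current` points at, or None before the first deploy."""
    link = Path(root) / "current"
    return Path(os.readlink(link)).name if link.is_symlink() else None


def deploy(root, version, files, health_check):
    """Unpack `files` as a new release, switch `current` to it, and verify.

    If the health check fails, `current` is switched back to the previous
    release and the broken release is removed. Returns (active, rolled_back).
    A first deploy that fails leaves no `current` at all rather than a
    half-working one.
    """
    root = Path(root)
    releases = root / "releases"
    releases.mkdir(parents=True, exist_ok=True)
    new = releases / version
    new.mkdir()
    for name, content in files.items():
        (new / name).write_text(content)

    previous = active_release(root)
    _point(root / "current", new)
    if health_check(new):
        return version, False

    if previous is None:
        (root / "current").unlink()
    else:
        _point(root / "current", releases / previous)
    shutil.rmtree(new)
    return previous, True


def healthz(release_dir):
    """Stand-in smoke test: the release must ship a healthz file that says ok."""
    marker = Path(release_dir) / "healthz"
    return marker.exists() and marker.read_text().strip() == "ok"


def demo():
    """Good release, then a broken one that is rolled back automatically."""
    with tempfile.TemporaryDirectory() as root:
        first = deploy(root, "v1.0.0", {"app.py": "print('v1')", "healthz": "ok"}, healthz)
        second = deploy(root, "v1.1.0", {"app.py": "print('v1.1')", "healthz": "fail"}, healthz)
        remaining = sorted(p.name for p in (Path(root) / "releases").iterdir())
        return first, second, active_release(root), remaining


if __name__ == "__main__":
    print(demo())
```

The same pointer swap is the "one button" the slide asks for: an operator (or an alert) can move `current` back to any retained release without rebuilding anything, and the retained releases are the escape route to completely working software.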
SLS team GitHub Projects
• One Click DevOps deployment
https://github.com/SLS-ALL/devops-voltron
• Sample app with DevOps Process
https://github.com/SLS-ALL/flask_api_sample
• Tagged checkpoints
• v0.1.0: base Flask project
• v0.2.0: Vagrant development configuration
• v0.3.0: Test environment and Fabric deployment
• v0.4.0: Upstart services, external configuration files
• v0.5.0: Production environment
• On YouTube:
https://www.youtube.com/watch?v=5nQlJ-FWA5A
For more information…
SEI DevOps Blog
https://insights.sei.cmu.edu/devops
Contact Information
Hasan Yasar
Technical Manager,
Secure Lifecycle Solutions
hyasar@sei.cmu.edu
@securelifecycle
Web Resources (CERT/SEI)
http://www.cert.org/
http://www.sei.cmu.edu/

More Related Content

PPTX
How to get the best out of DevSecOps - a security perspective
PDF
The New Security Playbook: DevSecOps
PDF
Scale DevSecOps with your Continuous Integration Pipeline
PDF
DevOps or DevSecOps
PDF
Webinar – Risk-based adaptive DevSecOps
PDF
Dos and Don'ts of DevSecOps
PPTX
Secure DevOPS Implementation Guidance
PDF
DevOps & DevSecOps in Swiss Banking
How to get the best out of DevSecOps - a security perspective
The New Security Playbook: DevSecOps
Scale DevSecOps with your Continuous Integration Pipeline
DevOps or DevSecOps
Webinar – Risk-based adaptive DevSecOps
Dos and Don'ts of DevSecOps
Secure DevOPS Implementation Guidance
DevOps & DevSecOps in Swiss Banking

What's hot (20)

PDF
Zero to Ninety in Securing DevOps
PDF
The DevSecOps Builder’s Guide to the CI/CD Pipeline
PDF
The Emergent Cloud Security Toolchain for CI/CD
PDF
Introduction to DevSecOps
PPTX
ABN AMRO DevSecOps Journey
PPTX
DevSecOps reference architectures 2018
PPTX
DevSecOps without DevOps is Just Security
PDF
DevSecOps at the GSA
PPT
DevSecOps Singapore introduction
PDF
DevSecOps: essential tooling to enable continuous security 2019-09-16
PDF
DevSecOps and the CI/CD Pipeline
PPTX
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
DOCX
10 things to get right for successful dev secops
PDF
Shift Risk Left: Security Considerations When Migrating Apps to the Cloud
PDF
Bridging the Security Testing Gap in Your CI/CD Pipeline
PPTX
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
PDF
Real Cost of Software Remediation
PDF
Top 10 Practices of Highly Successful DevOps Incident Management Teams
PDF
Microsoft DevOps Forum 2021 – DevOps & Security
Zero to Ninety in Securing DevOps
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The Emergent Cloud Security Toolchain for CI/CD
Introduction to DevSecOps
ABN AMRO DevSecOps Journey
DevSecOps reference architectures 2018
DevSecOps without DevOps is Just Security
DevSecOps at the GSA
DevSecOps Singapore introduction
DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps and the CI/CD Pipeline
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
10 things to get right for successful dev secops
Shift Risk Left: Security Considerations When Migrating Apps to the Cloud
Bridging the Security Testing Gap in Your CI/CD Pipeline
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
Real Cost of Software Remediation
Top 10 Practices of Highly Successful DevOps Incident Management Teams
Microsoft DevOps Forum 2021 – DevOps & Security
Ad

Similar to Integrate Security into DevOps (20)

PPTX
Applying DevOps Principles to Address Dynamic Changes in Cyber Security
PDF
Integrating DevOps and Security
PDF
DevSecOps: The Open Source Way
PPTX
BsidesMCR_2016-what-can-infosec-learn-from-devops
PDF
DevSecOps: The Open Source Way
PDF
4 approaches to integrate dev secops in development cycle
PDF
Building Security Into Your Cloud IT Practices
PPTX
Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
PPTX
How to Get Started with DevSecOps
PDF
Pragmatic Pipeline Security
PDF
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
PPTX
Engineering DevOps and Cloud
PPTX
DevOps to DevSecOps: Enhancing Software Security Throughout The Development L...
PDF
Security's DevOps Transformation
PPTX
The Journey to DevSecOps
PPTX
The Journey to DevSecOps
PDF
The What, Why, and How of DevSecOps
PDF
5 principles-securing-devops-veracode-whitepaper
PDF
From DevOps to DevSecOps: Evolution of Secure Software Development
PPTX
OWASP Bay Area Meetup - DevSecOps the Kubernetes Way
Applying DevOps Principles to Address Dynamic Changes in Cyber Security
Integrating DevOps and Security
DevSecOps: The Open Source Way
BsidesMCR_2016-what-can-infosec-learn-from-devops
DevSecOps: The Open Source Way
4 approaches to integrate dev secops in development cycle
Building Security Into Your Cloud IT Practices
Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
How to Get Started with DevSecOps
Pragmatic Pipeline Security
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
Engineering DevOps and Cloud
DevOps to DevSecOps: Enhancing Software Security Throughout The Development L...
Security's DevOps Transformation
The Journey to DevSecOps
The Journey to DevSecOps
The What, Why, and How of DevSecOps
5 principles-securing-devops-veracode-whitepaper
From DevOps to DevSecOps: Evolution of Secure Software Development
OWASP Bay Area Meetup - DevSecOps the Kubernetes Way
Ad

More from TechWell (20)

PDF
Failing and Recovering
PDF
Instill a DevOps Testing Culture in Your Team and Organization
PDF
Test Design for Fully Automated Build Architecture
PDF
System-Level Test Automation: Ensuring a Good Start
PDF
Build Your Mobile App Quality and Test Strategy
PDF
Testing Transformation: The Art and Science for Success
PDF
Implement BDD with Cucumber and SpecFlow
PDF
Develop WebDriver Automated Tests—and Keep Your Sanity
PDF
Ma 15
PDF
Eliminate Cloud Waste with a Holistic DevOps Strategy
PDF
Transform Test Organizations for the New World of DevOps
PDF
The Fourth Constraint in Project Delivery—Leadership
PDF
Resolve the Contradiction of Specialists within Agile Teams
PDF
Pin the Tail on the Metric: A Field-Tested Agile Game
PDF
Agile Performance Holarchy (APH)—A Model for Scaling Agile Teams
PDF
A Business-First Approach to DevOps Implementation
PDF
Databases in a Continuous Integration/Delivery Process
PDF
Mobile Testing: What—and What Not—to Automate
PDF
Cultural Intelligence: A Key Skill for Success
PDF
Turn the Lights On: A Power Utility Company's Agile Transformation
Failing and Recovering
Instill a DevOps Testing Culture in Your Team and Organization
Test Design for Fully Automated Build Architecture
System-Level Test Automation: Ensuring a Good Start
Build Your Mobile App Quality and Test Strategy
Testing Transformation: The Art and Science for Success
Implement BDD with Cucumber and SpecFlow
Develop WebDriver Automated Tests—and Keep Your Sanity
Ma 15
Eliminate Cloud Waste with a Holistic DevOps Strategy
Transform Test Organizations for the New World of DevOps
The Fourth Constraint in Project Delivery—Leadership
Resolve the Contradiction of Specialists within Agile Teams
Pin the Tail on the Metric: A Field-Tested Agile Game
Agile Performance Holarchy (APH)—A Model for Scaling Agile Teams
A Business-First Approach to DevOps Implementation
Databases in a Continuous Integration/Delivery Process
Mobile Testing: What—and What Not—to Automate
Cultural Intelligence: A Key Skill for Success
Turn the Lights On: A Power Utility Company's Agile Transformation

Recently uploaded (20)

PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
PPTX
Reimagine Home Health with the Power of Agentic AI​
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
PDF
Softaken Excel to vCard Converter Software.pdf
PDF
System and Network Administraation Chapter 3
PDF
medical staffing services at VALiNTRY
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
PDF
Designing Intelligence for the Shop Floor.pdf
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
PPTX
Introduction to Artificial Intelligence
PPTX
Computer Software and OS of computer science of grade 11.pptx
PDF
wealthsignaloriginal-com-DS-text-... (1).pdf
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
PPTX
ai tools demonstartion for schools and inter college
PPTX
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
PDF
Design an Analysis of Algorithms II-SECS-1021-03
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
Navsoft: AI-Powered Business Solutions & Custom Software Development
Reimagine Home Health with the Power of Agentic AI​
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
Softaken Excel to vCard Converter Software.pdf
System and Network Administraation Chapter 3
medical staffing services at VALiNTRY
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Designing Intelligence for the Shop Floor.pdf
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
Introduction to Artificial Intelligence
Computer Software and OS of computer science of grade 11.pptx
wealthsignaloriginal-com-DS-text-... (1).pdf
How to Migrate SBCGlobal Email to Yahoo Easily
Internet Downloader Manager (IDM) Crack 6.42 Build 41
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
ai tools demonstartion for schools and inter college
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
Design an Analysis of Algorithms II-SECS-1021-03
Adobe Illustrator 28.6 Crack My Vision of Vector Design

Integrate Security into DevOps

  • 1. DW4 DevOps Design & Architecture 6/7/2017 1:30:00 PM DW4 Integrate Security into DevOps Presented by: Hasan Yasar Software Engineering Institute Brought to you by: 350 Corporate Way, Suite 400, Orange Park, FL 32073 888-­‐268-­‐8770 ·∙ 904-­‐278-­‐0524 - info@techwell.com - https://www.techwell.com/
  • 2. Hasan Yasar Software Engineering Institute Hasan Yasar is the technical manager of the secure lifecycle solutions group at the Software Engineering Institute (SEI). Hasan leads an engineering group tasked with developing prototype solutions with associated DevOps processes while providing expertise and guidance to SEI's clients. He has more than twenty-five years' experience as senior security engineer, software architect, and manager in all phases of secure software development. Hasan specializes in secure software solutions design and development in the cyber security domain including data- driven investigation and collaborative incident management, network security assessment, and automated large-scale malware analysis. He is an adjunct faculty member at CMU Heinz College and Institute of Software Research.
  • 3. 1 Integrate Security into DevOps June 7th 2017 © 2017 Carnegie Mellon University [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimiteddistribution. Please see Copyright notice for non-US Governmentuse and distribution. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Integrate Security into DevOps Hasan Yasar Technical Manager CERT | Secure Lifecycle Solutions Group 2017
  • 4. 2 Integrate Security into DevOps June 7th 2017 © 2017 Carnegie Mellon University [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimiteddistribution. Please see Copyright notice for non-US Governmentuse and distribution. Notices Copyright 2017 Carnegie Mellon University. All Rights Reserved. This material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon® and CERT® are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University. DM17-0273
  • 5. 3 Integrate Security into DevOps June 7th 2017 © 2017 Carnegie Mellon University [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimiteddistribution. Please see Copyright notice for non-US Governmentuse and distribution. Agenda - Content • DevOps p3 • DevOps and Security • Platform Security • AppSec - Secure DevOps • DevOps Anti-Patterns
  • 6. 4 Integrate Security into DevOps June 7th 2017 © 2017 Carnegie Mellon University [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimiteddistribution. Please see Copyright notice for non-US Governmentuse and distribution. Last Minute Security.. https://dzone.com/articles/last-minute-security-comic
  • 7. 5 Integrate Security into DevOps June 7th 2017 © 2017 Carnegie Mellon University [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimiteddistribution. Please see Copyright notice for non-US Governmentuse and distribution. DevOps p3 Integrate Security into DevOps
  • 8. 6 Integrate Security into DevOps June 7th 2017 © 2017 Carnegie Mellon University [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimiteddistribution. Please see Copyright notice for non-US Governmentuse and distribution. People Heavy collaboration between all stakeholders • Secure Design / Architecture decisions • Secure Environment / Network configuration • Secure Deployment planning • Secure Code Review Constantly available open communication channels: • Dev and OpSec together in all project decision meeting • Chat/e-mail/Wiki services available to all team members
  • 9. 7 Integrate Security into DevOps June 7th 2017 © 2017 Carnegie Mellon University [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimiteddistribution. Please see Copyright notice for non-US Governmentuse and distribution. Process Establish a process to enable people to succeed using the platform to develop secure application Such that; • Constant communication and visible to all • Ensures that tasks are testable and repeatable • Frees up human experts to do challenging, creative work • Allows tasks to be performed with minimal effort or cost • Creates confidence in task success, after past repetitions • Faster deployment , frequent quality release
  • 10. 8 Integrate Security into DevOps June 7th 2017 © 2017 Carnegie Mellon University [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimiteddistribution. Please see Copyright notice for non-US Governmentuse and distribution. Platform Where people use process to build secure software • Automated environment creation and provisioning • Automated infrastructure testing • Parity between Development, QA, Staging, and Production environments • Sharing and versioning of environmental configurations • Collaborative environment between all stakeholders
  • 11. 9 Integrate Security into DevOps June 7th 2017 © 2017 Carnegie Mellon University [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimiteddistribution. Please see Copyright notice for non-US Governmentuse and distribution. • Release configuration and release software (e.g., Puppet, Chef) • Scripts and code used to release software (e.g., Python scripts) • Servers, network or other infrastructure that support release tools • Software and tools to support developer self-service operations • External test frameworks (e.g., Jersey Test Framework) • External operational monitoring and log mining tools (e.g., Splunk) • Source code repositories (e.g., Git) • Issue tracking systems (e.g., JIRA) • Container driven tools (e.g., Docker) • Rqmts mgmt. (Doors, Blueprint) • Infrastructure and cloud providers • IDEs integrated DevOps process DevOps Pipeline Tool Landscape Complexity (~180 tools) Traceability(issuetracking) Infrastructure Version Control Continous Integration Testing and Metrics RapidDeployment Operations Supports
  • 12. 10 Integrate Security into DevOps June 7th 2017 © 2017 Carnegie Mellon University [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimiteddistribution. Please see Copyright notice for non-US Governmentuse and distribution. Engineering the Deployment Pipeline is a challenge • If pipeline is not engineered, it may require extensive effort integrate tools and share data across the pipeline • Key questions related to designing the integrated pipeline include: - Who owns the integrated deployment pipeline? - How/what to measure/monitor to assess pipeline health? - What are the key qualities attributes teams should look for as they select tools for pipeline integration? • Whether designing or buying it is important to understand the end-to-end requirements (e.g., workflow visibility)
  • 13. 11 Integrate Security into DevOps June 7th 2017 © 2017 Carnegie Mellon University [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimiteddistribution. Please see Copyright notice for non-US Governmentuse and distribution. Integrated Pipeline Key Quality Attributes Discussion Question: Which of these qualities do you think might be important when selecting tools for the continuous delivery pipeline? • Integrate-ability • Interoperability • Usability • Portability • Resilience • Security/Permissions • Availability (Error handling) • Scalability • Performance • Modifiability • Configurability • “Automate-ability” (of manual tasks) • “Approvability” (allows for manual approval) • Measurability? • Other?
  • 14. 12 Integrate Security into DevOps June 7th 2017 © 2017 Carnegie Mellon University [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimiteddistribution. Please see Copyright notice for non-US Governmentuse and distribution. Integrated Pipeline - General
  • 15. 13 Integrate Security into DevOps June 7th 2017 © 2017 Carnegie Mellon University [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimiteddistribution. Please see Copyright notice for non-US Governmentuse and distribution. Integrated Pipeline – With Tooling
  • 16. 14 Integrate Security into DevOps June 7th 2017 © 2017 Carnegie Mellon University [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimiteddistribution. Please see Copyright notice for non-US Governmentuse and distribution.
  • 17. 15 Integrate Security into DevOps June 7th 2017 © 2017 Carnegie Mellon University [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimiteddistribution. Please see Copyright notice for non-US Governmentuse and distribution. Human actions/inputs to the software development process
  • 18. 16 Integrate Security into DevOps June 7th 2017 © 2017 Carnegie Mellon University [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimiteddistribution. Please see Copyright notice for non-US Governmentuse and distribution. Actions performed by autonomous systems
  • 19. 17 Integrate Security into DevOps June 7th 2017 © 2017 Carnegie Mellon University [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimiteddistribution. Please see Copyright notice for non-US Governmentuse and distribution. DevOps and Security Secure DevOps Process & Implementation
  • 20. 18 Integrate Security into DevOps June 7th 2017 © 2017 Carnegie Mellon University [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimiteddistribution. Please see Copyright notice for non-US Governmentuse and distribution. DevOps and Security
  • 21. 19 Integrate Security into DevOps June 7th 2017 © 2017 Carnegie Mellon University [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimiteddistribution. Please see Copyright notice for non-US Governmentuse and distribution. DevOps and Security
  • 22. 20 Integrate Security into DevOps June 7th 2017 © 2017 Carnegie Mellon University [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimiteddistribution. Please see Copyright notice for non-US Governmentuse and distribution. Rugged{Secure}Dev{Sec}Ops • DevOps is a Risk Mitigation strategy, built on Situational Awareness, Automation, and Repetition • But security is where a lot of DevOps implementations fall down • Goal: • Protecting private user data • Restricting access to data / systems • Protecting company data / IP • Standards compliance • Safeguarding disposition / transition
  • 23. 21 Integrate Security into DevOps June 7th 2017 © 2017 Carnegie Mellon University [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimiteddistribution. Please see Copyright notice for non-US Governmentuse and distribution. The Rugged Manifesto I am rugged and, more importantly, my code is rugged. I recognize that software has become a foundation of our modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged. I am rugged because I refuse to be a source of vulnerability or weakness. I am rugged because I assure my code will support its mission. I am rugged because my code can face these challenges and persist in spite of them. I am rugged, not because it is easy, but because it is necessary and I am up for the challenge.
  • 24. 22 Integrate Security into DevOps June 7th 2017 © 2017 Carnegie Mellon University [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimiteddistribution. Please see Copyright notice for non-US Governmentuse and distribution. Rugged Continued … Culture – NOT a tool, SDLC, or org structure Rugged != Secure - secure is only an instant in time Proactive security is better than reactive – Reactive will fail eventually
  • 25. 23 Integrate Security into DevOps June 7th 2017 © 2017 Carnegie Mellon University [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimiteddistribution. Please see Copyright notice for non-US Governmentuse and distribution. Team Composition Developers • Features • Quality Attributes • Efficiency • Performance • Users • Authentication • Authorization IT Ops • Deployment • Maintenance • Updates • Change policy • Failure • Data loss • Risk prevention QA • Testable • Issue tracking • Bug Reports • Usability • Help Desk Security Team • Data Privacy • Intrusion detection • Threat vectors • CVEs • Package security • Authentication • Authorization • Security Standards Compliance
  • 26. DevOps: Multiple Team Integrations
  • 27. DevOps: Multiple Team Integrations + With Security Team
  • 29. Platform Security in DevOps
  • 30. Deployment Pipeline & Dependencies
    • Deployment Pipeline
      - Development Environment
      - Scripting / Automation
      - Integration and configuration
      - Build Servers
      - Monitoring
      - Code Repositories
      - Container Security
    • Supply Chain / Dependencies
      - 3rd party libraries
      - Vulnerability analysis
      - Trusted sources
      - Open source software
      - Code Snippets
      - Application-ready frameworks
  • 31. Evolution of software development
    Custom development – context:
      • Software was limited
        - Size
        - Function
        - Audience
      • Each organization employed developers
      • Each organization created their own software
      Supply chain: practically none
    Shared development – ISVs (COTS) – context:
      • Function largely understood
        - Automating existing processes
      • Grown beyond ability for using organization to develop economically
      • Outside of core competitiveness by acquirers
      Supply chain: software supplier
  • 32. Development is now assembly
    (Figure: hypothetical application composition – General Ledger, SQL Server, WebSphere, HTTP server, XML Parser, Oracle DB, SIP servlet container, GIF library)
    Collective development – context:
      • Too large for single organization
      • Too much specialization
      • Too little value in individual components
    Supply chain: long
  • 33. Software supply chain for assembled software
    Expanding the scope and complexity of acquisition and deployment
    Visibility and direct controls are limited (only in shaded area)
    Source: “Scope of Supplier Expansion and Foreign Involvement” graphic in DACS www.softwaretechnews.com Secure Software Engineering, July 2005 article “Software Development Security: A Risk Management Perspective”, synopsis of May 2004 GAO-04-678 report “Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks”
  • 34. Substantial open source and 3rd party apps contained in supply chain
    • 90% of modern applications are assembled from 3rd party components
    • At least 75% of organizations rely on open source as the foundation of their applications
    • Most applications are now assembled from hundreds of open source components, often reflecting as much as 90% of an application
    Distributed development – context:
      • Amortize expense
      • Outsource non-differential features
      • Lower acquisition (CapEx) expense
    Supply chain: opaque
    Sources: Geer and Corman, “Almost Too Big To Fail,” ;login: (Usenix), Aug 2014; Sonatype, 2014 open source development and application security survey
  • 35. Reducing the Supply Chain Risk
    • Open source software usage policy
    • Supplier resource management
    • Apply policy and management through the DevOps pipeline
    • Automate and monitor dependency management
    • Track the build and deploy dependencies list
    • Apply newly discovered vulnerabilities to the build and deployment process
    • Continuous training, and monitoring of developer activities
  • 36. Supply Chain Hygiene: Recommendations
    • Supplier security commitment evidence
      - Supplier employees are educated as to security engineering practices
      - Supplier follows suitable security design practices
    • Evaluate a product’s threat resistance
      - What product characteristics minimize opportunities to enter and change the product’s security characteristics?
    • Create a centralized private repository of vetted 3rd party components for all developers
    • Establish good product distribution practices
    • Recognize that supply chain risks are accumulated
      - Monitor for new vulnerabilities and know where they are in the enterprise to fix
      - Minimize variation of components to make things easier (multiple versions, duplicated utility)
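The "Reducing the Supply Chain Risk" and "Supply Chain Hygiene" slides above describe a gate the pipeline can run on every build; the following is an added example of that gate, not code from the SEI deck or its projects. It checks each pinned dependency against a vetted-component catalogue (the centralized private repository), a vulnerability catalogue with affected version ranges, and flags one component pinned at several versions. The package names, catalogues and manifest are constructed sample data, not real advisories.

```python
"""Added example, not from the SEI deck: a build-time supply-chain gate.
Every dependency must be a version vetted into the private repository,
must not fall in a known vulnerable range, and the build should not carry
the same component at several versions. All catalogue data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    name: str
    version: tuple  # (major, minor, patch)


def parse_version(text):
    """'1.2.3' -> (1, 2, 3); missing trailing parts default to 0."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def parse_manifest(text):
    """Parse a constructed 'name==version' lockfile, one pin per line.
    '#' comments and blank lines are ignored; an unpinned entry is an
    error, because an unpinned build cannot be tracked or reproduced."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned dependency: {line!r}")
        deps.append(Dependency(name.strip().lower(), parse_version(version.strip())))
    return deps


# Constructed vetted-component catalogue (the private repository): name -> approved versions.
VETTED = {
    "webfw": {(1, 0, 0), (1, 1, 0)},
    "tmplengine": {(2, 10, 0)},
    "httpclient": {(2, 18, 4), (2, 20, 0)},
    "yamlparse": {(3, 12, 0)},
}

# Constructed vulnerability catalogue: an entry affects versions v with affected <= v < fixed.
VULNS = [
    {"id": "CONSTRUCTED-0001", "name": "yamlparse", "affected": (0, 0, 0), "fixed": (4, 1, 0)},
    {"id": "CONSTRUCTED-0002", "name": "httpclient", "affected": (2, 0, 0), "fixed": (2, 20, 0)},
]


def evaluate(deps, vetted=VETTED, vulns=VULNS):
    """Return findings grouped by kind; all lists empty means the gate passes."""
    findings = {"unvetted": [], "vulnerable": [], "variation": []}
    versions_seen = {}
    for d in deps:
        label = f"{d.name}=={'.'.join(map(str, d.version))}"
        versions_seen.setdefault(d.name, set()).add(d.version)
        if d.version not in vetted.get(d.name, set()):
            findings["unvetted"].append(label)
        for v in vulns:
            if v["name"] == d.name and v["affected"] <= d.version < v["fixed"]:
                findings["vulnerable"].append(f"{label}: {v['id']}")
    # Minimize variation: one component pinned at two versions doubles the patch work.
    findings["variation"] = sorted(n for n, vs in versions_seen.items() if len(vs) > 1)
    return findings


def gate_passes(findings):
    return not any(findings.values())


def run_gate(manifest_text):
    """Parse a manifest and return (passed, findings) for the CI job to act on."""
    findings = evaluate(parse_manifest(manifest_text))
    return gate_passes(findings), findings


# Constructed build manifest: a service plus a bundled admin tool.
SAMPLE_MANIFEST = """
webfw==1.0.0
tmplengine==2.10.0
httpclient==2.18.4
yamlparse==3.12          # vetted, but now in a known vulnerable range
httpclient==2.20.0       # the admin tool pins a second version
leftpadding==1.0.0       # never vetted into the private repository
"""
```

Running `run_gate(SAMPLE_MANIFEST)` fails the build with one unvetted component, two vulnerable pins and one component at two versions; in a pipeline the findings dict is what gets persisted with the build record.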
  • 37. AppSec and DevOps
  • 39. Microsoft Secure Development Lifecycle (SDL)
  • 40. Development Lifecycle
  • 41. Dev Lifecycle + Business (Enhancing the SDLC)
  • 42. DevOps Lifecycle (Enhancing the SDLC)
  • 43. Where are opportunities for security processes?
  • 44. DevOps Lifecycle: Threat Modeling, Security as a quality attribute (Enhancing SDLC Security)
  • 45. DevOps Lifecycle: Secure / hardened environments (Enhancing SDLC Security)
  • 46. DevOps Lifecycle: Security-focused code review (Enhancing SDLC Security)
  • 47. DevOps Lifecycle: Automated Security Testing (Static analysis, etc.) (Enhancing SDLC Security)
  • 48. DevOps Lifecycle: More Security Testing (Pen Testing, Fuzz Testing) (Enhancing SDLC Security)
  • 49. DevOps Lifecycle: Security review / acceptance testing (Enhancing SDLC Security)
  • 50. Secure DevOps Lifecycle (Enhancing SDLC Security)
  • 51. Security must be addressed without breaking the rapid delivery, continuous feedback model
  • 52. Secure DevOps Lifecycle: Devs (Enhancing SDLC Security)
  • 58. Secure DevOps Lifecycle: Devs, Constant Feedback to Dev (Enhancing SDLC Security)
  • 59. Secure DevOps Lifecycle (Enhancing SDLC Security)
  • 60. Secure DevOps Lifecycle (Enhancing SDLC Security)
    • Pausing for manual steps is typical
    • Optimize the manual work!
    • Persist the output of any tools / work
  • 61. Post-Production Monitoring
    • Monitor audit logs produced by CI/CD for anomalies
    • Monitor production applications to assure nothing changes outside of the normal change process
    • Monitor for new vulnerabilities / threats (a catalog of running components helps!)
  • 62. Automation (CI/CD) and Security
    Not everything can be, needs to be, or should be, automated
      • Draw perimeters around things you trust and let that guide where human interaction and verification is needed
    Keep track of security assessments
    Regimented code management
      • Know what source code contributed to a build that’s in production so patches are fast and confident
    Perform static analysis where possible
  • 63. Security Overview
    • Development and operations teams engineer infrastructure and application
    • Operations maintains continuous delivery process
    • Developers write and push code
    • Continuous integration server internally deploys code
      - Docker run / VM provision
      - Build
      - Test
    • QA team evaluates the application for correctness
    • Continuous delivery process deploys code to production servers
    • Operations maintains production servers
  • 64. Security Overview with Security Highlights
    • Development, operations, and security teams engineer infrastructure and application
    • Operations maintains continuous delivery process
    • Developers write and push code
    • Continuous integration server internally deploys code
      - Docker run / VM provision
      - Build
      - Test
    • QA team evaluates the application for correctness
    • Continuous delivery process deploys code to production servers
    • Operations maintains production servers
  • 65. Security Overview with Security Highlights
    • Development, operations, and security teams engineer infrastructure and application
    • Operations maintains continuous delivery process
    • Developers write and push code
    • Code push triggers security analysis via security controller
    • Continuous integration server internally deploys code
      - Docker run / VM provision
      - Build
      - Test
    • QA team evaluates the application for correctness
    • Continuous delivery process deploys code to production servers
    • Operations maintains production servers
  • 66. Security Overview with Security Highlights
    • Development, operations, and security teams engineer infrastructure and application
    • Operations maintains continuous delivery process
    • Developers write and push code
    • Code push triggers security analysis via security controller
    • Continuous integration server internally deploys code
      - Docker run / VM provision
      - Build
      - Test
      - Automated security scan
    • QA team evaluates the application for correctness
    • Continuous delivery process deploys code to production servers
    • Operations maintains production servers
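The "security controller" that a code push triggers on the slides above is only named, not shown; the following is an added example of what such a controller does, not code from the SEI deck or its projects. It selects automated checks from the files a push changed, scores their findings against a severity policy, and persists the whole record (the "persist the output of any tools" point from slide 60). The file patterns, policy thresholds and scanners are assumptions; the scanners are stand-ins that return constructed findings rather than real tool output.

```python
"""Added example, not from the SEI deck: a minimal security controller for
a CI pipeline. Routes changed files to checks, applies a severity policy,
and persists the result so the CI server can allow or block the deploy.
Scanners are stand-ins with constructed findings, not real tools."""
import json
from datetime import datetime, timezone

# Routing: which check a changed path triggers (patterns are assumptions).
ROUTES = [
    (lambda p: p.endswith((".py", ".js", ".java")), "static_analysis"),
    (lambda p: p.endswith(("requirements.txt", "package.json", "pom.xml")), "dependency_scan"),
    (lambda p: p.rsplit("/", 1)[-1] == "Dockerfile", "container_scan"),
]

# Policy: the highest severity a check may report and still pass.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
POLICY = {"static_analysis": "medium", "dependency_scan": "low", "container_scan": "medium"}


def select_checks(changed_files):
    """Return the sorted set of checks the changed files require."""
    return sorted({check for path in changed_files for match, check in ROUTES if match(path)})


def stand_in_scanners():
    """Constructed scanner results: one injection-style finding per Python
    file and one 'container runs as root' finding per Dockerfile."""
    return {
        "static_analysis": lambda files: [
            {"file": f, "severity": "high", "rule": "CONSTRUCTED-sql-injection"}
            for f in files if f.endswith(".py")],
        "dependency_scan": lambda files: [],
        "container_scan": lambda files: [
            {"file": f, "severity": "medium", "rule": "CONSTRUCTED-root-user"}
            for f in files if f.endswith("Dockerfile")],
    }


def evaluate(check, findings, policy=POLICY):
    """Split a check's findings into blocking and tolerated per the policy."""
    limit = SEVERITY[policy[check]]
    blocking = [f for f in findings if SEVERITY[f["severity"]] > limit]
    return {"check": check, "findings": findings, "blocking": blocking, "passed": not blocking}


def handle_push(commit, changed_files, scanners, sink):
    """Run the selected checks for one push and persist the record to `sink`
    (a list here; an artifact store or audit log in a real pipeline)."""
    checks = select_checks(changed_files)
    results = [evaluate(c, scanners[c](changed_files)) for c in checks]
    record = {
        "commit": commit,
        "run_at": datetime.now(timezone.utc).isoformat(),
        "checks": results,
        "deploy_allowed": all(r["passed"] for r in results),
    }
    sink.append(json.dumps(record))  # persist the output of every tool run
    return record


# Constructed push: a view change, a Dockerfile change and a docs-only change.
SAMPLE_PUSH = ("constructed-commit-1", ["app/views.py", "Dockerfile", "docs/README.md"])
```

For `SAMPLE_PUSH` the container scan passes (medium is within policy) while the static analysis blocks on a high finding, so the record is persisted with `deploy_allowed` false; a docs-only push selects no checks at all.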
  • 67. Secure DevOps Anti-Patterns
  • 68. DevOps Security Anti-Pattern: The Exception-1
    You automate…
      …builds
      …functional tests
      …deployment
      …reporting
      …the coffee machine
  • 69. DevOps Security Anti-Pattern: The Exception-2
    But security testing is still manual pen testing, done only on release.
    Recommendations:
    • Don’t leave security automation out of your DevOps automation strategy
      - Automated security testing removes human error, infrequent execution, and excuses
    • Don’t try to avoid open source with policies; it is coming whether you like it or not!
    • InfoSec must maintain awareness of open source vulnerabilities and continuously check for them
  • 70. DevOps Security Anti-Pattern: The Exception-3
    There are great projects out there…
    • OWASP ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
    • Gauntlt (“Be mean to your code and like it”): http://gauntlt.org/
  • 71. DevOps Security Anti-Pattern: Multiverse
    When environments are not the same, your app may never behave predictably.
    Environment parity (between dev, test, prod) is critical for controlling opportunity for security gaps.
  • 72. DevOps Security Anti-Pattern: Multiverse
    Recommendations:
    • Automate manual steps to the extent possible
    • Make development environment parity a priority
    • Get Ops involved in creating all environments, including Dev
    • Focus on providing fast, easy-to-use automation tools for everyone, not just developers, to keep environments in sync
  • 73. DevOps Security Anti-Pattern: Configurator
    • Uncontrolled configuration changes will lead to an unmanageable, unpredictable, and unrepeatable solution
    • Easy for information security to get out of sync; for example, one DNS change and you have a security hole.
    Recommendations:
    • Avoid the manual quick fix, particularly for configuration changes
    • Put configuration files under configuration control
  • 74. DevOps Security Anti-Pattern: Infiltrator
    He sneaks in…
      …and alters production
      …but he works for you!
    Recommendations:
    • Set up roles and revoke administrative access to manually edit production
    • Configure prod environment to alert the entire team when manually accessed. Transparency is key.
  • 75. DevOps Security Anti-Pattern: Survivor
    We have all been there…
      Intrusions overnight…
      …cascading system failures…
      …it’s all crashing…
      …help…me..…
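The "Post-Production Monitoring" slide (61) and the "Infiltrator" slide above both call for detecting changes that bypass the normal change process and for alerting the team on manual production access; the following is an added example of that detection logic, not code from the SEI deck or its projects. It correlates a production host's audit events with the CI/CD server's deployment records and raises an alert for any change made outside every deploy window, any change by an account other than the pipeline's, and any interactive login. The audit line format, the `cd-deployer` account name and the event and deploy records are constructed assumptions.

```python
"""Added example, not from the SEI deck: post-production change detection.
Correlates constructed production audit events with CI/CD deploy records
and alerts on anything that did not arrive through the pipeline."""
from datetime import datetime

PIPELINE_ACCOUNT = "cd-deployer"  # assumed name of the delivery service account
CHANGE_ACTIONS = {"file_modified", "package_installed", "service_restarted"}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def parse_events(lines):
    """Parse constructed audit lines of the form
    '<ts> host=<h> user=<u> action=<a> target=<t>'; blank lines are skipped."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = parse_ts(ts)
        events.append(ev)
    return events


def in_deploy_window(ev, deploys):
    """True if a pipeline deploy to this host was in progress at the event time."""
    return any(d["host"] == ev["host"] and d["start"] <= ev["ts"] <= d["end"] for d in deploys)


def detect(events, deploys):
    """Return (alert_kind, event) pairs for everything outside the change process."""
    alerts = []
    for ev in events:
        if ev["action"] == "interactive_login":
            alerts.append(("manual_access", ev))  # always notify the whole team
        elif ev["action"] in CHANGE_ACTIONS:
            if ev["user"] != PIPELINE_ACCOUNT:
                alerts.append(("change_by_non_pipeline_account", ev))
            elif not in_deploy_window(ev, deploys):
                alerts.append(("pipeline_account_outside_window", ev))
    return alerts


def summarize(alerts):
    """Alert kind -> count, the shape a team-wide notification would carry."""
    counts = {}
    for kind, _ in alerts:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed deploy records as the CD server's audit log would record them.
DEPLOYS = [
    {"id": "deploy-41", "host": "web-1",
     "start": parse_ts("2017-06-07T13:00:00"), "end": parse_ts("2017-06-07T13:05:00")},
]

# Constructed production audit events for the same host.
AUDIT_LINES = """
2017-06-07T13:01:10 host=web-1 user=cd-deployer action=file_modified target=/srv/app/app.py
2017-06-07T13:02:00 host=web-1 user=cd-deployer action=service_restarted target=app
2017-06-07T13:40:00 host=web-1 user=cd-deployer action=file_modified target=/srv/app/config.yml
2017-06-07T21:15:33 host=web-1 user=alice action=interactive_login target=ssh
2017-06-07T21:16:02 host=web-1 user=alice action=file_modified target=/etc/nginx/nginx.conf
2017-06-07T21:17:00 host=web-1 user=alice action=file_read target=/var/log/app.log
""".splitlines()
```

The two events inside `deploy-41` are silent; the pipeline account touching a config file with no deploy in progress, the evening login, and the config edit that follows it each produce an alert, while the read of a log file does not.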
  • 76. DevOps Security Anti-Pattern: Survivor-2
    But you survive… Glad it’s over. Going to go sleep for 18 hours… and then back to the normal cycle.
    When do we analyze what went wrong? How do we prevent similar failures in the future?
    All failures must result in codified change to the DevOps process.
    Recommendations:
    • Understand exactly what went wrong
    • Never let the same failure happen twice
    • Propagate fixes across the enterprise
    • Ensure that you teach the next generation
  • 77. DevOps Security Anti-Pattern: College Party
    99% of Global 2000 companies will be using open source code in mission-critical apps by 2016
    Do you know what’s in your app? Code we wrote vs. code someone else wrote
  • 78. DevOps Security Anti-Pattern: College Party-2
    Recommendations:
    • Infosec must enable constant (read: automated) checking for open source vulnerabilities
    Ways to fail:
    • Place infosec outside of the dev workflow
    • When UI/UX, infosec and accessibility requirements conflict and never get resolved
    • Dictate policy to not use open source
    • Document-driven checking is not going to catch it
    Prepare for what is coming….
  • 79. DevOps Security Anti-Pattern: Skydiver
    Once you jump, you can’t return to the plane. You are committed. Permanently.
    This is not how we should model our deployments.
    Recommendations:
    • Rollback is essential; never be left without an escape route to completely working software
    • Strive for approaches that support “one button” rollback (e.g., feature flags or A/B)
  • 80. SLS team GitHub Projects
    • One Click DevOps deployment: https://github.com/SLS-ALL/devops-voltron
    • Sample app with DevOps Process: https://github.com/SLS-ALL/flask_api_sample
      - Tagged checkpoints
        - v0.1.0: base Flask project
        - v0.2.0: Vagrant development configuration
        - v0.3.0: Test environment and Fabric deployment
        - v0.4.0: Upstart services, external configuration files
        - v0.5.0: Production environment
    • On YouTube: https://www.youtube.com/watch?v=5nQlJ-FWA5A
  • 81. For more information…
    SEI DevOps Blog: https://insights.sei.cmu.edu/devops
  • 82. Contact Information
    Hasan Yasar, Technical Manager, Secure Lifecycle Solutions
    hyasar@sei.cmu.edu
    @securelifecycle
    Web Resources (CERT/SEI):
    http://www.cert.org/
    http://www.sei.cmu.edu/