Multi Security Checkpoints on DevOps Platform
1 like1,111 views
The document discusses the integration of security practices within the DevOps framework, emphasizing collaboration among development, operations, and security teams. It highlights the need for continuous security measures throughout the software development lifecycle to protect user data and maintain compliance. Key recommendations include automating security processes, ongoing monitoring, and maintaining a secure software supply chain to mitigate risks.
![November 15, 2016
Copyright 2016 Carnegie Mellon University
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with
Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development
center.
Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not
necessarily reflect the views of the United States Department of Defense.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN
“AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY
MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS
OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH
RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright
notice for non-US Government use and distribution.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without
requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software
Engineering Institute at permission@sei.cmu.edu.
Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.
DM-0004210](https://image.slidesharecdn.com/multi-security-checkpoints-on-devops-platformhasanyasarfinal-161121142841/85/Multi-Security-Checkpoints-on-DevOps-Platform-2-320.jpg)
![November 15, 2016
What Wikipedia says…
• DevOps (a portmanteau of "development" and "operations”)
emphasizes communication, collaboration, and integration
between software developers and information technology
(IT) operations personnel. [1]
[1] http://en.wikipedia.org/wiki/DevOps](https://image.slidesharecdn.com/multi-security-checkpoints-on-devops-platformhasanyasarfinal-161121142841/85/Multi-Security-Checkpoints-on-DevOps-Platform-4-320.jpg)
Multi Security Checkpoints on DevOps Platform
- 1. November 15, 2016 Multi Security Checkpoints on DevOps platform Hasan Yasar, Technical Manager Secure Lifecycle Solutions, Software Engineering Institute, Carnegie Mellon University
- 4. November 15, 2016 What Wikipedia says… • DevOps (a portmanteau of "development" and "operations”) emphasizes communication, collaboration, and integration between software developers and information technology (IT) operations personnel. [1] [1] http://en.wikipedia.org/wiki/DevOps
- 6. November 15, 2016 DevOps is an Extension of Agile Thinking • Embrace constant change • Embed Customer in team to internalize expertise on requirements and domain Agile Embrace constant testing, delivery Embed Operations in team to internalize expertise on deployment and maintenance DevOps
- 8. November 15, 2016 Multiple Dimensions of DevOps Culture • Developer and Ops collaborate (Ops includes security) • Developers and Operations support releases beyond deployment • Dev and Ops have access to stakeholders who understand business and mission goals Culture Process and Practices System and Architecture Automation and Measurement Automation/ Measurement • Automate repetitive and error- prone tasks (e.g., build, testing, and deployment maintain consistent environments) • Static analysis automation (architecture health) • Performance dashboards Process and Practices • Pipeline streamlining • Continuous-delivery practices (e.g., continuous integration; test automation; script-driven, automated deployment; virtualized, self-service environments) System and Architecture • Architected to support test automation and continuous- integration goals • Applications that support changes without release (e.g., late binding) • Scalable, secure, reliable, etc.
- 18. November 15, 2016 Rugged{Secure}Dev{Sec}Ops • DevOps is a Risk Mitigation strategy, built on Situational Awareness, Automation, and Repetition • But security is where a lot of DevOps implementations fall down • Goal: – Protecting private user data – Restricting access to data / systems – Protecting company data / IP – Standards compliance – Safeguarding disposition / transition
- 19. November 15, 2016 Team Composition Developers • Features • Quality Attributes • Efficiency • Performance • Users • Authentication • Authorization IT Ops • Deployment • Maintenance • Updates • Change policy • Failure • Data loss • Risk prevention QA • Testable • Issue tracking • Bug Reports • Usability • Help Desk Security Team • Data Privacy • Intrusion detection • Threat vectors • CVEs • Package security • Authentication • Authorization • Security Standards Compliance
- 24. November 15, 2016 Evolution of software development • Custom development – context: • Software was limited § Size § Function § Audience • Each organization employed developers • Each organization created their own software • Shared development – ISVs (COTS) – context: • Function largely understood § Automating existing processes • Grown beyond ability for using organization to develop economically • Outside of core competitiveness by acquirers Supply chain: practically none Supply chain: software supplier Old days… In these days…
- 25. November 15, 2016 Development is now assembly General Ledger SQL Server WebSphere HTTP server XML Parser Oracle DB SIP servlet container GIF library Like “Plug N Play” Note: hypothetical application composition Collective development – context: • Too large for single organization • Too much specialization • Too little value in individual components Supply chain: long
- 26. November 15, 2016 Software supply chain for assembled software • Complexity of acquisition, development and deployment • Visibility & awareness Source: “Scope of Supplier Expansion and Foreign Involvement” graphic in DACS www.softwaretechnews.com Secure Software Engineering, July 2005 article “Software Development Security: A Risk Management Perspective” synopsis of May 2004 GAO-04-678 report “Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks”
- 28. November 15, 2016 Supply Chain Hygiene: Recommendations • Supplier security commitment evidence • Supplier employees are educated as to security engineering practices • Supplier follows suitable security design practices • Evaluate a product’s threat resistance • What product characteristics minimize opportunities to enter and change the product’s security characteristics? • Create a centralized private repositories of vetted 3rd party components for all developers • Establish good product distribution practices • Recognize that supply chain risks are accumulated • Monitor for new vulnerabilities and know where they are in the enterprise to fix • Minimize variation of components to make things easier (multiple versions, duplicated utility)
- 29. November 15, 2016 • Development, operations, teams engineer infrastructure and application • Operations maintains continuous delivery process • Developers write and push code • Continuous integration server internally deploys code • Docker run / VM provision • Build • Test • QA team evaluates the application for correctness • Continuous delivery process deploys code to production servers • Operations maintains production servers Platform Security Overview
- 30. November 15, 2016 Platform Security Overview with Security Highlights • Development, operations, and security teams engineer infrastructure and application • Operations maintains continuous delivery process • Developers write and push code • Code push triggers security analysis via security controller • Continuous integration server internally deploys code • Docker run / VM provision • Build • Test • Automated security scan • QA team evaluates the application for correctness • Continuous delivery process deploys code to production servers • Operations maintains production servers
- 31. November 15, 2016 Multi Security Checkpoints AppSec and DevOps - Integrating Security practices into DevOps
- 46. November 15, 2016 Automation (CI/CD) and Security § Not everything can be, needs to be, or should be, automated § Draw perimeters around things you trust and let that guide where human interaction and verification is needed § Keep track of security assessments § Regimented code management § Know what source code contributed to a build that’s in production so patches are fast and confident § Perform manual reviews as least as possible (NOT to block CD) § static analysis § (peer) Code review § Penn testing (or any security testing tools)
- 47. November 15, 2016 Post-Production Monitoring with Security Mindset • Monitor audit logs produced by CI/CD for anomalies • Monitor production applications to assure nothing changes outside of the normal change process • Monitor for new vulnerabilities / threats (a catalog of running components helps!)
- 49. November 15, 2016 Secure DevOps Lifecycle • Pausing for manual steps is typical • Optimize the manual work! • Persist the output of any tools / work