SecDevOps 2017
2 likes1,824 views
The document outlines a presentation by Aarno Aukia from VSHN AG, focusing on the principles of securing DevOps through agile practices in software engineering, infrastructure, and security. It discusses the importance of collaboration between development and operations, automating processes, and ensuring security throughout the software delivery lifecycle, including authentication and authorization mechanisms. VSHN AG, established in 2014, provides cloud-native solutions and consulting services to enhance software application delivery and operations.
SecDevOps 2017
- 1. VSHN AG I Neugasse 10 I 8005 Zürich I T 044 545 53 00 www.vshn.ch SIGS Technology Conference 16.05.2017 SecDevOps Securing DevOps Aarno Aukia VSHN AG – The DevOps Company
- 2. VSHN AG I Neugasse 10 I 8005 Zürich I T 044 545 53 00 www.vshn.ch Agenda ● About Aarno / VSHN ● Agile Software Engineering ● Agile Infrastructure Engineering ● Agile Security Engineering ● Securing the software delivery process ● Example: authentication & authorization ● Q & A
- 3. VSHN AG I Neugasse 10 I 8005 Zürich I T 044 545 53 00 www.vshn.ch Who Aarno Aukia, CTO & co-founder ETH → Google → Atrila → VSHN @aarnoaukia or aarno.aukia@vshn.ch VSHN AG - the DevOps Company Since 2014, 20 people in Zürich Running web applications on-premises and in the clouds making both visitors and developers happy https://vshn.ch @vshn_ch
- 4. VSHN AG I Neugasse 10 I 8005 Zürich I T 044 545 53 00 www.vshn.ch Software Engineering 1/2 Require- ments Design Implemen- tation Validation Maintenance
- 5. VSHN AG I Neugasse 10 I 8005 Zürich I T 044 545 53 00 www.vshn.ch Software Engineering 2/2 Require- ments Design Validation Maintenance Implemen- tation
- 6. VSHN AG I Neugasse 10 I 8005 Zürich I T 044 545 53 00 www.vshn.ch Agile Software Engineering Requirements Design Implemen- tation TestingRelease
- 7. VSHN AG I Neugasse 10 I 8005 Zürich I T 044 545 53 00 www.vshn.ch Agile Infrastructure Engineering? How do operations cope with the continuous changes by the developers? How do you change the operations process from reactive (fire brigade) to proactive (fire detector, sprinkler, building regulations)? How do operations change from infrastructure provider to service provider?
- 8. VSHN AG I Neugasse 10 I 8005 Zürich I T 044 545 53 00 www.vshn.ch Ops: fire brigade as a Service
- 9. VSHN AG I Neugasse 10 I 8005 Zürich I T 044 545 53 00 www.vshn.ch Agile Infrastructure Engineering 1/2 ● Close collaboration between Dev & Ops = DevOps ● Proactive consulting, adding value to the development process ● Automating processes ● Accelerate the time-to-market up until self-service by PL/PO/Dev ● Eliminate manual errors and achieve higher robustness ● Standardize deployment, monitoring, logging, access control, scaling
- 10. VSHN AG I Neugasse 10 I 8005 Zürich I T 044 545 53 00 www.vshn.ch
- 11. VSHN AG I Neugasse 10 I 8005 Zürich I T 044 545 53 00 www.vshn.ch Agile Infrastructure Engineering 2/2 ● Automation = infrastructure as code ● Quality assurance like in a software-project ● Testing the automation process ● Versioning, changelog, rollback ● Repeatability, reproducability, traceability ● By default and from the beginning with security
- 12. VSHN AG I Neugasse 10 I 8005 Zürich I T 044 545 53 00 www.vshn.ch How to prevent cleaning up a mess?
- 13. VSHN AG I Neugasse 10 I 8005 Zürich I T 044 545 53 00 www.vshn.ch Agile Security Engineering 1/3 ● Also known as AppSec ● Contributes to success like UX Design, usability, performance, operations ● A quality aspect of applications ● Proactively involved in application engineering ● Security Requirements ● Security Design/Architecture ● Security best practices in development ● Security testing ● Security Operations (SecOps) ● Use same language, development cycle and goal as developers
- 14. VSHN AG I Neugasse 10 I 8005 Zürich I T 044 545 53 00 www.vshn.ch Agile Security Engineering 2/3
- 15. VSHN AG I Neugasse 10 I 8005 Zürich I T 044 545 53 00 www.vshn.ch Agile Security Engineering 3/3 ● Safe software development process = integrity of the application ● Separation of applications on process level (container, virtual machine) ● Separation on network level ● Reproducibility of configuration (dev/test/stage- Environments, Disaster Recovery) ● Authentication & Authorization ● Controlling the access to applications ● RBAC on control plane ● Logging
- 16. VSHN AG I Neugasse 10 I 8005 Zürich I T 044 545 53 00 www.vshn.ch SecDevOps
- 17. VSHN AG I Neugasse 10 I 8005 Zürich I T 044 545 53 00 www.vshn.ch Securing the Software Delivery Process 1/2
- 18. VSHN AG I Neugasse 10 I 8005 Zürich I T 044 545 53 00 www.vshn.ch Securing the Software Delivery Process 2/2
- 19. VSHN AG I Neugasse 10 I 8005 Zürich I T 044 545 53 00 www.vshn.ch Authentication & Authorization
- 20. VSHN AG I Neugasse 10 I 8005 Zürich I T 044 545 53 00 www.vshn.ch AAI = Keycloak ● Identity & Access Management ● Single sign in/out ● Identity brokering: OpenID Connect (OAuth2 social login, FB/Twitter/Github etc.), SAML2.0, Kerberos ● User federation: LDAP, ActiveDirectory, custom RDBMS ● Multi-Factor-Authentication: TOTP/HOTP ● Managing the Authorization groups
- 21. VSHN AG I Neugasse 10 I 8005 Zürich I T 044 545 53 00 www.vshn.ch Audit Log = ElasticSearch, Logstash, Kibana ● Logging all access and changes through the control plane ● Logging all access to the application and correlate with application logs ● Index, view, filter, aggregate KPI → monitoring ● Store outside of application scope
- 22. VSHN AG I Neugasse 10 I 8005 Zürich I T 044 545 53 00 www.vshn.ch APPUiO.ch ● Container Platform as a Service ● Based on Docker, Kubernetes, OpenShift ● On-premises, private or public cloud in Switzerland ● Run on any infrastructure ● Turnkey platform with proactive support ● Consulting services to become cloud native and integration ● From YoloOps to RelaxOps
- 23. VSHN AG I Neugasse 10 I 8005 Zürich I T 044 545 53 00 www.vshn.ch Thank you Questions? VSHN AG Aarno Aukia Neugasse 10 8005 Zürich https://vshn.ch @vshn_ch