Security Implications of a DevOps transformation

Greg Sarjeant
- Puppet
- Manager of Professional Services
- 20 Years in IT
- Puppet user since 2012

Agenda
● Overview
● Technical baseline
● Implications for security
Practical DevOps

Overview
What do we mean by DevOps?

Most DevOps conversation is loosely defined
● What DevOps isn’t
● Value proposition
● High-level characteristics
— Fewer silos
— Common tools
— Tech closer to customers

This makes it hard to quantify
What are the impacts on security?

Let’s Simplify
Application: Dev
Server: Ops

Disclaimer: None of the examples in this presentation are endorsements

Technical Foundation
How did we get here?

DevOps needs a “Hello, World”

Proposal
Five Key Components
● Version Control
● Package Management
● Automated Testing
● Continuous Integration
● Infrastructure as Code

Let’s start a company
Keep it simple
● Get a host
● Install web server
● Write the app

Initial development workflow
● Log on to production server
● Write the webpage

Wait, there’s more than one language?

Time for reinforcements
Harry Hello: can say “Hello” in 57 languages
Wendy World: can say “World” in 62 languages

Complication 1: Collaboration
● Who owns the file?
● Is someone else editing it?
● How do I request a change?
● What changed last?

Improvement 1: Version Control
Authoritative source for application code
● File history
● Change tracking
● Conflict resolution
● Version rollback

Version Control: Security Implications
● Attack vector
● Access controls
— View code
— Commit code
● Sensitive data

Revised workflow
● Commit files to git repository
● Log in to prod
● Check files out

Complication 2: Distribution
● No validation
● No dependencies
● Version management
● Dev tools on Prod servers

Improvement 2: Package Management
Atomic collections of related files
● Metadata
● Standard inspection tools
● Programmatic deployment tools
● Pre- and post-install tasks
● Uninstall/rollback functionality

Package Management: Security Implications
● Installation is generally trusted
● Validate package integrity
— MD5 sums

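The "validate package integrity" check above, as an added Python example that is not code from the talk or from Puppet: it verifies built packages against a checksum manifest before they are cleared for installation, and treats an MD5-only manifest as a weak check rather than a passing one. The manifest format (one "<hexdigest>  <filename>" line per file, as sha256sum/md5sum write it) and the sample packages are constructed.

```python
"""Verify package files against a checksum manifest before they are installed.

Added example for the "validate package integrity" point; not code from the
talk or from Puppet. The manifest format and the sample packages are constructed.
"""
import hashlib
import os
import tempfile

# The hex digest length tells us which algorithm produced the manifest.
_ALGO_BY_HEXLEN = {32: "md5", 64: "sha256", 128: "sha512"}
# MD5 catches accidental corruption but not a package deliberately altered to
# keep the same digest, so an MD5-only manifest is rejected unless allowed.
STRONG_ALGOS = {"sha256", "sha512"}


def file_digest(path, algo):
    """Hash the file in chunks so large packages are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Return [(algo, expected_hexdigest, filename)] from manifest text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        expected, sep, name = line.partition("  ")
        algo = _ALGO_BY_HEXLEN.get(len(expected))
        if not sep or algo is None or not name.strip():
            raise ValueError(f"unparseable manifest line: {line!r}")
        entries.append((algo, expected.lower(), name.strip()))
    return entries


def verify_packages(manifest_text, directory, allow_weak=False):
    """Return {filename: status}; status is "ok", "mismatch", "missing" or
    "weak-algorithm". Install only when every status is "ok"."""
    results = {}
    for algo, expected, name in parse_manifest(manifest_text):
        path = os.path.join(directory, name)
        if algo not in STRONG_ALGOS and not allow_weak:
            results[name] = "weak-algorithm"
        elif not os.path.isfile(path):
            results[name] = "missing"
        elif file_digest(path, algo) != expected:
            results[name] = "mismatch"
        else:
            results[name] = "ok"
    return results


def demo():
    """One intact package, one whose bytes differ from what the build server
    hashed, and one legacy entry that only has an MD5 sum (all constructed)."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in [("helloworld-1.0.tar.gz", b"constructed package v1.0\n"),
                           ("helloworld-1.1.tar.gz", b"constructed package v1.1\n")]:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        manifest = "\n".join([
            hashlib.sha256(b"constructed package v1.0\n").hexdigest() + "  helloworld-1.0.tar.gz",
            hashlib.sha256(b"bytes the build server produced\n").hexdigest() + "  helloworld-1.1.tar.gz",
            hashlib.md5(b"legacy\n").hexdigest() + "  legacy-0.9.tar.gz",
        ])
        return verify_packages(manifest, d)
```

A signed manifest (or signed packages) is what lets the installing host trust the digests themselves; the checksum alone only proves the bytes match what was published.
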
Revised workflow
● Commit files to git repository
● Build package
● Log in to prod
● Install package

Time to make the magic happen
Let’s ship this thing…

Nice work, Harry.

Let’s build a test server!
What do we call it? How about “Harry”?

Complication 3: Validation
Manual testing has weaknesses
● Slow: a person has to perform the steps
● Unreliable: people miss steps
● Late: can’t happen until after deployment

Improvement 3: Automated tests
● Fast
● Consistent
● Run early and often
— Locally
— On check-in
— On deployment

Automated tests: Security Implications
● Generally positive!
● Validate code, behavior
● Validate package contents

Revised workflow
● Commit to git repository
● Invoke tests
● Build package
● Invoke tests
● Deploy to test
● Invoke tests
● Deploy to prod
● Invoke tests

Now we’re cooking with gas

Complication 4: Orchestration
We’re just telling the computers what to do
● Manage code
● Run tests
● Build packages
● Deploy packages

Improvement 4: Continuous Integration
Continuous Integration Servers
● Define jobs
● Run tests
● Build packages
● Deploy apps
● Run jobs on target servers
● Chain jobs together
● Stop execution if a job fails

Continuous Integration: Security Implications
● Single point of entry to infrastructure
● Elevated access to managed servers
● Arbitrary job execution

All the pieces are in place
I’ll take it from here

The test server just failed
Somebody call the sysadmin!

Here I come to save the day

Complication 5: Systems administration

Progressively smaller anchors
● Run books
● Pile of shell scripts
● Golden images
● VM templates

Improvement 5: Infrastructure as code
● Rewrite configuration instructions
● Interpreted by computers
● Managed identically to app code

Infrastructure as code: Security implications
● Agents run as root on all servers
● Code is generally trusted
● Wide-ranging abilities
— Package installation
— Service reconfiguration
— Arbitrary script execution
● Runs unattended

Sysadmins join the pipeline

DevOps
The directed use of automation to build a common workflow for developers and operations

But what about all those security questions?

Implications: Security
Are DevOps and security mutually exclusive?

There is a perception that DevOps is incompatible with strong security.

We feed this perception
● Emphasize trust over verification
● Purist mentality
— If it interferes with efficiency, it’s not DevOps
● Security is an afterthought – deal with it in Production

Is security the new ops?

Security organizations have real concerns

Security concerns
● Financial protection
● Intellectual property
● Customer data
Compromises are costly and on the rise

Requirements of security organizations
● Rigor
— Minimize opportunities to introduce vulnerabilities
● Visibility
— Understand what has changed, so that effects can be evaluated
● Responsiveness
— When a vulnerability is identified, remediate it as quickly as possible

DevOps strengths: security weaknesses?

DevOps Strength: Collaboration
● Dev and Ops teams working together is a huge benefit
● Security often gets left out
● Stop throwing over the wall to ops, keep throwing over the wall to security

DevOps Strength: Automation
● Fewer eyes and minds on the code
● Less consideration of concerns outside of direct application functionality
— We’re only validating what we test

DevOps Strength: Speed
● More changes introduced to production more frequently
● Less time to measure the impact of a change
● Often making updates before previous changes have been validated

These aren’t fundamental flaws
We’ve just been insufficiently inclusive

Collaboration: Include Security
● Design for security
● Assess security implications of changes in tickets
● Incorporate security patches into the delivery pipeline

Automation: Automate tests and validation
● Trigger vulnerability scans on deploy to test
— This can be expensive
— Tie to deployment schedule, but leave time for remediation
● Build tests for security
— System configuration
— Package versions
— Input validation
● Incorporate monitoring, logging
— Install and configure servers and agents
— Detect, report, and alert on anomalous behavior

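The three "build tests for security" categories on this slide (system configuration, package versions, input validation), as an added Python example that is not code from the talk or from Puppet and that a CI job would run next to the functional tests. The sshd_config excerpt, the package inventory, the minimum versions (placeholders, not real advisories) and the greet() handler for the Hello World app are all constructed; version comparison is a simplified numeric one.

```python
"""Security tests that run in the pipeline next to the functional tests.

Added example for the "build tests for security" slide; not code from the talk
or from Puppet. All inputs below are constructed; MIN_VERSIONS are placeholders.
"""
import re

# 1. System configuration: settings that must hold on every test and prod host.
REQUIRED_SSHD = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}


def sshd_violations(config_text):
    """Return {setting: actual_value_or_None} for required settings that fail."""
    found = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        found.setdefault(key, value.strip())      # sshd honours the first occurrence
    return {k: found.get(k) for k, want in REQUIRED_SSHD.items() if found.get(k) != want}


# 2. Package versions: nothing older than the fixed version may be installed.
MIN_VERSIONS = {"openssl": "3.0.13", "nginx": "1.24.0"}   # placeholder floors


def _vtuple(version):
    return tuple(int(p) for p in re.findall(r"\d+", version))


def outdated_packages(inventory):
    """inventory: {name: installed_version}, e.g. parsed from dpkg-query or rpm -qa."""
    return {n: inventory[n] for n, floor in MIN_VERSIONS.items()
            if n in inventory and _vtuple(inventory[n]) < _vtuple(floor)}


# 3. Input validation: the Hello World app must reject hostile parameters.
GREETINGS = {"en": "Hello", "fr": "Bonjour", "de": "Hallo"}
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z '\-]{0,39}$")      # bounded, allow-listed chars


def greet(lang, name):
    if lang not in GREETINGS:           # allow-list the language, never interpolate raw input
        raise ValueError("unsupported language")
    if not NAME_RE.match(name):
        raise ValueError("invalid name")
    return f"{GREETINGS[lang]}, {name}!"


def rejects(lang, name):
    try:
        greet(lang, name)
    except ValueError:
        return True
    return False


def run_security_suite():
    """Run all three checks on constructed inputs; a pipeline job would fail on
    any violation, outdated package, or hostile input that was accepted."""
    sshd = "Port 22\nPermitRootLogin yes\n# PasswordAuthentication no\n"
    inventory = {"openssl": "3.0.2", "nginx": "1.24.0", "curl": "8.5.0"}
    return {
        "sshd_violations": sshd_violations(sshd),
        "outdated": outdated_packages(inventory),
        "input_validation": all([rejects("xx", "Harry"), rejects("en", "<script>"),
                                 rejects("en", "A" * 41), not rejects("en", "Wendy World")]),
    }
```
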
Speed: Accelerate remediation
● Use delivery pipeline to push OS patches to production
● Update, test, and deploy custom applications more quickly
● Use monitoring and logging to identify vulnerabilities and anomalous behavior more quickly

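Detection logic for the "detect, report, and alert on anomalous behavior" item and the monitoring point above, as an added Python example that is not code from the talk or from Puppet: it reads syslog-like lines and flags changes to production hosts that did not arrive through the pipeline, the old "log in to prod and install it by hand" workflow the deck replaces. The log format, host names, the `deploy` service account the CI server uses, and the ten-minute deploy window are all constructed assumptions.

```python
"""Flag changes to production hosts that did not come through the pipeline.

Added example for the "detect, report, and alert on anomalous behavior" item;
not code from the talk. Log format, host names, the "deploy" service account
used by the CI server, and the deploy window are constructed assumptions.
"""
import re
from datetime import datetime, timedelta

DEPLOY_USER = "deploy"                  # the only account the CI server logs in as
DEPLOY_WINDOW = timedelta(minutes=10)   # installs this long after a deploy login are expected
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>\w+): (?P<msg>.*)$")
LOGIN_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
INSTALL_RE = re.compile(r"\binstall (?P<pkg>\S+)")


def parse(lines):
    """Parse the constructed '<iso-time> <host> <source>: <message>' format."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:                          # lines that do not parse are skipped, not fatal
            events.append({**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])})
    return events


def _login(event):
    """(user, ip) for a successful sshd login event, else None."""
    if event["src"] != "sshd":
        return None
    m = LOGIN_RE.search(event["msg"])
    return (m["user"], m["ip"]) if m else None


def detect(lines, prod_hosts):
    """Return alert strings for interactive logins and out-of-pipeline installs."""
    events = [e for e in parse(lines) if e["host"] in prod_hosts]
    deploys = []                       # a deploy window opens when the CI account logs in
    for e in events:
        login = _login(e)
        if login and login[0] == DEPLOY_USER:
            deploys.append((e["host"], e["ts"]))
    alerts = []
    for e in events:
        login = _login(e)
        if login and login[0] != DEPLOY_USER:
            alerts.append(f"{e['host']}: interactive login by {login[0]} from {login[1]} at {e['ts']:%H:%M}")
        elif e["src"] == "pkg":
            m = INSTALL_RE.search(e["msg"])
            in_window = any(h == e["host"] and timedelta(0) <= e["ts"] - t <= DEPLOY_WINDOW
                            for h, t in deploys)
            if m and not in_window:
                alerts.append(f"{e['host']}: package {m['pkg']} installed outside a pipeline deploy at {e['ts']:%H:%M}")
    return alerts


# Constructed sample: one legitimate pipeline deploy, then someone logging in
# to prod by hand and installing a compiler (the "dev tools on prod" problem).
SAMPLE_LOG = [
    "2024-05-01T09:00:00 prod1 sshd: Accepted publickey for deploy from 10.0.0.5",
    "2024-05-01T09:00:12 prod1 pkg: install helloworld-1.1",
    "2024-05-01T13:42:07 prod1 sshd: Accepted password for harry from 10.0.0.23",
    "2024-05-01T13:43:30 prod1 pkg: install gcc",
    "2024-05-01T13:45:00 test1 sshd: Accepted password for harry from 10.0.0.23",
    "this line does not match the format and is ignored",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, {"prod1"}):
        print(alert)
```

The same login on the test host is deliberately not flagged: the point is to alert on changes that bypass the pipeline where it matters, not to page on every shell session.
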
Use the pipeline to our advantage