DevSecOps: Taking a DevOps Approach to Security


Transcript of DevSecOps: Taking a DevOps Approach to Security

Page 1: DevSecOps: Taking a DevOps Approach to Security

DevSecOps: Taking a DevOps Approach to Security

Alert Logic & Chef discuss overcoming security challenges in DevOps

Page 2: DevSecOps: Taking a DevOps Approach to Security

Before We Begin

Housekeeping

• Turn on your system’s sound to hear the streaming presentation

• Questions? Submit them to the presenter at any time in the question box

• The presentation slides will be available to download from the attachment tab after the webinar

• The webinar will be recorded and published on BrightTalk

• Technical problems? Click “Help”

Agenda

• Security Challenges

• High Velocity IT

• Vulnerability Management

• Securing the Platform

• Continuous Monitoring

• Questions

Page 3: DevSecOps: Taking a DevOps Approach to Security

Speaker Introduction

James Brown

• Director of Cloud Computing & Security Architecture

• Alert Logic

Alex Manly

• Solution Architect

• Chef

Page 4: DevSecOps: Taking a DevOps Approach to Security

OVERCOMING SECURITY CHALLENGES

Page 5: DevSecOps: Taking a DevOps Approach to Security

Security Remains #1 Pain Point For Cloud Deployments

© 2014 451 Research, LLC. www.451research.com

Cloud Computing Pain Points

Q. What are your top cloud computing-related pain points? Select up to three. n=163. Source: Cloud Computing – Wave 7 | © 2014 451 Research, LLC. www.451research.com

[Bar chart; only the category labels and bar values survived extraction. Security is the top-ranked pain point, at 31% of respondents. Categories, in the order they appear on the chart: Business Continuity/Disaster Recovery; Interoperability; Lack of Provider Competence; Perception and Internal Resistance; Storage; Data Movement; Governance; Capacity Planning/Management; Legacy Applications; Technology Immaturity; Complexity; Limited Transparency and Management; Service-level Management; Lack of Standards; Network; Service Reliability/Availability; Contractual/Legal Issues; Organizational Challenges; Vendor/Provider Issues; Lack of Internal Process; Management; Internal Resources/Expertise; Migration/Integration; Compliance; Security of Data, Control of Data Locality, Sovereignty; Human Change Management; Pricing/Budget/Cost; Security.]

Other Pain Points Mentioned: Automated Provisioning; Automation; Billing/Chargeback/Show-back; Ease of Transfer Between Private and Public Cloud; Integration of Private and Public Cloud; Lack of Control; Lack of Flexibility; Licensing; Orchestration; Performance; Platform/Provider Selection; Support; Time to Deployment

Page 6: DevSecOps: Taking a DevOps Approach to Security

Shared Security Model

Page 7: DevSecOps: Taking a DevOps Approach to Security

Application Security Technology Challenges

• Network Changes

• Host Identity

• Auto-Scaling

Why do traditional security tools struggle in the cloud?

Page 8: DevSecOps: Taking a DevOps Approach to Security

Security at Odds with DevOps Velocity

Traditional Security/Compliance is Slow

• Bolted on at the end

• Manual processes

• Long cycle times

Mature DevOps Velocity is Fast

Security Practice does not Keep Up

• Traditional security tools are not automated

• Continuous deployment stalls without security automation

Page 9: DevSecOps: Taking a DevOps Approach to Security

InfoSec Ends Up Being Marginalized

“The problem for the security person who is used to turning around security reviews in a month or two weeks is they're just being shoved out of the game. There's no way with how Infosec is currently configured that they can keep up with that. So, Infosec gets all the complaints about being marginalized and getting in the way of doing what needs getting done.”

Gene Kim, former CTO of Tripwire

Author of “The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win”

Page 10: DevSecOps: Taking a DevOps Approach to Security

Alert Logic Survey Findings

• Good communications between Development and Operations teams

• Poor communication between DevOps, Security and Compliance teams

• Security infrastructure had been poorly managed or needed significant improvement

• Admitted to not implementing security into their continuous process

Page 11: DevSecOps: Taking a DevOps Approach to Security

High velocity IT

• Web scale IT

• Software is eating the world

• The Rise of Coded business

• Every business is an IT business

• Software defined everything

• Deliver change faster and safer

Page 12: DevSecOps: Taking a DevOps Approach to Security

Infrastructure on demand

• Cheap

• Secure

• Elastically Scalable

• Self Service

Page 13: DevSecOps: Taking a DevOps Approach to Security

DevOps

Page 14: DevSecOps: Taking a DevOps Approach to Security

Configuration Management

Page 15: DevSecOps: Taking a DevOps Approach to Security

Continuous Delivery

Page 16: DevSecOps: Taking a DevOps Approach to Security

Architecture

Page 17: DevSecOps: Taking a DevOps Approach to Security

Compliance Drag

Page 18: DevSecOps: Taking a DevOps Approach to Security

“If you think compliance is expensive, try non-compliance.”

Former US Deputy Attorney General, Paul McNulty

Page 19: DevSecOps: Taking a DevOps Approach to Security

• Many hats **

• Not just Dev, not just Ops.

• Security is not, and has never been, just a check box.

• Security as Code - Software-defined Security

• Embed security tests into the pipeline.

• Test security early.

DevSecOps – Don’t shoot me, it’s just a word

** Hat tip to Ben Hughes (@benjammingh), from whom I stole this slide

https://speakerdeck.com/barnbarn/handmade-security-at-etsy

Page 20: DevSecOps: Taking a DevOps Approach to Security

The changing role of the compliance officer

Page 21: DevSecOps: Taking a DevOps Approach to Security

2015 Compliance Report - Verizon

Page 22: DevSecOps: Taking a DevOps Approach to Security

VULNERABILITY MANAGEMENT

Page 23: DevSecOps: Taking a DevOps Approach to Security

Vulnerability Management

Vulnerability management is key to maintaining a secure system.

Most IT environments use a mix of patch management and vulnerability scanning.

However:

• Scanning is not run frequently enough

• Dealing with large numbers of potential vulnerabilities in one go introduces significant risk to application stability

Page 24: DevSecOps: Taking a DevOps Approach to Security

Manage Vulnerabilities with Base Images + CI

Manage Vulnerabilities

• Conduct normal vulnerability scanning

• Identify Vulnerabilities that exist in Base Images versus Application specific packages

• Remediate at appropriate level as part of Continuous Delivery process

• Start with Hardened “secure by default” base

Results

• Less work, done more reliably

• Patching fits naturally into Phoenix Upgrades

• Continuous Delivery allows frequent scanning in test environments to have real value

• Fixes potential vulnerabilities systematically

Page 25: DevSecOps: Taking a DevOps Approach to Security

Adopt Phoenix upgrade strategy

Embrace Phoenix Upgrades

• Stand up new instances, don’t upgrade

• Route traffic between old and new instances

• Rich service metrics and automate rollback

• Advanced routing can enable selective rollout

Results

• Creates evergreen systems, avoiding configuration drift and technical debt

• Enforces refresh of all system components as complete artifact, tested as a holistic system

• Greatly reduces security risks when combined with immutable instances and configuration management

Page 26: DevSecOps: Taking a DevOps Approach to Security

Real World Case – Patching Shellshock

Page 27: DevSecOps: Taking a DevOps Approach to Security

SECURING THE PLATFORM

Page 28: DevSecOps: Taking a DevOps Approach to Security

Securing the platform

Aside from ensuring that an application and its server are fully patched, it is key to start from a position where the server has been fully locked down.

In the cloud, have developers simply taken the base OS images made available to them and used them as-is?

You may be in a position where:

• You cannot change permissions on servers without risking breaking the application

• Base OS images are used without any specific security implemented

• Different standards exist across different server types

Page 29: DevSecOps: Taking a DevOps Approach to Security

Prevent Attacks with Immutable Systems

• Build secure base images that are representative of your infrastructure system base

• Design file system layout to separate code from data, and lock down to minimum required permissions. Should expand to network as well

• Leverage SANS Checklist and CIS Benchmark resources for system-level security best practices and guidance

• Leverage configuration management tools to standardize all software versions and configurations

Design Secure Immutable Infrastructure

Page 30: DevSecOps: Taking a DevOps Approach to Security

• This example identifies any code that tries to mount disk volumes. If such code is found, it is audited, and a workflow can then control how this deviation from the standard is handled.

Example – Static Control Analysis
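The slide's own check is not reproduced in the transcript, so the following is an added example (ours, not Chef's or the presenters' code) of a static control in the same spirit: it scans Chef recipe source for code that mounts disk volumes, whether via the `mount` resource, a quoted shell command, or a heredoc passed to a `bash`/`execute` resource, and returns each finding with its line number so a review workflow can act on it. The resource names `mount`, `execute` and `bash` are Chef's; the constants, `Finding` struct and `find_mount_usage` helper are ours, and the sample recipe is constructed for the demo.

```ruby
# Added example, not code from the slides: a static check that flags Chef
# recipe code attempting to mount disk volumes. Each finding can be fed to a
# review workflow that decides whether the deviation from the locked-down base
# image is acceptable. Resource names (mount, execute, bash) are Chef's own;
# the helper names are ours and the sample recipe is constructed for the demo.

# A `mount '/path' do ... end` resource declaration.
MOUNT_RESOURCE = /^\s*mount\s+(?<q>['"])(?<target>[^'"]+)\k<q>(?:\s+do\b|\s*$)/
# Start of a heredoc passed to `code` (bash/script resources) or `command`.
HEREDOC_START  = /\b(?:code|command)\s+<<[-~]?(?<q>['"]?)(?<tag>\w+)\k<q>/
# A quoted shell string handed to `command`, `system`, `shell_out` or `exec`.
SHELL_STRING   = /\b(?:command|system|shell_out!?|exec)\s*\(?\s*(?<q>['"])(?<cmd>[^'"]*)\k<q>/
# A shell-level mount invocation (start of line or after a separator).
MOUNT_COMMAND  = /(?:^|[;&|\s])(?:sudo\s+)?mount\b/

Finding = Struct.new(:line, :kind, :detail)

def find_mount_usage(recipe_source)
  findings = []
  heredoc_tag = nil
  recipe_source.each_line.with_index(1) do |raw, lineno|
    line = raw.chomp
    if heredoc_tag
      # Inside a bash/execute heredoc: look for shell-level mount calls.
      if line.strip == heredoc_tag
        heredoc_tag = nil
      elsif line.match?(MOUNT_COMMAND)
        findings << Finding.new(lineno, :shell_mount, line.strip)
      end
      next
    end
    next if line.strip.start_with?('#')   # ignore Ruby comments
    if (m = line.match(MOUNT_RESOURCE))
      findings << Finding.new(lineno, :mount_resource, m[:target])
    elsif (m = line.match(SHELL_STRING)) && m[:cmd].match?(MOUNT_COMMAND)
      findings << Finding.new(lineno, :shell_mount, m[:cmd])
    elsif (m = line.match(HEREDOC_START))
      heredoc_tag = m[:tag]
    end
  end
  findings
end

# Constructed sample recipe: one compliant resource, three mount attempts.
SAMPLE_RECIPE = <<~'RECIPE'
  # constructed sample recipe for the demo
  package 'nginx'

  mount '/data' do
    device '/dev/xvdf'
    fstype 'ext4'
    action [:mount, :enable]
  end

  execute 'attach scratch volume' do
    command 'mount -t ext4 /dev/xvdg /scratch'
  end

  bash 'legacy setup' do
    code <<-EOH
      mkdir -p /mnt/backup
      mount /dev/xvdh /mnt/backup
    EOH
  end

  directory '/var/log/app' do
    mode '0750'
  end
RECIPE

if __FILE__ == $PROGRAM_NAME
  find_mount_usage(SAMPLE_RECIPE).each do |f|
    puts format('line %2d  %-15s %s', f.line, f.kind, f.detail)
  end
end
```

Run against the sample it reports three findings (lines 4, 11 and 17). The check is deliberately conservative: commented-out code is skipped, `umount` is not flagged, and anything it cannot classify is left for the reviewer rather than guessed at.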

Page 31: DevSecOps: Taking a DevOps Approach to Security

Example – Infrastructure Testing

• Tests Chef cookbooks using cloud instances and virtual machines

• Lets you create a realistic multi-server test environment

• Uses Chef and supports everything Chef supports (OSs, VMs, languages, etc.)

• Supports multiple test runners (Bats, Minitest, RSpec, ServerSpec, etc.)

Page 32: DevSecOps: Taking a DevOps Approach to Security

CONTINUOUS MONITORING

Page 33: DevSecOps: Taking a DevOps Approach to Security

Chef Analytics Provides Visibility in Three Ways

• Records changes to Chef Server or any Chef nodes

• Tracks changes from any source (Chef UI, command line, knife)

• Built-in messaging and email integration

• Trivially integrates with your existing systems

• Simple dashboard with search, filters and sorting options

• Integrates with existing tools via API

Page 34: DevSecOps: Taking a DevOps Approach to Security

Example

Page 35: DevSecOps: Taking a DevOps Approach to Security

• PCI 2.3 - Encrypt all non-console administrative access such as browser/Web-based management tools.

Rule

rules 'PCI 2.3 - Confirm telnet port not available'
  rule on run_control
  when
    name = 'has nothing listening'
    resource_type = 'port'
    resource_name = '23'
    status != 'success'
  then
    audit:error("PCI 2.3 - Encrypt all non-console administrative access such as browser/Web-based management tools.")
    notify("[email protected]", "A machine is listening for connections on port 23/telnet!")
  end
end

Control

controls 'port compliance' do
  control port(23) do
    it "has nothing listening" do
      expect(port(23)).to_not be_listening
    end
  end
end

Example – PCI Compliance
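To make the chain on this slide concrete, here is an added Ruby model (ours, not Chef's API or the presenters' code) of what happens end to end: the port control decides whether anything listens on TCP 23 by parsing `ss -H -ltn` output, emits one run_control record whose `name` is the control's `it` description, and the rule then matches on that record's `name`, `resource_type`, `resource_name` and `status` fields to raise an audit error and a notification. The `ss` output, node names and mailbox are constructed for the demo; the `RunControl`, `Alert` and `Rule` structs and the method names are assumptions of this example.

```ruby
# Added example, not code from the slides: a Ruby model of the PCI 2.3 chain.
# control -> run_control record -> Analytics-style rule -> alert. Struct and
# method names are ours; ss output, node names and mailbox are constructed.

RunControl = Struct.new(:node, :name, :resource_type, :resource_name, :status,
                        keyword_init: true)
Alert = Struct.new(:node, :severity, :audit_message, :notify_to, :notify_body,
                   keyword_init: true)
Rule = Struct.new(:label, :match, :audit_message, :notify_to, :notify_body,
                  keyword_init: true)

# Parse `ss -H -ltn` lines ("LISTEN 0 128 0.0.0.0:23 0.0.0.0:*") into the
# sorted list of local TCP ports in LISTEN state (IPv4, [::] and * forms).
def listening_ports(ss_output)
  ss_output.each_line.filter_map do |line|
    fields = line.split
    next unless fields[0] == 'LISTEN' && fields[3]
    port = fields[3].rpartition(':').last
    port =~ /\A\d+\z/ ? port.to_i : nil
  end.uniq.sort
end

# Equivalent of `control port(23) do it "has nothing listening" ... end`:
# the control passes only when the port is absent from the listen set.
def port_control(node, port, ss_output)
  listening = listening_ports(ss_output).include?(port)
  RunControl.new(node: node, name: 'has nothing listening', resource_type: 'port',
                 resource_name: port.to_s, status: listening ? 'failed' : 'success')
end

# The rule from the slide, expressed as a predicate over a run_control record.
PCI_2_3_TELNET = Rule.new(
  label: 'PCI 2.3 - Confirm telnet port not available',
  match: ->(rc) {
    rc.name == 'has nothing listening' && rc.resource_type == 'port' &&
      rc.resource_name == '23' && rc.status != 'success'
  },
  audit_message: 'PCI 2.3 - Encrypt all non-console administrative access ' \
                 'such as browser/Web-based management tools.',
  notify_to: 'security-team@example.invalid',   # placeholder mailbox
  notify_body: 'A machine is listening for connections on port 23/telnet!'
)

# Run every rule over every run_control record; one Alert per match.
def evaluate_rules(rules, run_controls)
  run_controls.flat_map do |rc|
    rules.select { |rule| rule.match.call(rc) }.map do |rule|
      Alert.new(node: rc.node, severity: :error, audit_message: rule.audit_message,
                notify_to: rule.notify_to, notify_body: "#{rule.notify_body} [#{rc.node}]")
    end
  end
end

# Constructed `ss -H -ltn` output: web-01 exposes only SSH, web-02 still has
# a telnet daemon bound on port 23.
SS_WEB01 = <<~SS
  LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
  LISTEN 0      128             [::]:22           [::]:*
SS
SS_WEB02 = <<~SS
  LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
  LISTEN 0      10           0.0.0.0:23        0.0.0.0:*
  LISTEN 0      511                *:80              *:*
SS

def demo_alerts
  records = [port_control('web-01', 23, SS_WEB01), port_control('web-02', 23, SS_WEB02)]
  evaluate_rules([PCI_2_3_TELNET], records)
end

if __FILE__ == $PROGRAM_NAME
  demo_alerts.each { |a| puts "#{a.severity.upcase} #{a.node}: #{a.notify_body}" }
end
```

Only web-02 produces an alert; a port other than 23 failing the same control does not, because the rule keys on `resource_name` as well as `status`. Keeping the rule's `name` identical to the control's `it` description is what ties the two halves together.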

Page 36: DevSecOps: Taking a DevOps Approach to Security

• SOX Section 302.4.B – Establish verifiable controls to track data access.

Rule

rules 'force key based auth'
  rule on run_control
  when
    name = 'is disabled'
    resource_type = 'File'
    resource_name = '/etc/ssh/sshd_config'
    status = 'failed'
  then
    audit:error("SOX Section 302.4.B - Establish verifiable controls to track data access.")
    notify("[email protected]", "A machine has password login enabled!")
  end
end

Control

controls 'password authentication' do
  control file('/etc/ssh/sshd_config') do
    it "is disabled" do
      expect(file('/etc/ssh/sshd_config')).to_not match(/^\s*PasswordAuthentication\s+yes/i)
    end
  end
end

Example - SOX Compliance
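The control above passes as long as no line reads `PasswordAuthentication yes`, which leaves gaps a reviewer would want closed: OpenSSH treats an absent or commented-out directive as `yes`, honours only the first value of a keyword in the global section, accepts `Keyword=value` syntax, and lets a later `Match` block re-enable password logins for some users. The following added example (our parser, not Chef's or the presenters' code) applies those rules to the file content and compares its verdict with the slide's regex on constructed sshd_config samples; the method names and sample data are assumptions of this example.

```ruby
# Added example, not code from the slides: a stricter sshd_config check next to
# the slide's regex. The parser applies OpenSSH's own rules (absent directive
# defaults to yes, first global value wins, '=' syntax allowed, Match blocks
# can re-enable the option). Method names and samples are ours.

# The control's regex, as written on the slide, for side-by-side comparison.
def slide_regex_flags?(config_text)
  config_text.match?(/^\s*PasswordAuthentication\s+yes/i)
end

# True when password authentication is effectively enabled for at least some
# connections according to the file content.
def sshd_password_auth_enabled?(config_text)
  global = nil          # first global value seen (sshd ignores later repeats)
  in_match = false      # true once a "Match" block has started
  match_enables = false # any Match block turning the option on

  config_text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip   # drop comments and surrounding whitespace
    next if line.empty?
    key, value = line.split(/\s*=\s*|\s+/, 2)
    key = key.downcase
    if key == 'match'
      in_match = true
      next
    end
    next unless key == 'passwordauthentication'
    enabled = value.to_s.strip.downcase == 'yes'
    if in_match
      match_enables ||= enabled
    elsif global.nil?
      global = enabled
    end
  end

  global = true if global.nil?   # OpenSSH default when the directive is absent
  global || match_enables
end

# Constructed sshd_config fragments covering the cases the regex misses.
SAMPLES = {
  'explicit no'      => "PasswordAuthentication no\n",
  'commented out'    => "# PasswordAuthentication no\n",
  'absent'           => "Port 22\nPermitRootLogin no\n",
  'equals syntax'    => "PasswordAuthentication=yes\n",
  'match re-enables' => "PasswordAuthentication no\nMatch User deploy\n    PasswordAuthentication yes\n",
  'first value wins' => "PasswordAuthentication no\nPasswordAuthentication yes\n",
}

# Returns {sample name => [slide regex verdict, parser verdict]}.
def compare_checks(samples = SAMPLES)
  samples.transform_values { |cfg| [slide_regex_flags?(cfg), sshd_password_auth_enabled?(cfg)] }
end

if __FILE__ == $PROGRAM_NAME
  compare_checks.each do |name, (regex, parser)|
    puts format('%-18s regex=%-5s parser=%s', name, regex, parser)
  end
end
```

On the samples the regex misses three enabled configurations (commented out, absent, `=` syntax) and raises one false alarm (a second `PasswordAuthentication yes` that sshd ignores). Either way the safer failure mode for a compliance control is the false alarm, which is why the parser reports `true` whenever any `Match` block turns the option on, even though that block may only apply to a subset of users.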

Page 37: DevSecOps: Taking a DevOps Approach to Security

How Cloud Defender Works

[Architecture diagram: Alert Logic Cloud Defender]

The Customer IT Environment (Cloud, Hybrid, On-Premises) sends web application events, log data and network incidents into:

• Big Data Analytics Platform (Alert Logic ActiveAnalytics)

• Threat Intelligence & Security Content (Alert Logic ActiveIntelligence)

• 24 x 7 Monitoring & Escalation (Alert Logic ActiveWatch)

Outcome: Identify Attacks & Protect Customers

Page 38: DevSecOps: Taking a DevOps Approach to Security

Alert Logic Cloud Defender

Threat Manager: Network Intrusion Detection

• Detects suspicious activities across your networks

• Uncovers vulnerabilities in your networks, systems, and applications

Log Manager: Log Management & Analysis

• Protects your networks, systems, and applications through log analysis

• Collects, aggregates, and normalizes logs for easy searching and long-term storage

Web Security Manager: Web Application Protection

• Built to protect web applications from web-specific attacks

• Learning engine adapts to normal behavior, ensuring application uptime

Simple Unified Deployment

Page 39: DevSecOps: Taking a DevOps Approach to Security

Questions and Resources

Resources

All available under the “Attachments” tab of the webinar:

• DevOps: The Security Gap

• Key findings from Alert Logic’s recent Dev-”Sec”-Ops Survey

• Chef’s Whitepaper: Compliance at Velocity

• Alert Logic Blog

• Top 10 Tips for Security Professionals Blog

Questions

• Questions? Submit them to the presenter at any time in the question box

Page 40: DevSecOps: Taking a DevOps Approach to Security

Get Connected

www.alertlogic.com

www.chef.io

@alertlogic

@chef

linkedin.com/company/alert-logic

linkedin.com/company/opscode

alertlogic.com/resources/blog/

chef.io/blog

youtube.com/user/AlertLogicTV

youtube.com/user/getchef

brighttalk.com/channel/11587

brighttalk.com/channel/11349

Page 41: DevSecOps: Taking a DevOps Approach to Security

Contact Us

James Brown

Director of Cloud Computing & Security Architecture

Alert Logic

[email protected]

Alex Manly

Solution Architect

Chef

[email protected]

Thank you!