O'Reilly SACON "Continuous Delivery Patterns for Contemporary Architecture"
SACON - Devops-container (Richard Bussiere)
-
Upload
priyanka-aash -
Category
Technology
-
view
1.192 -
download
0
Transcript of SACON - Devops-container (Richard Bussiere)
SACON
SACONInternational2017
RichardBussiereTenable
TechnicalDirector
India|Bangalore|November10– 11|HotelLalit Ashok
IntegratingContainerVulnerabilityManagementintoDevOps
SACON 2017
ü What’stheSecurityRiskIntroducedthroughContainers?
ü Whatcanwedoaboutit?ü ShortDemoü Conclusions
Agenda
SACON 2017
Howcanyouunderstandthevulnerabilities&riskdynamicassetsexposeyoutowhentheassetisherenowthengone?
WhackaMole??
SACON 20174
Canyouanswerthesequestions?
HowExposedAreWe? HowDoWeProactivelyReduceOurExposure?HowSecureAreWe?
Everyorganization,nomatterhowlargeorsmall,should beabletoanswerthesethreefundamentalquestionsatalltimes:
SACON 2017
CommunicateCyber Risk
Continuous Visibility
Cyber ExposureMetric
PrioritizeExposure
LiveDiscovery
MeasuringCyberExposureLeveragesVulnerability Management
Accurately represent and communicate cyber risk to the business – in
business terms
Continuous Visibility into where an asset is
secure, or exposed, and to what extent
Apply Cyber Exposure data as a key risk metric
for strategic decision support
Add context to the exposure to prioritize
and select the appropriate remediation
technique
Live Discovery of every modern asset
across any computing
environment
SACON 20176
SACON 20177
Intersecting3Domains
SACON 2017
Agile=ContinuousChangeAgile=ContinuousChange
SACON 2017
AskedtwodifferentCISOsoftwodifferentmajorIndiantelcos “What’syourcontainerstrategy”?
• Answer:”What’sacontainer?”
Singapore
• ConsideringusingDevOpsinthenearfuture…
• Mostnotsureifthisstuffisactuallypresentintheirenvironments
DevOps&Security- Disconnected?
Cansecuritykeepupwiththepace?
SACON 201710
DevOpsisdrivingchangesinITarchitecture
Monolithic Microservices
Builtasasingle,self-containedunit
Componentsareinterconnected andinterdependent
Builtasasuiteofmodularservices
Componentsarelooselycoupledandhighlycohesive
SACON 201711
Applicationcontainersenableinfrastructuremodernizationwithmicroservices
Eachmicroservice ishostedinacontainerandconnectedviaAPIs
Containersencapsulatealightweightruntimeenvironmentfortheapplication
Microservices oncontainersprovide:• Faster developmentanddeploymentvelocity
•Greaterscalabilitytoquicklycreateanddestroy
• Increasedoperationalefficiencyandresponsiveness
SACON 201712
YouTubeexample:microservices andcontainers
SACON 2017
Applicationcontainersareexplodinginadoption…
13Sources:1) Datadog,20172) Docker,2017
Docker Adoption1
8 Billion+Docker Container
Downloads2
500,000+Dockerized apps in Docker
Hub2
SACON 201714
MajorCyberExposuregap
Oforganizationswithcontainersinproduction1
18%
Perform Image Scanning
RiskAssessmentIndex2Organization’sabilitytoassess
cybersecurityrisks
Score:52%Grade:F
Score:57%Grade:F
ContainerizationPlatforms
DevOpsEnvironments
15.9
40.5
Official Images
Community Images
AveragenumberofvulnerabilitiesinDockerHub3
Sources:1) Anchore,“SnapshotoftheContainerEcoystem,”20172) Tenable,“2017GlobalCybersecurityAssuranceReportCard,”20173) Tenable,“SourcingContainerImagesfromDockerHosts,”2017
SACON 2017
Modernapplicationsraisethestakeswithrisk
15
“Modern applications are largely assembled, not developed, and developers often download and use known vulnerable open-source components and frameworks.”
-Gartner
SACON 201716
Andorganizationshavetakennotice
“Even if Docker certifies an app as being safe and effective, I'm not risking $11 billion on Docker telling me it's safe. We need extra assurance and to prove it to ourselves.”
– James Ford, Chief Strategic Architect, ADP
SACON 2017
SharingImages:DockerHub… Safe?
SACON 201718
Traditionalsecurityapproachesdonotworkwithcontainers
1 2
Inability to Use Traditional VM
Techniques
Inability to RemediateVulnerabilitiesShort Lifespan
3
SACON 2017
Insanity: Doingthesamethingoverandoveragainandexpectingadifferentresult
19
Thinkdifferentlyaboutprotectingmodernassets
SACON 201720
Preventcontainervulnerabilitiesbysecuringimagespriortodeployment
IntegratecontainersecurityintotheDevOpstoolchain
Identifyandremediatevulnerabilitiesbeforetheyareexploitable
Ensureallcontainerimagesaresecureandcompliantbeforeproduction
SACON 201721
WhatdoesthismeantoSecurityandDevOps?
EnterpriseSecurity DevOps
Ensure containers are part of a holistic Cyber Exposure program
Reduce risk across a growing modern attack surface
Identify and remediate vulnerabilities as early in the SDLC as possible
Deliver quality, well-tested code at high velocity and scale
Integrate security into the DevOps toolchain, without sacrificing speed
Identify and remediate vulnerabilities as early in the SDLC as possible
SACON 2017
PerformrapidvulnerabilityandmalwaredetectiontestingwithintheDevOpstoolchain
OutoftheboxintegrationswithCI/CDbuildsystems
• Jenkins, Bamboo, Shippable, Travis CI and more• Import across container images registries• Fully documented RESTful API for custom
integrations
22
“Shiftleft”withsecurityinthesoftwaredevelopmentlifecycle
RegistryTestBuildSource Control
Build ContainerUnit TestsAPI TestsSecurity TestsPush to Registry
SACON 2017
Produceadetailedbillofmaterialscoveringalllayersandcomponents
• Libraries / binaries• Configuration files• Dependencies• Applications
“At-a-glancevisibility”intobothcontainerimageinventoryandsecurity
23
Knowwhatisinsideacontainerbeforedeployment
Layer 1
Layer 2
Layer 3
Layer 4
Container Image Layers
SACON 2017
Assessmentofcontainerimagesbylayer
Detectthepresenceofmalwareinthelayers
Applylayerhierarchyintelligencetounderstandwhenvulnerabilitiesaremitigatedinhigherlayers
24
Deepassessmentofcontainerimages
SACON 2017
Continuouslymonitorinproductioncontainersfornewvulnerabilities
Automaticallyre-testasnewvulnerabilitiesareidentified
Respondtonewlyemergingriskstoencsureontinuous protection
25
Continuouslyprotectcontainersfromnewlyidentifiedthreats
SACON 2017
Writecontainersecuritypoliciesthataligntosecuritygoalsandobjectives
Notifydevelopersimmediatelywhencontainerimagesexceedorganizationriskthresholds
Allowdeveloperstotakedirectactionwithspecificremediationadvice
26
Policy- Ensurecontainersinproductionarecompliantwithpolicy
SACON 201727
Reducecostsbycatchingcontainervulnerabilitiesearlier
1X 7X 15X
100X
Design Implementation Testing Maintenance
Cost of Fixing Defects in SLDC1
1)Source:ComputerBusinessReview,”ThecostoffixingbugsthroughouttheSDLC,”March2017
Reducecostsby>85%byremediatingvulnerabilitiesbeforedeployment
Reducefalsepositivesandensuredevelopersdonotwastetimefixingnon-vulns
Reduce Costs
SACON 201728
EliminateBlindSpots
Comprehensiveinsightinto:• Containerimageinventory• Summaryofvulnerabilitiesandmalware
• DistributionofvulnerabilitiesbyCVSSscoreandrisklevel
Eliminate Blind Spots
SACON 201729
AvoidslowingdownexistingDevOpsprocessesandworkflows
<30secondsecuritytestwithintheDevOpstoolchain
OutoftheboxintegrationwithcommonCI/CDsystemsandcontainerregistries
Accelerate DevOps
SACON 2017
ContainerHost
TheEntireProcessLaidOut…
KubernetesSwarmMesosphereCloudFoundry
GitlabGithub EnterpriseGithubBitbucker ServerBitbucket
JenkinsBambooDistelliWerckerCodeship
SourceControl Build
PublicRegistry
Registry
Containerimages liveherebeforedeployment
Orchestration
Docker
SACON 2017
InjectingSecurityintoDevOpsWorkflow
ContainerHost
Build
PublicRegistry
Registry
Orchestration
SACON 2017
WhentoScanContainerImages?
Pre-ProductionbyDeveloper
In-ProductionAutomaticallyandContinuously
Build PublicRegistry
SACON 2017
VulnerabilityScanningwithModernStacks
Server
HostOS
ContainerEngine
Bins/Libs
MySQL
Bins/Libs
App
App
App
MySQL
MySQL
Containers
Scanforvulnsusing“traditional”approaches
Scanforvulnsbyscanningcontainerimages
ExternalWebAppScanning
SACON 201734
Identifyrunningcontainerhosts…
Vulnerability Management
SACON 201735
…andhardenhostswiththeCISDockerbenchmark
ConfigurationPatchingPermissionsAccessSprawl
SACON 2017
TryTenable.io ContainerSecuritytoday
Try It for Free
tenable.com/try-container
60 Day Fully Operational Trial for FREE!!
SACON 201737