Security in DevOps and Cloud
Page 1
©2019 F5 NETWORKS
Security in a DevOps world
Dennis de Leest
Sr. Solution Engineer
Page 2
ECOSYSTEM INTEGRATIONS
Code to Customer path: Code, App / Web server, API gateway, Ingress controller, Load balancer, DNS, App security, DDoS, CDN, Customer
Platforms: Containers, Purpose-built hardware, Commodity hardware, Virtual machines, Public cloud, Software as a Service
PLATFORM CONTROL PLANES: BIG-IP, NGINX
Ecosystems: NGINX Controller, BIG-IQ
Page 3
DevOps Drivers
THE MAIN DRIVERS THAT MAKE DEVOPS A MUST HAVE
Agile Methodologies
Scrum in Dev
Kanban in Ops
Microservice Patterns
Smaller and more
frequent moving parts
Cloud Migrations
API automation a given
GUI is a no-go
Infrastructure changes were a bottleneck
Infrastructure automation through APIs !!!
Page 4
Tooling in the Automation Toolchain
DEVOPS TOOLING LANDSCAPE – A NUTSHELL OVERVIEW
Tool categories: CI/CD, Orchestrators, Deployment, Libs, Others
Page 5
Automation Lifecycle – F5 Automation toolchain
Phases: Bootstrap, Onboard, Deploy, Monitor

Bootstrap
F5 BIG-IP IMAGE GENERATOR: Enables creation, customization and deployment of a BIG-IP disk image for a given private/public cloud.
CLOUD SOLUTION TEMPLATES: Canonical examples using native templates for quickly deploying BIG-IP services on public cloud providers (AWS, Azure, Google).
Cloud-Init: Handles early initialization of a cloud instance with user-data provided at instance launch time.

Onboard (L1-L3)
DECLARATIVE ONBOARDING EXTENSION: Initial config of BIG-IP instances.

Deploy (L4-L7)
APP SERVICES 3 EXTENSION: Deploy classic and advanced application services on BIG-IP using declarative REST APIs.

Monitor
TELEMETRY STREAMING EXTENSION: Stream telemetry, events & logs from BIG-IP to various analytics and logging solutions.

F5 Super-NetOps Training: Free training for Network Operations professionals.
Page 6
DevOps => DevSecOps
Security configuration
➢ Complex and bespoke
➢ Tedious manual process done by experts
➢ Increased rate of application deliverables => bottleneck
➢ Risk of dropping decent security due to time pressure/constraints on the way to PROD!
NEXT STEP - EMBRACE SECURITY AUTOMATION CAPABILITIES
Page 7
DevOps is mainstream
Page 8
DevSecOps Principles
Open Security Information Sharing & Feedback Loops
Culture: Security is everybody’s responsibility
Continuous Automated Testing
Collaboration vs Blocking
Shift Left: Build security into software not bolt on.
Guard Rails: Make the secure path the easy path
Page 9
DevSecOps Flow
Phases: Plan, Code, Build, Test, Deploy, Run/Monitor
Stages: Pre-Commit, Commit, Acceptance, Production Deploy, Operations
Continuous Integration, Continuous Deployment
• Threat Modeling as code
• IDE integrated SAST
• Software Composition/Dependency Analysis
• Static Code Analysis
• DAST/Security Scanning
• IaC for supporting infrastructure
• Security Smoke Test
• Secrets Management
• Runtime security
• IAM
• Monitoring/SIEM
• Continuous Scanning
Page 10
F5’s Strategy to address DevSecOps use cases
Page 11
F5 Automation Toolchain
Lifecycle: Bootstrap Device, Onboard, Deploy App Services, Monitor, Change
Bootstrap Device (Cloud Templates): Deploy F5 configured, operational F5 BIG-IP VEs into public and private clouds.
Onboard (Declarative Onboarding): Provision initial configuration of virtual BIG-IP devices through a declarative API.
Deploy App Services (Application Services 3 Extension): Configure F5 modules using declarative APIs. Runs on TMOS, as a container, or in BIG-IQ 6.1+.
Monitor (Telemetry Streaming): Stream BIG-IP telemetry for analytics and automation. Telemetry Streaming is an iControl LX extension and will send client/server stats from the BIG-IP via HTTP(S), Statsd or Kafka formats.
Change: Use telemetry data to track health, security and performance of applications. Use thresholds and triggers to scale app services.
Page 12
Declarative WAF API Example
Base templates: predefined or external reference.
Adaptation layer (base template adaptation): option to customize the initial policy.
Modification layer (policy builder suggestions): modifications are part of the modification layer and can be shared between policies.

```json
{
  "policy": {
    "name": "AppPolicy01",
    "description": "AppV1.1 - DEMO FOR DECLARATIVE AND WEBHOOKS CAPABILITIES",
    "template": { "name": "POLICY_TEMPLATE_RAPID_DEPLOYMENT" },
    "enforcementMode": "blocking",
    "server-technologies": [
      { "serverTechnologyName": "MySQL" }
    ],
    "signature-settings": {
      "signatureStaging": false
    },
    "modifications": [
      {
        "entityChanges": { "type": "explicit" },
        "entity": { "name": "log" },
        "entityKind": "tm:asm:policies:filetypes:filetypestate",
        "action": "delete",
        "description": "Delete Disallowed File Type"
      }
    ]
  }
}
```
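As an added example (not code from the slides or from F5), the following Python shows the two layers combined in a pipeline step: a base-template adaptation is merged with a shared modification layer, and the result is checked against guard rails before it is committed to source control. The field names follow the declaration shown above; the sample values and the guard-rail rules (blocking mode, staging off, review of any modification that deletes an entity) are assumptions for this demonstration.

```python
import copy
import json

# Constructed base declaration: same keys as the slide's example, values made up.
BASE_POLICY = {
    "policy": {
        "name": "AppPolicy01",
        "template": {"name": "POLICY_TEMPLATE_RAPID_DEPLOYMENT"},
        "enforcementMode": "transparent",
        "server-technologies": [{"serverTechnologyName": "MySQL"}],
        "signature-settings": {"signatureStaging": True},
        "modifications": [],
    }
}

# Constructed shared modification layer, reusable across several policies.
SHARED_MODIFICATIONS = [
    {
        "entityChanges": {"type": "explicit"},
        "entity": {"name": "log"},
        "entityKind": "tm:asm:policies:filetypes:filetypestate",
        "action": "delete",
        "description": "Delete Disallowed File Type",
    }
]


def merge_policy(base, shared_mods):
    """Return a new declaration: base template adaptation + shared modification layer.
    Inputs are copied so the base file in source control is never mutated."""
    merged = copy.deepcopy(base)
    merged["policy"].setdefault("modifications", []).extend(copy.deepcopy(shared_mods))
    return merged


def guardrail_findings(declaration):
    """Assumed guard rails for a production policy; returns human-readable findings."""
    pol = declaration["policy"]
    findings = []
    if pol.get("enforcementMode") != "blocking":
        findings.append("enforcementMode is not 'blocking'")
    # Treat a missing setting as staging enabled (assumed default): staged signatures only log.
    if pol.get("signature-settings", {}).get("signatureStaging", True):
        findings.append("signatureStaging is enabled; signatures will not block")
    for mod in pol.get("modifications", []):
        if mod.get("action") == "delete":
            findings.append("modification deletes %s '%s': needs security review"
                            % (mod.get("entityKind"), mod.get("entity", {}).get("name")))
    return findings


if __name__ == "__main__":
    merged = merge_policy(BASE_POLICY, SHARED_MODIFICATIONS)
    print(json.dumps(merged, indent=2))
    for finding in guardrail_findings(merged):
        print("FINDING:", finding)
```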
Page 13
Visibility and DevOps Notification
Challenge: No Feedback Loop. No notification of configuration changes, security events and resource health to modern DevOps tools.
Solution: Update Different DevOps Tools. Tools such as ChatOps, the CI server and ticketing management are notified by Adv WAF via webhooks, delivering notification and collaboration between teams.
Page 14
Slack/Teams ChatOps Example
Page 15
Policy Testing
Challenge: No Automated Sanity Tests. No option to generate a quick sanity test that reports on the Adv. WAF deployment state as part of the pipeline.
Solution: F5 Testing Tool for Policy Validation. A lightweight testing tool that provides an immediate test result for the basic protection level and fits into an automated testing pipeline.

Test Summary Report Example:

```json
{
  "summary": { "fail": 1, "success": 127 },
  "details": {
    "100000012": {
      "attack_type": "Path Traversal",
      "CVE": "",
      "results": {
        "url": {
          "reason": "There are disabled evasions",
          "expected_result": { "type": "evasion", "value": "Directory traversals" },
          "success": false
        }
      }
    },
    "100000036": {
      "attack_type": "Server Side Code Injection",
      "CVE": "",
      "results": {
        "url": {
          "reason": "",
          "expected_result": { "type": "signature", "value": "200001404" },
          "success": true
        }
      }
    }
  }
}
```

Attack test type: Signature, Evasion, HTTP RFC
Test success state: true (test passed), false (test failed)
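As an added example (not the F5 tool's own code), this Python turns a report in the shape shown above into a pipeline gate, which is the "run again until all tests are passed" step of the policy workflow: every non-passing check is listed with its reason and expected result, the verdict is recomputed from `details` instead of trusting the `summary` counters, and an empty report never passes. The report below is constructed for the demonstration; the third test and its `http_rfc` type are made up.

```python
import json

# Constructed report in the shape of the slide's test summary; ids, reasons and the
# third test are made up for this demonstration.
SAMPLE_REPORT = json.dumps({
    "summary": {"fail": 1, "success": 2},
    "details": {
        "100000012": {"attack_type": "Path Traversal", "CVE": "", "results": {"url": {
            "reason": "There are disabled evasions",
            "expected_result": {"type": "evasion", "value": "Directory traversals"},
            "success": False}}},
        "100000036": {"attack_type": "Server Side Code Injection", "CVE": "", "results": {"url": {
            "reason": "", "expected_result": {"type": "signature", "value": "200001404"},
            "success": True}}},
        "100000050": {"attack_type": "HTTP Parser Attack", "CVE": "", "results": {"url": {
            "reason": "", "expected_result": {"type": "http_rfc", "value": "Bad HTTP version"},
            "success": True}}},
    },
})


def failed_checks(report):
    """Return (test_id, attack_type, location, reason, expected) for every check that
    did not pass. A test may carry results for several locations ('url' on the slide)."""
    out = []
    for test_id, test in report.get("details", {}).items():
        for location, result in test.get("results", {}).items():
            if not result.get("success", False):
                exp = result.get("expected_result", {})
                out.append((test_id, test.get("attack_type", ""), location,
                            result.get("reason", ""),
                            "%s=%s" % (exp.get("type"), exp.get("value"))))
    return out


def gate(report_text):
    """Pipeline gate: returns (passed, failures). Passes only when at least one check
    ran, none failed, and the summary's fail counter agrees with the details."""
    report = json.loads(report_text)
    failures = failed_checks(report)
    ran = sum(len(t.get("results", {})) for t in report.get("details", {}).values())
    consistent = report.get("summary", {}).get("fail") == len(failures)
    return (ran > 0 and not failures and consistent), failures


if __name__ == "__main__":
    passed, failures = gate(SAMPLE_REPORT)
    for failure in failures:
        print("FAIL %s [%s] at %s: %s (expected %s)" % failure)
    print("gate:", "PASS" if passed else "FAIL")
```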
Page 16
Policy Workflow
• Define security requirements during app onboarding
• Create a declarative policy file with the desired security (base template + modification) and upload the policy file into source control
• Notify DevOps about the new policy ready for automation testing
• Automation security pipeline run for functional and vulnerability testing
• Automation security pipeline run again until all tests are passed
• Security events sent to the DevSecOps ChatOps channel
• DevSecOps or CI server export policy builder suggestions to source control
• DevSecOps refer to the new suggestions in the policy file
Page 17
Free up your time! Start now. Let's do a demo!
Page 18