DevSecOps: Taking a DevOps Approach to Security
Alert Logic & Chef discuss overcoming security challenges in DevOps
Jul 18, 2015
Agenda
• Security Challenges
• High Velocity IT
• Vulnerability Management
• Securing the Platform
• Continuous Monitoring
• Questions
Speaker Introduction
James Brown, Director of Cloud Computing & Security Architecture, Alert Logic
Alex Manly, Solution Architect, Chef
OVERCOMING SECURITY CHALLENGES
Security Remains #1 Pain Point For Cloud Deployments
© 2014 451 Research, LLC. www.451research.com
Cloud Computing Pain Points
Q. What are your top cloud computing-related pain points? Select up to three. n=163. Source: Cloud Computing – Wave 7, 451 Research
Security: 31%
Pricing/Budget/Cost: 17%
Human Change Management: 12%
Security of Data, Control of Data Locality, Sovereignty: 11%
Compliance: 11%
Migration/Integration: 10%
Internal Resources/Expertise: 9%
Management: 8%
Lack of Internal Process: 7.4%
Vendor/Provider Issues: 7%
Organizational Challenges: 7%
Contractual/Legal Issues: 7%
Service Reliability/Availability: 5%
Network: 5%
Lack of Standards: 4%
Service-level Management: 4%
Limited Transparency and Management: 4%
Complexity: 4%
Technology Immaturity: 3%
Legacy Applications: 3%
Capacity Planning/Management: 3.1%
Governance: 2.5%
Data Movement: 2.5%
Storage: 2%
Perception and Internal Resistance: 2%
Lack of Provider Competence: 2%
Interoperability: 2%
Business Continuity/Disaster Recovery: 2%
Other Pain Points Mentioned
Automated Provisioning
Automation
Billing/Chargeback/Show-back
Ease of Transfer Between Private and Public Cloud
Integration of Private and Public Cloud
Lack of Control
Lack of Flexibility
Licensing
Orchestration
Performance
Platform/Provider Selection
Support
Time to Deployment
Shared Security Model
Application Security Technology Challenges: Network Changes, Host Identity, Auto-Scaling
Why do traditional security tools struggle in the cloud?
Security at Odds with DevOps Velocity
Traditional Security/Compliance is Slow
• Bolted on at the end
• Manual processes
• Long cycle times
Mature DevOps Velocity is Fast
Security Practice does not Keep Up
• Traditional Security Tools are not automated
• Continuous deployment stalls without security automation
InfoSec Ends Up Being Marginalized
“The problem for the security person who is used to turning
around security reviews in a month or two weeks is they're
just being shoved out of the game. There's no way with how
Infosec is currently configured that they can keep up with
that. So, Infosec gets all the complaints about being
marginalized and getting in the way of doing what needs
getting done.”
Gene Kim, former CTO of Tripwire
Author of “The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win”
Alert Logic Survey Findings
Good communications between Development and Operations Teams
Poor communication between DevOps, Security and Compliance teams
Security Infrastructure had been poorly managed or needed significant improvement
Admitted to not implementing security into their continuous process
High velocity IT
• Web scale IT
• Software is eating the world
• The Rise of the Coded Business
• Every business is an IT business
• Software defined everything
• Deliver change faster and safer
Infrastructure on demand
• Cheap
• Secure
• Elastically Scalable
• Self Service
DevOps
Configuration Management
Continuous Delivery
Architecture
Compliance Drag
“If you think compliance is expensive, try non-compliance.”
Former US Deputy Attorney General, Paul McNulty
• Many hats **
• Not just Dev, not just Ops.
• Security is not, and has never been, just a check box.
• Security as Code – Software Defined Security
• Embed security tests into the pipeline.
• Test security early.
DevSecOps – Don’t shoot me, it’s just a word
** Hat tip to Ben Hughes (@benjammingh), from whom I stole this slide
https://speakerdeck.com/barnbarn/handmade-security-at-etsy
The changing role of the compliance officer
2015 Compliance Report - Verizon
VULNERABILITY MANAGEMENT
Vulnerability Management
Vulnerability management is key to maintaining a secure system.
Most IT environments use a mix of patch management and vulnerability scanning.
However
• Scanning is not run frequently enough
• Dealing with large numbers of potential vulnerabilities in one go introduces significant risk to the application stability
Manage Vulnerabilities with Base Images + CI
Manage Vulnerabilities
• Conduct normal vulnerability scanning
• Identify Vulnerabilities that exist in Base Images versus Application specific packages
• Remediate at appropriate level as part of Continuous Delivery process
• Start with Hardened “secure by default” base
Results
• Less work, done more reliably
• Patching fits naturally into Phoenix Upgrades
• Continuous Delivery allows frequent scanning in test environments to have real value
• Fixes potential vulnerabilities systematically
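The slide above says to separate vulnerabilities that live in the base image from application-specific ones and remediate each at the right level. As an added example (not from the deck, and not Alert Logic or Chef code), the Ruby below takes constructed scanner findings, looks each package up in a constructed base-image manifest, and folds the result into the smallest set of pipeline actions: one image rebuild for every instance launched from that image, a dependency update for application packages, and an instance replacement where a host has drifted from its image. The image name, host names, versions and ADV-nnnn advisory ids are all placeholders.

```ruby
# Added example: classify vulnerability findings by layer (base image vs
# application vs drifted instance) and collapse them into pipeline actions.
# Every manifest, host, version and advisory id below is constructed.

# Constructed: packages and versions baked into a hypothetical hardened base image.
BASE_IMAGE_MANIFEST = {
  'web-base-2015.07' => {
    'openssl' => '1.0.1e-30',
    'bash'    => '4.2.45-5',
    'curl'    => '7.29.0-19'
  }
}.freeze

# Constructed: which base image each running instance was launched from.
HOST_IMAGE = { 'web-01' => 'web-base-2015.07', 'web-02' => 'web-base-2015.07' }.freeze

# Constructed scanner output (ADV-nnnn ids are placeholders, not real advisories).
SCAN_FINDINGS = [
  { host: 'web-01', package: 'openssl', version: '1.0.1e-30', advisory: 'ADV-0001' },
  { host: 'web-01', package: 'rails',   version: '4.1.8',     advisory: 'ADV-0002' },
  { host: 'web-02', package: 'openssl', version: '1.0.1e-30', advisory: 'ADV-0001' },
  { host: 'web-02', package: 'bash',    version: '4.2.45-5',  advisory: 'ADV-0003' },
  { host: 'web-02', package: 'curl',    version: '7.29.0-25', advisory: 'ADV-0004' }
].freeze

# :base_image  -> the vulnerable version is exactly what the image ships
# :drifted     -> the package is in the image, but the instance runs a different
#                 version (patched or installed by hand, i.e. configuration drift)
# :application -> the package is not part of the image at all
def classify(finding, manifest = BASE_IMAGE_MANIFEST, host_image = HOST_IMAGE)
  base_version = manifest.dig(host_image[finding[:host]], finding[:package])
  return :application if base_version.nil?
  base_version == finding[:version] ? :base_image : :drifted
end

# Collapse findings into pipeline actions: one base-image rebuild covers every
# instance launched from it; drifted instances are replaced (Phoenix upgrade)
# rather than patched in place; application packages go to the app's dependency update.
def remediation_plan(findings = SCAN_FINDINGS, manifest = BASE_IMAGE_MANIFEST, host_image = HOST_IMAGE)
  plan = { rebuild_base_image: {}, update_app_dependency: {}, rebuild_instance: [] }
  findings.each do |f|
    case classify(f, manifest, host_image)
    when :base_image
      pkgs = plan[:rebuild_base_image][host_image[f[:host]]] ||= []
      pkgs << f[:package] unless pkgs.include?(f[:package])
    when :application
      hosts = plan[:update_app_dependency][f[:package]] ||= []
      hosts << f[:host] unless hosts.include?(f[:host])
    when :drifted
      plan[:rebuild_instance] << f[:host] unless plan[:rebuild_instance].include?(f[:host])
    end
  end
  plan
end

if __FILE__ == $PROGRAM_NAME
  remediation_plan.each { |action, targets| puts "#{action}: #{targets.inspect}" }
end
```

Five findings across two hosts become three actions; the two openssl findings collapse into a single image rebuild, which is the "less work, done more reliably" point of the slide.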
Adopt Phoenix upgrade strategy
Embrace Phoenix Upgrades
• Stand up new instances, don’t upgrade
• Route traffic between old and new instances
• Rich service metrics and automate rollback
• Advanced routing can enable selective rollout
Results
• Creates evergreen systems, avoiding configuration drift and technical debt
• Enforces refresh of all system components as complete artifact, tested as a holistic system
• Greatly reduces security risks when combined with immutable instances and configuration management
Real World Case – Patching Shellshock
SECURING THE PLATFORM
Securing the platform
Aside from ensuring that an application and its server are fully patched, it is key to start from a position where the server has been fully locked down.
In the cloud, have the developers simply taken the base OS images made available to them and used them as-is?
You may be in a position where:
• Permissions on servers cannot be changed without risking breaking the application
• Base OS images are used without any specific security hardening implemented
• Different standards exist across different server types.
Prevent Attacks with Immutable Systems
Build secure base images that are representative of your infrastructure system base
Design file system layout to separate code from data, and lock down to minimum required permissions. This should expand to the network as well.
Leverage SANS Checklist and CIS Benchmark resources for system level security best practices and guidance
Leverage configuration management tools to standardize all software versions and configurations
Design Secure Immutable Infrastructure
• This example will identify any code that tries to mount disk volumes. If such code is identified, it will be audited, and a workflow can then control what action is taken on this deviation from standards.
Example – Static Control Analysis
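As an added example of the static control analysis the bullet above describes (not code from the deck or from Chef), the Ruby below scans recipe source for two things: a Chef mount resource declaration, and an execute/bash-style resource whose command shells out to mount. Every hit is recorded with file and line for audit, and a workflow gate decides whether the change is allowed or blocked. The recipe contents, their paths and the storage-team allow-list are constructed for the example; real cookbooks would be read from disk.

```ruby
# Added example: static control analysis of Chef recipe source for disk-mount
# actions. Recipes, paths and the cookbook allow-list below are constructed.

# Constructed recipe sources keyed by a hypothetical repository path.
RECIPES = {
  'cookbooks/web/recipes/default.rb' => <<~'RECIPE',
    package 'nginx'
    service 'nginx' do
      action [:enable, :start]
    end
  RECIPE
  'cookbooks/storage/recipes/volumes.rb' => <<~'RECIPE',
    mount '/mnt/data' do
      device '/dev/xvdf'
      fstype 'ext4'
      action [:mount, :enable]
    end
  RECIPE
  'cookbooks/app/recipes/scratch.rb' => <<~'RECIPE'
    execute 'scratch space' do
      command 'mount -t tmpfs none /mnt/scratch'
    end
  RECIPE
}.freeze

# A Chef mount resource declaration at the start of a line: mount '/path' do ...
MOUNT_RESOURCE = /\A\s*mount\s+(['"])([^'"]+)\1/
# A command/code attribute (execute, bash, script resources) that calls mount.
SHELL_MOUNT    = /\A\s*(command|code)\s+(['"])(.*\bmount\b.*)\2/

# Scan one recipe; every hit becomes an audit record with file and line number.
def scan_recipe(path, source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    if (m = line.match(MOUNT_RESOURCE))
      findings << { file: path, line: lineno, kind: :mount_resource, detail: m[2] }
    elsif (m = line.match(SHELL_MOUNT))
      findings << { file: path, line: lineno, kind: :shell_mount, detail: m[3] }
    end
  end
  findings
end

def scan_cookbooks(recipes)
  recipes.flat_map { |path, source| scan_recipe(path, source) }
end

# Hypothetical policy: only cookbooks owned by the storage team may mount volumes.
ALLOWED_COOKBOOKS = %w[storage].freeze

# Workflow step: all findings are audited; any finding outside the allow-list
# blocks the change, the rest are allowed through with an audit trail.
def gate(findings, allowed = ALLOWED_COOKBOOKS)
  blocked = findings.reject { |f| allowed.include?(f[:file].split('/')[1]) }
  { decision: blocked.empty? ? :allow : :block, audit: findings, blocked: blocked }
end

if __FILE__ == $PROGRAM_NAME
  result = gate(scan_cookbooks(RECIPES))
  result[:audit].each { |f| puts "#{f[:file]}:#{f[:line]} #{f[:kind]} #{f[:detail]}" }
  puts "decision: #{result[:decision]}"
end
```

On the constructed recipes the storage cookbook's mount resource is audited but allowed, while the app cookbook's tmpfs mount via execute is audited and blocks the change. Line-oriented regexes are deliberately simple; a production scanner would parse the Ruby (or run the recipe in why-run mode) to catch mounts built from variables.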
Example – Infrastructure Testing
• Tests Chef cookbooks using cloud instances and virtual machines
• Lets you create a realistic multi-server test environment
• Uses Chef and supports everything Chef supports (OSs, VMs, languages, etc.)
• Supports multiple test runners (Bats, Minitest, RSpec, ServerSpec, etc.)
CONTINUOUS MONITORING
Chef Analytics Provides Visibility in Three Ways
• Record changes to Chef Server or any Chef Nodes; tracks changes from any source (Chef UI, command line, knife)
• Built-in messaging and email integration; trivially integrates with your existing systems
• Simple dashboard with search, filters and sorting options; integrate with existing tools via API
Example
• PCI 2.3 - Encrypt all non-console administrative access such as browser/Web-based management tools.
rules 'PCI 2.3 - Confirm telnet port not available'
  rule on run_control
  when
    name = 'has nothing listening'
    resource_type = 'port'
    resource_name = '23'
    status != 'success'
  then
    audit:error("PCI 2.3 - Encrypt all non-console administrative access such as browser/Web-based management tools.")
    notify("[email protected]", "A machine is listening for connections on port 23/telnet!")
  end
end
Rule Control
controls 'port compliance' do
  control port(23) do
    it "has nothing listening" do
      expect(port(23)).to_not be_listening
    end
  end
end
Example – PCI Compliance
• SOX Section 302.4.B – Establish verifiable controls to track data access.
rules 'force key based auth'
  rule on run_control
  when
    name = 'is disabled'
    resource_type = 'File'
    resource_name = '/etc/ssh/sshd_config'
    status = 'failed'
  then
    audit:error("SOX Section 302.4.B - Establish verifiable controls to track data access.")
    notify('[email protected]', "A machine has password login enabled!")
  end
end
Rule Control
controls 'password authentication' do
  control file('/etc/ssh/sshd_config') do
    it "is disabled" do
      expect(file('/etc/ssh/sshd_config').content)
        .to_not match(/^\s*PasswordAuthentication\s+yes/i)
    end
  end
end
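The PCI and SOX slides above show the same pipeline twice: an audit-mode control fails, Chef emits a run_control event, and an Analytics rule matching on name, resource type, resource name and status raises an audit error and a notification. As an added example covering both slides (plain Ruby, not Chef audit mode or the Analytics rules engine, and not code from the deck), the block below runs both controls against constructed evidence, emits events in that shape, and evaluates a rule table transcribed from the slides. It also shows the caveat a practitioner wants on the SOX check: sshd treats an absent PasswordAuthentication directive as yes, so a config that only carries the commented-out default passes the slide's regex while password login is still on. The ss output, sshd_config and notification address are constructed.

```ruby
require 'set'

# Added example: control -> run_control event -> rule -> notification, modelled
# in plain Ruby. The ss output, sshd_config and notify address are constructed.

# Constructed `ss -ltn` output: telnet (23) is listening.
SS_OUTPUT = <<~SS
  State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
  LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
  LISTEN  0       128     0.0.0.0:23           0.0.0.0:*
  LISTEN  0       511     127.0.0.1:80         0.0.0.0:*
SS

# Constructed sshd_config: the directive appears only commented out, so sshd
# uses its default (yes); the Match block only applies to one user.
SSHD_CONFIG = <<~CFG
  #PasswordAuthentication yes
  PubkeyAuthentication yes
  Match User backup
      PasswordAuthentication no
CFG

# Listening TCP ports parsed from `ss -ltn` style output.
def listening_ports(ss_text)
  ss_text.lines.drop(1).filter_map do |line|
    cols = line.split
    next unless cols[0] == 'LISTEN'
    cols[3].split(':').last.to_i
  end.to_set
end

# The slide's check as written: a regex for an explicit "PasswordAuthentication yes".
def naive_password_auth_disabled?(config_text)
  !(config_text =~ /^\s*PasswordAuthentication\s+yes/i)
end

# Effective global value: sshd honours the FIRST occurrence of a directive,
# ignores comments, and global scope ends at the first Match block; an absent
# directive means the default, which is yes.
def password_auth_enabled?(config_text)
  config_text.each_line do |line|
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?('#')
    break if stripped.match?(/\AMatch\b/i)
    if (m = stripped.match(/\APasswordAuthentication\s+(\S+)/i))
      return m[1].casecmp?('yes')
    end
  end
  true
end

# Run both controls; each yields a run_control event in the shape the rules match on.
def run_controls(ss_text, config_text)
  [
    { name: 'has nothing listening', resource_type: 'port', resource_name: '23',
      status: listening_ports(ss_text).include?(23) ? 'failed' : 'success' },
    { name: 'is disabled', resource_type: 'File', resource_name: '/etc/ssh/sshd_config',
      status: password_auth_enabled?(config_text) ? 'failed' : 'success' }
  ]
end

# Rule table transcribed from the slides; the notify address is a placeholder.
RULES = [
  { name: 'PCI 2.3 - Confirm telnet port not available',
    match: { resource_type: 'port', resource_name: '23' },
    notify: 'security-team@example.com',
    message: 'A machine is listening for connections on port 23/telnet!' },
  { name: 'force key based auth',
    match: { resource_type: 'File', resource_name: '/etc/ssh/sshd_config' },
    notify: 'security-team@example.com',
    message: 'A machine has password login enabled!' }
].freeze

# Fire every rule whose match keys equal the event's when the control did not succeed.
def evaluate_rules(events, rules = RULES)
  events.flat_map do |ev|
    next [] if ev[:status] == 'success'
    rules.select { |r| r[:match].all? { |k, v| ev[k] == v } }
         .map { |r| { rule: r[:name], notify: r[:notify], message: r[:message], event: ev } }
  end
end

if __FILE__ == $PROGRAM_NAME
  evaluate_rules(run_controls(SS_OUTPUT, SSHD_CONFIG)).each do |a|
    puts "#{a[:rule]} -> #{a[:notify]}: #{a[:message]}"
  end
end
```

On the constructed evidence both rules fire. Note the two sshd checks disagree: the slide's regex reports password authentication as disabled for this file, while the effective-value parser reports it enabled, which is the state an attacker would actually find. A control that asserts the directive is explicitly set to no (and is the first occurrence) avoids that gap.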
Example - SOX Compliance
How Cloud Defender Works
Alert Logic Cloud Defender: Identify Attacks & Protect Customers
• Big Data Analytics Platform (Alert Logic ActiveAnalytics)
• Threat Intelligence & Security Content (Alert Logic ActiveIntelligence)
• 24 x 7 Monitoring & Escalation (Alert Logic ActiveWatch)
Inputs from the Customer IT Environment (Cloud, Hybrid, On-Premises): web application events, log data, network incidents
Alert Logic Cloud Defender
Threat Manager: Network Intrusion Detection
• Detects suspicious activities across your networks
• Uncovers vulnerabilities in your networks, systems, and
applications
Log Manager: Log Management & Analysis
• Protects your networks, systems, and applications through
log analysis
• Collects, aggregates, and normalizes logs for easy searching
and long term storage
Web Security Manager: Web Application Protection
• Built to protect web applications from web specific attacks
• Learning engine adapts to normal behavior, ensuring
application uptime
Simple Unified Deployment
Questions and Resources
Resources
All available under the “Attachments” tab of the webinar:
• DevOps: The Security Gap
• Key findings from Alert Logic’s recent Dev-“Sec”-Ops Survey
• Chef’s Whitepaper: Compliance at Velocity
• Alert Logic Blog
• Top 10 tips for Security Professionals Blog
Questions
Get Connected
www.alertlogic.com
www.chef.io
@alertlogic
@chef
linkedin.com/company/alert-logic
linkedin.com/company/opscode
alertlogic.com/resources/blog/
chef.io/blog
youtube.com/user/AlertLogicTV
youtube.com/user/getchef
brighttalk.com/channel/11587
brighttalk.com/channel/11349
Contact Us
James Brown
Director of Cloud Computing & Security Architecture
Alert Logic
Alex Manly
Solution Architect
Chef
Thank you!