Post on 21-Jul-2020
© Copyright 2018 Pivotal Software, Inc. All rights Reserved. Version 1.0
Paul Czarkowski@pczarkowski
Transform your Security Team with DevOps
Transform your DevOps Practice with Security
Agenda
■ Who I Am
■ Compliance
■ DevOps
■ DevOps + Compliance
■ Q+A
Compliance?
What is Compliance?
Self Imposed
● CIS Controls / Benchmarks
● Security Technical Implementation Guide (STIG)
● Allowed opensource licenses
Regulatory
● PCI (US)
● HIPAA (US)
● Sarbanes-Oxley (US)
● EU GDPR
● NZ Information Security Manual (NZISM)
Verification
Validation of compliance based on the controls in place.
● Checklists
● External Auditors
Checklists
Practice, Policy or Procedure established to meet compliance requirements.
● Spreadsheets
● Checklists
● Sharepoint Pages
Specifications
Documentation of requirements that need to be met in order to be compliant.
● PDFs
● Verbose
Compliance Controls Audit
[Diagram: Example of Compliance Specifications, showing the roles involved: Compliance Officer, Operations, Security Officer, Auditor]
DevOps
http://blog.d2-si.fr/2016/02/22/devopsconnection/
Rugged DevOps
DevSecOps
Secure DevOps
https://www.devsecopsdays.com/articles/its-just-a-name
DevOps + Compliance
[Diagram: Pivotal Cloud Foundry platform layers and the "3Rs"]
● IaaS: vSphere, Azure & Azure Stack, Google Cloud, AWS, Openstack; CPI (15 methods); NSX-T
● Embedded OS (Windows & Linux), with CVEs tracked across versions v1, v2, v3...
● Pivotal Application Service (PAS): cf push, WE build the container; Application Code & Frameworks (Buildpacks | Spring Boot | Spring Cloud | Steeltoe); Product Updates (Java | .NET | NodeJS)
● Pivotal Container Service (PKS): kubectl run, YOU build the container; Packaged Software (Elastic | Spark)
● Pivotal Services Marketplace via the Open Service Broker API: Pivotal and Partner Products, Public Cloud Services, Customer Managed Services
● Continuous delivery: Pivotal Network, Github, Concourse
“3Rs”: Repair (CVEs), Repave, Rotate (Credhub)
PIVOTAL CLOUD FOUNDRY OPS
Powered by BOSH
BOSH is an open source tool for release engineering, deployment, lifecycle management, and monitoring of distributed systems.
BOSH:
● Packaging w/ embedded OS
● Server provisioning on any IaaS
● Software deployment across availability zones
● Health monitoring (server AND processes)
● Self-healing w/ Resurrector
● Storage management
● Rolling upgrades via canaries
● Easy scaling of clusters
Culture
Adopting a DevOps culture
Despite varying approaches to describing high-performance teams there is a set of common characteristics that are recognised to lead to success.
● Participative leadership – using a democratic leadership style that involves and engages team members
● Effective decision-making – using a blend of rational and intuitive decision making methods, depending on the nature of the decision task
● Open and clear communication – ensuring that the team mutually constructs shared meaning, using effective communication methods and channels
● Valued diversity – valuing a diversity of experience and background in team, contributing to a diversity of viewpoints, leading to better decision making and solutions
● Mutual trust – trusting in other team members and trusting in the team as an entity
● Clear goals – goals that are developed using SMART criteria; also each goal must have personal meaning and resonance for each team member, building commitment and engagement
● Defined roles and responsibilities – each team member understands what they must do (and what they must not do) to demonstrate their commitment to the team and to support team success
● Positive atmosphere – an overall team culture that is open, transparent, positive, future-focused and able to deliver success
https://en.wikipedia.org/wiki/High-performance_teams
Lean
https://imgur.com/gallery/kMJWs
https://www.slideshare.net/KarenMartinGroup/value-stream-mapping-in-office-service-setttings
Mappable Processes that include Security / Compliance
Application Release
● Vulnerability Scanning
● Security Scanning (SQL injection, etc.)
● License Scanning
● Attribution
Compliance Audits
● Vulnerability Scanning
● Security Scanning (SQL injection, etc.)
● Package updates
● OS inspection
Infrastructure Provisioning
● OS Hardening
● Firewalling
● User Management
● Remote logging and auditing
● Intrusion Detection
● Vulnerability Scanning
Value Stream map for Provisioning a New Server
Current State
[Diagram: Prepare Request → Network / VLANs → Launch VM / Install OS → Test Compliance → Deliver; timings shown on the map: 1-5 days and 1-2 days per step]
Value Stream map for Provisioning a New Server
Future State
[Diagram: Deploy VM → Configure VM → Test Compliance → Deliver; timings shown on the map: 1-5 days and 1-2 hours per step]
Value Stream map for Provisioning a New Server
Future State
Automation
Ansible STIG hardening:
● Implements STIG controls via Ansible playbooks
● Opensource project started at Rackspace
● Plays well with existing config management
● Easily override problematic controls
InSpec:
● Extends RSpec for Compliance testing
● Similar to Serverspec, but better.
● Easy to go from Serverspec to InSpec
● Inspec-STIG is all of STIG already written into InSpec tests.
Source: @petecheslock
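The Automation slide above describes turning STIG-style requirements into executable tests. As an added example that is not from this deck or from InSpec, ansible-hardening or Inspec-STIG, the following plain Ruby script models the InSpec pattern (gather the system state, then evaluate a list of named controls against it) over a constructed sshd_config, so it runs without InSpec installed. The control IDs, titles and expected values are illustrative assumptions for this example and are not STIG vulnerability IDs.

```ruby
# Added example (not from the original deck): an InSpec-style compliance check
# written in plain Ruby. Control IDs and expected values below are assumptions
# chosen for illustration; they are not quoted from any STIG.
require 'set'

# Constructed sample sshd_config for the example (not taken from a real host).
SAMPLE_SSHD_CONFIG = <<~CONF
  # OpenSSH server configuration
  Port 22
  Protocol 2
  PermitRootLogin yes
  PasswordAuthentication no
  PermitEmptyPasswords no
  X11Forwarding yes
  Ciphers aes256-ctr,aes192-ctr,aes128-ctr
CONF

# Parse an sshd_config body into a Hash of lowercased keyword => value.
# Comments and blank lines are skipped. When a keyword appears twice the
# first value is kept, matching sshd's own "first obtained value wins" rule,
# so a hardened line appended at the end of the file would NOT take effect.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |line|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    next if value.nil?
    k = key.downcase
    settings[k] = value.strip unless settings.key?(k)
  end
  settings
end

# Each control names a keyword and a predicate on its value.
# IDs are made up for this example (they are not STIG vulnerability IDs).
APPROVED_CIPHERS = Set['aes256-ctr', 'aes192-ctr', 'aes128-ctr']
CONTROLS = [
  { id: 'ssh-01', title: 'Root login over SSH must be disabled',
    key: 'permitrootlogin', check: ->(v) { v == 'no' } },
  { id: 'ssh-02', title: 'Empty passwords must not be permitted',
    key: 'permitemptypasswords', check: ->(v) { v == 'no' } },
  { id: 'ssh-03', title: 'X11 forwarding must be disabled',
    key: 'x11forwarding', check: ->(v) { v == 'no' } },
  { id: 'ssh-04', title: 'Only SSH protocol 2 may be used',
    key: 'protocol', check: ->(v) { v == '2' } },
  { id: 'ssh-05', title: 'Only approved ciphers may be configured',
    key: 'ciphers',
    check: ->(v) { v.split(',').to_set.subset?(APPROVED_CIPHERS) } }
].freeze

# Evaluate every control. A keyword that is absent counts as a failure:
# the hardened value must be stated explicitly rather than assumed from
# whatever default the installed sshd happens to use.
def run_controls(settings, controls = CONTROLS)
  controls.map do |c|
    value = settings[c[:key]]
    passed = !value.nil? && c[:check].call(value)
    { id: c[:id], title: c[:title], value: value, passed: passed }
  end
end

# IDs of the controls that failed, in control order.
def failing_ids(results)
  results.reject { |r| r[:passed] }.map { |r| r[:id] }
end

if __FILE__ == $PROGRAM_NAME
  results = run_controls(parse_sshd_config(SAMPLE_SSHD_CONFIG))
  results.each do |r|
    puts format('%-4s %-7s %s (found: %s)',
                r[:passed] ? 'PASS' : 'FAIL', r[:id], r[:title], r[:value].inspect)
  end
  puts "#{failing_ids(results).size} control(s) failing"
end
```

Run against the embedded sample the report flags ssh-01 (PermitRootLogin yes) and ssh-03 (X11Forwarding yes) and passes the rest. The "first value wins" parsing is the detail worth keeping: a remediation playbook that appends `PermitRootLogin no` to a file that already sets it to `yes` leaves the host non-compliant, and a checker that took the last value would report a false pass.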
Example of Compliance Specifications
Measurement
Sharing
What’s Next ?
Other Security / Compliance tools
● Gauntlt (Security Testing Framework)
● Metasploit (Penetration Testing)
● Syntribos (API security testing)
● Pivotal LicenseFinder (Scanning licenses of dependencies)
● Snort (Intrusion Detection)
● Fossology (license compliance)
● OpenVAS (vulnerability scanning)
● OSSEC (Intrusion Detection)
Questions?
Transforming How The World Builds Software