Application Security at DevOps Speed - DevOpsDays Singapore 2016
Devops, Docker and Security - DevOpsTalks.Com · •One of the founding members of “Devopsdays”...
About Me - https://github.com/botchagalupe/my-presentations
• One of the founding members of “Devopsdays”
• Co-author of the “Devops Handbook”
• Author of the “Introduction to Devops” on Linux Foundation edX
• Podcaster at devopscafe.org
• Devops Enterprise Summit - Cofounder
• Ninth person in at Chef (VP of Customer Enablement)
• Formerly Director of Devops at Dell
• Founder of Socketplane (Acquired by Docker)
• 10 Startups over 25 years
Faster, Effective, Reliable
• Devops (Faster)
• Docker (Effective)
• Supply Chain (Reliable)
Immutable Service Delivery
• CAMS
  • Culture
  • Automation
  • Measurement
  • Sharing
Devops Taxonomies
• The Three Ways
  • The First Way
  • The Second Way
  • The Third Way
Devops Practices and Patterns
• Continuous Delivery
  • Everything in version control
  • Small batch principle
  • Trunk based deployments
  • Manage flow (WIP)
  • Automate everything
• Culture
  • Everyone is responsible
  • Done means released
  • Stop the line when it breaks
  • Remove silos
itrevolution.com/devops-handbook
Recent IT Performance Data is Compelling
High performers compared to their peers…
• 30x more frequent deployments
• 200x faster lead times
• 60x the change success rate
• 168x faster mean time to recover (MTTR)
• 2x more likely to exceed profitability, market share & productivity goals
• 50% higher market capitalization growth over 3 years*
Data from 2014/2015 State of DevOps Report - https://puppetlabs.com/2015-devops-report
Faster · Higher Quality · More Effective · 2555x
Devops Results - Google
• Over 15,000 engineers in over 40 offices
• 4,000+ projects under active development
• 5500+ code submissions per day (20+ p/m)
• Over 75M test cases run daily
• 50% of code changes monthly
• Single source tree
Devops Results - Amazon
• 11.6 second mean time between deploys
• 1079 max deploys in a single hour
• 10,000 mean number of hosts simultaneously receiving a deploy
• 30,000 max number of hosts simultaneously receiving a deploy
Unicorns and Horses (Enterprises)
Unicorns
Enterprise
Shamelessly stolen and repurposed from: Pete Cheslock
Devops Results - Enterprise Organizations
• Ticketmaster - 98% reduction in MTTR
• Nordstrom - 20% shorter Lead Time
• Target - Full Stack Deploy 3 months to minutes
• USAA - Release from 28 days to 7 days
• ING - 500 applications teams doing devops
• CSG - From 200 incidents per release to 18
History of Virtualization
• IBM 360/370 (1960/1970)
• CHROOT - Version 7 Unix 1979 (Bell Labs)
• BSD in 1982 (Berkeley)
• VMware (1998)
• FreeBSD Jails 2000
• XEN 2003
• Solaris Zones 2004
• OpenVZ 2005
• Amazon Web Services 2006
• Namespaces 2007
• Cgroups (Google) 2007
• KVM 2007
• AIX LPARS (IBM) 2007
• Drawbridge (2008)
• Hyper-V (2008)
• Linux Containers - LXC (Parallels, IBM, Google) 2008
• Docker (Dotcloud Inc) 2013
• Microsoft Docker on Windows Server 2016
Virtualization
• Type 1 Virtualization: VMware ESX, XEN, Hyper-V
• Type 2 Virtualization: KVM, Virtualbox, QEMU, VMware Workstation
• OS Level Virtualization: OpenVZ, LXC, Docker
www.slideshare.net/BodenRussell/realizing-linux-containerslxc
Why OS Level Virtualization
• Provision in milliseconds
• Near bare metal runtime performance
• VM-like agility – it’s still “virtualization”
• Lightweight – Just enough Operating System (JeOS)
• Supported with modern Linux kernel
• Growing in popularity
Docker Security Enhancements
• Docker Security Scanning
• Docker Content Trust
• Docker Trusted Registry
• TLS by Default for Swarm/Docker Data Center
• Read Only Containers
• User Namespaces
• Seccomp and LSM support
• Enhanced System “Capabilities” support
• Secrets Management
• Immutable Operating System (Coming Soon)
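Most of the controls in this list are switched on per container (`--read-only`, `--cap-drop`, `--security-opt no-new-privileges`, a seccomp profile, user namespace remapping) and are only useful if something in the pipeline refuses to promote a container that does not have them. The following audit is an added example, not code from the talk or from Docker: it reads the JSON array that `docker inspect <container>` prints and returns one finding per missing control, including the "one service, one port" rule the talk closes with (a non-root user and exactly one exposed port). The two inspect records embedded in it are constructed sample data; the seccomp profile path and the container names are assumptions.

```python
"""CI gate: audit `docker inspect` output for the hardening controls above.

Added example (not code from the talk or from Docker). Reads the JSON
array that `docker inspect <container>` prints; the two records below
are constructed sample data so the script runs offline.
"""
import json
import sys

# Capabilities that amount to root on the host; a service should not get
# them back after --cap-drop ALL.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO",
                  "NET_ADMIN", "DAC_READ_SEARCH"}


def _cap(name):
    """Normalise 'CAP_SYS_ADMIN' / 'sys_admin' to 'SYS_ADMIN'."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def audit(doc):
    """Return a list of findings for one inspect record; [] means it passes."""
    cfg = doc.get("Config") or {}
    hc = doc.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities and host devices (drop --privileged)")
    if not hc.get("ReadonlyRootfs"):
        findings.append("root filesystem writable (use --read-only plus --tmpfs for scratch dirs)")
    if "ALL" not in {_cap(c) for c in hc.get("CapDrop") or []}:
        findings.append("capabilities not dropped (use --cap-drop ALL, then --cap-add only what is needed)")
    bad = DANGEROUS_CAPS & {_cap(c) for c in hc.get("CapAdd") or []}
    if bad:
        findings.append("dangerous capabilities added: " + ", ".join(sorted(bad)))
    opts = hc.get("SecurityOpt") or []
    if not any(o.startswith("no-new-privileges") for o in opts):
        findings.append("setuid/file-capability escalation allowed (use --security-opt no-new-privileges)")
    if "seccomp=unconfined" in opts:
        findings.append("seccomp profile disabled")
    # Only an explicit opt-out is visible per container; whether the daemon
    # has userns-remap enabled at all must be checked in daemon.json.
    if hc.get("UsernsMode") == "host":
        findings.append("user namespace remapping opted out (--userns=host)")
    if not cfg.get("User"):
        findings.append("process runs as uid 0 inside the container (set USER in the Dockerfile)")
    ports = sorted(cfg.get("ExposedPorts") or {})
    if len(ports) != 1:
        findings.append("one service, one port: expected exactly one exposed port, found %s" % ports)
    return findings


def audit_inspect_output(text):
    """Audit the JSON array `docker inspect` prints; returns {name: findings}."""
    return {(d.get("Name") or "?").lstrip("/"): audit(d) for d in json.loads(text)}


# Constructed sample of `docker inspect` output: a legacy container and a hardened one.
SAMPLE_INSPECT_JSON = json.dumps([
    {"Name": "/legacy",
     "Config": {"User": "", "ExposedPorts": {"80/tcp": {}, "22/tcp": {}}},
     "HostConfig": {"Privileged": True, "ReadonlyRootfs": False,
                    "CapDrop": [], "CapAdd": ["SYS_ADMIN"],
                    "SecurityOpt": ["seccomp=unconfined"], "UsernsMode": "host"}},
    {"Name": "/web",
     "Config": {"User": "10001:10001", "ExposedPorts": {"8443/tcp": {}}},
     "HostConfig": {"Privileged": False, "ReadonlyRootfs": True,
                    "CapDrop": ["ALL"], "CapAdd": ["NET_BIND_SERVICE"],
                    "SecurityOpt": ["no-new-privileges:true",
                                    "seccomp=/etc/docker/web-seccomp.json"],  # assumed path
                    "UsernsMode": ""}},
])

if __name__ == "__main__":
    # Usage: docker inspect web | python audit.py   (exit status 1 blocks the pipeline)
    text = SAMPLE_INSPECT_JSON if sys.stdin.isatty() else sys.stdin.read()
    results = audit_inspect_output(text)
    for name, findings in results.items():
        print(name, "PASS" if not findings else "FAIL")
        for finding in findings:
            print("  -", finding)
    sys.exit(1 if any(results.values()) else 0)
```

Run it with the real output of `docker inspect` piped in; with no input it audits the embedded sample, where `legacy` fails on every check and `web` passes. The userns check can only see a per-container opt-out, so the daemon-level `userns-remap` setting still has to be verified separately.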
Supply chain advantage
Source: Toyota Supply Chain Management: A Strategic Approach to Toyota’s Renowned System, by Ananth Iyer and Sridhar Seshadri

                       Toyota Advantage   Toyota Prius   Chevy Volt
Unit Retail Price      61%                $24,200        $39,900
Units Sold/Month       13x                23,294         1,788
In-House Production    50%                27%            54%
Plant Suppliers        16%                125            800
Firm-Wide Suppliers    4%                 224            5,500
Toyota Production Systems - 4VL
• Variety: Determine your variety of offerings based on operational efficiency and market demand
• Velocity: Maintain a steady flow through all processes of the supply chain
• Variability: Manage inconsistencies carefully to reduce cost and improve quality
• Visibility: Ensure the transparency of all processes to enable continuous learning and improvement
Immutable Service Delivery (4VL)
• Variety: Learn faster, Limited frameworks, Limited operating systems, Limit vendors
• Velocity: Small Batch, Small Teams, Microservices and Containers
• Variability: Docker and Immutable Delivery
• Visibility: Automated Testing, Docker Trust, Docker Security Scanning, Bounded Context, Bill of Materials
• Use their highest quality parts
• Use fewer, better suppliers
• Track which parts you use & where
Visibility - Docker - Bill of Material
• Where and when was it built and why
• What were its ancestor images
• How do I start, validate, monitor and update it
• What git repo is being built, what hash of that git repo was built
• What are all the tags this specific container is known as at time of build
• What’s the project name this belongs to
• Have the ability to have arbitrary user supplied rich metadata
Software Supply Chain - 4VL
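The bill-of-material questions above map almost one to one onto image labels, which travel with the image through the registry and are readable later with `docker inspect`. The script below is an added example, not code from the talk or from Docker: it builds the label set for one build from the git and CI facts, renders them as `--label` arguments for `docker build`, and checks an image's `Config.Labels` for the keys a promotion gate should insist on. It uses the OCI image annotation keys (`org.opencontainers.image.source`, `.revision`, `.created`, `.version`, `.base.name`) where the spec has one; the `com.example.*` keys, the repository, the commit hash and the CI URL are constructed assumptions.

```python
"""Bill of materials for an image, carried as image labels.

Added example (not code from the talk or from Docker). OCI annotation
keys are used where one exists; the com.example.* keys, repo, commit
and CI URL are constructed sample values, not a real project.
"""
import re
from datetime import datetime, timezone

# Keys an image must carry before it is promoted (assumed policy of the
# hypothetical example organisation).
REQUIRED = (
    "org.opencontainers.image.source",     # what git repo was built
    "org.opencontainers.image.revision",   # what hash of that repo was built
    "org.opencontainers.image.created",    # when it was built
    "org.opencontainers.image.version",    # tags it was known as at build time
    "org.opencontainers.image.base.name",  # ancestor image
    "com.example.project",                 # hypothetical: project it belongs to
    "com.example.build.url",               # hypothetical: where and why (CI job)
)


def bom_labels(repo, commit, tags, base_image, project, build_url,
               built_at=None, extra=None):
    """Return the label dict describing one build; `extra` is free-form user metadata."""
    # A branch name or short id is not a bill of material: insist on the full hash.
    if not re.fullmatch(r"[0-9a-f]{40}", commit):
        raise ValueError("revision must be a full commit hash, not a branch or short id")
    built_at = built_at or datetime.now(timezone.utc)
    labels = {
        "org.opencontainers.image.source": repo,
        "org.opencontainers.image.revision": commit,
        "org.opencontainers.image.created": built_at.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "org.opencontainers.image.version": ",".join(tags),
        "org.opencontainers.image.base.name": base_image,
        "com.example.project": project,
        "com.example.build.url": build_url,
    }
    labels.update(extra or {})  # arbitrary user-supplied rich metadata
    return labels


def build_args(labels):
    """Render labels as `--label key=value` arguments for `docker build`."""
    args = []
    for key, value in sorted(labels.items()):
        args += ["--label", "%s=%s" % (key, value)]
    return args


def missing_bom(image_labels):
    """Required keys absent or empty in an image's Config.Labels (from `docker inspect`)."""
    image_labels = image_labels or {}
    return [key for key in REQUIRED if not image_labels.get(key)]


# Constructed sample build (all values are made up for the example).
SAMPLE_LABELS = bom_labels(
    repo="https://github.com/example/payments-api",
    commit="3f786850e387550fdab836ed7e6dc881de23001b",
    tags=["1.4.2", "latest"],
    base_image="alpine:3.4",
    project="payments",
    build_url="https://ci.example.internal/job/payments-api/17",
    built_at=datetime(2016, 10, 6, 9, 30, tzinfo=timezone.utc),
    extra={"com.example.risk.class": "high"},
)

if __name__ == "__main__":
    # Pass build_args(...) to subprocess, not a shell, so label values need no quoting.
    print("docker build", " ".join(build_args(SAMPLE_LABELS)), "-t payments-api:1.4.2 .")
    print("missing:", missing_bom({"org.opencontainers.image.source": "only-this"}))
```

In CI the label values come from the job environment (`git rev-parse HEAD`, the job URL) rather than constants, and the promotion step runs `missing_bom` over `docker inspect --format '{{json .Config.Labels}}' image` and refuses anything that returns a non-empty list.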
DevSecOps (pipeline figure)
Stages: Requirements & Design → Development → CI → Interval Trigger → Assessment → Production
Rows: Preventative / Detective
Activities shown:
• Application Risk Classification
• Security Requirement Definition
• Lightweight threat modeling approach
• Threat modeling
• Secure Libraries
• Static Analysis/IDE
• SCM
• Secure Coding Standards
• Open Source Governance (CI)
• Static Analysis (CI)
• Container Security Compliance (CI)
• Perimeter Assessment
• Dynamic Assessments
• Threat-Based Pen Test
• Detailed manual assessments triggered automatically at appropriate interval; detached from release cycle
• Web Application Firewalls
• Automated Attack/Bot Defense
• Container Security Management
• Continuous Monitoring, Analytics and KPI Gathering
• Security Mavens (Security-Trained Developers and Operations)
• Role Based Software Security Training
Immutable Service Delivery - Fortune 500 Insurance Company
• Tracks critical and high security defect rate per 10k lines of code
• Started out with 10/10k
• After applying Devops practices and principles: 4/10k
• After applying Toyota Supply Chain 4VL: 1/10k
• After Docker with Immutable Delivery: 0.1/10k
With Docker - Fortune 500 Insurance Company
• One Service
• One Container
• One Read Only File System
• One Port