The Path of DevOps Enlightenment for InfoSec
Transcript of The Path of DevOps Enlightenment for InfoSec
DevOps Days Kansas City @WICKETT
THE PATH OF DEVOPS ENLIGHTENMENT FOR INFOSEC
JAMES WICKETT
SIGNAL SCIENCES
‣ HEAD OF RESEARCH AT SIGNAL SCIENCES
‣ ORGANIZER OF DEVOPS DAYS AUSTIN
‣ LYNDA.COM AUTHOR ON DEVOPS
‣ BLOG AT THEAGILEADMIN.COM
@WICKETT
‣ WHY DO WE HAVE DEVOPS?
‣ DID WE BUILD DEVOPS PROPERLY?
‣ IS THE DEVOPS CULTURE LOST?
‣ CAN WE GET IT BACK?
‣ CAN WE PROTECT DEVOPS FROM FURTHER DISTORTION?
QUESTIONS ON MY MIND
My Journey
‣ WEB AND ECOMM FOR $1B COMPANY
‣ BRUTAL ONCALL ROTATIONS
‣ +24HR DEPLOYMENTS
‣ WATERFALL, WATERFALL, WATERFALL
‣ FRIENDS ARE BORN FROM ADVERSITY
FIRST BIGCO JOB
‣ IN 2007 WENT STARTUP AND AWS CLOUD
‣ LEARNED A BIT ABOUT FAILURE AND HAPPINESS
‣ REJOINED OLD TEAM IN 2010 FOR NEW CLOUD VENTURE BACK IN BIGCO
CLOUDING FOR PROFIT
‣ DEVOPS AND INFRA AS CODE
‣ NOT CD, BUT DEPLOYS DAILY
‣ AT BIGCO DELIVERED 4 SAAS PRODUCTS IN 2 YEARS WITH DEVOPS AND CLOUD
ENTER DEVOPS
‣ FOUND RUGGED SOFTWARE
‣ MET GENE KIM IN 2012 IN A BAR IN AUSTIN
‣ CREATED GAUNTLT
‣ LATER, JOINED SIGNAL SCIENCES
DEVOPS AND SECURITY
DevOps is Friendship
Compassion for Ops
10:1
Dev:Ops
Labor Inequity Permeates IT Ranks
100:10:1
Dev:Ops:Sec
Yet, I remained optimistic for DevOps+Security
ENTER DOUBTS
‣ DEVOPS ON A BUS AT RSA
‣ EXPO FLOOR AT DOCKER CON AND THE DEVOPS TOOLCHAIN
TWO EVENTS
HAD WE ALLOWED DEVOPS TO BE A NEW GIMMICK OR SLOGAN?
WHAT HAD DEVOPS BECOME?
‣ WHY DO WE HAVE DEVOPS?
‣ DID WE BUILD DEVOPS PROPERLY?
‣ IS THE DEVOPS CULTURE LOST?
‣ CAN WE GET IT BACK?
‣ CAN WE PROTECT DEVOPS FROM FURTHER DISTORTION?
QUESTIONING DEVOPS
OUR ROOTS: FRIENDSHIP
There is irony in my story…
‣ TEACH THREE DEVOPS CLASSES IN THE DEVOPS FOUNDATIONS SERIES AT LYNDA / LINKEDIN LEARNING
‣ WRITE DEVOPS AND SECURITY ARTICLES AS PART OF MY ROLE AT SIGNAL SCIENCES
Back to Our Roots
CULTURE IS THE MOST IMPORTANT ASPECT TO DEVOPS
SUCCEEDING IN THE ENTERPRISE
- PATRICK DEBOIS
‣ MUTUAL UNDERSTANDING
‣ SHARED LANGUAGE
‣ SHARED VIEWS
‣ COLLABORATIVE TOOLING
4 KEYS TO CULTURE
FRIENDSHIP
Make a friend at DevOps Days KC
Security is in Crisis
Companies are spending a great deal on security, but we read of massive computer-related attacks. Clearly something is wrong.
The root of the problem is twofold: we’re protecting the wrong things,
and we’re hurting productivity in the process.
THINKING SECURITY, STEVEN M. BELLOVIN 2015
[Security by risk assessment] introduces a dangerous fallacy: that structured inadequacy is almost as
good as adequacy and that underfunded security efforts plus risk
management are about as good as properly funded security work
Security is often the cultural outlier in an
organization
many security teams work with a worldview where their goal is to inhibit change as much as possible
“SECURITY PREFERS A SYSTEM POWERED OFF AND UNPLUGGED”
- DEVELOPER
“…THOSE STUPID DEVELOPERS”
- SECURITY PERSON
It is 30 times cheaper to fix security defects in dev
vs. Prod
NIST, 2002, The Economic Impacts of Inadequate Infra for Software Testing
Security must Change or Die
“every aspect of managing WAFs is an ongoing process. This is the antithesis of set it and forget it technology. That is the real point of this research. To maximize value from your WAF you need to go in with everyone’s eyes open to the effort required
to get and keep the WAF running productively.”
- WHITEPAPER FROM AN UNDISCLOSED WAF VENDOR
Bottleneck Approach
THE AVERAGE TIME TO DELIVER CORPORATE IT PROJECTS HAS INCREASED FROM ~8.5 MONTHS TO OVER 10
MONTHS IN THE LAST 5 YEARS
Revving up your Corporate RPMs, Fortune Magazine, Feb 1, 2016
THE GROWTH OF [SECURITY] FUNCTIONS WHICH IS TOO OFTEN POORLY COORDINATED… [RESULTING IN] A PROLIFERATION OF NEW TASKS IN THE AREAS OF COMPLIANCE, PRIVACY AND DATA PROTECTION.
Many security professionals have a hard time adapting their existing practices to a world where requirements can change every few weeks, or where they are never written down at all.
DevOps: A New Traveling Companion for Security (…and probably the only way to survive)
High performers spend 50 percent less time remediating security issues than low performers. By better integrating information security objectives into daily work, teams achieve higher levels of IT performance and build more secure systems.
2016 State of DevOps Report
High performing orgs achieve quality by incorporating
security (and security teams) into the delivery process
2016 State of DevOps Report
http://www.youtube.com/watch?v=jQblKuMuS0Y
The New Path
OLD PATH VS. NEW PATH
OLD PATH           | NEW PATH
Embrace Secrecy    | Create Feedback Loops
Just Pass Audit!   | Compliance adds Value
Enforce Stability  | Create Chaos
Build a Wall       | Zero Trust Networks
Slow Validation    | Fast and Non-blocking
Certainty Testing  | Adversity Testing
Test when Done     | Shift Left
Process Driven     | The Paved Road
A security team who embraces openness about what it does and
why, spreads understanding. - Rich Smith
Runtime is arguably the most important place to
create feedback loops
‣ ACCOUNT TAKEOVER ATTEMPTS
‣ AREAS OF THE SITE UNDER ATTACK
‣ MOST LIKELY VECTORS OF ATTACK
‣ BUSINESS LOGIC FLOWS
DETECT WHAT MATTERS
Are you under attack?
Where?
Options: RASP, NGWAF or Web Protection Platform
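As an added example (not code from the talk, from Signal Sciences, or from any of the products named above), here is a small detector that answers "Are you under attack? Where?" for the DETECT WHAT MATTERS list: it reads a slice of login and request events and reports accounts being hit from many addresses, addresses working through many accounts, and the paths where error responses cluster. The JSON log format, the thresholds and the sample values are all assumptions constructed for the example.

```python
import json
from collections import Counter, defaultdict

# Constructed sample (not from the talk): one JSON event per line, as an app or edge proxy might log.
SAMPLE_LOG = """\
{"ip":"203.0.113.10","user":"alice","path":"/login","status":401}
{"ip":"203.0.113.11","user":"alice","path":"/login","status":401}
{"ip":"203.0.113.12","user":"alice","path":"/login","status":401}
{"ip":"198.51.100.7","user":"bob","path":"/login","status":401}
{"ip":"198.51.100.7","user":"carol","path":"/login","status":401}
{"ip":"198.51.100.7","user":"dave","path":"/login","status":401}
{"ip":"192.0.2.5","user":"frank","path":"/login","status":200}
{"ip":"203.0.113.20","user":null,"path":"/api/search","status":500}
{"ip":"203.0.113.20","user":null,"path":"/api/search","status":500}
{"ip":"203.0.113.21","user":null,"path":"/api/search","status":500}
{"ip":"192.0.2.9","user":null,"path":"/","status":200}
"""

LOGIN_PATH = "/login"
MIN_DISTINCT = 3   # distinct IPs per account, or accounts per IP, before we report (assumed threshold)
MIN_ERRORS = 3     # error responses on one path before we report it (assumed threshold)

def analyze(log_text):
    """Answer 'are we under attack, and where?' for one slice of log events."""
    ips_per_account = defaultdict(set)   # who is being targeted
    accounts_per_ip = defaultdict(set)   # who is doing the targeting
    errors_per_path = Counter()          # which areas of the site are taking hits
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["status"] >= 400:
            errors_per_path[ev["path"]] += 1
        if ev["path"] == LOGIN_PATH and ev["status"] == 401:
            ips_per_account[ev["user"]].add(ev["ip"])
            accounts_per_ip[ev["ip"]].add(ev["user"])
    return {
        # one account failing from many IPs: account takeover / credential stuffing
        "targeted_accounts": sorted(a for a, ips in ips_per_account.items()
                                    if len(ips) >= MIN_DISTINCT),
        # one IP failing across many accounts: password spraying
        "spraying_ips": sorted(ip for ip, accts in accounts_per_ip.items()
                               if len(accts) >= MIN_DISTINCT),
        # where the error responses concentrate: the areas of the site under attack
        "paths_under_attack": {p: n for p, n in errors_per_path.items() if n >= MIN_ERRORS},
    }
```

In production the same counters would be kept per time window and fed back to the team that owns the endpoint, which is the feedback loop the slide is asking for.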
‣ POLICIES AND PROCEDURES IN PLACE
‣ EFFECTIVE EXECUTION OF THOSE POLICIES TO ALLOW YOU TO KEEP FUNCTIONING
‣ MOST OF PCI AND OTHER FRAMEWORKS PROVIDE REASONABLY GOOD PRACTICES *IF* YOU REMOVE ALL THE WATERFALL BITS
UNDERSTAND AUDITORS
[Deploys] can be treated as standard or routine changes that have been pre-approved by management, and that don’t require a heavyweight change review meeting.
Separation of Duties Considered Harmful
Developers with Access to Production, Oh My!!!
https://www.schellmanco.com/blog/2012/12/auditing-devops-developers-with-access-to-production/
Check out DevOps Audit Defense Toolkit
https://cdn2.hubspot.net/hubfs/228391/Corporate/DevOps_Audit_Defense_Toolkit_v1.0.pdf
‣ ADD IN CHAOS TO YOUR SYSTEM AND APPLICATION
‣ CHAOS MONKEY
‣ ANTI-FRAGILE
‣ RELEASE IT! BOOK
CHAOS ENGINEERING
‣ ADDS MISCONFIG TO THE STACK AND CHECKS TO SEE IF IT GETS DETECTED
‣ NEW OPEN SOURCE TOOL!
‣ RUNS AS A LAMBDA
CHAOS SLINGR
‣ I AM BEING PEN TESTED ANYWAY, WHY NOT FIND OUT WHAT THEY ARE FINDING?
‣ 24/7 PEN TESTING
‣ BUILDS DEVELOPER CONFIDENCE
‣ FINDS MIX OF LOW HANGING FRUIT AND SOMETIMES MUCH MORE!
BUG BOUNTIES
‣ NO PERIMETER SECURITY
‣ ASSUME COMPROMISE
‣ INSTRUMENT ALL LAYERS
‣ EXTENDS FROM LAPTOPS TO WEB APPS TO CUSTOMER ACCOUNTS
ZERO TRUST NETWORKS
‣ DON’T SLOW DELIVERY
‣ CONTINUOUS TESTING AND VALIDATION
‣ TESTING ON THE SIDE OF THE PIPELINE
‣ PENETRATION TESTING OUTSIDE OF DELIVERY
FAST AND NON-BLOCKING
Currently, at Signal Sciences we do about 15
deploys per day
Roughly 10,000 deploys in the last 2.5 yrs
CD is how little you can deploy at a time
We optimized for cycle time—the time from code
commit to production
Gave power to the team to deploy
Signal Sciences is a software as a service
company and a security company
Security is part of CI/CD and the overall delivery
pipeline
‣ DESIGN
‣ INHERIT
‣ BUILD
‣ DEPLOY
‣ OPERATE
PIPELINE PHASES
‣ INHERIT: What have I bundled into my app that leaves me vulnerable?
‣ BUILD: Do my build acceptance tests and integration tests catch security issues before release?
‣ OPERATE: Am I being attacked right now? Is it working?
SECURITY CONSIDERATIONS
Be Mean to Your Code
The goal should be to come up with a set of automated tests that probe and check security configurations and runtime system behavior for security features that will execute every time the system is built and every time it is deployed.
Security tools are intractably noisy and
difficult to use
A method of collaboration was needed for devs, ops
and security eng.
There needed to be a new language to span the
parties
Started Gauntlt 4 years ago
Open source, MIT License
Gauntlt comes with pre-canned steps that hook security testing tools
Gauntlt does not install tools
Gauntlt wants to be part of the CI/CD pipeline
Be a good citizen of exit status and stdout/stderr
$ gem install gauntlt
# download example attacks from github
# customize the example attacks
# now you can run gauntlt
$ gauntlt
@slow @final
Feature: Look for cross site scripting (xss) using arachni against a URL

  Scenario: Using arachni, look for cross site scripting and verify no issues are found
    Given "arachni" is installed
    And the following profile:
      | name | value                 |
      | url  | http://localhost:8008 |
    When I launch an "arachni" attack with:
      """
      arachni --check=xss* <url>
      """
    Then the output should contain "0 issues were detected."
Given
When
Then
What?
“We have saved millions of dollars using Gauntlt for the largest healthcare industry
project.”
- Aaron Rinehart, UnitedHealthCare
‣ 8 LABS FOR GAUNTLT
‣ HOW TO USE GAUNTLT FOR NETWORK CHECKS
‣ GAUNTLT FOR XSS, SQLI, OTHER APSES
‣ HANDLING REPORTING
‣ USING ENV VARS
‣ CI SYSTEM SETUP
WORKSHOP INCLUDES:
github.com/gauntlt/gauntlt-demo
github.com/gauntlt/gauntlt-starter-kit
SOURCE: THE THREE WAYS OF DEVOPS, GENE KIM
Most teams use Gauntlt in Docker containers
https://github.com/gauntlt/gauntlt-docker
Red Team Mondays at Intuit
OVER 30% OF OFFICIAL IMAGES IN DOCKER HUB CONTAIN HIGH PRIORITY SECURITY VULNERABILITIES
https://banyanops.com/blog/analyzing-docker-hub/
‣ MAKE IT EASY FOR PEOPLE TO DO THE RIGHT THING
‣ JASON CHAN, NETFLIX
‣ GOLD IMAGES
‣ BLESSED BUILDS AND DEPENDENCIES
THE PAVED ROAD
Don’t be a blocker, be an enabler of the business