Page 1
A DevOps State of Mind: Continuous Security with DevSecOps + Containers
Chris Van Tuin, Chief Technologist, NA West / Silicon Valley
Page 2
SECURITY BREACH: BILLION DATA RECORDS
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Page 3
WHAT IS THE GREATEST SECURITY RISK?
36% - Employees not taking proper security measures
32% - Outside breach
14% - Unpatched or unpatchable
11% - Internal attack by an employee
4% - Shadow IT
3% - Bring your own device/mobile
(% of respondents)
Source: Techvalidate/Red Hat
Page 4
“Only the paranoid survive” - Andy Grove, 1996
Page 5
SECURITY MUST EVOLVE & KEEP UP
Page 6
HYBRID CLOUD ENVIRONMENTS
ANY COMBINATION, WHETHER TRADITIONAL OR CONTAINERIZED
LEGACY APPS (1,000+)
BARE METAL | VIRTUAL | PRIVATE CLOUD | PUBLIC CLOUD
PRODUCTION | DEV/TEST
Page 7
DISTRIBUTED APPLICATIONS
ON-PREMISE: BARE METAL | VIRTUAL | PRIVATE CLOUD
OFF-PREMISE: PUBLIC CLOUD
DATA | DATA
Page 8
SECURITY IS AN AFTERTHOUGHT
DEV | QA | OPS | SECURITY
“Patch? The servers are behind the firewall.”
- Anonymous (far too many to name), 2005 - …
Page 9
DEVSECOPS: End to End Security
DEV + QA + OPS
Culture | Process | Technology
Linux + Containers | IaaS | Orchestration | CI/CD | Source Control Management | Collaboration | Build and Artifact Management | Testing | Frameworks | Open Source
Page 10
DEVSECOPS: Continuous Security
Continuous Security Improvement | Process Optimization | Security Automation
Dev | QA | Prod
Reduce Risks, Lower Costs, Speed Delivery, Speed Reaction
Page 11
CONTAINERS
Page 12
APPLICATION PORTABILITY WITH CONTAINERS
Container (Application, OS dependencies) runs unchanged on each stack:
LAPTOP: Container | Guest VM | LINUX
BARE METAL: Container | LINUX
VIRTUALIZATION: Container | Virtual Machine | LINUX
PRIVATE CLOUD: Container | Virtual Machine | LINUX
PUBLIC CLOUD: Container | Virtual Machine | LINUX
Page 13
CONTAINERS AT SCALE
Page 14
MORE THAN CONTAINERS…
Scheduling | Monitoring | Persistence | Discovery | Lifecycle & health | Scaling | Aggregation | Security
Page 15
BARE METAL VIRTUAL PRIVATE CLOUD PUBLIC CLOUD
Page 16
DEVSECOPS: End to End Security
DEV + QA + OPS + SECURITY
Page 17
ORCHESTRATION: Deployment, Declarative
Web: replicas=2, role=web
Database: replicas=1, role=db
Controller Manager & Data Store (etcd)
Nodes
Page 18
ORCHESTRATION: Schedule + Provision Pods (Compute/Storage/Network)
Web: replicas=2, role=web (ReplicaSet)
Image Registry
Pods: role=web | role=web
Nodes
Page 19
ORCHESTRATION: Schedule + Provision Pods (Compute/Storage/Network)
Web: replicas=2, role=web (ReplicaSet)
Database: replicas=1, role=db (StatefulSet)
Image Registry
Pods: role=web | role=db | role=web
Nodes
Page 20
ORCHESTRATION: Service (Load Balancer)
Web: replicas=2, role=web
Database: replicas=1, role=db
Services
Pods: role=web | role=db | role=web
Nodes
Controller Manager & Data Store (etcd)
Page 21
HEALTH CHECK
Monitoring & Logging
Web: replicas=2, role=web
Database: replicas=1, role=db
Services
Pods: role=web | role=db | role=web
Nodes
Page 22
HEALTH CHECK
Web: replicas=2, role=web
Database: replicas=1, role=db
Services
Pods: role=web | role=db | role=web | role=web
Nodes
Controller Manager & Data Store (etcd)
Page 23
HEALTH CHECK
Web: replicas=2, role=web
Database: replicas=1, role=db
Services
Pods: role=web | role=db | role=web
Nodes
Controller Manager & Data Store (etcd)
Page 24
AUTO-SCALE
Monitoring & Logging: 80% CPU
Web: replicas=2, role=web
Database: replicas=1, role=db
Services
Pods: role=web | role=db | role=web
Nodes
Page 25
AUTO-SCALE
80% CPU
Web: replicas=3, role=web
Database: replicas=1, role=db
Services
Pods: role=web | role=db | role=web | role=web
Nodes
Controller Manager & Data Store (etcd)
Page 26
AUTO-SCALE
50% CPU
Web: replicas=3, role=web
Database: replicas=1, role=db
Services
Pods: role=web | role=db | role=web | role=web
Nodes
Controller Manager & Data Store (etcd)
Page 27
CONTAINER SECURITY
Page 28
SECURING CONTAINERS
Network isolation | Storage | API & Platform access | Monitoring & Logging | Federated clusters | Registry | Container host | CI/CD | Images | Builds
Page 29
CONTAINER BUILDS
Page 30
CONTENT: EACH LAYER MATTERS
● Are there known vulnerabilities in the application layer?
● Are the runtime and OS layers up to date?
● How frequently will the container be updated and how will I know when it’s updated?
Layers: APPLICATION | RUNTIME | OS | CONTAINER
JAR | CONTAINER
Page 31
CONTAINER BUILDS
Build → Ship → Run
Build file:
```dockerfile
FROM fedora:1.0
CMD echo "Hello"
```
Build → Image → Registry (docker.io Registry, Private Registry) → Ship → Container → Run (Physical, Virtual, Cloud)
Page 32
CONTAINER BUILDS
Build file:
```dockerfile
FROM fedora:1.0
CMD echo "Hello"
```
Best Practices
• Treat the build file as a blueprint
• Specify a user; if none is specified the container runs as root
• Don’t log in to the container to build or configure it
• Keep the build file under version control
• Be explicit with versions, not latest
• Each RUN creates a new layer
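The build-file practices above can be checked mechanically before an image is built. The following linter is an added example (not from the slides): it parses a constructed Dockerfile and flags a missing non-root USER, base images that are untagged or tagged latest, and the number of RUN layers in the final stage.

```python
"""
Added example (not from the slides): a small linter that checks a
Dockerfile against the build-file best practices listed above:
a USER instruction (otherwise the container runs as root), explicit
base-image tags instead of 'latest' or no tag at all, and the number
of RUN layers. The sample Dockerfile below is constructed for
illustration and deliberately violates several of the practices.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_DOCKERFILE = """\
# build stage
FROM golang AS build
RUN go build -o /app ./...

# runtime stage
FROM fedora:latest
COPY --from=build /app /usr/local/bin/app
RUN dnf -y install curl && \\
    dnf clean all
RUN mkdir -p /var/app
CMD ["/usr/local/bin/app"]
"""


@dataclass
class Report:
    findings: List[str] = field(default_factory=list)
    run_layers: int = 0                 # RUN instructions in the final stage
    user: Optional[str] = None          # USER in effect at the end of the final stage
    base_images: List[str] = field(default_factory=list)


def parse_instructions(text):
    """Yield (INSTRUCTION, argument) pairs, joining backslash line
    continuations and skipping comments and blank lines."""
    logical_lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical_lines.append(buf + line)
        buf = ""
    if buf:
        logical_lines.append(buf)
    for line in logical_lines:
        inst, _, arg = line.partition(" ")
        yield inst.upper(), arg.strip()


def base_image_is_pinned(ref):
    """True when the image reference carries an explicit, non-latest tag
    or a digest. Registry hosts with ports (host:5000/img) are handled by
    looking only at the last path segment."""
    if "@sha256:" in ref:
        return True
    last = ref.rsplit("/", 1)[-1]
    if ":" not in last:
        return False                    # no tag at all means implicit latest
    return last.split(":", 1)[1].lower() != "latest"


def lint_dockerfile(text):
    rep = Report()
    for inst, arg in parse_instructions(text):
        if inst == "FROM":
            image = re.split(r"\s+AS\s+", arg, flags=re.IGNORECASE)[0]
            rep.base_images.append(image)
            rep.user, rep.run_layers = None, 0   # a new stage starts fresh
            if not base_image_is_pinned(image):
                rep.findings.append(f"FROM {image}: pin an explicit version, not latest")
        elif inst == "USER":
            rep.user = arg
        elif inst == "RUN":
            rep.run_layers += 1
    # Only the final stage ships, so only its USER and layers are reported.
    if rep.user is None or rep.user in ("root", "0"):
        rep.findings.append("no non-root USER in final stage: container runs as root")
    if rep.run_layers > 1:
        rep.findings.append(f"{rep.run_layers} RUN instructions in final stage: "
                            "each RUN adds a layer; consider combining them")
    return rep


if __name__ == "__main__":
    for finding in lint_dockerfile(SAMPLE_DOCKERFILE).findings:
        print("-", finding)
```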
Page 33
A CONVERGED SOFTWARE SUPPLY CHAIN
Page 34
CONTAINER IMAGE SECURITY
Page 35
WHAT’S INSIDE THE CONTAINER MATTERS
64% of official images in Docker Hub contain high priority security vulnerabilities
Examples: ShellShock (bash), Heartbleed (OpenSSL), Poodle (OpenSSL)
Source: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities, Jayanth Gummaraju, Tarun Desikan, and Yoshio Turner, BanyanOps, May 2015 (http://www.banyanops.com/pdf/BanyanOps-AnalyzingDockerHub-WhitePaper.pdf)
Page 36
SECURITY IMPLICATIONS What’s inside matters…
Page 37
TREAT CONTAINERS AS IMMUTABLE
code: Container image
config: Kubernetes configmaps, secrets
data: Traditional data services, Kubernetes persistent volumes
Page 38
CONTAINER REGISTRY SECURITY
Page 39
PRIVATE REGISTRY
Page 40
IMAGE SIGNING: Validate what images and versions are running
Page 41
CONTINUOUS INTEGRATION WITH CONTAINERS
Page 42
CONTINUOUS INTEGRATION + SECURITY
Page 43
CONTINUOUS INTEGRATION WITH SECURITY SCAN
Security
Page 44
CONTINUOUS DELIVERY WITH CONTAINERS
Page 45
CONTINUOUS DELIVERY WITH CONTAINERS
Page 46
CONTINUOUS DELIVERY + SECURITY
Page 47
CONTINUOUS DELIVERY: DEPLOYMENT STRATEGIES
Page 48
CONTINUOUS DELIVERY DEPLOYMENT STRATEGIES
• Recreate
• Rolling updates
• Blue / Green deployment
Page 49
Recreate
Page 50
RECREATE WITH DOWNTIME
Running: Version 1 | Version 1 | Version 1
Version 1.2 → Tests / CI
Page 51
RECREATE WITH DOWNTIME
Running: Version 1 | Version 1 | Version 1
Version 1.2 → Tests / CI
Page 52
RECREATE WITH DOWNTIME
Running: Version 1.2 | Version 1.2 | Version 1.2
Use Case
• Non-mission critical services
Cons
• Downtime
Pros
• Simple, clean
• No schema incompatibilities
• No API versioning
Page 53
Rolling Updates
Page 54
ROLLING UPDATES WITH ZERO DOWNTIME
Running: Version 1 | Version 1 | Version 1
Version 1.2 → Tests / CI
Page 55
Deploy new version and wait until it’s ready…
Running: Version 1 | Version 1 | V1 → V1.2
Health Check: readiness probe (e.g. tcp, http, script)
Page 56
Each container/pod is updated one by one
Running: Version 1 | V1 → V1.2 | Version 1.2
50%
Page 57
Each container/pod is updated one by one
Running: Version 1.2 | Version 1.2 | Version 1.2
100%
Use Case
• Horizontally scaled
• Backward compatible API/data
• Microservices
Cons
• Require backward compatible APIs/data
• Resource overhead
Pros
• Zero downtime
• Reduced risk, gradual rollout w/health checks
• Ready for rollback
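The rolling-update behaviour described on the preceding slides (replace one pod at a time, gate each step on a readiness probe, roll back when a new pod never becomes ready) as an added simulation, not code from the slides or from any orchestrator. The pod names, the probe functions and the cluster of three pods are all constructed for the example.

```python
"""
Added example (not from the slides): a simulation of the rolling-update
strategy described above. Pods are replaced one at a time, each new pod
must pass its readiness probe before the next one is touched, and if a
new pod never becomes ready the pods already updated are rolled back to
the previous version. The readiness probes are constructed stand-ins
for the tcp/http/script probes an orchestrator would run.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Pod:
    name: str
    version: str
    ready: bool = False


class RollingUpdate:
    def __init__(self, pods: List[Pod], probe: Callable[[Pod], bool], attempts: int = 3):
        self.pods = pods
        self.probe = probe            # readiness probe: True when the pod can serve
        self.attempts = attempts      # probe polls before giving up on a pod
        self.log: List[str] = []
        self.min_serving = len(pods)  # lowest number of ready pods seen during a rollout

    def _wait_ready(self, pod: Pod) -> bool:
        """Poll the readiness probe a bounded number of times."""
        for _ in range(self.attempts):
            if self.probe(pod):
                pod.ready = True
                return True
        pod.ready = False
        return False

    def _replace(self, index: int, version: str) -> Pod:
        """Tear down the pod at `index` and start a new one running `version`."""
        new = Pod(self.pods[index].name, version)
        self.pods[index] = new
        # The replacement is not serving until its probe passes; record the dip.
        self.min_serving = min(self.min_serving, sum(p.ready for p in self.pods))
        return new

    def rollout(self, new_version: str) -> bool:
        """Update pods one by one; on a failed readiness check, roll back."""
        old_version = self.pods[0].version
        updated: List[int] = []
        for i in range(len(self.pods)):
            new = self._replace(i, new_version)
            if not self._wait_ready(new):
                self.log.append(f"{new.name}: {new_version} failed readiness, rolling back")
                for j in updated + [i]:
                    self._replace(j, old_version)
                    self._wait_ready(self.pods[j])
                return False
            updated.append(i)
            serving = sum(p.ready for p in self.pods)
            self.log.append(f"{new.name}: {new_version} ready ({serving}/{len(self.pods)} serving)")
        return True


def versions(pods: List[Pod]) -> List[str]:
    return [p.version for p in pods]


def make_cluster(n: int = 3, version: str = "1") -> List[Pod]:
    """Constructed starting state: n ready pods running `version`."""
    return [Pod(f"web-{i}", version, ready=True) for i in range(n)]


# Constructed readiness probes: a healthy build always passes; a broken 1.2 build never does.
def probe_healthy(pod: Pod) -> bool:
    return True


def probe_v12_broken(pod: Pod) -> bool:
    return pod.version != "1.2"


if __name__ == "__main__":
    ok = RollingUpdate(make_cluster(), probe_healthy)
    print(ok.rollout("1.2"), versions(ok.pods), "min serving:", ok.min_serving)
    bad = RollingUpdate(make_cluster(), probe_v12_broken)
    print(bad.rollout("1.2"), versions(bad.pods))
    print("\n".join(bad.log))
```

With three pods the healthy rollout never drops below two serving pods, which is the zero-downtime property; the broken build is caught by the first probe and the cluster ends where it started.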
Page 58
Blue / Green Deployment
Page 59
BLUE / GREEN DEPLOYMENT
Route → BLUE (Version 1)
Page 60
BLUE / GREEN DEPLOYMENT
BLUE: Version 1 | GREEN: Version 1.2
Page 61
BLUE / GREEN DEPLOYMENT
BLUE: Version 1 | GREEN: Version 1.2 → Tests / CI
Page 62
BLUE / GREEN DEPLOYMENT
Route → GREEN (Version 1.2)
BLUE: Version 1 | GREEN: Version 1.2
Page 63
BLUE / GREEN DEPLOYMENT
Rollback: Route → BLUE (Version 1)
BLUE: Version 1 | GREEN: Version 1.2
Use Case
• Self-contained micro services (data)
Cons
• Resource overhead
• Data synchronization
Pros
• Low risk, never change production
• No downtime
• Production like testing
• Rollback
Page 64
RAPID INNOVATION & EXPERIMENTATION
Page 65
MICROSERVICES: RAPID INNOVATION & EXPERIMENTATION
“only about 1/3 of ideas improve the metrics they were designed to improve.”
Ronny Kohavi, Microsoft (Amazon)
Page 66
CONTINUOUS FEEDBACK LOOP
Page 67
A/B TESTING USING CANARY DEPLOYMENTS
Page 68
CANARY DEPLOYMENTS
Route → 100% Version 1 (25% Conversion Rate)
Version 1.2 → Tests / CI (Conversion Rate ?!)
Page 69
CANARY DEPLOYMENTS
Route → 50% Version 1 (25% Conversion Rate) | 50% Version 1.2 (30% Conversion Rate)
Page 70
CANARY DEPLOYMENTS
Route → 100% Version 1.2 (30% Conversion Rate)
Version 1 (25% Conversion Rate)
Page 71
CANARY DEPLOYMENTS
Rollback: Route → 100% Version 1 (25% Conversion Rate)
Version 1.2 (20% Conversion Rate)
Page 72
CONTAINER HOST SECURITY
Page 73
CONTAINERS ARE LINUX
Hardware (Intel, AMD) or Virtual Machine
Kernel: Drivers | Cgroups | Namespaces | SELinux | seccomp | Read Only mounts
SYSTEMD (Unit File) | Container CLI (Docker Image)
Containers | Containers | Containers
Page 74
CGROUPS - RESOURCE ISOLATION
Page 75
NAMESPACES - PROCESS ISOLATION
![Page 76: A DevOps State of Mind: Continuous Security with DevSecOps ... · A DevOps State of Mind: Continuous Security with DevSecOps + Containers ... CI/CD Source Control Management Collaboration](https://reader036.vdocuments.net/reader036/viewer/2022062414/5ec6dc95df99ba07f6112c14/html5/thumbnails/76.jpg)
SELINUX - MANDATORY ACCESS CONTROLS
(diagram, two panels: Discretionary Access Controls (file permissions) vs Mandatory Access Controls (SELinux policy); elements: Web Server, Attacker, Password Files, Firewall Rules, Internal Network)
![Page 77: A DevOps State of Mind: Continuous Security with DevSecOps ... · A DevOps State of Mind: Continuous Security with DevSecOps + Containers ... CI/CD Source Control Management Collaboration](https://reader036.vdocuments.net/reader036/viewer/2022062414/5ec6dc95df99ba07f6112c14/html5/thumbnails/77.jpg)
SECCOMP - DROPPING PRIVILEGES
![Page 78: A DevOps State of Mind: Continuous Security with DevSecOps ... · A DevOps State of Mind: Continuous Security with DevSecOps + Containers ... CI/CD Source Control Management Collaboration](https://reader036.vdocuments.net/reader036/viewer/2022062414/5ec6dc95df99ba07f6112c14/html5/thumbnails/78.jpg)
READ ONLY MOUNTS
![Page 79: A DevOps State of Mind: Continuous Security with DevSecOps ... · A DevOps State of Mind: Continuous Security with DevSecOps + Containers ... CI/CD Source Control Management Collaboration](https://reader036.vdocuments.net/reader036/viewer/2022062414/5ec6dc95df99ba07f6112c14/html5/thumbnails/79.jpg)
Best Practices
• Don’t run as root
• Limit SSH Access
• Use namespaces
• Define resource quotas
• Enable logging
• Apply Security Errata
• Apply Security Context and seccomp filters
http://blog.kubernetes.io/2016/08/security-best-practices-kubernetes-deployment.html
CONTAINER HOST SECURITY
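The container-level items in the best-practices list (no root, resource quotas, security context, seccomp, read-only mounts) as a Kubernetes manifest; this is an added example, not from the deck, and the pod name, image reference and numeric limits are placeholders. SSH limits, logging and errata are host-level and are not expressed here.

```yaml
# Added example (not from the deck): a Pod that applies the slide's container
# hardening points natively in Kubernetes, plus a namespace ResourceQuota.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-web
  namespace: project-a
spec:
  securityContext:
    runAsNonRoot: true           # "Don't run as root": kubelet refuses to start a UID 0 container
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault       # "seccomp filters": the runtime's default syscall allowlist
  containers:
  - name: web
    image: registry.example.com/web:1.2   # placeholder image reference
    securityContext:
      allowPrivilegeEscalation: false     # no setuid / file-capability gains after exec
      readOnlyRootFilesystem: true        # "Read Only mounts": image layers stay immutable
      capabilities:
        drop: ["ALL"]                     # start from zero Linux capabilities
    resources:                            # cgroups: per-container CPU/memory ceilings
      requests:
        cpu: "100m"
        memory: "128Mi"
      limits:
        cpu: "500m"
        memory: "256Mi"
    volumeMounts:
    - name: tmp
      mountPath: /tmp                     # the only writable path, backed by an emptyDir
  volumes:
  - name: tmp
    emptyDir: {}
---
# "Define resource quotas": a namespace-wide ceiling so one tenant cannot starve others.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: project-a-quota
  namespace: project-a
spec:
  hard:
    pods: "20"
    requests.cpu: "4"
    requests.memory: "8Gi"
    limits.cpu: "8"
    limits.memory: "16Gi"
```

With readOnlyRootFilesystem set, any path the application writes to must be an explicit volume mount such as the /tmp emptyDir above, so a container that unexpectedly fails to start is a quick signal of a write the image did not declare.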
![Page 80: A DevOps State of Mind: Continuous Security with DevSecOps ... · A DevOps State of Mind: Continuous Security with DevSecOps + Containers ... CI/CD Source Control Management Collaboration](https://reader036.vdocuments.net/reader036/viewer/2022062414/5ec6dc95df99ba07f6112c14/html5/thumbnails/80.jpg)
Network isolation
Storage
API & Platform access
Monitoring & Logging
Federated clusters
Registry / Container host / CI/CD / Images / Builds
SECURING CONTAINERS
![Page 81: A DevOps State of Mind: Continuous Security with DevSecOps ... · A DevOps State of Mind: Continuous Security with DevSecOps + Containers ... CI/CD Source Control Management Collaboration](https://reader036.vdocuments.net/reader036/viewer/2022062414/5ec6dc95df99ba07f6112c14/html5/thumbnails/81.jpg)
NETWORK ISOLATION
![Page 82: A DevOps State of Mind: Continuous Security with DevSecOps ... · A DevOps State of Mind: Continuous Security with DevSecOps + Containers ... CI/CD Source Control Management Collaboration](https://reader036.vdocuments.net/reader036/viewer/2022062414/5ec6dc95df99ba07f6112c14/html5/thumbnails/82.jpg)
Network Namespace provides resource isolation
NETWORK ISOLATION
Multi-Environment / Multi-Tenant
![Page 83: A DevOps State of Mind: Continuous Security with DevSecOps ... · A DevOps State of Mind: Continuous Security with DevSecOps + Containers ... CI/CD Source Control Management Collaboration](https://reader036.vdocuments.net/reader036/viewer/2022062414/5ec6dc95df99ba07f6112c14/html5/thumbnails/83.jpg)
NETWORK POLICY
example: “all pods in namespace ‘project-a’ allow traffic from any other pods in the same namespace.”
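The slide's rule written out as a Kubernetes NetworkPolicy manifest; this is an added example, not from the deck, and the policy name is a placeholder (only ‘project-a’ comes from the slide).

```yaml
# Added example (not from the deck): the slide's rule as a NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace     # placeholder name
  namespace: project-a
spec:
  podSelector: {}                # empty selector: the policy applies to every pod in project-a
  policyTypes:
  - Ingress                      # only ingress is restricted; egress is left unrestricted
  ingress:
  - from:
    - podSelector: {}            # an empty podSelector in "from" means any pod in this namespace
```

Once a pod is selected by any NetworkPolicy it becomes isolated for the listed direction, so with this policy in place traffic from other namespaces is dropped simply because no rule allows it. Enforcement depends on the cluster's network plugin implementing NetworkPolicy; a plugin that does not will silently accept the object and allow everything.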
![Page 84: A DevOps State of Mind: Continuous Security with DevSecOps ... · A DevOps State of Mind: Continuous Security with DevSecOps + Containers ... CI/CD Source Control Management Collaboration](https://reader036.vdocuments.net/reader036/viewer/2022062414/5ec6dc95df99ba07f6112c14/html5/thumbnails/84.jpg)
STORAGE SECURITY
![Page 85: A DevOps State of Mind: Continuous Security with DevSecOps ... · A DevOps State of Mind: Continuous Security with DevSecOps + Containers ... CI/CD Source Control Management Collaboration](https://reader036.vdocuments.net/reader036/viewer/2022062414/5ec6dc95df99ba07f6112c14/html5/thumbnails/85.jpg)
Local Storage Quota
Security Context Constraints
STORAGE SECURITY
![Page 86: A DevOps State of Mind: Continuous Security with DevSecOps ... · A DevOps State of Mind: Continuous Security with DevSecOps + Containers ... CI/CD Source Control Management Collaboration](https://reader036.vdocuments.net/reader036/viewer/2022062414/5ec6dc95df99ba07f6112c14/html5/thumbnails/86.jpg)
API & PLATFORM ACCESS
![Page 87: A DevOps State of Mind: Continuous Security with DevSecOps ... · A DevOps State of Mind: Continuous Security with DevSecOps + Containers ... CI/CD Source Control Management Collaboration](https://reader036.vdocuments.net/reader036/viewer/2022062414/5ec6dc95df99ba07f6112c14/html5/thumbnails/87.jpg)
Authentication via OAuth tokens and SSL certificates
Authorization via Policy Engine checks, User/Group Defined Roles
API & PLATFORM ACCESS
![Page 88: A DevOps State of Mind: Continuous Security with DevSecOps ... · A DevOps State of Mind: Continuous Security with DevSecOps + Containers ... CI/CD Source Control Management Collaboration](https://reader036.vdocuments.net/reader036/viewer/2022062414/5ec6dc95df99ba07f6112c14/html5/thumbnails/88.jpg)
MONITORING & LOGGING
![Page 89: A DevOps State of Mind: Continuous Security with DevSecOps ... · A DevOps State of Mind: Continuous Security with DevSecOps + Containers ... CI/CD Source Control Management Collaboration](https://reader036.vdocuments.net/reader036/viewer/2022062414/5ec6dc95df99ba07f6112c14/html5/thumbnails/89.jpg)
Aggregate platform and application log access via Kibana + Elasticsearch
LOGGING
![Page 90: A DevOps State of Mind: Continuous Security with DevSecOps ... · A DevOps State of Mind: Continuous Security with DevSecOps + Containers ... CI/CD Source Control Management Collaboration](https://reader036.vdocuments.net/reader036/viewer/2022062414/5ec6dc95df99ba07f6112c14/html5/thumbnails/90.jpg)
Historical CPU and Memory usage
MONITORING
![Page 91: A DevOps State of Mind: Continuous Security with DevSecOps ... · A DevOps State of Mind: Continuous Security with DevSecOps + Containers ... CI/CD Source Control Management Collaboration](https://reader036.vdocuments.net/reader036/viewer/2022062414/5ec6dc95df99ba07f6112c14/html5/thumbnails/91.jpg)
FEDERATION
![Page 92: A DevOps State of Mind: Continuous Security with DevSecOps ... · A DevOps State of Mind: Continuous Security with DevSecOps + Containers ... CI/CD Source Control Management Collaboration](https://reader036.vdocuments.net/reader036/viewer/2022062414/5ec6dc95df99ba07f6112c14/html5/thumbnails/92.jpg)
Amazon East / OpenStack
FEDERATED CLUSTERS
Roles & access management (in-dev)
![Page 93: A DevOps State of Mind: Continuous Security with DevSecOps ... · A DevOps State of Mind: Continuous Security with DevSecOps + Containers ... CI/CD Source Control Management Collaboration](https://reader036.vdocuments.net/reader036/viewer/2022062414/5ec6dc95df99ba07f6112c14/html5/thumbnails/93.jpg)
MICROSERVICES
![Page 94: A DevOps State of Mind: Continuous Security with DevSecOps ... · A DevOps State of Mind: Continuous Security with DevSecOps + Containers ... CI/CD Source Control Management Collaboration](https://reader036.vdocuments.net/reader036/viewer/2022062414/5ec6dc95df99ba07f6112c14/html5/thumbnails/94.jpg)
Monitoring & Metrics: Prometheus (logs), Grafana (visual)
Access Control & usage policies: Mixer (policy decisions)
Encryption & Auth: Citadel (service-to-service and user auth)
Traffic routing: Pilot (circuit breaker, A/B testing, traffic mirroring)
Fault injection: Envoy (corner cases: aborts & delays)
SERVICE MESH
![Page 95: A DevOps State of Mind: Continuous Security with DevSecOps ... · A DevOps State of Mind: Continuous Security with DevSecOps + Containers ... CI/CD Source Control Management Collaboration](https://reader036.vdocuments.net/reader036/viewer/2022062414/5ec6dc95df99ba07f6112c14/html5/thumbnails/95.jpg)
Deployment Frequency
Lead Time
Deployment Failure Rate
Mean Time to Recover
Service Availability (99.999)
Compliance Score
DEVSECOPS METRICS