DevSecOps: How to Continuously
Integrate Security Into DevOps with
the Open Source Way
Daniel Oh / @danieloh30
ABOUT ME
● Senior Specialist Solution Architect at Red Hat
● Agile & DevOps Community of Practice Manager at Red Hat
doh@redhat.com
@danieloh30
● Transform Microservices apps
● Container Platform, PaaS
● Java EE with MicroProfile, JBoss for Cloud Native Runtimes
● Evangelism
WHAT IS
DEVSECOPS?
HOW DEV AND OPS
VIEW SECURITY?
WHY DevSecOps?
● DevOps “purists” point out that security was
always part of DevOps
● Did people just not read the book? Are
practitioners skipping security?
● DevSecOps practitioners say it’s about how
to continuously integrate and automate
security at scale
Source: IT Revolution, DevOps Enterprise abstract word cloud, 2014.
Has much changed?
Ironically. Shift-left much?
GLASS HALF EMPTY, GLASS HALF FULL
“... we estimate that fewer than 20% of enterprise security architects have
engaged with their DevOps initiatives to actively and systematically
incorporate information security into their DevOps initiatives; and fewer still
have achieved the high degrees of security automation required to qualify as
DevSecOps.”
“By 2019, more than 70% of enterprise DevOps initiatives will have
incorporated automated security vulnerability and configuration scanning for
open source components and commercial packages, up from less than 10% in
2016.”
Gartner Inc. September 2016
Applications are ‘assembled’…
…utilizing billions of available libraries, frameworks and utilities
● Not all are created equal, some are healthy and some are not
● All go bad over time, they age like milk, not like wine
● Data shows enterprises consumed an average of 229,000 software components annually, of which 17,000 had a known security vulnerability.
THE PERFECT STORM
● Cloud
● DevOps
● Open Source Software innovation explosion
● Containers/Microservices
● Digital transformation
NEW PARADIGM ….
AND SECURITY ON DEVOPS
REUSE
MICROSERVICES
AUTOMATION
IMMUTABILITY
PERVASIVE ACCESS
SPEED
SOFTWARE DEFINED
CONTAINERS
RAPID TECH CHURN
FLEXIBLE DEPLOYS
MANAGEMENT
RISKS
YOU MANAGE RISK BY
● Securing the Assets
● Securing the Dev
● Securing the Ops
● Securing the APIs
OPEN SOURCE WAY
SECURING THE ASSETS
● Building code
○ Watching for changes in how things get built
○ Signing the builds
● Built assets
○ Scripts, binaries, packages (RPMs), containers
(OCI images), machine images (ISOs, etc.)
○ Registries (Service, Container, App)
○ Repositories (local on-host image assets)
Safe at Titan Missile Museum
https://upload.wikimedia.org/wikipedia/commons/5/59/Red_Safe%2C_Titan_Missile_Museum.jpg
Are your public sources secure and available?
SECURING THE SOFTWARE ASSETS -
E.G. IMAGE REGISTRY
Public and private registries
● Do you require a private registry?
● What security metadata is available for your images?
● Are the images in the registry
updated regularly?
● Are there access controls on the
registry? How strong are they?
Who can push images to the
registry?
SECURING THE ASSETS
HEALTH - Security freshness
● Freshness Grade for container
security.
● Monitor image registry to
automatically replace affected
images
● Use policies to gate what can be
deployed: e.g. if a container
requires root access, prevent
deployment
SECURING THE DEVELOPMENT PROCESS
● Potentially lots of parallel builds
● Source code
○ Where is it coming from?
○ Who is it coming from?
● Supply Chain Tooling
○ CI tools (e.g. Jenkins)
○ Testing tools
○ Scanning Tools (e.g. Black Duck, Sonatype)
Boeing's Everett factory near Seattle
https://upload.wikimedia.org/wikipedia/commons/c/c8/At_Boeing%27s_Everett_factory_near_Seattle_%289130160595%29.jpg
Creative Commons
Security & continuous integration
● Layered packaging model
supports separation of
concerns
● Integrate security testing into
your build / CI process
● Use automated policies to flag
builds with issues
● Trigger automated rebuilds
MANAGING CONTAINER BUILDS
Diagram legend: Operations, Architects, Application developers
SECURING THE DEVELOPMENT
https://www.youtube.com/watch?v=65BnTLcDAJI
SECURING THE OPERATIONS
Deployment
○ Trusted registries and repos
○ Signature authenticating and
authorizing
○ Image scanning
○ Policies
○ Ongoing assessment with
automated remediation
Mission Control - Apollo 13
https://c1.staticflickr.com/4/3717/9460197822_9f6ab3f30c_b.jpg
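The deployment bullets above name two distinct checks, signature authentication and signer authorization, that a pipeline runs before an image built and signed earlier (the "Signing the builds" item under securing the assets) is allowed into an environment. The following is an added example, not code from the original slides or from any signing tool; it uses HMAC-SHA256 with a per-signer shared key as a stand-in for the asymmetric signatures (GPG keys, sigstore and the like) a real pipeline would use, and the signer names, keys, environment names and artifact bytes are all constructed for the example.

```python
"""Deploy-time signature gate: authenticate, then authorize.

Added example, not code from the original slides or from any signing tool.
HMAC-SHA256 with a per-signer shared key stands in for the asymmetric
signatures a real pipeline would use; keys, signer names, environments and
artifact bytes are constructed sample data.
"""
import hashlib
import hmac
import json

# Hypothetical per-signer keys the gate can verify against (constructed).
SIGNER_KEYS = {
    "ci-builder": b"ci-builder-key-constructed-for-this-example",
    "dev-laptop": b"dev-laptop-key-constructed-for-this-example",
}

# Authorization policy: which signers may release into which environment.
ALLOWED_SIGNERS = {
    "prod": {"ci-builder"},
    "dev": {"ci-builder", "dev-laptop"},
}


def digest(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()


def _payload(image_digest: str, signer: str) -> bytes:
    # Canonical signed bytes: the artifact digest bound to the signer name, so
    # relabelling the signer on an existing signature invalidates it.
    return json.dumps({"digest": image_digest, "signer": signer}, sort_keys=True).encode()


def sign(artifact: bytes, signer: str) -> dict:
    """Build-time step: produce a detached signature record for the artifact."""
    d = digest(artifact)
    mac = hmac.new(SIGNER_KEYS[signer], _payload(d, signer), hashlib.sha256).hexdigest()
    return {"digest": d, "signer": signer, "mac": mac}


def authenticate(artifact: bytes, sig: dict) -> bool:
    """Is the signature genuine, and does it cover exactly these bytes?"""
    key = SIGNER_KEYS.get(sig.get("signer", ""))
    if key is None:
        return False  # unknown signer
    if sig.get("digest") != digest(artifact):
        return False  # artifact changed after it was signed
    expected = hmac.new(key, _payload(sig["digest"], sig["signer"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig.get("mac", ""))


def authorize(sig: dict, environment: str) -> bool:
    """Is this (already authenticated) signer allowed to ship to this environment?"""
    return sig.get("signer") in ALLOWED_SIGNERS.get(environment, set())


def deploy_decision(artifact: bytes, sig: dict, environment: str) -> str:
    """Authenticate first, authorize second; return 'allow' or a reject reason."""
    if not authenticate(artifact, sig):
        return "reject: signature invalid or artifact modified"
    if not authorize(sig, environment):
        return f"reject: signer {sig['signer']!r} not authorized for {environment}"
    return "allow"


# Constructed stand-in for an image or package the pipeline produced.
ARTIFACT = b"constructed stand-in for an OCI image layer"

if __name__ == "__main__":
    ci_sig = sign(ARTIFACT, "ci-builder")
    dev_sig = sign(ARTIFACT, "dev-laptop")
    print("ci -> prod:", deploy_decision(ARTIFACT, ci_sig, "prod"))
    print("dev -> prod:", deploy_decision(ARTIFACT, dev_sig, "prod"))
    print("tampered:", deploy_decision(ARTIFACT + b"!", ci_sig, "prod"))
```

The order matters: authorization is only meaningful once the signer identity has been authenticated, and binding the signer name into the signed payload is what stops a valid developer signature from being re-labelled as the CI signer to pass the production check.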
CONTAINER DEPLOYMENT PERMISSIONS (SCC)
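The "use policies to gate what can be deployed" item under securing the assets and the SCC deployment-permissions slide describe the same control: a deploy-time check that refuses a workload whose security context asks for more than policy allows, root access being the example the slides give. The code below is an added illustration, not the original slides' code and not OpenShift's SecurityContextConstraint implementation; the rules, the trusted registry name `registry.example.internal` and the two sample manifests are constructed for the example.

```python
"""Deploy-time policy gate for pod manifests.

Added example, not code from the original slides or from OpenShift: it
evaluates a Kubernetes-style pod manifest against a few rules in the spirit
of an OpenShift SecurityContextConstraint, e.g. "if a container requires root
access, prevent deployment". Policy values and manifests are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    allow_privileged: bool = False
    allow_root_user: bool = False
    allow_host_network: bool = False
    # Hypothetical trusted registry; a real deployment lists its own.
    allowed_registries: tuple = ("registry.example.internal",)


def registry_of(image: str) -> str:
    """Return the registry an image reference points at.

    The first path segment is a registry only if it looks like a host
    (contains '.' or ':' or is 'localhost'); otherwise Docker Hub is implied.
    """
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def requires_root(pod_sc: dict, container_sc: dict) -> bool:
    """Root is the default UID when nothing pins it, so an unset runAsUser
    without runAsNonRoot=True counts as 'requires root'.  Container-level
    settings override pod-level ones, as in Kubernetes."""
    run_as_user = container_sc.get("runAsUser", pod_sc.get("runAsUser"))
    run_as_non_root = container_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    if run_as_user is not None:
        return run_as_user == 0
    return not run_as_non_root


def evaluate(manifest: dict, policy: Policy = Policy()) -> list:
    """Return a list of violations; an empty list means the pod may deploy."""
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    if spec.get("hostNetwork") and not policy.allow_host_network:
        findings.append("pod: hostNetwork enabled")
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged") and not policy.allow_privileged:
            findings.append(f"{name}: privileged container")
        if requires_root(pod_sc, sc) and not policy.allow_root_user:
            findings.append(f"{name}: requires root (set runAsNonRoot or a non-zero runAsUser)")
        image = c.get("image", "")
        if registry_of(image) not in policy.allowed_registries:
            findings.append(f"{name}: image {image!r} is not from a trusted registry")
    return findings


def admit(manifest: dict, policy: Policy = Policy()) -> bool:
    """True when the manifest passes every rule in the policy."""
    return not evaluate(manifest, policy)


# Constructed sample manifests (not real workloads).
ROOT_POD = {
    "kind": "Pod",
    "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]},
}
HARDENED_POD = {
    "kind": "Pod",
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1001},
        "containers": [{"name": "web",
                        "image": "registry.example.internal/team/web:1.4.2"}],
    },
}

if __name__ == "__main__":
    for label, pod in (("root pod", ROOT_POD), ("hardened pod", HARDENED_POD)):
        print(label, "->", "allow" if admit(pod) else evaluate(pod))
```

The gate treats an unspecified user as root rather than as unknown, which is the conservative reading: a manifest that says nothing about its user will run as UID 0 on most images, so silence must not pass the policy.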
SCAN YOUR IMAGES (ATOMIC SCAN)
SECURING THE OPERATIONS
Lifecycle
○ Blue Green or A/B or
Canary, continuous
deployments
○ Monitoring deployments
○ Possibly multiple
environments
SECURING THE OPERATIONS - LOGGING
EFK Stack
● Elasticsearch, Fluentd, Kibana
● Based on log aggregation
● Event system: container, system and Kubernetes events, along with issues and errors, are all captured by EFK
● Good for ad hoc analytics
● Good for post mortem forensics because of
extensive log information
SECURING THE OPERATIONS -
MONITORING AND METRICS
MONITORING: HAWKULAR
● REST API to store and retrieve
availability, counter, and gauge
measurements
● Visualization and alerting
● Application performance management
● Integration with ManageIQ (cloud mgmt)
● Most associated with large scale central
IT teams with lots of apps
MONITORING: PROMETHEUS
● Time series data model identified by
metric name and key/value pairs
● Collection happens via a pull model over
HTTP
● Values reliability, even under failure conditions, over 100% accuracy
● Most associated with web-scale
DevSecOps
SECURING THE APIs
Diagram: the API spans the DevOps lifecycle across the SaaS/App, PaaS and IaaS layers, cloud based services and CI/CD.
Modern architectures are API driven, requiring a DevOps approach to API management. Visibility, routing, and authorization are key security concerns.
THE SECURITY ECOSYSTEM
For enhanced security, or to meet existing policies, integrate with enterprise security tools, such as:
● Identity and Access management / Privileged Access Management
● External Certificate Authorities
● External Vaults / Key Management solutions
● Container content scanners & vulnerability management tools
● Container runtime analysis tools
● Security Information and Event Monitoring (SIEM)
SECURITY ECOSYSTEM: OPENSHIFT PRIMED
Partner logos shown: Sysdig, NGINX, Aqua Security, JFrog, Inc., Signal Sciences, Cisco Contiv, Aporeto, Big Switch, Sonatype, F5, Black Duck, NeuVector, Treasure Data, Contrail, Tremolo, Nuage Networks, Dynatrace, Avi Networks
THANK YOU & QUESTIONS
Contacting me: doh@redhat.com / @danieloh30

[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps