Securing the Pipeline
13 likes•3,687 views
The document provides strategies for enhancing the security of software delivery pipelines, highlighting aspects like secure coding, user account management, and threat analysis. It emphasizes the importance of centralized control and ongoing monitoring, advocating for a proactive approach to security through practices such as automated deployments and secret management. The collaborative effort of DevSecOps is presented as essential for maintaining security without hindering productivity.
Securing the Pipeline
- 1. To m D u c k e r i n g & P a t D o w n e y SECURING THE PIPELINE Ideas, practices and food for thought to improve the security surrounding regular delivery of software to production.
- 2. WHO ARE WE AND WHAT DO WE KNOW? 2 Dev OpsTom & Pat
- 3. WHO ARE WE AND WHAT DO WE KNOW? 3 Dev Ops Sec Tom & Pat
- 4. WHAT HAVE WE SEEN? 4 Insecure & Fast “Over secure” & Slow
- 5. WHAT HAPPENS IN HERE? 5 User accounts Secure coding Algorithm choice Penetration testing What about the pipeline!?
- 6. YOUR BUILD SYSTEM IS PRODUCTION! 6
- 7. SECURING THE PIPELINE From head to tail 7
- 12. WHO COMMITED? 12 commit 4698b247268f053299230843dd1ae68e4d15a7e3 Author: You can put anything here <[email protected]> Date: Mon Jul 6 16:23:06 2015 +0100 #837: Send logs via syslog Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est.
- 14. USE HTTPS OR SSH 14 There’s simply no good reason not to.
- 15. CENTRALISED CONTROL 15 Code Repo User Directory
- 17. HOW MUCH IS *YOUR* CODE? 17
- 18. WHERE TO START? 18 Use modelling and threat analysis to prioritise the susceptible Discover what you depend on Assess the origin of that code for maturity of security practices
- 20. CI SERVER & IT’S AGENTS 20 It’s a remote execution problem Separate agents to avoid compromises Isolate builds using chroots and containers
- 22. PACKAGING 22 Use package system facilities to verify and sign code But lots of them need “root” :( Containers and unikernels offer a possible approach But they’re immature in other ways :(
- 24. DEPLOYMENT EXECUTION 24 Deploy Agent Web Server Service A Data Store Service B Service C Push deployments with: automated key based ssh! and rights to install as root! to all machines! Limit the commands (e.g. via sudo and ssh) Consider a notification and pull based approach
- 26. KEY, CERT & SECRET MANAGEMENT 26 Secrets required for credentials Try to use PKI where you can If it has to be a password then encrypt them per environment. Try not to move private keys Plan for rotation There’s a chaining problem. It’s hard.
- 28. CONTROL VS. AUDIT 28 Stop bad thing from being possible Know when a bad thing happened Impact of the threat is greater than impact on productivity Productivity impacted too much to stop it completely Need to know immediately Acceptable to know afterwards
- 29. THE “NSA” WAY 29 Log all the things Alert on bad things Look for patterns Tell everyone that you’re doing it (unlike the NSA)
- 30. COMPLIANCE 30
- 31. SEGREGATION OF DUTIES 31 Not always explicitly mandated so RTFM Good principle: “no single person…” Bring it forward in the pipeline with pairing, PRs and code reviews
- 32. HOW TO GET THERE? 32
- 33. HOW TO GET THERE? 33 Dev Sec Ops Collaborative Goal
- 34. HOW TO GET THERE? 34 Structured & Objective
- 35. HOW TO GET THERE? 35 No Silver Bullet. Hard things still hard
- 36. QUESTIONS? 36
- 37. Tom Duckering [email protected] @tomduckering Pat Downey [email protected] @pat_downey THANK YOU