Post on 28-Jul-2015
transcript
Secure DevOps: Overcoming the Risks of Modern Service Delivery
Kurt Bittner & Rick Holland
Forrester Research
Featuring:
Agenda
• The DevOps Revolution
• Threat Landscape
• Best Practices for Secure DevOps
• Q&A
Chris Hoover, GVP, Products & Marketing, Perforce Software
Today’s Presenters
Kurt Bittner, Principal Analyst, Application Development and Delivery
Rick Holland, Principal Analyst, Security & Risk
Source: http://www.linkconstructiongroup.net/project.cfm?id=42 © Golden Gate Bridge, Highway and Transportation District
Why DevOps?
It’s simple: intense and increasing competition.
“We don’t compete with other banks. We compete with Apple, Paypal, and Google.” (CIO, Large Banking organization)
Fast application delivery = better business results
• Less risk
• Less waste
• Lower cost
• Happier customers
Source: October 20, 2014, “The Software-Powered Business”
© 2015 Forrester Research, Inc. Reproduction Prohibited
Seven Habits Of Highly Successful DevOps
1. Establish Trust and Transparency Between Dev And Ops
2. Streamline Your Application Delivery Pipeline
3. See Everything Through The Eyes Of The Customer
4. Adopt A Loosely-Coupled Service-Oriented Architecture
5. Reward Solution Simplicity and Reliability
6. Adapt And Improve Using Customer Experience Data
7. Measure Everyone On Customer Outcomes Achieved
The future is already here — it's just not very evenly distributed.
William Gibson
Could you manually deploy an airbag?
What if a hacker deployed your airbag when you are driving at highway speed?
Source: https://farm4.staticflickr.com/3570/3654967093_8181dff16c_o.jpg
Source: http://blogs-images.forbes.com/sethporges/files/2014/05/googlecar-e1401261602733.jpg
What about kidnapping by hacking an autonomous vehicle?
Software is eating the world
Companies in every industry need to assume a software revolution is coming
But security missed the memo
CONTINUOUS FRICTION
But security missed the memo
CONTINUOUS NAGGING
Agenda
• The DevOps Revolution
• Threat Landscape
• Best Practices for Secure DevOps
• Q&A
Companies & agencies are overwhelmed
>75% of compromises occurred in days
Source: http://www.verizonenterprise.com/DBIR/2014
Yet only 25% were discovered in days
Source: http://www.verizonenterprise.com/DBIR/2014/
Code Spaces goes out of business
Deleted EBS snapshots, S3 buckets, all AMIs
The 90s called, wants its security approach back
Static and dynamic code analysis can take days
Bolt-on security cannot keep pace with DevOps
Source: http://media-cdn.tripadvisor.com/media/photo-s/02/ce/93/e8/auditorium-theatre.jpg
Manual security processes are often little more than Risk Management Theater
Instead of bright ideas, we have broken bulbs
Source: https://farm2.staticflickr.com/1105/1471414696_b7e134d097_o.jpg
The perimeter is dead!
Source: https://www.flickr.com/photos/23879276@N00/3318932796
Except for the perimeters between our teams
Development is the “Department of No.”
Operations is the “Department of No” as well.
Security is the “Department of Hell No!”
Agenda
• The DevOps Revolution
• Threat Landscape
• Best Practices for Secure DevOps
• Q&A
Ford’s great innovation: the assembly line
Source: https://upload.wikimedia.org/wikipedia/commons/2/29/Ford_assembly_line_-_1913.jpg
Lean Value Stream Mapping
Source: http://en.wikipedia.org/wiki/Value_stream_mapping
Faster Delivery = Faster Remediation
Value stream shown on the slide: Idea → Understand Needs → Develop → Test → Deploy → Customer Value
Timings per stage, as shown in two rows on the slide: 3 days, 5 days, 5 days, 3 days; and 10 days, 7 days, 4 days, 9 days. Total = 47 days, with a 1 day feedback loop.
Source: July 25, 2014, “Define A Software Delivery Strategy For Business Innovation”
Secure delivery pipeline (slide diagram). Stages: Idea proposed → Understand Needs & Invent Solutions → Develop, Commit & Build → Functional Testing → Load, Performance, Security, … Testing → UAT/Exploratory Testing → Release Decision → Deploy Solution → Customer Value; Feedback and New Capabilities flow back to the start.
Security practices placed along the pipeline: Ensure only authorized changes; Provide standard, secure environments; Detect vulnerabilities; Make release decisions based on test data; Automate and control deployments; Eliminate the “console”; Detect intrusions.
Prevention is better than remediation
Secure delivery pipeline diagram (repeated), highlighting: Ensure only authorized changes
Don’t forget about the insider threats
Insiders commit:
• Fraud
• Theft of IP
• Sabotage
Source: CERT 2014 US State of Cybercrime Survey, Software Engineering Institute, https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=298318 (Base: 557 respondents)
Terminated worker cripples employer
Deleted 88 virtual servers in seconds
Ensure authorized changes with analytics
Quickly identifying unauthorized changes is paramount.
Behavioral analytics can detect a myriad of anomalous or unauthorized changes
Identify anomalous/malicious behavior over time:
• Is Rick accessing code he has never accessed before?
• Is Rick accessing code that his peers don’t access?
• Are Rick’s work hours unusual? (8-5 CST, but now 2am)
• Why is Rick suddenly uploading code to Dropbox?
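The four questions above, expressed as detection logic: this is an added example, not material from the webinar, and it runs over a constructed set of source-control and upload events; the peer group, the 8-5 work window and the Dropbox target are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (user, ISO timestamp, action, target)
EVENTS = [
    ("rick",  "2015-07-20T09:12:00", "checkout", "repo/payments"),
    ("rick",  "2015-07-21T10:30:00", "checkout", "repo/payments"),
    ("alice", "2015-07-21T11:00:00", "checkout", "repo/payments"),
    ("alice", "2015-07-22T14:00:00", "checkout", "repo/billing"),
    ("bob",   "2015-07-22T15:00:00", "checkout", "repo/billing"),
    ("rick",  "2015-07-27T02:05:00", "checkout", "repo/hr-records"),  # new repo, 2am
    ("rick",  "2015-07-27T02:10:00", "upload",   "dropbox.com"),      # external upload
]

PEERS = {"rick": {"alice", "bob"}}   # assumed peer group (same team)
WORK_HOURS = (8, 17)                  # 8-5, as on the slide

def build_history(events, before):
    """Repos each user checked out before the analysis window (baseline behaviour).
    Timestamps share one ISO format, so string comparison orders them correctly."""
    seen = defaultdict(set)
    for user, ts, action, target in events:
        if action == "checkout" and ts < before:
            seen[user].add(target)
    return seen

def flag_anomalies(events, user, window_start):
    """Return (reason, timestamp, target) findings for one user inside the window."""
    history = build_history(events, window_start)
    findings = []
    for u, ts, action, target in events:
        if u != user or ts < window_start:
            continue
        hour = datetime.fromisoformat(ts).hour
        if not (WORK_HOURS[0] <= hour < WORK_HOURS[1]):
            findings.append(("off_hours", ts, target))
        if action == "checkout":
            if target not in history[user]:
                findings.append(("never_accessed_before", ts, target))
            if not any(target in history[p] for p in PEERS.get(user, ())):
                findings.append(("peers_dont_access", ts, target))
        if action == "upload" and target.endswith("dropbox.com"):
            findings.append(("external_upload", ts, target))
    return findings
```

Each finding on its own is weak evidence; the slide's point is that several of them stacking up on one user in a short window is what deserves an analyst's attention.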
Source: http://blog.jki.net/news/niweek-2012-fire-and-forget-bulletproof-builds-using-continuous-integration-with-labview-video-slides-now-available/
Ensure only authorized changes
Continuous integration ensures healthy code
Secure delivery pipeline diagram (repeated), highlighting: Provide standard, secure environments
Source: http://www.flickr.com/photos/38392483@N00/385912858
“Infrastructure As Art”
• Every hand-crafted environment is unique
• No auditability of changes
• Often, no control over change access
• No repeatability
• “It works fine in my environment.”
Inconsistency Creates Vulnerability
Complexity leads to vulnerability
Source: https://sndrs.ca/page/2/
Source: http://www.datacenterknowledge.com/wp-content/uploads/2011/05/ITPAC-Servers-470.jpg
“Infrastructure As Code”
› Standard VM/Container configurations
› Configurations version controlled
› Managed change authorization
› Changes automated, repeatable, auditable
Diagram components: a Versioned Repository (Configuration Info, Test Data) and the Configured Environment (Configuration Info, Test Data), connected through Service Virtualization, Test Data Management and Deployment Automation.
Standardized environments make security scalable, finally
Security pros must leverage IT automation tools
Ensure consistent configurations and eliminate drift
Standardization made Heartbleed less painful
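What standardized, version-controlled environments buy a security team when a bug like Heartbleed lands, as an added example that is not part of the deck: with every host's role and package set known, drift from the baseline and exposure to a vulnerable version become simple queries. The inventory and baseline below are constructed; the affected OpenSSL range (1.0.1 through 1.0.1f, fixed in 1.0.1g) is the public Heartbleed range.

```python
# Constructed baseline: the version-controlled package set each role must match.
BASELINE = {
    "web": {"openssl": "1.0.1g", "nginx": "1.6.0"},
    "db":  {"openssl": "1.0.1g", "postgresql": "9.3.4"},
}

# Constructed inventory, as a configuration-management tool would report it.
INVENTORY = [
    {"host": "web-01", "role": "web", "packages": {"openssl": "1.0.1g", "nginx": "1.6.0"}},
    {"host": "web-02", "role": "web", "packages": {"openssl": "1.0.1e", "nginx": "1.6.0"}},
    {"host": "db-01",  "role": "db",  "packages": {"openssl": "1.0.1g", "postgresql": "9.3.4"}},
    {"host": "db-02",  "role": "db",  "packages": {"openssl": "1.0.1g", "postgresql": "9.3.2"}},
]

# OpenSSL releases vulnerable to Heartbleed: 1.0.1 and 1.0.1a through 1.0.1f.
HEARTBLEED_AFFECTED = {"1.0.1"} | {"1.0.1" + c for c in "abcdef"}

def find_drift(inventory, baseline):
    """Map host -> [(package, actual, expected)] for every host off its role's baseline.
    A package missing from the host shows up with actual == None."""
    drift = {}
    for h in inventory:
        expected = baseline[h["role"]]
        diffs = [(pkg, h["packages"].get(pkg), ver)
                 for pkg, ver in expected.items()
                 if h["packages"].get(pkg) != ver]
        if diffs:
            drift[h["host"]] = diffs
    return drift

def hosts_exposed(inventory, affected=HEARTBLEED_AFFECTED):
    """Hosts whose reported OpenSSL version falls in the affected range."""
    return sorted(h["host"] for h in inventory
                  if h["packages"].get("openssl") in affected)

if __name__ == "__main__":
    for host, diffs in find_drift(INVENTORY, BASELINE).items():
        print(host, "drifted:", diffs)
    print("exposed to Heartbleed:", hosts_exposed(INVENTORY))
```

Here the drifted web-02 is also the only exposed host, which is the slide's point: once the baseline is patched, the remaining exposure is exactly the drift list.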
Secure delivery pipeline diagram (repeated), highlighting: Detect vulnerabilities
Secure delivery pipeline diagram (repeated), highlighting: Make release decisions based on test data
Benefits of basing release decisions on test data
• Increased confidence
• Reduced risk
• Fewer incidents
• Simplified release decisions
Secure delivery pipeline diagram (repeated), highlighting: Automate and control deployments
Automating deployment reduces vulnerability
Add slides on ARA – what it is, how it works
Source: http://h30499.www3.hp.com/t5/Grounded-in-the-Cloud/Transform-DevOps-with-Application-Release-Automation/ba-p/5952497#.VTZ73c5Gceo
Benefits of Automating Deployment
• Increase reliability
• Eliminate manual errors
• Increase speed
• Reduce cost
A typical quarterly release at one company consisted of a spreadsheet of over 1000 changes that needed to be made to deploy the software.
A THOUSAND OPPORTUNITIES FOR SOMETHING TO GO WRONG.
Three Teams, One Goal
Development, Operations and Security must work together to win, serve and retain customers.
Deliver consistency:
• Secure customer experiences
• Trustworthy configurations
• Minimize human error
• Few surprises
Q&A
Thank you
Kurt Bittner, Principal Analyst, kbittner@forrester.com, @ksbittner
Rick Holland, Principal Analyst, rholland@forrester.com, @rickhholland