DevOpsSec FAIL: DevOps Security Anti-Patterns
Dr. Constantine Aaron Cois
Carnegie Mellon University
Me
@aaroncois
www.codehenge.net
github.com/cacois
Disclaimer: Though I am an employee of the Software Engineering Institute at Carnegie Mellon University, this work was not funded by the SEI and does not reflect the work or opinions of the SEI or its customers.
DevOps
DevOpsSec
DevOps is a
Risk Mitigation strategy,
built on
Situational Awareness,
Automation, and
Repetition
DevOpsSec
But security is where
a lot of DevOps implementations
Fall Down
THE EXCEPTION Anti-pattern
The Exception
You automate…
…builds
…functional tests
…deployment
…reporting
…the coffee machine
The Exception
But security testing is still
manual pen testing, done only
on release
Automating security testing removes…
…human error
…infrequent execution
…excuses
There are great projects out there
OWASP ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Gauntlt: http://gauntlt.org/ ("Be mean to your code and like it")
Help improve them!
THE MULTIVERSE Anti-pattern
The Multiverse
(animated sequence: the App passes through the Dev, Test, Staging and Prod environments)
When nothing looks the same,
you can never be sure your app will behave the same
When nothing looks the same,
you can never be sure your app security features will behave the same
THE CONFIGURATOR Anti-pattern
The Configurator
Manual configuration, done by your
best and brightest...
The Configurator
…will still lead to an
unmanageable, unpredictable,
and
unrepeatable solution
The Configurator
If it's not
Automated, it's not
Done
The Configurator
If it's not
Automated, it's not
Done… Secure
THE INFILTRATOR Anti-pattern
The Infiltrator
He sneaks in…
…and alters production
…but he works for you!
There is always a reason to make a manual change
But don’t do it!
Unexpected manual changes are often…
Undocumented,
Unauditable,
Unrepeatable
Insecure
Protip
Configure production to alert the entire team when manually
accessed.
Transparency is key
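One way to act on the protip above, as an added example that is not part of the original deck: scan sshd auth-log lines for successful logins and raise a team-wide alert for every login that did not come from the automation account. The log format is the common Linux syslog/sshd layout, the account name deploy-bot is a hypothetical CI deploy user, and the sample lines are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional

# sshd's "Accepted ..." line behind a syslog prefix (format assumed from common Linux setups).
SSHD_ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Accounts expected on production non-interactively (hypothetical name for the CI deploy account).
AUTOMATION_USERS = frozenset({"deploy-bot"})


def parse_login(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a successful sshd login line, or None for any other line."""
    m = SSHD_ACCEPTED.match(line)
    return m.groupdict() if m else None


def manual_access_alerts(lines: Iterable[str], automation_users=AUTOMATION_USERS) -> List[str]:
    """One alert per successful login by anyone other than an automation account.

    Failed logins are ignored here (intrusion detection is a separate concern); the
    returned strings are what you would push to the whole team's chat channel or pager.
    """
    alerts = []
    for line in lines:
        login = parse_login(line)
        if login is None or login["user"] in automation_users:
            continue
        alerts.append(
            f"MANUAL ACCESS {login['host']}: {login['user']} from {login['ip']} "
            f"via {login['method']} at {login['ts']}"
        )
    return alerts


# Constructed sample log lines, not taken from any real system.
SAMPLE_AUTH_LOG = [
    "Mar  3 10:15:02 prod-web-01 sshd[2143]: Accepted publickey for deploy-bot from 10.0.5.20 port 50122 ssh2: RSA SHA256:AAAA",
    "Mar  3 10:16:40 prod-web-01 sshd[2201]: Failed password for invalid user admin from 198.51.100.9 port 41000 ssh2",
    "Mar  3 11:02:11 prod-web-01 sshd[2390]: Accepted publickey for alice from 203.0.113.7 port 50207 ssh2: ED25519 SHA256:BBBB",
    "Mar  3 11:05:00 prod-db-01 sshd[771]: Accepted password for root from 203.0.113.7 port 50209 ssh2",
]

if __name__ == "__main__":
    for alert in manual_access_alerts(SAMPLE_AUTH_LOG):
        print(alert)
```

In practice you would feed this from a log shipper or journald tail rather than a list, and make the automation allowlist as short as possible so every human login is visible to the team.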
THE SURVIVOR Anti-pattern
We’ve all been there…
Intrusions overnight…
…lock it down…
…cascading system failures…
…it’s all crashing…
It feels like…
But it ends
You survive
You're out of the woods. Just glad it's over.
Going to go sleep for 18 hours…
…and then back to normal.
Survivor mentality defeats continuous improvement
When do we analyze what went wrong?
How do we prevent similar failures in the future?
All failures must result in codified change to DevOps process.
This attitude persists…
…when we don’t expect failure.
We should always expect failure.
Be ready for it.
Plan for it.
After action rules for failure
Understand exactly what went wrong
Never let the same failure happen twice
Propagate fixes across the enterprise
Ensure that you teach the next generation
THE COLLEGE PARTY Anti-pattern
The College Party
Software libraries are
your guests, and
everyone’s invited
The College Party
99% of Global 2000 companies
will be using open source code in
mission-critical apps by 2016 [1]
[1] http://www.zdnet.com/article/scan-open-source-use-to-minimize-risks-optimize-benefits/
The College Party
Do you know what’s in your
app?
Code we wrote
Code someone else wrote
THE SKYDIVER Anti-pattern
The Skydiver
Once you jump, you can’t return to the plane.
You are committed.
Permanently.
This is not how we should model our deployments.
The Skydiver
Rollback is
essential
Never be left without an escape route to completely working software.
Any QUESTIONS?