DevOps and Security: It’s Happening. Right Now.
Helen Bravo, Director of Product Management at [email protected]
Agenda
• Intro to DevOps
• Integrating security within DevOps
– Problems with traditional controls
– Steps to DevOps security
What is DevOps About?
An unstoppable deployment process… in small chunks of time
DevOps is Happening
Companies that have adopted DevOps
Can TRADITIONAL web application security controls fit in… a DevOps environment?!
Traditional Web Application Security Controls
• Penetration Testing
• WAF (Web Application Firewall)
• Code Analysis
Penetration Testing – Takes Time!
• Penetration Testing
– 300-page report
– 3 weeks of assessment time
– 2 weeks to get it into development
Web Application Firewall (WAF)
Thinking Continuous Deployment?
Think Continuous Configuration!
Code Analysis
• Setup time
• Running time
• Analysis time
… just too slow!
… Do Nothing?
Required: A New Secure SDLC Approach
Step by Step
Step 1: Plan for Security
• Identify unsecured APIs and frameworks
• Map security-sensitive code portions, e.g. the password change mechanism and the user authentication mechanism.
• Anticipate regulatory problems and plan for them.
Step 2: Engage the Developers. And Be Engaged
• Connect developers to security – Going to OWASP? Bring a developer with you!
• Is your house on fire? Share the details with your developers.
• Have an open-door approach
• Set up an online collaboration platform, e.g. Jive, Confluence, etc.
Step 3: Arm the Developers
• Secure frameworks:
– Use a secure framework such as Spring Security, JAAS, Apache Shiro, Symfony2
– ESAPI is a very useful OWASP security framework
• SCA tools that provide security feedback at the pre-commit stage:
– Rapid response
– Small chunks
Step 3: Automate the Process
• Integrate within your build (Jenkins, Bamboo, TeamCity, etc.)
– SAST
– DAST
• Fail the build if security does not pass the bar.
Continuous Deployment
(pipeline diagram) Stages: Develop, Code Commit, Source Control, Build Trigger, Unit Tests, Deploy to Test Env, Deploy to Production, Report & Notify, Publish to release repository
Security within Continuous Deployment
(pipeline diagram) Stages: Develop, Code Commit, Source Control, Build Trigger, Tests, Automatic security test (SCA Test), Deploy to Test Env, Deploy to Production, Report & Notify, Publish to release repository
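The two automation points on the preceding slides, scanner feedback at the pre-commit stage (Step 3: Arm the Developers) and "fail the build if security does not pass the bar" (Automate the Process), both need the same small piece: a gate that reads a scan report and returns a non-zero exit status when findings exceed an agreed severity threshold. The script below is an added example, not code from the talk or from any scanner vendor. It assumes a constructed, tool-neutral CSV report format (`severity,rule,location`) and a constructed severity scale (low < medium < high < critical); the `your-sast-tool` command in the comments is hypothetical, since every SAST/DAST product has its own CLI and output format. Only `list_findings` needs adapting to a real tool.

```shell
#!/bin/sh
# Added example (not from the original talk): a severity gate that a build
# server or a git pre-commit hook can run after a SAST/DAST scan, failing the
# step when findings exceed the agreed bar. The report format is a constructed,
# tool-neutral CSV ("severity,rule,location"); real scanners emit their own
# formats, so list_findings is the one function to adapt per tool.

# list_findings REPORT MIN_SEVERITY
# Prints one line per finding whose severity is at or above MIN_SEVERITY
# (constructed scale: low < medium < high < critical; case-insensitive).
list_findings() {
  awk -F, -v minsev="$2" '
    function rank(s) {
      s = tolower(s)
      if (s == "critical") return 4
      if (s == "high")     return 3
      if (s == "medium")   return 2
      if (s == "low")      return 1
      return 0                      # unknown severities never trip the gate
    }
    NR > 1 && rank($1) >= rank(minsev) { print "[" $1 "] " $2 " at " $3 }
  ' "$1"
}

# count_findings REPORT MIN_SEVERITY -> number of findings at or above the bar
count_findings() {
  list_findings "$1" "$2" | wc -l | tr -d ' '
}

# security_gate REPORT MIN_SEVERITY [MAX_ALLOWED]
# Exit status 0 = build may proceed, 1 = fail the build (or reject the commit).
# MAX_ALLOWED (default 0) lets a team start with a lenient bar and tighten it.
security_gate() {
  report="$1"; min_sev="$2"; max_allowed="${3:-0}"
  found=$(count_findings "$report" "$min_sev")
  if [ "$found" -gt "$max_allowed" ]; then
    echo "SECURITY GATE FAILED: $found finding(s) at severity >= $min_sev (allowed: $max_allowed)" >&2
    list_findings "$report" "$min_sev" | sed 's/^/  /' >&2
    return 1
  fi
  echo "security gate passed: $found finding(s) at severity >= $min_sev (allowed: $max_allowed)"
  return 0
}

# write_sample_report PATH: writes a constructed scanner report for the demo.
write_sample_report() {
  cat > "$1" <<'EOF'
severity,rule,location
high,SQL injection,src/UserDao.java:42
medium,Session cookie without HttpOnly flag,src/Session.java:17
low,Verbose error page,web/error.jsp:3
high,Hardcoded password,src/Config.java:9
EOF
}

# Demo: the same gate used two ways. In a Jenkins "Execute shell" step the
# scan covers the whole tree and this script's exit status fails the build; in
# .git/hooks/pre-commit it runs on the staged files only. The scanner command
# is hypothetical (each tool has its own CLI):
#   your-sast-tool --files "$(git diff --cached --name-only)" --csv > "$report"
#   security_gate "$report" high 0 || exit 1
demo() {
  report=$(mktemp)
  write_sample_report "$report"
  security_gate "$report" critical 0     # passes: no critical findings
  security_gate "$report" high 0 || echo "build would be failed here"
  rm -f "$report"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run `sh gate.sh demo` to see one passing and one failing gate on the constructed report. The threshold and allowance are parameters on purpose: the "start small" advice from the summary translates to gating only on high and critical findings with a non-zero allowance first, then lowering the allowance to zero and the severity bar to medium as the backlog clears, so the build never fails on the first day with hundreds of legacy findings.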
Step 5: Use Old Tools Wisely
• Periodic pen testing
• WAF on main functions
• Code review for security sensitive code portions.
Summary
• DevOps is happening. Right Now.
– During the time of this talk, Amazon has released 75 features and bug fixes.
• Security should not be compromised
• Don’t be overwhelmed. Start small.
The 3 Takeaways
1. Plan from the ground up
2. Engage with your developers
3. Integrate security into the automated build process.
Questions?