Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery

Posted on 28-Jul-2015

Category: Technology

Secure DevOps: Overcoming the Risks of Modern Service Delivery

Kurt Bittner & Rick Holland

Forrester Research


Agenda

• The DevOps Revolution
• Threat Landscape
• Best Practices for Secure DevOps
• Q&A

Chris Hoover, GVP, Products & Marketing, Perforce Software

Today’s Presenters

Kurt Bittner, Principal Analyst, Application Development and Delivery

Rick Holland, Principal Analyst, Security & Risk


Why DevOps?

It’s simple: intense and increasing competition.

“We don’t compete with other banks. We compete with Apple, Paypal, and Google.” (CIO, Large Banking organization)


Fast application delivery = better business results

• Less risk
• Less waste
• Lower cost
• Happier customers

Source: Forrester, “The Software-Powered Business,” October 20, 2014

Seven Habits Of Highly Successful DevOps

1. Establish Trust and Transparency Between Dev And Ops
2. Streamline Your Application Delivery Pipeline
3. See Everything Through The Eyes Of The Customer
4. Adopt A Loosely-Coupled Service-Oriented Architecture
5. Reward Solution Simplicity and Reliability
6. Adapt And Improve Using Customer Experience Data
7. Measure Everyone On Customer Outcomes Achieved

The future is already here — it's just not very evenly distributed.

William Gibson


Could you manually deploy an airbag?

What if a hacker deployed your airbag when you are driving at highway speed?


What about kidnapping by hacking an autonomous vehicle?

Software is eating the world

Companies in every industry need to assume a software revolution is coming

But security missed the memo

CONTINUOUS FRICTION


But security missed the memo

CONTINUOUS NAGGING


Companies & agencies are overwhelmed


>75% of compromises occurred in days

Source: http://www.verizonenterprise.com/DBIR/2014


Yet only 25% were discovered in days

Source: http://www.verizonenterprise.com/DBIR/2014/


Code Spaces goes out of business: deleted EBS snapshots, S3 buckets, all AMIs

The 90s called, wants its security approach back

Static and dynamic code analysis can take days

Bolt-on security cannot keep pace with DevOps


Manual security processes are often little more than Risk Management Theater

Instead of bright ideas, we have broken bulbs.

The perimeter is dead!


Except for the perimeters between our teams. Development is the “Department of No.” Operations is the “Department of No” as well. Security is the “Department of Hell No!”

Ford’s great innovation: the assembly line


Lean Value Stream Mapping

Reference: http://en.wikipedia.org/wiki/Value_stream_mapping

Faster Delivery = Faster Remediation

Value stream map (figure): Idea → Understand Needs → Develop → Test → Deploy → Customer Value, with a 1 day feedback loop back to Idea. The figure shows two rows of durations across the four middle stages (3 / 5 / 5 / 3 days and 10 / 7 / 4 / 9 days); total = 47 days.

Source: Forrester, “Define A Software Delivery Strategy For Business Innovation,” July 25, 2014

Prevention is better than remediation

Secure delivery pipeline (figure): Idea proposed → Understand Needs & Invent Solutions → Develop, Commit & Build → Functional Testing → Load, Performance, Security, … Testing → UAT/Exploratory Testing → Release Decision → Deploy Solution → Customer Value → Feedback → New Capabilities

Security practices overlaid on the pipeline:

• Ensure only authorized changes
• Provide standard, secure environments
• Detect vulnerabilities
• Eliminate the “console”
• Detect intrusions
• Make release decisions based on test data
• Automate and control deployments

Secure delivery pipeline (slide repeated), highlighting: Ensure only authorized changes

Don’t forget about the insider threats

Source: CERT 2014 US State of Cybercrime Survey, Software Engineering Institute (base: 557 respondents), https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=298318

Insiders commit:

• Fraud
• Theft of IP
• Sabotage

Terminated worker cripples employer: deleted 88 virtual servers in seconds

Ensure authorized changes with analytics

Quickly identifying unauthorized changes is paramount.

Behavioral analytics can detect a myriad of anomalous or unauthorized changes


Identify anomalous/malicious behavior over time:

• Is Rick accessing code he has never accessed before?
• Is Rick accessing code that his peers don’t access?
• Are Rick’s work hours unusual? (8-5 CST, but now 2am)
• Why is Rick suddenly uploading code to Dropbox?
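The four questions on this slide are the rules a behavioral-analytics pass over source-control access logs would encode. The script below is an added example, not code from the deck or from Forrester: it learns a per-user and per-team baseline from a few days of constructed log lines (the CSV-style format, the user, team and repository names, and the list of external sharing destinations are all assumptions made for the example), then scores later events against that baseline and reports which of the four questions each event trips.

```python
"""Toy behavioral-analytics pass over constructed source-control access logs.

Each log line is 'ISO-timestamp,user,team,action,target' (a constructed
format; timestamps are the user's local wall-clock time, CST on the slide).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: three days of normal activity, then one day to score.
SAMPLE_LOG = """\
2015-07-20T09:12:00,rick,security,checkout,repo/waf-rules
2015-07-20T10:40:00,rick,security,checkout,repo/ids-signatures
2015-07-21T14:05:00,rick,security,checkout,repo/waf-rules
2015-07-21T09:30:00,alice,security,checkout,repo/waf-rules
2015-07-21T11:00:00,alice,security,checkout,repo/ids-signatures
2015-07-22T16:45:00,bob,payments,checkout,repo/payment-gateway
2015-07-23T02:10:00,rick,security,checkout,repo/payment-gateway
2015-07-23T02:25:00,rick,security,upload,dropbox.com
2015-07-23T10:00:00,alice,security,checkout,repo/waf-rules
"""

WORK_HOURS = range(8, 17)           # 08:00-16:59 is the "8-5" baseline on the slide
EXTERNAL_SHARING = {"dropbox.com"}  # hypothetical list of external sharing destinations


def parse(log_text):
    """Parse the constructed CSV-style log into a list of event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, team, action, target = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "team": team, "action": action, "target": target})
    return events


def build_baseline(events):
    """Learn which repos each user touches and which team each user belongs to."""
    user_repos = defaultdict(set)
    user_team = {}
    for e in events:
        user_team[e["user"]] = e["team"]
        if e["action"] == "checkout":
            user_repos[e["user"]].add(e["target"])
    return user_repos, user_team


def score_event(e, user_repos, user_team):
    """Return the anomaly reasons for one event; an empty list means normal."""
    reasons = []
    if e["action"] == "checkout":
        # Question 1: code this user has never accessed before.
        if e["target"] not in user_repos[e["user"]]:
            reasons.append("new-repo-for-user")
        # Question 2: code none of the user's peers (same team, other users) access.
        peer_repos = set()
        for u, t in user_team.items():
            if t == e["team"] and u != e["user"]:
                peer_repos |= user_repos[u]
        if e["target"] not in peer_repos:
            reasons.append("repo-not-used-by-peers")
    # Question 3: activity outside the user's normal working hours.
    if e["ts"].hour not in WORK_HOURS:
        reasons.append("off-hours")
    # Question 4: upload to an external sharing service.
    if e["action"] == "upload" and e["target"] in EXTERNAL_SHARING:
        reasons.append("upload-to-external-sharing")
    return reasons


def detect(log_text, baseline_days=3):
    """Treat the first `baseline_days` days as normal behaviour; score everything after."""
    events = sorted(parse(log_text), key=lambda e: e["ts"])
    cutoff = events[0]["ts"].date() + timedelta(days=baseline_days)
    baseline = [e for e in events if e["ts"].date() < cutoff]
    user_repos, user_team = build_baseline(baseline)
    findings = []
    for e in events:
        if e["ts"].date() < cutoff:
            continue
        reasons = score_event(e, user_repos, user_team)
        if reasons:
            findings.append({"ts": e["ts"].isoformat(), "user": e["user"],
                             "action": e["action"], "target": e["target"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']} {f['action']} {f['target']}: {', '.join(f['reasons'])}")
```

On the constructed log the two 2am events by rick are flagged (a repo he and his team have never touched, off-hours, then an upload to an external sharing site), while alice's daytime checkout of her usual repo produces nothing. In a real deployment the baseline would be a rolling window rather than the first few days, and each reason would carry a weight so that a single off-hours commit does not page anyone on its own.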

Ensure only authorized changes

Continuous integration ensures healthy code

Source: http://blog.jki.net/news/niweek-2012-fire-and-forget-bulletproof-builds-using-continuous-integration-with-labview-video-slides-now-available/

Secure delivery pipeline (slide repeated), highlighting: Provide standard, secure environments


“Infrastructure As Art”

• Every hand-crafted environment is unique
• No auditability of changes
• Often, no control over change access
• No repeatability
• “It works fine in my environment.”

Inconsistency Creates Vulnerability

Complexity leads to vulnerability


“Infrastructure As Code”

› Standard VM/Container configurations
› Configurations version controlled
› Managed change authorization
› Changes automated, repeatable, auditable

Diagram components: Versioned Repository (Configuration Info, Test Data) → Configured Environment (Configuration Info, Test Data); supporting tooling: Service Virtualization, Test Data Management, Deployment Automation

Standardized environments make security scalable, finally

Security pros must leverage IT automation tools

Ensure consistent configurations and eliminate drift


Standardization made Heartbleed less painful

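The last three slides make one argument: when every environment is built from the same version-controlled baseline, "eliminate drift" and "which hosts run the vulnerable library?" become the same query. The script below is an added example (not code from the deck or from Forrester) of that check: a desired-state baseline as it would be committed to the configuration repository, snapshots reported back from each host, and a drift report that treats package versions as a floor and refuses to mistake a missing setting for a compliant one. The hostnames, configuration keys and version strings are all constructed for the example.

```python
"""Configuration drift check against a version-controlled baseline.

Constructed example: BASELINE is the desired state as committed to the
configuration repository; FLEET holds the snapshots a config-management
agent reports back from each host. Hostnames, keys and versions are made up.
"""
import re

BASELINE = {
    "packages.openssl": "1.0.1g",   # minimum acceptable version (constructed value)
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "tls.min_version": "TLSv1.2",
}

FLEET = {
    "web-01": {"packages.openssl": "1.0.1g", "sshd.PermitRootLogin": "no",
               "sshd.PasswordAuthentication": "no", "tls.min_version": "TLSv1.2"},
    "web-02": {"packages.openssl": "1.0.1f", "sshd.PermitRootLogin": "no",
               "sshd.PasswordAuthentication": "no", "tls.min_version": "TLSv1.2"},
    # A hand-built "infrastructure as art" box: old library, root login, no TLS floor set.
    "legacy-07": {"packages.openssl": "1.0.1e", "sshd.PermitRootLogin": "yes",
                  "sshd.PasswordAuthentication": "no"},
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_version(text):
    """Turn 'major.minor.patch[letter]' into a comparable tuple: '1.0.1g' -> (1, 0, 1, 'g')."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def detect_drift(baseline, snapshot):
    """Return {key: (expected, actual)} for each setting that drifted.

    Package keys are compared as versions (newer than the baseline is not drift);
    every other key must match exactly; a key absent from the snapshot is
    reported with actual=None so a silent omission is never read as compliance.
    """
    drift = {}
    for key, expected in baseline.items():
        actual = snapshot.get(key)
        if key.startswith("packages."):
            if actual is None or parse_version(actual) < parse_version(expected):
                drift[key] = (expected, actual)
        elif actual != expected:
            drift[key] = (expected, actual)
    return drift


def fleet_drift(baseline, fleet):
    """Map each host to its drift; hosts that match the baseline are omitted."""
    report = {}
    for host, snapshot in fleet.items():
        drift = detect_drift(baseline, snapshot)
        if drift:
            report[host] = drift
    return report


def hosts_below_version(fleet, package_key, fixed_version):
    """Hosts whose package is missing or older than fixed_version: the patch list."""
    fixed = parse_version(fixed_version)
    return sorted(host for host, snap in fleet.items()
                  if package_key not in snap or parse_version(snap[package_key]) < fixed)


if __name__ == "__main__":
    for host, drift in fleet_drift(BASELINE, FLEET).items():
        for key, (expected, actual) in drift.items():
            print(f"{host}: {key} expected {expected!r}, found {actual!r}")
    print("needs openssl update:", hosts_below_version(FLEET, "packages.openssl", "1.0.1g"))
```

Run against the constructed fleet, web-01 is clean, web-02 only needs the library update, and legacy-07 shows the three kinds of drift at once (old package, root login enabled, and an unset TLS floor). The version floor is what makes the Heartbleed point concrete: with one baseline, producing the list of hosts to rebuild is a single function call rather than a survey of hand-crafted machines.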

Secure delivery pipeline (slide repeated), highlighting: Detect vulnerabilities

Secure delivery pipeline (slide repeated), highlighting: Make release decisions based on test data

Benefits of basing release decisions on test data

• Increased Confidence
• Reduced Risk
• Fewer Incidents
• Simplified Release Decisions

Secure delivery pipeline (slide repeated), highlighting: Automate and control deployments

Automating deployment reduces vulnerability

(Author note on the slide: Add slides on ARA – what it is, how it works)

Reference: http://h30499.www3.hp.com/t5/Grounded-in-the-Cloud/Transform-DevOps-with-Application-Release-Automation/ba-p/5952497#.VTZ73c5Gceo

Benefits of Automating Deployment

• Increase reliability
• Eliminate manual errors
• Increase speed
• Reduce cost

A typical quarterly release at one company consisted of a spreadsheet of over 1000 changes that needed to be made to deploy the software. A THOUSAND OPPORTUNITIES FOR SOMETHING TO GO WRONG.

Three Teams, One Goal

Development, Operations and Security must work together to win, serve and retain customers.

Deliver consistency:

• Secure customer experiences
• Trustworthy configurations
• Minimize human error
• Few surprises

Q&A


Thank you

Kurt Bittner, Principal Analyst, kbittner@forrester.com, @ksbittner

Rick Holland, Principal Analyst, rholland@forrester.com, @rickhholland