November15,2016

MultiSecurity CheckpointsonDevOpsplatform

Hasan Yasar, Technical ManagerSecure Lifecycle Solutions, Software Engineering Institute, Carnegie Mellon University

November15,2016

Copyright2016CarnegieMellonUniversity

ThismaterialisbaseduponworkfundedandsupportedbytheDepartmentofDefenseunderContractNo.FA8721-05-C-0003withCarnegieMellonUniversityfortheoperationoftheSoftwareEngineeringInstitute,afederallyfundedresearchanddevelopmentcenter.

Anyopinions,findingsandconclusionsorrecommendationsexpressedinthismaterialarethoseoftheauthor(s)anddonotnecessarilyreflecttheviewsoftheUnitedStatesDepartmentofDefense.

NOWARRANTY.THISCARNEGIEMELLONUNIVERSITYANDSOFTWAREENGINEERINGINSTITUTEMATERIALISFURNISHEDONAN“AS-IS”BASIS.CARNEGIEMELLONUNIVERSITYMAKESNOWARRANTIESOFANYKIND,EITHEREXPRESSEDORIMPLIED,ASTOANYMATTERINCLUDING,BUTNOTLIMITEDTO,WARRANTYOFFITNESSFORPURPOSEORMERCHANTABILITY,EXCLUSIVITY,ORRESULTSOBTAINEDFROMUSEOFTHEMATERIAL.CARNEGIEMELLONUNIVERSITYDOESNOTMAKEANYWARRANTYOFANYKINDWITHRESPECTTOFREEDOMFROMPATENT,TRADEMARK,ORCOPYRIGHTINFRINGEMENT.

[DistributionStatementA]Thismaterialhasbeenapprovedforpublicreleaseandunlimiteddistribution.PleaseseeCopyrightnoticefornon-USGovernmentuseanddistribution.

Thismaterialmaybereproducedinitsentirety,withoutmodification,andfreelydistributedinwrittenorelectronicformwithoutrequestingformalpermission.Permissionisrequiredforanyotheruse.RequestsforpermissionshouldbedirectedtotheSoftwareEngineeringInstituteatpermission@sei.cmu.edu.

CarnegieMellon® and CERT® areregisteredmarksofCarnegieMellonUniversity.

DM-0004210

November15,2016

MultiSecurity Checkpoints

Fundamentals- Process

November15,2016

WhatWikipediasays…

• DevOps (a portmanteau of "development" and "operations”)emphasizes communication, collaboration, and integrationbetween software developers and information technology(IT) operations personnel. [1]

[1]http://en.wikipedia.org/wiki/DevOps

November15,2016

Jez Humble,https://youtu.be/L1w2_AY82WYDaveWest,http://sdtimes.com/analyst-watch-water-scrum-fall-is-the-reality-of-agile/

Business

Research

Budget

Document

WaterDevelopment

Scrum

Integrate

Test

Release

QAOperations

Fall- -

November15,2016

DevOps isanExtensionofAgileThinking

• Embrace constantchange

• EmbedCustomer inteamtointernalizeexpertiseonrequirementsanddomain

Agile

Embraceconstanttesting,delivery

EmbedOperations inteamtointernalizeexpertiseondeploymentandmaintenance

DevOps

November15,2016

SharedGoals CollaborationBusinessNeeds

DevOps

November15,2016

Multiple DimensionsofDevOpsCulture• Developer and Ops collaborate

(Ops includes security)• Developers and Operations

support releases beyond deployment

• Dev and Ops have access to stakeholders who understand business and mission goals

Culture

ProcessandPractices

SystemandArchitecture

Automationand

MeasurementAutomation/Measurement• Automaterepetitiveanderror-

pronetasks(e.g.,build,testing,anddeploymentmaintainconsistentenvironments)

• Staticanalysisautomation(architecturehealth)

• Performancedashboards

Process and Practices• Pipeline streamlining• Continuous-delivery practices

(e.g., continuous integration; test automation; script-driven, automated deployment; virtualized, self-service environments)

System and Architecture• Architected to support test

automation and continuous-integration goals

• Applications that support changes without release (e.g., late binding)

• Scalable, secure, reliable, etc.

November15,2016

MultiSecurity Checkpoints

DevOpsPlatform- Platform

November15,2016

ContinuousIntegration(CI)Model

November15,2016

Integrationandcommunication,evenamongtools,isthekey!

November15,2016

November15,2016

Humanactions/inputstothesoftwaredevelopmentprocess

November15,2016

Actionsperformedbyautonomoussystems

November15,2016

MultiSecurity Checkpoints

TeamIntegration- People

November15,2016

DevOpsandSecurity

November15,2016

DevOpsandSecurity

November15,2016

Rugged{Secure}Dev{Sec}Ops

• DevOpsisaRiskMitigationstrategy,builtonSituationalAwareness,Automation,and Repetition• ButsecurityiswherealotofDevOpsimplementationsfalldown

• Goal:– Protectingprivateuserdata– Restrictingaccesstodata/systems– Protectingcompanydata/IP– Standardscompliance– Safeguardingdisposition/transition

November15,2016

TeamComposition

Developers

• Features• Quality

Attributes• Efficiency• Performance• Users• Authentication• Authorization

ITOps

• Deployment• Maintenance• Updates• Changepolicy• Failure• Dataloss• Risk

prevention

QA

• Testable• Issue

tracking• Bug

Reports• Usability• HelpDesk

SecurityTeam

• DataPrivacy• Intrusion

detection• Threatvectors• CVEs• Package

security• Authentication• Authorization• Security

StandardsCompliance

November15,2016

DevOps:MultipleTeamIntegrations

November15,2016

DevOps:MultipleTeamIntegrations+WithSecurityTeam

November15,2016

DevOps:MultipleTeamIntegrations+WithSecurityTeam

November15,2016

MultiSecurity Checkpoints

PlatformSecurityinDevOps

November15,2016

Evolutionofsoftwaredevelopment

• Customdevelopment– context:• Softwarewaslimited

§ Size§ Function§ Audience

• Eachorganizationemployeddevelopers• Eachorganizationcreatedtheirown

software

• Shareddevelopment– ISVs(COTS)–context:

• Functionlargelyunderstood§ Automatingexistingprocesses

• Grownbeyondabilityforusingorganizationtodevelopeconomically

• Outsideofcorecompetitivenessbyacquirers

Supplychain:practicallynone Supplychain:softwaresupplier

Olddays… Inthesedays…

November15,2016

Developmentisnowassembly

GeneralLedger

SQLServer WebSphere

HTTPserver

XMLParser

OracleDB SIPservletcontainer

GIFlibrary

Like“PlugNPlay”

Note:hypotheticalapplicationcomposition

Collectivedevelopment– context:• Toolargeforsingle

organization• Toomuchspecialization• Toolittlevalueinindividual

components

Supplychain:long

November15,2016

Softwaresupplychainforassembledsoftware

• Complexityofacquisition,developmentanddeployment

• Visibility&awareness

Source:“ScopeofSupplierExpansionandForeignInvolvement”graphicinDACSwww.softwaretechnews.com SecureSoftwareEngineering,July2005article“SoftwareDevelopmentSecurity:ARiskManagementPerspective”synopsisofMay 2004GAO-04-678report“DefenseAcquisition:KnowledgeofSoftwareSuppliersNeededtoManageRisks”

November15,2016

Reducingsoftwaresupplychainriskfactors

Softwaresupplychainriskforaproductneedstobereducedtoacceptablelevel

Supplierfollowspracticesthatreducesupplychainrisks

Deliveredorupdatedproductisacceptablysecure

Product

Distribution

Operational Product Control

Productisusedinasecuremanner

Methodsoftransmittingtheproducttothepurchaserguardagaintampering

ProductSecurity

Supplier Capability

November15,2016

SupplyChainHygiene:Recommendations• Suppliersecuritycommitmentevidence

• Supplieremployeesareeducatedastosecurityengineeringpractices• Supplierfollowssuitablesecuritydesignpractices

• Evaluateaproduct’sthreatresistance• Whatproductcharacteristicsminimizeopportunitiestoenterandchangethe

product’ssecuritycharacteristics?

• Createacentralizedprivaterepositoriesofvetted3rd partycomponentsforalldevelopers

• Establishgoodproductdistributionpractices• Recognizethatsupplychainrisksareaccumulated• Monitorfornewvulnerabilitiesandknowwheretheyareintheenterprisetofix

• Minimizevariationofcomponentstomakethingseasier(multipleversions,duplicatedutility)

November15,2016

• Development,operations, teamsengineerinfrastructureandapplication

• Operationsmaintainscontinuousdeliveryprocess• Developerswriteandpushcode

• Continuousintegrationserverinternallydeployscode• Docker run/VMprovision• Build• Test

• QAteamevaluatestheapplicationforcorrectness• Continuousdeliveryprocessdeployscodetoproductionservers• Operationsmaintainsproductionservers

PlatformSecurityOverview

November15,2016

PlatformSecurityOverviewwithSecurityHighlights

• Development,operations,andsecurityteamsengineerinfrastructureandapplication

• Operationsmaintainscontinuousdeliveryprocess• Developerswriteandpushcode• Codepushtriggerssecurityanalysisviasecuritycontroller• Continuousintegrationserverinternallydeployscode

• Docker run/VMprovision• Build• Test• Automatedsecurityscan

• QAteamevaluatestheapplicationforcorrectness• Continuousdeliveryprocessdeployscodetoproductionservers• Operationsmaintainsproductionservers

November15,2016

MultiSecurity CheckpointsAppSec andDevOps- IntegratingSecuritypracticesintoDevOps

November15,2016

DevLifecycle

November15,2016

Dev+BusinesLifecycle

November15,2016

DevOpsLifecycle

November15,2016

Whereareopportunitiesforsecurityprocesses?

November15,2016

DevOpsLifecycle

ThreatModeling,Securityasaqualityattribute

November15,2016

DevOpsLifecycle

Secure/hardenedenvironments

November15,2016

DevOpsLifecycle

Security-focusedcodereview

November15,2016

DevOpsLifecycle

AutomatedSecurityTesting(Staticanalysis,etc)

November15,2016

DevOpsLifecycle

MoreSecurityTesting(PenTesting,FuzzTesting)

November15,2016

DevOpsLifecycle

Securityreview/acceptancetesting

November15,2016

SecureDevOpsLifecycle

November15,2016

Securitymustbeaddressedwithoutbreakingtherapiddelivery,continuous

feedbackmodel

November15,2016

SecureDevOpsLifecycle

Devs

November15,2016

SecureDevOpsLifecycle

Devs

ConstantFeedbacktoDev

November15,2016

Automation(CI/CD)andSecurity§ Noteverythingcanbe,needstobe,orshouldbe,automated§ Drawperimetersaroundthingsyoutrustandletthatguidewhere

humaninteractionandverificationisneeded

§ Keeptrackofsecurityassessments

§ Regimentedcodemanagement§ Knowwhatsourcecodecontributedtoabuildthat’sin

productionsopatchesarefastandconfident

§ Performmanualreviewsasleastaspossible(NOTtoblockCD)§ staticanalysis§ (peer)Codereview§ Penntesting(oranysecuritytestingtools)

November15,2016

Post-ProductionMonitoringwithSecurityMindset

• MonitorauditlogsproducedbyCI/CDforanomalies

• Monitorproductionapplicationstoassurenothingchangesoutsideofthenormalchangeprocess

• Monitorfornewvulnerabilities/threats(acatalogofrunningcomponentshelps!)

November15,2016

MultiSecurity CheckpointsPracticalSecurityintegrationScenariosCI/CD

November15,2016

SecureDevOpsLifecycle

• Pausingformanualstepsistypical

• Optimizethemanualwork!

• Persisttheoutputofanytools/work

November15,2016

Scenario -1

November15,2016

Scenario -1

November15,2016

Scenario -2

November15,2016

Scenario -2

November15,2016

Scenario -3

November15,2016

MultiSecurity Checkpoints

Demo

AllvideosareinSEIYouTubechannelhttps://www.youtube.com/user/TheSEICMU/featuredOrinSecureDevOpssectionhttps://www.youtube.com/playlist?list=PLSNlEg26NNpx3fYrfZokWuye9RVMCnCsc

November15,2016

Section (optional)Picture

(optional)

MoreonSEIDevOpsBloghttps://insights.sei.cmu.edu/devops

November15,2016

ContactInformation

HasanYasarTechnicalManager,SecureLifecycleSolutionshyasar@sei.cmu.edu@securelifecycle

WebResources(CERT/SEI)

http://www.cert.org/

http://www.sei.cmu.edu/

November15,2016

November15,2016