securing the pipeline
TRANSCRIPT
Tom Duckering & Pat Downey
SECURING THE PIPELINE
Ideas, practices and food for thought to improve the security surrounding regular delivery of software to production.
WHAT HAPPENS IN HERE?
5
User accounts
Secure coding
Algorithm choice
Penetration testing
What about the pipeline!?
PIPELINE
8
[Diagram of the pipeline: Devs, Workstation, Code Repo, CI Server, Build Agent, Deploy Agent, Pkg Repo, Local Cache, 3rd party code, and the QA, Staging and Prod. environments]
PIPELINE
9
[Same pipeline diagram as slide 8]
WHO COMMITTED?
12
commit 4698b247268f053299230843dd1ae68e4d15a7e3
Author: You can put anything here <[email protected]>
Date:   Mon Jul 6 16:23:06 2015 +0100

    #837: Send logs via syslog

    Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est.
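The slide's point is that the Author field is free text, so a pipeline cannot trust it on its own. The following is an added example, not code from the talk: a policy check over lines produced by `git log --format='%H%x09%G?%x09%GK%x09%ae'` that accepts a commit only when it carries a good signature from an allow-listed key whose registered owner matches the author field. The key allow-list and the sample log lines are constructed for the example.

```python
"""Added example (not from the talk): enforce a commit-signature policy.
The Author/Committer fields in git are free text, so the only thing that
binds a commit to a person is a signature from a key you already trust.
This consumes lines from
    git log --format='%H%x09%G?%x09%GK%x09%ae' <base>..<head>
where %G? is git's signature status (G good, N none, B bad, E unverifiable,
U/X/Y/R good but untrusted/expired/revoked) and %GK is the signing key id.
"""
from dataclasses import dataclass

# Hypothetical allow-list, constructed for this example: key id -> owner.
# Load it from something the pipeline controls, not from the repo under test.
TRUSTED_KEYS = {
    "ABCDEF0123456789": "alice@example.com",
    "0123456789ABCDEF": "bob@example.com",
}

@dataclass
class Verdict:
    commit: str
    ok: bool
    reason: str

def check_commit(line: str, trusted: dict = TRUSTED_KEYS) -> Verdict:
    """Apply the policy to one tab-separated git log line."""
    commit, status, key, author = line.rstrip("\n").split("\t")
    if status != "G":
        return Verdict(commit, False, f"signature status {status!r}, want 'G'")
    if key not in trusted:
        return Verdict(commit, False, f"key {key} not on allow-list")
    if trusted[key] != author:
        # Valid signature, but the free-text author field names someone else.
        return Verdict(commit, False, f"author {author} != key owner {trusted[key]}")
    return Verdict(commit, True, f"signed by {trusted[key]}")

def check_range(log_output: str, trusted: dict = TRUSTED_KEYS) -> list:
    """One verdict per non-empty line of log output."""
    return [check_commit(l, trusted) for l in log_output.splitlines() if l.strip()]

# Constructed sample of what the git log command above could emit.
SAMPLE_LOG = (
    "4698b247268f053299230843dd1ae68e4d15a7e3\tN\t\tanything@example.com\n"
    "1111111111111111111111111111111111111111\tG\tABCDEF0123456789\talice@example.com\n"
    "2222222222222222222222222222222222222222\tG\tFFFFFFFFFFFFFFFF\tbob@example.com\n"
    "3333333333333333333333333333333333333333\tG\t0123456789ABCDEF\talice@example.com\n"
)

if __name__ == "__main__":
    for v in check_range(SAMPLE_LOG):
        print("ACCEPT" if v.ok else "REJECT", v.commit[:12], v.reason)
```

Run as a pre-receive hook or CI gate over `base..head`; any rejected verdict should fail the build, since an unsigned commit is exactly the case the slide shows.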
PIPELINE
16
[Same pipeline diagram as slide 8]
WHERE TO START?
18
Use modelling and threat analysis to prioritise the susceptible
Discover what you depend on
Assess the origin of that code for maturity of security practices
PIPELINE
19
[Same pipeline diagram as slide 8]
CI SERVER & ITS AGENTS
20
It’s a remote execution problem
Separate agents to avoid compromises
Isolate builds using chroots and containers
PIPELINE
21
[Same pipeline diagram as slide 8]
PACKAGING
22
Use package system facilities to verify and sign code
But lots of them need “root” :(
Containers and unikernels offer a possible approach
But they’re immature in other ways :(
PIPELINE
23
[Same pipeline diagram as slide 8]
DEPLOYMENT EXECUTION
24
[Diagram: Deploy Agent pushing to Web Server, Service A, Service B, Service C and Data Store]
Push deployments with:
- automated key based ssh!
- and rights to install as root!
- to all machines!
Limit the commands (e.g. via sudo and ssh)
Consider a notification and pull based approach
KEY, CERT & SECRET MANAGEMENT
26
Secrets required for credentials
Try to use PKI where you can
If it has to be a password then encrypt it per environment.
Try not to move private keys
Plan for rotation
There’s a chaining problem. It’s hard.
CONTROL VS. AUDIT
28
Control                                                    | Audit
Stop bad thing from being possible                         | Know when a bad thing happened
Impact of the threat is greater than impact on productivity | Productivity impacted too much to stop it completely
Need to know immediately                                   | Acceptable to know afterwards
THE “NSA” WAY
29
Log all the things
Alert on bad things
Look for patterns
Tell everyone that you’re doing it (unlike the NSA)
SEGREGATION OF DUTIES
31
Not always explicitly mandated so RTFM
Good principle: “no single person…”
Bring it forward in the pipeline with pairing, PRs and code reviews