Transform your Security Team with DevOps
Paul Czarkowski @pczarkowski
© Copyright 2018 Pivotal Software, Inc. All rights Reserved. Version 1.0

Post on 21-Jul-2020

Page 1

Paul Czarkowski @pczarkowski

Transform your Security Team with DevOps

© Copyright 2018 Pivotal Software, Inc. All rights Reserved. Version 1.0

Page 2

Paul Czarkowski @pczarkowski

Transform your DevOps Practice with Security

Page 3

Page 4


Agenda

■ Who I Am

■ Compliance

■ DevOps

■ DevOps + Compliance

■ Q+A

Page 5

Compliance?

Page 6

What is Compliance?

Self Imposed

● CIS Controls / Benchmarks

● Security Technical Implementation Guide (STIG)

● Allowed opensource licenses

Regulatory

● PCI (US)

● HIPAA (US)

● Sarbanes-Oxley (US)

● EU GDPR

● NZ Information Security Manual (NZISM)

Page 7

Verification

Validation of compliance based on Controls in place.

● Checklists
● External Auditors

Checklists

Practice, Policy or Procedure established to meet compliance requirements.

● Spreadsheets
● Checklists
● Sharepoint Pages

Specifications

Documentation of requirements that need to be met in order to be compliant.

● PDFs
● Verbose

Compliance → Controls → Audit

Page 8

Example of Compliance Specifications

Page 9

Example of Compliance Specifications

Page 10

Page 11

Compliance Officer · Operations · Security Officer · Auditor

Page 12

DevOps

Pages 13-18

Page 19

http://blog.d2-si.fr/2016/02/22/devopsconnection/

Page 20

Page 21

Rugged DevOps

DevSecOps

Secure DevOps

Page 22

https://www.devsecopsdays.com/articles/its-just-a-name

Pages 23-24

Page 25

DevOps + Compliance

Page 26

[Platform diagram; only the labels recoverable from the slide are listed below]

Pivotal Application Service (PAS)
Pivotal Container Service (PKS)
Application Code & Frameworks: Buildpacks | Spring Boot | Spring Cloud | Steeltoe
Product Updates: Java | .NET | NodeJS
Elastic | Packaged Software | Spark
Embedded OS (Windows & Linux)
NSX-T
CPI (15 methods)
v1, v2, v3...
CVEs
>cf push / >kubectl run
YOU build the container / WE build the container
IaaS: vSphere, Azure & Azure Stack, Google Cloud, AWS, Openstack
Pivotal Network, Github, Concourse (continuous delivery)
Pivotal Services Marketplace: Pivotal and Partner Products, Public Cloud Services, Customer Managed Services
Open Service Broker API
“3Rs”: Repair — CVEs, Repave, Rotate — Credhub

Page 27

PIVOTAL CLOUD FOUNDRY OPS

Powered by BOSH

BOSH is an open source tool for release engineering, deployment, lifecycle management, and monitoring of distributed systems.

BOSH Packaging w/ embedded OS

Server provisioning on any IaaS

Software deployment across availability zones

Health monitoring (server AND processes)

Self-healing w/ Resurrector

Storage management

Rolling upgrades via canaries

Easy scaling of clusters

Page 28

Page 29

Pages 30-36

Page 37

Culture

Page 38

Page 39

Adopting a DevOps culture

Despite varying approaches to describing high-performance teams there is a set of common characteristics that are recognised to lead to success.

● Participative leadership – using a democratic leadership style that involves and engages team members
● Effective decision-making – using a blend of rational and intuitive decision making methods, depending on the nature of the decision task
● Open and clear communication – ensuring that the team mutually constructs shared meaning, using effective communication methods and channels
● Valued diversity – valuing a diversity of experience and background in the team, contributing to a diversity of viewpoints, leading to better decision making and solutions
● Mutual trust – trusting in other team members and trusting in the team as an entity
● Clear goals – goals that are developed using SMART criteria; also each goal must have personal meaning and resonance for each team member, building commitment and engagement
● Defined roles and responsibilities – each team member understands what they must do (and what they must not do) to demonstrate their commitment to the team and to support team success
● Positive atmosphere – an overall team culture that is open, transparent, positive, future-focused and able to deliver success

https://en.wikipedia.org/wiki/High-performance_teams

Page 40

Lean

Page 41

https://imgur.com/gallery/kMJWs

Page 42

https://www.slideshare.net/KarenMartinGroup/value-stream-mapping-in-office-service-setttings

Page 43

Mappable Processes that include Security / Compliance

Application Release

● Vulnerability Scanning

● Security Scanning (SQL injection, etc.)

● License Scanning

● Attribution

Compliance Audits

● Vulnerability Scanning

● Security Scanning (SQL injection, etc.)

● Package updates

● OS inspection

Infrastructure Provisioning

● OS Hardening

● Firewalling

● User Management

● Remote logging and auditing

● Intrusion Detection

● Vulnerability Scanning

Page 44

Value Stream map for Provisioning a New Server: Current State

Steps: Prepare Request → Network / VLANs → Launch VM / Install OS → Test Compliance → Deliver

Durations shown on the map: 1-5 days (×4), 1-2 days (×4)

Page 45

Value Stream map for Provisioning a New Server: Future State

Steps: Deploy VM → Configure VM → Test Compliance → Deliver

Durations shown on the map: 1-5 days (×3), 1-2 hours (×3)

Page 46

Value Stream map for Provisioning a New Server: Future State

Page 47

Page 48

Automation

Page 49

Page 50

● Implements STIG controls via Ansible playbooks
● Opensource project started at Rackspace
● Plays well with existing config management
● Easily override problematic controls

● Extends RSPEC for Compliance testing
● Similar to Serverspec, but better.
● Easy to go from serverspec to inspec
● Inspec-STIG is all of STIG already written into inspec tests.
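As an added example, not code from the slides, from InSpec, or from the Rackspace hardening project named above: a plain-Ruby sketch of what a Serverspec/InSpec-style STIG check does. It parses a constructed `sshd_config`, evaluates four STIG-flavoured controls (the `EX-SSH-00x` ids are placeholders, not real STIG rule ids), lets a control be skipped with a recorded justification (the "easily override problematic controls" point), and turns the results into a CI gate verdict. Function names, control ids and the sample config are all assumptions made for the example.

```ruby
# Added example: a minimal InSpec/Serverspec-style compliance checker in
# plain Ruby. Not InSpec code; control ids and the config are constructed.

# Constructed sample sshd_config; values are illustrative only.
SAMPLE_SSHD_CONFIG = <<~CONF
  # constructed sshd_config for the example
  Port 22
  Protocol 2
  PermitRootLogin yes
  PasswordAuthentication no
  Ciphers aes256-ctr,aes192-ctr,aes128-ctr
  ClientAliveInterval 600
CONF

# Parse "Key value" lines, ignoring comments and blank lines. sshd_config
# keys are case-insensitive, so they are normalised to lowercase.
def parse_sshd_config(text)
  text.each_line.with_object({}) do |line, conf|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split(/\s+/, 2)
    conf[key.downcase] = value.to_s.strip
  end
end

# A control: placeholder id, title, impact (0.0..1.0, InSpec style) and a
# predicate over the parsed config.
Control = Struct.new(:id, :title, :impact, :check)

CONTROLS = [
  Control.new("EX-SSH-001", "Root login over SSH must be disabled", 1.0,
              ->(c) { c["permitrootlogin"] == "no" }),
  Control.new("EX-SSH-002", "Password authentication must be disabled", 0.7,
              ->(c) { c["passwordauthentication"] == "no" }),
  Control.new("EX-SSH-003", "Only SSH protocol 2 may be used", 1.0,
              ->(c) { c.fetch("protocol", "2") == "2" }),
  Control.new("EX-SSH-004", "Idle sessions must time out within 10 minutes", 0.3,
              ->(c) { c.key?("clientaliveinterval") &&
                      c["clientaliveinterval"].to_i.between?(1, 600) }),
].freeze

# Run every control. `skips` maps a control id to a justification string;
# a skipped control is recorded, not silently dropped, so the audit trail
# shows who overrode what.
# Returns { id => { status: :passed | :failed | :skipped, impact:, reason: } }.
def run_controls(config_text, controls: CONTROLS, skips: {})
  conf = parse_sshd_config(config_text)
  controls.each_with_object({}) do |ctl, results|
    results[ctl.id] =
      if skips.key?(ctl.id)
        { status: :skipped, impact: ctl.impact, reason: skips[ctl.id] }
      else
        { status: ctl.check.call(conf) ? :passed : :failed, impact: ctl.impact }
      end
  end
end

# CI gate: block the pipeline if any non-skipped control at or above the
# impact threshold failed. Low-impact failures are reported but not blocking.
def gate(results, threshold: 0.7)
  failing = results.select { |_, r| r[:status] == :failed && r[:impact] >= threshold }
  { pass: failing.empty?, blocking: failing.keys }
end

if __FILE__ == $PROGRAM_NAME
  waivers = { "EX-SSH-002" => "bastion host, approved waiver (placeholder)" }
  results = run_controls(SAMPLE_SSHD_CONFIG, skips: waivers)
  results.each { |id, r| puts format("%-11s %-8s %s", id, r[:status], r[:reason] || "") }
  puts gate(results).inspect
end
```

Run stand-alone it prints one line per control and then the gate verdict; with the sample config the root-login control fails and blocks, password authentication is skipped with its justification, and the other two pass. The design point is that an override is data (id plus reason) that travels with the results, which is what makes "easily override problematic controls" auditable rather than a quiet edit of the test.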

Page 51

Source: @petecheslock

Page 52

Example of Compliance Specifications

Pages 53-60

Page 61

Measurement

Pages 62-63

Page 64

Sharing

Page 65

Page 66

What’s Next?

Page 67

Other Security / Compliance tools

● Gauntlt (Security Testing Framework)

● Metasploit (Penetration Testing)

● Syntribos (API security testing)

● Pivotal LicenseFinder (Scanning licenses of dependencies)

● Snort (Intrusion Detection)

● Fossology (license compliance)

● OpenVAS (vulnerability scanning)

● OSSEC (Intrusion Detection)
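The "Allowed opensource licenses" item on the compliance slide and the License Scanning / Attribution steps of the Application Release process are what tools such as LicenseFinder and Fossology automate. As an added example, not code from the slides or from either tool: a small Ruby licence gate over a constructed dependency inventory. It resolves simple SPDX-style `OR` / `AND` expressions against an allow-list (AND binds tighter than OR, as in SPDX), treats a missing licence as disallowed, and emits both the blocking list and the attribution list a release would ship. The allow-list, package names and function names are assumptions.

```ruby
# Added example: a dependency licence gate. Not LicenseFinder or Fossology
# code; policy and inventory below are constructed for the example.
require "set"

# Self-imposed policy: licences the organisation accepts (constructed).
ALLOWED_LICENSES = Set["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"].freeze

# Constructed dependency inventory, shaped like a scanner's output.
SAMPLE_DEPENDENCIES = [
  { name: "left-pad",    version: "1.3.0", license: "MIT" },
  { name: "some-lib",    version: "2.0.1", license: "Apache-2.0 OR GPL-3.0-only" },
  { name: "copyleft-db", version: "0.9.0", license: "GPL-3.0-only" },
  { name: "dual-strict", version: "4.2.0", license: "MIT AND LGPL-2.1-only" },
  { name: "unknown-pkg", version: "0.0.1", license: "" },
].freeze

# Evaluate an SPDX-style expression against the allow-list.
# OR is split first so that AND binds tighter, matching SPDX precedence:
# "A OR B AND C" means A OR (B AND C). Parentheses are not handled, which
# keeps the example small and is enough for the sample data.
def license_allowed?(expr, allowed = ALLOWED_LICENSES)
  expr = expr.to_s.strip
  return false if expr.empty?   # an unknown / undeclared licence never passes
  if expr.include?(" OR ")
    expr.split(" OR ").any? { |part| license_allowed?(part, allowed) }
  elsif expr.include?(" AND ")
    expr.split(" AND ").all? { |part| license_allowed?(part, allowed) }
  else
    allowed.include?(expr)
  end
end

# Gate a release: returns the dependencies that block it and the attribution
# entries ("name version (licence)") for the ones that are allowed.
def license_gate(deps, allowed = ALLOWED_LICENSES)
  blocked, ok = deps.partition { |d| !license_allowed?(d[:license], allowed) }
  {
    blocked: blocked.map { |d| d[:name] },
    attribution: ok.map { |d| "#{d[:name]} #{d[:version]} (#{d[:license]})" },
  }
end

if __FILE__ == $PROGRAM_NAME
  report = license_gate(SAMPLE_DEPENDENCIES)
  puts "blocked: #{report[:blocked].join(', ')}"
  puts "attribution:"
  report[:attribution].each { |line| puts "  #{line}" }
end
```

Two behaviours matter for a compliance gate and are easy to get wrong: an empty or undeclared licence must fail closed rather than pass by default, and a dual-licensed package (`OR`) is acceptable if any option is, whereas a compound licence (`AND`) needs every part to be acceptable.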

Page 68

Questions?

Page 69

Transforming How The World Builds Software

© Copyright 2018 Pivotal Software, Inc. All rights Reserved.