How DevOps can keep application security from being an afterthought
"A lot of Dev and Ops people look at their security teams with disdain. 'Those guys are just blockers... All they do is throw obstacles in my way and say no. They'll never be DevOps or even Agile.' In return, many security people see the emergence of DevOps as creating a wilder, less managed environment in which they would face more risk and greater security challenges."
--- James Turnbull, Puppet Labs
"I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended."
--- Rugged Manifesto (Josh Corman, David Rice, Jeff Williams)
My observation: the prevailing view is of security as separate from development and operations, DevOps or no DevOps.
History of DevOps
DevOps comes from a need for innovation on the systems side of technology work.
ESM (Enterprise Systems Management), mid-2000s
ITIL as a governance framework largely superseded by the lighter-weight ITIL Lite and Visible Ops approaches
Shift from large-vendor-focused tooling to open source and smaller-vendor offerings
What is DevOps?
A more collaborative relationship between development teams and operations teams
System administrators participating in an agile development process alongside developers
Fusion of: toolchains (monitoring and provisioning tools, CI, automated testing, etc.), agile processes, and development/operations team cooperation
Secure SDLC

Standard Phase   | Security Task                                               | Notes
Kickoff          |                                                             |
Requirements     |                                                             |
Design           | Defensive threat modeling                                   |
Development      |                                                             |
Testing          | Adversarial threat modeling (pen-tests)                     | Functional, integration, system, UAT
Implementation   | Security configuration; security maintenance checklist      | Smoke tests
Decommissioning  | Back-out security configuration                             |
Automating Security
What to automate
SAST (Static Application Security Testing)
Examine source code, byte code or application binaries for conditions indicative of a security vulnerability, without running the program
Involves tools that help with either a) manual code review or b) automated static analysis
Caveat: SAST reports patterns, not proven exploitability; expect false positives, tune the rule set, and run it as a build step so findings block a merge rather than surfacing after release
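The following is an added example, not code from the original slides or from any of the vendors they list: a minimal SAST check in the spirit of the definition above. It parses Python source into an AST, flags call sites that match a small rule table (the rule IDs, messages and the sample module are constructed for this illustration), and returns a non-zero status so the check can gate a CI job.

```python
import ast

# Constructed sample module, not from the page: a few patterns a SAST tool
# would flag alongside one safe call that must not be reported.
SAMPLE_SOURCE = '''
import os, subprocess, pickle

def run(cmd):
    return subprocess.call(cmd, shell=True)   # shell injection if cmd is tainted

def load(blob):
    return pickle.loads(blob)                  # deserialisation of untrusted data

def calc(expr):
    return eval(expr)                          # arbitrary code execution

def safe(cmd):
    return subprocess.call(["ls", "-l", cmd])  # list form, no shell involved
'''

# Hypothetical rule table: dotted callee name -> (rule id, message).
DANGEROUS_CALLS = {
    "eval": ("PY-EVAL", "eval() executes arbitrary code"),
    "exec": ("PY-EXEC", "exec() executes arbitrary code"),
    "pickle.loads": ("PY-PICKLE", "pickle.loads() on untrusted data is code execution"),
    "os.system": ("PY-OS-SYSTEM", "os.system() hands the string to a shell"),
}
SUBPROCESS_CALLS = {"subprocess.call", "subprocess.run",
                    "subprocess.Popen", "subprocess.check_output"}


def callee_name(node):
    """Return a dotted name for a Call target, e.g. 'subprocess.call' or 'eval'."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None  # dynamic target (e.g. a call on a call result); not classified


def has_shell_true(node):
    """True when the call carries a literal shell=True keyword argument."""
    return any(kw.arg == "shell"
               and isinstance(kw.value, ast.Constant)
               and kw.value.value is True
               for kw in node.keywords)


class Finder(ast.NodeVisitor):
    def __init__(self):
        self.findings = []  # (line number, rule id, message)

    def visit_Call(self, node):
        name = callee_name(node)
        if name in DANGEROUS_CALLS:
            rule, msg = DANGEROUS_CALLS[name]
            self.findings.append((node.lineno, rule, msg))
        elif name in SUBPROCESS_CALLS and has_shell_true(node):
            self.findings.append((node.lineno, "PY-SUBPROCESS-SHELL",
                                  "subprocess call with shell=True"))
        self.generic_visit(node)  # keep walking: nested calls in arguments


def scan_source(source, filename="<string>"):
    """Static scan of one module; returns findings sorted by line."""
    finder = Finder()
    finder.visit(ast.parse(source, filename))
    return sorted(finder.findings)


def ci_gate(source):
    """Exit status for a build step: 0 when clean, 1 when anything was flagged."""
    return 1 if scan_source(source) else 0


if __name__ == "__main__":
    for lineno, rule, msg in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {msg}")
    raise SystemExit(ci_gate(SAMPLE_SOURCE))
```

The point of working on the AST rather than on text is precision: the list-form `subprocess.call` in `safe()` is not reported, which a grep for "subprocess" would get wrong, and each finding carries the line a reviewer needs. A real tool adds data-flow (is `cmd` tainted?) on top of this; the structure of the gate is the same.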
Separation of Duties
Deconflicting DevOps and traditional attitudes
Management support for a secure SDLC / secure DevOps / Rugged DevOps process
A single boss for security work across Dev and Ops, with management and business backing
IT separation of duties is fine as far as it goes, but don't let an overzealous admin misinterpret it as a reason to keep developers out of every environment
Conclusions
Identify and engage champions and process enthusiasts
Operations owns the static infrastructure baseline; development owns the application
A single manager overseeing security
Developers have the same environment as production
Development, test and production all apply the same security controls
Build security into automated testing and provisioning
Train your people, developers and operators alike, in security
Notes
DAST (Dynamic Application Security Testing) exercises the running program. Fault injection can include Trusted Computing Base (TCB) testing, including the loading of shared libraries or DLLs at run-time. Dynamic testing can also include concurrency checking and many other factors.
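An added example of the fault-injection side of DAST, not code from the original slides: a small harness that drives a running function with malformed and mutated inputs and records anything that escapes as an unhandled exception. The target parsers, the `ParseError` type, the seed inputs and the mutators are all constructed for this illustration; the run-time library-loading and concurrency checks the note mentions are platform specific and not covered here.

```python
import random


class ParseError(ValueError):
    """Documented rejection; the harness treats this as correct behaviour."""


def fragile_parse(header):
    """Constructed target: parses 'k=v;k2=v2' and assumes well-formed input."""
    out = {}
    for item in header.split(";"):
        key, value = item.split("=")   # ValueError on 'a', 'a=b=c' or ''
        out[key.strip()] = value.strip()
    return out


def hardened_parse(header, max_len=4096):
    """Same format, but every malformed case is either tolerated or rejected
    with the documented ParseError instead of an unplanned exception."""
    if len(header) > max_len:
        raise ParseError("header too long")
    out = {}
    for item in header.split(";"):
        if not item.strip():
            continue                              # tolerate 'a=1;;b=2'
        key, sep, value = item.partition("=")     # extra '=' stays in value
        if not sep or not key.strip():
            raise ParseError(f"malformed item: {item!r}")
        out[key.strip()] = value.strip()
    return out


# Constructed seed corpus: one valid input plus typical protocol edge cases.
SEEDS = ["a=1;b=2", "", "a", "a=b=c", ";", "=1", "a=1;", "x" * 5000]


def mutate(s, rng):
    """One random fault applied to a seed; always yields a str."""
    choice = rng.randrange(6)
    if choice == 0:
        return s.replace("=", "", 1)                       # drop a separator
    if choice == 1:
        return s.replace("=", "==", 1)                     # double a separator
    if choice == 2:
        return s[:rng.randrange(len(s) + 1)]               # truncate
    if choice == 3:
        return s * 50                                      # oversized input
    if choice == 4:
        pos = rng.randrange(len(s) + 1)                    # inject a random byte
        return s[:pos] + chr(rng.randrange(256)) + s[pos:]
    return s + "\x00"                                      # trailing NUL


def fault_inject(target, seeds, rounds=200, seed=1):
    """Run target over seeds and mutated seeds; return (input, exception name)
    for every exception that is not the documented ParseError."""
    rng = random.Random(seed)  # fixed seed so a failing input is reproducible
    inputs = list(seeds) + [mutate(rng.choice(seeds), rng) for _ in range(rounds)]
    crashes = []
    for inp in inputs:
        try:
            target(inp)
        except ParseError:
            pass                                           # expected rejection
        except Exception as exc:                           # anything else is a finding
            crashes.append((inp, type(exc).__name__))
    return crashes


if __name__ == "__main__":
    for name, fn in (("fragile", fragile_parse), ("hardened", hardened_parse)):
        crashes = fault_inject(fn, SEEDS)
        print(f"{name}: {len(crashes)} unplanned exceptions")
        for inp, exc in crashes[:3]:
            print(f"  {exc} on {inp[:40]!r}")
```

The harness encodes the contract the slide is really asking for: a component may refuse input, but only in the way it documents. Run against a real service, the same loop drives HTTP requests instead of a function call and treats any 5xx or connection drop as a finding; keeping the seed fixed means a crash found in CI can be replayed on a developer's machine, which is what makes the finding actionable rather than a one-off.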
Tools:
SAST: HP/Fortify, IBM, Veracode, Checkmarx, Grammatech, Armorize, Coverity, Klocwork and Parasoft (commercial); FindBugs, PMD and FxCop (free)
DAST: WebScarab
Resources
http://architects.dzone.com/articles/short-history-devops
https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/sdlc/326BSI.html
ITIL Lite, Malcolm Fry, http://www.best-management-practice.com/Publications-Library/IT-Service-Management-ITIL/ITIL-2007-Edition/ITIL-Lite-A-Road-Map-to-Implementing-Partial-or-Full-ITIL/
http://www.infoq.com/news/2010/06/rugged-software-