DEV-R02: Integrating Security with DevOps Toolchains
2020-03-01
- 1. #RSAC Session ID: DEV-R02. Integrating Security with DevOps Toolchains. Aaron Rinehart, Chief Enterprise Security Architect, UnitedHealth Group (@aaronrinehart). Dr. Chenxi Wang, Founder and General Partner, Rain Capital (@chenxiwang)
- 2. Speakers Introduction: Aaron Rinehart, Chief Enterprise Security Architect, UnitedHealth Group (@aaronrinehart). Chenxi Wang, Ph.D., General Partner, Rain Capital; OWASP Board of Directors (@chenxiwang)
- 3. Session Outline: We Will Cover
  - DevOps movement & security
  - 3 different practitioner transformation stories: good, bad, and ugly
  - Recommendations
  - New techniques & trends
  - Shift back toward product delivery
  - Applying what you learned
- 4. An Ongoing Journey in IT Transformation
  - Infrastructure: Physical → Virtual → Cloud → Containers (today)
  - Applications: Monolithic → Multi-tiered → SOA → Microservices
  - Software delivery model: Major releases → Managed updates → Agile → Continuous delivery
- 5. How DevOps Takes Hold in a Company
  - Stage 1, individual champions: a few change agents download Docker and experiment with it; small, isolated deployments
  - Stage 2, grassroots campaigns: multiple teams get involved; meetups and informal training sessions happen; microservices as a design principle, cloud-native as an infrastructure guideline
  - Stage 3, leadership buy-in: dev leadership gets involved, sometimes all the way to the CIO level, and sets the company's going-forward strategy
  - Stage 4, budget allocation & build-out: budget is allocated, leading to new architecture design and technology build-out
- 6. Journeys of Three Different Companies: different industries, different approaches
- 7. Cloud-based Financial Service Startup
  - Environment: on AWS, with many APIs; using microservices and containers extensively; DevOps is king
  - Requirements: developer freedom and ease of use; security vulnerability management; clear traceability from container to code
- 8. Central Jenkins Workflow
  - Each team's own CI (e.g. TEAM1 CI) triggers the central Jenkins
  - Central Jenkins stages: clone from Git → scan code & packages/libraries → scan image → push to the BRONZE registry → integration testing with the bronze image → promote to the GOLD registry
  - Gates: a failed scan stops the build before the image reaches the bronze registry; a failed integration test stops promotion to gold
- 9. Security Meets Business Demand
  - Developer freedom and ease of use: dev owns and manages their own CI; the central CI is triggered automatically; supports multiple tech stacks
  - Robust security vulnerability management: the central CI is on the critical path to deployment and can fail the build if a scan fails
  - Clear traceability from container to code: the central CI applies consistent container tagging
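The two slides above describe a gate, not a tool: scans run on the critical path, a failing scan fails the build before anything is pushed, and the tag the central CI assigns is what ties a running container back to a commit. The Python below is an added example written for this page, not the startup's pipeline code or any scanner's real output format: it models the bronze-to-gold stages and the tag/label scheme. Assumptions are labelled in the code: findings are a constructed list of dicts with "id", "severity" and "package" keys, the registry names "bronze"/"gold" and the "ci.build" label are hypothetical, and the fail threshold is per-team policy. The OCI annotation keys are the real pre-defined ones.

```python
"""Central CI gate for the bronze -> gold container workflow.

Added example: this is not code from the RSA session or from the startup it
describes. Assumptions: scanner findings are a list of dicts with "id",
"severity" and "package" keys (a constructed, simplified shape, not any real
scanner's output format); registry names "bronze"/"gold" and the "ci.build"
label are hypothetical; the fail threshold is policy, set per team.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Pre-defined OCI image annotation keys (the real keys), so any registry or
# scanner that reads OCI labels can trace the image back to its commit.
OCI_SOURCE = "org.opencontainers.image.source"
OCI_REVISION = "org.opencontainers.image.revision"


@dataclass
class Build:
    repo_url: str
    commit_sha: str
    build_number: int


@dataclass
class GateOutcome:
    stage: str                 # last stage the build reached
    passed: bool               # True only if the image was promoted to gold
    registry: Optional[str]    # "gold", "bronze" or None (never pushed)
    tag: str                   # same tag in every registry: image -> commit is unambiguous
    blocking: List[Dict] = field(default_factory=list)
    labels: Dict[str, str] = field(default_factory=dict)


def blocking_findings(findings: List[Dict], fail_at: str = "HIGH") -> List[Dict]:
    """Findings at or above the fail threshold. Unknown severities rank 0 (never block)."""
    threshold = SEVERITY_RANK[fail_at.upper()]
    return [f for f in findings
            if SEVERITY_RANK.get(str(f.get("severity", "")).upper(), 0) >= threshold]


def traceable_tag(build: Build) -> str:
    """<short-sha>-b<build>: unique per build and maps straight back to the commit."""
    sha = build.commit_sha.lower()
    if len(sha) < 7 or any(c not in "0123456789abcdef" for c in sha):
        raise ValueError("commit_sha must be a hex git SHA")
    return f"{sha[:7]}-b{build.build_number}"


def image_labels(build: Build) -> Dict[str, str]:
    """Labels baked into the image (docker build --label) for container-to-code traceability."""
    return {OCI_SOURCE: build.repo_url,
            OCI_REVISION: build.commit_sha,
            "ci.build": str(build.build_number)}   # hypothetical custom label


def central_ci_gate(build: Build,
                    code_findings: List[Dict],
                    image_findings: List[Dict],
                    integration_test: Callable[[str], bool],
                    fail_at: str = "HIGH") -> GateOutcome:
    """Run the stages in diagram order: scan code -> scan image -> test bronze -> promote."""
    tag = traceable_tag(build)
    labels = image_labels(build)

    hits = blocking_findings(code_findings, fail_at)
    if hits:                      # scan fails: nothing is built or pushed
        return GateOutcome("scan-code", False, None, tag, hits, labels)

    hits = blocking_findings(image_findings, fail_at)
    if hits:                      # image scan fails: image never reaches bronze
        return GateOutcome("scan-image", False, None, tag, hits, labels)

    bronze_ref = f"bronze/app:{tag}"      # scans clean: push to the bronze registry
    if not integration_test(bronze_ref):  # test fails: stays in bronze, no promotion
        return GateOutcome("integration-test", False, "bronze", tag, [], labels)

    # Promotion is a retag of the tested image, not a rebuild, so gold == tested bytes.
    return GateOutcome("promote", True, "gold", tag, [], labels)


# Constructed sample input (not real scan output).
SAMPLE_BUILD = Build("https://git.example.com/payments/api",
                     "9f2c1e4b7a6d5c3b2a1f0e9d8c7b6a5f4e3d2c1b", 128)
SAMPLE_CODE_FINDINGS = [{"id": "FINDING-1", "severity": "LOW", "package": "lodash"}]
SAMPLE_IMAGE_FINDINGS = [{"id": "FINDING-2", "severity": "HIGH", "package": "openssl"},
                         {"id": "FINDING-3", "severity": "MEDIUM", "package": "zlib"}]


if __name__ == "__main__":
    outcome = central_ci_gate(SAMPLE_BUILD, SAMPLE_CODE_FINDINGS, SAMPLE_IMAGE_FINDINGS,
                              integration_test=lambda ref: True)
    print(outcome.stage, outcome.registry, [f["id"] for f in outcome.blocking])
```

With the sample data the build stops at the image scan because of the HIGH finding and nothing is pushed; lowering the policy to CRITICAL lets it into bronze, and only a passing integration test promotes the same tag to gold. The point of the fixed tag and OCI labels is the third requirement on the slide: from any running container you can read the labels and land on the exact commit and build.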
- 10. Target: the Need to Move at the Speed of Business
- 11. Target: the Need to Move at the Speed of Business
  - Holiday season at Target: 70,000 new workers; 170 million store transactions
  - Prior to 2014: nearly everything is monolithic; many grassroots microservices/agile initiatives; pulling store location info into a new application takes 6 months
  - 2014: Target gets a new CIO; corporate-wide mandate for microservices; cloud-first development
- 12. Target: DevOps Journey
  - Late 2014: embrace CI; experiment with a small number of APIs; foster DevOps communities; identify & remove frictions
  - 2015: 10 deployments per week; 30 days app onboarding
  - 2015 & 2016: 30 APIs; 80 deployments per week; 500 M requests/month; 5 days app onboarding
  - Late 2016: >100 APIs; 42 TB of API traffic/month; 27 billion requests/month; 90 deployments per day
- 13. Target: Security’s Journey
  - Built a central security platform with a focus on API-based development: security functions & security APIs are built centrally, while product APIs stay decentralized
  - A big focus on a real-time security feedback loop: every day, security operations metrics are fed back to both security leads and engineering teams
  - Push secure-by-default: extend built-in security upstream as far as you can
  - Emphasized logging, telemetry and near-real-time visibility: processes 6 TB of logs a day
- 14. UnitedHealth Group
- 15. UnitedHealth Group: “The Road from Rugged to Chaos”
  - DevOps transformation @UHG
  - Building security tools into the pipeline with Gauntlt
  - Journey into security + chaos engineering
  - ChaoSlingr: open source contribution
- 17. “The Road from Rugged to Chaos”: Gauntlt, “Be Mean to Your Code”. Driving security testing into the pipeline: automated vulnerability scanning
  - An open source framework (by James Wickett, https://github.com/gauntlt/) that drives application vulnerability scanning tools from Gherkin-style attack files, so a failing security check fails the build like any other test, and enables self-service vulnerability resolution
  - Automates the use of multiple vulnerability scanning tools
  - Provides packages that let developers run self-service security checks against their own applications
  - Scans start immediately and take only minutes to complete
- 19. Security + Chaos = Security Experimentation
- 25. ChaoSlingr: First UHG Open Source Tool
- 26. Summary
- 27. DevOps is Not a Destination
  - All 3 companies are still transforming
  - DevSecOps is a journey
  - Focus on: continuous improvement; a real-time feedback loop; driving a metrics-driven culture
- 28. Some Useful Tips
  - Start small: one change at a time
  - Expect and embrace failure: fail small, fail fast
  - Remove friction: drive out complexity
  - Avoid analysis paralysis
  - DevOps is a living organism
- 29. Key Takeaways & Recommendations
  - DevOps is not a fad, it is the future
  - It’s a culture shift, not just about technology
  - Security needs to focus on:
    - Automation: identify where a human adds value and automate everything else
    - Real-time feedback loop: build real-time visibility and closed-loop control
    - Build security for Ops, not for security teams: provide insight, hooks and control for actionable operations
  - #JFDI
- 30. Apply What You Have Learned Today
  - Next week you should: