A presentation at AFCEA West in February 2017 in San Diego, CA, USA by Shawn Wells
DevOpsSec: Building CI/CD with Security Teams
Shawn Wells, Chief Security Strategist, Red Hat Public Sector
shawn@redhat.com || 443-534-0130
NDA REQUIRED | JIM TYRRELL
RELEASES PER YEAR (chart): 1/day, 1/hour
INTRO TO CI/CD (pipeline diagram: dev, source repository, CI/CD engine, container)
https://www.youtube.com/watch?v=65BnTLcDAJI
Meanwhile, in Government: FISMA from an earlier era
● Written in 2003-2004
● Pre GovCloud, C2S, MilCloud
● Pre DevOps, Infrastructure as Code
● Multi-year dev/ship cycles common
● Waterfall dominant
● IT was more manual a decade ago
Reference: https://www.telos.com/assets/Telos-AWS-white-paper.pdf
DevOps + Security
Layered Packaging: Separation of Concerns (diagram of image layers owned by Operations, Architects, and Application developers)
Registries: Where do you get your containers?
Public and Private Registries:
● What security meta-data is available for your images?
● Are the images updated regularly?
● Are there access controls in the registry? How strong are they?
Red Hat Container Registry:
● Policies to control who can deploy which containers
● Certification Catalog
● Trusted content with security updates
(Diagram: container stack of APP, RUNTIME, OS on top of HOST OS)
Container Contents Matter. You need to know …
● CONTAINER: Will what’s inside your container compromise your infrastructure?
● APPLICATION: Are there known vulnerabilities in the application layer?
● RUNTIME / OS: Are the runtime and operating system layers up to date?
OpenSCAP: community-created portfolio of tools and content to assess systems for known vulnerabilities.
https://github.com/NSAgov
Or direct: https://github.com/OpenSCAP
RHEL7 STIG content, rebased in RHEL 7.3:
● 6,180 commits from 95 people
● 441,055 lines of code
Shipping in RHEL 7:
● Intelligence Community: C2S and CS2
● DoD: RHEL7 Vendor STIG
● Civilian: USGCB/OSPP
● Justice: FBI Criminal Justice Info. Systems (FBI CJIS)
OpenSCAP interpreter contains:
● 6,811 commits from 74 people
● 157,775 lines of code
“Security Button” RHEL7 Installer:
● 6 people, 90 days
Atomic Scan: enables multiple container scanners (diagram: CONTAINER API, RED HAT SCANNING INTERFACE, Red Hat container scanning)
Example Pipeline
demos!
Thank You
Contact Info
LinkedIn: https://www.linkedin.com/in/shawndwells/
EMail: shawn@redhat.com
Cell: 443-534-0130 (US EST)
Blog: https://shawnwells.io
OpenSCAP Slides + Videos: https://github.com/OpenSCAP/scap-security-guide/wiki/Collateral-and-References
As presented at AFCEA West 2017