DevOpsSec: Building CI/CD with Security Teams

A presentation at AFCEA West in February 2017 in San Diego, CA, USA by Shawn Wells

Slide 1

DevOpsSec: Building CI/CD with Security Teams
Shawn Wells, Chief Security Strategist, Red Hat Public Sector
shawn@redhat.com || 443-534-0130

Slide 2

NDA REQUIRED | JIM TYRRELL

Slide 3

Slide 4

Slide 5

Slide 6

Slide 7

Slide 8

RELEASES PER YEAR (chart labels: 1/day, 1/hour)

Slide 9

INTRO TO CI/CD
Diagram labels: dev, source repository, CI/CD engine, container
Video: https://www.youtube.com/watch?v=65BnTLcDAJI

Slide 10

INTRO TO CI/CD
Video: https://www.youtube.com/watch?v=65BnTLcDAJI

Slide 11

Meanwhile, in Government: FISMA from an earlier era
● Written in 2003-2004
● Pre GovCloud, C2S, MilCloud
● Pre DevOps, Infrastructure as Code
● Multi-year dev/ship cycles common
● Waterfall dominant
● IT was more manual a decade ago

Slide 12

Meanwhile, in Government: FISMA from an earlier era
Reference: https://www.telos.com/assets/Telos-AWS-white-paper.pdf

Slide 13

DevOps + Security

Slide 14

Layered Packaging: Separation of Concerns
Diagram labels: Operations, Architects, Application developers

Slide 15

Registries: Where do you get your containers?

Public and Private Registries
● What security meta-data is available for your images?
● Are the images updated regularly?
● Are there access controls in the registry? How strong are they?

Red Hat Container Registry
● Policies to control who can deploy which containers
● Certification Catalog
● Trusted content with security updates

Diagram: container image layers (APP, RUNTIME, OS) on top of HOST OS

Slide 16

Container Contents Matter
You need to know …
● CONTAINER: Will what's inside your container compromise your infrastructure?
● APPLICATION: Are there known vulnerabilities in the application layer?
● RUNTIME / OS: Are the runtime and operating system layers up to date?

Slide 17

Community-created portfolio of tools and content to assess systems for known vulnerabilities.
https://github.com/NSAgov
Or direct: https://github.com/OpenSCAP

Slide 18

https://github.com/nsagov

Slide 19

RHEL7 STIG content, rebased in RHEL 7.3:
● 6,180 commits from 95 people
● 441,055 lines of code

Shipping in RHEL 7:
● Intelligence Community: C2S and CS2
● DoD: RHEL7 Vendor STIG
● Civilian: USGCB/OSPP
● Justice: FBI Criminal Justice Info. Systems (FBI CJIS)

OpenSCAP interpreter contains:
● 6,811 commits from 74 people
● 157,775 lines of code

"Security Button" RHEL7 Installer:
● 6 people, 90 days

Slide 20

Slide 21

Atomic Scan: enables multiple container scanners
Diagram labels: Red Hat container scanning, CONTAINER API, RED HAT SCANNING INTERFACE

Slide 22

Example Pipeline
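The "Example Pipeline" slide is a diagram only. As an added example (not code from the talk, from Red Hat, or from the OpenSCAP project), the block below shows the gating step such a pipeline needs after the scan stage of slides 17 to 21: it parses an XCCDF results file of the kind `oscap xccdf eval --results` writes, and returns non-zero when any failed rule is at or above a chosen severity threshold, so the image is not pushed to the registry. The results XML embedded here is constructed for illustration (the rule ids follow the `xccdf_org.ssgproject.content_rule_` naming scheme but were chosen for this example), and the `oscap` / `oscap-docker` invocations in the docstring are the standard command-line usage, not something the slides show.

```python
"""Gate a CI/CD stage on OpenSCAP XCCDF results.

Added example, not from the slides. Assumes a results file produced by e.g.
  oscap xccdf eval --profile <profile> --results results.xml ssg-rhel7-ds.xml
or, for a container image (assumed invocation, same results format):
  oscap-docker image <image> xccdf eval --profile <profile> --results results.xml ssg-rhel7-ds.xml
"""
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample results: two failures, one pass, one not-applicable rule.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <TestResult id="xccdf_org.open-scap_testresult_example">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet-server_removed" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" severity="low">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def failed_rules(results_xml):
    """Return (rule id, severity) for every rule-result that did not pass.

    Both 'fail' and 'error' count: 'error' means the check could not run,
    and a pipeline must not treat an un-run check as a pass.
    """
    root = ET.fromstring(results_xml)
    failed = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        result = rr.findtext("x:result", default="", namespaces=XCCDF_NS)
        if result in ("fail", "error"):
            failed.append((rr.get("idref", ""), rr.get("severity", "unknown")))
    return failed


def blocking_rules(failed, threshold="high"):
    """Subset of failed rules at or above the gate threshold.

    An unrecognised severity string is treated as blocking, so a missing or
    malformed attribute cannot silently open the gate.
    """
    min_rank = SEVERITY_RANK[threshold]
    return [(rid, sev) for rid, sev in failed if SEVERITY_RANK.get(sev, 99) >= min_rank]


def main(argv):
    """Usage: gate.py [results.xml] [threshold]; exit 1 blocks the deploy stage."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_RESULTS  # no file given: run against the constructed sample
    threshold = argv[2] if len(argv) > 2 else "high"
    failed = failed_rules(xml_text)
    blocking = blocking_rules(failed, threshold)
    for rid, sev in failed:
        print(f"[{sev:>7}] {rid}")
    if blocking:
        print(f"{len(blocking)} finding(s) at severity >= {threshold}; blocking deployment")
        return 1
    print("no blocking findings; image may be pushed to the registry")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire the script in as the step between the scan and the registry push, and have the pipeline fail on its non-zero exit status; the threshold argument lets a team start at `high` and tighten to `medium` once the backlog of findings is worked off, which is the kind of incremental adoption the talk is arguing for.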

Slide 23

demos!

Slide 24

Thank You

Slide 25

Contact Info
LinkedIn: https://www.linkedin.com/in/shawndwells/
EMail: shawn@redhat.com
Cell: 443-534-0130 (US EST)
Blog: https://shawnwells.io
OpenSCAP Slides + Videos: https://github.com/OpenSCAP/scap-security-guide/wiki/Collateral-and-References