DevSecOps
1. Overview
- Gartner published its first report on DevSecOps in May 2016.
- Traditional IT departments are fragmented, with Development, Security, and Operations all having different leadership and reporting structures.
- DevSecOps builds on the idea that cross-functional teams must work together and that everyone is responsible for security.
- Process experts and coaches often say that DevOps is not about tooling.
- Engineers and technologists grow tired of process quickly and want real-world examples of how processes can be implemented.
- The "automate everything" mantra of the DevOps movement is central to DevSecOps as well.
DevSecOps Automation:
- Software version control
- Continuous integration
- Continuous testing
- Configuration management and deployment
- Continuous monitoring
- Containerization
- Container orchestration
DevSecOps can be used to enforce proper cybersecurity practices within an automated DevOps CI/CD pipeline.
Development side: Plan -> Code -> Build -> Test
    <- integration ->
Operations side: Deploy -> Operate -> Monitor
Measuring DevSecOps Success
-Deployment frequency (fast and frequent releases)
-Lead time (code to cash cycle)
-Detection of threats, vulnerabilities, and malware
-Mean time to repair and remediation
-Efficiency of rollback and recovery
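The metrics listed above are only useful if they are computed the same way every time, so the following added example (not part of the original notes) shows one way to derive them from deployment and incident records. The record formats, the `Deployment` and `Incident` classes, and the sample timestamps are all constructed here for illustration; a real pipeline would pull them from the CI system and the incident tracker.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Deployment:
    commit_time: datetime   # when the change was committed (start of "code to cash")
    deploy_time: datetime   # when the change reached production
    rolled_back: bool = False


@dataclass
class Incident:
    detected: datetime      # when the vulnerability or defect was detected
    resolved: datetime      # when it was remediated in production


def deployment_frequency(deploys, window_days):
    """Deployments per day over the observation window."""
    return len(deploys) / window_days if window_days else 0.0


def lead_time_hours(deploys):
    """Mean commit-to-production time in hours (0.0 if there were no deployments)."""
    if not deploys:
        return 0.0
    return mean((d.deploy_time - d.commit_time).total_seconds() / 3600 for d in deploys)


def mttr_hours(incidents):
    """Mean time to repair: detection-to-resolution in hours (0.0 if no incidents)."""
    if not incidents:
        return 0.0
    return mean((i.resolved - i.detected).total_seconds() / 3600 for i in incidents)


def rollback_rate(deploys):
    """Fraction of deployments that had to be rolled back (0.0 if no deployments)."""
    if not deploys:
        return 0.0
    return sum(1 for d in deploys if d.rolled_back) / len(deploys)


# Constructed sample data: four deployments and two incidents in one week.
T0 = datetime(2024, 1, 1, 9, 0)
DEPLOYMENTS = [
    Deployment(T0, T0 + timedelta(hours=4)),
    Deployment(T0 + timedelta(days=1), T0 + timedelta(days=1, hours=6)),
    Deployment(T0 + timedelta(days=3), T0 + timedelta(days=3, hours=2), rolled_back=True),
    Deployment(T0 + timedelta(days=5), T0 + timedelta(days=5, hours=8)),
]
INCIDENTS = [
    Incident(T0 + timedelta(days=3, hours=3), T0 + timedelta(days=3, hours=5)),
    Incident(T0 + timedelta(days=6), T0 + timedelta(days=6, hours=4)),
]


def report(deploys=DEPLOYMENTS, incidents=INCIDENTS, window_days=7):
    """Summarise the DevSecOps success metrics for one observation window."""
    return {
        "deploys_per_day": deployment_frequency(deploys, window_days),
        "lead_time_hours": lead_time_hours(deploys),
        "mttr_hours": mttr_hours(incidents),
        "rollback_rate": rollback_rate(deploys),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value:.2f}")
```

Tracking these four numbers per release window, rather than per heroic incident, is what makes the "release-and-adapt" feedback loop described later in the notes measurable.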
Agile Development
- As Agile processes have become popular, cross-functional development teams have started using extreme programming and Scrum methodologies to improve productivity.
- By breaking up large releases that could take months into small batches of feature changes that only take days or weeks, teams can drastically shorten time to market.
- Teams also practice "Kaizen" (continuous improvement) to improve systems over time based on customer feedback.
- As Agile teams become more productive, Potentially Shippable Increments build up in staging and Quality Assurance (QA).
- Even though Agile teams can develop applications faster, these products often aren't pushed to production any faster than normal.
Operations:
-Operations teams can streamline their processes to increase the frequency of releases to production.
-This helps Agile development teams receive feedback from customers in a timely manner and use it to improve applications.
-Operations teams can iterate through release deployments to mimic the iteration cadence of the development team
Release Management
-Release management is the process of coordinating the deployment of finished application increments to production.
-Staging is the interim area where application sub-releases are tested prior to use by customers.
- In highly regulated industries, many approvals are required before code can be released into production.
Release Gating
- Governance, risk management, auditing, and compliance groups have had to change the way they approve software releases in order to accommodate Agile's fast and frequent releases.
- Automation is necessary for this rapid approval process.
-Many vendors and open-source projects have sprung up to help automate the Continuous Deployment process.
Security
- To comply with regulations and corporate policy, security departments must verify that software adheres to governance requirements.
- By involving security personnel in the automation process, DevOps practitioners can improve the throughput of security checkpoints and approvals.
-DevSecOps is the evolution of DevOps that emphasizes the importance of security in the software release pipeline.
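The Release Gating and Security sections above describe automating the approval checkpoint. The following added example (written for these notes, not taken from any vendor tool) shows a minimal release gate: it reads scanner findings, blocks the release on anything at or above a configured severity, and honours time-limited, documented risk waivers so that an accepted risk does not block every build forever. The JSON layout, the `evaluate_gate` function and the sample findings and waivers are all constructed assumptions.

```python
import json
from datetime import date

# Constructed scanner output. The layout is hypothetical and not any specific
# tool's format; a real gate would normalise SAST/SCA/DAST output into it.
SCAN_OUTPUT = json.dumps({
    "findings": [
        {"id": "F-1", "severity": "CRITICAL", "component": "libexample", "fixed_in": "2.4.1"},
        {"id": "F-2", "severity": "HIGH", "component": "webfw", "fixed_in": None},
        {"id": "F-3", "severity": "LOW", "component": "utils", "fixed_in": "1.0.3"},
    ]
})

# Constructed waiver register: a finding may pass the gate only while its
# waiver is unexpired. Each waiver records who accepted the risk and why.
WAIVERS = {
    "F-2": {"expires": "2024-12-31", "approved_by": "appsec-lead", "reason": "no fix available; mitigated by WAF rule"},
}

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def evaluate_gate(scan_json, block_at="HIGH", waivers=None, today=None):
    """Decide whether a release may proceed.

    Returns a dict with the decision and the finding ids that blocked or were
    waived. Unknown severities are treated as blocking (fail closed), and a
    waiver only counts if it has not expired on `today`.
    """
    today = today or date.today()
    waivers = waivers or {}
    threshold = SEVERITY_RANK[block_at]
    blocking, waived = [], []

    for finding in json.loads(scan_json)["findings"]:
        rank = SEVERITY_RANK.get(finding["severity"].upper())
        if rank is not None and rank < threshold:
            continue  # below the gate's threshold: report only, do not block
        waiver = waivers.get(finding["id"])
        if waiver and date.fromisoformat(waiver["expires"]) >= today:
            waived.append(finding["id"])
        else:
            blocking.append(finding["id"])

    return {"allowed": not blocking, "blocking": blocking, "waived": waived}


if __name__ == "__main__":
    decision = evaluate_gate(SCAN_OUTPUT, waivers=WAIVERS, today=date(2024, 6, 1))
    print(json.dumps(decision, indent=2))
    raise SystemExit(0 if decision["allowed"] else 1)  # non-zero exit fails the pipeline stage
```

Exiting non-zero is what turns the policy into a pipeline control: the CI stage fails, the artifact is not promoted, and the blocking finding ids appear in the job log for the development team to act on. The waiver expiry date is the caveat most teams miss; without it, "accepted risk" silently becomes permanent.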
Security Monitoring
-After applications and systems have been promoted to production, they are continuously monitored for vulnerabilities.
-Depending on the severity of an identified vulnerability, applications might be removed from production or simply cleansed of the vulnerability
- Typically, remediation involves the development organization, as refactoring may be required in order to update component libraries to versions that have eliminated the threat.
Release-and-Adapt
- Lessons learned from production performance often prompt subsequent iterations of software enhancement to remediate performance and security defects.
- A release-and-adapt cadence is the process through which key performance indicators are communicated back to developers so that remedial action may be taken.
2. Cyber security concepts
a) Attack Surfaces
- The attack surface of a system is the collection of points (attack vectors) where an unauthorized user (attacker) may enter to inject data into or extract data from an environment.
- Keeping the attack surface as small as possible is a basic security measure.
b) Malware and Vulnerabilities
-Malware is malicious software that attackers deploy to infect individual computers or an entire digital network.
- Malware exploits target system vulnerabilities that can be hijacked, such as bugs in legitimate software (e.g. browser or web application plugins).
c) The OpenSCAP Project
- The Security Content Automation Protocol (SCAP) is a US security standard maintained by the National Institute of Standards and Technology (NIST).
-The OpenSCAP Project is a collection of open-source tools for implementing and enforcing this standard
d) The Center for Internet Security (CIS)
- The Center for Internet Security (CIS) provides security benchmarks and the National Checklist Program (NCP) defined by NIST.
-They offer guidance on the security configurations of the operating system, database, virtualization, framework, and applications.
-In addition to the benchmark documents, the CIS also provides downloadable tools for secure configuration scanning
e) Malware and Vulnerability Scanners
- Scanners can be deployed to network hosts and run in memory-resident mode to monitor activity in real time.
- By monitoring multiple sensor points, scanners can log vulnerabilities so that DevSecOps stakeholders become aware of the need for remedial action.
- Scanners should be used to interrogate new and existing software to determine whether any system or application may be infected by threat actors or attackers.
- There are two types of scanning:
* dynamic scanning
** is a method of code analysis that identifies vulnerabilities in a runtime environment.
** dynamic tests monitor system memory, functional behavior, response time, and the overall performance of the system.
** automated scanning tools can be used to analyze applications for which you do not have access to the original source code.
* static scanning
** is a method of analysis performed in a non-runtime environment.
** typically, a static analysis tool will inspect program code for all possible runtime behavior and seek out flaws and potentially vulnerable code.
** although they were developed separately, static and dynamic scanning are not in opposition to one another.
** there are strengths and weaknesses associated with both approaches, and many DevSecOps processes benefit from using both.
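To make the static-scanning bullets concrete, here is an added example (written for these notes, not a real scanner's code) of the simplest kind of static analysis: walking a program's syntax tree without running it and flagging patterns that are commonly unsafe. The `SAMPLE_SOURCE` being scanned, the rule set and the `scan_source` function are all constructed assumptions; the rules are deliberately small so the mechanism is visible.

```python
import ast

# Constructed target program. It is analysed as text only and never executed,
# which is exactly what "non-runtime environment" means for static scanning.
SAMPLE_SOURCE = '''
import subprocess, os
def run(cmd):
    subprocess.run(cmd, shell=True)   # shell=True with caller-controlled input
def load(expr):
    return eval(expr)                 # arbitrary code execution
def read(path):
    return open(path).read()          # not flagged by these rules
'''

# Rule 1: calls to functions that evaluate strings as code.
DANGEROUS_CALLS = {"eval", "exec"}
# Rule 2: subprocess helpers that are risky when invoked with shell=True.
SUBPROCESS_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call", "subprocess.check_output"}


def _call_name(node):
    """Return 'name' or 'module.attr' for a call, or None if it is something else."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


class Finder(ast.NodeVisitor):
    """Collects (line number, description) findings while visiting the tree."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            self.findings.append((node.lineno, f"call to {name}()"))
        if name in SUBPROCESS_CALLS:
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append((node.lineno, f"{name} with shell=True"))
        self.generic_visit(node)  # keep walking so nested calls are also inspected


def scan_source(source):
    """Parse `source` and return findings sorted by line number."""
    finder = Finder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


if __name__ == "__main__":
    for lineno, message in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {message}")
```

Two limits of the approach are worth noticing and are the reason the notes recommend pairing static with dynamic scanning: the analyzer sees `shell=True` only when it is a literal, so a value computed at runtime slips past it (a false negative), and it cannot tell whether `cmd` is actually attacker-controlled, so a hard-coded command is reported just the same (a false positive). Dynamic testing of the running application covers the first gap; a human triage step covers the second.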
f) The Cloud Controls Matrix (CCM)
-The Cloud Security Alliance (CSA) has consolidated most security compliance methods
3.
4.
5.
6.
7.
8.
9.
10.
11.