CONTINUOUS SECURITY CONTINUOUS SECURITY IN THE DEVOPS WORLD IN THE - PowerPoint PPT Presentation

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ CONTINUOUS SECURITY CONTINUOUS SECURITY IN THE DEVOPS WORLD IN THE DEVOPS WORLD JULIEN VEHENT JULIEN VEHENT MOZILLA SECURITY MOZILLA SECURITY tip: navigate with left/right arrows 1 of 49 06/07/2016 19:00 1

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ $WHOAMI $WHOAMI Firefox Services Security Lead Infrastructure defense & incident response sec tools coder: MIG, sops, TLS Observatory, ... 50% ops, 50% dev, 50% security @jvehent on twitter 2 of 49 06/07/2016 19:00 2

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ THIS TALK IS ABOUT THIS TALK IS ABOUT DEVOPS DEVOPS AND AND SECURITY SECURITY 3 of 49 06/07/2016 19:00 3

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ IT'S ABOUT AVOIDING THIS IT'S ABOUT AVOIDING THIS 4 of 49 06/07/2016 19:00

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ MEET SAMANTHA MEET SAMANTHA She's a Full Stack developer 5 of 49 06/07/2016 19:00 5

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ SAM USED TO WORK @SLOWCORP SAM USED TO WORK @SLOWCORP She didn't like it much Internal private repos Manual deployment by ops, would take weeks Different platform between dev & prod No access to cool tools everyone else uses 6 of 49 06/07/2016 19:00 6

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ SPEED MATTERS SPEED MATTERS Traditional ops where deployments take entire weeks aren't acceptable anymore. To compete, startups need fast release cycles. 15min from patch to prod is the new standard! 7 of 49 06/07/2016 19:00 7

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ SAM NOW WORKS AT MOZILLA SAM NOW WORKS AT MOZILLA She gets to use all the cool stuff! 8 of 49 06/07/2016 19:00 8

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ WHAT'S THE COOL STUFF WHAT'S THE COOL STUFF Code in public Github repo Circle/Travis CI to run tests Docker to build and deploy applications Continuous Deployment via Jenkins in AWS Logs in Kibana, monitoring in Datadog 9 of 49 06/07/2016 19:00 9

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ 10 of 49 06/07/2016 19:00 10

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ IN AN IDEAL WORLD, ALL DEPLOYS ARE IN AN IDEAL WORLD, ALL DEPLOYS ARE AUTOMATED AND INSTANTANEOUS AUTOMATED AND INSTANTANEOUS in the real world, we're not quite there yet, but you get the point 11 of 49 06/07/2016 19:00 11

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ SECURITY VERSUS DEVOPS SECURITY VERSUS DEVOPS AKA. AKA. THE WRONG WAY THE WRONG WAY DevOps team optimizes for fast iterations Security team optimizes for fewer incidents Both sides typically work against each other, actively arming both the roadmap and security of the product 12 of 49 06/07/2016 19:00 12

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ SECURITY INTO SECURITY INTO DEVOPS DEVOPS 1. Test Driven Security (TDS) integrated into the delivery pipeline. Use security tests to gradual improve application & infrastructure security. 2. Monitoring & blocking attacks, via fraud detection techniques and incident response. 3. Managing risks throughout the life-cycle of the service. 13 of 49 06/07/2016 19:00 13

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ CONTINUOUS SECURITY AT MOZILLA CONTINUOUS SECURITY AT MOZILLA Walkthrough through the life-cycle of a project, from inception to retirement 14 of 49 06/07/2016 19:00 14

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ SAM IS BUILDING A NEW SERVICE SAM IS BUILDING A NEW SERVICE CuteFox: a REST API that sends webpush noti�cations to Firefox users with photos of cute foxes. 15 of 49 06/07/2016 19:00 15

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ 16 of 49 06/07/2016 19:00 16

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ WHEN THE PROJECT STARTS, WHEN THE PROJECT STARTS, WE TALK RISK TOGETHER WE TALK RISK TOGETHER RRA: RAPID RISK ASSESSMENT RRA: RAPID RISK ASSESSMENT A ~30min friendly discussion between the devs, ops, products managers and security team to go over the business risks of the project 17 of 49 06/07/2016 19:00 17

DONE REMOTELY! DONE REMOTELY! Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ 18 of 49 06/07/2016 19:00 18

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ A risk summary table from the RRA 19 of 49 06/07/2016 19:00 19

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ RRA OUTPUTS RECOMMENDATIONS RRA OUTPUTS RECOMMENDATIONS We capture those recommendation into a "Risk Summary" bug. The bug stays open for the lifetime of the service and serves as a tracker for security discussions related to the project 20 of 49 06/07/2016 19:00 20

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ THE PROJECT TEAM UNDERSTANDS THE RISKS THE PROJECT TEAM UNDERSTANDS THE RISKS THEIR PROJECT IS EXPOSED TO. THEIR PROJECT IS EXPOSED TO. 21 of 49 06/07/2016 19:00 21

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ SAM GOES CODING SAM GOES CODING 22 of 49 06/07/2016 19:00 22

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ WE HELP SAM AVOID WE HELP SAM AVOID COMMON WEBAPP VULNERABILITIES COMMON WEBAPP VULNERABILITIES Mozilla Web Security Guidelines wiki.mozilla.org/Security/Guidelines/Web_Security OWASP ZAP Scanning github.com/zaproxy/ZAP-Baseline-Scan Require baseline security on all websites (CSP, Secure Cookies, TLS Only, ...) 23 of 49 06/07/2016 19:00 23

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ TEST DRIVEN SECURITY FOR WEB APPLICATIONS TEST DRIVEN SECURITY FOR WEB APPLICATIONS 24 of 49 06/07/2016 19:00 24

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ ZAP EXAMPLE IN CIRCLECI ZAP EXAMPLE IN CIRCLECI test: override: - docker run mozilla/cutefox & # pull down the ZAP docker container - docker pull owasp/zap2docker-weekly # Run ZAP against the application - > docker run -t owasp/zap2docker-weekly zap-baseline.py -t http://172.17.0.2:8080/ # Shut down the application container - > docker kill $(docker ps |grep mozilla/cutefox | awk '{print $1}') 25 of 49 06/07/2016 19:00 25

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ PASS/FAIL OUTPUT, LIKE UNIT TESTS PASS/FAIL OUTPUT, LIKE UNIT TESTS PASS: Absence of Anti-CSRF Tokens [40014] WARN: Web Browser XSS Protection Not Enabled [10016] x 3 http://172.17.0.2:8080/ http://172.17.0.2:8080//robots.txt http://172.17.0.2:8080//sitemap.xml 26 of 49 06/07/2016 19:00 26

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ TEST DRIVEN SECURITY TEST DRIVEN SECURITY Similar to TDD: Write the security tests �rst, let them fail, implement the security control then verify the tests pass Security team writes the tests Developers implement the controls 27 of 49 06/07/2016 19:00 27

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ WE ALSO ASK SAM TO WE ALSO ASK SAM TO KEEP HER APP UP TO DATE KEEP HER APP UP TO DATE Node.JS: NSP, Greenkeeper.io Python: requires.io, pip --outdated Go: govend 28 of 49 06/07/2016 19:00 28

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ TDS FOR DEPENDENCY MANAGEMENT TDS FOR DEPENDENCY MANAGEMENT 29 of 49 06/07/2016 19:00 29

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ DEVELOPERS OWN THE OPERATIONAL SECURITY DEVELOPERS OWN THE OPERATIONAL SECURITY OF THEIR APPLICATION OF THEIR APPLICATION We don't bolt it on top with WAFs and so on, we build security into the app directly 30 of 49 06/07/2016 19:00 30

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ THEN WE DEPLOY THEN WE DEPLOY 31 of 49 06/07/2016 19:00 31

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ MEET MAX MEET MAX He's the Ops guy 32 of 49 06/07/2016 19:00 32