from zero to secure continuous deployment
play

From Zero to Secure Continuous Deployment in 60 Minutes Florian - PowerPoint PPT Presentation

Oct 01, 2023 •129 likes •720 views

From Zero to Secure Continuous Deployment in 60 Minutes Florian Barth Matthias Luft 1 o THE Digital Wallet o 20.000.000 users 50 countries 5 offices o 25.000.000,000 rpm (onth ;) ) 100 micro services 10 servers 5 persons doing backend

  1. From Zero to Secure Continuous Deployment in 60 Minutes Florian Barth Matthias Luft 1

  2. o THE Digital Wallet o 20.000.000 users 50 countries 5 offices o 25.000.000,000 rpm (onth ;) ) 100 micro services 10 servers 5 persons doing backend DevOps 2

  3. o Vendor-independent o Established 2001 o 65 employees, 42 FTE consultants o Continuous growth in revenue/profits No venture/equity capital, no external financial o obligations of any kind o Customers predominantly large/very large enterprises Industry, telecommunications, finance o 3

  4. Avengers, assemble! Captain Security DareDeveloper 4

  5. I dare you to create an IaC-based automated CD pipeline! Give me 60 minutes! You have 30, as I will need to secure that thing! I’ll do it in 10! 5

  6. Agenda o Intro CD, DevOps, and key technologies o “Let‘s get our brains and hands dirty “ o Sermons and Preaching by Cpt Security 6

  7. DevOps “DevOps is the philosophy of unifying Development and Operations at the cu culture re, system, practic ice, and tool levels, to achieve accelerated ated and more freque uent deliv ivery ry of value to the customer, by improving quality in order to increase velocity.” Rob England nd, 2014 7

  8. Continuous Delivery “Continuous Delivery (CD) is a software engineering approach in which teams produce software in short cycles, ensuring that the software can be reliab iably ly releas ased at any time. It aims at building lding, testin ting, and releasin asing software faster and more freque uently tly .” DOI: 10.1109/MS.2015.27 8

  9. Continuous Deployment … is often confused with Continuous Delivery and “means that every change goes through the pipeline and automat matically ally gets put into production, resulting in many producti uction n deploym loyments nts every day .” https://ma mart rtin infow owler.com/ r.com/bliki/ iki/Cont ontin inuou uousDel eliver ivery.ht .html ml 9

  10. Immutable Infrastructure o “Servers are cattle not pets” 10

  11. Immutable Infrastructure o “Servers are cattle not pets” o “Servers are syringes es ” o Spawn your infra from a template or recipe o Update te, Test it, Spawn wn new, Trash old 11

  12. Infrastructure-as-Code o Manage und provision data a centers through mach chine ine-readable adable definition files o Version control your infrastructure o Documentation & Evolution o Static/Dynamic analysis 12

  13. Prepare to be steamrolled … o A lot of content and prerequisites o We want to explain the actually difficult parts, not the parts that are routine work. 13

  14. Goal o See the buzzwords in action o Gain a general understanding 14

  15. My First Contact with DevOps o Role: Unifying Dev, Ops, Net, Sec, … o Scale: users growing exponentially o Infra: 5€ “ vServer ” o Stack/Tooling: nginx, php, ssh, vi o CD: “ :w :w ” o Since then we learned a lot! 15

  16. Ingredients Infrastructure Infrastructure Definition App Stack Definition Platform App Source Code Software 16

  17. This is DareDeveloper, Welcome to Infrastructure as Code 17

  18. 18

  19. Demo Terraform 19

  20. This is DareDeveloper, Welcome to App Stack as Code 20

  21. vote result Python node.js sockpuppet node.js queue db redis PostgreSQL worker .NET 21

  22. Demo Docker Compose Service Infra 22

  23. This is DareDeveloper, Welcome to Full Auto CD 23

  24. Artifact Repository Execution push VCS Environment “CI” Service build & test 24

  25. Demo Gitlab Service Config 25

  26. Big Picture :tm: 26

  27. Deployments o Deployment Strategies Rolling Deployment o Green/Blue Deployment o Canary Deployment o o Feedback from Logging & Metrics 27

  28. Docker Build o Gitlab Runner running in a Docker container o Dedicated Docker container for each job in the pipeline o By distributing the runner „ swarm-scale “ build cluster can be formed 28

  29. 29

  30. This is Captain Security, Welcome to Swarm Pwnage! 30

  31. 4446 4444 4445 31

  32. So Far: Build System Breakout o We looked at one particular aspect o Raising awareness for capabilities of the Docker socket Good summary: blog.heroku.com o 32

  33. More Security Challenges o Build System Breakout Traversing to Production Swarm o o Breakout on Production Swarm o Deployment of Vulnerable Code to Production o Registry Overwrite o Leaking of Secrets 33

  34. Build System Breakout o Inherent problem of the requirement to build docker containers in build containers Only configuration-based review of drone.io, o Travis, and Jenkins, but most likely the same issues o Potential Solution: Verify Build Scripts o Build System Zoning o Docker Image Build Without Docker o 34

  35. Docker Image Build Without Docker o Several projects available https://github.com/genuinetools/img o https://bazel.build/ o https://github.com/projectatomic/buildah o o Need to build a custom build image/runner/plugin 35

  36. Build System Breakout – Lateral Movement o Common approach: Build system deploys to production platform o If so: Credentials can be accessed after breakout o Lateral Movement to target systems o 36

  37. Breakout on Production Swarm o Container breakout vulnerabilities are relevant o Cluster escalation vulnerabilities are relevant o Not the scope here! Refer to H2HC 2017 – Pentesting DevOps o 37

  38. Breakout on Production Swarm o In scope: Deploying privileged container Docker: privileged: true in compose file o Kubernetes: privileged flag in deployment o yml o No proper way to restrict container runtime options on a cluster level 38

  39. DoS on Production Swarm o Binding container to relevant (host) port o docker service create -p 22:22 IMAGE … o Potential Solution for both DoS/Breakout: Deployment Verification o 39

  40. Deployment of Vulnerable Images o Probably the most popular “Secure Pipeline” aspect o Possibility has existed longer than containers/DevOps/CD Still a very important aspect o 40

  41. Deployment of Vulnerable Images o Challenge: Scan all of OS packages o App code o App dependencies o o But again: Build Verification Required o 41

  42. Registry Overwrite o Build System must be able to push to registry o Broad registry push access allows to overwrite images o => Review your registry user/role/permission concept! 42

  43. Leaking of Secrets o Builds (and thus repositories) must contain secrets on a regular basis o For example: Registry login credentials o Credentials for application stack o o Secrets in a repository are a bad idea ;-) 43

  44. Secret Injection o All major build systems support secret injection of some kind docker login -u gitlab-ci-token -p o $CI_BUILD_TOKEN $DOCKER_REGISTRY o Ensure usage! Scan repos for secret storage o o Various tools available Support developers o o Awareness o Provide .gitignore /commit hook configs 44

  45. Validate Builds & Deployments o We saw the need for validation to address Build Breakout o App/Image Vulnerabilities o Deployment Mal-/Mis-Configuration o o How to enforce validation? o Build Systems don’t provide mandatory check steps without “manual work”… 45

  46. Architecture Overview 46

  47. What do we want to scan for? o Application Vulnerabilities o OS Package and Library Vulnerabilities o Build Script Breakout As always, hard to detect. o Docker-less builds essential o o Deployment Mal-/Mis-Configuration 47

  48. What do we want to scan for? o Deployment Mal-/Mis-Configuration Capabilities o AppArmor/seccomp profile deactivation o Container running as root o Secrets o Network policies o Namespace sharing o Mount propagation/Volumes o o See CIS Docker/K8s benchmarks as well. 48

  49. Tooling? o Some “Container Security” tools/scanners start to provide the above. … some really do not. o o No tool recommendation here, no extensive technical evaluation performed. o The slides above provide your evaluation checklist 49

  50. Security Zoning o Captain Security’s favorite approach: Use dedicated environments per application project/stack/team. o Basically remove multi-tenancy from the vulnerability list o o We saw above how easy it is to deploy the complete infrastructure. o Granularity of zoning depends on your environment. E.g. according to business unites, protection need/classification , … o 50

  51. Network Isolation o Old controls still relevant in the old world o Build system/production swarm only needs filtered outbound network access Proxy-based whitelisting o o Very feasible! o Of course no prevention, but raising the bar. 51

  52. Empower & Collaborate o As a security team, provide Training in the new CD approaches o Repository scaffolding o o Commit hooks including checks for included secrets o .gitignore o .gitlab-ci.yml including all scanning checks o Provide scanning checks as well ;-) Container security policies (e.g. K8s Pod Security o Policies) available in the cluster 52

  53. Empower & Collaborate o If implemented properly and securely: Immutable infrastructures are immutable o o And easy to baseline! Executable and version-able o infrastructure/design documentation Automated security checks o Timely patching o Centralized secret management o 53

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

One Size Does Not Fit All: An Empirical Study of Containerized Continuous Deployment Workflows

One Size Does Not Fit All: An Empirical Study of Containerized Continuous Deployment Workflows

One Size Does Not Fit All: An Empirical Study of Containerized Continuous Deployment Workflows Yang Zhang, Bogdan Vasilescu, Huaimin Wang, Vladimir Filkov November 7, 2018 Continuous Delivery/Deployment It is the ability to release A software

513 views • 19 slides
Continuous Improvement Toolkit QFD (Quality Function Deployment) Continuous Improvement Toolkit .

Continuous Improvement Toolkit QFD (Quality Function Deployment) Continuous Improvement Toolkit .

Continuous Improvement Toolkit QFD (Quality Function Deployment) Continuous Improvement Toolkit . www.citoolkit.com The Continuous Improvement Map Managing Deciding & Selecting Planning & Project Management* Risk PDPC Decision

690 views • 11 slides
CONTINUOUS DEPLOYMENT WITH SINGULARITY Large Scale Mission-Critical Service and Job Deployment

CONTINUOUS DEPLOYMENT WITH SINGULARITY Large Scale Mission-Critical Service and Job Deployment

CONTINUOUS DEPLOYMENT WITH SINGULARITY Large Scale Mission-Critical Service and Job Deployment Gregory Chomatas @gchomatas PAAS TEAM Implement & maintain: the deploy & build tools the PAAS platform (mesos clusters) load balancer

621 views • 35 slides
Deployment & Distribution Engineering Secure Software Last Revised: November 6, 2020

Deployment & Distribution Engineering Secure Software Last Revised: November 6, 2020

Deployment & Distribution Engineering Secure Software Last Revised: November 6, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 SE Doesnt End at Release Deployment counts too Despite our best efforts to produce

487 views • 20 slides
Case Study - Continuous Deployment at Outbrain Itai Hochman VP Engineering at Outbrain

Case Study - Continuous Deployment at Outbrain Itai Hochman VP Engineering at Outbrain

Case Study - Continuous Deployment at Outbrain Itai Hochman VP Engineering at Outbrain Continuous Deployment Outbrain Few Facts From Releases to CD Culture Architecture Tools Outbrain enables readers to discover

549 views • 35 slides
Secure and efficient deep learning everywhere Octomizer Outline Who we are (recap) Deployment

Secure and efficient deep learning everywhere Octomizer Outline Who we are (recap) Deployment

Secure and efficient deep learning everywhere Octomizer Outline Who we are (recap) Deployment pain The vision The Octomizer: TVM for everyone 2 Simple, secure, and efficient Drive TVM adoption Expand the set of users who can deployment of

370 views • 14 slides
Microservice Deployment Software Engineering II Sharif University of Technology MohammadAmin

Microservice Deployment Software Engineering II Sharif University of Technology MohammadAmin

Microservice Deployment Software Engineering II Sharif University of Technology MohammadAmin Fazli Topics Continuous Integration & Microservices Continuous Delivery Deployment Artifacts Custom Images Environments

591 views • 39 slides
Climbing the Mountain of Continuous Deployment Presented by:

Climbing the Mountain of Continuous Deployment Presented by:

DW9 DevOps Case Study Wednesday, November 7th, 2018 2:45 PM Climbing the Mountain of Continuous Deployment Presented by:

720 views • 27 slides
Context : Deployment of secure and reliable energy management devices Issues : Large

Context : Deployment of secure and reliable energy management devices Issues : Large

ANOMALY DETECTION USING HARDWARE PERFORMANCE COUNTERS ON A LARGE SCALE IOT DEPLOYMENT Context : Deployment of secure and reliable energy management devices Issues : Large scale deployment Resources constrained IoT devices

413 views • 3 slides
Continuous deployment with Jenkins and Salt LinuxCon CloudOpen ContainerCon North America 2015,

Continuous deployment with Jenkins and Salt LinuxCon CloudOpen ContainerCon North America 2015,

Continuous deployment with Jenkins and Salt LinuxCon CloudOpen ContainerCon North America 2015, Seattle Anirban Saha About me Techie Traveller Thinker Author of Salt Cookbook Deployment Should be Simple Stable

698 views • 26 slides
Strategy Deployment: From OGSMs to Hoshin Kanri Tony Hayes Global Director, Continuous

Strategy Deployment: From OGSMs to Hoshin Kanri Tony Hayes Global Director, Continuous

Strategy Deployment: From OGSMs to Hoshin Kanri Tony Hayes Global Director, Continuous Improvement Trina Poston Senior Continuous Improvement Consultant 2 3 Theres not a single thing we are doing that we cant do better - Dick

204 views • 17 slides
Continuous Delivery for DC/OS with Spinnaker Will Gorman @willgorman Deploying software is

Continuous Delivery for DC/OS with Spinnaker Will Gorman @willgorman Deploying software is

Continuous Delivery for DC/OS with Spinnaker Will Gorman @willgorman Deploying software is challenging Why continuous delivery? Decrease risks of deployment Decrease cost of deployment Decrease delay between feature development

643 views • 52 slides
Continuous Delivery of Debian packages Michael Prokop Terminology Continuous Integration

Continuous Delivery of Debian packages Michael Prokop Terminology Continuous Integration

Continuous Delivery of Debian packages Michael Prokop Terminology Continuous Integration well known from software development Continuous Deployment Q/A criteria says OK? Ship/deploy! Continuous Delivery release whenever

526 views • 48 slides
Python tooling for continuous Python tooling for continuous deployment deployment PyParis

Python tooling for continuous Python tooling for continuous deployment deployment PyParis

Python tooling for continuous Python tooling for continuous deployment deployment PyParis Novembre 2018 PyParis Novembre 2018 Arthur Lutz - Logilab Arthur Lutz - Logilab 1 Introduction /me Introduction /me Arthur Lutz @arthurlutz

438 views • 19 slides
Secure Border Gateway Protocol (S-BGP): Real World Performance & Deployment Issues Stephen

Secure Border Gateway Protocol (S-BGP): Real World Performance & Deployment Issues Stephen

Secure Border Gateway Protocol (S-BGP): Real World Performance & Deployment Issues Stephen Kent, Charles Lynn, Joanne Mikkelson, and Karen Seo BBN Technologies A Part of Outline BGP Model BGP security concerns & requirements

528 views • 20 slides
Exclude Human Continuous Deployment and OpenShift by Valdas Marimas Join at Slido.com with

Exclude Human Continuous Deployment and OpenShift by Valdas Marimas Join at Slido.com with

Exclude Human Continuous Deployment and OpenShift by Valdas Marimas Join at Slido.com with #devdays2019 1 A few words about me My name is Valdas Mazrimas, I am full stack javascript engineer @ Metasite Business Solutions. Join at

1.1k views • 40 slides
A Data Mo del and A Query Language for Ob ject-Orien ted Databases Mano jit Sark ar

A Data Mo del and A Query Language for Ob ject-Orien ted Databases Mano jit Sark ar

A Data Mo del and A Query Language for Ob ject-Orien ted Databases Mano jit Sark ar and Stev en P . Reiss Departmen t of Computer Science Bro wn Univ ersit y Pro vidence, Rho de Island 02912 CS-92-57 Decem b

174 views • 15 slides
Association of the United States Army 11 October 2017 Ms. Beryl Hancock Chief, Manpower Policy,

Association of the United States Army 11 October 2017 Ms. Beryl Hancock Chief, Manpower Policy,

Association of the United States Army 11 October 2017 Ms. Beryl Hancock Chief, Manpower Policy, Plans and Programs Division Chief, CP26 Proponency Office Deputy Chief of Staff G-1, HQDA Agenda Civilian Career Program 26 Manpower and

868 views • 57 slides
A view into a new GN3Plus Service Jerry Sobieski (NORDUnet) TERENA Architecture Workshop Nov 13,

A view into a new GN3Plus Service Jerry Sobieski (NORDUnet) TERENA Architecture Workshop Nov 13,

Testbeds as a Service Building Future Networks A view into a new GN3Plus Service Jerry Sobieski (NORDUnet) TERENA Architecture Workshop Nov 13, 2013 From Innovation to Infrastructure Network Innovation requires testing to prove out...

360 views • 24 slides
COVID update NSFT Board of Directors 24 September 2020 NSFT COVID response strategic priorities

COVID update NSFT Board of Directors 24 September 2020 NSFT COVID response strategic priorities

COVID update NSFT Board of Directors 24 September 2020 NSFT COVID response strategic priorities Minimise all causes of mortality amongst patients under the care of NSFTs teams and services Continue to provide high quality mental health

363 views • 10 slides
(z+rr) x ,?-i r{ j. r,1l srf,>lt ..i{f rt tiD llr.rqC /r.-q-1t Heavy Flavorrr

(z+rr) x ,?-i r{ j. r,1l srf,>lt ..i{f rt tiD llr.rqC /r.-q-1t Heavy Flavorrr

acez'av!y I rlribat'!'-l 1.ta! (nuc) rv.r1 '.5r.1 (z+rr) x ,?-i r{ j. r,1l srf,>lt ..i{f rt tiD llr.rqC /r.-q-1t Heavy Flavorrr Theory lJr(,e.,x(.il|Nr (l,rl.r sets I Very tr,'.rl lrel(1. scl{al!,' ! t ti)pr(s (d(( l,) l.',1rt

1.15k views • 76 slides
Background A bubble generated inside microfluidic channel is actuated via acoustic waves,

Background A bubble generated inside microfluidic channel is actuated via acoustic waves,

Background A bubble generated inside microfluidic channel is actuated via acoustic waves, which set up a streaming flow around the bubble. Red blood cells introduced in the fluid will deform differently near the bubble due to different

171 views • 3 slides
AST 1420 Galactic Structure and Dynamics Third integral Henon & Heiles (1964) potential

AST 1420 Galactic Structure and Dynamics Third integral Henon & Heiles (1964) potential

AST 1420 Galactic Structure and Dynamics Third integral Henon & Heiles (1964) potential Surface of section in (y,v y ) at E=1/8 Do all orbits in an axisymmetric potential have a third integral? No! Potentials for which all orbits

1.07k views • 102 slides
Parallel Programming Patterns: Data Parallelism Ralph Johnson University of Illinois at Urbana-

Parallel Programming Patterns: Data Parallelism Ralph Johnson University of Illinois at Urbana-

Parallel Programming Patterns: Data Parallelism Ralph Johnson University of Illinois at Urbana- Champaign rjohnson@illinois.edu www.upcrc.illinois.edu Pattern language Set of patterns that an expert (or a community) uses Patterns are

504 views • 38 slides

More recommend