Modern Dev Ops and security Robin Sillem Newcastle
Modern Dev. Ops and security Robin Sillem Newcastle OWASP chapter 21/11/17
The threat environment Assets • Large quantity of sensitive personal data • Large amounts of money being paid out Attacks • Information disclosure - individuals • Tampering - fraud • Damage - reputational
Modern Dev. Ops and SDLC • • Increased rate of delivery Increased team prioritisation autonomy Increased use of automation Increased involvement in operations Increased use of automation Increased use of open source Increased use of cloud Increased control over build and configuration
Services (code) We build services, code is one part of that • Teams owns its services • Micro-service architectures • API design. Data at rest and in transit • Separation of authentication and audit concerns • Automated code inspection • Automated dependency inspection • Immutable deployables (containers) • Hardened base images • Test automation
Infrastructure • • Hosting. Depends on data. Public/private cloud Infrastructure as code - Terraform Immutable servers – Packer, AMIs. Patching? Hardened base images Well defined security boundaries, firewalls Dev. Ops culture – teams owns its infrastructure Automated infrastructure documentation
Working environment • • • Virtual machines via RDP over VPN Whitelisted tooling. Who decides? VMs under team’s control, sizing etc Build pipeline under team’s control Dev, Test, PT environments under team’s control Practices – multidisciplinary pairing
Behavioural boundaries • • Separation of development and operations Discovery, Alpha, Beta, Live Governance gates, funding Governance gates, technical Tech radar Peer review Publication of documentation
- Slides: 7