2017-02-21 AFCEA West: Building Continuous Integration & Deployment (CI/CD) Pipelines in Partnership with Security Teams
TRANSCRIPT
DevOpsSec: Building CI/CD with Security Teams
Shawn Wells, Chief Security Strategist, Red Hat Public Sector. [email protected] || 443-534-0130
NDA REQUIRED | JIM TYRRELL
RELEASES PER YEAR (chart residue): 1/day ... 1/hour
INTRO TO CI/CD
https://www.youtube.com/watch?v=65BnTLcDAJI
Diagram labels: source repository, CI/CD engine, dev container
Meanwhile, in Government: FISMA from an earlier era
● Written in 2003-2004
● Pre GovCloud, C2S, MilCloud
● Pre DevOps, Infrastructure as Code
● Multi-year dev/ship cycles common
● Waterfall dominant
● IT was more manual a decade ago
https://www.telos.com/assets/Telos-AWS-white-paper.pdf
DevOps + Security
Layered Packaging: Separation of Concerns
Diagram labels: Operations | Architects | Application developers
Public and Private Registries
● What security meta-data is available for your images?
● Are the images updated regularly?
● Are there access controls in the registry? How strong are they?
Registries: Where do you get your containers?
● Red Hat Container Registry
● Policies to control who can deploy which containers
● Certification Catalog
● Trusted content with security updates
Diagram labels (two stacks): HOST OS → CONTAINER (OS, RUNTIME, APP)
You need to know . . .
● Will what’s inside your container compromise your infrastructure?
● Are there known vulnerabilities in the application layer?
● Are the runtime and operating system layers up to date?
Container Contents Matter
Diagram labels: CONTAINER (OS, RUNTIME, APPLICATION)
Community-created portfolio of tools and content to assess systems for known vulnerabilities.
https://github.com/NSAgov or direct: https://github.com/OpenSCAP
https://github.com/nsagov
RHEL7 STIG content, rebased in RHEL 7.3:
● 6,180 commits from 95 people
● 441,055 lines of code
OpenSCAP interpreter contains:
● 6,811 commits from 74 people
● 157,775 lines of code
“Security Button” RHEL7 Installer:
● 6 people, 90 days
Shipping in RHEL 7:
● Intelligence Community: C2S and CS2
● DoD: RHEL7 Vendor STIG
● Civilian: USGCB/OSPP
● Justice: FBI Criminal Justice Info. Systems (FBI CJIS)
Atomic Scan: enables multiple container scanners
Red Hat container scanning API
Diagram label: RED HAT CONTAINER SCANNING INTERFACE
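The registry, container-contents and Atomic Scan slides above all pose questions a pipeline has to answer before an image is deployed: what metadata the registry carries for the image, whether the image is kept current, and whether the OS, runtime or application layer carries known vulnerabilities. The following is an added example, written for this transcript and not code from the talk, Red Hat or Atomic Scan, of a pipeline gate that turns a scanner's findings into a deploy/no-deploy decision. The report layout, the image name, the labels and the CVE identifiers are all constructed placeholders (a real scanner emits its own format); the severity ladder Low/Moderate/Important/Critical is the one Red Hat uses for its advisories.

```python
"""CI/CD gate: evaluate a container scan report against a deploy policy.

Added example for this transcript. The report shape below is hypothetical;
adapt the parsing to whatever scanner the Atomic Scan interface runs.
"""
import json
from dataclasses import dataclass, field
from datetime import date

# Severity ladder as used by Red Hat security advisories.
SEVERITY_RANK = {"LOW": 1, "MODERATE": 2, "IMPORTANT": 3, "CRITICAL": 4}

# Constructed sample report (hypothetical format, placeholder image name and CVE ids).
SAMPLE_REPORT = json.dumps({
    "image": "registry.example/internal/app:1.4.2",
    "labels": {"maintainer": "platform-team", "build-date": "2017-01-05"},
    "layers": [
        {"name": "os", "findings": [
            {"id": "CVE-PLACEHOLDER-0001", "severity": "MODERATE", "fixed_in": "1.0.2k"}]},
        {"name": "runtime", "findings": []},
        {"name": "application", "findings": [
            {"id": "CVE-PLACEHOLDER-0002", "severity": "IMPORTANT", "fixed_in": None}]},
    ],
})


@dataclass(frozen=True)
class GatePolicy:
    block_at: str = "IMPORTANT"        # findings at or above this severity stop the deploy
    max_image_age_days: int = 90       # "are the images updated regularly?"
    required_labels: tuple = ("maintainer", "build-date")  # "what metadata is available?"


@dataclass
class GateResult:
    allowed: bool
    reasons: list = field(default_factory=list)
    findings_per_layer: dict = field(default_factory=dict)


def _rank(severity):
    # Fail closed: an unknown or missing severity is treated as Critical, not ignored.
    return SEVERITY_RANK.get(str(severity).upper(), SEVERITY_RANK["CRITICAL"])


def evaluate(report_json, policy=GatePolicy(), today=None):
    """Return a GateResult; allowed is True only when no reason to block was found."""
    report = json.loads(report_json)
    today = today or date.today()
    reasons = []

    # 1. Registry metadata: an image without provenance labels is not deployable.
    labels = report.get("labels", {})
    for name in policy.required_labels:
        if name not in labels:
            reasons.append(f"missing required label '{name}'")

    # 2. Freshness: a stale image means a stale OS/runtime layer under the app.
    if "build-date" in labels:
        try:
            age = (today - date.fromisoformat(labels["build-date"])).days
            if age > policy.max_image_age_days:
                reasons.append(f"image built {age} days ago "
                               f"(limit {policy.max_image_age_days})")
        except ValueError:
            reasons.append(f"unparseable build-date '{labels['build-date']}'")

    # 3. Known vulnerabilities, reported per layer so the owning team is obvious
    #    (OS/runtime -> operations, application -> developers).
    threshold = _rank(policy.block_at)
    per_layer = {}
    for layer in report.get("layers", []):
        findings = layer.get("findings", [])
        per_layer[layer["name"]] = len(findings)
        for f in findings:
            if _rank(f.get("severity")) >= threshold:
                fix = f.get("fixed_in")
                remedy = f"fixed in {fix}" if fix else "no fix available"
                reasons.append(f"{layer['name']} layer: {f['id']} "
                               f"({f.get('severity')}, {remedy})")

    return GateResult(allowed=not reasons, reasons=reasons, findings_per_layer=per_layer)


if __name__ == "__main__":
    result = evaluate(SAMPLE_REPORT, today=date(2017, 2, 21))
    print("DEPLOY" if result.allowed else "BLOCK")
    for reason in result.reasons:
        print(" -", reason)
```

The gate deliberately fails closed on anything it cannot classify (unknown severity, unparseable build date), and it lists every blocking reason rather than stopping at the first so that a developer and an operations engineer can each see the findings in their own layer from a single pipeline run.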
Example Pipeline
demos!
Thank You
Contact Info
LinkedIn: https://www.linkedin.com/in/shawndwells/
Email: [email protected]
Cell: 443-534-0130 (US EST)
Blog: https://shawnwells.io
OpenSCAP Slides + Videos: https://github.com/OpenSCAP/scap-security-guide/wiki/Collateral-and-References