prepare to defend thyself with blue/green
My Story
about.me/Fabian.Lim
● Xxxxxxxxxx Engineer
○ http://tech.gov.sg
● Passionate about CICD
● Cultural Hacking
● Always Thinking about Red Teaming Possibilities
[Diagram: CICD pipeline. GitHub (source code check-in) -> Jenkins (build tools) -> S3 (artifact repository) -> CodePipeline (deployment tools) -> CodeDeploy -> EC2 (production environment)]
CICD Pipeline is awesome
Code change is introduced
Build starts, and passes!
Artifact is dropped into repository
CD Tool picks up new artifact for testing
CD Tool uses new artifact to deploy
New/latest code is deployed on an instance!
Shoot, I need to revert the previous code change! The whole CICD process repeats...
Code change is introduced
Build starts, passes!
Artifact is dropped into repository
CD Tool picks up new artifact for testing
CD Tool uses new artifact to deploy
Code changes are deployed on the same instance
Downsides
● Downtime (SLA)
● Previous State of Deployment is overwritten
● Resistance to Infrastructure Changes
● Relatively Sequential (Traffic Jam Scenario)
[Diagram: blue-green CICD pipeline. GitHub (source code check-in) -> Jenkins (continuous integration) -> S3 (artifact repository) -> CodePipeline (continuous deployment) -> CodeDeploy -> blue and green EC2 stacks (production environment). Red outline indicates current CICD workflow; a LIVE badge marks the stack serving traffic]
Blue-green to the rescue!
Code change is introduced
Build starts, and passes!
Artifact is dropped into repository
CD Tool picks up new artifact for testing
CD Tool picks up new artifact for deployment
Code changes are deployed on green, which goes live alongside blue
Completely switch over to green, decommission blue
Known good code / state is preserved on blue
Completely switch over to blue, decommission green
How does blue-green defend thy stack?
● Minimise Downtime
● Preserved Last Known Deployment
● Robust Infrastructure
● Parallel Pipelines
Preserved Last Known Deployment
● Rollback enabled
● Debugging
● Forensics
○ Take it offline and isolate
○ Selfie* anyone?
*https://alldaydevops2016.sched.org/event/8614/taking-a-selfie-just-try-to-resist-doing-forensics-the-devsecops-way
● Resilient to Security Testing and Fire Drills
● Restore to known good state
○ “Refresh” stack
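The blue-green cut-over, rollback and "take it offline and isolate" steps described above, as an added Python model (not code from the talk or its GitHub repository). The Stack and BlueGreen classes, the router pointer `live` standing in for a load balancer, and the health_check callback standing in for the CD tool's tests are all assumptions; the model shows that the idle stack keeps the last known good deployment and that an isolated stack is never redeployed over.

```python
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple
@dataclass(frozen=True)
class Stack:  # one environment ("blue" or "green"); hypothetical model of an EC2 stack
    name: str
    version: Optional[str] = None  # artifact version currently deployed, None if empty
    healthy: bool = True           # result of post-deploy testing
    isolated: bool = False         # taken offline for forensics; never redeployed over

class BlueGreen:  # a router pointer plus two stacks; the idle one keeps last known good
    def __init__(self) -> None:
        self.stacks = {"blue": Stack("blue"), "green": Stack("green")}
        self.live: Optional[str] = None           # stack receiving production traffic
        self.cutovers: List[Tuple] = []           # audit trail: (from, to, version)

    def idle(self) -> str:
        return "green" if self.live == "blue" else "blue"

    def deploy(self, version: str, health_check: Callable[[str], bool]) -> str:
        """Deploy to the idle stack only; the live stack is never overwritten."""
        target = self.stacks[self.idle()]
        if target.isolated:
            raise RuntimeError(f"{target.name} is isolated for forensics; not redeploying")
        self.stacks[target.name] = replace(target, version=version,
                                           healthy=bool(health_check(version)))
        return target.name

    def cutover(self) -> str:
        """Point traffic at the idle stack if its tests passed; return the new live stack."""
        target = self.stacks[self.idle()]
        if target.version is None or not target.healthy:
            raise RuntimeError(f"{target.name} failed testing; traffic stays on {self.live}")
        self.cutovers.append((self.live, target.name, target.version))
        self.live = target.name
        return self.live

    def rollback(self) -> str:
        """Switch back to the preserved previous stack: no rebuild, no redeploy."""
        previous = self.stacks[self.idle()]
        if previous.version is None or previous.isolated:
            raise RuntimeError("no restorable previous stack")
        self.cutovers.append((self.live, previous.name, previous.version))
        self.live = previous.name
        return self.live

    def isolate_idle(self) -> Stack:
        """Take the non-live stack offline, frozen as-is, for debugging or forensics."""
        name = self.idle()
        self.stacks[name] = replace(self.stacks[name], isolated=True)
        return self.stacks[name]
```

With only two stacks, isolating one for forensics leaves nothing to deploy into until a fresh stack is provisioned, which is the "rainbow" case the slides go on to mention.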
Robust Infrastructure
● Vulnerability Management
○ Quick to patch zero days - app to infra layers
○ One New Zero-Day Vulnerability Discovered on Average Every Week*
*https://www.symantec.com/en/aa/about/newsroom/press-releases/2016/symantec_0413_01
Parallel Pipelines
● Why stop at blue-green?
● Go RAINBOW!
● Scale
○ Restore to multiple states on multiple instances
Crawl.
● Virtualization
● Infrastructure and Security as Code
● Build a CICD process
● Plan for Security Testing
● Identify where Blue-Green is relevant*
*https://d0.awsstatic.com/whitepapers/AWS_Blue_Green_Deployments.pdf
[Crawl, Walk, Run progression graphic]
Walk.
● Automate Existing CICD Process
● Incorporate Security Testing
● Manually implement Blue-Green where relevant
Just securing the end product isn’t enough, it’s the WHOLE pipeline that’s the attack vector
Red arrows indicate attack vectors
Emphasize securing the pipeline as much as the end product
Red team* it; to fix it.
[Diagram: Goal and Method]
*https://alldaydevops2016.sched.org/event/861E/operationalizing-red-team-for-fun-and-profit
https://github.com/fabianlim1989/DefendThyselfBlueGreen