Abstract image of a woman sitting on books and studying on a laptop

DevSecOps: Bringing security to the DevOps pipeline

Aarno Aukia, profile picture
Aarno Aukia

The document presents Vshn, a DevOps company in Switzerland, emphasizing continuous security improvement in the DevOps process through automation and best practices in areas like application security, deployment, and operational governance. It highlights significant principles of DevSecOps, including code analysis, dependency management, and incident detection, while also outlining tools used such as Sonarqube, Dependabot, and AquaSec. Additionally, it discusses the implementation of Kubernetes for cloud-native IT governance, showcasing its benefits in security, configuration management, and operational efficiency.

Software
Related topics:
Information SecurityContinuous IntegrationContinuous Improvement
1 of 30
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
VSHN - The DevOps Company Continuous Security improvement in the DevOps process Aarno Aukia, CTO @ VSHN - The DevOps Company
VSHN - The DevOps Company ● About Aarno & VSHN.ch ● From Ops to DevOps ● DevOps/DevSecOps/SecOps? ● Automating Operations to include security ○ Build ○ Test ○ Deployment ○ Ops ● IT Governance benefits 22 Agenda
VSHN - The DevOps Company @aarnoaukia http://about.me/aarno aarno.aukia@vshn.ch ETH → Google → Atrila → VSHN VSHN - The DevOps Company Since 2014, currently 35 VSHNeers in Zürich, Switzerland Helping Developers run applications on any infrastructure making both visitors happy with stability and developers happy with agility 33 About Aarno & VSHN.ch
VSHN - The DevOps Company 4 OPS = Firefighting-as-a-Service ? 4
VSHN - The DevOps Company Capability Maturity Model Integration (CMMI) 55 Operations 2014 How to get to this level?
VSHN - The DevOps Company DevOps: CMMI Level 5: People, Processes & Tools 66
VSHN - The DevOps Company ● Developer education, requirements engineering, design review -> AppSec ● Software Build/Deployment/Operations -> DevSecOps ● Incident detection & management -> SecOps 77 Areas of security improvement
VSHN - The DevOps Company ● Developer education, requirements engineering, design review -> AppSec ● Software Build/Deployment/Operations -> DevSecOps ● Incident detection & management -> SecOps 88 Areas of security improvement
VSHN - The DevOps Company DevSecOps principles 99
VSHN - The DevOps Company ● static code analysis automatically for each commit ● Dependency Management ● (base) container image scanning 1010 Build
VSHN - The DevOps Company Code analysis: sonarqube 1111
VSHN - The DevOps Company 1212 Dependency updates: https://dependabot.com
VSHN - The DevOps Company Container scanning: aquasec 1313
VSHN - The DevOps Company ● smoke tests ● test envs “à discretion” 1414 Test
VSHN - The DevOps Company ● atomic container deployment ● every deployment (and rollback) is a “normal deployment” ● deployment automation removes need for (all) devs root prod access and/or waiting for ops to deploy new dev version 1515 Deployment
VSHN - The DevOps Company ● standardization on (minimal, hardened) OS and container orchestrator ● immutable (application) infrastructure using containers ● process/storage/network separation of applications/environments ● detect/prevent configuration drift between dev/test/stage/prod envs ● documentation & automatic backup of all volumes ● documentation & monitoring of routes/loadbalancers/ingresspoints with enforcing SSL/TLS ● AAI for admin & application ● key & secrets management ● audit logging of control & application planes 1616 Ops
VSHN - The DevOps Company Container isolation 1717 ● Kernel namespacing (process & network) ● Control groups (resource quota to prevent DoS) ● SELinux (additional syscall filter) ● prevent running as root inside container, no user-provided privileged containers (enforce best practice) ● readonly container filesystem (harder to persist exploit at runtime)
VSHN - The DevOps Company AAI: Keycloak 1818 ● Identity & Access Management ● Single sign in/out ● Identity brokering: ○ OpenID Connect (OAuth2, FB/Twitter/Github etc.) ○ SAML2.0 ○ Kerberos ● User federation: LDAP, AD, etc ● 2FA: TOTP/HOTP ● Managing the Authorization groups
VSHN - The DevOps Company Logs: ELK/EFK/Greylog 1919 ● Logging all access and changes through the control plane ● Logging all access to the application and correlate with application logs ● Index, view, filter, aggregate KPI → monitoring ● Store outside of application scope
VSHN - The DevOps Company ● Prometheus ○ time series database ○ open source / CNCF-project ○ well-integrated in docker/kubernetes stats ● NewRelic APM ○ application-level profiling ○ performance tracking ○ exception tracking (backend & frontend) ○ available as SaaS 2020 Metrics: Prometheus / NewRelic
VSHN - The DevOps Company ● “Full Stack Audit” ● Review design document ● Every layer was custom built ○ physical hardware ○ handcrafted servers ○ manual application deployment ● Review each layer ● Review each layer again next year... 2121 Traditional IT governance
VSHN - The DevOps Company ● Standardized components ○ already audited, some even externally certified ○ re-used, economies of scale, CMMI level 5 ○ tech controls (AAI, RBAC, logs/SIEM) implemented once ○ financial controls implemented once ● Infrastructure: private/public cloud ● Ops: Container orchestration platform ● Review design document & platform configuration 2222 Cloud native IT governance
VSHN - The DevOps Company Docker Kubernetes 2323 Layers of abstraction Hardware Operating System Service discovery & Load balancing Application Server Application Cloud/Onprem
VSHN - The DevOps Company ● Red Hat OpenShift ● Rancher RKE ● Canonical ● Docker Datacenter Enterprise ● IBM cloud private ● EKS, AKS, GKE ● APPUiO.ch See also https://thenewstack.io/find-perfect-kubernetes-distribution/ 2424 Kubernetes Distributions
VSHN - The DevOps Company ● Free & open standard ● Adopted by all major vendors (Google, AWS, MS, Redhat, Suse, IBM, etc) ● available as managed service both on-premises and (private) cloud based ● Provides integration in infrastructure (compute, storage, networking) ● Provides optional integration in plattform (e.g. DBaaS, S3) services ● Infrastructure as code, automation, tools for DevOps processes ● Large ecosystem of auxiliary tooling & integration available ● Is being adopted as standard runtime by ISVs (Avaloq, Finnova, Abacus, Adcubum, Ergon, etc) 2525 Benefits of Kubernetes as abstraction
VSHN - The DevOps Company ● prevent configuration drift ○ immutable (application) infrastructure using containers ○ deploy dev/test/stage/prod envs from CI/CD ● prevent manual errors ○ validate configuration in CI/CD before deployment ○ standardization on (minimal, hardened) OS and container orchestrator ○ deployment automation removes need for (most) root prod access ● security by default ○ image scanning, dependency vulnerability management ○ process/storage/network separation of applications/environments ○ volumes & ingresspoints best practice (documentation, monitoring, backup, SSL/TLS/WAF) ○ AAI for admin & application, audit trail logging of CI/CD, control & application planes ○ key & secrets management ● 2626 IT governance controls in container platforms
VSHN - The DevOps Company ● Please do get in touch with feedback ● Twitter: @aarnoaukia ● Linkedin: https://www.linkedin.com/in/aukia/ ● Email: aarno.aukia@vshn.ch 2727 Thank you
VSHN - The DevOps Company The CNCF Landscape 2828
VSHN - The DevOps Company Next Event May 9, 2019 from 6.00pm https://www.meetup.com/Cloud-Native-Computing-Switzerland Please volunteer for Sponsoring & Talks https://cnc-meetup.ch 2929 Cloud Native Computing
Come visit us for a coffee! VSHN AG - Neugasse 10 - CH-8005 Zürich - +41 44 545 53 00 - https://vshn.ch/ - info@vshn.ch https://vshn.ch/kontakt/ Follow us on Twitter! @vshn_ch 30

More Related Content

PDF
Developing Microservices Directly in AKS/Kubernetes
Chakradhar Rao Jonagam
 
PDF
Dev opsec dockerimage_patch_n_lifecyclemanagement_2019
kanedafromparis
 
PPTX
Introduction to openshift
MamathaBusi
 
PDF
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
DevOps.com
 
PDF
What are DevOps Application Patterns on AWS…and why do I need them?
DevOps.com
 
PDF
Modernizing Java Apps with Docker
Docker, Inc.
 
PDF
DCEU 18: State of the Docker Engine
Docker, Inc.
 
PPTX
Building Developer Pipelines with PKS, Harbor, Clair, and Concourse
VMware Tanzu
 
Developing Microservices Directly in AKS/Kubernetes
Chakradhar Rao Jonagam
 
Dev opsec dockerimage_patch_n_lifecyclemanagement_2019
kanedafromparis
 
Introduction to openshift
MamathaBusi
 
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
DevOps.com
 
What are DevOps Application Patterns on AWS…and why do I need them?
DevOps.com
 
Modernizing Java Apps with Docker
Docker, Inc.
 
DCEU 18: State of the Docker Engine
Docker, Inc.
 
Building Developer Pipelines with PKS, Harbor, Clair, and Concourse
VMware Tanzu
 

What's hot (20)

PPTX
Top 5 benefits of docker
John Zaccone
 
PDF
Docker in Production, Look No Hands! by Scott Coulton
Docker, Inc.
 
PDF
Back to the Future: Containerize Legacy Applications
Docker, Inc.
 
PDF
A Story of Cultural Change: PayPal's 2 Year Journey to 150,000 Containers wit...
Docker, Inc.
 
PDF
What HPC can learn from DevOps?
Walid Shaari
 
PDF
Red Hat OpenShift on Bare Metal and Containerized Storage
Greg Hoelzer
 
PDF
DCEU 18: Desigual Transforms the In-Store Experience with Docker Enterprise C...
Docker, Inc.
 
PDF
OpenShift Meetup 8th july 2019 at ConSol - OpenShift v4
Robert Bohne
 
PDF
DCEU 18: Docker Enterprise Platform and Architecture
Docker, Inc.
 
PPT
Docker benefits v0.1
Dayanand Shanmugham
 
PDF
Docker to the Rescue of an Ops Team
Rachid Zarouali
 
PDF
Docker for any type of workload and any IT Infrastructure
Docker, Inc.
 
PPTX
LlinuxKit security, Security Scanning and Notary
Docker, Inc.
 
PDF
Developer joy for distributed teams with CodeReady Workspaces | DevNation Tec...
Red Hat Developers
 
PPTX
Docker - A curtain raiser to the Container world
zekeLabs Technologies
 
PDF
OSDC 2018 | Highly Available Cloud Foundry on Kubernetes by Cornelius Schumacher
NETWAYS
 
PPTX
Docker, the Future of Distributed Applications | Docker Tour de France 2014
Julien Barbier
 
PDF
Automating CICD Pipeline with GitLab and Docker Containers for Java Applications
Jelastic Multi-Cloud PaaS
 
PPTX
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Docker, Inc.
 
PDF
DCEU 18: Docker Container Security
Docker, Inc.
 
Top 5 benefits of docker
John Zaccone
 
Docker in Production, Look No Hands! by Scott Coulton
Docker, Inc.
 
Back to the Future: Containerize Legacy Applications
Docker, Inc.
 
A Story of Cultural Change: PayPal's 2 Year Journey to 150,000 Containers wit...
Docker, Inc.
 
What HPC can learn from DevOps?
Walid Shaari
 
Red Hat OpenShift on Bare Metal and Containerized Storage
Greg Hoelzer
 
DCEU 18: Desigual Transforms the In-Store Experience with Docker Enterprise C...
Docker, Inc.
 
OpenShift Meetup 8th july 2019 at ConSol - OpenShift v4
Robert Bohne
 
DCEU 18: Docker Enterprise Platform and Architecture
Docker, Inc.
 
Docker benefits v0.1
Dayanand Shanmugham
 
Docker to the Rescue of an Ops Team
Rachid Zarouali
 
Docker for any type of workload and any IT Infrastructure
Docker, Inc.
 
LlinuxKit security, Security Scanning and Notary
Docker, Inc.
 
Developer joy for distributed teams with CodeReady Workspaces | DevNation Tec...
Red Hat Developers
 
Docker - A curtain raiser to the Container world
zekeLabs Technologies
 
OSDC 2018 | Highly Available Cloud Foundry on Kubernetes by Cornelius Schumacher
NETWAYS
 
Docker, the Future of Distributed Applications | Docker Tour de France 2014
Julien Barbier
 
Automating CICD Pipeline with GitLab and Docker Containers for Java Applications
Jelastic Multi-Cloud PaaS
 
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Docker, Inc.
 
DCEU 18: Docker Container Security
Docker, Inc.
 

Similar to DevSecOps: Bringing security to the DevOps pipeline (20)

PDF
Continuous security improvements in the DevOps process
Aarno Aukia
 
PDF
DevSecOps - Security in DevOps
Aarno Aukia
 
PDF
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
PDF
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
PDF
IT Governance and Security Architecture in Docker, Kubernetes, OpenShift
Aarno Aukia
 
PDF
Next gen software operations models in the cloud
Aarno Aukia
 
PDF
A guide to modern software development 2018
Peter Bittner
 
PDF
Application Portability using Cloud Native Technology: Docker, Kubernetes
Aarno Aukia
 
PDF
Wie macht man aus Software einen Online-Service in der Cloud
Aarno Aukia
 
PDF
Security in the DevOps pipeline of containerized core application: Case Study...
Aarno Aukia
 
PDF
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
William Caban
 
PDF
DevOps & DevSecOps in Swiss Banking
Aarno Aukia
 
PPTX
AzureDay Kyiv 2016 Release Management
Sergii Kryshtop
 
PDF
8 - OpenShift - A look at a container platform: what's in the box
Kangaroot
 
PDF
Cloud Native Development
Manuel Garcia
 
PDF
Taking AppSec to 11 - BSides Austin 2016
Matt Tesauro
 
PDF
DevOps Foundations
Amr Fawzy
 
PDF
Devops with Python by Yaniv Cohen DevopShift
Yaniv cohen
 
PDF
DevSecOps: Putting the Sec into the DevOps
shira koper
 
PDF
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Matt Tesauro
 
Continuous security improvements in the DevOps process
Aarno Aukia
 
DevSecOps - Security in DevOps
Aarno Aukia
 
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
IT Governance and Security Architecture in Docker, Kubernetes, OpenShift
Aarno Aukia
 
Next gen software operations models in the cloud
Aarno Aukia
 
A guide to modern software development 2018
Peter Bittner
 
Application Portability using Cloud Native Technology: Docker, Kubernetes
Aarno Aukia
 
Wie macht man aus Software einen Online-Service in der Cloud
Aarno Aukia
 
Security in the DevOps pipeline of containerized core application: Case Study...
Aarno Aukia
 
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
William Caban
 
DevOps & DevSecOps in Swiss Banking
Aarno Aukia
 
AzureDay Kyiv 2016 Release Management
Sergii Kryshtop
 
8 - OpenShift - A look at a container platform: what's in the box
Kangaroot
 
Cloud Native Development
Manuel Garcia
 
Taking AppSec to 11 - BSides Austin 2016
Matt Tesauro
 
DevOps Foundations
Amr Fawzy
 
Devops with Python by Yaniv Cohen DevopShift
Yaniv cohen
 
DevSecOps: Putting the Sec into the DevOps
shira koper
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Matt Tesauro
 

More from Aarno Aukia (20)

PDF
DevOps for AI: running LLMs in production with Kubernetes and KubeFlow
Aarno Aukia
 
PDF
The printing press of 2021 - using GitLab to publish the VSHN Handbook
Aarno Aukia
 
PDF
Applikationsmodernisierung: Der Weg von Legacy in die Cloud
Aarno Aukia
 
PDF
Von der Straße in die Cloud: Optimierung von Logistikprozessen mit Docker, Ku...
Aarno Aukia
 
PDF
Kubecon 2019 Recap
Aarno Aukia
 
PDF
My broken container is gone - how to debug containers on container platforms
Aarno Aukia
 
PDF
Automated Server Administration for DevSecOps
Aarno Aukia
 
PDF
Wir arbeiten in der Cloud – eine Herausforderung für das IT Management?
Aarno Aukia
 
PDF
Moving Applications to the cloud
Aarno Aukia
 
PDF
Migration von Applikationen in die Cloud
Aarno Aukia
 
PDF
IPv6 on Container Plattforms
Aarno Aukia
 
PDF
Cloud Native Computing & DevOps
Aarno Aukia
 
PDF
Cloud Native Computing
Aarno Aukia
 
PDF
Cloud Native Computing Meetup Zürich Jan 11 2018
Aarno Aukia
 
PDF
Wie nutzen wir Cloud-Infrastruktur @ VSHN.ch
Aarno Aukia
 
PDF
Scalable Web Applications with 100% open source
Aarno Aukia
 
PDF
SecDevOps 2017
Aarno Aukia
 
PDF
Cloud Native Computing Meetup Zürich
Aarno Aukia
 
PDF
DevOps for E-Commerce
Aarno Aukia
 
PDF
Scalable Python with Docker, Kubernetes, OpenShift
Aarno Aukia
 
DevOps for AI: running LLMs in production with Kubernetes and KubeFlow
Aarno Aukia
 
The printing press of 2021 - using GitLab to publish the VSHN Handbook
Aarno Aukia
 
Applikationsmodernisierung: Der Weg von Legacy in die Cloud
Aarno Aukia
 
Von der Straße in die Cloud: Optimierung von Logistikprozessen mit Docker, Ku...
Aarno Aukia
 
Kubecon 2019 Recap
Aarno Aukia
 
My broken container is gone - how to debug containers on container platforms
Aarno Aukia
 
Automated Server Administration for DevSecOps
Aarno Aukia
 
Wir arbeiten in der Cloud – eine Herausforderung für das IT Management?
Aarno Aukia
 
Moving Applications to the cloud
Aarno Aukia
 
Migration von Applikationen in die Cloud
Aarno Aukia
 
IPv6 on Container Plattforms
Aarno Aukia
 
Cloud Native Computing & DevOps
Aarno Aukia
 
Cloud Native Computing
Aarno Aukia
 
Cloud Native Computing Meetup Zürich Jan 11 2018
Aarno Aukia
 
Wie nutzen wir Cloud-Infrastruktur @ VSHN.ch
Aarno Aukia
 
Scalable Web Applications with 100% open source
Aarno Aukia
 
SecDevOps 2017
Aarno Aukia
 
Cloud Native Computing Meetup Zürich
Aarno Aukia
 
DevOps for E-Commerce
Aarno Aukia
 
Scalable Python with Docker, Kubernetes, OpenShift
Aarno Aukia
 

Recently uploaded (20)

PPTX
Bandicam Screen Recorder 8.2.1 Build 2529 Crack
goldheera888
 
PDF
solman-7.0-ehp1-sp21-incident-management
Giuseppe Caselli
 
PDF
Odoo Construction Management System by CandidRoot
CandidRoot Solutions Private Limited
 
PPTX
Swiggy API Scraping A Comprehensive Guide on Data Sets and Applications.pptx
FoodData Scrape
 
PPTX
Presentation - Summer Internship at Samatrix.io_template_2.pptx
omchoksi99
 
PDF
WhatsApp Chatbots The Key to Scalable Customer Support.pdf
Quick Message
 
PDF
Top 10 Project Management Software for Small Teams in 2025.pdf
Tech Qafila
 
PPTX
FLIGHT TICKET API | API INTEGRATION PLATFORM
philipnathen82
 
PPTX
StacksandQueuesCLASS 12 COMPUTER SCIENCE.pptx
manivarsh
 
PPTX
Greedy best-first search algorithm always selects the path which appears best...
abihanaqvi8
 
PPTX
Foundations of Marketo Engage: Nurturing
bbedford2
 
PPTX
Improving Audience Engagement ROI with ERP-Powered Insights
SatishKumar2651
 
PDF
Coding with GPT-5- What’s New in GPT 5 That Benefits Developers.pdf
DianApps Technologies
 
PPTX
ESDS_SAP Application Cloud Offerings.pptx
AAlam20
 
PDF
Adlice Diag Crack With Serial Key Free Download 2025
roppashagger
 
PPTX
MCP empowers AI Agents from Zero to Production
innovaterz
 
PDF
Building an Inclusive Web Accessibility Made Simple with Accessibility Analyzer
Accessibility Analyzer
 
PPTX
Folder Lock 10.1.9 Crack With Serial Key
alishamir792
 
PPTX
Human Computer Interaction lecture Chapter 2.pptx
ubaidzafar2
 
PDF
How to Set Realistic Project Milestones and Deadlines
Orangescrum
 
Bandicam Screen Recorder 8.2.1 Build 2529 Crack
goldheera888
 
solman-7.0-ehp1-sp21-incident-management
Giuseppe Caselli
 
Odoo Construction Management System by CandidRoot
CandidRoot Solutions Private Limited
 
Swiggy API Scraping A Comprehensive Guide on Data Sets and Applications.pptx
FoodData Scrape
 
Presentation - Summer Internship at Samatrix.io_template_2.pptx
omchoksi99
 
WhatsApp Chatbots The Key to Scalable Customer Support.pdf
Quick Message
 
Top 10 Project Management Software for Small Teams in 2025.pdf
Tech Qafila
 
FLIGHT TICKET API | API INTEGRATION PLATFORM
philipnathen82
 
StacksandQueuesCLASS 12 COMPUTER SCIENCE.pptx
manivarsh
 
Greedy best-first search algorithm always selects the path which appears best...
abihanaqvi8
 
Foundations of Marketo Engage: Nurturing
bbedford2
 
Improving Audience Engagement ROI with ERP-Powered Insights
SatishKumar2651
 
Coding with GPT-5- What’s New in GPT 5 That Benefits Developers.pdf
DianApps Technologies
 
ESDS_SAP Application Cloud Offerings.pptx
AAlam20
 
Adlice Diag Crack With Serial Key Free Download 2025
roppashagger
 
MCP empowers AI Agents from Zero to Production
innovaterz
 
Building an Inclusive Web Accessibility Made Simple with Accessibility Analyzer
Accessibility Analyzer
 
Folder Lock 10.1.9 Crack With Serial Key
alishamir792
 
Human Computer Interaction lecture Chapter 2.pptx
ubaidzafar2
 
How to Set Realistic Project Milestones and Deadlines
Orangescrum
 

DevSecOps: Bringing security to the DevOps pipeline

  • 1. VSHN - The DevOps Company Continuous Security improvement in the DevOps process Aarno Aukia, CTO @ VSHN - The DevOps Company
  • 2. VSHN - The DevOps Company ● About Aarno & VSHN.ch ● From Ops to DevOps ● DevOps/DevSecOps/SecOps? ● Automating Operations to include security ○ Build ○ Test ○ Deployment ○ Ops ● IT Governance benefits 22 Agenda
  • 3. VSHN - The DevOps Company @aarnoaukia http://about.me/aarno [email protected] ETH → Google → Atrila → VSHN VSHN - The DevOps Company Since 2014, currently 35 VSHNeers in Zürich, Switzerland Helping Developers run applications on any infrastructure making both visitors happy with stability and developers happy with agility 33 About Aarno & VSHN.ch
  • 4. VSHN - The DevOps Company 4 OPS = Firefighting-as-a-Service ? 4
  • 5. VSHN - The DevOps Company Capability Maturity Model Integration (CMMI) 55 Operations 2014 How to get to this level?
  • 6. VSHN - The DevOps Company DevOps: CMMI Level 5: People, Processes & Tools 66
  • 7. VSHN - The DevOps Company ● Developer education, requirements engineering, design review -> AppSec ● Software Build/Deployment/Operations -> DevSecOps ● Incident detection & management -> SecOps 77 Areas of security improvement
  • 8. VSHN - The DevOps Company ● Developer education, requirements engineering, design review -> AppSec ● Software Build/Deployment/Operations -> DevSecOps ● Incident detection & management -> SecOps 88 Areas of security improvement
  • 9. VSHN - The DevOps Company DevSecOps principles 99
  • 10. VSHN - The DevOps Company ● static code analysis automatically for each commit ● Dependency Management ● (base) container image scanning 1010 Build
  • 11. VSHN - The DevOps Company Code analysis: sonarqube 1111
  • 12. VSHN - The DevOps Company 1212 Dependency updates: https://dependabot.com
  • 13. VSHN - The DevOps Company Container scanning: aquasec 1313
  • 14. VSHN - The DevOps Company ● smoke tests ● test envs “à discretion” 1414 Test
  • 15. VSHN - The DevOps Company ● atomic container deployment ● every deployment (and rollback) is a “normal deployment” ● deployment automation removes need for (all) devs root prod access and/or waiting for ops to deploy new dev version 1515 Deployment
  • 16. VSHN - The DevOps Company ● standardization on (minimal, hardened) OS and container orchestrator ● immutable (application) infrastructure using containers ● process/storage/network separation of applications/environments ● detect/prevent configuration drift between dev/test/stage/prod envs ● documentation & automatic backup of all volumes ● documentation & monitoring of routes/loadbalancers/ingresspoints with enforcing SSL/TLS ● AAI for admin & application ● key & secrets management ● audit logging of control & application planes 1616 Ops
  • 17. VSHN - The DevOps Company Container isolation 1717 ● Kernel namespacing (process & network) ● Control groups (resource quota to prevent DoS) ● SELinux (additional syscall filter) ● prevent running as root inside container, no user-provided privileged containers (enforce best practice) ● readonly container filesystem (harder to persist exploit at runtime)
  • 18. VSHN - The DevOps Company AAI: Keycloak 1818 ● Identity & Access Management ● Single sign in/out ● Identity brokering: ○ OpenID Connect (OAuth2, FB/Twitter/Github etc.) ○ SAML2.0 ○ Kerberos ● User federation: LDAP, AD, etc ● 2FA: TOTP/HOTP ● Managing the Authorization groups
  • 19. VSHN - The DevOps Company Logs: ELK/EFK/Greylog 1919 ● Logging all access and changes through the control plane ● Logging all access to the application and correlate with application logs ● Index, view, filter, aggregate KPI → monitoring ● Store outside of application scope
  • 20. VSHN - The DevOps Company ● Prometheus ○ time series database ○ open source / CNCF-project ○ well-integrated in docker/kubernetes stats ● NewRelic APM ○ application-level profiling ○ performance tracking ○ exception tracking (backend & frontend) ○ available as SaaS 2020 Metrics: Prometheus / NewRelic
  • 21. VSHN - The DevOps Company ● “Full Stack Audit” ● Review design document ● Every layer was custom built ○ physical hardware ○ handcrafted servers ○ manual application deployment ● Review each layer ● Review each layer again next year... 2121 Traditional IT governance
  • 22. VSHN - The DevOps Company ● Standardized components ○ already audited, some even externally certified ○ re-used, economies of scale, CMMI level 5 ○ tech controls (AAI, RBAC, logs/SIEM) implemented once ○ financial controls implemented once ● Infrastructure: private/public cloud ● Ops: Container orchestration platform ● Review design document & platform configuration 2222 Cloud native IT governance
  • 23. VSHN - The DevOps Company Docker Kubernetes 2323 Layers of abstraction Hardware Operating System Service discovery & Load balancing Application Server Application Cloud/Onprem
  • 24. VSHN - The DevOps Company ● Red Hat OpenShift ● Rancher RKE ● Canonical ● Docker Datacenter Enterprise ● IBM cloud private ● EKS, AKS, GKE ● APPUiO.ch See also https://thenewstack.io/find-perfect-kubernetes-distribution/ 2424 Kubernetes Distributions
  • 25. VSHN - The DevOps Company ● Free & open standard ● Adopted by all major vendors (Google, AWS, MS, Redhat, Suse, IBM, etc) ● available as managed service both on-premises and (private) cloud based ● Provides integration in infrastructure (compute, storage, networking) ● Provides optional integration in plattform (e.g. DBaaS, S3) services ● Infrastructure as code, automation, tools for DevOps processes ● Large ecosystem of auxiliary tooling & integration available ● Is being adopted as standard runtime by ISVs (Avaloq, Finnova, Abacus, Adcubum, Ergon, etc) 2525 Benefits of Kubernetes as abstraction
  • 26. VSHN - The DevOps Company ● prevent configuration drift ○ immutable (application) infrastructure using containers ○ deploy dev/test/stage/prod envs from CI/CD ● prevent manual errors ○ validate configuration in CI/CD before deployment ○ standardization on (minimal, hardened) OS and container orchestrator ○ deployment automation removes need for (most) root prod access ● security by default ○ image scanning, dependency vulnerability management ○ process/storage/network separation of applications/environments ○ volumes & ingresspoints best practice (documentation, monitoring, backup, SSL/TLS/WAF) ○ AAI for admin & application, audit trail logging of CI/CD, control & application planes ○ key & secrets management ● 2626 IT governance controls in container platforms
  • 27. VSHN - The DevOps Company ● Please do get in touch with feedback ● Twitter: @aarnoaukia ● Linkedin: https://www.linkedin.com/in/aukia/ ● Email: [email protected] 2727 Thank you
  • 28. VSHN - The DevOps Company The CNCF Landscape 2828
  • 29. VSHN - The DevOps Company Next Event May 9, 2019 from 6.00pm https://www.meetup.com/Cloud-Native-Computing-Switzerland Please volunteer for Sponsoring & Talks https://cnc-meetup.ch 2929 Cloud Native Computing
  • 30. Come visit us for a coffee! VSHN AG - Neugasse 10 - CH-8005 Zürich - +41 44 545 53 00 - https://vshn.ch/ - [email protected] https://vshn.ch/kontakt/ Follow us on Twitter! @vshn_ch 30