SlideShare a Scribd company logo

Devopssecfail

Download as PPTX, PDF
C
cacois

This document discusses various anti-patterns in DevOps security, highlighting how security testing often remains manual and emphasizing the need for automation to mitigate risks. It outlines several anti-patterns such as the 'Exceptions', 'Multiverse', 'Configurator', and others, each illustrating common pitfalls that can hinder security and reliability in software development. The author advocates for proactive failure management and continuous improvement in DevOps practices to ensure robust security measures are in place.

Software
1 of 55
Downloaded 14 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
DevOpsSecFAIL DevOps Security Anti Patterns Dr. Constantine Aaron Cois Carnegie Mellon University
Me @aaroncois www.codehenge.net github.com/cacois Disclaimer: Though I am an employee of the Software Engineering Institute at Carnegie Mellon University, this work was not funded by the SEI and does not reflect the work or opinions of the SEI or its customers.
DevOps
DevOps
DevOpsSec DevOps is a Risk Mitigation strategy, built on Situational Awareness, Automation, and Repetition
DevOpsSec But security is where a lot of DevOps implementations Fall Down
THE EXCEPTION Anti-pattern
TheException You automate… …builds …functional tests …deployment …reporting
TheException You automate… …builds …functional tests …deployment …reporting …the coffee machine Image: https://lh4.ggpht.com/z_w-yCMvUcrqZd_6eXlt7E24YvSHEak1k5lNvk5GGNYmzMaBQkH1oe3emhZk0scIWg=w300
TheException But security testing is still manual pen testing, done only on release
Automate Security Testing removes… …Human error …infrequent execution …Excuses
There are great projects out there OWASP ZAP https://www.owasp.org/index.php/OWAS P_Zed_Attack_Proxy_Project http://gauntlt.org/ GAUNTLT BE MEAN TO YOUR CODE AND LIKE IT Help improve them!
THE MULTIVERSE Anti-pattern
Image: https://artcritique.files.wordpress.com/2014/01/multiverse-and-schrodingers-cat-in-play.png
Dev TheMultiverse
StagingDev Test Prod TheMultiverse
Staging Test Prod TheMultiverse App
StagingDev Prod TheMultiverse App
Dev Test Prod TheMultiverse App
StagingDev Test TheMultiverse App
StagingDev Test Prod TheMultiverse
StagingDev Test Prod TheMultiverse
StagingDev Test Prod TheMultiverse
StagingDev Test Prod TheMultiverse
StagingDev Test Prod TheMultiverse
StagingDev Test TheMultiverse App
When nothing looks the same you can never be sure your app will behave the same
When nothing looks the same you can never be sure your app security features will behave the same
THE CONFIGURATOR Anti-pattern
TheConfigurator Manual configuration, done buy your best and brightest... Image: http://2vga1o5mew51s6gu7x0mnk7kf.wpengine.netdna-cdn.com/wp-content/uploads/main/2013_06/A-Cat-Snatching-Wires-Out-of-a-Server.jpg
TheConfigurator …will still lead to an unmanageable, unpredictable, and unrepeatable solution Image: http://assorted-images.s3.amazonaws.com/datacenterinfrastructure/messy%20data%20center.png
TheConfigurator If it’s not Automated it’s not Done
TheConfigurator If it’s not Automated it’s not Done Secure
THE INFILTRATOR Anti-pattern
TheInfiltrator He sneaks in… …and alters production …but he works for you! http://blog.landesk.com/wp-content/uploads/sites/4/2012/05/ninja.jpg
There is always a reason to make a manual changes But don’t do it!
Unexpected manual changes are often… Undocumented, Unauditable, Unrepeatable
Unexpected manual changes are often… Undocumented, Unauditable, Unrepeatable Insecure
Protip Configure production to alert the entire team when manually accessed. Transparency is key
THE SURVIVOR Anti-pattern
We’ve all been there… Intrusions overnight… …lock it down… …cascading system failures… …it’s all crashing…
It feels like…
But it ends You survive You’re out of the woods. Just glad its over. Going to go sleep for 18 hours… …and then back to normal.
Survivor mentality defeats continuous improvement When do we analyze what went wrong? How do we prevent similar failures in the future? All failures must result in codified change to DevOps process.
This attitude persists… …when we don’t expect failure. We should always expect failure. Be ready for it. Plan for it
After action rules for failure Understand exactly what went wrong Never let the same failure happen twice Propagate fixes across the enterprise Ensure that you teach the next generation
THE COLLEGE PARTY Anti-pattern
TheCollegeParty Software libraries are your guests, and everyone’s invited http://36.media.tumblr.com/2c189abde1066433264d5038df6172b8/tumblr_mlyab4PZvk1qjgvbto2_1280.jpg
TheCollegeParty 99% of Global 2000 companies will be using open source code in mission-critical apps by 20161 1 http://www.zdnet.com/article/scan-open-source-use-to-minimize-risks-optimize-benefits/
TheCollegeParty Do you know what’s in your app? Code we wrote Code someone else wrote Image: http://acardiac.blogspot.com/
THE SKYDIVER Anti-pattern
http://marvinqeleys.blogspot.com/2011/09/skydiving-sky-surf.html
TheSkydiver Once you jump, you can’t return to the plane. You are committed. Permanently. This is not how we should model our deployments.
TheSkydiver Rollback is essential Never be left without an escape route to completely working software.
QUESTIONS? Any

More Related Content

Viewers also liked (15)

PDF
Cp tbwa corporate cristal festival
TBWA\Corporate
 
PPT
Customer service example
julietteswett
 
PPTX
Making it Easier to Make a Difference in the World
Dr. Chris Stout
 
PDF
11 Ridiculous Things You Could Buy With Your Student Debt
Mashable
 
PDF
Ericsson ConsumerLab: Internet goes mobile - Nigeria
Ericsson
 
PPTX
Cotabox - Novembro 2015
Fernando Tomé
 
PDF
The good, the bad, the pretty and the ugly
Oliver Reichenstein
 
PPT
اخرستوس آنستى
Mera Louis
 
PDF
The chasm between brands and people is deep and teeming with crocodiles [auto...
Ben Shipley
 
PDF
Top 10 Quotes About Editing
Scribendi
 
PPTX
Universidad nacional de educación enrique guzmán
Junior Gutierrez Chanco
 
PPT
O型人飲食的探討:
yct.Ken Chang
 
PPT
慕尼黑
tinaho
 
PDF
What it Takes to Make a Moonshot—via Google[X] / #CannesLions #OgilvyCannes
Ogilvy
 
PPS
Anti aging presentation3 pp
Holisticdoc1
 
Cp tbwa corporate cristal festival
TBWA\Corporate
 
Customer service example
julietteswett
 
Making it Easier to Make a Difference in the World
Dr. Chris Stout
 
11 Ridiculous Things You Could Buy With Your Student Debt
Mashable
 
Ericsson ConsumerLab: Internet goes mobile - Nigeria
Ericsson
 
Cotabox - Novembro 2015
Fernando Tomé
 
The good, the bad, the pretty and the ugly
Oliver Reichenstein
 
اخرستوس آنستى
Mera Louis
 
The chasm between brands and people is deep and teeming with crocodiles [auto...
Ben Shipley
 
Top 10 Quotes About Editing
Scribendi
 
Universidad nacional de educación enrique guzmán
Junior Gutierrez Chanco
 
O型人飲食的探討:
yct.Ken Chang
 
慕尼黑
tinaho
 
What it Takes to Make a Moonshot—via Google[X] / #CannesLions #OgilvyCannes
Ogilvy
 
Anti aging presentation3 pp
Holisticdoc1
 

Similar to Devopssecfail (20)

PPTX
6 Most Common Threat Modeling Misconceptions
Cigital
 
PDF
The Limits of Unit Testing by Craig Stuntz
QA or the Highway
 
PDF
The limits of unit testing by Craig Stuntz
QA or the Highway
 
PDF
Exception Handling: Designing Robust Software in Ruby (with presentation note)
Wen-Tien Chang
 
PDF
SELJE - VFP and IT Security.pdf
Eric Selje
 
PDF
_Best practices towards a well-polished DevSecOps environment (1).pdf
Enov8
 
PDF
Building a Modern Security Engineering Organization. Zane Lackey
Yandex
 
PDF
GOTO Amsterdam 2016 - The DevOps Disaster
Bert Jan Schrijver
 
PDF
Building a Modern Security Engineering Organization
Zane Lackey
 
PDF
Agile Testing…or Walking Dead Testing?
Ana María del Carmen García Oterino
 
PDF
Using security to drive chaos engineering - April 2018
Dinis Cruz
 
PDF
Экспресс-анализ вредоносов / Crowdsourced Malware Triage
Positive Hack Days
 
PDF
DevSecOps at Agile 2019
Elizabeth Ayer
 
PPTX
O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?
Izar Tarandach
 
PPTX
Reversing malware analysis training part1 lab setup guide
Cysinfo Cyber Security Community
 
PPT
App locker
Concentrated Technology
 
PPTX
Malware 101 by saurabh chaudhary
Saurav Chaudhary
 
PDF
Continuous Deployment Pipeline for Systems - Presented at Ohio LinuxFest 2017...
garrett honeycutt
 
PPTX
How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)
Andrey Karpov
 
PDF
JUG Bonn June 2021 - The DevOps disaster
Bert Jan Schrijver
 
6 Most Common Threat Modeling Misconceptions
Cigital
 
The Limits of Unit Testing by Craig Stuntz
QA or the Highway
 
The limits of unit testing by Craig Stuntz
QA or the Highway
 
Exception Handling: Designing Robust Software in Ruby (with presentation note)
Wen-Tien Chang
 
SELJE - VFP and IT Security.pdf
Eric Selje
 
_Best practices towards a well-polished DevSecOps environment (1).pdf
Enov8
 
Building a Modern Security Engineering Organization. Zane Lackey
Yandex
 
GOTO Amsterdam 2016 - The DevOps Disaster
Bert Jan Schrijver
 
Building a Modern Security Engineering Organization
Zane Lackey
 
Agile Testing…or Walking Dead Testing?
Ana María del Carmen García Oterino
 
Using security to drive chaos engineering - April 2018
Dinis Cruz
 
Экспресс-анализ вредоносов / Crowdsourced Malware Triage
Positive Hack Days
 
DevSecOps at Agile 2019
Elizabeth Ayer
 
O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?
Izar Tarandach
 
Reversing malware analysis training part1 lab setup guide
Cysinfo Cyber Security Community
 
App locker
Concentrated Technology
 
Malware 101 by saurabh chaudhary
Saurav Chaudhary
 
Continuous Deployment Pipeline for Systems - Presented at Ohio LinuxFest 2017...
garrett honeycutt
 
How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)
Andrey Karpov
 
JUG Bonn June 2021 - The DevOps disaster
Bert Jan Schrijver
 
Ad

More from cacois (7)

PPTX
Machine Learning for Modern Developers
cacois
 
PPTX
Avoiding Callback Hell with Async.js
cacois
 
PPTX
Node.js Patterns for Discerning Developers
cacois
 
PPTX
Hadoop: The elephant in the room
cacois
 
PPTX
High-Volume Data Collection and Real Time Analytics Using Redis
cacois
 
PPTX
Automate your Development Environments with Vagrant
cacois
 
PPTX
Node.js: A Guided Tour
cacois
 
Machine Learning for Modern Developers
cacois
 
Avoiding Callback Hell with Async.js
cacois
 
Node.js Patterns for Discerning Developers
cacois
 
Hadoop: The elephant in the room
cacois
 
High-Volume Data Collection and Real Time Analytics Using Redis
cacois
 
Automate your Development Environments with Vagrant
cacois
 
Node.js: A Guided Tour
cacois
 
Ad

Recently uploaded (20)

PDF
10 posting ideas for community engagement with AI prompts
Pankaj Taneja
 
PPTX
Contractor Management Platform and Software Solution for Compliance
SHEQ Network Limited
 
PDF
AWS_Agentic_AI_in_Indian_BFSI_A_Strategic_Blueprint_for_Customer.pdf
siddharthnetsavvies
 
PDF
Adobe Illustrator Crack Full Download (Latest Version 2025) Pre-Activated
imang66g
 
PDF
Why Are More Businesses Choosing Partners Over Freelancers for Salesforce.pdf
Cymetrix Software
 
PDF
MiniTool Power Data Recovery Crack New Pre Activated Version Latest 2025
imang66g
 
PDF
On Software Engineers' Productivity - Beyond Misleading Metrics
Romén Rodríguez-Gil
 
PDF
Enhancing Healthcare RPM Platforms with Contextual AI Integration
Cadabra Studio
 
PDF
New Download FL Studio Crack Full Version [Latest 2025]
imang66g
 
PPTX
Presentation about Database and Database Administrator
abhishekchauhan86963
 
PDF
How Agentic AI Networks are Revolutionizing Collaborative AI Ecosystems in 2025
ronakdubey419
 
PPT
Why Reliable Server Maintenance Service in New York is Crucial for Your Business
Sam Vohra
 
PPTX
Web Testing.pptx528278vshbuqffqhhqiwnwuq
studylike474
 
PDF
How to Download and Install ADT (ABAP Development Tools) for Eclipse IDE | SA...
SAP Vista, an A L T Z E N Company
 
PDF
Salesforce Pricing Update 2025: Impact, Strategy & Smart Cost Optimization wi...
GetOnCRM Solutions
 
PDF
advancepresentationskillshdhdhhdhdhdhhfhf
jasmenrojas249
 
PPT
Brief History of Python by Learning Python in three hours
adanechb21
 
PDF
What companies do with Pharo (ESUG 2025)
ESUG
 
PPTX
Farrell__10e_ch04_PowerPoint.pptx Programming Logic and Design slides
bashnahara11
 
PDF
Step-by-Step Guide to Install SAP HANA Studio | Complete Installation Tutoria...
SAP Vista, an A L T Z E N Company
 
10 posting ideas for community engagement with AI prompts
Pankaj Taneja
 
Contractor Management Platform and Software Solution for Compliance
SHEQ Network Limited
 
AWS_Agentic_AI_in_Indian_BFSI_A_Strategic_Blueprint_for_Customer.pdf
siddharthnetsavvies
 
Adobe Illustrator Crack Full Download (Latest Version 2025) Pre-Activated
imang66g
 
Why Are More Businesses Choosing Partners Over Freelancers for Salesforce.pdf
Cymetrix Software
 
MiniTool Power Data Recovery Crack New Pre Activated Version Latest 2025
imang66g
 
On Software Engineers' Productivity - Beyond Misleading Metrics
Romén Rodríguez-Gil
 
Enhancing Healthcare RPM Platforms with Contextual AI Integration
Cadabra Studio
 
New Download FL Studio Crack Full Version [Latest 2025]
imang66g
 
Presentation about Database and Database Administrator
abhishekchauhan86963
 
How Agentic AI Networks are Revolutionizing Collaborative AI Ecosystems in 2025
ronakdubey419
 
Why Reliable Server Maintenance Service in New York is Crucial for Your Business
Sam Vohra
 
Web Testing.pptx528278vshbuqffqhhqiwnwuq
studylike474
 
How to Download and Install ADT (ABAP Development Tools) for Eclipse IDE | SA...
SAP Vista, an A L T Z E N Company
 
Salesforce Pricing Update 2025: Impact, Strategy & Smart Cost Optimization wi...
GetOnCRM Solutions
 
advancepresentationskillshdhdhhdhdhdhhfhf
jasmenrojas249
 
Brief History of Python by Learning Python in three hours
adanechb21
 
What companies do with Pharo (ESUG 2025)
ESUG
 
Farrell__10e_ch04_PowerPoint.pptx Programming Logic and Design slides
bashnahara11
 
Step-by-Step Guide to Install SAP HANA Studio | Complete Installation Tutoria...
SAP Vista, an A L T Z E N Company
 

Devopssecfail

Editor's Notes

  • #5: In case you aren’t good at Where’s Waldo, here is security. It was mentioned twice in the wikipedia article, which is three less times than the word ‘Patrick’, but one more time than the word ‘portmandeau’.
  • #16: We start with dev. The first environment for our app.
  • #17: But then, of course, we have a pipeline of environments that get us to production. At very least, we need a test (or QA) environment and a staging environment.
  • #18: And our app migrates from dev…
  • #19: …to test…
  • #20: …to staging…
  • #21: …and eventually to production.
  • #22: A really common pitfall in devops comes when we don’t maintain rigorous, 100% parity between these environments – or when we create a multiverse. Let’s say the testers open a few new ports on servers in the test environment, to access some specialized logs.
  • #23: Some late-night firefighting causes some IT ops and networking folks to change some configurations in prod to restore functionality. InfoSec also locks down a few networking settings, in response to some potential attacks they are seeing. This is all done at 4am after 8 hours of fighting, so it’s not immediately recorded, but the guys involved know what happened.
  • #24: And, of course, the developers need more access in their dev environment. Some more ports open…
  • #25: …some more packages and libraries installed…
  • #26: …and update some libraries to the latest version…
  • #27: But now we have a problem – all of these changes mean our app has the potential to work in some of our environments, but not in others. This may be an obvious failure, leading to a failed deployment, or it may just lead to an undetected security hole in production, that doesn’t exist in any of the other environments. Without complete environmental parity, all of our testing on non-production environments dramatically loses value.
  • #28: What caused this? MANUAL CONFIGURATION. ANY AND ALL MANUAL CONFIGURATION IS DANGEROUS. Extremely dangerous. This means that all production firefighting has to go through automated channels to make changes? Sound like it will slow you down? It may, especially if everyone isn’t used to (and on board with) the process and the tools. But if you have full parity in all prior environments, and a solid automated deployment strategy that everyone is comfortable using, it won’t. And you will always have maximal confidence that anything that works in dev will work in prod, including security features.
  • #29: What caused this? MANUAL CONFIGURATION. ANY AND ALL MANUAL CONFIGURATION IS DANGEROUS. Extremely dangerous. This means that all production firefighting has to go through automated channels to make changes? Sound like it will slow you down? It may, especially if everyone isn’t used to (and on board with) the process and the tools. But if you have full parity in all prior environments, and a solid automated deployment strategy that everyone is comfortable using, it won’t. And you will always have maximal confidence that anything that works in dev will work in prod, including security features.
  • #33: By which I mean something automated. We can’t keep the tacit knowledge in the humans. We don’t want to just create expert humans, we want to create a customized, expert process for our project.
  • #34: By which I mean something automated. We can’t keep the tacit knowledge in the humans. We don’t want to just create expert humans, we want to create a customized, expert process for our project.
  • #36: While we’re at it, let’s talk about those “unavoidable”, ‘necessary” changes to production to keep systems up and running
  • #40: PINK SOMBRERO – Babcock Jenkins
  • #45: By which I mean something automated. We can’t keep the tacit knowledge in the humans. We don’t want to just create expert humans, we want to create a customized, expert process for our project. This tends to happen when we don’t expect failure. We should always expect failure, and be ready for it. PLAN for it. And by the way…How did you fix it? Are those changes propagated back into the automated pipeline?
  • #46: By which I mean something automated. We can’t keep the tacit knowledge in the humans. We don’t want to just create expert humans, we want to create a customized, expert process for our project. This tends to happen when we don’t expect failure. We should always expect failure, and be ready for it. Plan for it. USE it.
  • #47: By which I mean something automated. We can’t keep the tacit knowledge in the humans. We don’t want to just create expert humans, we want to create a customized, expert process for our project.
  • #51: Now, I say this for two reasons. 1) it probably scares you a little bit, and I enjoy that. But 2) do not make the mistake of trying prohibition. It won’t work, and it will make it harder to keep track and regulate your security posture. InfoSec needs to work with developers and ops to mitigate this risk. This is important – InfoSec needs to understand DevOps, and work within a devops process to address this risk. That means working within CI, working with automation. If you say “We need 2 weeks to assess and approve any new open source library you want to use”, guess what? You lose! You are now the primary bottleneck in the DevOps pipeline, and everyone else will be trying to mitigate YOU.