Continuous Security in a DevOps world

Keyboard shortcuts

Action

Key

Play / Pause

K or space

Mute / Unmute

Toggle fullscreen mode

Select next subtitles

Select next audio track

Show slide in full page or toggle automatic source change

Seek 5s backward

left arrow

Seek 5s forward

right arrow

Seek 10s backward

shift + left arrow or J

Seek 10s forward

shift + right arrow or L

Seek 60s backward

control + left arrow

Seek 60s forward

control + right arrow

Decrease volume

shift + down arrow

Increase volume

shift + up arrow

Decrease playback rate

Increase playback rate

Seek to end

end

Seek to beginning

beginning

Loading Click here to add:

Subscribe to notifications

When subscribed to notifications, an email will be sent to you for all added annotations.

Your user account has no email address.

Information on this media

52 views

The Information Security world has yet to embrace the DevOps culture. The concepts of fast paced, always moving, continuously delivered software and services still clash with the cautious methods of information security. The disconnect is accentuated by difficulties security teams encounter adapting legacy policies to devops and the cloud.
Security policies typically focus on hardening, monitoring and updating systems and services, which must be done at each level of the stack. The continuous delivery techniques advocated by DevOps often rely on third-party infrastructure that do not grant infrastructure-level access to customers, which forces security teams to rethink controls.

The lack of physical, and sometimes virtual, access requires forensics and incident response to be approached differently.
Scanning for vulnerabilities inside containers is not possible on production systems.
Logs correlation may become difficult when systems have no names and live for only a few hours.
And, above all, the approach to network security monitoring (IDS/IPS, sniffers, etc…), which security teams spent years perfecting, is useless in cloud environments that don’t grant access to network equipments.

Mozilla has been operating full devops for several years now. As a security lead in the Cloud Services organization, integrating security into devops is a major part of my job, and I want to describe our approach in this presentation. The talk is focused on three main parts:

Implementing and testing security controls: in which we talk about Test Driven Security in the CI/CD pipeline.
Monitoring and responding to attacks: an overview of techniques that help increase the security coverage of cloud-based, immutable and continously delivered infrastructures.
Maturing DevOps Security: a discussion on bringing security into the culture of the organization

We will discuss the challenges, both cultural and technical, in adopting a DevOps culture in security. The audience will be given pointers to build and test controls into the continuous integration and continuous delivery pipelines.

Julien Vehent

Julien manages the CloudSec team and is responsible for the security of Firefox’s backend services (Firefox accounts, Sync, addons.mozilla.org, Push, Hello, …). Mozilla CloudSec consults with developers and operations teams on risks and security, and builds security tools for the infrastructure. Julien is the author of the Mozilla Server Side TLS guidelines, Cipherscan, Mozilla InvestiGator (MIG), SOPS and many smaller tools to help DevOps integrate security in the organization.

https://sec2016.rmll.info

Creation date: July 5, 2016

Speakers: Julien Vehent

Company: RMLL

License: CC BY SA v4

Links:

Latest annotations RSS feed

Information on this media

Julien Vehent

Other media in the channel "Sécurité"