The Information Security world has yet to embrace the DevOps culture. The concepts of fast-paced, always moving, continuously delivered software and services still clash with the cautious methods of information security. The disconnect is accentuated by the difficulties security teams encounter adapting legacy policies to DevOps and the cloud. Security policies typically focus on hardening, monitoring and updating systems and services, which must be done at each level of the stack. The continuous delivery techniques advocated by DevOps often rely on third-party infrastructure that does not grant infrastructure-level access to customers, which forces security teams to rethink their controls.
The lack of physical, and sometimes virtual, access requires forensics and incident response to be approached differently.
Scanning for vulnerabilities inside containers is not possible on production systems.
Log correlation may become difficult when systems have no names and live for only a few hours.
And, above all, the approach to network security monitoring (IDS/IPS, sniffers, etc…), which security teams spent years perfecting, is useless in cloud environments that don’t grant access to network equipment.
Mozilla has been operating full devops for several years now. As a security lead in the Cloud Services organization, integrating security into devops is a major part of my job, and I want to describe our approach in this presentation. The talk is focused on three main parts:
Implementing and testing security controls: in which we talk about Test Driven Security in the CI/CD pipeline.
Monitoring and responding to attacks: an overview of techniques that help increase the security coverage of cloud-based, immutable and continuously delivered infrastructures.
Maturing DevOps Security: a discussion on bringing security into the culture of the organization.
We will discuss the challenges, both cultural and technical, in adopting a DevOps culture in security. The audience will be given pointers to build and test controls into the continuous integration and continuous delivery pipelines.
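As an added illustration of the Test Driven Security idea outlined above (this is example code written for this page, not material from the talk or from Mozilla), the following CI-style check fails a build when an nginx TLS configuration drifts from policy. The policy constants are a simplified, assumed stand-in and are not the Mozilla Server Side TLS guidelines themselves.

```python
"""Test Driven Security: a CI check that fails the build when a TLS config
drifts from policy. Added example; the policy below is an illustrative
stand-in, not the Mozilla Server Side TLS guidelines."""
import re

# Assumed policy (illustrative): current protocols only, no legacy cipher
# families, and every enabled suite must provide forward secrecy (ECDHE).
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
FORBIDDEN_CIPHER_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXPORT")

def parse_nginx_tls(config_text):
    """Extract ssl_protocols and ssl_ciphers from an nginx server block."""
    protos = re.search(r"^\s*ssl_protocols\s+([^;]+);", config_text, re.M)
    ciphers = re.search(r"^\s*ssl_ciphers\s+['\"]?([^;'\"]+)['\"]?\s*;",
                        config_text, re.M)
    return (set(protos.group(1).split()) if protos else set(),
            [c for c in ciphers.group(1).split(":") if c] if ciphers else [])

def check_tls_policy(config_text):
    """Return a list of findings; an empty list means the config passes."""
    protocols, ciphers = parse_nginx_tls(config_text)
    findings = [f"protocol not allowed: {p}"
                for p in sorted(protocols - ALLOWED_PROTOCOLS)]
    if not protocols:
        findings.append("ssl_protocols directive missing")
    for c in ciphers:
        if c.startswith("!"):          # exclusion entries such as !aNULL are fine
            continue
        if any(tok in c for tok in FORBIDDEN_CIPHER_TOKENS):
            findings.append(f"forbidden cipher: {c}")
        elif not c.startswith("ECDHE-"):
            findings.append(f"no forward secrecy: {c}")
    if not ciphers:
        findings.append("ssl_ciphers directive missing")
    return findings

# Constructed sample configs: a weak one and its hardened replacement.
WEAK_CONFIG = """server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:RC4-SHA';
}"""
HARDENED_CONFIG = """server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
}"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_tls_policy(cfg) or "OK")
```

Wired into the pipeline as a unit test, a non-empty findings list blocks the deploy, which is the point of testing the control rather than reviewing it by hand.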
Julien manages the CloudSec team and is responsible for the security of Firefox’s backend services (Firefox accounts, Sync, addons.mozilla.org, Push, Hello, …). Mozilla CloudSec consults with developers and operations teams on risks and security, and builds security tools for the infrastructure. Julien is the author of the Mozilla Server Side TLS guidelines, Cipherscan, Mozilla InvestiGator (MIG), SOPS and many smaller tools to help DevOps integrate security in the organization.