Saturday, Jun 9, 2018

Presented at DrupalHackCamp: Bucharest, Romania, 8-10 June 2018. DevSecOps and Drupal gives an overview of the DevSecOps process and mindset, and of how to use it to deliver Drupal applications (or anything really) with security built in.

Slides

Link to slides

Slide Content

1. DevSecOps and Drupal: Securing Your Applications in a Modern IT Landscape

2. About me

I am Will Hall. My role is Digital Architect, which means I have all video conferencing applications installed. I support code projects in Drupal (PHP), Python, Ruby, JavaScript; using Docker, Ansible, GitLab, GitLab CI and Bash… I don’t understand it all. You can find me at @hn_will. Hello!

3. Imposters and security… Personal Vulnerabilities

4. The History of Musical Notation

La, la, la, la, la. We’ll get to why this is relevant soon.

5. Music is oral history.

However, in its history it was unable to be communicated easily across time & space.

6. Compressed history of musical notation

  • Boethius (480-525 AD)
    • Letter associated with notes
  • Gregory the Great (600 AD)
    • First seven letters, Uppercase and Lowercase. Also introduced lines (similar to stave) with words moving up and down.
  • Franco of Cologne (1200 AD)
    • Symbols for length of notes.

7. Standards take time, effort, evolution

8. DevOps is filled with incomplete standards

We have so much to compete with when joining code to infrastructure. So many additional variables.

9. What is DevSecOps? Because everyone needs a buzzword

10. DevOps

  • Development Team. Favourite phrase: Works On My Machine
  • Operations Team. Favourite phrase: Server is up, must be application errors.

11. Security Team Favourite Phrase: No

12. DevOps (diagram labels: Operations, Development, DevOps)

13. DevOps is fixated on the successful movement of products between environments

14. DevSecOps (diagram labels: Operations, Development, Security, DevSecOps)

15. DevSecOps is fixated on the secure, successful movement of secure products between secure environments

16. DevOps is moving products: Is that an oversimplification?

17. DevOps delusion (diagram labels: first, second, last). Our process is easy…

18. €89,526,124. That’s a lot of money. 100%. Total success! 185,244 users. And a lot of users.

19. Global our office

20. The internet is held together by string, glue and uncommented code.

21. Testing Automation: Doing the same things over and over again

22. Let’s review some testing concepts

  • Static Analysis Testing: Checking the code against standards. What is acceptable, what is not.
  • Build Testing: Does the application build with its dependencies?
  • Smoke Testing: Is it broken now?
  • Unit Testing: Testing the functionality of code. Inputs and outputs.
  • Functional Testing: Testing functions/features inside the application.
  • Security Testing: Testing elements of security.

23. You don’t need to be a plumber to like pipelines.

24. Pipelines: Code, Static Analysis, Unit Test, Build Test, Functional Test, Smoke Test. Local testing?

25. Where is security testing inside your pipelines? 🤷

26. Security you can automate:

  • Secrets Management (secure your pipeline)
  • Dependency/Vulnerability Scanning
  • Vulnerability Attacks
  • Load Testing/DDoS Simulations

27. Let’s get real.

  • Everything should be in a container.
  • Containers should have the minimum required.
  • We should process jobs in parallel.

28. Let’s demo this… Or in practice, use my pre-completed examples 😲

29. We probably already know what our greatest weakness is…

30. Testing Tools: Because choosing things is hard

31. Secrets Management

  • How do you achieve minimum required access?
  • Where do you inject secrets?
  • How do you control access?
  • Tools:
    • Hashicorp Vault
    • Docker Secrets
    • Keybase

32. Vulnerability Databases

When standing on the “shoulders of giants”, we can see further, but we also don’t know all of our dependencies:
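
A dependency-scanning gate of the kind listed under "Security you can automate", as an added example that is not from the talk: it reads a Composer lock file and returns a failing exit code when a locked version falls inside an advisory range. The package names, advisory IDs and version ranges are constructed; a real job would take its advisories from a vulnerability database.

```python
import json

# Constructed composer.lock excerpt; "packages"/"packages-dev" is the real layout.
LOCK = json.loads("""{
  "packages": [
    {"name": "acme/forms", "version": "2.3.1"},
    {"name": "acme/http-client", "version": "v1.4.0"},
    {"name": "acme/logger", "version": "3.0.0"}],
  "packages-dev": [{"name": "acme/test-tools", "version": "dev-main"}]
}""")

# Constructed advisories: a version is affected when introduced <= v < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "acme/forms", "introduced": "2.0.0", "fixed": "2.3.4"},
    {"id": "EXAMPLE-0002", "package": "acme/http-client", "introduced": "1.0.0", "fixed": "1.4.0"},
    {"id": "EXAMPLE-0003", "package": "acme/test-tools", "introduced": "0.1.0", "fixed": "0.9.0"},
]

def parse_version(text):
    """Return a comparable tuple for plain x.y.z (optional leading 'v'), else None."""
    parts = text.lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        return None  # dev-main, 2.0.0-beta1 etc. cannot be range-checked here
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def scan(lock, advisories):
    """Return (findings, unresolved) over runtime and dev packages."""
    findings, unresolved = [], []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        relevant = [a for a in advisories if a["package"] == pkg["name"]]
        version = parse_version(pkg["version"])
        if version is None:
            if relevant:  # fail closed: an unknown version may be affected
                unresolved.append(pkg["name"])
            continue
        for adv in relevant:
            if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
                findings.append((adv["id"], pkg["name"], pkg["version"]))
    return findings, unresolved

def gate(lock, advisories):
    """Exit code for the CI job: 1 blocks the pipeline, 0 lets it continue."""
    findings, unresolved = scan(lock, advisories)
    return 1 if findings or unresolved else 0

if __name__ == "__main__":
    print(scan(LOCK, ADVISORIES))
    raise SystemExit(gate(LOCK, ADVISORIES))
```

The version already at the fixed release (`acme/http-client`) passes, while the branch alias `dev-main` is reported as unresolved and blocks the job rather than being silently skipped.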

33. Vulnerability Attacks

Attack your known weaknesses:

  • Bad users
  • Tools:
    • Kali Linux 😈
    • Fuzzing
    • Brute forcing
    • Module enumeration
    • Metasploit
    • Burp Portswigger…

34. Security Auditing: DevSecOps does not replace Security Audits, it augments the pipeline to allow greater focus.

35. What you need to do now: Actionable items for you

36. Automate your build

  • If you are building manually, stop. Automate.
  • If you already use Jenkins, that is fine; if not, don’t start on it.
  • GitOps - This should be your new search topic…
  • Or:
    • GitLab CI
    • Drone.io
    • CircleCI

37. Clusters/Orchestrations

  • Clusters and orchestration of containers are the future of application delivery.
  • Learn Docker
  • Learn Kubernetes (and probably use services; EKS, RDS on AWS).

38. Automate your security

  • Test your weaknesses
  • Reduce your effort
  • Speed is essential - time is your non-transferable resource

39. We probably already know what our greatest strength is… Each other.

40. Any questions?

41. Credits

Special thanks to all the people who made and released these awesome resources for free:

  • Presentation template by SlidesCarnival
  • Photographs by Pixabay