The DevOps pipeline is constantly changing. Therefore relevant security controls must be applied contextually.
We want to be secure, but I think all of us would rather spend our time developing and deploying software. Keeping up with server updates and all of the other security tasks is like cleaning your home - you know it has to be done, but you really just want to enjoy your clean home. The good news is you can hire a “service” to keep your application security up-to-date, giving you more time to develop.
At the recent All Day DevOps conference, Akash Mahajan (@makash), a Founder/Director at Appsecco, discussed how to harden your system’s security with Ansible. In addition to his role at Appsecco, Akash is also involved as a local leader with the Open Web Application Security Project (OWASP).
Misconfiguration. During his presentation, Akash mentioned the OWASP Top 10 Security Vulnerabilities list, zeroing in on #5 - Security Misconfiguration. To determine if you comply with the guidelines, #5 on the list asks:
I am sure no one reading this article still uses the default administrator password, but can we say the same of your peers? Have you gotten around to installing the latest software patches on your server?
Automation. If a task can be automated, developers automate it. So we should automate our security tasks too, where we can. OWASP provides guidance here, suggesting you should:
This is all part of security hardening, which is, “the process where we identify default configuration present on a system and apply changes that will change the configuration to secure values.” This can be applied to your network, transport, application, and kernel networking parameters.
Ansible Playbooks. Ansible is one of the solutions Akash likes to work with, but there are other solutions on the market that provide similar value. Without trying to endorse or evaluate one solution over another, let me share perspectives from Akash’s experience with his tool set.
Why does he like it? It boils down to playbooks. An Ansible playbook is a codified security document, allowing you to describe the desired state of a system, rather than the specific steps of how to get to that state. As Akash points out, things change - it is better to have the end state described rather than have to change commands when the system changes.
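To make the "desired state, not steps" idea concrete, here is a small hardening playbook written for this article as an added example; it is not code from Akash's session or from Appsecco. It assumes Debian/Ubuntu hosts in an inventory group called webservers and the ansible.posix collection installed (ansible-galaxy collection install ansible.posix); the sysctl values are ordinary conservative defaults, not settings taken from the talk.

```yaml
# Constructed example: declare the hardened state; Ansible works out the steps.
# Assumes: Debian/Ubuntu hosts, inventory group "webservers",
# ansible.posix collection installed. Run with: ansible-playbook harden.yml
- name: Baseline hardening of web servers
  hosts: webservers
  become: true

  vars:
    # Kernel networking parameters (the "kernel networking" part of hardening).
    sysctl_hardening:
      net.ipv4.ip_forward: 0                 # these hosts are not routers
      net.ipv4.conf.all.rp_filter: 1         # reverse-path filtering on
      net.ipv4.conf.all.accept_redirects: 0  # ignore ICMP redirects
      net.ipv4.conf.all.send_redirects: 0    # never send them either
      net.ipv4.tcp_syncookies: 1             # basic SYN-flood resilience

  tasks:
    - name: Apply the latest software patches
      ansible.builtin.apt:
        update_cache: true
        upgrade: safe
      when: ansible_facts['os_family'] == 'Debian'

    - name: Set kernel networking parameters persistently
      ansible.posix.sysctl:
        name: "{{ item.key }}"
        value: "{{ item.value }}"
        sysctl_file: /etc/sysctl.d/99-hardening.conf
        state: present
        reload: true
      loop: "{{ sysctl_hardening | dict2items }}"

    - name: Disallow password login as root over SSH (application layer)
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin prohibit-password'
        validate: 'sshd -t -f %s'   # refuse the change if the config is invalid
      notify: Restart sshd

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh
        state: restarted
```

Every task is idempotent: re-running the playbook on an already-hardened host reports no changes, which is what makes it usable as a repeatable check as well as a fix.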
Other advantages of playbooks include:
The bottom line is you can, and you should, automate your security hardening process. Your users and other stakeholders will thank you, and, most of all, you will thank yourself because you can spend more time on the things you love to do.
Ansible is just one example of a solution that can be used to automate your security tasks. If you want to know more, Akash goes into further detail on getting started with Ansible in his full All Day DevOps conference session (just 30 minutes). The other 56 presentations from the All Day DevOps Conference are also available online, free-of-charge here.
This blog series is reviewing sessions from the All Day DevOps conference from November which hosted over 13,500 registered attendees. Last week I discussed, “DevOps at Massive Scale”. Next week, look for “Operationalizing a Red Team for Fun and Profit”, delivered by Intuit’s own Ian Allison.