Sunday, April 28, 2019
DevOps + Security: DevSecOps
There are a couple of things that I preach; they may be off the beaten path for security.
Keep it simple. Secure all the things the same way.
I don't like to build snowflakes. Let's build it once and re-use that process.
So, follow the same simple process for the daily online lunch menu, or for exchanging PII between systems.
Secure baseline, hardened config, and make it repeatable.
Generate unique keys for everything and secure all data-in-transit.
Log all the things. This allows people and systems to monitor the things they care about.
As they say, the devil is in the details; what do I mean when I say secure baseline?
1. Start lean, install only the minimal things required to run. This keeps it small, light, and to use a
loaded word, agile. This reduced footprint is ideal for performance and security.
2. Restrict things, people, services and systems you DO NOT WANT.
3. Add what you need, nothing more, nothing less.
4. Software-defined builds, build early build often.
Hardened config is building on top of the secure baseline line item #3.
Add what you need and make sure we are not introducing unintended risk.
1. Run the processes you want separate from the underlying system.
2. Only permit things, people, services and systems you WANT.
3. Software-defined configurations.
Make it repeatable, if you can build one you should be able to build n+1.
Since you can build n+1 build them so that there are no single points of failure. Build them so that you can
scale as needed. If you have n+1 you can always update, patch, upgrade, and fix bugs without introducing
downtime. Availability is a core principle of security. Be able to build them on the fly and be able to tear
them down just as fast. If you don't need it, get rid of it, reduce the risk.
Generate test data for Dev & Test/QA. Prod lives in prod, and nobody plays in prod.