OpenShift Commons Briefing
Tim Mackey – Senior Technologist – Black Duck
Software
Security Driven Development and Deployment
[Figure: reference architecture. A Security Service domain and several VMs run on a Minimal OS over a hypervisor; each VM hosts multiple containers. Control, Compute, Networking and Storage layers are shown, with one VM holding a Compromised container and another a Vulnerable Container.]
Question Everything and Continually Reevaluate Trust
[Figure: feedback loop: Deploy -> Potential Attack -> Test against platforms -> Document -> Iterate]
[Figure: disclosure timeline for Vuln: CVE-2016-5195, AKA "Dirty Cow". Milestones: Upstream Embargo, Patch Expires, Media Coverage, Git://id, Patches Available.]
Timing is Opportunity
[Figure: the same timeline for Vuln: CVE-2016-5195, AKA "Dirty Cow", with the National Vulnerability Database entry marked "Highest Security Risk". Milestones: Media Coverage, Git://id, Patches Available.]
Security Analysis Isn't Only SAST/IAST/DAST
Vulnerability Analysis
- Identifies vulnerable dependencies
- All possible security vulnerabilities
- 3000+ disclosures in 2015
- 4000+ disclosures in 2016
- Most vulnerabilities found by researchers
We’re all Researchers – Report What You Find
- OpenSSH (CVE-2004-1653): AllowTCPForwarding creates open proxy
- Apache Struts (CVE-2017-5638): Why in 2017?
- Heartbleed: Vulnerability response time matters (IoT)
Open Source Development Risk Maturity Model

LEVEL 1 – BLISSFUL IGNORANCE
No policies in place to manage open source security and licensing risks. Unknown versions and dependencies. No documentation of intent.

LEVEL 2 – AWAKENING
Inconsistent manual processes to identify and report on open source usage. Conceptual awareness of license requirements. Unaware of security implications of open source usage.

LEVEL 3 – UNDERSTANDING
Manual review processes, and basic tooling. Primary focus on license compliance. Accuracy is difficult to maintain. Provides limited insight into security vulnerabilities.
Build a Risk Profile for All Containers – Even the Builders
[Figure: build pipelines. A Git SCM Trigger starts a Deployment build that pushes to a Registry; a Security Scan and Staging Tests gate promotion to the Production Registry, with Bug Tracking and Risk Assessment feeding the pipeline.]
Support Ongoing Monitoring for Changes in Risk
[Figure: SDLC stages DEVELOP, BUILD, PACKAGE, DEPLOY, PRODUCTION with TEST and AUTOMATION across them, and BUG TRACKING and RISK ASSESSMENT as continuous activities.]
Black Duck Value Across the SDLC
[Figure: Black Duck integration. A Customer-hosted Hub Scan Engine scans images from External Registries and ImageStream Events and writes Image Annotations; the Black Duck-hosted Hub provides Notifications, a Policy Engine and the KnowledgeBase.]
Layer Container Security For Maximum Impact – Success Criteria
- Secure Platform with Red Hat OpenShift Container Platform and Atomic Host
- Administer DISA STIG: CVE, CCE, CPE, CVSS, OVAL, and XCCDF
- Scan all container images in an OpenShift deployment as they are created, modified and used
- Annotations automatically updated as new disclosures occur – without the need for rescan
Is this real or just boring slides?