Enhancing security
 through tight collaboration

aka

OWASP PCI DevOps

 

  • OWASP: Web Application Security - thanks, lads!
  • PCI-DSS: Payment Card Industry Data Security Standard
  • DevOps: Development, Testing and Operations
    • Different people together, not just automation

Kalle Hallivuori @ Solinor.com

@korpiq

Done stuff

  • Programming 1982 -
  • IT Support 1989 -
  • Application development 1996 -
  • IT solution development 1997 -
  • Service development 1998 -
  • Process development 2004 -

Been called names

  • CS dropout 1993 - 1997
  • Scrum Master 2009 - 2010
  • Operations Manager 2011 - 2012
  • Software Architect 2012 - 2013
  • Actually a Generalist?

Through the painful mistakes of others, I have come to value

  • Software development as a service process rather than projects
  • Unix Web = MicroServices over Enterprise Service Bus

(That is, while there is value in the items on the right,
 I value the items on the left more.)

Disclaimer

I may or may not be at liberty to disclose any true experience.

I may or may not make up details or generalities.

Audience would do well to resort to reasoning and judgement.

 

On a totally unrelated and irrational note,
 I always wanted to be Linus Torvalds instead of Linus Torvalds.

Why?

 
 
 

6 months

¥€$

Time to Market

Analysis

 

Design

 

Development

 

Testing

 

Deployment

5 days

3 days

6 days

4 days

2 days

or, according to Poppendieck

Cycle Time

Feedback

3 months

2 weeks

2 weeks

1 month

By magic! Looks like a

Value Stream

Problem?

 
 
 

 

¥€$

Analysis

 

Design

 

Development

 

Testing

 

Deployment

Feedback

Learning

Learning

Learning

Learning

Learning

Hand-over queues lose information,
and therefore responsibility.

Forgetting

Forgetting

Forgetting

Forgetting

Solution

DevOps

Feedback

Learning

What?

DevOps

  • All specialists together -> Live knowledge
  • No hand-overs -> Full responsibility
  • Immediate feedback -> Rapid adaptation
  • Natural for startups; strange for large departmentalised corporations

DevOps
is not Scrum

I asked Jim "Cope" Coplien last week in person.

Cope is determined about taking everything not directly related to actual implementation of production software out of the team, including prototyping, specification and indeed deployment and operation of production systems.

Motivation there is to leave only determinable and well planned work to be executed by the actual Scrum team. Work by the rest of the organisation may take indeterminate times.

Many DevOps teams presumably do great "Scrum-butt"

DevOps
Principles

  • Sit together to enable continuous communication about work
  • Pair specialists whenever and wherever multiple discipline expertise is needed
  • Automate all mundane work ruthlessly - from executable specifications to packaging, systems-wide testing, deployment and monitoring
  • Reserve time to search for opportunities and implement enhancements to work practices

DevOps
Security

  • Like bugs in zero-defects Scrum, security issues can be handled immediately
  • All work is visible to whole team
  • Enthusiastic, professional team spirit prevents sloppiness
  • Everyone learns enough about each other's work to be able to review and criticize it
  • Security steps are easy to introduce and whether they are being followed becomes evident to all
    • style and complexity checks
    • test results - team spirit can not allow a single failing test
    • production systems' status monitor visible to whole team

How?

DevOps
seating

Diplomat:
Scrum Master,
manager, secretary,
what have you

Testing specialist:
development of
quality measures,
executable specifications

Domain specialist: understand
and develop solutions
particular to business

Generalist: automation,
development of
quality of work

IT administrator:
deployment and
monitoring of
systems and
machinery

Operator:
solves users' issues
domain expert

?

YMMV

Facing
each other
is GREAT!

learn from real use

search for better ways

plan system structure

WE RULE!

DevOps
PCI compliance

I am not going to delve into PCI DSS proper.
This just to give some idea how to meet strict security requirements.

  • 100% code review by a team member for every feature
    • pair coding makes this a breeze :)
    • OWASP gets paid extra attention
  • Executable security specifications can be written straight after functional ones
  • Only administrators and operators can access production systems, but others pair with them as necessary to solve issues
  • Automation makes test setups identical to production systems, which is great for introspection, but access to production can still be restricted with several steps not seen in testing

DevOps
problems

Disparity of operations and development work is hard.

  • System administrators and operators work on the rhythm of audits, machine problems, user issues
  • Developers and testers work on each new feature until it is finished
  • People need to be willing to develop into team members, sharing trust, goals, and effort
  • Automation requires a lot of creativity and persistence

Sana viikon vaihteeksi
Word for gear of week

Discipline comes from within

Responsibility is a social agreement

Thanks!
-
Ask Questions!

DevOps Finland!
http://www.meetup.com/devops-finland/

Kalle Hallivuori @ Solinor.com

@korpiq

Slides available at http://kato.iki.fi/owasp-pci-devops

Creative Commons License
owasp-pci-devops-slides by Kalle Hallivuori is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Images from OpenClipArt.org except DevOps circles from Wikipedia, and some by myself. Iznogoud is a trademark of Edition Tabary (Sarl). Fnord.