SlideShare ist ein Scribd-Unternehmen logo

Secure application deployment in Apache CloudStack

Als PPTX, PDF herunterladen
Tim Mackey
Tim Mackey

At the Apache CloudStack Collaboration Conference in Montreal, I presented a potential pathway to secure template management in CloudStack. Under this model, cloud providers can assess the templates their users have and potentially advise if deployed instances have application security issues which have either public disclosures, or better still remediation.

Technologie
1 von 17
Secure application deployment
#whoami – Tim Mackey • Current roles: Senior Technical Evangelist; Occasional coder • Previously XenServer Community Manager • Cool things I’ve done • Designed laser communication systems • Early designer of retail self-checkout machines • Embedded special relativity algorithms into industrial control system • Find me • Twitter: @TimInTech • SlideShare: slideshare.net/TimMackey • LinkedIn: www.linkedin.com/in/mackeytim
Security reality No solution is perfect. Defense in depth matters.
Attacks are big business In 2015, 89% of data breaches had a financial or espionage motive Source: Verizon 2016 Data Breach Report
EASY ACCESS TO SOURCE CODE Open source ubiquity makes it an easy target OPEN SOURCE ISN’T MORE OR LESS SECURE THAN CLOSED SOURCE – ITS JUST EASIER TO ACCESS VULNERABILITIES ARE PUBLICIZED EXPLOITS ARE PUBLISHED
Anatomy of a new attack Potential Attack Iterate Test against platforms Document Don’t forget PR department Deploy
DELIVERED CODE OPEN SOURCE CODE SUPPLY CHAIN CODE LEGACY CODE REUSED CODE/CONTAINERS COMMERCIAL CODE INTERNALLY DEVELOPED CODE OUTSOURCED CODE How open source enters a code base
CLOSED SOURCE COMMERCIAL CODE DEDICATED SECURITY RESEARCHERS ALERTING AND NOTIFICATION INFRASTRUCTURE REGULAR PATCH UPDATES DEDICATED SUPPORT TEAM WITH SLA OPEN SOURCE CODE “COMMUNITY”-BASED CODE ANALYSIS MONITOR NEWSFEEDS YOURSELF NO STANDARD PATCHING MECHANISM ULTIMATELY, YOU ARE RESPONSIBLE Who is responsible for code and security?
TRUST BUILD FILES, MANIFESTS, PACKAGE MANAGERS, FILE NAMES EVIDENCE-BASED IDENTIFICATION OF OPEN SOURCE BY SCANNING FILES IN CONTEXT Without evidence, nothing else matters Are packages complete? Determine package context
0 500 1000 1500 2000 2500 3000 3500 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Open Source Vulnerabilities Reported Per Year BDS-exclusive nvd Reference: Black Duck Software Knowledgebase, NVD INCREASING NUMBER OF OSS VULNERABILITIES
Automated tools miss most open source vulnerabilities Static & Dynamic Analysis Only discover common vulnerabilities 3,000+ disclosed in 2014 Less than 1% found by automated tools Undiscovered vulnerabilities are too complex and nuanced All possible security vulnerabilities
What do these all have in common? Heartbleed Shellshock GhostFreak Venom Since: Discovered: 2011 2014 1989 2014 1990’s 2015 2000 2015 2004 2015 Discovered by: Component: OpenSSL Riku, Antti, Matti, Mehta Bash Chazelas OpenSSL Beurdouche GNU C library Qualys researchers QEMU Geffner
Integrating into tools and processes DEVELOP SCM BUILD PACKAGE DEPLOY PRODUCTION BUG TRACKING REMEDIATE AND TRACK LICENSE COMPLIANCE AND SECURITY VULNERABILITIES FULL APP SEC VISIBILITY VIA IBM APPSCAN INTEGRATION BUILD / CI SERVER SCAN APPLICATIONS WITH EACH BUILD VIA CI INTEGRATION DELIVERY PIPELINE SCAN APPLICATIONS AND CONTAINERS BEFORE DELIVERY CONTINUOUS MONITORING OF VULNERABILITIES
Misaligned security investment
A solution should include these components Choose Open Source Proactively choose secure, supported open source SELECT Inventory Open Source Map Existing Vulnerabilities Maintain accurate list of open source components throughout the SDL Identify vulns during development VERIFY Track New Vulnerabilities Alert new vulns in production apps MONITORREMEDIATE Fix Vulnerabilities Tell developers how to remediate
We need your help Knowledge is power • Know what’s running and why • Define proactive vulnerability response process • Don’t let technology hype cycle dictate security Invest in defense in depth models • Don’t rely on perimeter security to do heavy lifting • Do look at hypervisor & container trends in security • Make developers and ops teams part of the solution • Do embed security into deployment process Together we can build a more secure data center
Secure application deployment in Apache CloudStack

Empfohlen

Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Tim Mackey
 
Security in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsSecurity in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsTim Mackey
 
Open Source in Application Security
Open Source in Application SecurityOpen Source in Application Security
Open Source in Application SecurityBlack Duck by Synopsys
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryTim Mackey
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliveryTim Mackey
 
Security in the Age of Open Source
Security in the Age of Open SourceSecurity in the Age of Open Source
Security in the Age of Open SourceBlack Duck by Synopsys
 
The 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementThe 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementBlack Duck by Synopsys
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementTim Mackey
 

Empfohlen

Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Tim Mackey
 
Security in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsSecurity in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsTim Mackey
 
Open Source in Application Security
Open Source in Application SecurityOpen Source in Application Security
Open Source in Application SecurityBlack Duck by Synopsys
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryTim Mackey
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliveryTim Mackey
 
Security in the Age of Open Source
Security in the Age of Open SourceSecurity in the Age of Open Source
Security in the Age of Open SourceBlack Duck by Synopsys
 
The 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementThe 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementBlack Duck by Synopsys
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementTim Mackey
 
Application Security in the Age of Open Source
Application Security in the Age of Open SourceApplication Security in the Age of Open Source
Application Security in the Age of Open SourceBlack Duck by Synopsys
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Black Duck by Synopsys
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsIBM Security
 
September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source: September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source: Black Duck by Synopsys
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck by Synopsys
 
FROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYFROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYBlack Duck by Synopsys
 
Shift Risk Left: Security Considerations When Migrating Apps to the Cloud
Shift Risk Left: Security Considerations When Migrating Apps to the CloudShift Risk Left: Security Considerations When Migrating Apps to the Cloud
Shift Risk Left: Security Considerations When Migrating Apps to the CloudBlack Duck by Synopsys
 
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...Great Wide Open
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source SecuritySander Temme
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOpsBlack Duck by Synopsys
 
Demystifying Cloud Security Compliance
Demystifying Cloud Security ComplianceDemystifying Cloud Security Compliance
Demystifying Cloud Security ComplianceMirantis
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
 
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...Black Duck by Synopsys
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceBlack Duck by Synopsys
 
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Black Duck by Synopsys
 
Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleBlack Duck by Synopsys
 
Continuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiContinuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiAllanGray11
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliveryBlack Duck by Synopsys
 
Prevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerPrevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerGFI Software
 
Security O365 Using AI-based Advanced Threat Protection
Security O365 Using AI-based Advanced Threat ProtectionSecurity O365 Using AI-based Advanced Threat Protection
Security O365 Using AI-based Advanced Threat ProtectionBitglass
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 

Weitere ähnliche Inhalte

Was ist angesagt?

Application Security in the Age of Open Source
Application Security in the Age of Open SourceApplication Security in the Age of Open Source
Application Security in the Age of Open SourceBlack Duck by Synopsys
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Black Duck by Synopsys
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsIBM Security
 
September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source: September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source: Black Duck by Synopsys
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck by Synopsys
 
FROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYFROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYBlack Duck by Synopsys
 
Shift Risk Left: Security Considerations When Migrating Apps to the Cloud
Shift Risk Left: Security Considerations When Migrating Apps to the CloudShift Risk Left: Security Considerations When Migrating Apps to the Cloud
Shift Risk Left: Security Considerations When Migrating Apps to the CloudBlack Duck by Synopsys
 
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...Great Wide Open
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source SecuritySander Temme
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOpsBlack Duck by Synopsys
 
Demystifying Cloud Security Compliance
Demystifying Cloud Security ComplianceDemystifying Cloud Security Compliance
Demystifying Cloud Security ComplianceMirantis
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
 
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...Black Duck by Synopsys
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceBlack Duck by Synopsys
 
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Black Duck by Synopsys
 
Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleBlack Duck by Synopsys
 
Continuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiContinuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiAllanGray11
 

Was ist angesagt? (18)

Application Security in the Age of Open Source
Application Security in the Age of Open SourceApplication Security in the Age of Open Source
Application Security in the Age of Open Source
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source: September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source:
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open Source
 
FROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYFROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITY
 
Shift Risk Left: Security Considerations When Migrating Apps to the Cloud
Shift Risk Left: Security Considerations When Migrating Apps to the CloudShift Risk Left: Security Considerations When Migrating Apps to the Cloud
Shift Risk Left: Security Considerations When Migrating Apps to the Cloud
 
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
Open Source and Cyber Security: Open Source Software's Role in Government Cyb...
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source Security
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
 
Demystifying Cloud Security Compliance
Demystifying Cloud Security ComplianceDemystifying Cloud Security Compliance
Demystifying Cloud Security Compliance
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
 
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
 
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
 
Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development Lifecycle
 
Continuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiContinuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash Barai
 

Ähnlich wie Secure application deployment in Apache CloudStack

Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliveryBlack Duck by Synopsys
 
Prevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerPrevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerGFI Software
 
Security O365 Using AI-based Advanced Threat Protection
Security O365 Using AI-based Advanced Threat ProtectionSecurity O365 Using AI-based Advanced Threat Protection
Security O365 Using AI-based Advanced Threat ProtectionBitglass
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Alert Logic
 
A question of trust - understanding Open Source risks
A question of trust - understanding Open Source risksA question of trust - understanding Open Source risks
A question of trust - understanding Open Source risksTim Mackey
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
FireEye Use Cases — FireEye Solution Deployment Experience
FireEye Use Cases — FireEye Solution Deployment ExperienceFireEye Use Cases — FireEye Solution Deployment Experience
FireEye Use Cases — FireEye Solution Deployment ExperienceValery Yelanin
 
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Scalar Decisions
 
Key Strategies to Address Rising Application Risk in Your Enterprise
Key Strategies to Address Rising Application Risk in Your EnterpriseKey Strategies to Address Rising Application Risk in Your Enterprise
Key Strategies to Address Rising Application Risk in Your EnterpriseLumension
 
FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not MarketingArrowECS_CZ
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsBlack Duck by Synopsys
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetuppbink
 
Continuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityContinuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityVodqaBLR
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOpsBlack Duck by Synopsys
 
Software Security Assurance for Devops
Software Security Assurance for DevopsSoftware Security Assurance for Devops
Software Security Assurance for DevopsJerika Phelps
 
Security in the Age of Open Source
Security in the Age of Open SourceSecurity in the Age of Open Source
Security in the Age of Open SourceFINOS
 
Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012Andris Soroka
 

Ähnlich wie Secure application deployment in Apache CloudStack (20)

Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
 
Prevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerPrevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability Scanner
 
Security O365 Using AI-based Advanced Threat Protection
Security O365 Using AI-based Advanced Threat ProtectionSecurity O365 Using AI-based Advanced Threat Protection
Security O365 Using AI-based Advanced Threat Protection
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015
 
A question of trust - understanding Open Source risks
A question of trust - understanding Open Source risksA question of trust - understanding Open Source risks
A question of trust - understanding Open Source risks
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
FireEye Use Cases — FireEye Solution Deployment Experience
FireEye Use Cases — FireEye Solution Deployment ExperienceFireEye Use Cases — FireEye Solution Deployment Experience
FireEye Use Cases — FireEye Solution Deployment Experience
 
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
 
Question of trust
Question of trustQuestion of trust
Question of trust
 
Key Strategies to Address Rising Application Risk in Your Enterprise
Key Strategies to Address Rising Application Risk in Your EnterpriseKey Strategies to Address Rising Application Risk in Your Enterprise
Key Strategies to Address Rising Application Risk in Your Enterprise
 
FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not FireEye - Breaches are inevitable, but the outcome is not
FireEye - Breaches are inevitable, but the outcome is not
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetup
 
Continuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityContinuous security testing - sharing responsibility
Continuous security testing - sharing responsibility
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
 
Software Security Assurance for Devops
Software Security Assurance for DevopsSoftware Security Assurance for Devops
Software Security Assurance for Devops
 
Security in the Age of Open Source
Security in the Age of Open SourceSecurity in the Age of Open Source
Security in the Age of Open Source
 
Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012
 
CSO CXO Series Breakfast
CSO CXO Series BreakfastCSO CXO Series Breakfast
CSO CXO Series Breakfast
 

Mehr von Tim Mackey

Open Source 360 Survey Results
Open Source 360 Survey ResultsOpen Source 360 Survey Results
Open Source 360 Survey ResultsTim Mackey
 
XenServer Design Workshop
XenServer Design WorkshopXenServer Design Workshop
XenServer Design WorkshopTim Mackey
 
XenServer Virtualization In Cloud Environments
XenServer Virtualization In Cloud EnvironmentsXenServer Virtualization In Cloud Environments
XenServer Virtualization In Cloud EnvironmentsTim Mackey
 
Selecting the correct hypervisor for CloudStack 4.5
Selecting the correct hypervisor for CloudStack 4.5Selecting the correct hypervisor for CloudStack 4.5
Selecting the correct hypervisor for CloudStack 4.5Tim Mackey
 
User Transparent Service Migration to the Cloud
User Transparent Service Migration to the CloudUser Transparent Service Migration to the Cloud
User Transparent Service Migration to the CloudTim Mackey
 
CloudOpen Japan - Controlling the cost of your first cloud
CloudOpen Japan - Controlling the cost of your first cloudCloudOpen Japan - Controlling the cost of your first cloud
CloudOpen Japan - Controlling the cost of your first cloudTim Mackey
 
CloudStack Day Japan 2015 - Hypervisor Selection in CloudStack 4.5
CloudStack Day Japan 2015 - Hypervisor Selection in CloudStack 4.5CloudStack Day Japan 2015 - Hypervisor Selection in CloudStack 4.5
CloudStack Day Japan 2015 - Hypervisor Selection in CloudStack 4.5Tim Mackey
 
Taming the cost of your first cloud - CCCEU 2014
Taming the cost of your first cloud - CCCEU 2014Taming the cost of your first cloud - CCCEU 2014
Taming the cost of your first cloud - CCCEU 2014Tim Mackey
 
Using Packer to Migrate XenServer Infrastructure to CloudStack
Using Packer to Migrate XenServer Infrastructure to CloudStackUsing Packer to Migrate XenServer Infrastructure to CloudStack
Using Packer to Migrate XenServer Infrastructure to CloudStackTim Mackey
 
Hypervisor Selection in Apache CloudStack 4.4
Hypervisor Selection in Apache CloudStack 4.4Hypervisor Selection in Apache CloudStack 4.4
Hypervisor Selection in Apache CloudStack 4.4Tim Mackey
 
OSCON2014: Understanding Hypervisor Selection in Apache CloudStack
OSCON2014: Understanding Hypervisor Selection in Apache CloudStackOSCON2014: Understanding Hypervisor Selection in Apache CloudStack
OSCON2014: Understanding Hypervisor Selection in Apache CloudStackTim Mackey
 
Make your first CloudStack Cloud successful
Make your first CloudStack Cloud successfulMake your first CloudStack Cloud successful
Make your first CloudStack Cloud successfulTim Mackey
 
Decisions behind hypervisor selection in CloudStack 4.3
Decisions behind hypervisor selection in CloudStack 4.3Decisions behind hypervisor selection in CloudStack 4.3
Decisions behind hypervisor selection in CloudStack 4.3Tim Mackey
 
Hypervisor Selection in CloudStack and OpenStack
Hypervisor Selection in CloudStack and OpenStackHypervisor Selection in CloudStack and OpenStack
Hypervisor Selection in CloudStack and OpenStackTim Mackey
 
Hypervisor Selection in CloudStack and OpenStack
Hypervisor Selection in CloudStack and OpenStackHypervisor Selection in CloudStack and OpenStack
Hypervisor Selection in CloudStack and OpenStackTim Mackey
 
Hypervisor Capabilities in Apache CloudStack 4.3
Hypervisor Capabilities in Apache CloudStack 4.3Hypervisor Capabilities in Apache CloudStack 4.3
Hypervisor Capabilities in Apache CloudStack 4.3Tim Mackey
 
Hypervisor selection in CloudStack
Hypervisor selection in CloudStackHypervisor selection in CloudStack
Hypervisor selection in CloudStackTim Mackey
 
Planning a successful private cloud - CloudStack Collaboration Europe 2013
Planning a successful private cloud - CloudStack Collaboration Europe 2013Planning a successful private cloud - CloudStack Collaboration Europe 2013
Planning a successful private cloud - CloudStack Collaboration Europe 2013Tim Mackey
 

Mehr von Tim Mackey (18)

Open Source 360 Survey Results
Open Source 360 Survey ResultsOpen Source 360 Survey Results
Open Source 360 Survey Results
 
XenServer Design Workshop
XenServer Design WorkshopXenServer Design Workshop
XenServer Design Workshop
 
XenServer Virtualization In Cloud Environments
XenServer Virtualization In Cloud EnvironmentsXenServer Virtualization In Cloud Environments
XenServer Virtualization In Cloud Environments
 
Selecting the correct hypervisor for CloudStack 4.5
Selecting the correct hypervisor for CloudStack 4.5Selecting the correct hypervisor for CloudStack 4.5
Selecting the correct hypervisor for CloudStack 4.5
 
User Transparent Service Migration to the Cloud
User Transparent Service Migration to the CloudUser Transparent Service Migration to the Cloud
User Transparent Service Migration to the Cloud
 
CloudOpen Japan - Controlling the cost of your first cloud
CloudOpen Japan - Controlling the cost of your first cloudCloudOpen Japan - Controlling the cost of your first cloud
CloudOpen Japan - Controlling the cost of your first cloud
 
CloudStack Day Japan 2015 - Hypervisor Selection in CloudStack 4.5
CloudStack Day Japan 2015 - Hypervisor Selection in CloudStack 4.5CloudStack Day Japan 2015 - Hypervisor Selection in CloudStack 4.5
CloudStack Day Japan 2015 - Hypervisor Selection in CloudStack 4.5
 
Taming the cost of your first cloud - CCCEU 2014
Taming the cost of your first cloud - CCCEU 2014Taming the cost of your first cloud - CCCEU 2014
Taming the cost of your first cloud - CCCEU 2014
 
Using Packer to Migrate XenServer Infrastructure to CloudStack
Using Packer to Migrate XenServer Infrastructure to CloudStackUsing Packer to Migrate XenServer Infrastructure to CloudStack
Using Packer to Migrate XenServer Infrastructure to CloudStack
 
Hypervisor Selection in Apache CloudStack 4.4
Hypervisor Selection in Apache CloudStack 4.4Hypervisor Selection in Apache CloudStack 4.4
Hypervisor Selection in Apache CloudStack 4.4
 
OSCON2014: Understanding Hypervisor Selection in Apache CloudStack
OSCON2014: Understanding Hypervisor Selection in Apache CloudStackOSCON2014: Understanding Hypervisor Selection in Apache CloudStack
OSCON2014: Understanding Hypervisor Selection in Apache CloudStack
 
Make your first CloudStack Cloud successful
Make your first CloudStack Cloud successfulMake your first CloudStack Cloud successful
Make your first CloudStack Cloud successful
 
Decisions behind hypervisor selection in CloudStack 4.3
Decisions behind hypervisor selection in CloudStack 4.3Decisions behind hypervisor selection in CloudStack 4.3
Decisions behind hypervisor selection in CloudStack 4.3
 
Hypervisor Selection in CloudStack and OpenStack
Hypervisor Selection in CloudStack and OpenStackHypervisor Selection in CloudStack and OpenStack
Hypervisor Selection in CloudStack and OpenStack
 
Hypervisor Selection in CloudStack and OpenStack
Hypervisor Selection in CloudStack and OpenStackHypervisor Selection in CloudStack and OpenStack
Hypervisor Selection in CloudStack and OpenStack
 
Hypervisor Capabilities in Apache CloudStack 4.3
Hypervisor Capabilities in Apache CloudStack 4.3Hypervisor Capabilities in Apache CloudStack 4.3
Hypervisor Capabilities in Apache CloudStack 4.3
 
Hypervisor selection in CloudStack
Hypervisor selection in CloudStackHypervisor selection in CloudStack
Hypervisor selection in CloudStack
 
Planning a successful private cloud - CloudStack Collaboration Europe 2013
Planning a successful private cloud - CloudStack Collaboration Europe 2013Planning a successful private cloud - CloudStack Collaboration Europe 2013
Planning a successful private cloud - CloudStack Collaboration Europe 2013
 

Kürzlich hochgeladen

Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 

Kürzlich hochgeladen (20)

Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 

Secure application deployment in Apache CloudStack

  • 2. #whoami – Tim Mackey • Current roles: Senior Technical Evangelist; Occasional coder • Previously XenServer Community Manager • Cool things I’ve done • Designed laser communication systems • Early designer of retail self-checkout machines • Embedded special relativity algorithms into industrial control system • Find me • Twitter: @TimInTech • SlideShare: slideshare.net/TimMackey • LinkedIn: www.linkedin.com/in/mackeytim
  • 3. Security reality No solution is perfect. Defense in depth matters.
  • 4. Attacks are big business In 2015, 89% of data breaches had a financial or espionage motive Source: Verizon 2016 Data Breach Report
  • 5. EASY ACCESS TO SOURCE CODE Open source ubiquity makes it an easy target OPEN SOURCE ISN’T MORE OR LESS SECURE THAN CLOSED SOURCE – ITS JUST EASIER TO ACCESS VULNERABILITIES ARE PUBLICIZED EXPLOITS ARE PUBLISHED
  • 6. Anatomy of a new attack Potential Attack Iterate Test against platforms Document Don’t forget PR department Deploy
  • 7. DELIVERED CODE OPEN SOURCE CODE SUPPLY CHAIN CODE LEGACY CODE REUSED CODE/CONTAINERS COMMERCIAL CODE INTERNALLY DEVELOPED CODE OUTSOURCED CODE How open source enters a code base
  • 8. CLOSED SOURCE COMMERCIAL CODE DEDICATED SECURITY RESEARCHERS ALERTING AND NOTIFICATION INFRASTRUCTURE REGULAR PATCH UPDATES DEDICATED SUPPORT TEAM WITH SLA OPEN SOURCE CODE “COMMUNITY”-BASED CODE ANALYSIS MONITOR NEWSFEEDS YOURSELF NO STANDARD PATCHING MECHANISM ULTIMATELY, YOU ARE RESPONSIBLE Who is responsible for code and security?
  • 9. TRUST BUILD FILES, MANIFESTS, PACKAGE MANAGERS, FILE NAMES EVIDENCE-BASED IDENTIFICATION OF OPEN SOURCE BY SCANNING FILES IN CONTEXT Without evidence, nothing else matters Are packages complete? Determine package context
  • 10. 0 500 1000 1500 2000 2500 3000 3500 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Open Source Vulnerabilities Reported Per Year BDS-exclusive nvd Reference: Black Duck Software Knowledgebase, NVD INCREASING NUMBER OF OSS VULNERABILITIES
  • 11. Automated tools miss most open source vulnerabilities Static & Dynamic Analysis Only discover common vulnerabilities 3,000+ disclosed in 2014 Less than 1% found by automated tools Undiscovered vulnerabilities are too complex and nuanced All possible security vulnerabilities
  • 12. What do these all have in common? Heartbleed Shellshock GhostFreak Venom Since: Discovered: 2011 2014 1989 2014 1990’s 2015 2000 2015 2004 2015 Discovered by: Component: OpenSSL Riku, Antti, Matti, Mehta Bash Chazelas OpenSSL Beurdouche GNU C library Qualys researchers QEMU Geffner
  • 13. Integrating into tools and processes DEVELOP SCM BUILD PACKAGE DEPLOY PRODUCTION BUG TRACKING REMEDIATE AND TRACK LICENSE COMPLIANCE AND SECURITY VULNERABILITIES FULL APP SEC VISIBILITY VIA IBM APPSCAN INTEGRATION BUILD / CI SERVER SCAN APPLICATIONS WITH EACH BUILD VIA CI INTEGRATION DELIVERY PIPELINE SCAN APPLICATIONS AND CONTAINERS BEFORE DELIVERY CONTINUOUS MONITORING OF VULNERABILITIES
  • 15. A solution should include these components Choose Open Source Proactively choose secure, supported open source SELECT Inventory Open Source Map Existing Vulnerabilities Maintain accurate list of open source components throughout the SDL Identify vulns during development VERIFY Track New Vulnerabilities Alert new vulns in production apps MONITORREMEDIATE Fix Vulnerabilities Tell developers how to remediate
  • 16. We need your help Knowledge is power • Know what’s running and why • Define proactive vulnerability response process • Don’t let technology hype cycle dictate security Invest in defense in depth models • Don’t rely on perimeter security to do heavy lifting • Do look at hypervisor & container trends in security • Make developers and ops teams part of the solution • Do embed security into deployment process Together we can build a more secure data center

Hinweis der Redaktion

  1. Image: http://morguefile.com/p/209940
  2. http://www.istockphoto.com/photo/computer-crime-concept-gm516607038-89059287?st=9174601 http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
  3. http://www.istockphoto.com/photo/person-in-hooded-sweater-using-a-laptop-on-wooden-table-gm464503138-58544934?st=cf78f31 http://www.istockphoto.com/photo/cloud-computing-gm518556682-90104967
  4. http://www.istockphoto.com/photo/strength-in-unity-gm514713440-88219133?st=af7fa36