
AppSec USA 2014 Denver, Colorado Implications & Opportunities at the Bleeding Edge of DevOps Chris Swan, CTO

Presentation transcript:

1 AppSec USA 2014 Denver, Colorado Implications & Opportunities at the Bleeding Edge of DevOps Chris Swan, CTO CohesiveFT @cpswan

2 Introduction – Chris Swan – why me? CTO, CohesiveFT (cloud native networking)

3 TL;DR
- Dockerfile is awesomely productive – great for DevOps
- Containers don’t contain – at least not yet
- Images have a manifest problem – keep track of your stuff

4 What do I mean when I say ‘DevOps’? Part 1

5 Let’s start with a demo Demo time

6 John Boyd’s OODA loop

7 Industrial design maturity – the auto example Design for purpose Design for manufacture Design for operations

8 Industrial design maturity - software Design for purpose Design for manufacture Design for operations DevOps is just an artefact

9 Containers and containment Part 2

10 Containers don’t contain – with thanks to Dan Walsh @rhatdan. Watch his DockerCon 2014 presentation at http://is.gd/dcrhdw

11 Shocker
- The issue: http://stealth.openwall.net/xSports/shocker.c (a proof of concept that reads arbitrary host files from inside a Docker container via open_by_handle_at(2), a call that CAP_DAC_READ_SEARCH permitted; Docker 1.0 dropped that capability from the default set in response)
- The response: https://news.ycombinator.com/item?id=7910117

12 Because containers aren’t VMs And this has yet to come:

13 Possible to have our cake and eat it?

14 cgroups

15 namespaces
- mnt: mount points, filesystems
- pid: processes
- net: network
- ipc: inter process communication
- uts: hostname
- device: devices
- user: UIDs

16 capabilities – fine grained control over ‘root’ privileges:
- deny all "mount" operations;
- deny access to raw sockets (to prevent packet spoofing);
- deny access to some filesystem operations, like creating new device nodes, changing the owner of files, or altering attributes (including the immutable flag);
- deny module loading;
- etc.
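The slide lists privileges to deny, but the practical question is which capabilities a container process actually still holds. The script below is an added example, not code from the talk or from Docker: it decodes the CapEff bitmask that the kernel exposes in /proc/<pid>/status and flags the capabilities that undo the denials above (SYS_ADMIN for mount, NET_RAW for raw sockets, MKNOD and CHOWN for device nodes and ownership, SYS_MODULE for module loading) plus DAC_READ_SEARCH, the one shocker.c relied on. The capability bit numbers come from <linux/capability.h>; the sample mask is constructed here so the script also runs where /proc is not available, and it matches the 14-capability default set Docker granted to containers in 2014.

```shell
#!/bin/sh
# Added example (not from the talk or from Docker): decode a process's
# effective capability mask and report which of the privileges the slide
# wants denied it still holds. Run it inside a container to audit what
# 'root' there can actually do.

# Capability bit numbers from <linux/capability.h>.
CAP_CHOWN=0; CAP_DAC_READ_SEARCH=2; CAP_NET_RAW=13
CAP_SYS_MODULE=16; CAP_SYS_ADMIN=21; CAP_MKNOD=27

# cap_in_mask HEXMASK BIT: succeed if capability BIT is set in the 64-bit
# hex mask, written the way /proc/<pid>/status prints CapEff.
cap_in_mask() {
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# cap_eff_mask [PID]: print the CapEff mask of PID (default: this shell).
cap_eff_mask() {
    while read -r key val; do
        if [ "$key" = "CapEff:" ]; then
            echo "$val"
            return 0
        fi
    done < "/proc/${1:-self}/status"
    return 1
}

# risky_caps HEXMASK: print, one per line, the capabilities in the mask that
# undo the denials listed on the slide (mount, raw sockets, device nodes,
# chown, module loading) plus DAC_READ_SEARCH, which shocker.c relied on.
risky_caps() {
    for entry in \
        "SYS_ADMIN:$CAP_SYS_ADMIN" \
        "DAC_READ_SEARCH:$CAP_DAC_READ_SEARCH" \
        "SYS_MODULE:$CAP_SYS_MODULE" \
        "NET_RAW:$CAP_NET_RAW" \
        "MKNOD:$CAP_MKNOD" \
        "CHOWN:$CAP_CHOWN"
    do
        if cap_in_mask "$1" "${entry#*:}"; then
            echo "${entry%%:*}"
        fi
    done
}

# Constructed sample mask for offline use: the 14-capability set Docker
# granted to containers by default in 2014 (no SYS_ADMIN, no DAC_READ_SEARCH,
# no SYS_MODULE, but still NET_RAW, MKNOD and CHOWN).
SAMPLE_MASK=00000000a80425fb

if mask=$(cap_eff_mask 2>/dev/null); then
    echo "CapEff of this shell: $mask"
    echo "risky capabilities held:"
    risky_caps "$mask"
else
    echo "no /proc/self/status here; decoding sample mask $SAMPLE_MASK instead:"
    risky_caps "$SAMPLE_MASK"
fi
```

Against the sample mask the script reports NET_RAW, MKNOD and CHOWN: the default set already blocks mounts, module loading and the shocker path, but still allows raw sockets and device nodes, which is why it pays to run this inside your own images rather than trust the documentation. Docker 1.2 added --cap-drop and --cap-add to docker run, so a service that needs none of these can start with --cap-drop=ALL and add back only what it uses.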

17 AppArmor and SELinux Mandatory Access Control (MAC)

18 Containers will contain
- Use of namespaces, capabilities and MAC will improve – might be a game of ‘whack a mole’; hard to tell when we’re done (is @solomonstre’s word going to be enough?)
- Libcontainer can drive other mechanisms – more secure options might come
- Hardware support might come – existing rings 1 & 2 aren’t used much, but aren’t really suitable; VT-x introduced ring -1, do we need a ring 0.5?

19 The manifest problem Part 3

20 My Dockerfile from (much) earlier

21 Each active line creates a layer

22 An image binds layers together

23 The image is the unit of deployment

24 Which version of Nginx is that?

25 Which version of OpenSSL is installed?

26 Problem 1 – non determinism
Whilst we want this to be cached in the short term: apt-get install nginx
We perhaps don’t want it cached in the long term
What are those durations? (Docker’s build cache reuses the layer produced by an unchanged Dockerfile line, so the same apt-get install line keeps yielding the old Nginx for as long as the cached layer lives, then silently pulls a newer one once the cache is busted.)

27 Problem 2 – the manifest problem
When I run apt-get install nginx I don’t know which version of Nginx I just got
Should I? nginx -v 2> some_log.txt (nginx -v writes its version to stderr, so plain > captures nothing)
Or maybe? apt-cache policy nginx > some_log.txt
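Slides 26 and 27 together describe the fix: record what apt actually installed at build time, compare it between builds, and pin the versions you want to keep. The script below is an added example, not code from the talk: it takes dpkg-query style pkg=version output, answers "which Nginx, which OpenSSL?" from the recorded manifest, diffs two manifests to show what a cache refresh changed, and emits the pinned apt-get line to put back into the Dockerfile. The dpkg output for two successive builds is a constructed sample (package names and version strings in Ubuntu 14.04 style, chosen for illustration) so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the talk): keep a manifest of what apt actually
# installed, so that "which Nginx / which OpenSSL is in this image?" is
# answered by the build output rather than by guessing from the Dockerfile.
#
# In a real build the manifest comes from
#   dpkg-query -W -f='${Package}=${Version}\n' | LC_ALL=C sort
# run as the last step of the Dockerfile. Here the dpkg-query output for two
# successive builds is a constructed sample so the script runs offline.

BUILD1_DPKG='nginx=1.4.6-1ubuntu3
openssl=1.0.1f-1ubuntu2.4
libssl1.0.0=1.0.1f-1ubuntu2.4
zlib1g=1:1.2.8.dfsg-1ubuntu1'

BUILD2_DPKG='nginx=1.4.6-1ubuntu3.1
openssl=1.0.1f-1ubuntu2.5
libssl1.0.0=1.0.1f-1ubuntu2.5
zlib1g=1:1.2.8.dfsg-1ubuntu1'

# manifest: turn dpkg-query output on stdin into a sorted pkg=version list.
manifest() {
    grep '=' | LC_ALL=C sort
}

# manifest_version MANIFEST PKG: print the version of PKG recorded in MANIFEST
# (empty if the package is not in the manifest).
manifest_version() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# manifest_diff OLD NEW: print 'pkg: old -> new' for every package whose
# version differs between two manifests, i.e. what an apt cache refresh
# silently changed under you.
manifest_diff() {
    printf '%s\n' "$1" | while IFS='=' read -r pkg old; do
        new=$(manifest_version "$2" "$pkg")
        if [ -n "$new" ] && [ "$new" != "$old" ]; then
            echo "$pkg: $old -> $new"
        fi
    done
}

# pinned_install MANIFEST PKG...: the apt-get line that reproduces exactly the
# versions MANIFEST records for the named packages; paste it into the
# Dockerfile to make the next build deterministic.
pinned_install() {
    m=$1
    shift
    line="apt-get install -y --no-install-recommends"
    for pkg in "$@"; do
        line="$line $pkg=$(manifest_version "$m" "$pkg")"
    done
    echo "$line"
}

M1=$(printf '%s\n' "$BUILD1_DPKG" | manifest)
M2=$(printf '%s\n' "$BUILD2_DPKG" | manifest)

echo "build 1 nginx:   $(manifest_version "$M1" nginx)"
echo "build 2 openssl: $(manifest_version "$M2" openssl)"
echo "changed between builds:"
manifest_diff "$M1" "$M2"
echo "to pin build 2:"
pinned_install "$M2" nginx openssl
```

Storing the manifest in the image (or in the build log) turns "which OpenSSL is in that container?" into a grep; the diff is what you check when an unchanged Dockerfile suddenly produces a different image, and the pinned line is how you choose deliberately when to take the newer package rather than letting the layer cache decide for you.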

28 TL;DR
- Dockerfile is awesomely productive – great for DevOps
- Containers don’t contain – at least not yet
- Images have a manifest problem – keep track of your stuff

29 Questions? Ask now, or on Twitter: @cpswan Question time

