A trip through the security of DevOps tools

23 Feb 2017
14:30 - 14:55

A trip through the security of DevOps tools

Nowadays, security has become a very hot issue.

With the DevOps philosophy spreading everywhere and the growing idea that now you could build a new project within a few days, some projects have started to leave security aside to focus on quickly delivering functionalities instead.

But how can we ignore today that the lack of security awareness comes with a price?

This presentation will be a feedback from two developers working on IRMA (Incident Response and Malware Analysis), an open source project we’ve been developing since 2014 (https://github.com/quarkslab/irma).

From Virtualization to Automation, we will talk about security pitfalls and difficulties we’ve been through and we’d also like to share our experience on how to use those Devops tools in secure environments: Who to trust? Which tools are more secured than others? How to combine everything in an offline environment due to security constraints? Do you really trust the Internet?

For example, we’ll focus on userland isolation versus hardware virtualization, on web-hosted virtual machine boxes versus home-made/hosted ones.

We’ll also speak about good and bad practices, e.g. the usual “curl https://mywebsite/install.sh | sudo bash” or privileged users in Ansible runs.

Finally, we’ll talk about practical issues we’ve been facing for all our products: the offline (aka I-cant-connect-my-server-to-the-Evil-Internet) installation. How do you manage external dependencies? Security updates?