DevOps Panel Discussion


DevOps Panel DiscussionTable of ContentsDevOps? . 2DevOps is an Extension of Agile Thinking . 4DevOps Has Four Focus Areas . 5Infrastructure as Code . 6What is IaC? . 7Code that does what, exactly?. 9DevOps tools . 15DevOps Has Four Focus Areas . 18DevOps tools . 21Carnegie Mellon University. 28Copyright 2015 Carnegie Mellon University . 28Page 1 of 28

DevOps?DevOps ?DevOps (a portmanteau of "development" and "operations”) emphasizescommunication, collaboration, and integration between software developersand information technology (IT) operations personnel. [1][1] Alignment with Cyber COI Challenges and GapsSEI Webinar6 2015 Carnegie Mellon University**006 Announcer: And welcomeback to the SEI virtual event, CyberCOI Alignment, or Challenges andGaps. This is our final presentationfor today. It will be a DevOps panel,moderated by SEI CTO Dr. Kevin Fall.And just a reminder for everyone, ifanybody's just joining us, to take alook at that Files tab where you coulddownload the resources from today'sevent. And also, upon exiting today'sevent, please fill out our survey, asyour feedback is always greatlyappreciated.Now I'd like to introduce Dr. Fall.He's a Deputy Director and ChiefTechnologer, Technology Officer, ofthe SEI, where he directs theresearch and development portfolioof the SEI's technical programs incybersecurity, software architecture,process improvement, measurementPage 2 of 28

and estimating, and unique technicalsupport to sponsors.Joining him as panelists will be JoeYankel, who is a team lead within theSecure Lifecycle Solutions team hereat CERT, and also Hasan Yasar, whois the Technical Manager of theSecure Lifecycle Solutions Group hereat CERT division within the SEI.So now I'm going to turn it over toDr. Fall to get us going.Presenter: Okay. Thank you,Shane. Good afternoon everyone,from Pittsburgh, Pennsylvania. We'regoing to have a discussion hereabout DevOps and its relationship tocybersecurity and the dynamic threat.So thought maybe we'd just first startoff by just saying and sort of levelsetting with what do we defineDevOps to be?Hasan Yasar: Yeah, so the DevOpsis actually very industry term known,and the basic definition is theemphasized communication,collaboration, integration betweensoftware developers and informationtechnology and operations personnel.So it's a industry term.Page 3 of 28

DevOps is an Extension of Agile ThinkingDevOps is an Extension of Agile ThinkingAgileDevOpsEmbrace constant changeEmbrace constant testing,deliveryEmbed Customer in team tointernalize expertise onrequirements and domainEmbed Operations in teamto internalize expertise ondeployment andmaintenanceCERT Alignment with Cyber COI Challenges and GapsSEI Webinar7 2015 Carnegie Mellon University**007 However, the DevOps is aextension of HI methodologies. Itrequires a lot of knowledge and skillsnecessary to take the project frominception throughout sustaining andto be continued within a dedicatedproject team. So it's a practice toenable the team to achieve the levelof coordination and understandingnecessary to automateinfrastructures. So it's a kind of likeindustry term known, but we wouldlike to really cover up the processand methodologies. How can we getthat process and methodologiesautomation, especially how industryis deploying in a faster and quickerrelease in a large-scale application?We would like to get the deploymenttechniques into the agile operation ofthe cyber threat or cyber maneuversand make it faster and real, that typePage 4 of 28

of thing. We would like to get theDevOps in that realm.So that is the basic principles of DevOps.DevOps Has Four Focus AreasDevOps Has Four Focus AreasCollaboration between team rolesInfrastructure as Code: Scripted Infrastructure ConfigurationAutomation of Tasks / Processes / WorkflowsMonitoring Applications and InfrastructureCERT Alignment with Cyber COI Challenges and GapsSEI Webinar8 2015 Carnegie Mellon University**008 And these are thecollaboration, infrastructure as acode, automation and monitoring. Sothose are four principles of DevOps.And mainly infrastructure as codeand automation will be really directlyaddressing the dynamic cyber threatand . And anything else,Joe, you want to add to?Joe Yankel: No. We'll continue onwith the--get a little more in-depthon infrastructure as code.Presenter: All right. So this seconditem's infrastructure as code. So howdoes that relate to the automationaspect for DevOps?Page 5 of 28

Infrastructure as CodeInfrastructure as CodeScripted configuration of systems and environmentsEnables: Automated environment creation / provisioning Automated infrastructure testing Parity between Development, QA, Staging, and Production environments Sharing and versioning of environmental configurations Collaborative environment definition between Dev and OpsCERT Alignment with Cyber COI Challenges and GapsSEI Webinar9 2015 Carnegie Mellon University**009 Hasan Yasar: So infrastructure ascode definition is kind of scriptedconfiguration of systems andenvironment. So what basicallymeans, and based on the technologychanges and virtualization, thatmakes enable to have theconfiguration of environment. Sowhat environment means, can be avirtual host, can be any applicationsreside on it. Can be a little testingplatform. Can be infrastructured.Can be a network platform. That canbe all scripted and all configured. Sodepends on the changes, and insteadof really manual configurations.So scripted can run automatedconfiguration, push any VMs onto, onthe fly, or can push any environmenton the fly, including networkconfiguration and some of the searchconfiguration, possible networkPage 6 of 28

changes. Then on the fly and in. So it's basically scriptingall the infrastructures have a codeand put in repositories and change itdynamically. That we can describethat way. So basically the main goalsand technical challenges really havesome sort of configuration. So if youget configurations treated as a codein a platform, it's easy to, to deployit, and then easy to monitor, easy toversioning and then change itdynamically. So basically I'm goingto jump to the folder.What is IaC?What is IaC?A program that creates infrastructure* A concretely defined description of theenvironment is good material for conversationbetween team members.CERT Alignment with Cyber COI Challenges and GapsSEI Webinar13 2015 Carnegie Mellon University**013 The benefits, asthey're describing, so in a generalknown term, it can be they will openthe environment operation insecurity. So in a practice way, thatcan be multiple section of thedifferent, the configuration ofenvironment. Can be application, asPage 7 of 28

I said, can be a networkconfiguration, or it can be a platformand dynamically change it. Anddepends on the needs.Presenter: Okay. So given theDevOps cadence, and then with theautomation and infrastructures code,we're faced with a dynamic sort ofevolving cyber threat that changesregularly. How does those type ofcapabilities allow us to better countersome of the threats that we mightface?Hasan Yasar: That one goes to Joe.Joe Yankel: Yeah. I could speak tothat a little bit. So one of the thingswe're going for with DevOps is-and infrastructures code, is we want theability to quickly deploy our applications,continuously update them, and deliver those.Page 8 of 28

Code that does what, exactly?Code that does what, exactly? Creates VMs Vagrant, VirtualBox, VMware Provisions VMs or hardware with specific dependencies, configurations,networking, application code, Dynamic reconfiguration of networks,systems and applications Docker container, Shell script, Chef, Puppet, Fabric, Ansible, etc.CERT Alignment with Cyber COI Challenges and GapsSEI Webinar14 2015 Carnegie Mellon University**014 So in the case of maybe a dynamicchanging threat, if we can detectthose things then we can have theaction of--if our infrastructure ischecked in as code, we can thendynamically put out a newinfrastructure. Immediately. So theidea here is that I make a smallchange in software. I don't onlydeploy that one application. Iactually deploy my entireenvironment. My network, thoseapplications, their IP addresses.They all can be pushed dynamicallyand basically give me a brand-newsystem. So systems of systems canbe built on the fly. So we're goingfor continuous delivery. Continuousdeployment. That means everychange I make I can build my entiresystem. So we've often approacheddynamic changes with just buildingspecialized software to reconfigure itself.Page 9 of 28

Well, in DevOps, every day, we wantto possibly push out a brand-newbuild. Using that same, thosetechniques, we could, essentially,we've detected a threat. Why notrebuild our environment, the entirething? So it's kind of a different wayof addressing. Something we doevery day in software developmentusing agile approaches in DevOps toget multiple builds per day, forinstance. We could have aenvironment deployed at the push ofa button. So we're really going forspeed here. Currently-Presenter: And agility.Joe Yankel: Speed and agility.Currently it's a manual process. Wedetect a threat, a human actor getsinvolved. Makes manualconfiguration changes.But with DevOps, we've alreadyimplemented a lot of tooling,automation, scripting to build thisenvironment up. So even a minorchange can give me a newenvironment. Well, why not trigger anew environment based off of threatdetection? I've detected a threat.I've been compromised as well. I'lldeploy my environment again. I myhost was compromised, that host isgone. I have a new host, learningthe same code or an updated versionof the code. So that's where we'regoing with, with DevOps, in the nextphases of helping the COI here.Hasan Yasar: And I looked at acouple other things as well. As youPage 10 of 28

described, it's really getting a fasterautomation and deployment, howindustry's addressing the applicationdeployment in faster ways, in a largescale user base, and taking thatconcept and using a threat factor. Soif there is any threat changes,depends on the size, depends on thecomplexity, maybe we can throw outwhole applications through it and--orwe can just have the minorconfiguration. That can be IPconfiguration changes on a box.That can be some applicationconfiguration changes. The otherthings, if you know some simulatedvariable before, by changing thevariables then we can push the newapplication settings probably. Or ifyou know the signature of any, thatany threat that be captured, we cando some sort of changeson a mission itself, then we canthrow another version of applicationor infrastructure in a faster way. Asyou know, that is really important.And one of the topic in cyberwill address the needs ina higher speed and as quick a way aspossible. To achieve that there's aquicker way and a faster way wehave the automatedmission behind it, which is themission has to do that, which is a PCI, which is what'shappening in industry, and take thatconcept, putting the cyber threatenvironment and change itdynamically.Presenter: Okay. So the DevOpsframework and infrastructure as codehas been largely focused onPage 11 of 28

infrastructure in the sense of VMs,computing platforms, end points.Certainly the cyber threat isapplicable to the networkinfrastructure as well, and we've gotat the same time software-definednetworks and other kinds of moreprogrammable infrastructure. What'sthe relationship of that type ofDevOps and infrastructure as codepart with what could happen withmore dynamically programmablenetwork infrastructure?Hasan Yasar: So the networkingconfiguration, I think about anyfirewall box, any other switch. So ifyou have a versioning on that boxitself and then we can change thefirewall role, rules, on the fly anddepends on the threat, then we candeploy new version into it, into box.It can be a maybe stand-alonemission itself, and again, changingthe configuration and deploydynamically. And that configurationis going to be treated as a code, sowe have a versioning. So we can goback and if threat is changed againwe can go back to previous versionor a different version that we plantedbefore and push it dynamically againinto the network environment. It canbe one of the server, it can be manyservers.So also other things then that's veryindustry things is use it right now asa document container, so we cantreat as an application container, andthen throw into another host maybe.Let's say if the host is compromised,then we can throw another host andPage 12 of 28

throw an application into it and it hasconfiguration in it, so that can beanother environment as apart of the OS or a part of theconfiguration of the network.Anything else you want, Joe?Joe Yankel: Ah, I think you're o

DevOps Has Four Focus Areas Collaboration between team roles Infrastructure as Code: Scripted Infrastructure Configuration Automation of Tasks / Processes / Workflows Monitoring Applications and Infrastructure **008 And these are the . collaboration, infrastructure as a . code, automation and monitoring. So . those are four principles of DevOps.