Markerbench

Perspectives on technology, security, and current events.

about me

I’m Andrew Jaquith, CTO and SVP, Cloud Strategy of SilverSky and former analyst with Forrester and Yankee Group. My interests include security, anything mobile, app development, visualization, good writing and spirited discussion.


The DevOps Security Handbook: Building Security in With Chef, Part III

posted in DevOps, security

Introduction

This is the third in a series of occasional posts about security and DevOps. The ultimate goal of this series is to show how to build a reasonably secure Apache web server using the popular DevOps automation tool Chef. The server will be suitable for serving static content such as that generated by OctoPress. Each post explores a new aspect of Chef.

If you read the first and second posts in this series, you learned how to set up the Chef workstation and server; created webserver and base roles; created a test environment and a virtual machine; and built a partially hardened server called tester.local. This server has a minimized Apache configuration, and a restricted OpenSSH configuration.

In this post, I will demonstrate one of the most challenging aspects of any server automation project: copying sensitive keying materials, such as SSL private keys, to server nodes. Although SSL certificates themselves are not sensitive, certificate private keys are. In order to use Chef to truly “build security in,” these materials must be securely conveyed from the Chef server to the target server nodes. To do this, you will use Chef’s encrypted data bag feature and an add-on feature called chef-vault. You will create a custom cookbook recipe that performs all of the necessary decryption and file-creation actions on the target node. At the end of this post, you will possess a repeatable, reliable and secure method for conveying SSL keying materials or other secrets to target nodes.

The DevOps Security Handbook: Building Security in With Chef, Part II

posted in DevOps, security

Introduction

This is the second in a series of occasional posts about security and DevOps. The ultimate goal of this series is to show how to build a reasonably secure Apache web server using the popular DevOps automation tool Chef. The server I am describing will be suitable for serving static content. Readers of this blog know that I am a fan of static blogging tools like Octopress, which I use to generate this website.

If you read the first post in this series, you learned how to set up the Chef workstation and server account. You created an Apache server role and a test environment; set up a virtual machine; and built your first node. In this post, I will show you how to create a new role called base that includes security enhancements to OpenSSH. You will also fine-tune Apache to remove non-essential modules.

The DevOps Security Handbook: Building Security in With Chef, Part I

posted in DevOps, security

Introduction

This is the first in a series of posts about Chef, an infrastructure automation platform. The goal of this series is to describe how to build a reasonably secure Apache web server. By using Chef, we can quickly and efficiently build identical web servers with assurance that they will work the same way, every time, and have the security properties we want.

Building Security in Using Chef

posted in DevOps, security

Lately I have been spending a lot of time with a new best friend. This new friend is reliable; he does everything according to plan and always exactly the same way. The results are exactly the same every time, too. And he speaks to me in a language that I understand — the language of food.

I am not talking about a new buddy gourmand, about a pal I go out to restaurants with, or about a super-reliable project manager. My new best friend is a technology called Chef, made by OpsCode.

New Web Adventures With Heroku

posted in applications, dev ops

Many ardent followers of this blog know that among other things, one of my professional hobbies is application development. I am a “weekend programmer.” I always have a side project or two going, but do not professionally program (much) as part of my day job. That’s not necessarily for lack of talent (cough), but for lack of desire to make my living from it. That said, as the CTO of a cloud security software company, it’s rather good to know how software is built these days. As a bonus, by staying close to dev via a hobby or two, I can relate better to my colleagues who actually do make their living from programming.