devsecops in the cloud is not just ci/cd: embracing ... in the cloud is not just ci/cd: embracing...
TRANSCRIPT
SESSIONID:SESSIONID:
#RSAC
HenrikJohansson
DevSecOpsInTheCloudIsNotJustCI/CD:EmbracingSecurityAutomation
CSV-T11
SecuritySpecialistSolutionsArchitectAmazonWebServices@henrikjay
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
TerminologyDisclaimer
import re
re.search('([Dd]ev[Ss]ec|[Ss]ec[Dd]ev|[Rr]ugged\s[Dd]ev)[Oo]ps')
=SecurityAutomation
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
TerminologyDisclaimer
import re
re.search('([Dd]ev[Ss]ec|[Ss]ec[Dd]ev|[Rr]ugged\s[Dd]ev)[Oo]ps')
=SecurityAutomation
AtScale
#RSAC
Why/Who/Where/When/What
4
#RSAC
WhyGoalsofDevSecOps
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why- GoalsofDevSecOps
PaceofInnovation…meetPaceofSecurityAutomation
Elasticandautonomoussecurityvalidationofinstancedeployments
Risk/ratingbasedactions
AutomaticIncidentResponseRemediation
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why- GoalsofDevSecOps
PaceofInnovation…meetPaceofSecurityAutomation
Elasticandautonomoussecurityvalidationofinstancedeployments
Risk/ratingbasedactions
AutomaticIncidentResponseRemediation
Securityatscale
#RSAC
WhoMe?
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Purpose
Securityisaserviceteam,notablockerSecurityiseveryone'sjob
Allowflexibilityandfreedom
butcontroltheflowandresult.
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Meetthenewsecurityteam
Operations Engineering
ApplicationSecurity Compliance
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Meetthenewsecurityteam
Operations Engineering
ApplicationSecurity Compliance
Development
#RSAC
Where
3(+)places
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Where
1. SecurityoftheCI/CDPipeline• Accessroles• Hardeningbuildservers/nodes
2. SecurityintheCI/CDPipeline• Artifactvalidation• Staticcodeanalysis
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CI/CDforDevOps
VersionControl CIServer
PackageBuilder
DeployServerCommitto
Git/masterDev
Get/PullCode
Images
SendBuildReporttoDevStopeverythingifbuild failed
DistributedBuildsRunTestsinparallel
StagingEnv
TestEnv
CodeConfigTests
ProdEnv
Push
Config InstallCreate
ArtifactRepoDeploymenttemplatesforinfrastructure
Generate
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VersionControl CIServer
PackageBuilder
PromoteProcessBlockcreds
FromgitDev
Get/PullCode
Images
Logforaudit
StagingEnv
TestEnv
CodeConfigTests
ProdEnv
Audit/Validate
ConfigChecksum
ContinuousScan
CI/CDforDevSecOps
SendBuildReporttoSecurityStopeverythingifaudit/validationfailed
Deploymenttemplatesforinfrastructure
Scanhook
#RSAC
Whataboutmyotherstuff?
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Where
InfrastructureascodeSplitownershipPre-deployvalidation
ElasticsecurityautomationAPIdrivenAutoscalinggroups– hooksExecutionlayerscaleswithtargets
RuntimesecurityTagbasedtargeting
Rip-n-replace
Continuouspentesting
ImmutableinfrastructureValidationandenforcement
Integratewithmanagedservices
…
3. CloudscaleSecurityakaalltheotherstuffpeoplearereallytalkingabout
#RSAC
When
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
When
EasyAllthetime!
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
When– ControlandValidate
Pre-event- WhenpossibleStoreinfrastructureincoderepository— Validateeachpush(githooks)— Usemanagedmicroservicesasexecutionengine— Scancloudinfrastructuretemplatesforunwanted/riskvaluedconfigurations— ValidateContainerdefinitions
Validatesystemcodeearlyon— Findunwantedlibrariesetc.
ForceinfrastructurechangesthroughtemplatesBlockifneeded/unsure
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
When– ControlandValidate
Post-event- AlwaysFollow-uponsensitiveAPI’s— IAM,SecurityGroups/Firewall,Encryptionkeys,Logging,etc.— Alert/Inform
Usesourceoftruth— Lockedtoexecutionfunction(ReadOnly)
Validatesource— HumanorMachine/CICD
Decideonremediation
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
When- Trigger
Trigger:Perchange— APIbased— Eventlogs
PerdayPerframework— Overallinfrastructure,componentsandresources— Onecomponentmultipleframeworks
#RSAC
WhatGivemesomeexamples
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Givemesomeexamples
SecurityvalidationinaelasticinfrastructureImplement->Validate->DecideTerminateuponfailure
AutomaticIncidentResponseRemediationAutohealloggingDisableoffender
Integratehost-basedandcloud-basedImmutableinfrastructure- Isolateinstance
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Example– Autoisolation
Modify/etc/pam.d/sshd
Executescriptuponlogonsessionoptionalpam_exec.so/path/trigger.sh
Triggercloudbasedeventasmarker#!/bin/bashINSTANCE_ID=$(wget-q-O- http://169.254.169.254/latest/meta-data/instance-id)REGION=$(wget-q-O- http://169.254.169.254/latest/meta-data/placement/availability-zone|sed's/.\\{1\\}$//')DATE=$(date)awsec2--region$REGIONcreate-tags--resources$INSTANCE_ID--tags\"Key=Tainted,Value=$DATE\”
ExecutecloudfunctiononmarkerdetectionRemovefromloadbalancer/scalinggroups(willauto-heal)Blockin/outgoingtrafficusingcloudcontrols
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Example– Autoisolation
Don’tforgetsafeguards!HowmanyinstancescanIisolatebeforeIfisolated>x:
wake_human()Remember,xcouldbe0
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Examplelogging
DetectCloudloggingdisabled
PriorityEnablelogging
ForensicsHavethishappenedbefore
CountermeasuresIfnum_disabled>x:#xcouldbezerobasedontypeanduser
disable_user()
Alert!
#RSAC
Cool…soIjustfixthings??Well…yes...but...
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Risks
Failureisalwaysanoption,nowatscriptspeed
Weforgottotellyou…
Noproperalerting,loggingorfollow-uponautomatedevents
Yougotscripts…theygotscripts
Howdoyouminimizeriskoffailedremediationfunctions?
#RSAC
Implementremediationframework
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Theanatomyofremediation
Continuous/Eventbased
Executionconstraints
Willactionriskbreakingsomething
Willchangeaffectcost
Isthereasourceoftruth
PriorityAction Forensic Counter
measures Alerts Log
Know
Execute
#RSAC
Attheendoftherainbow…Whatarewetryingtoaccomplish?
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Goals
MinimizerelyingonhumansAutomationdoesn’tsleep,eatorneedcoffeeinthemorning
Preventbadconfigurationsbeforetheyareimplemented
Autocorrect/remediateviolationswherepossible
Daily/instantbenchmarkvalidationofinfrastructureValidateagainstindustryframeworksExtendtoremediation
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Yournextstep
LookthroughyourinfrastructuresecurityrunbookWhatcanyouautomate?Howcanyouvalidate?
Example:OSSvalidationforCISAWSFoundationFrameworkhttps://github.com/awslabs/aws-security-benchmark
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
OSSCodetolearnfrom
git-secrets - Preventsyoufromcommittingpasswordsandothersensitiveinformationtoagit repository.
aws-security-benchmark - Benchmarkscriptsmappedagainsttrustedsecurityframeworks.
aws-config-rules - [Node,Python,Java]RepositoryofsampleCustomRulesforAWSConfig
Netflix/security_monkey - MonitorspolicychangesandalertsoninsecureconfigurationsinanAWSaccount.
Netflix/edda - EddaisaServicetotrackchangesinyourclouddeployments.
ThreatResponse - OpenSourceSecuritySuiteforhardeningandrespondinginAWS.
CloudSploit – Capturingthingslikeopensecuritygroups,misconfiguredVPCsandmore.
Stelligent/Cfn_nag – LooksforpatternsinCloudFormation templatesthatmayindicateinsecureinfrastructure.
Capitalone/cloud-custodian - RulesengineforAWSfleetmanagement.
#RSAC
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Remember
It’sactuallynotwho,when,whereorwhat...It’sjusthow