DevSecOps In The Cloud Is Not Just CI/CD: Embracing ... In The Cloud Is Not Just CI/CD: Embracing...

SESSIONID:SESSIONID:

HenrikJohansson

DevSecOpsInTheCloudIsNotJustCI/CD:EmbracingSecurityAutomation

CSV-T11

SecuritySpecialistSolutionsArchitectAmazonWebServices@henrikjay

TerminologyDisclaimer

import re

re.search('([Dd]ev[Ss]ec|[Ss]ec[Dd]ev|[Rr]ugged\s[Dd]ev)[Oo]ps')

=SecurityAutomation

TerminologyDisclaimer

import re

re.search('([Dd]ev[Ss]ec|[Ss]ec[Dd]ev|[Rr]ugged\s[Dd]ev)[Oo]ps')

=SecurityAutomation

AtScale

Why/Who/Where/When/What

WhyGoalsofDevSecOps

Why- GoalsofDevSecOps

PaceofInnovation…meetPaceofSecurityAutomation

Elasticandautonomoussecurityvalidationofinstancedeployments

Risk/ratingbasedactions

AutomaticIncidentResponseRemediation

Why- GoalsofDevSecOps

PaceofInnovation…meetPaceofSecurityAutomation

Elasticandautonomoussecurityvalidationofinstancedeployments

Risk/ratingbasedactions

AutomaticIncidentResponseRemediation

Securityatscale

WhoMe?

Purpose

Securityisaserviceteam,notablockerSecurityiseveryone'sjob

Allowflexibilityandfreedom

butcontroltheflowandresult.

Meetthenewsecurityteam

Operations Engineering

ApplicationSecurity Compliance

Meetthenewsecurityteam

Operations Engineering

ApplicationSecurity Compliance

Development

3(+)places

1. SecurityoftheCI/CDPipeline• Accessroles• Hardeningbuildservers/nodes

2. SecurityintheCI/CDPipeline• Artifactvalidation• Staticcodeanalysis

CI/CDforDevOps

VersionControl CIServer

PackageBuilder

DeployServerCommitto

Git/masterDev

Get/PullCode

Images

SendBuildReporttoDevStopeverythingifbuild failed

DistributedBuildsRunTestsinparallel

StagingEnv

TestEnv

CodeConfigTests

ProdEnv

Config InstallCreate

ArtifactRepoDeploymenttemplatesforinfrastructure

Generate

VersionControl CIServer

PackageBuilder

PromoteProcessBlockcreds

FromgitDev

Get/PullCode

Images

Logforaudit

StagingEnv

TestEnv

CodeConfigTests

ProdEnv

Audit/Validate

ConfigChecksum

ContinuousScan

CI/CDforDevSecOps

SendBuildReporttoSecurityStopeverythingifaudit/validationfailed

Deploymenttemplatesforinfrastructure

Scanhook

Whataboutmyotherstuff?

InfrastructureascodeSplitownershipPre-deployvalidation

ElasticsecurityautomationAPIdrivenAutoscalinggroups– hooksExecutionlayerscaleswithtargets

RuntimesecurityTagbasedtargeting

Rip-n-replace

Continuouspentesting

ImmutableinfrastructureValidationandenforcement

Integratewithmanagedservices

3. CloudscaleSecurityakaalltheotherstuffpeoplearereallytalkingabout

EasyAllthetime!

When– ControlandValidate

Pre-event- WhenpossibleStoreinfrastructureincoderepository— Validateeachpush(githooks)— Usemanagedmicroservicesasexecutionengine— Scancloudinfrastructuretemplatesforunwanted/riskvaluedconfigurations— ValidateContainerdefinitions

Validatesystemcodeearlyon— Findunwantedlibrariesetc.

ForceinfrastructurechangesthroughtemplatesBlockifneeded/unsure

When– ControlandValidate

Post-event- AlwaysFollow-uponsensitiveAPI’s— IAM,SecurityGroups/Firewall,Encryptionkeys,Logging,etc.— Alert/Inform

Usesourceoftruth— Lockedtoexecutionfunction(ReadOnly)

Validatesource— HumanorMachine/CICD

Decideonremediation

When- Trigger

Trigger:Perchange— APIbased— Eventlogs

PerdayPerframework— Overallinfrastructure,componentsandresources— Onecomponentmultipleframeworks

WhatGivemesomeexamples

Givemesomeexamples

SecurityvalidationinaelasticinfrastructureImplement->Validate->DecideTerminateuponfailure

AutomaticIncidentResponseRemediationAutohealloggingDisableoffender

Integratehost-basedandcloud-basedImmutableinfrastructure- Isolateinstance

Example– Autoisolation

Modify/etc/pam.d/sshd

Executescriptuponlogonsessionoptionalpam_exec.so/path/trigger.sh

Triggercloudbasedeventasmarker#!/bin/bashINSTANCE_ID=$(wget-q-O- http://169.254.169.254/latest/meta-data/instance-id)REGION=$(wget-q-O- http://169.254.169.254/latest/meta-data/placement/availability-zone|sed's/.\\{1\\}$//')DATE=$(date)awsec2--region$REGIONcreate-tags--resources$INSTANCE_ID--tags\"Key=Tainted,Value=$DATE\”

ExecutecloudfunctiononmarkerdetectionRemovefromloadbalancer/scalinggroups(willauto-heal)Blockin/outgoingtrafficusingcloudcontrols

Example– Autoisolation

Don’tforgetsafeguards!HowmanyinstancescanIisolatebeforeIfisolated>x:

wake_human()Remember,xcouldbe0

Examplelogging

DetectCloudloggingdisabled

PriorityEnablelogging

ForensicsHavethishappenedbefore

CountermeasuresIfnum_disabled>x:#xcouldbezerobasedontypeanduser

disable_user()

Alert!

Cool…soIjustfixthings??Well…yes...but...

Failureisalwaysanoption,nowatscriptspeed

Weforgottotellyou…

Noproperalerting,loggingorfollow-uponautomatedevents

Yougotscripts…theygotscripts

Howdoyouminimizeriskoffailedremediationfunctions?

Implementremediationframework

Theanatomyofremediation

Continuous/Eventbased

Executionconstraints

Willactionriskbreakingsomething

Willchangeaffectcost

Isthereasourceoftruth

PriorityAction Forensic Counter

measures Alerts Log

Execute

Attheendoftherainbow…Whatarewetryingtoaccomplish?

MinimizerelyingonhumansAutomationdoesn’tsleep,eatorneedcoffeeinthemorning

Preventbadconfigurationsbeforetheyareimplemented

Autocorrect/remediateviolationswherepossible

Daily/instantbenchmarkvalidationofinfrastructureValidateagainstindustryframeworksExtendtoremediation

Yournextstep

LookthroughyourinfrastructuresecurityrunbookWhatcanyouautomate?Howcanyouvalidate?

Example:OSSvalidationforCISAWSFoundationFrameworkhttps://github.com/awslabs/aws-security-benchmark

OSSCodetolearnfrom

git-secrets - Preventsyoufromcommittingpasswordsandothersensitiveinformationtoagit repository.

aws-security-benchmark - Benchmarkscriptsmappedagainsttrustedsecurityframeworks.

aws-config-rules - [Node,Python,Java]RepositoryofsampleCustomRulesforAWSConfig

Netflix/security_monkey - MonitorspolicychangesandalertsoninsecureconfigurationsinanAWSaccount.

Netflix/edda - EddaisaServicetotrackchangesinyourclouddeployments.

ThreatResponse - OpenSourceSecuritySuiteforhardeningandrespondinginAWS.

CloudSploit – Capturingthingslikeopensecuritygroups,misconfiguredVPCsandmore.

Stelligent/Cfn_nag – LooksforpatternsinCloudFormation templatesthatmayindicateinsecureinfrastructure.

Capitalone/cloud-custodian - RulesengineforAWSfleetmanagement.

Remember

It’sactuallynotwho,when,whereorwhat...It’sjusthow

DevSecOps In The Cloud Is Not Just CI/CD: Embracing ... In The Cloud Is Not Just CI/CD: Embracing...

Documents

CI/CD with Docker on AWS

Transforming Organizations with CI/CD

CI-CD and DevOps with Ruby

Developing Infrastructure Code for CI & CD

GitLab CIPipeline GitLab CI 6. CI/CD Mkdocs Pipeline GitLab CI Déploiement sur Netlify 7. CI/CD Maven - Apache Tomcat Premier exemple Essai local Pipeline GitLab CI Initialisation

GitLab CI/CD - An Overview · DevOps Porto - Filipa Lacerda @filipalacerda gitlab.com/filipa GitLab CI/CD - An Overview

Automate your Jenkins CI/CD Pipeline with Automated REST ...CI/CD Pipeline with Automated REST and SOAP API Testing Deploy API Fortress for Jenkins CI/CD pipeline on-premises or hybrid

Achieving CI/CD with Kubernetes

Java PaaS – Enabling CI, CD, and DevOps - Huihoodocs.huihoo.com/javaone/...PaaS-Truly-Enabling-CI-CD-and-DevOps.pdfJava PaaS – Enabling CI, CD, and DevOps. AuthX Overview Who We

CI/CD for mobile at HERE

CI / CD with fabric8

Continuous Integration + Continuous Deployment CI+CD

GitHub & GitLab CI/CD

Fabric8 CI/CD

How Docker simplifies CI/CD

of...GI0 Vl CI QI E Ql QI0! CL'6 I-C CI CI CI CO Pt CI CI IO CI ~G CD CI CI CD CD CD CO CI Gl C0 0 IU IL ZCL L C 0 I-ttl C ID Cl IO CI I D E al QQ CL QI E Ql QD 0 CO0 (3 CO 0 Cl I

From ci to cd

CI/CD Best Practices

Practice CI/CD with Docker

6 AWS Services / Serverless CI CD