Automating Security Practices for the DevOps Revolution

Transcription

1 Automating Security Practices for the DevOps Revolution Hari Srinivasan Director Product Management, Cloud and Virtualization Security Qualys Inc. 1 Qualys, Inc. 2018

2 Agenda Transformation of today s IT and IT organization DevOps/DevSecOps DevOps use cases in Securing Cloud DevOps use cases in Securing Containers Qualys Container Security Overview & Demo 2 Qualys, Inc. 2018

3 Digital Transformation is Driving Transformation of IT landscape Private Clouds Public Clouds Internet Enterprise On Premise Remote End Users 3 Qualys, Inc. 2018

4 Digital Transformation DevOps Innovation Cloud Migration Container Revolution Scale & Elasticity 4

5 Digital Transformation More than just adopting new technology Powered by IT innovation Security can t be after thought 5

6 Digital Transformation Barriers #1 Cyber Threats & Security Concerns #1 Lack of Digitally-Skilled Workforce #2 Lack of Supporting Government Policies and ICT Infrastructure #3 Uncertain Economic Environment #3 Lack of Leadership to Ideate, Plan, and Lead Digital Transformation Strategy 6 1,800 Business Leaders surveyed by Microsoft. Source:

7 Digital Transformation What about Security? DevSecOps! Built-in not bolted-on More Dev than Sec or Ops 7

8 Security Security Security Security Security Security Security Security as Usual breaks DevOps Automation Plan Code Test Release Package Deploy Operate Monitor Dev Ops wait! wait! wait! wait! wait! wait! 8

9 DevOps + Security!= DevSecOps 9 Qualys, Inc. 2018

10 DevSecOps is a Shift in Thinking Time Techniques Tools An opportunity to do different and better things earlier in the development lifecycle Think like Developers: Automation, Integration, Self-Service Collaborate with security vendors: DevOps Integrations, APIs, Self-Service UIs 10

11 11 The Right Security Tools for the DevOps Process

12 Same Qualys Platform for DevSecOps Vulnerability Management Find vulnerabilities in operating systems, commercial software, and open source Verification of Fixed vulnerabilities Configuration Compliance Verifying build compliance Detect changes from baseline API Plug-ins UI Web Application Scanning OWASP Top 10 Input Validation Vulnerabilities SQL Injection / Cross-site Scripting Container Security Inventory Tracking Vulnerability Management Events and Change Tracking 12

13 Qualys Sensors Physical Virtual Cloud/Container Cloud Agents Passive API Legacy data centers Corporate infrastructure Continuous security and compliance scanning Private cloud infrastructure Virtualized Infrastructure Continuous security and compliance scanning Commercial IaaS & PaaS clouds Pre-certified in market place Fully automated with API orchestration Continuous security and compliance scanning Light weight, multiplatform On premise, elastic cloud & endpoints Real-time data collection Continuous evaluation on platform for security and compliance Passively sniff on network Real-time device discovery & identification Identification of APT network traffic Extract malware files from network for analysis Integration with Threat Intel feeds CMDB Integration Log connectors 13 All sensors can be integrated and orchestrated in DevOps pipelines

14 14 Automating Vulnerability Management & Compliance configuration checks in DevOps Environments

15 Customer Case Studies CASE STUDY Reduced application releases from 2 weeks to 24 hrs by automating security with Qualys in to DevOps Genealogy Company Custom dashboards per LOB to gain visibility into approved vs. unapproved Images, patch cycles. Beverage MNC Enabling DevOps with automated agent deployment via Azure Security Center 15

16 CapitalOne Before: Lack of Security Automation Delays Release CASE STUDY Machine Builders VM SCAN/REPORT 48 HOURS Vulnerability Management Teams VM SCAN/REPORT 48 HOURS Two weeks until the Image (AMI) is certified for production 16 Qualys June 2018

17 CapitalOne After: Introduce Security at the Source Bake Qualys Security into Gold Images and AMI CASE STUDY OS GOLD IMAGE and AMAZON MACHINE IMAGE (AMI) QUALYS ASSESS ON DEV INSTANCES HARDENDED INSTANCES APPROVE and PUBLISH CI/CD PIPELINE Qualys Scanner Qualys Scanner Qualys Agent Public Custom Identify Vulns. & Config. Issues OS Fix & Verify OS Bake Approved Gold Image and AMI Live Instances Qualys Agent 17 Qualys June 2018

18 Genealogy Company Upgrading security practice with visibility Datacenter migration to AWS by June AWS accounts and expect to grow to 100 by June Main application ~2,300 active hosts - External Scans every 4 hrs - Internal Scans every 7 days CASE STUDY Problem? Every production machine updates every 14 days. Need method to track patched vs unpatched and establish clear process. Solution? Scan the Images ahead in build Qualys Tags based on EC2 tags Trend on longetivity. Roll out EC2 dashboard for each LOB Instances with Sev5,4 Approved vs Unapproved with trend 18 Qualys, June 2018

19 Beverage MNC Company Security automation during deployment in Azure A Hybrid, Multi cloud strategy Primary: AWS, Secondary: Azure. In Azure - 5K virtual machines across few projects. OS Windows (major) and Linux CASE STUDY Problem? Ops wants to simplify the process of security tools rollout Security wants to participate into DevOps in Azure Solution? Qualys integration with Azure Security Center to automate deploying agents DevOps reviews findings and remediates from within ASC Security monitors posture from Qualys 19 Qualys, June 2018

20 20 Automating Web Application Security in DevOps Environments

21 Use Case: Automated Integration into DevOps Selenium Qualys WAS Selenium Qualys WAS Jira Issues Jira Issues 21 Image Source:

22 Qualys Web Security Assessments using Jenkins CI/CD Staging Environment Test / QA Environment Developers Dev Environment Source Control Jenkins API WAS Engine HTTP Qualys Scanner Appliance 22

23 23 Web Application Assessment Jenkins Plug-in

24 Security into DevOps process for Containers

25 Containers are changing the IT landscape Source: Datadog Dockers hosts run an average of 7 containers, 25% of companies run 14+ containers 25 Qualys June

26 Container Components & Lifecycle Docker File Image Image Registry Containers Docker Engine Public Clouds #Apace Image FROM Ubuntu:12.04 RUN apt-get update RUN apt-get install y apache2 ENV APACHE RUN_USER www-dat. AWS EC2 Instance AWS ECS Elastic Container Service myapache:2.2:latest Docker Engine On Premises Host / VM 18 June

27 Container Risks/Threats Impacts to security program 1. Un-validated external software 2. Non-standard configurations 3. Lack of deployment hygiene 4. Unmonitored Container to Container communication (East West traffic) 5. Untracked ephemeral instances 6. Unauthorized access (lack of proper governance) 27 Infosecurity Conference, June 2018

28 Qualys Container Security Automated, continuous across the complete pipeline PRE-DEPLOYMENT POST DEPLOYMENT Build Registry Host Runtime Jenkins plug-in to check for vulnerabilities in the build pipeline. REST APIs for all feature Inventory, Automated or Trigger based vulnerability scans for Images in the Registry Qualys scanners / agents provide vulnerabilities and compliance posture Container Vulnerabilities Audit log and tracking events in container environments. Create alerts on malicious behavior detection 18 June

29 Qualys Container Security Automated security in the DevOps pipeline Build Registry Jenkins plug-in to check for vulnerabilities in the build pipeline. REST APIs for all feature List and run On Demand or Scheduled scans of Images in the Registry 32 Qualys, Inc

30 Vulnerability detection for Docker Images Jenkins Plug-in for vulnerability analysis Set FAILURE criteria for image introspection Generate vulnerability analysis job definition to incorporate into Jenkins build process Supports both Pipeline and Freestyle model 33 Qualys, Inc. 2018

31 Vulnerability detection for Docker Images Jenkins Plug-in for vulnerability analysis Directly review vulnerabilities, the impacted software and configuration information along with remediation Resolve issues, rinse-repeat for a successful build 34 Qualys, Inc

32 Qualys Container Security REST APIs Complete feature set supported via REST API Provides both List and Detailed views Swagger based API with quick test functionality available directly 35 Qualys, Inc

33 Qualys Container Security Functional Overview CI/CD Tools UI & REST APIs Image Registry REST APIs & Plug-ins ACTIVE DEPLOYMENTS C 1 C 2 C 1 C 2 C 3 Docker Engine C 4 C 3 C 5 Docker Engine Host / VM ( 1 ) C 4 C 5 REST APIs SIEM Tools Ticketing Systems Host / VM ( 2 ) 37 Qualys, Inc. 2018

34 Practical Steps Next Week Take an accounting of current security tools are they DevOps friendly with APIs, automation, or selfservice UIs? Identify development teams using DevOps engage and discuss DevSecOps Visible vs. Safe project Cloud vs. On-premise Next Quarter Integrate Qualys into one development lifecycle Security process(es) to overcome tool integration Measure outcomes # vulns identified/fixed before release Host a Project Summit present your project successes and Evangelize DevSecOps to other groups Next 6 Months Create a DevSecOps architecture for on-premise and cloud Replace point solutions with Qualys ($$ savings) Implement self-service and API-based DevSecOps programs Expand to more projects foundational Present at conferences and user groups on DevSecOps 42

35 Thank You Hari Srinivasan 43 Qualys, Inc. 2018