Continuous Security and DevOps:

Similar documents
DEVOPS AND THE FUTURE OF ENTERPRISE SECURITY

AWS London Loft: CloudFormation Workshop

Building a Self-Defending Border. Shane Baldacchino, Solutions Architect, AWS Marcus Santos, Solutions Architect, AWS

Serverless Architecture Hochskalierbare Anwendungen ohne Server. Sascha Möllering, Solutions Architect

Advanced Techniques for DDoS Mitigation and Web Application Defense

Security as Code: The Time is Now. Dave Shackleford Founder, Voodoo Security Sr. Instructor, SANS

CLOUD WORKLOAD SECURITY

Driving DevOps Transformation in Enterprises

The Long Road from Capistrano to Kubernetes

Cloud Security Strategy - Adapt to Changes with Security Automation -

At Course Completion Prepares you as per certification requirements for AWS Developer Associate.

AWS Remote Access VPC Bundle

AWS Web Application Firewall. Darren Weiner Cloud Architect/Engineer

Amazon Web Services. Block 402, 4 th Floor, Saptagiri Towers, Above Pantaloons, Begumpet Main Road, Hyderabad Telangana India

Information Security Policy

ARCHITECTING WEB APPLICATIONS FOR THE CLOUD: DESIGN PRINCIPLES AND PRACTICAL GUIDANCE FOR AWS

Cloud Native Security. OpenShift Commons Briefing

Introduction to AWS GoldBase. A Solution to Automate Security, Compliance, and Governance in AWS

Amazon Web Services (AWS) Solutions Architect Intermediate Level Course Content

Understanding Perimeter Security

PracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

AWS Administration. Suggested Pre-requisites Basic IT Knowledge

Cloud Computing /AWS Course Content

Overcoming the Challenges of Automating Security in a DevOps Environment

OptiSol FinTech Platforms

ActiveNET. #202, Manjeera Plaza, Opp: Aditya Park Inn, Ameerpetet HYD

Securing Microservices Containerized Security in AWS

Minfy MS Workloads Use Case

Best Practices for Cloud Security at Scale. Phil Rodrigues Security Solutions Architect Amazon Web Services, ANZ

CPM. Quick Start Guide V2.4.0

AWS Solutions Architect Associate (SAA-C01) Sample Exam Questions

Cloud Computing. Amazon Web Services (AWS)

Architecting for Greater Security in AWS

Aspirin as a Service: Using the Cloud to Cure Security Headaches

Amazon Web Services Training. Training Topics:

Course Overview This five-day course will provide participants with the key knowledge required to deploy and configure Microsoft Azure Stack.

AWS Solution Architect Associate

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

TestkingPass. Reliable test dumps & stable pass king & valid test questions

NGF0502 AWS Student Slides

PCI DSS Compliance. White Paper Parallels Remote Application Server

Zombie Apocalypse Workshop


Swift Web Applications on the AWS Cloud

Serverless The Future of the Cloud?!

Continuous Opportunity: DevOps & Security

Training on Amazon AWS Cloud Computing. Course Content

Serverless and APIs: Rethinking Curriculum in Higher Education. Munir Mandviwalla and Jeremy Shafer Temple University

TIBCO Cloud Integration Security Overview

AWS 101. Patrick Pierson, IonChannel

Architecting Microsoft Azure Solutions (proposed exam 535)

SaaS. Public Cloud. Co-located SaaS Containers. Cloud

Secure your Web Applications with AWS WAF & AWS Shield. James Chiang ( 蔣宗恩 ) AWS Solution Architect

Securing Serverless Architectures

Cloud security 2.0: Joko nyt pilveen voi luottaa?

DevOps on AWS Deep Dive on Continuous Delivery and the AWS Developer Tools

How to go serverless with AWS Lambda

DevOps Tooling from AWS

We are ready to serve Latest IT Trends, Are you ready to learn? New Batches Info

Magento Commerce Architecture and Security Model Last updated: Aug 2017

Microservices on AWS. Matthias Jung, Solutions Architect AWS

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

Getting Started with AWS Security

Ahead in the Cloud. Matt Wood TECHNOLOGY EVANGELIST

Additional Security Services on AWS

McAfee Public Cloud Server Security Suite

DevOps Course Content

AALOK INSTITUTE. DevOps Training

FAST TRACK YOUR AMAZON AWS CLOUD TECHNICAL SKILLS. Enterprise Website Hosting with AWS

Hackproof Your Cloud: Preventing 2017 Threats for a New Security Paradigm

HashiCorp Vault on the AWS Cloud

Continuous Innovation DevOps and agile Deployment with AWS. Mickael Zewde

Launching a Highly-regulated Startup in the Cloud

Ingress Kubernetes Tutorial

HTTP Security Headers Explained

DevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY

Enroll Now to Take online Course Contact: Demo video By Chandra sir

What to expect from the session Technical recap VMware Cloud on AWS {Sample} Integration use case Services introduction & solution designs Solution su

Microsoft Exam Questions and Answers (PDF) Microsoft Exam Questions BrainDumps

CASE STUDY Application Migration and optimization on AWS

Document Sub Title. Yotpo. Technical Overview 07/18/ Yotpo

Securing Your Amazon Web Services Virtual Networks

Murray Goldschmidt. Chief Operating Officer Sense of Security Pty Ltd. Micro Services, Containers and Serverless PaaS Web Apps? How safe are you?

ADC im Cloud - Zeitalter

CSV-W14 - BUILDING AND ADOPTING A CLOUD-NATIVE SECURITY PROGRAM

4/4/2018 F5 Government Symposium 2018 AWS and F5 Deep Dive

Building a Modular and Scalable Virtual Network Architecture with Amazon VPC

AWS Reference Architecture - CloudGen Firewall Auto Scaling Cluster

Puppet on the AWS Cloud

Elastic Load Balancing

Logging in the age of

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Xerox Audio Documents App

Netflix OSS Spinnaker on the AWS Cloud

LINUX, WINDOWS(MCSE),

Architecting for the.

Amazon Web Services (AWS) Training Course Content

Microservices without the Servers: AWS Lambda in Action

Transcription:

Continuous Security and DevOps: Three Keys for Modern Security Success 2017 Frank Kim All Rights Reserved

Introduction Frank Kim ThinkSec Founder SANS Institute Former CISO Curriculum Lead Management and Application Security Author & Instructor MGT514, DEV540, DEV541 Shout out to Eric Johnson Summit Co-Chair Author of many of these slides 2

Security Perceptions DevOps is just another excuse for developers to have root access in production. - Traditional security expert 3

Wall of Confusion Walls of Confusion I want change! I want stability! Development Operations Image concept: http://dev2ops.org/2010/02/what-is-devops 4

#1 Champion Change

Embracing Change It s not the strongest that survive or the most intelligent that survive. It s the ones that are most adaptable to change. - Charles Darwin 6

Monolith Architecture Security Controls Common security controls are applied to each trust boundary in the monolith architecture: Public Subnet Private Subnet 1 2 3 Client Browser ELB Web Server Spring Boot / Tomcat MySQL Database Server 1. Security Controls 2. Security Controls 3. Security Controls Web Application Firewall Authentication, Authorization System Authentication, TLS HTTPS, Rate Limiting Access control, Validation Encryption at rest

Microservice Architecture How does this change in a microservice architecture? Public Subnet Private Subnet Single Page App Human Resources Account Management MySQL Database Server Mobile App Employee IoT Factory Device Customer Service Discount Coupons EBS Volume Coupon Bucket

Microservice Architecture Attack Surface Consider the attack surface in a modern microservice architecture: Public Subnet Private Subnet Single Page App Human Resources Account Management MySQL Database Server Mobile App Employee IoT Factory Device Customer Service Discount Coupons EBS Volume Coupon Bucket

Microservice API Gateway Architecture Adding an API Gateway to provide perimeter security controls: Authorization Access Control Public Subnet Private Subnet Single Page App Human Resources Account Management MySQL Database Server Mobile App API Gateway Employee IoT Factory Device Customer Service Discount Coupons EBS Volume Coupon Bucket

Serverless Computing Serverless refers to new, non-traditional architecture Does not use dedicated containers Event-triggered computing requests Ephemeral environment Servers fully managed by 3 rd party (e.g. AWS) Referred to as Functions as a service (FaaS) Example Technologies AWS Lambda, MS Azure Functions, Google Cloud Functions Amazon API Gateway

Serverless Security Benefits How does serverless improve security? Attack surface is smaller No servers to patch No long running servers That can be scanned or attacked That can have malware installed on them Fewer compromised servers If malware is installed the next request brings up new, clean server

Serverless Security Concerns How does serverless make security harder? Attack surface is bigger (but different) Anyone can deploy a function Cost to deploy a function is effectively zero (not charged for idle time) Difficult to track and delete functions Authentication and access control Who has permission to deploy functions? How do you lock down what each function can do? Compliance Which functions will handle sensitive data and where is it stored? Are there multitenancy risks? Is your implementation itself compliance?

Serverless and Application Security Application security is even more important with serverless If attackers have less infrastructure to attack The focus naturally shifts to the application Every function crosses a trust boundary Functions are designed to independent Therefore each function must be secured independently Apply application security best practices Input validation / sanitization must be performed in each function Perform code review and automated scans Review dependencies and libraries used by functions

AWS WAF Security Automations Architecture 15 access logs Application Load Balancer requests to honeypot endpoint Amazon API Gateway S3 Log Bucket Amazon CloudFront SQL Injection & XSS protection Bad bot & scraper protection Scanner & HTTP flood protection AWS Lambda Access Handler AWS Lambda Log Parser CloudWatch Event hourly AWS WAF Known attacker / bad IP protection IP whitelist / blacklist AWS Lambda IP Lists Parser Image credit: http://docs.aws.amazon.com/solutions/latest/aws-waf-security-automations/architecture.html Third-party IP reputation lists

#2 Seize the Simple

Keep it Simple Simplicity is the ultimate form of sophistication. Leonardo Da Vinci 17

Hunt the Bug Can you identify the bug in this code snippet? 1 2 3 4 5 6 7 8 9 10 11 12 <% String theme = request.getparameter("look"); if (theme == null && session!= null) { theme = (String)session.getAttribute("look"); } if (session!=null) session.setattribute("look", theme); %> <link rel="stylesheet" type="text/css" media="all" href="<%= request.getcontextpath() %> /ui/theme/<%= theme %>/colors.css" /> 18

Hunt the Bug Can you identify the bug in this code snippet? 1 2 3 4 5 6 7 8 9 10 11 12 <% String theme = request.getparameter("look"); if (theme == null && session!= null) { theme = (String)session.getAttribute("look"); } if (session!=null) session.setattribute("look", theme); %> <link rel="stylesheet" type="text/css" media="all" href="<%= request.getcontextpath() %> /ui/theme/<%= theme %>/colors.css" /> 19

AngularJS ngsanitize Output encoding automatically applied for: HTML tags using ngbind directive (e.g. ng-bind) Output from Angular expressions (e.g. {{var}} ) When certain HTML tags should be allowed, use the ngbindhtml directive (e.g. ng-bind-html) Output is tokenized Tokens are passed through a whitelist Non-whitelist tokens are encoded 20

ngsanitize Examples ngbind <div ng-controller="examplecontroller"> <label>enter name: <input type="text" ng-model="name"></label><br> Hello <span ng-bind="name"></span>! </div> Angular expression <div ng-controller="examplecontroller" class="expressions"> Expression:<input type='text' ng-model="expr" size="80"/> <button ng-click="addexp(expr)">evaluate</button> <ul> <li ng-repeat="expr in exprs track by $index"> [ <a href="" ng-click="removeexp($index)">x</a> ] <code>{{expr}}</code> => <span ng-bind="$parent.$eval(expr)"></span> </li> </ul> </div> 21

Content Security Policy (CSP) AngularJS uses features that violate standard CSP rules eval() and Function(string) generated functions are used to improve performance when evaluating expressions Inline styles are used to inject custom styling (e.g. ngcloak and nghide) Linking to angular-csp.css will allow the directives to work when CSP is blocking inline styles 22

ngcsp The ngcsp (e.g. ng-csp) directive will instruct AngularJS to not use CSP-breaking features <!doctype html> <html ng-app ng-csp>... </html> 23

Static Analysis Tools Security tools for static analysis: Free / open source: Find Security Bugs, Phan, Puma Scan, Brakeman, Bandit, Flawfinder, QARK Commercial: HP Fortify, Checkmarx, Coverity, IBM AppScan Source, Klocwork, Veracode, Brakeman Pro 24

Secure Code Spell Checker 25

#3 Automate Everything

Critical Security Controls (CSC) 27

Infrastructure as Code Different approaches to set up and manage systems 1) Traditional: manual checklists and scripts, ad hoc changes/fixes made by system administrators at runtime 2) Modern: treating Infrastructure as Code and configuration management as system engineering Configuration management with scripts is not scalable or traceable and is error prone Leads to configuration drift over time Configuration management tools Chef, Puppet, Ansible, Salt/Saltstack, CFEngine

AWS CloudFormation Example Creating an EC2 instance 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 InstancePublic: Type: AWS::EC2::Instance Properties: IamInstanceProfile:!Ref InstanceProfilePhotoReadOnly ImageId:!FindInMap [Images,!Ref "AWS::Region", ecs] InstanceType: "t2.micro" KeyName: "secretkey" SecurityGroupIds: -!Ref SecurityGroupPublic SubnetId:!Ref SubnetPublic UserData: Fn::Base64:!Sub #!/bin/bash -xe yum update -y 29

Retrieving All EC2 Instances 1 2 3 Command line call to retrieve all AWS EC2 instances: aws ec2 describe-instances --output json jq '.Reservations[].Instances[] [.LaunchTime,.InstanceType,.InstanceId,.SecurityGroups[].GroupId,.Tags[].Value]' Output: 1 2 3 4 5 6 7 8 9 [ "2017-01-08T18:51:46.000Z", "t2.micro", "i-0500510e3f808d2ee", "sg-7caf4600", "prod-springline-aws-web", "Springboot MVC target application, "SANS\\app.user" ] [ "2017-01-08T18:55:02.000Z", "t2.micro", "i-0e74e490c2ebc5d37", "sg-79af4605","qa-springline-aws-web", "QA Springboot MVC target application, "SANS\\app.user" ] 30

Blue/Green Deployment Divert traffic from one environment to another Each running a different version of the application Benefits of blue/green deployments Reduced downtime Improved ability to rollback Faster deployment of features and bug fixes Use blue/green deploys when you have: Immutable infrastructure Well defined environment boundary Ability to automate changes

AWS EC2 Container Service (ECS) Example Deployment process Use original blue service and task def Create new green service and task def Map new green service to ELB Scale up green service by increasing number of tasks Remove blue service, setting tasks to 0 Blue Green Blue Green ECS Container Instance ECS Container Instance Service Description Task Definition Blue ECS Service Service Description Task Definition Green ECS Service

Swapping the AWS ECS Service Create a new green ECS Service aws cloudformation deploy --template-file green-web-ecs-service.yaml --stack-name green-web-ecs-service Increase the desired count for the green service aws ecs update-service --cluster DM-ecs --service $GreenService --desired-count 1 Turn off the blue service when ready aws ecs update-service --cluster DM-ecs --service $BlueService --desired-count 0

Getting to Yes 34

Three Keys for Security Success Champion Change Seize the Simple Automate Everything 35

Questions? Frank Kim frank.kim@thinksec.com @fykim 2017 Frank Kim All Rights Reserved

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback