Overcoming the Challenges of Automating Security in a DevOps Environment

Similar documents
AUTOMATING SECDEVOPS WORKSHOP

Automating Security Practices for the DevOps Revolution

Murray Goldschmidt. Chief Operating Officer Sense of Security Pty Ltd. Micro Services, Containers and Serverless PaaS Web Apps? How safe are you?

DevOps A How To for Agility with Security

DevOps Course Content

PRAGMATIC SECURITY AUTOMATION FOR CLOUD

DevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY

Security as Code: The Time is Now. Dave Shackleford Founder, Voodoo Security Sr. Instructor, SANS

Taking Control of Your Application Security

Container Deployment and Security Best Practices

Hackproof Your Cloud Responding to 2016 Threats

CLOUD WORKLOAD SECURITY

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Test Automation Strategies in Continuous Delivery. Nandan Shinde Test Automation Architect (Tech CoE) Cognizant Technology Solutions

Getting Started with AWS Security

Azure DevOps. Randy Pagels Intelligent Cloud Technical Specialist Great Lakes Region

Weaving Security into Every Application

CSV-W14 - BUILDING AND ADOPTING A CLOUD-NATIVE SECURITY PROGRAM

Cloud Security Strategy - Adapt to Changes with Security Automation -

DevSecOps Why Aren t You Doing It? Brian Liceaga, CISSP 1

BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology

Secure DevOps: A Puma s Tail

DevSecOps Shift Left Security. Prioritizing Incident Response using Security Posture Assessment and Attack Surface Analysis

Who done it: Gaining visibility and accountability in the cloud

Understanding Perimeter Security

Application Security Use Cases. RASP, WAF, NGWAF, What The Hell is The Difference.

NEXT GENERATION CLOUD SECURITY

Aspirin as a Service: Using the Cloud to Cure Security Headaches

Qualys Cloud Platform

Suman Sourav Director DevSecOps, Vantage Point Security. OWASP Indonesia Day 2017

THE MAIN APPLICATION SECURITY TECHNOLOGIES TO ADOPT BY 2018

Securing Serverless Architectures

10 FOCUS AREAS FOR BREACH PREVENTION

TM DevOps Use Case. 2017TechMinfy All Rights Reserved

AGILE AND CONTINUOUS THREAT MODELS

How Can Testing Teams Play a Key Role in DevOps Adoption?

Five Essential Capabilities for Airtight Cloud Security

Docker Universal Control Plane Deploy and Manage On-Premises, Your Dockerized Distributed Applications

Put Security Into Your DevOps NOW. Or Prepare for the Flood Matthew Fisher Solution Architect, Fortify Federal 08MAR2018

CyberPosture Intelligence for Your Hybrid Infrastructure

TM DevOps Use Case TechMinfy All Rights Reserved

AWS Web Application Firewall. Darren Weiner Cloud Architect/Engineer

Logging, Monitoring, and Alerting

Secure Development Lifecycle

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Everything visible. Everything secure.

Securing Microservices Containerized Security in AWS

DevOps Tooling from AWS

Brochure. Security. Fortify on Demand Dynamic Application Security Testing

Adopting Modern Practices for Improved Cloud Security. Cox Automotive - Enterprise Risk & Security

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

SUSE s vision for agile software development and deployment in the Software Defined Datacenter

Qualys Cloud Platform

Hardening AWS Environments. Automating Incident Response. AWS Compromises

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

A10 HARMONY CONTROLLER

DevSecOps Securing the Stack

Will your application be secure enough when Robots produce code for you?

Marc Hornbeek DevOps-the-Gray Principal DevOps Consultant, Trace3 Author, DevOps Test Engineering Course The DevOps Institute

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

Title: Planning AWS Platform Security Assessment?

Best Practices for Cloud Security at Scale. Phil Rodrigues Security Solutions Architect Amazon Web Services, ANZ

Security: Michael South Americas Regional Leader, Public Sector Security & Compliance Business Acceleration

Securing Your Cloud Introduction Presentation

Orchestrating the Continuous Delivery Process

Regaining Our Lost Visibility

Agenda. Why we need a new approach to endpoint security. Introducing Sophos Intercept X. Demonstration / Feature Walk Through. Deployment Options

AppSec in a DevOps World

Strengthen and Scale security using DevSecOps

AWS Reference Design Document

Architecting for Greater Security in AWS

INTRODUCING CISCO SECURITY FOR AWS

Development. Architecture QA. Operations

THE THREE WAYS OF SECURITY. Jeff Williams Co-founder and CTO Contrast Security

SaaS. Public Cloud. Co-located SaaS Containers. Cloud

Vulnerability Management

Incident Response and Forensics in your Pyjamas

Application Security at Scale

Hackproof Your Cloud: Preventing 2017 Threats for a New Security Paradigm

Introduction to AWS GoldBase. A Solution to Automate Security, Compliance, and Governance in AWS

Securing the Modern Data Center with Trend Micro Deep Security

Cisco Tetration Analytics

Russ McRee Bryan Casper

Micro Focus Fortify Application Security

Securing Dynamic Data Centers. Muhammad Wajahat Rajab, Pre-Sales Consultant Trend Micro, Pakistan &

Rethink Your Workstation Strategy with Amazon AppStream 2.0

Cloud Essentials for Architects using OpenStack

Netflix OSS Spinnaker on the AWS Cloud

BEST PRACTICES TO PROTECTING AWS CLOUD RESOURCES

Red Hat Roadmap for Containers and DevOps

Modelos de Negócio na Era das Clouds. André Rodrigues, Cloud Systems Engineer

Turbo boost your digital app test automation with Jenkins

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

Deep Dive on AWS CodeStar

DevSecOps Agility with Security

AUTOMATE THE DEPLOYMENT OF SECURE DEVELOPER VPCs

AWS Well Architected Framework

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

Additional Security Services on AWS

Transcription:

SESSION ID: LAB-W02 Overcoming the Challenges of Automating Security in a DevOps Environment Murray Goldschmidt Chief Operating Officer Sense of Security @ITsecurityAU Michael McKinnon Director, Commercial Services Sense of Security @bigmac

Learning Lab Agenda Item Description Duration DevSecOps Lab Intro App Sec Automation Monitoring & Self-Healing Mitigations & Conclusions Introduction and attack demonstration of a DevSecOps Lab Environment on Amazon AWS Challenges with securing first party and third party code, and static and dynamic code scanning Implementing continuous monitoring and selfhealing Overview of how the AWS attack we demonstrated could be successfully mitigated. 30 minutes 30 minutes 30 minutes 30 minutes

Automation is Everywhere Source: https://www.wired.com/2017/01/cafe-x-robot-barista/

Adversaries are using Automation Source: http://www.zdnet.com/article/new-dark-web-scheme-letswannabe-cybercriminals-get-in-on-ransomware-for-free/

Silos Don t Work Developers Operations Security 5

Why does Automation matter?

Security Automation in DevOps We look at a generic development pipeline Code Commit Build Test Deploy UAT Production 1. Development Environment 2. Source Code Repository 3. Build Platform (CI) 4. Deployment Process (CD) 5. Staging / Production Hosting Environment

DevSecOps Securing the Stack DevSecOps Stack Security Traditional DevOps Application Security

DevOps Coverage: Speed & Timing Custom Application (1 ST party code, 3 rd party libraries, etc.) Application Framework (Tomcat, Apache,.Net, IIS etc.) Network & OS (Linux, Windows, etc.) Cloud Platform (Amazon RDS, S3, Lambda, etc.) Core Infrastructure (Fabric Functions: AWS IAM, EC2, Azure)

Collapse the Vertical Plane Page 12

Stretch into Horizontal Plane Page 13

Produces the DevOps Pipeline Code Commit Build Test Deploy UAT Production Page 14

Staging Environment IDE Source Code Repository CI Build Server Continuous Deployment Production Environment Security Automation Coding Helpers Supply Chain Risk Tools Config & Vulnerability Management Code Analysis App Scanning Continuous Monitoring

Welcome to our DevSecOps Lab Qualys Appliance Nexus IQ Server Jenkins CI/CD Server One or more instances of Application Server Subnet 10.1.1.0/24 Subnet 10.2.1.0/24 VPC 10.1.0.0/16 VPC 10.2.0.0/16

DevSecOps Lab AWS Kill Chain Attack We played this video during the learning lab: https://www.youtube.com/watch?v=fm4cqlxqqfs

Application Security Automation 1. Addressing the need to identify defects earlier. 2. Writing and testing your in-house first party code. 3. Testing and inspecting libraries and third party code.

Defense in Depth Layer #1 The developer has an opportunity to avoid introducing a security vulnerability in their IDE. Layer #3 Automated dynamic scanning of the application detects the same vulnerability if it gets this far. Code Commit Build Test Deploy UAT Production Layer #2 Static code analysis triggered by the code commit action identifies the vulnerability build fails. Layer #4 Continuous Monitoring & Vulnerability Management detects the exposed vulnerability. Add comprehensive Manual Pen Test.

Automating Quality Code

Good Quality Code Problem Statement Why do you need to address code quality? Vulnerabilities caused by coding may lead to unacceptable risk. Well written code performs better If well understood, has less risk of being vulnerable. Likely to have better bottom line results on the final application.

Pop Quiz! When is the best time to address coding defects?

Identify Defects As Soon As Possible $ $ $ Application Lifecycle Source: Veracode

Shifting Left Staging Environment IDE Source Code Repository CI Build Server Continuous Deployment Production Environment

Guardrail Approach Idea Design Code Test Production Risk Analysis Design Review Code Review Penetration Test Guardrail Guardrail Guardrail Guardrail Image adapted from: Michael Brunton-Spall

Scanning Code at the IDE Demonstration SAST in the IDE (Veracode Greenlight)

Early Dev, Mid Dev & Build Coverage on Commit Page 27

Automating Security at the Deploy Layer Preventing a deployment if something fails. Using Scan 1218389 Checks Failed POST BUILD TASK : FAILURE END OF POST BUILD TASK: 0 ESCALATE FAILED POST BUILD TASK TO JOB STATUS Build step Post build task changed build result to FAILURE Finished: FAILURE Page 28

Third Party Libraries

Third Party Code Problem Statement Why do you need to address third party library risk? Embedding third party code in your application has huge advantages, but comes at the risk of latent exposure to vulnerabilities. Many open source library repositories have little or no vetting of contributors, meaning third party code cannot be trusted blindly. When vulnerabilities are discovered in a shared library, it is important to quickly identify your exposure.

The Software Supply Chain Problem 44% of applications contain critical vulnerabilities in an open source component. ~ Veracode Source: https://www.grammatech.com/ Page 31

Defense in Depth Layer #1 The developer has an opportunity to avoid introducing a security vulnerability in their IDE. Layer #3 Automated dynamic scanning of the application detects the same vulnerability if it gets this far. Code Commit Build Test Deploy UAT Production Layer #2 Static code analysis triggered by the code commit action identifies the vulnerability build fails. Layer #4 Continuous Monitoring & Vulnerability Management detects the exposed vulnerability. Add comprehensive Manual Pen Test.

Monitoring & Self-Healing 1. Cloud environments require proper configuration management. 2. Visibility is key to knowing if your DevOps stack is secure. 3. Self-healing is a growing trend and worth implementing.

Cloud Configuration

Configuration Monitoring Problem Statement Why is your cloud environment configuration important? Complex environments have complex and diverse configurations. Cloud configurations aren t always visible, and we need that visibility to understand the real configuration. We need to have assurance that our configuration standard is being enforced and is compliant.

Continuous Monitoring

Page 37 It s all about Visibility Custom Application (1 ST party code, 3 rd party libraries, etc.) Application Framework (Tomcat, Nginx, Apache, etc.) Network & OS (Linux, Windows, etc.) Cloud Platform (Amazon RDS, S3, Lambda, etc.) Core Infrastructure (Fabric Functions: AWS IAM, EC2, Azure, etc.)

Continuous Monitoring

Self-Healing

Self-Healing - Problem Statement Why is Self-Healing important? Respond to changes in your environment immediately, reverting changes - malicious or accidental. Assurance that your stack configuration is compliant to your risk appetite at all times. Alert you to take action for improvement if it does detect unwanted changes (or alert of a security incident).

Event Driven Security, Self-Healing, or RASP The techniques we re about to look at in our lab are all known by different names: Event Driven Security responding to events RASP Runtime Application Self Protection Self-Healing we think this describes it nicely! There may be subtle difference in implementation, but for the large part we consider they all do the same thing.

We re Going Serverless! "Serverless computing solutions execute logic in environments with no visible VM or OS. Services such as Amazon Web Services Lambda are disrupting many cloud development and operational patterns. Technology and service provider product managers must prepare for the change. - Gartner

AWS Lambda It s Serverless A stateless, programmatic function that responds to events based on triggers. Other Platforms: Microsoft Azure: Azure Functions AWS Lambda Google Cloud Platform: Google Cloud Functions

Event Driven Security / Self-Healing To implement automated self-healing using a serverless solution we generally need a few things: 1. A well defined event that we can respond to (i.e. an open port, or a new user account being created) 2. A near real-time source of logging data to listen for the event. 3. Something to do if the event is triggered.

Demo Demo Lambda locking a user out after they try to create another user account. Or disable user without 2-factor?

AWS Kill Chain Mitigations

DevSecOps Lab AWS Kill Chain Qualys Appliance Nexus IQ Server Jenkins CI/CD Server One or more instances of Application Server Subnet 10.1.1.0/24 Subnet 10.2.1.0/24 VPC 10.1.0.0/16 VPC 10.2.0.0/16 ap-southeast-2

DevSecOps Lab AWS Kill Chain 1 1 Qualys Appliance Nexus IQ Server Jenkins CI/CD Server One or more instances of Application Server Subnet 10.1.1.0/24 Subnet 10.2.1.0/24 VPC 10.1.0.0/16 VPC 10.2.0.0/16 ap-southeast-2

Time Line ID Attack Countermeasure Process 1 Vulnerability Identification External Vuln Scanning Automation extend to Continuous Monitoring Countermeasure Technology Qualys (VM + Cont Mon, WAS) Veracode (Dynamic) 1 Vulnerability Prevention (OS, Framework, Environment etc.) 1 Vulnerability Prevention (First Party Code) 1 Vulnerability Prevention (3 rd Party Code) Config Mgt Patch Mgt Security in SDLC Security in SDLC Active: IPS Passive: Qualys (VM, Policy Compliance) Active SDLC WAF RASP (e.g. Veracode) Veracode (Greenlight, Static) Veracode (SCA) Sonatype

DevSecOps Lab AWS Kill Chain 2 2 Qualys Appliance Nexus IQ Server Jenkins CI/CD Server One or more instances of Application Server Subnet 10.1.1.0/24 Subnet 10.2.1.0/24 VPC 10.1.0.0/16 VPC 10.2.0.0/16 ap-southeast-2

Time Line ID Attack Countermeasure Process Countermeasure Technology 2 Vulnerability Prevention (3 rd Party Code) Security in SDLC Veracode (SCA) Sonatype 2 Shell Binding, Tools Download etc. Restrict unsolicited outbound access 2 Vulnerability Prevention Configuration Management Patch Management Self-Healing / Tamper Resistance Application Whitelisting AWS Lambda Functions (DIY) Dome9 Clarity Diagram Dome9 Clarity VPC Log Review IPS Qualys (VM, Policy Compliance) 2 Vulnerability Prevention (First Party Code) Security in SDLC WAF RASP (e.g. Veracode) Veracode (Greenlight, Static)

DevSecOps Lab AWS Kill Chain 3 3 Qualys Appliance Nexus IQ Server Jenkins CI/CD Server One or more instances of Application Server Subnet 10.1.1.0/24 Subnet 10.2.1.0/24 VPC 10.1.0.0/16 VPC 10.2.0.0/16 ap-southeast-2

Time Line ID Attack Countermeasure Process Countermeasure Technology 3 Pivot, Vuln Identification Restrict unsolicited traffic intra-vpc, intra-account, VPC- WAN etc. Active Automation Dome9 AWS Security Group Rule Tamper Resistance Visual Dome9 Clarity Diagram Dome9 Clarity VPC Log Review Passive Qualys VM + Cont Mon

DevSecOps Lab AWS Kill Chain 4 4 Qualys Appliance Nexus IQ Server Jenkins CI/CD Server One or more instances of Application Server Subnet 10.1.1.0/24 Subnet 10.2.1.0/24 VPC 10.1.0.0/16 VPC 10.2.0.0/16 ap-southeast-2

Time Line ID Attack Countermeasure Process Countermeasure Technology 4 Vulnerability Prevention (OS, Framework, Environment etc.) As Per Previous Depends on Vuln Type: Config Mgt Patch Mgt Security in SDLC Active: IPS Passive: Qualys (VM, Policy Compliance) SDLC Veracode, Sonatype etc

DevSecOps Lab AWS Kill Chain Qualys Appliance Nexus IQ Server Subnet 10.1.1.0/24 Jenkins CI/CD Server 5 5 One or more instances of Application Server Subnet 10.2.1.0/24 VPC 10.1.0.0/16 VPC 10.2.0.0/16 ap-southeast-2

Time Line ID Attack Countermeasure Process Countermeasure Technology 5 Cloud, Account Creation, Priv Escalation, Priv Abuse Access Controls and Permissions RBAC Permissions on business need to know/use Active Dome9 IAM Protection AWS Lambda Functions (DIY)

Applying Security Automation

Applying Security Automation in DevOps Look for opportunities in your SDLC to automatically identify defects earlier in the pipeline i.e. Shift Left Examine all your security tools and investigate whether exposed API s can be leveraged to provide automated control/feedback. Review your cloud based architecture for opportunities to apply automated checking of configuration and continuous monitoring. Remember to protect the full stack of tools, processes and technology in your DevOps pipeline. It s not just about the output!

Sense of Security Pty Ltd www.senseofsecurity.com.au info@senseofsecurity.com.au Office: +61 2 9290 4444

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback