Automating Security Practices for the DevOps Revolution


Hari Srinivasan, Director Product Management, Cloud and Virtualization Security, Qualys Inc.
Qualys, Inc. 2018

Agenda
- Transformation of today's IT and IT organization
- DevOps/DevSecOps
- DevOps use cases in Securing Cloud
- DevOps use cases in Securing Containers
- Qualys Container Security Overview & Demo

Digital Transformation is Driving Transformation of the IT Landscape
(Diagram: Private Clouds, Public Clouds, Internet, Enterprise On Premise, Remote End Users)

Digital Transformation
- DevOps Innovation
- Cloud Migration
- Container Revolution
- Scale & Elasticity

Digital Transformation
- More than just adopting new technology
- Powered by IT innovation
- Security can't be an afterthought

Digital Transformation Barriers
#1 Cyber Threats & Security Concerns
#1 Lack of Digitally-Skilled Workforce
#2 Lack of Supporting Government Policies and ICT Infrastructure
#3 Uncertain Economic Environment
#3 Lack of Leadership to Ideate, Plan, and Lead Digital Transformation Strategy
1,800 business leaders surveyed by Microsoft. Source: https://news.microsoft.com/apac/2017/02/20/80-of-business-leaders-believe-they-need-to-be-a-digital-business-tosucceed-microsoft-study/microsoft-digital-transformation-infographic-asia

Digital Transformation: What about Security?
DevSecOps! Built-in, not bolted-on. More Dev than Sec or Ops.

Security as Usual breaks DevOps Automation
(Diagram: pipeline stages Plan, Code, Test, Release, Package, Deploy, Operate, Monitor, with a separate "Security" gate at each stage; Dev and Ops wait at every gate.)

DevOps + Security != DevSecOps

DevSecOps is a Shift in Thinking: Time, Techniques, Tools
- An opportunity to do different and better things earlier in the development lifecycle
- Think like Developers: Automation, Integration, Self-Service
- Collaborate with security vendors: DevOps Integrations, APIs, Self-Service UIs

The Right Security Tools for the DevOps Process

Same Qualys Platform for DevSecOps (API, Plug-ins, UI)
- Vulnerability Management: find vulnerabilities in operating systems, commercial software, and open source; verification of fixed vulnerabilities
- Configuration Compliance: verifying build compliance; detect changes from baseline
- Web Application Scanning: OWASP Top 10; input validation vulnerabilities; SQL Injection / Cross-site Scripting
- Container Security: inventory tracking; vulnerability management; events and change tracking

Qualys Sensors
- Physical: legacy data centers; corporate infrastructure; continuous security and compliance scanning
- Virtual: private cloud infrastructure; virtualized infrastructure; continuous security and compliance scanning
- Cloud/Container: commercial IaaS & PaaS clouds; pre-certified in the marketplace; fully automated with API orchestration; continuous security and compliance scanning
- Cloud Agents: lightweight, multiplatform; on premise, elastic cloud & endpoints; real-time data collection; continuous evaluation on the platform for security and compliance
- Passive: passively sniff on the network; real-time device discovery & identification; identification of APT network traffic; extract malware files from the network for analysis
- API: integration with Threat Intel feeds; CMDB integration; log connectors
All sensors can be integrated and orchestrated in DevOps pipelines.

Automating Vulnerability Management & Compliance Configuration Checks in DevOps Environments

Customer Case Studies
- Reduced application releases from 2 weeks to 24 hrs by automating security with Qualys into DevOps
- Genealogy Company: custom dashboards per LOB to gain visibility into approved vs. unapproved images and patch cycles
- Beverage MNC: enabling DevOps with automated agent deployment via Azure Security Center

CapitalOne Before: Lack of Security Automation Delays Release (Case Study)
Machine Builders -> VM scan/report (48 hours) -> Vulnerability Management Teams -> VM scan/report (48 hours)
Two weeks until the Image (AMI) is certified for production.
Qualys 2018, 18 June 2018

CapitalOne After: Introduce Security at the Source (Case Study)
Bake Qualys Security into Gold Images and AMIs:
1. OS Gold Image and Amazon Machine Image (AMI), public or custom
2. Qualys assess on dev instances (Qualys Scanner and Qualys Agent): identify vulnerabilities and configuration issues
3. Hardened instances: fix & verify OS
4. Approve and publish: bake the approved Gold Image and AMI
5. CI/CD pipeline deploys live instances, monitored by the Qualys Agent

Genealogy Company: Upgrading Security Practice with Visibility (Case Study)
- Datacenter migration to AWS by June 2018
- 77 AWS accounts, expected to grow to 100 by June 2018
- Main application ~2,300 active hosts
- External scans every 4 hrs
- Internal scans every 7 days
Problem?
- Every production machine updates every 14 days. Need a method to track patched vs. unpatched and establish a clear process.
Solution?
- Scan the images ahead, in the build
- Qualys tags based on EC2 tags
- Trend on longevity
- Roll out an EC2 dashboard for each LOB: instances with Sev 5/4; approved vs. unapproved, with trend
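The per-LOB dashboard described on this slide is a small aggregation over the instance inventory. The following is an added example, not Qualys or the customer's code: it derives asset tags from EC2 tags, separates approved from unapproved images, counts hosts carrying Sev 5 and Sev 4 findings, flags hosts that have fallen outside the 14-day patch cycle, and tracks the oldest running instance per LOB. The inventory, AMI IDs, approved-image list and field names are constructed assumptions, not the EC2 or Qualys API schema; instances with no LOB tag are kept under "untagged" so they show up on the dashboard instead of silently disappearing.

```python
"""Per-LOB approved/unapproved image dashboard from an EC2 inventory (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Set

# Constructed data. In practice the approved list comes from the image
# pipeline's approve-and-publish step and the inventory from EC2 plus scan results.
APPROVED_AMIS: Set[str] = {"ami-approved-0001", "ami-approved-0002"}
PATCH_CYCLE = timedelta(days=14)   # every production machine updates every 14 days
AS_OF = date(2018, 6, 18)          # fixed "today" so the example is deterministic

INVENTORY: List[dict] = [
    {"instance_id": "i-0001", "ami": "ami-approved-0001",
     "tags": {"LOB": "Payments", "Environment": "prod"},
     "launched": date(2018, 6, 10), "last_patched": date(2018, 6, 10),
     "sev_counts": {5: 0, 4: 1}},
    {"instance_id": "i-0002", "ami": "ami-legacy-0009",
     "tags": {"LOB": "Payments", "Environment": "prod"},
     "launched": date(2018, 5, 1), "last_patched": date(2018, 5, 20),
     "sev_counts": {5: 2, 4: 3}},
    {"instance_id": "i-0003", "ami": "ami-approved-0002",
     "tags": {"LOB": "Genealogy", "Environment": "prod"},
     "launched": date(2018, 6, 15), "last_patched": date(2018, 6, 15),
     "sev_counts": {5: 0, 4: 0}},
    {"instance_id": "i-0004", "ami": "ami-approved-0001",
     "tags": {},   # no LOB tag at all: must still appear on the dashboard
     "launched": date(2018, 3, 1), "last_patched": date(2018, 6, 12),
     "sev_counts": {5: 1, 4: 0}},
    {"instance_id": "i-0005", "ami": "ami-legacy-0010",
     "tags": {"LOB": "Genealogy", "Environment": "prod"},
     "launched": date(2018, 6, 1), "last_patched": date(2018, 6, 1),
     "sev_counts": {5: 0, 4: 2}},
]


@dataclass
class LobSummary:
    approved: int = 0        # instances built from an approved image
    unapproved: int = 0      # instances built from anything else
    sev5_hosts: int = 0      # hosts with at least one Sev 5 finding
    sev4_hosts: int = 0      # hosts with at least one Sev 4 finding
    overdue_patch: int = 0   # hosts patched longer ago than PATCH_CYCLE
    oldest_days: int = 0     # age of the longest-running instance (longevity trend)


def qualys_tags(instance: dict, approved_amis: Set[str]) -> List[str]:
    """Derive dashboard tags from EC2 tags plus image approval state (tag names are assumed)."""
    tags = instance.get("tags", {})
    return [
        f"LOB:{tags.get('LOB', 'untagged')}",
        f"Env:{tags.get('Environment', 'unknown')}",
        "Image:Approved" if instance["ami"] in approved_amis else "Image:Unapproved",
    ]


def summarize(inventory: Iterable[dict], approved_amis: Set[str],
              as_of: date) -> Dict[str, LobSummary]:
    """One dashboard row per LOB; untagged instances land in the 'untagged' row."""
    rows: Dict[str, LobSummary] = defaultdict(LobSummary)
    for inst in inventory:
        row = rows[inst.get("tags", {}).get("LOB", "untagged")]
        if inst["ami"] in approved_amis:
            row.approved += 1
        else:
            row.unapproved += 1
        sev = inst.get("sev_counts", {})
        if sev.get(5, 0) > 0:
            row.sev5_hosts += 1
        if sev.get(4, 0) > 0:
            row.sev4_hosts += 1
        if as_of - inst["last_patched"] > PATCH_CYCLE:
            row.overdue_patch += 1
        row.oldest_days = max(row.oldest_days, (as_of - inst["launched"]).days)
    return dict(rows)


def main() -> None:
    for lob, row in sorted(summarize(INVENTORY, APPROVED_AMIS, AS_OF).items()):
        print(f"{lob:<10} approved={row.approved} unapproved={row.unapproved} "
              f"sev5={row.sev5_hosts} sev4={row.sev4_hosts} "
              f"overdue={row.overdue_patch} oldest={row.oldest_days}d")


if __name__ == "__main__":
    main()
```

Running `summarize` on successive daily snapshots and storing the rows gives the approved-vs-unapproved trend the slide mentions; the "untagged" row is usually the first thing worth chasing, since an instance nobody owns is also an instance nobody patches.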

Beverage MNC Company: Security Automation during Deployment in Azure (Case Study)
- A hybrid, multi-cloud strategy: primary AWS, secondary Azure
- In Azure: 5K virtual machines across a few projects; OS Windows (majority) and Linux
Problem?
- Ops wants to simplify the process of security tools rollout
- Security wants to participate in DevOps in Azure
Solution?
- Qualys integration with Azure Security Center to automate deploying agents
- DevOps reviews findings and remediates from within ASC
- Security monitors posture from Qualys

Automating Web Application Security in DevOps Environments

Use Case: Automated Integration into DevOps
(Diagram: Selenium -> Qualys WAS -> Jira Issues)
Image Source: https://www.smashingmagazine.com/2015/01/basic-test-automation-for-apps-games-and-mobile-web/

Qualys Web Security Assessments using Jenkins CI/CD
(Diagram: Developers -> Source Control -> Jenkins -> API -> WAS Engine -> HTTP via Qualys Scanner Appliance -> Dev Environment, Test / QA Environment, Staging Environment)

Web Application Assessment Jenkins Plug-in

Security into DevOps process for Containers

Containers are changing the IT landscape
Docker hosts run an average of 7 containers; 25% of companies run 14+ containers. Source: Datadog

Container Components & Lifecycle
Dockerfile -> Image -> Image Registry -> Containers (Docker Engine)

Example Dockerfile shown on the slide:

    # Apache image
    FROM ubuntu:12.04
    RUN apt-get update
    RUN apt-get install -y apache2
    ENV APACHE_RUN_USER www-data

Image tag shown: myapache:2.2:latest
Deployment targets: Public Clouds (AWS EC2 Instance; AWS ECS Elastic Container Service); On Premises (Docker Engine on Host / VM)

Container Risks/Threats: Impacts to the Security Program
1. Un-validated external software
2. Non-standard configurations
3. Lack of deployment hygiene
4. Unmonitored container-to-container communication (east-west traffic)
5. Untracked ephemeral instances
6. Unauthorized access (lack of proper governance)
Infosecurity Conference, 2018

Qualys Container Security: Automated, Continuous across the Complete Pipeline
Pre-deployment
- Build: Jenkins plug-in to check for vulnerabilities in the build pipeline; REST APIs for all features
- Registry: inventory; automated or trigger-based vulnerability scans for images in the registry
Post-deployment
- Host: Qualys scanners / agents provide vulnerabilities and compliance posture; container vulnerabilities
- Runtime: audit log and tracking of events in container environments; create alerts on malicious behavior detection

Qualys Container Security: Automated Security in the DevOps Pipeline
- Build: Jenkins plug-in to check for vulnerabilities in the build pipeline; REST APIs for all features
- Registry: list and run on-demand or scheduled scans of images in the registry

Vulnerability Detection for Docker Images: Jenkins Plug-in for Vulnerability Analysis
- Set FAILURE criteria for image introspection
- Generate a vulnerability analysis job definition to incorporate into the Jenkins build process
- Supports both Pipeline and Freestyle models
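The FAILURE criteria step here, and the approve-and-publish decision in the CapitalOne gold image flow earlier in the deck, are both a policy gate evaluated over a scan report. The following is an added example of such a gate; it is not the Qualys Jenkins plug-in's code, and the report fields (qid, severity, patchable), the sample QIDs and the shape of the criteria are constructed assumptions rather than the product's API schema. The gate returns a verdict with human-readable reasons and exits non-zero on failure, which is what a CI step needs to fail the build.

```python
"""Build gate over an image vulnerability report (added example, not Qualys code)."""
import sys
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Constructed sample report. Field names and QIDs are assumptions, not the Qualys schema.
SAMPLE_REPORT = {
    "image": "myapache:latest",
    "vulnerabilities": [
        {"qid": 100001, "severity": 5, "title": "Apache HTTP Server remote code execution", "patchable": True},
        {"qid": 100002, "severity": 4, "title": "OpenSSL information disclosure", "patchable": True},
        {"qid": 100003, "severity": 4, "title": "glibc denial of service", "patchable": False},
        {"qid": 100004, "severity": 2, "title": "Outdated package metadata", "patchable": True},
    ],
}


@dataclass(frozen=True)
class FailureCriteria:
    # Maximum findings tolerated per severity; a severity not listed is unlimited.
    # Default: any Sev 5 or Sev 4 finding fails the build.
    max_by_severity: Dict[int, int] = field(default_factory=lambda: {5: 0, 4: 0})
    # Count only findings a fix exists for, so teams can gate on what they can act on.
    patchable_only: bool = False
    # QIDs that fail the build regardless of severity (e.g. an org-wide "never ship" list).
    blocked_qids: FrozenSet[int] = frozenset()


@dataclass
class GateResult:
    passed: bool
    counts: Dict[int, int]   # findings per severity 1..5 after filtering
    reasons: List[str]       # empty when the gate passes


def evaluate(report: dict, criteria: FailureCriteria) -> GateResult:
    """Apply the failure criteria to a report and explain every reason for failing."""
    findings = report.get("vulnerabilities", [])
    if criteria.patchable_only:
        findings = [f for f in findings if f.get("patchable")]

    counts = {sev: 0 for sev in range(1, 6)}
    reasons: List[str] = []
    for f in findings:
        sev = int(f["severity"])
        if sev not in counts:
            # A malformed report must not pass silently as "no findings".
            raise ValueError(f"unexpected severity {sev} for QID {f.get('qid')}")
        counts[sev] += 1
        if f.get("qid") in criteria.blocked_qids:
            reasons.append(f"blocked QID {f['qid']}: {f.get('title', '')}")

    for sev in sorted(criteria.max_by_severity, reverse=True):
        limit = criteria.max_by_severity[sev]
        if counts[sev] > limit:
            reasons.append(f"{counts[sev]} severity-{sev} finding(s) exceed limit of {limit}")

    return GateResult(passed=not reasons, counts=counts, reasons=reasons)


def main() -> None:
    result = evaluate(SAMPLE_REPORT, FailureCriteria())
    print(f"image {SAMPLE_REPORT['image']}: counts by severity {result.counts}")
    for reason in result.reasons:
        print(f"  FAIL: {reason}")
    print("gate passed" if result.passed else "gate failed")
    sys.exit(0 if result.passed else 1)   # non-zero exit fails the CI step


if __name__ == "__main__":
    main()
```

Keeping the criteria as data rather than code lets the same gate run with a strict profile for production images and a looser one for experimental branches, while the reasons list goes straight into the build log so the developer sees which finding blocked the image without opening another console.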

Vulnerability Detection for Docker Images: Jenkins Plug-in for Vulnerability Analysis
- Directly review vulnerabilities, the impacted software and configuration information, along with remediation
- Resolve issues, rinse and repeat for a successful build

Qualys Container Security REST APIs
- Complete feature set supported via REST API
- Provides both List and Detailed views
- Swagger-based API with quick test functionality available directly

Qualys Container Security Functional Overview
(Diagram: CI/CD Tools (UI & REST APIs) and Image Registry (REST APIs & Plug-ins) feed Qualys Container Security; Active Deployments show containers C1-C5 running on Docker Engine across Host / VM (1) and Host / VM (2); REST APIs connect out to SIEM Tools and Ticketing Systems.)

Practical Steps
Next Week
- Take an accounting of current security tools: are they DevOps friendly, with APIs, automation, or self-service UIs?
- Identify development teams using DevOps; engage and discuss DevSecOps
- Visible vs. Safe project; Cloud vs. On-premise
Next Quarter
- Integrate Qualys into one development lifecycle
- Security process(es) to overcome tool integration
- Measure outcomes: # vulns identified/fixed before release
- Host a Project Summit: present your project successes and evangelize DevSecOps to other groups
Next 6 Months
- Create a DevSecOps architecture for on-premise and cloud
- Replace point solutions with Qualys ($$ savings)
- Implement self-service and API-based DevSecOps programs
- Expand to more projects (foundational)
- Present at conferences and user groups on DevSecOps

Thank You
Hari Srinivasan, hsrinivasan@qualys.com