Automating Security Practices for the DevOps Revolution
Hari Srinivasan, Director Product Management, Cloud and Virtualization Security, Qualys Inc.
Qualys, Inc. 2018
Agenda
- Transformation of today's IT and IT organization
- DevOps/DevSecOps
- DevOps use cases in securing cloud
- DevOps use cases in securing containers
- Qualys Container Security overview & demo
Digital Transformation is Driving Transformation of the IT Landscape
Private clouds, public clouds, the Internet, the enterprise on-premise, and remote end users
Digital Transformation
- DevOps innovation
- Cloud migration
- Container revolution
- Scale & elasticity
Digital Transformation
- More than just adopting new technology
- Powered by IT innovation
- Security can't be an afterthought
Digital Transformation Barriers
#1 Cyber threats & security concerns
#1 Lack of digitally-skilled workforce
#2 Lack of supporting government policies and ICT infrastructure
#3 Uncertain economic environment
#3 Lack of leadership to ideate, plan, and lead a digital transformation strategy
1,800 business leaders surveyed by Microsoft. Source: https://news.microsoft.com/apac/2017/02/20/80-of-business-leaders-believe-they-need-to-be-a-digital-business-tosucceed-microsoft-study/microsoft-digital-transformation-infographic-asia
Digital Transformation: What about Security?
- DevSecOps! Built-in, not bolted-on
- More Dev than Sec or Ops
Security as Usual breaks DevOps Automation
Plan > Code > Test > Release > Package > Deploy > Operate > Monitor
A separate security checkpoint bolted onto every stage leaves Dev and Ops waiting at each handoff (wait! wait! wait!).
DevOps + Security != DevSecOps
DevSecOps is a Shift in Thinking: Time, Techniques, Tools
- An opportunity to do different and better things earlier in the development lifecycle
- Think like developers: automation, integration, self-service
- Collaborate with security vendors: DevOps integrations, APIs, self-service UIs
The Right Security Tools for the DevOps Process
Same Qualys Platform for DevSecOps (API, plug-ins, UI)
Vulnerability Management
- Find vulnerabilities in operating systems, commercial software, and open source
- Verification of fixed vulnerabilities
Configuration Compliance
- Verifying build compliance
- Detect changes from baseline
Web Application Scanning
- OWASP Top 10
- Input validation vulnerabilities: SQL injection / cross-site scripting
Container Security
- Inventory tracking
- Vulnerability management
- Events and change tracking
Qualys Sensors
Physical
- Legacy data centers, corporate infrastructure
- Continuous security and compliance scanning
Virtual
- Private cloud infrastructure, virtualized infrastructure
- Continuous security and compliance scanning
Cloud/Container
- Commercial IaaS & PaaS clouds, pre-certified in the marketplace
- Fully automated with API orchestration
- Continuous security and compliance scanning
Cloud Agents
- Lightweight, multiplatform: on premise, elastic cloud & endpoints
- Real-time data collection
- Continuous evaluation on the platform for security and compliance
Passive
- Passively sniff on the network: real-time device discovery & identification
- Identification of APT network traffic
- Extract malware files from the network for analysis
API
- Integration with threat intel feeds
- CMDB integration
- Log connectors
All sensors can be integrated and orchestrated in DevOps pipelines.
Automating Vulnerability Management & Compliance Configuration Checks in DevOps Environments
Customer Case Studies
- Reduced application releases from 2 weeks to 24 hrs by automating security with Qualys into DevOps
- Genealogy company: custom dashboards per LOB to gain visibility into approved vs. unapproved images and patch cycles
- Beverage MNC: enabling DevOps with automated agent deployment via Azure Security Center
Case Study: CapitalOne Before: Lack of Security Automation Delays Release
- Machine builders: VM scan/report, 48 hours
- Vulnerability management teams: VM scan/report, 48 hours
- Two weeks until the image (AMI) is certified for production
18 June 2018
Case Study: CapitalOne After: Introduce Security at the Source, Bake Qualys Security into Gold Images and AMIs
1. OS gold image and Amazon Machine Image (AMI), public or custom
2. Qualys assesses dev instances (Qualys Scanner): identify vulnerabilities & configuration issues in the OS
3. Hardened instances: fix & verify the OS (Qualys Scanner)
4. Approve and publish: bake the approved gold image and AMI
5. CI/CD pipeline deploys live instances, monitored by the Qualys Agent
Case Study: Genealogy Company: Upgrading Security Practice with Visibility
- Datacenter migration to AWS by June 2018: 77 AWS accounts, expected to grow to 100 by June 2018
- Main application: ~2,300 active hosts
- External scans every 4 hrs
- Internal scans every 7 days
Problem? Every production machine updates every 14 days. Need a method to track patched vs. unpatched and establish a clear process.
Solution?
- Scan the images ahead, in the build
- Qualys tags based on EC2 tags
- Trend on longevity
- Roll out an EC2 dashboard for each LOB: instances with Sev 5, 4; approved vs. unapproved, with trend
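The dashboard logic on this slide, as an added example that is not the genealogy company's or Qualys's own code: instances are tagged per LOB from their EC2 tags, checked against an approved-image list, flagged as stale when they have outlived the 14-day patch cycle, counted by Sev 5/4 findings, and compared between two snapshots for the trend. The AMI ids, the `LOB` tag key, the `LOB:` tag scheme, the dates and the severity values are all constructed placeholders.

```python
"""Approved vs. unapproved instance dashboard per line of business (LOB).

Added example, not the genealogy company's or Qualys's own code. It
models the slide's approach: derive a tracking tag from each instance's
EC2 tags, check the instance's AMI against an approved-image list, flag
hosts that have outlived the 14-day patch cycle, count Sev 5/4 hosts,
and compute a trend between two inventory snapshots. All AMI ids, tag
keys, dates and severities below are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

PATCH_CYCLE_DAYS = 14  # every production machine is rebuilt every 14 days


@dataclass(frozen=True)
class Instance:
    instance_id: str
    ami_id: str
    launched: date
    ec2_tags: dict           # e.g. {"LOB": "web"}; the tag key is assumed
    highest_severity: int    # 0 = no findings, otherwise 1..5 (scale assumed)


def qualys_tag(inst):
    """Derive the per-LOB tracking tag from the EC2 'LOB' tag (scheme assumed)."""
    return "LOB:" + inst.ec2_tags.get("LOB", "untagged")


def classify(instances, approved_amis, today, cycle_days=PATCH_CYCLE_DAYS):
    """Per-LOB counts: approved/unapproved images, stale hosts, Sev 5/4 hosts.

    A host is 'stale' when it has run longer than one patch cycle: its image
    predates the current gold image, so it is treated as unpatched.
    """
    summary = defaultdict(lambda: {"instances": 0, "approved": 0, "unapproved": 0,
                                   "stale": 0, "sev_5_4": 0})
    for inst in instances:
        row = summary[qualys_tag(inst)]
        row["instances"] += 1
        row["approved" if inst.ami_id in approved_amis else "unapproved"] += 1
        if (today - inst.launched).days > cycle_days:
            row["stale"] += 1
        if inst.highest_severity >= 4:
            row["sev_5_4"] += 1
    return dict(summary)


def trend(previous, current, metric):
    """Change of one metric per LOB between two snapshots (the dashboard trend)."""
    return {lob: current.get(lob, {}).get(metric, 0) - previous.get(lob, {}).get(metric, 0)
            for lob in sorted(set(previous) | set(current))}


APPROVED_AMIS = {"ami-APPROVED-0001", "ami-APPROVED-0002"}   # placeholder ids
TODAY = date(2018, 6, 18)                                    # snapshot date

# Constructed inventory snapshots (last week's and this week's); launch
# dates are expressed relative to TODAY for simplicity.
FLEET_LAST_WEEK = [
    Instance("i-a1", "ami-APPROVED-0001", TODAY - timedelta(days=3), {"LOB": "web"}, 0),
    Instance("i-a2", "ami-LEGACY-9997", TODAY - timedelta(days=20), {"LOB": "web"}, 5),
    Instance("i-a3", "ami-LEGACY-9999", TODAY - timedelta(days=40), {"LOB": "web"}, 5),
    Instance("i-b2", "ami-LEGACY-9998", TODAY - timedelta(days=15), {}, 3),
]
FLEET_THIS_WEEK = [
    Instance("i-a1", "ami-APPROVED-0001", TODAY - timedelta(days=3), {"LOB": "web"}, 0),
    Instance("i-a2", "ami-APPROVED-0002", TODAY - timedelta(days=20), {"LOB": "web"}, 4),
    Instance("i-a3", "ami-LEGACY-9999", TODAY - timedelta(days=40), {"LOB": "web"}, 5),
    Instance("i-b1", "ami-APPROVED-0001", TODAY - timedelta(days=10), {"LOB": "billing"}, 2),
    Instance("i-b2", "ami-LEGACY-9998", TODAY - timedelta(days=15), {}, 3),
]

if __name__ == "__main__":
    prev = classify(FLEET_LAST_WEEK, APPROVED_AMIS, TODAY)
    cur = classify(FLEET_THIS_WEEK, APPROVED_AMIS, TODAY)
    for lob, row in sorted(cur.items()):
        print(lob, row)
    print("unapproved trend:", trend(prev, cur, "unapproved"))
```

Untagged instances are deliberately kept in their own `LOB:untagged` bucket rather than dropped, since hosts nobody owns are the ones most likely to miss a patch cycle; the stale check uses "longer than one cycle" so a host rebuilt exactly on schedule does not count as unpatched.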
Case Study: Beverage MNC Company: Security Automation During Deployment in Azure
- A hybrid, multi-cloud strategy: primary AWS, secondary Azure
- In Azure: 5K virtual machines across a few projects; OS Windows (majority) and Linux
Problem?
- Ops wants to simplify the process of security tools rollout
- Security wants to participate in DevOps in Azure
Solution?
- Qualys integration with Azure Security Center to automate deploying agents
- DevOps reviews findings and remediates from within ASC
- Security monitors posture from Qualys
Automating Web Application Security in DevOps Environments
Use Case: Automated Integration into DevOps
Selenium -> Qualys WAS -> Jira issues
Image source: https://www.smashingmagazine.com/2015/01/basic-test-automation-for-apps-games-and-mobile-web/
Qualys Web Security Assessments using Jenkins CI/CD
- Developers commit to source control; Jenkins builds in the dev environment and promotes to the Test/QA and Staging environments
- Jenkins calls the WAS engine through the Qualys API; the Qualys Scanner Appliance assesses the application over HTTP
Web Application Assessment Jenkins Plug-in
Security into the DevOps Process for Containers
Containers are Changing the IT Landscape
Docker hosts run an average of 7 containers; 25% of companies run 14+ containers (source: Datadog)
Container Components & Lifecycle
Dockerfile -> Image -> Image Registry -> Containers on a Docker Engine, running on an AWS EC2 instance, AWS ECS (Elastic Container Service), or an on-premises host / VM
Example Dockerfile (Apache image):

    # Apache image
    FROM ubuntu:12.04
    RUN apt-get update
    RUN apt-get install -y apache2
    ENV APACHE_RUN_USER www-data

Resulting image: myapache:2.2:latest
Container Risks/Threats: Impacts to the Security Program
1. Un-validated external software
2. Non-standard configurations
3. Lack of deployment hygiene
4. Unmonitored container-to-container communication (east-west traffic)
5. Untracked ephemeral instances
6. Unauthorized access (lack of proper governance)
Infosecurity Conference, 2018
Qualys Container Security: Automated, Continuous Across the Complete Pipeline
Pre-deployment
- Build: Jenkins plug-in to check for vulnerabilities in the build pipeline; REST APIs for all features
- Registry: inventory; automated or trigger-based vulnerability scans for images in the registry
Post-deployment
- Host: Qualys scanners / agents provide vulnerability and compliance posture
- Runtime: container vulnerabilities; audit log and tracking of events in container environments; create alerts on malicious behavior detection
Qualys Container Security: Automated Security in the DevOps Pipeline
- Build: Jenkins plug-in to check for vulnerabilities in the build pipeline; REST APIs for all features
- Registry: list and run on-demand or scheduled scans of images in the registry
Vulnerability Detection for Docker Images: Jenkins Plug-in for Vulnerability Analysis
- Set FAILURE criteria for image introspection
- Generate a vulnerability analysis job definition to incorporate into the Jenkins build process
- Supports both Pipeline and Freestyle models
Vulnerability Detection for Docker Images: Jenkins Plug-in for Vulnerability Analysis
- Directly review vulnerabilities, the impacted software and configuration information, along with remediation
- Resolve issues, rinse and repeat for a successful build
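The build-gate behaviour the two preceding slides describe (FAILURE criteria for image introspection, remediation grouped by impacted software, fix and rebuild until the build passes), as an added example that is not the Qualys Jenkins plug-in's own code. The findings format, the 1-5 severity scale, the policy keys and the sample scan output are all assumptions constructed for the example.

```python
"""Build-time vulnerability gate for a container image.

Added example, not the Qualys Jenkins plug-in's own code: it shows the
kind of FAILURE criteria such a plug-in evaluates and the remediation
view a developer iterates on. The findings format, the severity scale
(1-5, 5 = most severe) and the policy keys are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    finding_id: str   # hypothetical scanner identifier
    severity: int     # 1 (low) .. 5 (critical), scale assumed
    software: str     # impacted package as reported by the scanner
    fix: str          # remediation text (constructed)


@dataclass
class GateResult:
    status: str                                      # "SUCCESS" or "FAILURE"
    reasons: list = field(default_factory=list)      # why the build failed
    remediation: dict = field(default_factory=dict)  # software -> list of fixes


# Constructed policy: fail on any severity-5 finding, or on more than
# two severity-4 findings. The keys are hypothetical.
POLICY = {"fail_on_severity_at_least": 5, "max_severity4": 2}


def evaluate_gate(findings, policy=POLICY):
    """Return a GateResult for a list of Findings under the given policy."""
    result = GateResult(status="SUCCESS")
    threshold = policy["fail_on_severity_at_least"]
    critical = [f for f in findings if f.severity >= threshold]
    sev4 = [f for f in findings if f.severity == 4]
    if critical:
        result.reasons.append(
            f"{len(critical)} finding(s) at severity >= {threshold}: "
            + ", ".join(sorted(f.finding_id for f in critical)))
    if len(sev4) > policy["max_severity4"]:
        result.reasons.append(
            f"{len(sev4)} severity-4 finding(s) exceeds the limit of "
            f"{policy['max_severity4']}")
    if result.reasons:
        result.status = "FAILURE"
    # Group remediation advice by impacted software, highest severity first,
    # so the developer can fix, rebuild and re-run the gate (rinse and repeat).
    grouped = defaultdict(list)
    for f in sorted(findings, key=lambda x: (-x.severity, x.finding_id)):
        grouped[f.software].append(f"[sev {f.severity}] {f.finding_id}: {f.fix}")
    result.remediation = dict(grouped)
    return result


# Constructed scan output for the first build of an Apache image.
FIRST_BUILD = [
    Finding("F-001", 5, "apache2", "upgrade apache2 to the patched release"),
    Finding("F-002", 4, "openssl", "upgrade openssl"),
    Finding("F-003", 4, "libc6", "upgrade libc6"),
    Finding("F-004", 3, "bash", "upgrade bash"),
]

# After rebuilding on a patched base image only the low-severity finding
# remains (constructed).
SECOND_BUILD = [Finding("F-004", 3, "bash", "upgrade bash")]


if __name__ == "__main__":
    for label, findings in (("first build", FIRST_BUILD), ("second build", SECOND_BUILD)):
        r = evaluate_gate(findings)
        print(f"{label}: {r.status}")
        for reason in r.reasons:
            print("  -", reason)
        for software, fixes in r.remediation.items():
            print(f"  {software}:")
            for fix in fixes:
                print("    ", fix)
```

The remediation view is produced whether or not the gate fails, so a passing build still surfaces what to fix next; the failure reasons are kept separate from the remediation list so the Jenkins job can print a one-line cause while the full list goes to the developer.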
Qualys Container Security REST APIs
- Complete feature set supported via REST API
- Provides both list and detailed views
- Swagger-based API with quick-test functionality available directly
Qualys Container Security Functional Overview
- CI/CD tools connect through the UI & REST APIs
- Image registry connects through REST APIs & plug-ins
- Active deployments: containers (C1 to C5) on Docker Engines on Host / VM (1) and Host / VM (2)
- REST APIs feed SIEM tools and ticketing systems
Practical Steps
Next week
- Take an accounting of current security tools: are they DevOps friendly, with APIs, automation, or self-service UIs?
- Identify development teams using DevOps; engage and discuss DevSecOps
- Visible vs. safe project; cloud vs. on-premise
Next quarter
- Integrate Qualys into one development lifecycle
- Security process(es) to overcome tool integration
- Measure outcomes: # vulns identified/fixed before release
- Host a project summit: present your project successes and evangelize DevSecOps to other groups
Next 6 months
- Create a DevSecOps architecture for on-premise and cloud
- Replace point solutions with Qualys ($$ savings)
- Implement self-service and API-based DevSecOps programs
- Expand to more projects (foundational)
- Present at conferences and user groups on DevSecOps
Thank You
Hari Srinivasan, hsrinivasan@qualys.com