Adding the Sec to Your DevOps Pipelines (SEC332-R1) - AWS re:Invent 2018
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Adding the Sec to Your DevOps Pipelines
SEC332
Welcome to the workshop; please have a seat.
Please visit http://bit.ly/2CVczI0 and follow the setup
instructions to complete the prerequisites for this workshop.
If you need to create a new AWS account,
visit http://bit.ly/2P45JHn
Adding the Sec to Your DevOps Pipelines
Armando Leite
Sr. Manager
Solutions Prototyping
SEC332
Adam McLean
Solutions Developer
Solutions Prototyping
Aravind Kodandaramaiah
Solutions Developer
Solutions Prototyping
Agenda
Dev(Sec)Ops Overview
Security in the Pipeline
Pipeline Build-Out
Take home challenge
Wrap-up
Q&A
What is DevOps?
A combination of practices and tools aimed at: Rapid Delivery, Reliability, Speed, Scale, Improved Collaboration.
What is DevSecOps?
SecDevOps: adding Sec to Dev/__/Ops. Security here covers: Securing the Pipeline, Auditing, Workloads, Operations, and Security in the Pipeline.
Security in the Pipeline
Stages (diagram): Source Control (commit changes) → Build (build artifacts) → Testing & Staging (deploy to test environment; run integration, security, load and other tests) → Production (deploy to production environment) → Maintain (manage runtime)
AWS services shown across the stages: AWS CodeCommit, AWS CodeStar, AWS CodePipeline, AWS CodeBuild, AWS CloudFormation, AWS Step Functions, AWS CodeDeploy, AWS Elastic Beanstalk, AWS X-Ray, AWS Systems Manager, Amazon GuardDuty
What will you do today?
1. Build a CI/CD Pipeline.
2. Implement security IN the Pipeline.
Pipeline prerequisite check
http://bit.ly/2CVczI0
5 Min
The base Pipeline (AWS CodePipeline)
Source: source code in CodeCommit
Build source code: CodeBuild
Launch & Install: Lambda runs an SSM Automation against an EC2 instance
Build AMI: Lambda produces the Golden AMI
The final Pipeline (AWS CodePipeline)
Source: source code in CodeCommit
Static Code Analysis: CodeBuild
Launch & Install: Lambda runs an SSM Automation against an EC2 instance
Vulnerability check: Lambda with Amazon Inspector
Build AMI: Lambda produces the Golden AMI
Your turn – Build the base pipeline (25 min): http://bit.ly/2zlngjB
Stages (diagram): Source (CodeCommit) → Build source code (CodeBuild) → Launch & Install (Lambda) → Build AMI (Lambda) → Golden AMI
Is the base Pipeline working?
Stages (diagram): Source (CodeCommit) → Static code analysis (CodeBuild) → Launch & Install (Lambda) → Build AMI (Lambda) → Golden AMI
Static Code Analysis
Your turn – Add static code analysis to the Pipeline (8 min): http://bit.ly/2D1uk8u
Stages (diagram): Source (CodeCommit) → Static code analysis (CodeBuild) → Launch & Install (Lambda, SSM Automation, EC2 instance) → Build AMI (Lambda) → Golden AMI
Did the Pipeline find the embedded credentials?
Your turn – Remove the embedded credentials (12 min): http://bit.ly/2F7Wd1p
Stages (diagram): Source (CodeCommit) → Static code analysis (CodeBuild) → Launch & Install (Lambda) → Build AMI (Lambda) → Golden AMI
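As an added illustration (not the workshop's own code) of the kind of check the static code analysis stage runs, here is a small credential scanner that a CodeBuild buildspec could invoke; a non-zero exit code fails the build and therefore the pipeline. The key formats, the sample source file and the function names are assumptions; the key pair is the placeholder pair from the AWS documentation.

```python
import os
import re

# Assumed credential formats: AWS access key IDs are 20 uppercase alphanumerics
# starting with AKIA (long-term) or ASIA (temporary); secret keys are 40
# base64-style characters, flagged only when bound to a secret-key-like name.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,5}([A-Za-z0-9/+=]{40})")

# Constructed sample source file; the key pair is the placeholder pair from AWS docs.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID)
"""

def mask(value):
    """Keep only the first and last four characters so build logs never leak the secret."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan_text(text, path="<input>"):
    """Return (path, line_no, kind, masked_value) for each credential found."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            hits.append((path, n, "access_key_id", mask(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            hits.append((path, n, "secret_access_key", mask(m.group(1))))
    return hits

def scan_tree(root, skip_dirs=(".git", "node_modules")):
    """Scan every file under root, skipping VCS and dependency directories."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                hits.extend(scan_text(fh.read(), path))
    return hits

def build_exit_code(hits):
    """Non-zero fails the CodeBuild phase and therefore the pipeline stage."""
    return 1 if hits else 0
```

A buildspec would run this as a script that exits with build_exit_code(scan_tree(".")) and prints the masked hits, so the stage fails before the AMI is ever built.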
Vulnerability Assessment with Amazon Inspector
What is Amazon Inspector?
Vulnerability assessment service in the cloud.
• Application / EC2 security assessment
• Selectable built-in rules
• Runtime Behavioral Analysis
• CVE (common vulnerabilities and exposures)
• AWS Security Best Practices
• Weak Security Configuration (CIS Security Benchmarks)
• Network Reachability
• Security findings – guidance and management
• Automatable via APIs
Your turn – Add vulnerability assessment to the Pipeline (20 min): http://bit.ly/2RwEsKB
Stages (diagram): Source (CodeCommit) → Static code analysis (CodeBuild) → Launch & Install (Lambda, SSM Automation, EC2 instance) → Vulnerability Check (Lambda, Amazon Inspector) → Build AMI (Lambda) → Golden AMI
Did the Pipeline catch the vulnerability?
What did Amazon Inspector find?
Finding 1: A security flaw was found in the chap_server_compute_md5() function
  Recommendation: Use your Operating System's update feature to update package kernel-0:4.14.62-65.117.amzn1
  Fix: yum -y update kernel
Finding 2: The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows.
  Recommendation: Use your Operating System's update feature to update package kernel-0:4.14.62-65.117.amzn1
  Fix: yum -y update kernel
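The workshop's Vulnerability check stage is a Lambda that reads Amazon Inspector findings and passes or fails the CodePipeline stage. As an added example (not the workshop's or AWS's code), here is decision logic such a Lambda could carry, evaluated offline on constructed findings shaped like Inspector's DescribeFindings output; the finding layout, the third low-severity finding and the package-name parsing are assumptions, and the boto3 call itself is left out.

```python
import re

# Severity values used by Amazon Inspector findings; Informational/Undefined never block.
SEVERITY_RANK = {"Informational": 0, "Undefined": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample findings in the shape of Inspector's DescribeFindings output,
# modelled on the two kernel findings shown on the workshop slide (assumption).
KERNEL_FIX = ("Use your Operating System's update feature to update package "
              "kernel-0:4.14.62-65.117.amzn1")
SAMPLE_FINDINGS = [
    {"title": "A security flaw was found in the chap_server_compute_md5() function",
     "severity": "High", "recommendation": KERNEL_FIX},
    {"title": "The vmacache_flush_all function in mm/vmacache.c mishandles "
              "sequence number overflows.", "severity": "High", "recommendation": KERNEL_FIX},
    {"title": "Constructed low-severity finding", "severity": "Low",
     "recommendation": "Use your Operating System's update feature to update package "
                       "openssl-1:1.0.2k-16.150.amzn1"},
]

def blocking_findings(findings, block_at="Medium"):
    """Findings whose severity is at or above the gate threshold."""
    threshold = SEVERITY_RANK[block_at]
    return [f for f in findings
            if SEVERITY_RANK.get(f.get("severity", "Undefined"), 0) >= threshold]

def package_name(nevra):
    """'kernel-0:4.14.62-65.117.amzn1' -> 'kernel' (rsplit keeps hyphenated names intact)."""
    return nevra.rsplit("-", 2)[0]

def packages_to_update(findings, block_at="Medium"):
    """Distinct packages named in the recommendations of blocking findings; both kernel
    findings on the slide collapse to the single 'yum -y update kernel' fix."""
    pkgs = set()
    for f in blocking_findings(findings, block_at):
        m = re.search(r"update package (\S+)", f.get("recommendation", ""))
        if m:
            pkgs.add(package_name(m.group(1)))
    return pkgs

def gate_result(findings, block_at="Medium"):
    """Choose which CodePipeline job-result call the Lambda should make (the names are
    the real CodePipeline API calls) and build the message that goes with it."""
    blocking = blocking_findings(findings, block_at)
    if not blocking:
        return "put_job_success_result", "no findings at or above %s" % block_at
    message = "%d blocking finding(s); update: %s" % (
        len(blocking), ", ".join(sorted(packages_to_update(findings, block_at))))
    return "put_job_failure_result", message
```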
Your turn – Fix the vulnerability (20 min): http://bit.ly/2RzgvCk
Stages (diagram): Source (CodeCommit) → Static code analysis (CodeBuild) → Launch & Install (Lambda) → Vulnerability Check (Lambda) → Build AMI (Lambda) → Golden AMI
Your turn – Launch the AMI (15 min): http://bit.ly/2zxg18e
Threat detection and continuous monitoring with Amazon GuardDuty
GuardDuty Monitors
• Unusual API calls.
• Potentially unauthorized deployments that indicate a possible account
compromise.
• Potentially compromised instances or reconnaissance by attackers.
How GuardDuty Works (in the AWS Cloud)
Data Sources: VPC Flow Logs, DNS Logs, CloudTrail Events
Threat Detection Types: Threat intel, ML/AI, Anomaly Detection
Findings: Reconnaissance, Instance Compromise, Account Compromise, rated HIGH / MEDIUM / LOW
Findings are forwarded to a SIEM and/or used to remediate
Your turn – Clean up AWS resources: http://bit.ly/2Dl7A4k
Thank you!
Aravind Kodandaramaiah
karavind@amazon.com
Adam McLean
apmclean@amazon.com