SlideShare ist ein Scribd-Unternehmen logo

AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)

Amazon Web Services
Amazon Web Services

Attend this session to learn about security testing your applications in AWS. Effective security testing is challenging, but multiple features and services within AWS make security testing easier. This session covers common approaches to testing, including how we think about testing within AWS, how to apply AWS services to your test setup, remediating findings, and automation.

Technologie
1 von 25
Downloaden Sie, um offline zu lesen
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Alex Lucas, AWS Security November 29, 2016 SEC309 Proactive Security Testing in AWS From Early Implementation to Deployment Penetration Testing
What to expect from this session • How to think about your AWS assets • Threat modeling and attack surface • Security baseline • Testing for security • Automation • Continuous Security • Close
Threat modeling • Why? • External dependencies and assumptions • System edges and entry points • Assets and information flows • Classes of user and action / trust • Risks and mitigations
Threat modeling  assets • What is an asset? • Amazon EC2 instance • Amazon S3 bucket • Amazon RDS • Access management • Networking • Deployment and development
Threat modeling  actors • Users • Services • Access to shared assets
Threat model  architecture Unknown user Authenticated user Web server Cache RDBMS Web admin DB admin DB users? CMS 1.1 Login 1. 2 Post 2.1 Admin
STRIDE Spoofing Tampering Repudiation Information disclosure Denial of service Elevation of privilege
Table of flows, STRIDE etc Data flow ID Description 1.1 An unauthenticated user can logon onto the CMS system with valid credentials at this point a session identifying the user controls their identity. STRIDE • Spoofing – A user could assume an incorrect identity if not checked properly • Repudiation – Attempts to login and failed login attempts may not be traced • Denial of service (DoS) - If the login flow is too expensive (computationally complex) the login call could potentially be used to deny service to other users • Elevation of Privilege (EoP) – Incorrectly logging in a user would result in this
Feature Id Mitigation Description SESSION-104 To address spoofing concerns an external audit of the code by [X] will take place. All changes to the code post-event will undergo code review. AUDIT-7 For repudiation all login attempts will be logged into the application log and stored to Amazon CloudWatch Logs. AUDIT-7-1 In support of LOGIN-102 the team will investigate the feasibility of using CloudWatch alarms with thresholds for failed logins. LOGIN-11 For DoS prevention we will do extensive profiling of the login flow and ensure that failed and successful logins represent log computational burden. A single web server instance should be able to support O(x) login calls simultaneously.
Management layer Private subnetPublic subnet ws Internet gateway Router Route table Route table Endpoint S3 bucket Instance role IAM ElastiCache Route 53CloudFormation KMSAmazon Inspector CloudTrail Config
Security baseline • Core: • Instances are patched and remain so • Instances are safe to use post-startup as long as security groups only expose the expected services to the Internet • Account AWS infrastructure management is correctly controlled • Application: • The application has been security tested
Demo – patch level • Any outstanding security patches? • Using EC2 Simple Systems Manager (SSM) run command.
Build security testing in • Static analysis on code push to central repository • Adding a trigger to look for security issues • Check staging and pre-deployment • Check your application access controls
Demo – source code • AWS CodeCommit trigger to look for AWS stored secrets
Demo – deployment assessment • Using Amazon Inspector to assess a pre-production environment and move it to production.
Security testing • Penetration test request process: https://aws.amazon.com/security/penetration-testing/ • Focus on baseline • Know your tools • Be selective
Demo – network profile • Enumerate Internet endpoints • Confirm availability
Continuous security • Integrated testing • Point in time questions • Monitor for changes
Thank you!
Remember to complete your evaluations!
Related sessions • SEC301 - Audit Your AWS Account Against Industry Best Practices: The CIS AWS Benchmarks • SEC313 - Automating Security Event Response, from Idea to Code to Execution • SAC401 - 5 Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules

Empfohlen

Amazon ECS with Docker | AWS Public Sector Summit 2016
Amazon ECS with Docker | AWS Public Sector Summit 2016Amazon ECS with Docker | AWS Public Sector Summit 2016
Amazon ECS with Docker | AWS Public Sector Summit 2016
Amazon Web Services
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
Amazon Web Services
 
A Tale of Two Pizzas: Accelerating Software Delivery with Developer Tools - D...
A Tale of Two Pizzas: Accelerating Software Delivery with Developer Tools - D...A Tale of Two Pizzas: Accelerating Software Delivery with Developer Tools - D...
A Tale of Two Pizzas: Accelerating Software Delivery with Developer Tools - D...
Amazon Web Services
 
DevOps Tooling - Pop-up Loft TLV 2017
DevOps Tooling - Pop-up Loft TLV 2017DevOps Tooling - Pop-up Loft TLV 2017
DevOps Tooling - Pop-up Loft TLV 2017
Amazon Web Services
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
Amazon Web Services
 
AWS re:Invent 2016: Netflix: Using Amazon S3 as the fabric of our big data ec...
AWS re:Invent 2016: Netflix: Using Amazon S3 as the fabric of our big data ec...AWS re:Invent 2016: Netflix: Using Amazon S3 as the fabric of our big data ec...
AWS re:Invent 2016: Netflix: Using Amazon S3 as the fabric of our big data ec...
Amazon Web Services
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
Amazon Web Services
 
Deep Dive on Microservices and Amazon ECS by Raul Frias, Solutions Architect,...
Deep Dive on Microservices and Amazon ECS by Raul Frias, Solutions Architect,...Deep Dive on Microservices and Amazon ECS by Raul Frias, Solutions Architect,...
Deep Dive on Microservices and Amazon ECS by Raul Frias, Solutions Architect,...
Amazon Web Services
 

Empfohlen

Amazon ECS with Docker | AWS Public Sector Summit 2016
Amazon ECS with Docker | AWS Public Sector Summit 2016Amazon ECS with Docker | AWS Public Sector Summit 2016
Amazon ECS with Docker | AWS Public Sector Summit 2016
Amazon Web Services
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
Amazon Web Services
 
A Tale of Two Pizzas: Accelerating Software Delivery with Developer Tools - D...
A Tale of Two Pizzas: Accelerating Software Delivery with Developer Tools - D...A Tale of Two Pizzas: Accelerating Software Delivery with Developer Tools - D...
A Tale of Two Pizzas: Accelerating Software Delivery with Developer Tools - D...
Amazon Web Services
 
DevOps Tooling - Pop-up Loft TLV 2017
DevOps Tooling - Pop-up Loft TLV 2017DevOps Tooling - Pop-up Loft TLV 2017
DevOps Tooling - Pop-up Loft TLV 2017
Amazon Web Services
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
Amazon Web Services
 
AWS re:Invent 2016: Netflix: Using Amazon S3 as the fabric of our big data ec...
AWS re:Invent 2016: Netflix: Using Amazon S3 as the fabric of our big data ec...AWS re:Invent 2016: Netflix: Using Amazon S3 as the fabric of our big data ec...
AWS re:Invent 2016: Netflix: Using Amazon S3 as the fabric of our big data ec...
Amazon Web Services
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
Amazon Web Services
 
Deep Dive on Microservices and Amazon ECS by Raul Frias, Solutions Architect,...
Deep Dive on Microservices and Amazon ECS by Raul Frias, Solutions Architect,...Deep Dive on Microservices and Amazon ECS by Raul Frias, Solutions Architect,...
Deep Dive on Microservices and Amazon ECS by Raul Frias, Solutions Architect,...
Amazon Web Services
 
AWS re:Invent 2016: Netflix: Container Scheduling, Execution, and Integration...
AWS re:Invent 2016: Netflix: Container Scheduling, Execution, and Integration...AWS re:Invent 2016: Netflix: Container Scheduling, Execution, and Integration...
AWS re:Invent 2016: Netflix: Container Scheduling, Execution, and Integration...
Amazon Web Services
 
Infrastructure Continuous Delivery Using AWS CloudFormation
Infrastructure Continuous Delivery Using AWS CloudFormationInfrastructure Continuous Delivery Using AWS CloudFormation
Infrastructure Continuous Delivery Using AWS CloudFormation
Amazon Web Services
 
Microsoft Best Practices on AWS
Microsoft Best Practices on AWSMicrosoft Best Practices on AWS
Microsoft Best Practices on AWS
Amazon Web Services
 
Managing Your Infrastructure as Code by Travis Williams, Solutions Architect,...
Managing Your Infrastructure as Code by Travis Williams, Solutions Architect,...Managing Your Infrastructure as Code by Travis Williams, Solutions Architect,...
Managing Your Infrastructure as Code by Travis Williams, Solutions Architect,...
Amazon Web Services
 
AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...
AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...
AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...
Amazon Web Services
 
ENT308 Best Practices for Microsoft Architectures on AWS
ENT308 Best Practices for Microsoft Architectures on AWSENT308 Best Practices for Microsoft Architectures on AWS
ENT308 Best Practices for Microsoft Architectures on AWS
Amazon Web Services
 
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016
Amazon Web Services
 
Cloud-Native DevOps: Simplifying application lifecycle management with AWS | ...
Cloud-Native DevOps: Simplifying application lifecycle management with AWS | ...Cloud-Native DevOps: Simplifying application lifecycle management with AWS | ...
Cloud-Native DevOps: Simplifying application lifecycle management with AWS | ...
Amazon Web Services
 
Running Containerised Applications at Scale on AWS
Running Containerised Applications at Scale on AWSRunning Containerised Applications at Scale on AWS
Running Containerised Applications at Scale on AWS
Amazon Web Services
 
SRV417 Deep Dive on Elastic Load Balancing
SRV417 Deep Dive on Elastic Load BalancingSRV417 Deep Dive on Elastic Load Balancing
SRV417 Deep Dive on Elastic Load Balancing
Amazon Web Services
 
Introduction to AWS X-Ray
Introduction to AWS X-RayIntroduction to AWS X-Ray
Introduction to AWS X-Ray
Amazon Web Services
 
Hack-Proof Your Cloud: Responding to 2016 Threats
Hack-Proof Your Cloud: Responding to 2016 ThreatsHack-Proof Your Cloud: Responding to 2016 Threats
Hack-Proof Your Cloud: Responding to 2016 Threats
Amazon Web Services
 
(CMP401) Elastic Load Balancing Deep Dive and Best Practices
(CMP401) Elastic Load Balancing Deep Dive and Best Practices(CMP401) Elastic Load Balancing Deep Dive and Best Practices
(CMP401) Elastic Load Balancing Deep Dive and Best Practices
Amazon Web Services
 
Auto-Scaling Web Application Security in Amazon Web Services (SEC308) | AWS r...
Auto-Scaling Web Application Security in Amazon Web Services (SEC308) | AWS r...Auto-Scaling Web Application Security in Amazon Web Services (SEC308) | AWS r...
Auto-Scaling Web Application Security in Amazon Web Services (SEC308) | AWS r...
Amazon Web Services
 
Getting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudGetting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless Cloud
Amazon Web Services
 
Deep Dive on Elastic Load Balancing
Deep Dive on Elastic Load BalancingDeep Dive on Elastic Load Balancing
Deep Dive on Elastic Load Balancing
Amazon Web Services
 
How to Design for High Availability & Scale with AWS
How to Design for High Availability & Scale with AWSHow to Design for High Availability & Scale with AWS
How to Design for High Availability & Scale with AWS
Blazeclan Technologies Private Limited
 
Hybrid IT: A Stepping Stone to All-In - Pop-up Loft TLV 2017
Hybrid IT: A Stepping Stone to All-In - Pop-up Loft TLV 2017Hybrid IT: A Stepping Stone to All-In - Pop-up Loft TLV 2017
Hybrid IT: A Stepping Stone to All-In - Pop-up Loft TLV 2017
Amazon Web Services
 
AWS re:Invent 2016: Running Batch Jobs on Amazon ECS (CON310)
AWS re:Invent 2016: Running Batch Jobs on Amazon ECS (CON310)AWS re:Invent 2016: Running Batch Jobs on Amazon ECS (CON310)
AWS re:Invent 2016: Running Batch Jobs on Amazon ECS (CON310)
Amazon Web Services
 
Achieve Scale & Velocity with AWS OpsWorks for Chef Automate
Achieve Scale & Velocity with AWS OpsWorks for Chef AutomateAchieve Scale & Velocity with AWS OpsWorks for Chef Automate
Achieve Scale & Velocity with AWS OpsWorks for Chef Automate
Amazon Web Services
 
AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017
AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017 AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017
AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017
Amazon Web Services
 
Best Practices for Security at Scale
Best Practices for Security at ScaleBest Practices for Security at Scale
Best Practices for Security at Scale
Amazon Web Services
 

Weitere ähnliche Inhalte

Was ist angesagt?

AWS re:Invent 2016: Netflix: Container Scheduling, Execution, and Integration...
AWS re:Invent 2016: Netflix: Container Scheduling, Execution, and Integration...AWS re:Invent 2016: Netflix: Container Scheduling, Execution, and Integration...
AWS re:Invent 2016: Netflix: Container Scheduling, Execution, and Integration...
Amazon Web Services
 
AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...
AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...
AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...
Amazon Web Services
 
ENT308 Best Practices for Microsoft Architectures on AWS
ENT308 Best Practices for Microsoft Architectures on AWSENT308 Best Practices for Microsoft Architectures on AWS
ENT308 Best Practices for Microsoft Architectures on AWS
Amazon Web Services
 
Cloud-Native DevOps: Simplifying application lifecycle management with AWS | ...
Cloud-Native DevOps: Simplifying application lifecycle management with AWS | ...Cloud-Native DevOps: Simplifying application lifecycle management with AWS | ...
Cloud-Native DevOps: Simplifying application lifecycle management with AWS | ...
Amazon Web Services
 
Hack-Proof Your Cloud: Responding to 2016 Threats
Hack-Proof Your Cloud: Responding to 2016 ThreatsHack-Proof Your Cloud: Responding to 2016 Threats
Hack-Proof Your Cloud: Responding to 2016 Threats
Amazon Web Services
 
Auto-Scaling Web Application Security in Amazon Web Services (SEC308) | AWS r...
Auto-Scaling Web Application Security in Amazon Web Services (SEC308) | AWS r...Auto-Scaling Web Application Security in Amazon Web Services (SEC308) | AWS r...
Auto-Scaling Web Application Security in Amazon Web Services (SEC308) | AWS r...
Amazon Web Services
 
Getting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudGetting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless Cloud
Amazon Web Services
 
AWS re:Invent 2016: Running Batch Jobs on Amazon ECS (CON310)
AWS re:Invent 2016: Running Batch Jobs on Amazon ECS (CON310)AWS re:Invent 2016: Running Batch Jobs on Amazon ECS (CON310)
AWS re:Invent 2016: Running Batch Jobs on Amazon ECS (CON310)
Amazon Web Services
 
Achieve Scale & Velocity with AWS OpsWorks for Chef Automate
Achieve Scale & Velocity with AWS OpsWorks for Chef AutomateAchieve Scale & Velocity with AWS OpsWorks for Chef Automate
Achieve Scale & Velocity with AWS OpsWorks for Chef Automate
Amazon Web Services
 

Was ist angesagt? (20)

AWS re:Invent 2016: Netflix: Container Scheduling, Execution, and Integration...
AWS re:Invent 2016: Netflix: Container Scheduling, Execution, and Integration...AWS re:Invent 2016: Netflix: Container Scheduling, Execution, and Integration...
AWS re:Invent 2016: Netflix: Container Scheduling, Execution, and Integration...
 
Infrastructure Continuous Delivery Using AWS CloudFormation
Infrastructure Continuous Delivery Using AWS CloudFormationInfrastructure Continuous Delivery Using AWS CloudFormation
Infrastructure Continuous Delivery Using AWS CloudFormation
 
Microsoft Best Practices on AWS
Microsoft Best Practices on AWSMicrosoft Best Practices on AWS
Microsoft Best Practices on AWS
 
Managing Your Infrastructure as Code by Travis Williams, Solutions Architect,...
Managing Your Infrastructure as Code by Travis Williams, Solutions Architect,...Managing Your Infrastructure as Code by Travis Williams, Solutions Architect,...
Managing Your Infrastructure as Code by Travis Williams, Solutions Architect,...
 
AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...
AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...
AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...
 
ENT308 Best Practices for Microsoft Architectures on AWS
ENT308 Best Practices for Microsoft Architectures on AWSENT308 Best Practices for Microsoft Architectures on AWS
ENT308 Best Practices for Microsoft Architectures on AWS
 
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016
 
Cloud-Native DevOps: Simplifying application lifecycle management with AWS | ...
Cloud-Native DevOps: Simplifying application lifecycle management with AWS | ...Cloud-Native DevOps: Simplifying application lifecycle management with AWS | ...
Cloud-Native DevOps: Simplifying application lifecycle management with AWS | ...
 
Running Containerised Applications at Scale on AWS
Running Containerised Applications at Scale on AWSRunning Containerised Applications at Scale on AWS
Running Containerised Applications at Scale on AWS
 
SRV417 Deep Dive on Elastic Load Balancing
SRV417 Deep Dive on Elastic Load BalancingSRV417 Deep Dive on Elastic Load Balancing
SRV417 Deep Dive on Elastic Load Balancing
 
Introduction to AWS X-Ray
Introduction to AWS X-RayIntroduction to AWS X-Ray
Introduction to AWS X-Ray
 
Hack-Proof Your Cloud: Responding to 2016 Threats
Hack-Proof Your Cloud: Responding to 2016 ThreatsHack-Proof Your Cloud: Responding to 2016 Threats
Hack-Proof Your Cloud: Responding to 2016 Threats
 
(CMP401) Elastic Load Balancing Deep Dive and Best Practices
(CMP401) Elastic Load Balancing Deep Dive and Best Practices(CMP401) Elastic Load Balancing Deep Dive and Best Practices
(CMP401) Elastic Load Balancing Deep Dive and Best Practices
 
Auto-Scaling Web Application Security in Amazon Web Services (SEC308) | AWS r...
Auto-Scaling Web Application Security in Amazon Web Services (SEC308) | AWS r...Auto-Scaling Web Application Security in Amazon Web Services (SEC308) | AWS r...
Auto-Scaling Web Application Security in Amazon Web Services (SEC308) | AWS r...
 
Getting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudGetting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless Cloud
 
Deep Dive on Elastic Load Balancing
Deep Dive on Elastic Load BalancingDeep Dive on Elastic Load Balancing
Deep Dive on Elastic Load Balancing
 
How to Design for High Availability & Scale with AWS
How to Design for High Availability & Scale with AWSHow to Design for High Availability & Scale with AWS
How to Design for High Availability & Scale with AWS
 
Hybrid IT: A Stepping Stone to All-In - Pop-up Loft TLV 2017
Hybrid IT: A Stepping Stone to All-In - Pop-up Loft TLV 2017Hybrid IT: A Stepping Stone to All-In - Pop-up Loft TLV 2017
Hybrid IT: A Stepping Stone to All-In - Pop-up Loft TLV 2017
 
AWS re:Invent 2016: Running Batch Jobs on Amazon ECS (CON310)
AWS re:Invent 2016: Running Batch Jobs on Amazon ECS (CON310)AWS re:Invent 2016: Running Batch Jobs on Amazon ECS (CON310)
AWS re:Invent 2016: Running Batch Jobs on Amazon ECS (CON310)
 
Achieve Scale & Velocity with AWS OpsWorks for Chef Automate
Achieve Scale & Velocity with AWS OpsWorks for Chef AutomateAchieve Scale & Velocity with AWS OpsWorks for Chef Automate
Achieve Scale & Velocity with AWS OpsWorks for Chef Automate
 

Ähnlich wie AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)

선도 금융사들의 aws security 활용 방안 소개 :: Eugene Yu :: AWS Finance...
선도 금융사들의 aws security 활용 방안 소개 :: Eugene Yu :: AWS Finance...선도 금융사들의 aws security 활용 방안 소개 :: Eugene Yu :: AWS Finance...
선도 금융사들의 aws security 활용 방안 소개 :: Eugene Yu :: AWS Finance...
Amazon Web Services Korea
 
Modern Security and Compliance Through Automation
Modern Security and Compliance Through AutomationModern Security and Compliance Through Automation
Modern Security and Compliance Through Automation
Amazon Web Services
 

Ähnlich wie AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309) (20)

AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017
AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017 AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017
AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017
 
Best Practices for Security at Scale
Best Practices for Security at ScaleBest Practices for Security at Scale
Best Practices for Security at Scale
 
선도 금융사들의 aws security 활용 방안 소개 :: Eugene Yu :: AWS Finance...
선도 금융사들의 aws security 활용 방안 소개 :: Eugene Yu :: AWS Finance...선도 금융사들의 aws security 활용 방안 소개 :: Eugene Yu :: AWS Finance...
선도 금융사들의 aws security 활용 방안 소개 :: Eugene Yu :: AWS Finance...
 
Security Best Practices_John Hildebrandt
Security Best Practices_John HildebrandtSecurity Best Practices_John Hildebrandt
Security Best Practices_John Hildebrandt
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and Response
 
Infrastructure Provisioning & Automation For Large Enterprises
Infrastructure Provisioning & Automation For Large EnterprisesInfrastructure Provisioning & Automation For Large Enterprises
Infrastructure Provisioning & Automation For Large Enterprises
 
AWS Security
AWS Security AWS Security
AWS Security
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS Applications
 
APN Partner Webinar - Security & Compliance for AWS EMEA Partners
APN Partner Webinar - Security & Compliance for AWS EMEA PartnersAPN Partner Webinar - Security & Compliance for AWS EMEA Partners
APN Partner Webinar - Security & Compliance for AWS EMEA Partners
 
Automating AWS security and compliance
Automating AWS security and compliance Automating AWS security and compliance
Automating AWS security and compliance
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best Practices
 
Accelerating cloud adoption for your regulated workloads - AWS PS Summit Canb...
Accelerating cloud adoption for your regulated workloads - AWS PS Summit Canb...Accelerating cloud adoption for your regulated workloads - AWS PS Summit Canb...
Accelerating cloud adoption for your regulated workloads - AWS PS Summit Canb...
 
AWS Security for Financial Services
AWS Security for Financial ServicesAWS Security for Financial Services
AWS Security for Financial Services
 
Modern Security and Compliance Through Automation
Modern Security and Compliance Through AutomationModern Security and Compliance Through Automation
Modern Security and Compliance Through Automation
 
AWS Security Checklist
AWS Security ChecklistAWS Security Checklist
AWS Security Checklist
 
Blue Chip Tek Connect and Protect Presentation #3
Blue Chip Tek Connect and Protect Presentation #3Blue Chip Tek Connect and Protect Presentation #3
Blue Chip Tek Connect and Protect Presentation #3
 
9 Security Best Practices
9 Security Best Practices9 Security Best Practices
9 Security Best Practices
 
Sicurezza e Compliance nel Cloud
Sicurezza e Compliance nel CloudSicurezza e Compliance nel Cloud
Sicurezza e Compliance nel Cloud
 
Journey Through The Cloud - Security Best Practices
Journey Through The Cloud - Security Best Practices Journey Through The Cloud - Security Best Practices
Journey Through The Cloud - Security Best Practices
 
Building Secure Architectures on AWS
Building Secure Architectures on AWSBuilding Secure Architectures on AWS
Building Secure Architectures on AWS
 

Mehr von Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Amazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Amazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
Amazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Amazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
Amazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Amazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
Amazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
Amazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
Amazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
Amazon Web Services
 

Mehr von Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Kürzlich hochgeladen

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
Overkill Security
 

Kürzlich hochgeladen (20)

ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 

AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)

  • 1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Alex Lucas, AWS Security November 29, 2016 SEC309 Proactive Security Testing in AWS From Early Implementation to Deployment Penetration Testing
  • 2. What to expect from this session • How to think about your AWS assets • Threat modeling and attack surface • Security baseline • Testing for security • Automation • Continuous Security • Close
  • 3. Threat modeling • Why? • External dependencies and assumptions • System edges and entry points • Assets and information flows • Classes of user and action / trust • Risks and mitigations
  • 4. Threat modeling  assets • What is an asset? • Amazon EC2 instance • Amazon S3 bucket • Amazon RDS • Access management • Networking • Deployment and development
  • 5. Threat modeling  actors • Users • Services • Access to shared assets
  • 6. Threat model  architecture Unknown user Authenticated user Web server Cache RDBMS Web admin DB admin DB users? CMS 1.1 Login 1. 2 Post 2.1 Admin
  • 8. Table of flows, STRIDE etc Data flow ID Description 1.1 An unauthenticated user can logon onto the CMS system with valid credentials at this point a session identifying the user controls their identity. STRIDE • Spoofing – A user could assume an incorrect identity if not checked properly • Repudiation – Attempts to login and failed login attempts may not be traced • Denial of service (DoS) - If the login flow is too expensive (computationally complex) the login call could potentially be used to deny service to other users • Elevation of Privilege (EoP) – Incorrectly logging in a user would result in this
  • 9. Feature Id Mitigation Description SESSION-104 To address spoofing concerns an external audit of the code by [X] will take place. All changes to the code post-event will undergo code review. AUDIT-7 For repudiation all login attempts will be logged into the application log and stored to Amazon CloudWatch Logs. AUDIT-7-1 In support of LOGIN-102 the team will investigate the feasibility of using CloudWatch alarms with thresholds for failed logins. LOGIN-11 For DoS prevention we will do extensive profiling of the login flow and ensure that failed and successful logins represent log computational burden. A single web server instance should be able to support O(x) login calls simultaneously.
  • 10. Management layer Private subnetPublic subnet ws Internet gateway Router Route table Route table Endpoint S3 bucket Instance role IAM ElastiCache Route 53CloudFormation KMSAmazon Inspector CloudTrail Config
  • 11. Security baseline • Core: • Instances are patched and remain so • Instances are safe to use post-startup as long as security groups only expose the expected services to the Internet • Account AWS infrastructure management is correctly controlled • Application: • The application has been security tested
  • 12. Demo – patch level • Any outstanding security patches? • Using EC2 Simple Systems Manager (SSM) run command.
  • 13.
  • 14. Build security testing in • Static analysis on code push to central repository • Adding a trigger to look for security issues • Check staging and pre-deployment • Check your application access controls
  • 15. Demo – source code • AWS CodeCommit trigger to look for AWS stored secrets
  • 16.
  • 17. Demo – deployment assessment • Using Amazon Inspector to assess a pre-production environment and move it to production.
  • 18.
  • 19. Security testing • Penetration test request process: https://aws.amazon.com/security/penetration-testing/ • Focus on baseline • Know your tools • Be selective
  • 20. Demo – network profile • Enumerate Internet endpoints • Confirm availability
  • 21.
  • 22. Continuous security • Integrated testing • Point in time questions • Monitor for changes
  • 25. Related sessions • SEC301 - Audit Your AWS Account Against Industry Best Practices: The CIS AWS Benchmarks • SEC313 - Automating Security Event Response, from Idea to Code to Execution • SAC401 - 5 Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules