This document summarizes a presentation on taking a DevOps approach to security. Some key points include: DevOps improves security posture through practices like configuration management, automation, and immutable infrastructure. However, security tools have not kept pace with DevOps velocity. The presentation advocates integrating security practices into DevOps workflows, such as through continuous security testing, centralized logging, and managing vulnerabilities through standardized base images. Moving forward, software-defined security can help leverage cloud visibility and automate security responses in real-time.

1. © 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in partwithout the express consent of Amazon.com, Inc.
SEC312 | November 13, 2014| Las Vegas, NV
SEC312Taking a DevOpsApproach to Security
Paul Fisher –Alert Logic
Guest Speaker: George Miranda –Chef Software

2. Speaker Introduction
George Miranda
Engineer & Evangelist
Chef Software, Inc.
@gmiranda23
www.linkedin.com/in/gmiranda23
Paul Fisher
VP Technology Operations
Alert Logic, Inc.
@fisherpk
www.linkedin.com/in/fisherpk/

3. Session Overview
More organizations are embracing DevOps to realize compelling business benefits such as faster yet safer feature release cadence, increased application stability, and rapid response to shifting market conditions.However, security and compliance monitoring tools have not kept up and often represent the single largest remaining hurdle to Continuous Delivery.
Topics covered in this session:
•HowDevOpsImprovesyourSecurityPosture
•OvercomingChallengesinDevOpsEnvironments

4. DevOps Improves Security Posture

5. Configuration Management
“We suffer sometimes from the hubris of believing that control is a matter of applying sufficient force, or a sufficiently detailed set of instructions.”
Mark Burgess, Father of Configuration Management
Author of “In Search of Certainty”

6. Automation and Convergent Infrastructure
“A system’s desired configuration state can be said to be defined by fixed points. Most configuration management systems (e.g.: CFEngine, Chef, Puppet, PowerShell DSC) are based on this idea: they provide means to declare what must happen instead of requiring imperative workflows that prescribe what to do.”
Mark Burgess, Father of Configuration Management
Author of “In Search of Certainty”

7. Emergence of DevOps
“You got your Devin my Ops!”
“You got your Ops in my Dev!”

8. Driving Toward Immutable Infrastructure
“This is what I call disposable computing. Throw away a broken process rather than trying to fix it. Machines can be made expendable as long as the total software is designed for it. Not much of it is today, but we’re getting there. Nature shows that this is a good way of scaling services.”
Mark Burgess, Father of Configuration Management
Author of “In Search of Certainty”

9. Infrastructure as Code
•Converge on a regular interval
•Configuration management is idempotent
•All persistent changes must be in source control
•Manual intervention discouraged
•Out-of-band changes will be lost

10. Security & Compliance Implications

11. Continuous Delivery Patterns

12. Test Driven Infrastructure

13. Continuous Security
Security Posture
Auditing & Compliance
End-to-End
Visibility
Disaster Recovery & BusinessContinuity
Remediation & Fast Resolution
Continuous Detection/ Protection
Automated Configuration & Scaling

14. Overcoming Security Challenges

15. Overcoming Security Challenges
•Challenges for security technology and practice today
–AWS Shared Responsibility Model
–Challenges remain for customers
•Leveraging DevOps for security
–Best practices for blending DevOps with security
•Toward software-defined security
–Embracing new reality of AWS cloud infrastructure

16. AWS Shared Responsibility Model
Customer
Responsibility
Foundation
Services
Hosts
•Logical network segmentation
•Perimeter security services
•External DDoS, spoofing, and scanning prevented
•Hardened hypervisor
•System image library
•Root access for customer
•Access management
•Patch management
•Configuration hardening
•Security monitoring
•Log analysis
Apps
•Secure coding and best practices
•Software and virtual patching
•Configuration management
•Access management
•Application level attack monitoring
•Network threat detection
•Security monitoring
Networks
Cloud
Service Provider
Responsibility
Compute
Storage
DB
Network

17. 2014: Security Top Cloud Pain Point
31%
17%
12%
11%
11%
10%
9%
8%
7.4%
7%
7%
7%
5%
5%
4%
Security
Pricing/Budget/Cost
Human Change Management
Security of Data, Control of Data Locality, Sovereignty
Compliance
Migration/Integration
Internal Resources/Expertise
Management
Lack of Internal Process
Vendor/Provider Issues
Organizational Challenges
Contractual/Legal Issues
Service Reliability/Availability
Network
Lack of Standards

18. Application Security TechnologyChallenges
Network Changes
Host Identity
Auto Scaling

19. Security at Odds with DevOps Velocity
Traditional security/compliance is slow
Mature DevOpsvelocity is fast
Security practice does not keep up

20. InfoSec Ends Up Being Marginalized
“The problem for the security person who is used to turning around security reviews in a month or two weeks is they're just being shoved out of the game. There's no way with how Infosec is currently configured that they can keep up with that. So, Infosec gets all the complaints about being marginalized and getting in the way of doing what needs getting done.”
Gene Kim, former CTO of Tripwire
Author of “The Phoenix Project: A Novel About IT, DevOps”
& “Helping Your Business Win”

21. Integrating Security with DevOps
•Leveraging DevOps practice for better security
–Prevent attack vectors with immutable systems
–Adopt strategy of phoenix upgrades
–Robust auditingand centralized log collection
–Embrace end-to-end continuous deployment
–Manage vulnerabilities with base imagesand configuration management

22. Prevent Attacks with Immutable Systems
Build secure base imagesthatare representative of your infrastructure system base.
Design file system layout to separate code from data, and lock down to minimum required permissions. Should expand to network as well.
Leverage SANS Checklist and CIS Benchmark resources for system level security best practices and guidance.
Leverage configuration management tools to standardize allsoftware versions and configurations.
Design Secure
Immutable Infrastructure

23. Adopt Strategy of Phoenix Upgrades
Embrace phoenix upgrades
•Stand up new instances, don’t upgrade
•Route traffic between old and new instances
•Rich service metrics and automate rollback
•Advanced routing can enable selective rollout
Results
•Creates evergreen systems, avoiding configuration drift and technical debt
•Enforces refresh of all system components as complete artifact, tested as a holistic system
•Greatly reduces security risks when combine with immutable instances and configuration management

24. Centralize Robust Auditing & Logging
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule -delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1024
-a exit,always -S unlink -S rmdir
-a exit,always -S stime.*
……
Implement Local Auditing
#Sample syslog-ng configuration
#Lots of configuration required
........
# Send *ALL* System Logs to Log Appliance
destination df_log_appliance_forward {
tcp("my-log-appliance" port(514));
};
log {
source(s_all);
destination(df_log_appliance_forward);
};
CollectImportant Logs
CentralizeLog Collection for Search and Filtering

25. Embrace Complete Continuous Deployment
End-to-end continuous deployment
•Configuration management (Chef)
•Standardized environment images (Packer)
•Environment/subsystem orchestration layer
•Production-like environments in Dev & Testmust include
–Secure immutable systems
–Phoenix upgrades
–Complete logging, metrics, & monitoring
Results
•Holistic system validation & testing
•Continuous validation of secure configuration
#Sample Alert Logic Chef NodeDef
{
"name": "cloud-api-node",
"versions": {
"1.6.0": {
"vm_type": "squeeze64",
],
"install_phase": {
"run_list": [
"app-version-install@4.1.0",
]
},
….
LeverageConfiguration
Management
Leverage Standardized
Environment Images
Build an Orchestration Layer
#Sample Packer Configuration
{
"builders": [{
"type": "amazon-ebs",
"access_key": "{{user `aws_access`}}" ,
"secret_key": "{{user `aws_secret`}}" ,
"region": "us-east-1",
"source_ami": "ami-de0d9eb7",
"instance_type": "t1.micro",
"ssh_username": "ubuntu",
"ami_name": "packer-ex {{timestamp}}"
}]

26. Manage Vulnerabilities with Base Images
Manage Vulnerabilities
•Conduct normal vulnerability scanning
•Identify vulnerabilities that exist in base images versus application-specific packages
•Remediate at appropriate level as part of continuous delivery process
Results
•Less work, done more reliably
•Patching fits naturally into phoenix upgrades
•Continuous delivery allows frequent scanning in test environments to have real value
•Fixes potentialvulnerabilities systematically

27. Moving to Software Defined Security
•Significant opportunity remains in front of us
•AWS ready to accelerate security technology
–Leverageend-to-end visibility available
–Transformperiodic assessment into real-time automated responses
–Protect automatically with real-time reconfiguration

28. Leverage End-to-End Visibility
•Use APIs and AWS CloudTraillogs to see everything
•Automatically track and react to every deploy

29. Transform Assessment to be Real-Time
•Shrinkassessment-remediation cycle from weeks to minutes

30. Protect with Automatic Reconfiguration
•React in Real-Timeto As-Deployedsystems
•Automatic reconfiguresecurity infrastructure

31. Contact Us
Paul Fisher
VP Technology Operations
Alert Logic
pfisher@alertlogic.com
@fisherpk
George Miranda
Engineer & Evangelist
Chef Software, Inc.
gmiranda@getchef.com
@gmiranda23

32. http://bit.ly/awsevals