3/27/2019
DevSecOps: Key Controls For Modern Security Success
Eastern Iowa Security Conference
© 2019 Puma Security, LLC | All Rights Reserved
$WHOAMI
• Principal Security Engineer, Puma Security
– Coder: static analysis engine, cloud automation, security tools
– Security assessments: DevSecOps, cloud, source code, web apps, mobile apps
• DevSecOps Curriculum Manager, SANS Institute
– SANS Certified Instructor
– Contributing author of SEC540, DEV544, and DEV531
• Education & Training
– Iowa State M.S. Information Assurance, B.S. Computer Engineering
– AWS Certified Developer, CISSP, GSSP, GWAPT
• Contact information
– Email: eric.johnson@pumascan.com
– Twitter: @emjohn20
Agenda
• Keys for Modern Security Success
1. Cloud & DevSecOps Practices
2. Pre-Commit: The Paved Road
3. Commit: CI / CD Security Controls
4. Acceptance: Supply Chain Security
5. Operations: Continuous Security Compliance
What are the goals and principles in DevSecOps?
• Make security a first-class problem in DevOps
• Make security a first-class participant in DevOps
• Increase trust between dev, ops, and sec
• Integrate security practices and ideas into DevOps culture
• Wire security into DevOps workflows to incrementally improve security
SecDevOps / DevSecOps / DevOpsSec / Rugged DevOps
Secure Cloud & DevOps Practices (https://www.sans.org/u/OGx)
• Cloud Security Top 10
• Serverless Security Top 10
• DevSecOps Toolchain
• Building a DevSecOps Program
Cloud & DevSecOps Security Controls
• Cloud & DevOps Critical Security Controls, organized across the pipeline phases PRE-COMMIT, COMMIT (CI), ACCEPTANCE, PRODUCTION, and OPERATIONS:
– IDE security plugins
– Pre-commit hooks
– Peer code reviews
– Threat modeling
– Static code analysis
– Security unit tests
– Dependency management
– Container security
– Infrastructure as code
– Security acceptance tests
– Dynamic security tests
– Security smoke tests
– Cloud infrastructure
– Secrets management
– Security configuration
– Server hardening
– Continuous monitoring
– Penetration testing
– Threat intelligence
– Blameless postmortems
#1 Pre-Commit: The Paved Road
Build The Paved Road [Phase: Pre-Commit]
Dev, Sec, and Ops teams build secure by default frameworks, libraries, and services:
• Popularized by Netflix "Gates to Guardrails"
• Operations: Automated pipelines build, certify, and publish cloud infrastructure / machine images
• Development: Secure templates for Web, APIs, front-end, serverless projects
• Security: Automated security pipeline scans, unit tests, acceptance tests, production assertions
Operations Paved Road
Network, Cloud, Infrastructure as Code templates for quickly provisioning certified environments for the development team to use:
• On-premise or cloud hosted virtual machine gold images
• On-premise or cloud hosted container gold images
• Provisioning cloud network infrastructure
• Deploying API gateway appliances for microservices
• Managing Functions as a Service (FaaS)
Operations Paved Road Example
AWS CloudFormation infrastructure paved road example (the slide's callouts are shown as comments):

  LaunchConfiguration:
    Type: AWS::AutoScaling::LaunchConfiguration
    Metadata:   # contents elided on the slide
    Properties:
      # Gold Image: AMI resolved from the certified per-region map, never hardcoded
      ImageId: !FindInMap [ AWSRegionToAMI, !Ref "AWS::Region", AMI ]
      # Least privilege: instance role scoped to what the workload needs
      IamInstanceProfile: !Ref InstanceProfile
      # Admin access: named key pair for administrative access
      KeyName: "devsecops"
      # Network configuration: approved security group
      SecurityGroups:
        - !Ref SecurityGroup
      # Supply chain security: patch packages on first boot
      UserData:
        "Fn::Base64": !Sub |
          #!/bin/bash
          yum update -y
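A paved road only helps if the pipeline can tell when a template has drifted off it. The following Python script is an added example, not code from the deck or from Puma Security: it encodes the slide's five callouts (gold image map, instance profile, key pair, security group, first-boot patching) as a policy check that a CI job can run as a security unit test against a template in CloudFormation's JSON syntax. The function names, the rules and both embedded templates are constructed for illustration; the drifted template uses a placeholder AMI id.

```python
"""Paved-road policy check for a CloudFormation LaunchConfiguration.

Added example: the resource names, the policy rules and both templates are
constructed for illustration; they are not Puma Security's code.
"""
import base64
import binascii
import json
import sys

# Constructed: the slide's YAML template in CloudFormation JSON syntax
# (!FindInMap -> Fn::FindInMap, !Ref -> Ref, !Sub -> Fn::Sub).
PAVED_ROAD_TEMPLATE = {
    "Resources": {
        "LaunchConfiguration": {
            "Type": "AWS::AutoScaling::LaunchConfiguration",
            "Properties": {
                "ImageId": {"Fn::FindInMap": ["AWSRegionToAMI", {"Ref": "AWS::Region"}, "AMI"]},
                "IamInstanceProfile": {"Ref": "InstanceProfile"},
                "KeyName": "devsecops",
                "SecurityGroups": [{"Ref": "SecurityGroup"}],
                "UserData": {"Fn::Base64": {"Fn::Sub": "#!/bin/bash\nyum update -y\n"}},
            },
        }
    }
}

# Constructed: a template that drifted off the paved road.
DRIFTED_TEMPLATE = {
    "Resources": {
        "LaunchConfiguration": {
            "Type": "AWS::AutoScaling::LaunchConfiguration",
            "Properties": {
                "ImageId": "ami-00000000000000000",  # hardcoded, uncertified image (placeholder id)
                "KeyName": "devsecops",
                "SecurityGroups": [],
                "UserData": {"Fn::Base64": "#!/bin/bash\necho booting\n"},  # no patching step
            },
        }
    }
}


def user_data_script(value):
    """Extract the UserData script text from Fn::Base64 / Fn::Sub wrappers or a raw base64 literal."""
    if isinstance(value, dict):
        inner = value.get("Fn::Base64", value)
        if isinstance(inner, dict) and "Fn::Sub" in inner:
            inner = inner["Fn::Sub"]
            if isinstance(inner, list):  # Fn::Sub with a variable map: [template, {vars}]
                inner = inner[0]
        return inner if isinstance(inner, str) else ""
    if isinstance(value, str):
        try:
            return base64.b64decode(value, validate=True).decode()
        except (binascii.Error, UnicodeDecodeError):
            return value
    return ""


def check_launch_configuration(template):
    """Return policy findings for every LaunchConfiguration; an empty list means the template is on the paved road."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::AutoScaling::LaunchConfiguration":
            continue
        props = resource.get("Properties", {})
        image = props.get("ImageId")
        if not (isinstance(image, dict) and "Fn::FindInMap" in image):
            findings.append(f"{name}: ImageId must come from the certified gold image map, got {image!r}")
        if not isinstance(props.get("IamInstanceProfile"), dict):
            findings.append(f"{name}: IamInstanceProfile (least-privilege instance role) is missing")
        if not props.get("SecurityGroups"):
            findings.append(f"{name}: SecurityGroups must reference at least one approved group")
        if not props.get("KeyName"):
            findings.append(f"{name}: KeyName for administrative access is not set")
        if "yum update -y" not in user_data_script(props.get("UserData")):
            findings.append(f"{name}: UserData must patch the instance on first boot")
    return findings


if __name__ == "__main__":
    # Usage: python paved_road_check.py template.json  (exit status 1 on any finding)
    with open(sys.argv[1]) as fh:
        problems = check_launch_configuration(json.load(fh))
    print("\n".join(problems) or "on the paved road")
    sys.exit(1 if problems else 0)
```

Run against a JSON export of the template as a pipeline step; a non-zero exit blocks the merge. YAML templates with `!Ref`-style short tags would need a loader that understands those tags before the same checks apply.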
Development Paved Road
Templates covering approved technology stacks with protection for common application security issues and misconfigurations:
• Node.js, Django, Spring Boot, .NET Core, Ruby Rails, Functions, etc.
• Secrets management storage
• Secure transport configuration (HTTPS)
• Enable authentication / authorization
• Configure password management / single sign on
• Include common libraries for data validation, logging, encoding, etc.
Development Paved Road Example
.NET Core paved road example w/ security protections pre-configured (the slide's callouts are shown as comments; the missing closing parenthesis on the Configure call has been restored):

  using Microsoft.AspNetCore.Authorization;
  using Microsoft.AspNetCore.Builder;
  using Microsoft.AspNetCore.Hosting;
  using Microsoft.AspNetCore.Identity;
  using Microsoft.AspNetCore.Mvc.Authorization;
  using Microsoft.AspNetCore.Rewrite;
  using Microsoft.Extensions.DependencyInjection;

  public void ConfigureServices(IServiceCollection services)
  {
      // Password Configuration: minimum length and lockout after repeated failures
      services.Configure<IdentityOptions>(options =>
      {
          options.Password.RequiredLength = 15;
          options.Lockout.MaxFailedAccessAttempts = 5;
      });

      // Authorization: deny anonymous access globally; opt out per action with [AllowAnonymous]
      services.AddMvc(options =>
      {
          options.Filters.Add(new AuthorizeFilter(new AuthorizationPolicyBuilder()
              .RequireAuthenticatedUser().Build()));
      });
  }

  public void Configure(IApplicationBuilder app, IHostingEnvironment env)
  {
      // HTTPS: redirect every plain HTTP request
      app.UseRewriter(new RewriteOptions().AddRedirectToHttps());
      // Security response headers (extension method; its implementation is not shown in the deck)
      app.AddSecurityHeaders();
  }
#2 Commit: CI / CD Security Controls
Continuous Integration & Delivery Security Controls [Phase: Commit (CI)]
• Integrate tools to automate build, test, acceptance, and deployment of infrastructure, cloud, and applications into a repeatable workflow (pipeline screenshot in the original deck)
CI / CD Security Controls: Version Control
• Merging new features requires approval from peers and security team prior to triggering the build pipeline (screenshot in the original deck)
CI / CD Security Controls: Acceptance Testing
• Approved merge request triggers automated unit tests, security scans, audit reports, and fast feedback (screenshot in the original deck)
CI / CD Security Controls: Audit Reports
• Build pipelines contain artifacts from security scans and compliance checks (screenshot in the original deck)
#3 Acceptance: Supply Chain Security
Supply Chain Security
Serious vulnerabilities can be inherited from open source libraries, docker images, infrastructure templates, and serverless functions:
• Carefully review content before usage
• Run tools to automatically scan the code base / images
• Identify external dependencies
• Check against public vulnerability database(s)
• Integrate supply chain security scanning into CI/CD
• WARNING: Some tools may not check transitive dependencies
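The warning about transitive dependencies is easiest to see with a concrete graph. The script below is an added example, not code from the deck, from Puma Security or from any of the scanners listed in this talk: it resolves a constructed lockfile into the full transitive closure, matches each resolved version against a constructed vulnerability database, and shows how a direct-only scan (what the slide warns some tools do) misses the vulnerable library three levels down. Package names, advisory ids and version ranges are all invented for illustration.

```python
"""Transitive dependency vulnerability check.

Added example: the lockfile, the vulnerability database and the function names
are constructed for illustration; they are not Puma Security's code or any
real tool's output.
"""
from collections import deque

# Constructed lockfile: package -> (pinned version, direct dependencies).
LOCKFILE = {
    "webapp": ("1.0.0", ["web-framework", "json-parser"]),
    "web-framework": ("4.2.0", ["http-lib", "template-engine"]),
    "json-parser": ("2.9.1", []),
    "http-lib": ("1.1.0", ["compression-lib"]),
    "template-engine": ("3.0.5", []),
    "compression-lib": ("0.8.2", []),
}

# Constructed vulnerability database: affected = [min, max) version range.
VULN_DB = [
    {"id": "EXAMPLE-0001", "package": "compression-lib", "affected": ("0.0.0", "0.9.0"), "severity": "HIGH"},
    {"id": "EXAMPLE-0002", "package": "json-parser", "affected": ("2.0.0", "3.0.0"), "severity": "MEDIUM"},
    {"id": "EXAMPLE-0003", "package": "template-engine", "affected": ("1.0.0", "3.0.0"), "severity": "CRITICAL"},
]


def parse_version(text):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def resolve(lockfile, root):
    """Breadth-first walk from the root: package -> (version, depth). Depth 1 = direct dependency."""
    resolved = {}
    queue = deque([(root, 0)])
    while queue:
        name, depth = queue.popleft()
        if name in resolved:
            continue  # already reached by a shorter path
        version, deps = lockfile[name]
        resolved[name] = (version, depth)
        queue.extend((dep, depth + 1) for dep in deps)
    return resolved


def scan(lockfile, root, vuln_db, include_transitive=True):
    """Match every resolved package against the database.

    include_transitive=False mimics a tool that only inspects direct dependencies.
    """
    resolved = resolve(lockfile, root)
    findings = []
    for vuln in vuln_db:
        entry = resolved.get(vuln["package"])
        if entry is None:
            continue
        version, depth = entry
        if not include_transitive and depth > 1:
            continue
        low, high = (parse_version(v) for v in vuln["affected"])
        if low <= parse_version(version) < high:
            findings.append({"id": vuln["id"], "package": vuln["package"], "version": version,
                             "depth": depth, "severity": vuln["severity"]})
    return findings


def gate(findings, fail_on=("HIGH", "CRITICAL")):
    """CI gate: True means block the merge / deployment."""
    return any(f["severity"] in fail_on for f in findings)


if __name__ == "__main__":
    for mode in (True, False):
        found = scan(LOCKFILE, "webapp", VULN_DB, include_transitive=mode)
        print(f"transitive={mode}: {[(f['id'], f['package'], f['depth']) for f in found]} gate={gate(found)}")
```

With the full closure the HIGH finding in `compression-lib` (depth 3) trips the gate; a direct-only scan reports just the MEDIUM `json-parser` issue and lets the build through, which is exactly the gap the slide warns about. `template-engine` 3.0.5 sits outside its advisory's range and is correctly ignored.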
Supply Chain Security: Application Scanning Tools [Control: Dependency Management | Phase: Acceptance]
• OWASP Dependency Check (Java, .NET, Ruby, Python)
– https://www.owasp.org/index.php/OWASP_Dependency_Check
• Bundler-Audit (Ruby)
– https://github.com/rubysec/bundler-audit
• NPM Audit / Retire.JS (NodeJS)
– https://retirejs.github.io/retire.js/
– https://docs.npmjs.com/cli/audit
• PHP Security Checker
– https://security.sensiolabs.org/
Supply Chain Security: Application Scanning Example
• OWASP Dependency Check scan and vulnerability report in a Jenkins CI pipeline (screenshot in the original deck)
Supply Chain Security: Container Image Scanning Tools [Control: Container Security | Phase: Acceptance]
Open source container image security scanning tools:
• Anchore
— https://anchore.com/opensource/
• Actuary
— https://github.com/diogomonica/actuary
• Clair
— https://github.com/coreos/clair
• Falco
— https://github.com/draios/falco
Supply Chain Security: Container Image Scanning Example
• Invoking an Anchore image scan and capturing vulnerability data in a Jenkins CI pipeline (screenshot in the original deck)
Supply Chain Security: Hardened Infrastructure Templates [Control: Infrastructure as Code | Phase: Acceptance]
Hardened infrastructure templates can be used as references:
• DevSec Hardening Templates
— Automated hardening framework using Puppet, Chef, Ansible
— Linux, Windows, SSH, Docker, K8S, Apache, Nginx
— https://github.com/dev-sec
• System Integrity Management Platform (SIMP)
— Hardened Puppet infrastructure configuration and testing
— NIST 800-53, DISA STIG, FIPS 140-2 RHEL & CentOS templates
— https://github.com/simp/
Supply Chain Security: FaaS Dependency Management
Managing function dependencies in AWS Lambda can be achieved using Layers:
• Build pipelines remove third-party libraries from deployment packages
• CloudOps manages centralized layers containing approved third-party libraries
• Third-party vendors are leveraging Layers to further harden function runtime environments:
— PureSec FunctionShield
— Twistlock Defender
[Figure: a Lambda function's execution environment composed of the function code plus attached Layers]
#4 Operations: Continuous Security Compliance
Continuous Security Compliance [Phase: Production]
Leveraging security configuration tools to automate audit and compliance checks:
• Test the server and infrastructure configuration against expected baseline and report any deviations
• Tests should include severity, risk level, and description information
• Match tests against compliance checklist items or regulatory policies
• Automated testing tools available for Linux, Unix, Windows, AWS, Azure and VMWare
Continuous Security Compliance: Tools [Control: Security Configuration | Phase: Production]
Security compliance / acceptance testing tools:
• InSpec
– https://github.com/inspec/inspec
• OpenSCAP
– https://github.com/OpenSCAP
• Cloud Custodian (AWS, GCP, Azure)
– https://github.com/cloud-custodian/cloud-custodian
• ScoutSuite (AWS, GCP, Azure)
– https://github.com/nccgroup/ScoutSuite
• AWS Benchmark Scanner
– https://github.com/awslabs/aws-security-benchmark
Continuous Security Compliance: InSpec Docker Scan
Running InSpec against a running Docker container:

  $ docker run -it --rm -v $(pwd):/share chef/inspec exec baseline -t docker://container_id

Example InSpec output results from the Linux baseline profile:

  ✅ os-01: Trusted hosts login
     ✅ Command find / -name '.rhosts' stdout should be empty
     ✅ Command find / -name 'hosts.equiv' stdout should be empty
  X os-02: Check owner and permissions for /etc/shadow (1 failed)
     ✅ File /etc/shadow should exist
     ✅ File /etc/shadow should be file
     ✅ File /etc/shadow should be owned by "root"
     ✅ File /etc/shadow should not be executable
     X File /etc/shadow group should eq nil
Continuous Security Compliance: Jenkins InSpec Integration
• Exporting InSpec results to JUnit format and integrating with Jenkins CI (screenshot in the original deck)
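To show what the Jenkins integration consumes, here is an added example, not code from the deck, from Puma Security or from the InSpec project: it takes a report in the shape of InSpec's json reporter (profiles, controls, results), mirroring the os-01 / os-02 output on the previous slide, summarizes pass/fail counts, applies an impact-based gate so that only controls rated high or above fail the build, and renders the results as JUnit XML for Jenkins to display. InSpec also ships its own junit reporter; the converter here is for seeing the mapping explicitly. The sample report and all function names are constructed assumptions.

```python
"""InSpec JSON results -> summary, CI gate and JUnit XML.

Added example: the sample report below is constructed in the shape of InSpec's
json reporter (profiles[].controls[].results[]), mirroring the slide's os-01 /
os-02 output; the function names are mine, not Puma Security's or InSpec's.
"""
import json
import xml.etree.ElementTree as ET

# Constructed report, as `inspec exec ... --reporter json` would shape it.
INSPEC_JSON = json.dumps({
    "profiles": [{
        "name": "linux-baseline",
        "controls": [
            {"id": "os-01", "title": "Trusted hosts login", "impact": 1.0, "results": [
                {"status": "passed", "code_desc": "Command find / -name '.rhosts' stdout should be empty", "run_time": 0.02},
                {"status": "passed", "code_desc": "Command find / -name 'hosts.equiv' stdout should be empty", "run_time": 0.02},
            ]},
            {"id": "os-02", "title": "Check owner and permissions for /etc/shadow", "impact": 1.0, "results": [
                {"status": "passed", "code_desc": "File /etc/shadow should exist", "run_time": 0.001},
                {"status": "passed", "code_desc": "File /etc/shadow should be file", "run_time": 0.001},
                {"status": "passed", "code_desc": "File /etc/shadow should be owned by \"root\"", "run_time": 0.001},
                {"status": "passed", "code_desc": "File /etc/shadow should not be executable", "run_time": 0.001},
                {"status": "failed", "code_desc": "File /etc/shadow group should eq nil",
                 "message": "expected: nil got: \"shadow\"", "run_time": 0.001},
            ]},
        ],
    }],
})


def parse_report(text):
    """Load the JSON document the reporter wrote (or that a pipeline archived)."""
    return json.loads(text)


def summarize(report):
    """Count individual test results per status and list (control id, impact) for failed controls."""
    counts = {"passed": 0, "failed": 0, "skipped": 0}
    failed_controls = []
    for profile in report["profiles"]:
        for control in profile["controls"]:
            statuses = [result["status"] for result in control["results"]]
            for status in statuses:
                counts[status] = counts.get(status, 0) + 1
            if "failed" in statuses:
                failed_controls.append((control["id"], control.get("impact", 0.0)))
    return counts, failed_controls


def should_fail_build(report, min_impact=0.7):
    """Gate on severity: InSpec impact 0.7 and above is high/critical, so those failures block the build."""
    _, failed_controls = summarize(report)
    return any(impact >= min_impact for _, impact in failed_controls)


def to_junit(report):
    """Render one <testsuite> per profile and one <testcase> per result; failures carry the InSpec message."""
    suites = ET.Element("testsuites")
    for profile in report["profiles"]:
        suite = ET.SubElement(suites, "testsuite", name=profile["name"])
        tests = failures = skipped = 0
        for control in profile["controls"]:
            for result in control["results"]:
                case = ET.SubElement(suite, "testcase", classname=control["id"],
                                     name=result["code_desc"], time=str(result.get("run_time", 0)))
                tests += 1
                if result["status"] == "failed":
                    failures += 1
                    ET.SubElement(case, "failure", message=result.get("message", "")).text = result["code_desc"]
                elif result["status"] == "skipped":
                    skipped += 1
                    ET.SubElement(case, "skipped")
        suite.set("tests", str(tests))
        suite.set("failures", str(failures))
        suite.set("skipped", str(skipped))
    return ET.tostring(suites, encoding="unicode")


if __name__ == "__main__":
    report = parse_report(INSPEC_JSON)
    print(summarize(report))
    print("fail build:", should_fail_build(report))
    print(to_junit(report))
```

In a pipeline the JUnit string is written to a file that the Jenkins JUnit publisher picks up, while the gate's boolean decides the stage result; keeping the two separate lets low-impact drift show up in the report without blocking every deployment.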
Continuous Security Compliance: AWS CIS Benchmark Scan
• Running the AWS CIS Benchmark scan via AWS Config rules (screenshot in the original deck)
Thank you for attending!
SUMMARY
• Keys for Modern Security Success
1. Cloud & DevSecOps Practices
2. Pre-Commit: The Paved Road
3. Commit: CI / CD Security Controls
4. Acceptance: Supply Chain Security
5. Operations: Continuous Security Compliance
Contact Information:
• eric.johnson@pumascan.com
• @emjohn20

 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 

Kürzlich hochgeladen (20)

Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 

DevSecOps: Key Controls to Modern Security Success

  • 1. DevSecOps: Key Controls For Modern Security Success. Eastern Iowa Security Conference, 3/27/2019. © 2019 Puma Security, LLC | All Rights Reserved
  • 2. $WHOAMI (Puma Security, LLC): • Principal Security Engineer, Puma Security – Coder: static analysis engine, cloud automation, security tools – Security assessments: DevSecOps, cloud, source code, web apps, mobile apps • DevSecOps Curriculum Manager, SANS Institute – SANS Certified Instructor – Contributing author of SEC540, DEV544, and DEV531 • Education & Training – Iowa State M.S. Information Assurance, B.S. Computer Engineering – AWS Certified Developer, CISSP, GSSP, GWAPT • Contact information – Email: eric.johnson@pumascan.com – Twitter: @emjohn20
  • 3. Agenda: Keys for Modern Security Success: 1. Cloud & DevSecOps Practices 2. Pre-Commit: The Paved Road 3. Commit: CI / CD Security Controls 4. Acceptance: Supply Chain Security 5. Operations: Continuous Security Compliance
  • 4. What are the goals and principles in DevSecOps? (SecDevOps / DevSecOps / DevOpsSec / Rugged DevOps) • Make security a first-class problem in DevOps • Make security a first-class participant in DevOps • Increase trust between dev, ops, and sec • Integrate security practices and ideas into DevOps culture • Wire security into DevOps workflows to incrementally improve security (image: https://memegenerator.net/img/instances/81941458/devsecops.jpg)
  • 5. Secure Cloud & DevOps Practices (https://www.sans.org/u/OGx): • Cloud Security Top 10 • Serverless Security Top 10 • DevSecOps Toolchain • Building a DevSecOps Program
  • 6. Cloud & DevSecOps Security Controls: Cloud & DevOps Critical Security Controls, laid out by pipeline phase (PRE-COMMIT, COMMIT (CI), ACCEPTANCE, PRODUCTION, OPERATIONS): IDE security plugins, pre-commit hooks, peer code reviews, static code analysis, security unit tests, container security, infrastructure as code, security smoke tests, threat modeling, dependency management, security acceptance tests, blameless postmortems, continuous monitoring, penetration testing, threat intelligence, cloud infrastructure, dynamic security tests, secrets management, security configuration, server hardening
  • 7. #1 Pre-Commit: The Paved Road
  • 8. Build The Paved Road (PRE-COMMIT): Dev, Sec, and Ops teams build secure-by-default frameworks, libraries, and services: • Popularized by Netflix's "Gates to Guardrails" • Operations: Automated pipelines build, certify, and publish cloud infrastructure / machine images • Development: Secure templates for web, API, front-end, and serverless projects • Security: Automated security pipeline scans, unit tests, acceptance tests, production assertions (image: http://www.flickr.com/photos/25173673@N03/4785565610/)
  • 9. Operations Paved Road: Network, cloud, and Infrastructure as Code templates for quickly provisioning certified environments for the development team to use: • On-premise or cloud hosted virtual machine gold images • On-premise or cloud hosted container gold images • Provisioning cloud network infrastructure • Deploying API gateway appliances for microservices • Managing Functions as a Service (FaaS)
  • 10. Operations Paved Road Example: AWS CloudFormation infrastructure paved road example. The slide annotates the properties, in order, as Gold Image, Least privilege, Admin access, Network configuration, and Supply chain security:
      LaunchConfiguration:
        Type: AWS::AutoScaling::LaunchConfiguration
        Metadata:            # contents not shown on the slide
        Properties:
          ImageId: !FindInMap [ AWSRegionToAMI, !Ref "AWS::Region", AMI ]   # Gold Image
          IamInstanceProfile: !Ref InstanceProfile                           # Least privilege
          KeyName: "devsecops"                                               # Admin access
          SecurityGroups:                                                    # Network configuration
            - !Ref SecurityGroup
          UserData:                                                          # Supply chain security
            "Fn::Base64": !Sub |
              #!/bin/bash
              yum update -y
  • 11. Development Paved Road: Templates covering approved technology stacks with protection for common application security issues and misconfigurations: • Node.js, Django, Spring Boot, .NET Core, Ruby on Rails, Functions, etc. • Secrets management storage • Secure transport configuration (HTTPS) • Enable authentication / authorization • Configure password management / single sign-on • Include common libraries for data validation, logging, encoding, etc.
  • 12. Development Paved Road Example: .NET Core paved road example with security protections pre-configured (the slide annotates the three blocks as Password Configuration, Authorization, and HTTPS):
      using Microsoft.AspNetCore.Authorization;
      using Microsoft.AspNetCore.Builder;
      using Microsoft.AspNetCore.Hosting;
      using Microsoft.AspNetCore.Identity;
      using Microsoft.AspNetCore.Mvc.Authorization;
      using Microsoft.AspNetCore.Rewrite;
      using Microsoft.Extensions.DependencyInjection;

      public class Startup
      {
          public void ConfigureServices(IServiceCollection services)
          {
              // Password Configuration: minimum length and account lockout threshold
              services.Configure<IdentityOptions>(options =>
              {
                  options.Password.RequiredLength = 15;
                  options.Lockout.MaxFailedAccessAttempts = 5;
              });

              // Authorization: every MVC endpoint requires an authenticated user by default
              services.AddMvc(options =>
              {
                  options.Filters.Add(new AuthorizeFilter(new AuthorizationPolicyBuilder()
                      .RequireAuthenticatedUser().Build()));
              });
          }

          public void Configure(IApplicationBuilder app, IHostingEnvironment env)
          {
              // HTTPS: redirect plain HTTP requests, then add the security response headers
              app.UseRewriter(new RewriteOptions().AddRedirectToHttps());
              app.AddSecurityHeaders();
          }
      }
  • 13. #2 Commit: CI / CD Security Controls
  • 14. Continuous Integration & Delivery Security Controls (COMMIT (CI)): Integrate tools to automate build, test, acceptance, and deployment of infrastructure, cloud, and applications into a repeatable workflow.
  • 15. CI / CD Security Controls: Version Control. Merging new features requires approval from peers and the security team prior to triggering the build pipeline.
  • 16. CI / CD Security Controls: Acceptance Testing. An approved merge request triggers automated unit tests, security scans, audit reports, and fast feedback.
  • 17. CI / CD Security Controls: Audit Reports. Build pipelines contain artifacts from security scans and compliance checks.
  • 18. #3 Acceptance: Supply Chain Security
  • 19. Supply Chain Security: Serious vulnerabilities can be inherited from open source libraries, Docker images, infrastructure templates, and serverless functions: • Carefully review content before usage • Run tools to automatically scan the code base / images • Identify external dependencies • Check against public vulnerability database(s) • Integrate supply chain security scanning into CI/CD • WARNING: Some tools may not check transitive dependencies
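One way to put the transitive-dependency warning into practice, as an added example that is not from the slides or from any of the tools listed: a Python check that walks a constructed lock file (nested in the style of an npm v1 package-lock.json), compares every direct and transitive package against a constructed advisory list, and reports the path that pulled each vulnerable package in. Package names, versions and advisory ids are made up for the example.

```python
"""Supply chain check that follows transitive dependencies.
Added example, not code from the slides or any tool listed there. The lock
file mimics the nesting of an npm v1 package-lock.json; all data is constructed."""
import json

# Constructed lock file: "web-app" depends directly on express-ish and logger-ish;
# logger-ish pulls in old-parser, which the project never asked for directly.
LOCKFILE_JSON = """
{
  "name": "web-app",
  "lockfileVersion": 1,
  "dependencies": {
    "express-ish": {"version": "4.17.1"},
    "logger-ish": {
      "version": "2.3.0",
      "dependencies": {
        "old-parser": {"version": "1.0.4"}
      }
    }
  }
}
"""

# Constructed advisories: package -> (first fixed version, advisory id).
# Any version strictly below the fixed version is treated as vulnerable.
ADVISORIES = {
    "old-parser": ("1.1.0", "EXAMPLE-ADV-001"),
    "express-ish": ("4.17.0", "EXAMPLE-ADV-002"),  # 4.17.1 already carries the fix
}


def parse_version(version: str) -> tuple:
    """'1.2.3' -> (1, 2, 3) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def flatten(deps: dict, path: tuple = (), transitive: bool = True):
    """Yield (name, version, path) for every package in the nested tree.

    With transitive=False only the top-level (direct) dependencies are seen,
    which is exactly the blind spot the slide warns about.
    """
    for name, info in sorted(deps.items()):
        here = path + (name,)
        yield name, info["version"], here
        if transitive and info.get("dependencies"):
            yield from flatten(info["dependencies"], here, transitive)


def find_vulnerable(lockfile_text: str, advisories: dict, transitive: bool = True) -> list:
    """Return one finding per vulnerable package, with the path that pulled it in."""
    lock = json.loads(lockfile_text)
    findings = []
    for name, version, path in flatten(lock.get("dependencies", {}), transitive=transitive):
        if name not in advisories:
            continue
        fixed_in, advisory_id = advisories[name]
        if parse_version(version) < parse_version(fixed_in):
            findings.append({"package": name, "version": version, "fixed_in": fixed_in,
                             "advisory": advisory_id, "path": " > ".join(path)})
    return findings


def gate(findings: list) -> int:
    """Exit status for a CI stage: non-zero fails the build when anything was found."""
    return 1 if findings else 0


if __name__ == "__main__":
    for transitive in (False, True):
        found = find_vulnerable(LOCKFILE_JSON, ADVISORIES, transitive=transitive)
        print(f"transitive={transitive}: {len(found)} finding(s), exit {gate(found)}")
        for f in found:
            print(f"  {f['package']}@{f['version']} {f['advisory']} "
                  f"(fixed in {f['fixed_in']}) via {f['path']}")
```

Run with transitive=False the scan comes back clean and the gate passes; only the full walk surfaces old-parser, which is why the scanner's handling of transitive dependencies has to be verified before its clean report is trusted.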
  • 20. Supply Chain Security: Application Scanning Tools (DEPENDENCY MANAGEMENT, ACCEPTANCE): • OWASP Dependency Check (Java, .NET, Ruby, Python) – https://www.owasp.org/index.php/OWASP_Dependency_Check • Bundler-Audit (Ruby) – https://github.com/rubysec/bundler-audit • NPM Audit / Retire.JS (NodeJS) – https://retirejs.github.io/retire.js/ – https://docs.npmjs.com/cli/audit • PHP Security Checker – https://security.sensiolabs.org/
  • 21. Supply Chain Security: Application Scanning Example. OWASP Dependency Check scan and vulnerability report in a Jenkins CI pipeline.
  • 22. Supply Chain Security: Container Image Scanning Tools (CONTAINER SECURITY, ACCEPTANCE). Open source container image security scanning tools: • Anchore – https://anchore.com/opensource/ • Actuary – https://github.com/diogomonica/actuary • Clair – https://github.com/coreos/clair • Falco – https://github.com/draios/falco
  • 23. Supply Chain Security: Container Image Scanning Example. Invoking an Anchore image scan and capturing vulnerability data in a Jenkins CI pipeline.
  • 24. Supply Chain Security: Hardened Infrastructure Templates (INFRASTRUCTURE AS CODE, ACCEPTANCE). Hardened infrastructure templates can be used as references: • DevSec Hardening Templates – Automated hardening framework using Puppet, Chef, Ansible – Linux, Windows, SSH, Docker, K8S, Apache, Nginx – https://github.com/dev-sec • System Integrity Management Platform (SIMP) – Hardened Puppet infrastructure configuration and testing – NIST 800-53, DISA STIG, FIPS 140-2 RHEL & CentOS templates – https://github.com/simp/
  • 25. Supply Chain Security: FaaS Dependency Management. Managing function dependencies in AWS Lambda can be achieved using Layers: • Build pipelines remove third-party libraries from deployment packages • CloudOps manages centralized layers containing approved third-party libraries • Third-party vendors are leveraging Layers to further harden function runtime environments: – PureSec FunctionShield – Twistlock Defender (diagram: Lambda function, Layers, Execution Environment)
  • 26. #4 Operations: Continuous Security Compliance
  • 27. Continuous Security Compliance (PRODUCTION): Leveraging security configuration tools to automate audit and compliance checks: • Test the server and infrastructure configuration against the expected baseline and report any deviations • Tests should include severity, risk level, and description information • Match tests against compliance checklist items or regulatory policies • Automated testing tools are available for Linux, Unix, Windows, AWS, Azure and VMware
  • 28. Continuous Security Compliance: Tools (SECURITY CONFIGURATION, PRODUCTION). Security compliance / acceptance testing tools: • InSpec – https://github.com/inspec/inspec • OpenSCAP – https://github.com/OpenSCAP • Cloud Custodian (AWS, GCP, Azure) – https://github.com/cloud-custodian/cloud-custodian • ScoutSuite (AWS, GCP, Azure) – https://github.com/nccgroup/ScoutSuite • AWS Benchmark Scanner – https://github.com/awslabs/aws-security-benchmark
  • 29. Continuous Security Compliance: InSpec Docker Scan. Running InSpec against a running Docker container:
      $ docker run -it --rm -v $(pwd):/share chef/inspec exec baseline -t docker://container_id
    Example InSpec output results from the Linux baseline profile:
      ✅ os-01: Trusted hosts login
         ✅ Command find / -name '.rhosts' stdout should be empty
         ✅ Command find / -name 'hosts.equiv' stdout should be empty
      X os-02: Check owner and permissions for /etc/shadow (1 failed)
         ✅ File /etc/shadow should exist
         ✅ File /etc/shadow should be file
         ✅ File /etc/shadow should be owned by "root"
         ✅ File /etc/shadow should not be executable
         X File /etc/shadow group should eq nil
  • 30. Continuous Security Compliance: Jenkins InSpec Integration. Exporting InSpec results to JUnit format and integrating with Jenkins CI.
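The JUnit export from slide 30, written out as an added example that is not the slides' or InSpec's own code: a Python converter that takes InSpec JSON reporter output, here a constructed sample mirroring the os-01 / os-02 results of slide 29, and emits the JUnit XML the Jenkins JUnit plugin consumes. The reporter field names (profiles, controls, results, status, code_desc, message) are assumed from InSpec's JSON format, and the failure message text is made up.

```python
"""Convert InSpec JSON reporter output into JUnit XML for Jenkins.
Added example, not code from the slides or InSpec; the reporter field names
(profiles -> controls -> results) are assumed and the data is constructed."""
import json
import xml.etree.ElementTree as ET

# Constructed reporter output mirroring the os-01 / os-02 results on the slide.
INSPEC_JSON = json.dumps({
    "profiles": [{
        "name": "linux-baseline",
        "controls": [
            {"id": "os-01", "title": "Trusted hosts login", "results": [
                {"status": "passed",
                 "code_desc": "Command find / -name '.rhosts' stdout should be empty"},
                {"status": "passed",
                 "code_desc": "Command find / -name 'hosts.equiv' stdout should be empty"}]},
            {"id": "os-02", "title": "Check owner and permissions for /etc/shadow", "results": [
                {"status": "passed", "code_desc": "File /etc/shadow should exist"},
                {"status": "passed", "code_desc": "File /etc/shadow should be file"},
                {"status": "passed", "code_desc": "File /etc/shadow should be owned by \"root\""},
                {"status": "passed", "code_desc": "File /etc/shadow should not be executable"},
                {"status": "failed", "code_desc": "File /etc/shadow group should eq nil",
                 "message": "expected nil, got a group name (constructed message)"}]},
        ]}]})


def summarize(inspec_json: str) -> dict:
    """Count individual results by status across every profile and control."""
    counts = {"passed": 0, "failed": 0, "skipped": 0}
    for profile in json.loads(inspec_json)["profiles"]:
        for control in profile["controls"]:
            for result in control["results"]:
                status = result.get("status", "skipped")
                counts[status] = counts.get(status, 0) + 1
    return counts


def inspec_json_to_junit(inspec_json: str) -> str:
    """One <testsuite> per profile, one <testcase> per InSpec result."""
    suites = ET.Element("testsuites")
    for profile in json.loads(inspec_json)["profiles"]:
        suite = ET.SubElement(suites, "testsuite", name=profile["name"])
        tests = failures = skipped = 0
        for control in profile["controls"]:
            for result in control["results"]:
                tests += 1
                # classname groups the cases under their control id in the Jenkins UI
                case = ET.SubElement(suite, "testcase",
                                     classname=control["id"], name=result["code_desc"])
                if result["status"] == "failed":
                    # any <failure> makes the JUnit plugin mark the build unstable
                    failures += 1
                    failure = ET.SubElement(case, "failure", message=control["title"])
                    failure.text = result.get("message", "")
                elif result["status"] == "skipped":
                    skipped += 1
                    ET.SubElement(case, "skipped")
        suite.set("tests", str(tests))
        suite.set("failures", str(failures))
        suite.set("skipped", str(skipped))
    return ET.tostring(suites, encoding="unicode")


def junit_counts(junit_xml: str) -> dict:
    """Read the suite totals back out of the XML (used to verify the export)."""
    root = ET.fromstring(junit_xml)
    suite = root.find("testsuite")
    return {"tests": int(suite.get("tests")), "failures": int(suite.get("failures")),
            "testcases": len(root.findall(".//testcase"))}


def build_passes(inspec_json: str) -> bool:
    """CI gate: the compliance stage passes only when no result failed."""
    return summarize(inspec_json)["failed"] == 0


if __name__ == "__main__":
    print(inspec_json_to_junit(INSPEC_JSON))
    print(summarize(INSPEC_JSON), "PASS" if build_passes(INSPEC_JSON) else "FAIL")
```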
  • 31. Continuous Security Compliance: AWS CIS Benchmark Scan. Running the AWS CIS Benchmark scan via AWS Config rules.
  • 32. SUMMARY (Puma Security, LLC | 2019). Thank you for attending! Keys for Modern Security Success: 1. Cloud & DevSecOps Practices 2. Pre-Commit: The Paved Road 3. Commit: CI / CD Security Controls 4. Acceptance: Supply Chain Security 5. Operations: Continuous Security Compliance. Contact Information: • eric.johnson@pumascan.com • @emjohn20

Editor's Notes

  1. 10 years in corporate America, large FI. Dev ---> AppSec risk assessment / audits. Co-founder of Puma Security, where we focus on modern static analysis, DevSecOps automation, secure development lifecycle consulting, and cloud security assessments. Many of the real-life experiences and war stories from our endeavors led to me co-authoring SEC540, a modern Cloud Security and DevSecOps Automation course, with Jim Bird, Frank Kim, and Ben Allen.
  2. The goals for today are to introduce you to the phases of DevSecOps and to discuss what I believe to be the key security controls in DevSecOps.
  3. DevSecOps means different things to folks working in different disciplines of InfoSec. DevOps itself originates from a software development methodology to support the speed of Agile by delivering changes out to the real world faster, rather than letting them build up over time. The toolchain relies heavily on dev tools, source control (git), CI (Jenkins), and cloud (infrastructure / services) historically used only by development teams. - For this reason, application security folks (OWASP junkies) will say that DevSecOps == AppSec. As a whole, DevSecOps is much bigger than Dev & AppSec. - Operations: Infrastructure as Code allows us to rapidly build and provision on-premise and cloud networks. Network security teams can leverage DevSecOps to automate network scans, look for anomalies in traffic, and provision network device configuration of firewalls, switches, routers, etc., ALL in code through CI / CD. - SOC / IR: Chris Rothe from Red Canary: writing AV signatures and detectors in YAML / Ruby DSL test cases and automatically running acceptance testing with RSpec. - Forensics: a student took our 540 class, and after 4 days of watching pipelines build apps, containers, and cloud infrastructure, suddenly the light bulb came on. Overall, DevSecOps is a methodology with massive support from the open source community.
  4. Free resource created by the SEC540 authors; the link is on the slide. Eric, Ben Allen, Jim Bird, Frank, Ben Hagen, Ory Segal from PureSec.
  5. The first key to modern security success: build the paved road. Things that we can do before code is written.
  6. The Netflix DevSecOps journey is very mature at this point and is well documented in their GitHub repositories, white papers, and presentations at AWS re:Invent. Success stories from Facebook, Twitter, Etsy, and other early DevSecOps adopters all include this paved road concept. Here's key #1 to modern security success: Iteration Zero builds a paved road template for engineers to start with. Take the up-front time to build a repeatable, code-driven template for the long haul. Operations creates Ansible / Terraform scripts for building the gold images / container base images / networks for hosting the development stack. Development creates a scaffolding template with approved packages for crypto, validation, authN, authZ, etc. pre-configured: File -> New -> Web API project. Security builds pipelines for continuously assessing the desired state configuration of the cloud, running unit tests and acceptance tests, and checking for high-risk code changes.
  7. Infrastructure as Code to build gold images: Vagrant for acceptance testing a temporary VM, and Packer to export the image to VMware, AWS, GCP, or Azure VMs. Dockerfiles pushed to private container registries holding gold Docker images. Terraform / CloudFormation / Puppet to build cloud infrastructure with secure-by-default FaaS, API gateways, VPC networks, etc.
  8. CVE-2019-5736: example of patching runc (malicious container escape) by patching the AMI and redeploying the infrastructure.
  9. Example: .NET MVC: https://github.com/johnstaveley/SecurityEssentials
  10. Learn to love these tools. Automate all of the things. No tool is worth purchasing if its API does not support everything that you can do from the user interface. Jenkins, Azure DevOps, TeamCity, Circle CI.
  11. Interesting notes from class: Forensics pipelines, pen testing pipelines (app sec pipeline), audit pipelines, copy editing SANS materials.
  12. High risk code reviews, comments, tracking requirements down to a single line of code that was modified to address the requirement.
  13. cfn-nag - security scanner against the templates. Puppet-lint-security, terrascan, custom security tests, high risk code checks.
  14. Auditing evidence for compliance. Look, we ran our security scanner, results were clean on each build. The cloud infrastructure meets the AWS CIS Benchmark.
  15. In my opinion, the largest problem facing InfoSec today. SANS DevSecOps survey: 80% of the code is code we didn't write.
  16. App side: NuGet, Maven, npm are not new issues. What is new: gold images can be downloaded from the Chef Supermarket, Puppet Forge, and AWS Marketplace. Docker images. Taking a step further: AWS WAF marketplace to download firewall rules, or the Serverless Application Repository to install and execute serverless functions.
  17. Audit / compliance / security start managing desired state config smoke tests after deployments.