Slides from my talk on Infrastructure as Code: Towards Verifiable Infrastructure Security delivered at StepIN Summit 2019 (Bangalore)
Infrastructure as Code
Towards Verifiable Infrastructure Security
Head of Technology, Appsecco
About Me – Abhisek Datta
• Head of Technology (appsecco.com)
• A boutique security consulting company
• TechWing @ null0x00 (null.co.in)
• An Open Security Community
• Security Researcher
• Discovered vulnerabilities in MS Office, Internet Explorer, HP SiteScope etc.
• Open Source Contributor
• Wireplay, RbWinDBG etc.
Attackers Attack What They See
• Real world examples?
Name any major
company and its
What is the root cause?
In spite of so much investment in security, why do low-hanging fruits still exist for an attacker to exploit?
• We react to security issues
• Lack of visibility
• Lack of formal security
especially for infrastructure
What is the root cause? (In my opinion)
How to be Proactively Secure?
How to Establish Trust
What does trust look like?
A DFD representing the Transaction Flow in an Online Banking Application
How do we Proactively Secure Infrastructure?
The Challenge of Security at Scale
This is the Amazon Microservices Graph
Scale is really
How do we solve this? (My Opinion)
• Instead of responding to vulnerabilities, we must proactively prevent them, continuously
• We do this by applying the principles of Secure
Software Development Life-cycle while building
Infrastructure as Code (IaC)
What is it?
• The process of provisioning and managing
infrastructure through machine readable code &
• It is an alternative approach compared to managing physical hardware and provisioning them with interactive setup and configuration tools
The Tooling with an Example
1. Set up 3 EC2 instances in AWS
2. Set up an EFS for
3. Deploy workload
4. Get output
Image Source: https://docs.microsoft.com/en-us/azure/devops/learn/what-is-infrastructure-as-code
Options for Adoption - Infrastructure
IaaS Platform Tools Vendor
GCP, AWS, Azure Terraform, Ansible,
AWS Cloud Formations AWS
Azure Azure Resource
Google Cloud Deployment Manager Google
What can be done with it?
• Codify infrastructure
• Version control
• Test & Verify
• Bug Fix
• Automated & Continuous Deployment
What is it really?
Enterprise Security Requirements
Can we agree, that the most important requirement is
To not get breached?
How to be secure?
Secure Software Development Lifecycle
Mapping SSDLC to Infrastructure as Code
SSDLC | Secure Infrastructure
Security Requirements | Security Requirements
Secure Architecture | Secure Architecture
Secure Development | Infrastructure as Code
Security Testing | Static Analysis and Verification
Release Management | Release Management
An Example of Verifying Infrastructure
A journey towards adopting infrastructure as code
An example network architecture
Codify the Infrastructure (Example for AWS)
The Threat Model
• Add security controls (mitigations) in architecture
• Edit code to include the required resources and
• Push to repository
• This triggers CI/CD
• CI/CD runs test cases on code (if any)
• CI/CD updates the live infrastructure
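The "CI/CD runs test cases on code" step above, sketched as an added example that is not from the talk: a Python check over a Terraform plan in JSON form that fails the pipeline when a security group opens anything other than HTTPS to the internet. The choice of Terraform, the policy itself and every resource name are assumptions; the plan is constructed sample data.

```python
import json

# Constructed sample: a trimmed Terraform plan in the JSON form produced by
# `terraform show -json <planfile>`. Resource names and CIDRs are invented.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_security_group.web", "type": "aws_security_group",
   "change": {"after": {"ingress": [
     {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]}]}}},
  {"address": "aws_security_group.admin", "type": "aws_security_group",
   "change": {"after": {"ingress": [
     {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
  {"address": "aws_security_group.db", "type": "aws_security_group",
   "change": {"after": {"ingress": [
     {"protocol": "-1", "from_port": 0, "to_port": 0, "cidr_blocks": ["10.0.1.0/24"]}]}}},
  {"address": "aws_security_group.old", "type": "aws_security_group", "change": {"after": null}}
]}
""")

# Assumed policy taken from a threat model: only HTTPS may face the internet.
PUBLIC_PORTS_ALLOWED = {443}
WORLD = {"0.0.0.0/0", "::/0"}

def exposed_ports(rule):
    """Return the ports a world-open TCP/UDP ingress rule exposes outside the policy."""
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    if not cidrs & WORLD:
        return set()                            # rule is limited to private ranges
    if str(rule.get("protocol")) == "-1":       # "-1" means every protocol and port
        return {"all"}
    ports = set(range(rule["from_port"], rule["to_port"] + 1))
    return ports - PUBLIC_PORTS_ALLOWED

def violations(plan):
    """List (address, ports) for security groups the plan would leave exposed."""
    found = []
    for rc in plan.get("resource_changes", []):
        after = rc["change"].get("after")
        if rc["type"] != "aws_security_group" or after is None:
            continue                            # skip other types and deletions
        for rule in after.get("ingress") or []:
            bad = exposed_ports(rule)
            if bad:
                found.append((rc["address"], sorted(bad)))
    return found

if __name__ == "__main__":                      # CI step: non-zero exit blocks the deploy
    raise SystemExit("\n".join(f"FAIL {a}: {p}" for a, p in violations(SAMPLE_PLAN)) or 0)
```

Run against the plan generated for each commit, a failing check stops the pipeline before the "update the live infrastructure" step.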
What does it all look like?
That’s all for now..