$30 off During Our Annual Pro Sale. View Details »

Towards Verifiable Infrastructure Security

Abhisek Datta
August 23, 2019
Technology
0
170

Towards Verifiable Infrastructure Security

Slides from my talk on Infrastructure as Code: Towards Verifiable Infrastructure Security delivered at StepIN Summit 2019 (Bangalore)

Abhisek Datta

August 23, 2019
Tweet

More Decks by Abhisek Datta

See All by Abhisek Datta
Kubernetes from an Attacker's Perspective - fwd:CloudSec 2020
abhisek
0
330
Kubernetes 101 for Penetration Testers - null Mumbai
abhisek
5
3.6k
Securing Microservices at API Gateway using Cloud Native Solutions
abhisek
1
370
Kubernetes From an Attacker's Perspective
abhisek
4
7k
Application Security Workflow Automation using Docker and Kubernetes
abhisek
0
420
Application Security Workflow Automation using Docker and Kubernetes
abhisek
0
570
Your Internet Exposure the Makes You Vulnerable
abhisek
0
140
Towards Verifiable Infrastructure Security
abhisek
0
48
Mobile Appsec from an attacker's perspective
abhisek
0
430

Other Decks in Technology

See All in Technology
Java Language Future
chiroito
4
1.1k
APIシナリオテストツールとしてのrunn / 4 API testing tools
k1low
0
120
RDBを使う単体テストの前に 用意しておきたい環境を考え てみたの
bun913
0
390
DMMプラットフォームにおける GKE を利用した プラットフォームエンジニアリングへの 取り組み
pospome
1
150
The future is already here – Mastering the challenges of the coming years
ufried
0
210
Managing "side effect" in Frontend Development
shinyaigeek
3
1.7k
20年以上続くサービスの 管理画面リプレイスを行いながら 技術的負債と向き合った話
radkmb
0
2k
Momento 概要&最新情報(2023/11/16時点)
yoshiitaka
0
100
CPOが開発する覚悟 〜コンパウンドスタートアップにおける、爆速の新規プロダクト開発スタイル〜
mosa_siru
5
3.8k
Kafka Streamsで作る10万rpsを支えるイベント駆動マイクロサービス
joker1007
7
2.3k
Vertex AI Feature Store に 機械学習エンジニアが涙した 理由
asei
3
1.2k
ミチビク株式会社エンジニアカンパニーデック
knsg16
0
2.1k

Featured

See All Featured
BBQ
matthewcrist
76
8.5k
How To Stay Up To Date on Web Technology
chriscoyier
780
250k
A Philosophy of Restraint
colly
194
15k
The Language of Interfaces
destraynor
149
22k
Principles of Awesome APIs and How to Build Them.
keavy
119
16k
No one is an island. Learnings from fostering a developers community.
thoeni
14
1.8k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
39
4k
VelocityConf: Rendering Performance Case Studies
addyosmani
319
23k
The MySQL Ecosystem @ GitHub 2015
samlambert
241
11k
KATA
mclloyd
13
11k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
Build The Right Thing And Hit Your Dates
maggiecrowley
23
1.7k

Transcript

  1. Infrastructure as Code
    Towards Verifiable Infrastructure Security
    Abhisek Datta
    Head of Technology, Appsecco

    View Slide

  2. About Me – Abhisek Datta
    • Head of Technology (appsecco.com)
    • A boutique security consulting company
    • TechWing @ null0x00 (null.co.in)
    • An Open Security Community
    • Security Researcher
    • Discovered vulnerabilities in MS Office, Internet
    Explorer, HP SiteScope etc.
    • Open Source Contributor
    • Wireplay, RbWinDBG etc.
    github.com/abhisek

    View Slide

  3. Attackers Attack What They See
    • Real world examples?
    • Equifax
    • Accenture
    • LinkedIN
    • Verizon
    Name any major
    company and its
    probably breached
    once!

    View Slide

  4. What is the root cause?
    In spite of so much investment in security, why does low hanging fruits still
    exist for an attacker to exploit?

    View Slide

  5. • We react to security issues
    • Complexity
    • Lack of visibility
    • Lack for formal security
    testing methodology
    especially for infrastructure
    What is the root cause? (In my opinion)
    We
    REACT to
    Security
    Issues

    View Slide

  6. How to be Proactively Secure?
    By establishing
    TRUST

    View Slide

  7. Verification and
    Validation
    How to Establish Trust

    View Slide

  8. How does trust looks like?
    A DFD representing the Transaction Flow in an Online Banking Application
    Re-auth
    Anti-
    fraud
    Confirm with
    sender for high
    value
    transactions

    View Slide

  9. How do we Proactively Secure Infrastructure?

    View Slide

  10. The Challenge of Security at Scale
    This is the Amazon Microservices Graph
    The
    Challenge of
    Security at
    Scale is really
    – The
    SCALE

    View Slide

  11. How do we solve this? (My Opinion)
    • Instead of responding to vulnerabilities, we must
    proactively prevent them .. Continuously
    • We do this by applying the principles of Secure
    Software Development Life-cycle while building
    Infrastructure

    View Slide

  12. Infrastructure as Code (IaC)

    View Slide

  13. What is it?
    • The process of provisioning and managing
    infrastructure through machine readable code &
    configuration
    • It is an alternative approach compared to managing
    physical hardware and provisioning them with
    interactive setup and configuration tools

    View Slide

  14. The Tooling with an Example
    1. Setup 3 EC2
    instances in AWS
    2. Setup an EFS for
    shared state
    3. Deploy workload
    4. Get output
    5. Destroy
    https://github.com/abhisek/afl-in-the-cloud
    Image Source: https://docs.microsoft.com/en-us/azure/devops/learn/what-is-infrastructure-as-code

    View Slide

  15. Options for Adoption - Infrastructure
    IaaS Platform Tools Vendor
    GCP, AWS, Azure Terraform, Ansible,
    SaltStack
    -
    AWS Cloud Formations AWS
    Azure Azure Resource
    Manager
    Microsoft
    Google Cloud Deployment Manager Google

    View Slide

  16. What can be done with it?
    • Codify infrastructure
    • Version control
    • Test & Verify
    • Bug Fix
    • Automated & Continuous Deployment

    View Slide

  17. Verifiable Infrastructure
    What is it really?

    View Slide

  18. Enterprise Security Requirements
    Can we agree, that the most important requirement is
    To not get breached?

    View Slide

  19. How to be secure?
    By establishing
    TRUST

    View Slide

  20. Secure Software Development Lifecycle
    Security
    Requirements
    Secure
    Architecture
    Secure
    Development
    Security
    Testing
    Release
    Management

    View Slide

  21. Mapping SSDLC to Infrastructure as Code
    SSDLC Secure Infrastructure
    Security Requirements Security Requirements
    Secure Architecture Secure Architecture
    Secure Development Infrastructure as Code
    Security Testing Static Analysis and Verification
    Release Management Release Management

    View Slide

  22. An Example of Verifying Infrastructure
    A journey towards adopting infrastructure as code

    View Slide

  23. An example network architecture

    View Slide

  24. Codify the Infrastructure (Example for AWS)

    View Slide

  25. The Graph

    View Slide

  26. The Threat Model

    View Slide

  27. Now what?
    • Add security controls (mitigations) in architecture
    • Edit code to include the required resources and
    configuration
    • Push to repository
    • This triggers CI/CD
    • CI/CD runs test cases on code (if any)
    • CI/CD update the live infrastructure

    View Slide

  28. Build
    Test
    Deploy
    Audit
    Update
    How does it all look like?
    Threat Model

    View Slide

  29. Questions?
    [email protected]
    That’s all for now..
    https://appsecco.com
    @abh1sek
    github.com/abhisek

    View Slide