[2018.05 Meetup #1] [TALK #2] José Casinha - DevSecOps @ OutSystems: The Why, the What and How ... on a PaaS provider

DevOps Lisbon

May 14, 2018

Transcript

  1. DevSecOps @ OutSystems: The Why, the What and How

    ... on a PaaS provider. José Casinha, CISO, [email protected]. 2018, May 14
  2. Who we are?

    The #1 low-code software platform for building enterprise-grade web and mobile applications
  3. OutSystems low-code development platform

    • Visual Full-Stack Development: drag-and-drop designer with no walls
    • Deploy to Any Device: responsive web apps, native mobile apps
    • Full Life Cycle: Create > Deploy > Monitor > Manage
  4. Security Office: Global Organization

    • SOC / CSIRT: situational awareness, ongoing monitoring, coordination of computer incident response
    • Security Engineering: definition of identity and access management, application security, host and network security, information asset security, and physical access controls
    • Continuous Improvement: internal audit, governance, risk, compliance and supplier management
    • Emergency Operations: high-impact incidents; planning for incident response, business continuity, disaster recovery; tests, exercises, and drills; incident post mortems; investigations
  5. Organizational Level

    DEV and OPS teams: R&D Core • R&D Cloud • Digital • Expert Services • Product Support • Cloud Operations • Digital Ops • Services DevOps
    SEC: Guidance & Vulnerability Alerts • Attack Protection & Threat Intelligence • Centralized Visibility & Control
  6. DevSecOps practices (adapted from Larry Maccherone)

    Monitoring and Analytics
    • Threat Modelling
    • Analyze/Predict
    • Compliance Analysis
    • Static Code Analysis
    • Dynamic Code Analysis
    • Code Review
    • Break-the-build code analysis
    • Common Abuse Tests
    • Pen Testing
    • Compliance Validation
    • Fuzz testing
    • Binaries validation
    • Load Tests
    • Incident Root Causes
    • Attack surface evaluation
    • Plan to update threat modeling
    • Incident Management process to restore service at the acceptable level
    • Configuration validation
    • Feature flags
    • Traffic Management policies
    • ACL management
    • Log information
    • Alarms
    • Thresholds
    • Abnormal Behaviors
    • Intrusion detection
    • Attack detection
    • Block Attacker
    • Roll-Back
    • Disable services
    • Intrusion Prevention
    • Learn and build
    • Trend analysis
    • Capacity planning
  7. Organizational Maturity: practices adoption

    DEV and OPS teams: R&D Core • R&D Cloud • Digital • Expert Services • Product Support • Cloud Operations • Digital Ops • Services DevOps
    SEC: Guidance & Vulnerability Alerts • Attack Protection & Threat Intelligence • Centralized Visibility & Control
  8. What is OutSystems Sentry PaaS?

    OutSystems Sentry provides certified cloud environments with proactive security monitoring, built-in redundancy and 24*7 support to significantly reduce the likelihood of a data breach and to accelerate detection. Organizations with a cloud-first strategy that need to capture and store sensitive data, such as customer, financial or classified information, need a secure cloud solution.
  9. Why Sentry?

    • Accelerate the detection of a data breach
    • Significantly reduce the likelihood of a data breach
    Value proposition: reduce the chances of a breach and commit to identifying anything that does happen as early as possible
  10. OutSystems Sentry PaaS Offer

    [Architecture diagram] VPC 1 … VPC n, each with: Heavy forwarder, RDS, S3, CloudWatch, SQS
  11. Preventive and Proactive Security

    • Case 1.4: Detect when a host stops sending events
    • Case 2.5: Monitor for the creation of new Services
    • Case 2.7: Detect the creation of a local user
    • Case 2.8: Detect new software installed
    • Case 2.9: Detect remote RDP session
    • Case 2.10: Detect successful privilege escalation
    • Case 3.2: Privilege escalation successful
    • Case 3.4: Detect local user creation
    • Case 3.5: Detect remote ssh access
    • Case 3.6: Creation of new Cron jobs
    • Case 4.5: Detect IAM activity
    • Case 4.11: Detect machines sending high volumes of DNS requests
    • Case 4.13: Detect non-authorized access to S3 buckets
    • Case 4.14: Detect changes to Customer IAM user
    • Case 5.2: Detect Superman
    • Case 5.3: Detect Core Modules Tampering
    • Case 5.4: Detect Dispatcher configuration changes
    • Case 5.7: Detect escalation of privileges in Service Center
    • Case 6.1: Detect Platform configuration tampering
  12. Case 5.2: Detect Superman

    • Description: detect if the same user logged in from different points, geographically far apart, within a very short amount of time
    • Alert: every 5m
    • Response procedure: when an alarm for Superman is triggered, the response team will perform the following steps:
      ◦ Confirm behavior with customer
      ◦ Deactivate the user on the platform
      ◦ Revoke all active sessions from that user
      ◦ Notify Security Office about the incident
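The "Superman" case above is what SOC teams usually call impossible-travel detection. The following is an added example written for this transcript, not OutSystems' or the speaker's code: it groups login events per user, measures the great-circle distance between consecutive logins and flags pairs whose implied travel speed is not physically plausible. It assumes the logins have already been geolocated to latitude/longitude; the speed threshold (1000 km/h), the minimum distance that ignores geo-IP jitter inside one metro area (50 km), the `Login` / `SupermanAlert` types and the sample events are all constructed for the example.

```python
# Added example (not OutSystems' code): impossible-travel ("Superman") detection
# over constructed login events. Assumes every login event already carries a
# geolocated source (lat/lon); the thresholds below are illustrative assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: faster than any commercial flight
MIN_DISTANCE_KM = 50.0       # assumption: ignore geo-IP jitter inside one metro area


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    src_ip: str
    lat: float
    lon: float


@dataclass(frozen=True)
class SupermanAlert:
    user: str
    first: Login
    second: Login
    distance_km: float
    implied_kmh: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_superman(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Flag consecutive logins of one user whose implied travel speed is impossible.

    Events are grouped per user and sorted by time, so feeding the job the
    last 5-minute window plus each user's previous login is sufficient input.
    """
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_user[ev.user].append(ev)

    alerts = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < min_km:
                continue  # same metro area: not a travel event at all
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Two far-apart logins with the same timestamp: treat as infinite speed.
            speed = float("inf") if hours == 0 else dist / hours
            if speed > max_kmh:
                alerts.append(SupermanAlert(user, prev, cur, dist, speed))
    return alerts


def _t(hhmm):
    return datetime(2018, 5, 14, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample events (not real data); IPs are RFC 5737 documentation addresses.
SAMPLE_EVENTS = [
    Login("alice", _t("10:00"), "203.0.113.10", 38.7223, -9.1393),   # Lisbon
    Login("alice", _t("10:03"), "203.0.113.11", 38.7400, -9.1500),   # Lisbon, other IP
    Login("alice", _t("10:20"), "198.51.100.7", 40.7128, -74.0060),  # New York, 17 min later
    Login("bob",   _t("09:00"), "203.0.113.20", 38.7223, -9.1393),   # Lisbon
    Login("bob",   _t("11:30"), "192.0.2.33",   40.4168, -3.7038),   # Madrid, 2.5 h later
]


def run_sample():
    """Run the detector over the constructed events; only alice should trigger."""
    return detect_superman(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"SUPERMAN {a.user}: {a.first.src_ip} -> {a.second.src_ip}, "
              f"{a.distance_km:.0f} km in {a.second.ts - a.first.ts}, ~{a.implied_kmh:.0f} km/h")
```

Bob's Lisbon-to-Madrid hop (about 500 km in 2.5 hours) stays under the threshold, and Alice's two Lisbon logins from different IPs are dropped by the minimum-distance filter, so only her Lisbon-to-New York pair produces an alert. In production the alert would feed the response procedure listed on the slide (confirm with the customer, deactivate the user, revoke sessions, notify the Security Office); the minimum-distance filter matters because geo-IP databases routinely move a mobile user across a city between two logins.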
  13. Future

    • Organizational Level
      ◦ Merge Security Operations with Cloud Operations
    • Practices Level
      ◦ Increase Training
      ◦ Promote practices adoption
      ◦ Increase Visibility
  14. DevSecOps @ OutSystems: The Why, the What and How

    ... on a PaaS provider. José Casinha, CISO, [email protected]
  15. Management and Cloud Framework

    [Architecture diagram] VPC 1 … VPC n, each with: Heavy forwarder, RDS, S3, CloudWatch, SQS. Cloud Framework VPC: Heavy forwarder, RDS, S3, CloudWatch, SQS. Management VPC: S3, VPN Server, YUM