OWASP_-_Operate_PCIDSS_infrastructure_using_devOps_approch.pptx.pdf

Transcript

1. Operate PCIDSS infrastructure using devOps approch

2. About Me • Gaëtan Trivino • Arrived from France a

   year ago • Working at cloud provider • @gaetantri

3. Summary • How devOps on PCIDSS infrastructure? – Infra design

   – SoD • Common operations tasks – Alert is trigger • H2M interaction – Log review • security purposes (Internal / External) • Track humans mistakes • Secure coding using OWASP • Ending • Q&A

4. Why devOps ? Origins of our devOps approch • Large

   scale infrastructure (> 200k VM) • All infrastructures are PCIDSS compliant • PCIDSS process and control so complicated • Human make more mistakes than robots • Scale robot easier to scale humans

5. Never trust humans • Robots checks humans action before working

   • Track unexpected human operations CMDB Infrastructure configuration Robots Human

6. SoD DATACENTER Infra Customer Advocates devOps R&D RUN Customer facing

   => Access: production => no Access: automation No customer facing: => Access: automation => no Access: production

7. 3AM, AN alert is trigger

8. 3AM, AN alert is trigger Unify alert broker • alerts

   code < 300 trigger automated fixes => traceability • Alerts code > 301 trigger human alerting

9. 3AM, AN alert is trigger ORICO PCI DSS Zone •

   Connect to VPN • No access to impacted infrastructure

10. 3AM, AN alert is trigger • Infrastructure details • Last

    automated operations

11. 3AM, AN alert is trigger • List of possible actions

    integrated with infrastructure context • No need to access production environment

12. 3AM, AN alert is trigger

13. 3AM, AN alert is trigger

14. 3AM, AN alert is trigger No access to production Access

    « on demand » Different access based on different roles • RO • RW • Admin

15. 3AM, AN alert is trigger Is PCIDSS Yes Send Token

    No Task scheduled Access delivered

16. x1 SBG 3AM, AN alert is trigger #571

17. 3AM, AN alert is trigger

18. 3AM, AN alert is trigger

19. 3AM, AN alert is trigger

20. x1 SBG #571 3AM, AN alert is trigger

21. 3AM, AN alert is trigger • Automated procedure triggered by

    human • Keep what we did on infrastructure traceability

22. 3AM, AN alert is trigger

23. 3AM, AN alert is trigger 2 hours later Access deleted

24. x1 SBG 3AM, AN alert is trigger #571

25. What’s cool ? • Easy traceability of human and automated

    actions • Simplify access control • Limit risks of access usurpation • Trigger automated procedures are easier to do Challenges • Code has to be efficient and secure • CI/CD

26. What’s risky? • Code has to be efficient and secure

    • OWASP Top Ten Project 10 scenarios

27. 8AM Daily log review

28. Daily log review

29. 8AM Daily log review Control Objectives Requirements Build and maintain

    a secure network 1.Install and maintain a firewall configuration to protect cardholder data 2.Do not use vendor-supplied defaults for system passwords and other security parameters Protect cardholder data 3.Protect stored cardholder data 4.Encrypt transmission of cardholder data across open, public networks Maintain a vulnerability management program 5.Use and regularly update anti-virus software 6.Develop and maintain secure systems and applications Implement strong access control measures 7.Restrict access to cardholder data by business need-to-know 8.Assign a unique ID to each person with computer access 9.Restrict physical access to cardholder data Regularly monitor and test networks 10.Track and monitor all access to network resources and cardholder data 11.Regularly test security systems and processes Maintain an information security policy 12.Maintain a policy that addresses information security for all personnel

30. Daily log review • Loginsight

31. Daily log review /var/log/* ESXi Syslog Switch Syslog Windows Event

    Log Log Management …

32. /var/log/* ESXi Syslog Switch Syslog Windows Event Log Log Management

    … Daily log review

33. /var/log/* ESXi Syslog Switch Syslog Windows Event Log Log Management

    … Daily log review

34. Daily log review • Defined logs patterns • Trigger dashboard/alerting/automated

    operations on pattern matchs

35. Daily log review • Scenario checkVcenterLoginFailed checkVcenterLoginFaile d Restricted Open

36. Daily log review • Scenario checkNetworkOperations – Only automation users

    should manage some network configuration • authentication configuration (prevent unauthorized access) • IP/Vlan configuration (confidentiality) => Track unknown process covered by automation or potential leak of security

37. Secure coding using OWASP toolbox

38. OWASP • Yearly sensibilisation for all developpers and exercises (CTF)

    • Unit tests for regex • Sanitize all inputs • … • https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project • https://www.owasp.org/index.php/OWASP_Juice_Shop_Project

39. Ending

40. Ending • Code production became more and more critical with

    the time • Secure coding • Good CI/CD process => Good releases and reduce regressions • 2 • Make process