
OWASP_-_Operate_PCIDSS_infrastructure_using_devOps_approch.pptx.pdf


DESCRIPTION
OWASP, as part of its lunchtime conference series, is pleased to welcome Mr. Gaëtan Trivino.

Our speaker will present the influence of DevOps culture on the operations of an international hosting provider, in particular in supporting regulations such as PCI DSS.

Biography:

Gaëtan is a DevOps technical leader focused on cloud and network automation. He crossed the Atlantic with his family to explore new working cultures and is on the hunt for the best maple syrup!

OWASP Montréal

March 05, 2018


Transcript

  1. Operate PCIDSS infrastructure using a devOps approach

  2. About Me
    • Gaëtan Trivino
    • Arrived from France a year ago
    • Working at a cloud provider
    • @gaetantri

  3. Summary
    • How to do devOps on PCIDSS infrastructure?
    – Infra design
    – SoD (segregation of duties)
    • Common operations tasks
    – An alert is triggered
    • H2M (human-to-machine) interaction
    – Log review
    • Security purposes (internal / external)
    • Track human mistakes
    • Secure coding using OWASP
    • Ending
    • Q&A

  4. Why devOps?
    Origins of our devOps approach
    • Large scale infrastructure (> 200k VM)
    • All infrastructures are PCIDSS compliant
    • PCIDSS processes and controls are very complicated
    • Humans make more mistakes than robots
    • Scaling robots is easier than scaling humans

  5. Never trust humans
    • Robots check human actions before working
    • Track unexpected human operations
    [Diagram: CMDB, infrastructure configuration, robots, human]

  6. SoD
    [Diagram: datacenter teams, Infra, Customer Advocates, devOps, R&D, RUN]
    Customer facing:
    => Access: production
    => No access: automation
    No customer facing:
    => Access: automation
    => No access: production

  7. 3AM, an alert is triggered

  8. 3AM, an alert is triggered
    Unified alert broker
    • Alert codes < 300 trigger automated fixes => traceability
    • Alert codes > 301 trigger human alerting

  9. 3AM, an alert is triggered
    ORICO
    PCI DSS Zone
    • Connect to VPN
    • No access to impacted infrastructure

  10. 3AM, an alert is triggered
    • Infrastructure details
    • Last automated operations

  11. 3AM, an alert is triggered
    • List of possible actions integrated with infrastructure context
    • No need to access production environment

  12. 3AM, an alert is triggered

  13. 3AM, an alert is triggered

  14. 3AM, an alert is triggered
    No access to production
    Access « on demand »
    Different access based on different roles
    • RO
    • RW
    • Admin

  15. 3AM, an alert is triggered
    [Flowchart: Is it PCIDSS? Yes => send token; No => task scheduled; then access delivered]

  16. 3AM, an alert is triggered
    [Screenshot: x1, SBG, #571]

  17. 3AM, an alert is triggered

  18. 3AM, an alert is triggered

  19. 3AM, an alert is triggered

  20. 3AM, an alert is triggered
    [Screenshot: x1, SBG, #571]

  21. 3AM, an alert is triggered
    • Automated procedure triggered by a human
    • Keep traceability of what we did on the infrastructure

  22. 3AM, an alert is triggered

  23. 3AM, an alert is triggered
    2 hours later
    Access deleted

  24. 3AM, an alert is triggered
    [Screenshot: x1, SBG, #571]
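
    The alert routing and on-demand access flow of slides 8 to 23, as an added example that is not part of the talk: the code thresholds (< 300 automated, > 301 human), the roles and the 2-hour expiry are from the slides; the class and method names, the audit record layout, the token format and the handling of codes 300/301 (which the slides leave undefined) are assumptions.

```python
# Added example, not from the talk: alert broker routing plus time-limited,
# role-based access to the PCI DSS zone, with an audit trail for traceability.
# Thresholds and the 2-hour expiry come from the slides; class names, audit
# layout, token format and the 300/301 handling are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ACCESS_TTL = timedelta(hours=2)      # "2 hours later: access deleted"
ROLES = ("RO", "RW", "Admin")        # roles listed on slide 14

@dataclass
class Broker:
    audit: list = field(default_factory=list)    # every decision is recorded
    grants: dict = field(default_factory=dict)   # token -> (user, role, host, expiry)

    def route(self, code: int, host: str, now: datetime) -> str:
        if code < 300:
            action = "automated_fix"   # robot fixes it, decision still logged
        elif code > 301:
            action = "human_alert"     # page the on-call human
        else:
            action = "review"   # assumption: undefined codes go to a human review
        self.audit.append((now, "alert", host, code, action))
        return action

    def request_access(self, user: str, role: str, host: str,
                       is_pci: bool, now: datetime):
        """PCI zone: issue an expiring token; otherwise schedule a task."""
        if role not in ROLES:
            raise ValueError(f"unknown role: {role}")
        if not is_pci:
            self.audit.append((now, "task_scheduled", user, role, host))
            return None
        token = f"tok-{len(self.audit)}"   # constructed id, not a real token
        self.grants[token] = (user, role, host, now + ACCESS_TTL)
        self.audit.append((now, "access_granted", user, role, host))
        return token

    def is_valid(self, token: str, now: datetime) -> bool:
        grant = self.grants.get(token)
        return grant is not None and now < grant[3]

    def revoke_expired(self, now: datetime) -> int:
        # Delete every grant whose 2-hour window has elapsed and log it.
        expired = [t for t, g in self.grants.items() if now >= g[3]]
        for token in expired:
            user, role, host, _ = self.grants.pop(token)
            self.audit.append((now, "access_deleted", user, role, host))
        return len(expired)
```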

  25. What’s cool ?
    • Easy traceability of human and automated actions
    • Simplify access control
    • Limit the risk of impersonated or hijacked access
    • Triggering automated procedures is easier
    Challenges
    • Code has to be efficient and secure
    • CI/CD

  26. What’s risky?
    • Code has to be efficient and secure
    • OWASP Top Ten Project 10 scenarios

  27. 8AM
    Daily log review

  28. Daily log review

  29. 8AM Daily log review
    PCI DSS control objectives and requirements
    • Build and maintain a secure network
    – 1. Install and maintain a firewall configuration to protect cardholder data
    – 2. Do not use vendor-supplied defaults for system passwords and other security parameters
    • Protect cardholder data
    – 3. Protect stored cardholder data
    – 4. Encrypt transmission of cardholder data across open, public networks
    • Maintain a vulnerability management program
    – 5. Use and regularly update anti-virus software
    – 6. Develop and maintain secure systems and applications
    • Implement strong access control measures
    – 7. Restrict access to cardholder data by business need-to-know
    – 8. Assign a unique ID to each person with computer access
    – 9. Restrict physical access to cardholder data
    • Regularly monitor and test networks
    – 10. Track and monitor all access to network resources and cardholder data
    – 11. Regularly test security systems and processes
    • Maintain an information security policy
    – 12. Maintain a policy that addresses information security for all personnel

  30. Daily log review
    • Loginsight

  31. Daily log review
    [Diagram: log sources /var/log/*, ESXi Syslog, Switch Syslog and Windows Event Log feeding Log Management]

  32. Daily log review
    [Same log-sources diagram, next build]

  33. Daily log review
    [Same log-sources diagram, next build]

  34. Daily log review
    • Defined log patterns
    • Trigger dashboards/alerting/automated operations on pattern matches

  35. Daily log review
    • Scenario checkVcenterLoginFailed
    [Diagram: checkVcenterLoginFailed, Restricted vs Open]

  36. Daily log review
    • Scenario checkNetworkOperations
    – Only automation users should manage some network configuration:
    • authentication configuration (prevents unauthorized access)
    • IP/VLAN configuration (confidentiality)
    => Detect an unknown process that should be covered by automation, or a potential security leak
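
    The two log-review scenarios of slides 35 and 36 (checkVcenterLoginFailed and checkNetworkOperations), as an added example that is not part of the talk: the rules run over constructed syslog-style lines embedded below; the log formats, user names, automation account names and the failed-login threshold are assumptions, and real vCenter and switch messages differ.

```python
# Added example, not from the talk: pattern rules for the two log-review
# scenarios on the slides, run over constructed sample lines. Formats,
# account names and the threshold are assumptions.
import re
from collections import Counter

AUTOMATION_USERS = {"robot-net", "robot-deploy"}   # assumed automation accounts
LOGIN_FAIL_THRESHOLD = 3                             # assumed per-user threshold

# Constructed sample lines, not real output from any product.
SAMPLE_LOGS = """\
Mar  5 03:01:10 vcenter01 vpxd: User alice@corp logged in from 10.0.5.7
Mar  5 03:01:12 vcenter01 vpxd: Cannot login alice@corp from 10.0.5.7
Mar  5 03:01:15 vcenter01 vpxd: Cannot login alice@corp from 10.0.5.7
Mar  5 03:01:19 vcenter01 vpxd: Cannot login alice@corp from 10.0.5.7
Mar  5 03:02:00 sw-core-1 config: user robot-net set vlan 120 on Ethernet1/3
Mar  5 03:05:41 sw-core-1 config: user bob set aaa authentication login default
Mar  5 03:06:02 sw-core-1 config: user bob set ip address 10.9.9.1/24 on Vlan120
"""

VCENTER_FAIL = re.compile(r"vpxd: Cannot login (?P<user>\S+) from (?P<src>[\d.]+)")
NET_CHANGE = re.compile(r"config: user (?P<user>\S+) set (?P<what>aaa|vlan|ip) ")

def check_vcenter_login_failed(lines):
    """Count vCenter login failures per (user, source); report at threshold."""
    fails = Counter()
    for line in lines:
        m = VCENTER_FAIL.search(line)
        if m:
            fails[(m["user"], m["src"])] += 1
    return [(u, s, n) for (u, s), n in fails.items() if n >= LOGIN_FAIL_THRESHOLD]

def check_network_operations(lines):
    """Flag auth/IP/VLAN changes made by anyone other than an automation user."""
    findings = []
    for line in lines:
        m = NET_CHANGE.search(line)
        if m and m["user"] not in AUTOMATION_USERS:
            # auth changes threaten access control; IP/VLAN changes threaten confidentiality
            kind = "unauthorized-access-risk" if m["what"] == "aaa" else "confidentiality-risk"
            findings.append((m["user"], m["what"], kind))
    return findings

if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    print(check_vcenter_login_failed(lines))
    print(check_network_operations(lines))
```

Each finding is the input a dashboard, an alert or an automated operation would be keyed on; the regexes are the part the slides suggest covering with unit tests.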

  37. Secure coding using OWASP toolbox

  38. OWASP
    • Yearly awareness training and exercises (CTF) for all developers
    • Unit tests for regex
    • Sanitize all inputs
    • …
    • https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
    • https://www.owasp.org/index.php/OWASP_Juice_Shop_Project

  39. Ending

  40. Ending
    • Code in production became more and more critical over time
    • Secure coding
    • Good CI/CD process => good releases and fewer regressions
    • 2
    • Make process
