OWASP_-_Operate_PCIDSS_infrastructure_using_devOps_approch.pptx.pdf

DESCRIPTION
As part of its Midis conférence series, OWASP is pleased to welcome Mr. Gaëtan Trivino.

Our speaker will present the influence of DevOps culture on the operations of an international hosting provider, in particular in support of regulations such as PCI DSS.

Biography:

Gaëtan is a DevOps technical leader focused on cloud and network automation. He crossed the Atlantic with his family to explore new work cultures and is on a quest for the best maple syrup!


OWASP Montréal

March 05, 2018

Transcript

  1. Operate PCI DSS infrastructure using a DevOps approach

  2. About Me
     • Gaëtan Trivino
     • Arrived from France a year ago
     • Working at a cloud provider
     • @gaetantri
  3. Summary
     • How to do DevOps on a PCI DSS infrastructure?
       – Infra design
       – SoD (separation of duties)
     • Common operations tasks
       – An alert is triggered (H2M interaction)
       – Log review, for security purposes (internal / external) and to track human mistakes
     • Secure coding using OWASP
     • Ending
     • Q&A
  4. Why DevOps? Origins of our DevOps approach
     • Large-scale infrastructure (> 200k VMs)
     • All infrastructures are PCI DSS compliant
     • PCI DSS processes and controls are very complicated
     • Humans make more mistakes than robots
     • Scaling robots is easier than scaling humans
  5. Never trust humans
     • Robots check human actions before working
     • Track unexpected human operations
     (diagram: CMDB, infrastructure configuration, robots, human)
  6. SoD (separation of duties)
     Teams: DATACENTER, Infra, Customer Advocates, devOps, R&D, RUN
     Customer facing: access to production, no access to automation
     Not customer facing: access to automation, no access to production
  7. 3AM, an alert is triggered

  8. 3AM, an alert is triggered
     Unified alert broker
     • Alert codes < 300 trigger automated fixes => traceability
     • Alert codes > 301 trigger human alerting
  9. 3AM, an alert is triggered (ORICO PCI DSS zone)
     • Connect to VPN
     • No access to the impacted infrastructure
  10. 3AM, an alert is triggered
     • Infrastructure details
     • Last automated operations
  11. 3AM, an alert is triggered
     • List of possible actions, integrated with the infrastructure context
     • No need to access the production environment
  12. 3AM, an alert is triggered

  13. 3AM, an alert is triggered

  14. 3AM, an alert is triggered
     No access to production; access "on demand"
     Different access based on different roles
     • RO
     • RW
     • Admin

  15. 3AM, an alert is triggered
     (flowchart) Is it PCI DSS? Yes => send token / No => task scheduled; then access delivered

  16. 3AM, an alert is triggered (x1 SBG #571)

  17. 3AM, an alert is triggered

  18. 3AM, an alert is triggered

  19. 3AM, an alert is triggered

  20. 3AM, an alert is triggered (x1 SBG #571)

  21. 3AM, an alert is triggered
     • Automated procedure triggered by a human
     • Keep a record of what we did on the infrastructure (traceability)

  22. 3AM, an alert is triggered

  23. 3AM, an alert is triggered: 2 hours later, access deleted

  24. 3AM, an alert is triggered (x1 SBG #571)
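The on-call flow of slides 8 through 23 (broker routes by alert code, human asks for role-scoped access without a shell on production, PCI DSS zones require a token step, the human triggers a logged procedure, access is deleted two hours later) as one added example. This is not the speaker's code or their employer's system; the class and function names, the one-time token handed back by the requester, the rule that RO cannot trigger writes, and the constructed 3AM clock `T0` are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ROLES = ("RO", "RW", "Admin")          # slide 14: one grant per role
WRITE_ROLES = {"RW", "Admin"}          # assumption: RO may only read
AUTO_FIX_BELOW = 300                   # slide 8: codes below this are fixed by robots
ACCESS_TTL = timedelta(hours=2)        # slide 23: access deleted two hours later
T0 = datetime(2018, 3, 5, 3, 0, tzinfo=timezone.utc)   # constructed clock ("3AM")


@dataclass
class Alert:
    code: int
    host: str
    pci_zone: bool      # assumption: the CMDB knows which hosts sit in a PCI DSS zone


@dataclass
class Grant:
    user: str
    host: str
    role: str
    expires_at: datetime


class AlertBroker:
    """Unified broker: routes alerts, hands out short-lived access, logs everything."""

    def __init__(self):
        self.audit = []            # traceability of robot and human actions
        self.pending_tokens = {}   # user -> one-time token not yet echoed back
        self.grants = []

    def _log(self, now, actor, action, **detail):
        self.audit.append({"ts": now.isoformat(), "actor": actor, "action": action, **detail})

    def route(self, alert, now=T0):
        """Slide 8: low codes get an automated fix, anything else pages a human."""
        if alert.code < AUTO_FIX_BELOW:
            self._log(now, "robot", "auto_fix", host=alert.host, code=alert.code)
            return "auto_fix"
        self._log(now, "broker", "page_human", host=alert.host, code=alert.code)
        return "human"

    def request_access(self, user, alert, role, now, token=None):
        """Slides 14-15: access on demand per role; PCI DSS zones need a token first."""
        if role not in ROLES:
            raise ValueError("unknown role: %r" % role)
        if alert.pci_zone:
            if token is None:
                # First call: issue a one-time token (assumption: delivered out of band).
                self.pending_tokens[user] = secrets.token_hex(8)
                self._log(now, user, "token_sent", host=alert.host)
                return None
            expected = self.pending_tokens.pop(user, "")
            if not hmac.compare_digest(expected, token):
                self._log(now, user, "token_rejected", host=alert.host)
                raise PermissionError("bad token")
        grant = Grant(user, alert.host, role, now + ACCESS_TTL)
        self.grants.append(grant)
        self._log(now, user, "access_granted", host=alert.host, role=role,
                  expires=grant.expires_at.isoformat())
        return grant

    def run_procedure(self, grant, name, writes, now):
        """Slide 21: the human triggers a logged procedure instead of logging into prod."""
        self.expire(now)
        if grant not in self.grants:
            self._log(now, grant.user, "denied_no_access", host=grant.host, procedure=name)
            return False
        if writes and grant.role not in WRITE_ROLES:
            self._log(now, grant.user, "denied_role", host=grant.host, procedure=name)
            return False
        self._log(now, grant.user, "procedure_run", host=grant.host, procedure=name)
        return True

    def expire(self, now):
        """Slide 23: delete grants whose two hours are up; returns how many were removed."""
        dead = [g for g in self.grants if g.expires_at <= now]
        for g in dead:
            self.grants.remove(g)
            self._log(now, "robot", "access_deleted", host=g.host, user=g.user)
        return len(dead)
```

Every branch, including refusals, writes to `audit`, which is the point of slide 25's "easy traceability": the log review described later can be run over the broker's own trail, not only over the hosts' syslog. The token comparison uses `hmac.compare_digest` so that a wrong guess does not leak timing information about the expected value.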

  25. What's cool?
     • Easy traceability of human and automated actions
     • Simplified access control
     • Limited risk of access impersonation
     • Triggering automated procedures is easier
     Challenges
     • Code has to be efficient and secure
     • CI/CD
  26. What's risky?
     • Code has to be efficient and secure
     • OWASP Top Ten Project: 10 scenarios
  27. 8AM Daily log review

  28. Daily log review

  29. 8AM Daily log review
     PCI DSS control objectives and requirements:
     Build and maintain a secure network
       1. Install and maintain a firewall configuration to protect cardholder data
       2. Do not use vendor-supplied defaults for system passwords and other security parameters
     Protect cardholder data
       3. Protect stored cardholder data
       4. Encrypt transmission of cardholder data across open, public networks
     Maintain a vulnerability management program
       5. Use and regularly update anti-virus software
       6. Develop and maintain secure systems and applications
     Implement strong access control measures
       7. Restrict access to cardholder data by business need-to-know
       8. Assign a unique ID to each person with computer access
       9. Restrict physical access to cardholder data
     Regularly monitor and test networks
       10. Track and monitor all access to network resources and cardholder data
       11. Regularly test security systems and processes
     Maintain an information security policy
       12. Maintain a policy that addresses information security for all personnel
  30. Daily log review • Loginsight

  31. Daily log review /var/log/* ESXi Syslog Switch Syslog Windows Event

    Log Log Management …
  32. /var/log/* ESXi Syslog Switch Syslog Windows Event Log Log Management

    … Daily log review
  33. /var/log/* ESXi Syslog Switch Syslog Windows Event Log Log Management

    … Daily log review
  34. Daily log review
     • Defined log patterns
     • Trigger dashboards, alerting or automated operations on pattern matches
  35. Daily log review
     • Scenario checkVcenterLoginFailed (diagram labels: Restricted, Open)

  36. Daily log review
     • Scenario checkNetworkOperations: only automation users should manage some network configuration
       – authentication configuration (prevents unauthorized access)
       – IP/VLAN configuration (confidentiality)
     => Track unknown processes (work that should be covered by automation) or a potential security leak
  37. Secure coding using the OWASP toolbox

  38. OWASP
     • Yearly awareness training for all developers, with exercises (CTF)
     • Unit tests for regexes
     • Sanitize all inputs
     • …
     • https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
     • https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
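Pattern-based log review as described on slides 34 through 36 (the two scenarios checkVcenterLoginFailed and checkNetworkOperations, and slide 5's "track unexpected human operations"), together with the regex unit tests slide 38 recommends, as one added example. This is not the speaker's tooling and not Log Insight configuration; the log line formats, the user names, the set of automation accounts, the list of "sensitive" commands and the failed-login threshold are all constructed for the example.

```python
import re
from collections import Counter

AUTOMATION_USERS = {"automation", "netbot"}   # assumption: robot accounts known from the CMDB
FAILED_LOGIN_THRESHOLD = 3                    # assumption: alert at the third failure

# Scenario checkVcenterLoginFailed: constructed vpxd-style line format.
VCENTER_LOGIN_FAILED = re.compile(
    r"\bvpxd\S*:\s+Login failed for user '(?P<user>[^']{1,64})' from (?P<src>[\w.:-]+)")
# Scenario checkNetworkOperations: constructed switch audit line format.
NETWORK_CONFIG = re.compile(
    r"\s(?P<device>sw-[\w-]+)\s+CONFIG:\s+user=(?P<user>[\w.@-]+)\s+cmd=\"(?P<cmd>[^\"]{1,200})\"")
# Commands only automation may run: authentication and IP/VLAN configuration (slide 36).
SENSITIVE_CMD = re.compile(r"^(aaa |username |tacacs|radius|ip address |vlan |interface vlan)", re.I)


def check_vcenter_login_failed(lines):
    """Count failed vCenter logins per (user, source); report pairs at or above the threshold."""
    failures = Counter()
    for line in lines:
        m = VCENTER_LOGIN_FAILED.search(line)
        if m:
            failures[(m["user"], m["src"])] += 1
    return [{"user": u, "src": s, "count": n}
            for (u, s), n in failures.items() if n >= FAILED_LOGIN_THRESHOLD]


def check_network_operations(lines):
    """Flag sensitive switch configuration done by anyone who is not a robot account."""
    findings = []
    for line in lines:
        m = NETWORK_CONFIG.search(line)
        if not m or not SENSITIVE_CMD.match(m["cmd"]):
            continue
        if m["user"] not in AUTOMATION_USERS:
            findings.append({"device": m["device"], "user": m["user"], "cmd": m["cmd"]})
    return findings


def daily_review(lines):
    """Run every scenario over the day's lines; the result feeds a dashboard or alert."""
    lines = list(lines)
    return {"vcenter_login_failed": check_vcenter_login_failed(lines),
            "network_operations": check_network_operations(lines)}


def regex_self_test():
    """Slide 38: unit-test each pattern with a line that must match and one that must not."""
    hit = "Mar  5 03:12:01 vcenter01 vpxd[1234]: Login failed for user 'alice@CORP' from 10.0.0.7"
    miss = "Mar  5 03:12:02 vcenter01 vpxd[1234]: User 'alice@CORP' logged in from 10.0.0.7"
    net_hit = "Mar  5 03:15:44 sw-core-01 CONFIG: user=alice cmd=\"vlan 42\""
    net_miss = "Mar  5 03:15:45 sw-core-01 CONFIG: user=alice cmd=\"show vlan\""
    m = VCENTER_LOGIN_FAILED.search(hit)
    return (m is not None and m["user"] == "alice@CORP" and m["src"] == "10.0.0.7"
            and VCENTER_LOGIN_FAILED.search(miss) is None
            and NETWORK_CONFIG.search(net_hit)["cmd"] == "vlan 42"
            and SENSITIVE_CMD.match("vlan 42") is not None
            and SENSITIVE_CMD.match(NETWORK_CONFIG.search(net_miss)["cmd"]) is None)


SAMPLE_LOGS = [  # constructed sample input, not real logs
    "Mar  5 03:12:01 vcenter01 vpxd[1234]: Login failed for user 'alice@CORP' from 10.0.0.7",
    "Mar  5 03:12:03 vcenter01 vpxd[1234]: Login failed for user 'alice@CORP' from 10.0.0.7",
    "Mar  5 03:12:05 vcenter01 vpxd[1234]: Login failed for user 'alice@CORP' from 10.0.0.7",
    "Mar  5 03:12:09 vcenter01 vpxd[1234]: Login failed for user 'bob@CORP' from 10.0.0.8",
    "Mar  5 03:15:44 sw-core-01 CONFIG: user=automation cmd=\"vlan 42\"",
    "Mar  5 03:16:02 sw-core-01 CONFIG: user=carol cmd=\"aaa authentication login default local\"",
    "Mar  5 03:16:10 sw-edge-02 CONFIG: user=carol cmd=\"show running-config\"",
]

if __name__ == "__main__":
    import json
    assert regex_self_test()
    print(json.dumps(daily_review(SAMPLE_LOGS), indent=2))
```

The capture groups are deliberately bounded (`[^']{1,64}`, `[\w.@-]+`) rather than `.*`: a user name or command lifted out of a log line is untrusted input that will end up in a ticket or alert, so the pattern itself limits what can be carried through, which is the "sanitize all inputs" point of slide 38 applied to log review.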
  39. Ending

  40. Ending
     • Code production became more and more critical over time
     • Secure coding
     • Good CI/CD process => good releases and fewer regressions
     • 2
     • Make process