Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OWASP_-_Operate_PCIDSS_infrastructure_using_devOps_approch.pptx.pdf

 OWASP_-_Operate_PCIDSS_infrastructure_using_devOps_approch.pptx.pdf

DESCRIPTION
OWASP dans le cadre des Midis conférence est heureux d'accueillir, M. Gaëtan Trivino.

Notre conférencier viendra présenter l'influence de la culture devops sur les opérations d'un hébergeur international en particulier pour supporter les réglementations comme PCI DSS.

Biographie :

Gaëtan est DevOps technical leader orienté cloud et automatisation réseau. Il a traversé l'Atlantique avec sa famille pour explorer de nouvelles culture de travail et se lance dans la recherche du meilleur sirop d'érable!

OWASP Montréal

March 05, 2018
Tweet

More Decks by OWASP Montréal

Other Decks in Technology

Transcript

  1. About Me • Gaëtan Trivino • Arrived from France a

    year ago • Working at cloud provider • @gaetantri
  2. Summary • How devOps on PCIDSS infrastructure? – Infra design

    – SoD • Common operations tasks – Alert is trigger • H2M interaction – Log review • security purposes (Internal / External) • Track humans mistakes • Secure coding using OWASP • Ending • Q&A
  3. Why devOps ? Origins of our devOps approch • Large

    scale infrastructure (> 200k VM) • All infrastructures are PCIDSS compliant • PCIDSS process and control so complicated • Human make more mistakes than robots • Scale robot easier to scale humans
  4. Never trust humans • Robots checks humans action before working

    • Track unexpected human operations CMDB Infrastructure configuration Robots Human
  5. SoD DATACENTER Infra Customer Advocates devOps R&D RUN Customer facing

    => Access: production => no Access: automation No customer facing: => Access: automation => no Access: production
  6. 3AM, AN alert is trigger Unify alert broker • alerts

    code < 300 trigger automated fixes => traceability • Alerts code > 301 trigger human alerting
  7. 3AM, AN alert is trigger ORICO PCI DSS Zone •

    Connect to VPN • No access to impacted infrastructure
  8. 3AM, AN alert is trigger • List of possible actions

    integrated with infrastructure context • No need to access production environment
  9. 3AM, AN alert is trigger No access to production Access

    « on demand » Different access based on different roles • RO • RW • Admin
  10. 3AM, AN alert is trigger Is PCIDSS Yes Send Token

    No Task scheduled Access delivered
  11. 3AM, AN alert is trigger • Automated procedure triggered by

    human • Keep what we did on infrastructure traceability
  12. What’s cool ? • Easy traceability of human and automated

    actions • Simplify access control • Limit risks of access usurpation • Trigger automated procedures are easier to do Challenges • Code has to be efficient and secure • CI/CD
  13. What’s risky? • Code has to be efficient and secure

    • OWASP Top Ten Project 10 scenarios
  14. 8AM Daily log review Control Objectives Requirements Build and maintain

    a secure network 1.Install and maintain a firewall configuration to protect cardholder data 2.Do not use vendor-supplied defaults for system passwords and other security parameters Protect cardholder data 3.Protect stored cardholder data 4.Encrypt transmission of cardholder data across open, public networks Maintain a vulnerability management program 5.Use and regularly update anti-virus software 6.Develop and maintain secure systems and applications Implement strong access control measures 7.Restrict access to cardholder data by business need-to-know 8.Assign a unique ID to each person with computer access 9.Restrict physical access to cardholder data Regularly monitor and test networks 10.Track and monitor all access to network resources and cardholder data 11.Regularly test security systems and processes Maintain an information security policy 12.Maintain a policy that addresses information security for all personnel
  15. Daily log review • Scenario checkNetworkOperations – Only automation users

    should manage some network configuration • authentication configuration (prevent unauthorized access) • IP/Vlan configuration (confidentiality) => Track unknown process covered by automation or potential leak of security
  16. OWASP • Yearly sensibilisation for all developpers and exercises (CTF)

    • Unit tests for regex • Sanitize all inputs • … • https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project • https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
  17. Ending • Code production became more and more critical with

    the time • Secure coding • Good CI/CD process => Good releases and reduce regressions • 2 • Make process