Slide 1

Slide 1 text

Security & Policy Configurations for Infrastructure as Code
Cloud Native @Scale, June 2021

Slide 2

Slide 2 text

Infrastructure as code (this example creates policies in a secrets manager):

resource "vault_policy" "payments_pipeline" {
  name   = var.pipeline_name
  policy = <

Slide 3

Slide 3 text

“It works. I’ll just copy it.”

Slide 4

Slide 4 text

Copied infrastructure as code (this is... fine?):

resource "vault_policy" "payments_pipeline" {
  name   = var.pipeline_name
  policy = <

Slide 6

Slide 6 text

Rosemary Wang, Developer Advocate at HashiCorp
@joatmon08 | joatmon08.github.io
(Not my cat.)

Slide 7

Slide 7 text

Deliver infrastructure and secure it across many teams.

Slide 8

Slide 8 text

5 Things I Learned
1. Static analysis
2. Dynamic analysis
3. Modularize
4. Pipelines as code
5. Enforcement levels

Slide 9

Slide 9 text

1. Static analysis

Slide 10

Slide 10 text

Does the change adhere to our policy and security standards?
• Yes: release it to infrastructure.
• No: update the infrastructure as code.

Slide 11

Slide 11 text

Lots of terms
• Shift-left security testing
• Fitness functions (evolutionary architecture)
• Testing infrastructure as code

Slide 12

Slide 12 text

Security testing tool: parse fields from the configuration or planned state (JSON or metadata format), check field values, assert pass or fail.

Slide 13

Slide 13 text

Use Cases
• Network policy
• Infrastructure configuration
• Access control & logging

Slide 14

Slide 14 text

resource "vault_policy" "payments_pipeline" {
  name   = var.pipeline_name
  policy = <

Slide 15

Slide 15 text

2. Dynamic analysis

Slide 16

Slide 16 text

Lots of terms
• Vulnerability management
• Security scanning
• Remediation

Slide 17

Slide 17 text

Security testing tool: parse fields from the active state or infrastructure API (JSON or metadata format), check field values, assert pass or fail. Run on a regular schedule.

Slide 18

Slide 18 text

resource "vault_policy" "payments_pipeline" {
  name   = var.pipeline_name
  policy = <
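The two testing-tool slides above (static analysis of the planned state in section 1, dynamic analysis of the active state in section 2) share one shape: parse fields, check values, assert pass or fail. The following is an added example, not code from the talk or from HashiCorp, that implements both checks for the vault_policy resource shown on these slides in Python. It reads a `terraform show -json` plan for the static check and the body of `GET /v1/sys/policies/acl/<name>` for the dynamic check; the sample plan and API responses are constructed inline, and the rule that a pipeline policy may only read under `database/creds/` is an assumption made for the example, not something the talk states.

```python
"""Policy-as-code checks for Vault ACL policies managed with Terraform.

Static analysis : inspect `terraform show -json tfplan` output before apply.
Dynamic analysis: inspect the live policy documents Vault returns from
GET /v1/sys/policies/acl/<name> on a schedule, and flag drift from the plan.
"""
import json
import re

PATH_BLOCK = re.compile(r'path\s+"([^"]+)"\s*\{([^}]*)\}', re.S)
CAPS = re.compile(r'capabilities\s*=\s*\[([^\]]*)\]', re.S)
QUOTED = re.compile(r'"([^"]+)"')

# Assumed organisational rule for this example: a pipeline policy may only
# read database credentials. Anything broader is reported as a finding.
ALLOWED_PREFIX = "database/creds/"
WRITE_CAPS = {"create", "update", "delete", "sudo"}

# Constructed sample of `terraform show -json tfplan` (planned_values only).
# The second policy is the over-broad "copied" one the talk warns about.
SAMPLE_PLAN = json.dumps({"format_version": "1.0", "planned_values": {"root_module": {
    "resources": [
        {"address": "vault_policy.payments_pipeline", "type": "vault_policy",
         "values": {"name": "payments-pipeline",
                    "policy": 'path "database/creds/payments" {\n  capabilities = ["read"]\n}\n'}},
        {"address": "vault_policy.copied_pipeline", "type": "vault_policy",
         "values": {"name": "copied-pipeline",
                    "policy": 'path "*" {\n  capabilities = ["create", "read", "update", "delete", "sudo"]\n}\n'}},
    ]}}})

# Constructed sample of GET /v1/sys/policies/acl/<name> bodies, as a scheduled
# job would fetch them. payments-pipeline has drifted: someone added "update".
SAMPLE_LIVE = {
    "payments-pipeline": json.dumps({"data": {"name": "payments-pipeline",
        "policy": 'path "database/creds/payments" {\n  capabilities = ["read", "update"]\n}\n'}}),
    "copied-pipeline": json.dumps({"data": {"name": "copied-pipeline",
        "policy": 'path "*" {\n  capabilities = ["create", "read", "update", "delete", "sudo"]\n}\n'}}),
}


def parse_policy(policy_hcl):
    """Return {path: set(capabilities)} parsed from a Vault ACL policy document."""
    rules = {}
    for path, body in PATH_BLOCK.findall(policy_hcl):
        m = CAPS.search(body)
        rules[path] = set(QUOTED.findall(m.group(1))) if m else set()
    return rules


def check_policy(label, policy_hcl):
    """Apply the rules above to one policy document; return a list of findings."""
    findings = []
    for path, caps in parse_policy(policy_hcl).items():
        if path == "*":
            findings.append(f"{label}: root wildcard path {path!r}")
        elif not path.startswith(ALLOWED_PREFIX):
            findings.append(f"{label}: path {path!r} outside {ALLOWED_PREFIX!r}")
        if "sudo" in caps:
            findings.append(f"{label}: 'sudo' capability on {path!r}")
        elif caps & WRITE_CAPS:
            findings.append(f"{label}: write capabilities {sorted(caps & WRITE_CAPS)} on {path!r}")
    return findings


def _resources(module):
    """Walk a plan module and its nested child_modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _resources(child)


def planned_policies(plan_json):
    """Return {policy name: policy document} for every vault_policy in the plan."""
    plan = json.loads(plan_json)
    return {r["values"]["name"]: r["values"]["policy"]
            for r in _resources(plan["planned_values"]["root_module"])
            if r["type"] == "vault_policy"}


def static_check(plan_json):
    """Static analysis: run the rules over the planned state, before apply."""
    findings = []
    for name, policy in planned_policies(plan_json).items():
        findings += check_policy(f"plan:{name}", policy)
    return findings


def dynamic_check(plan_json, live_policies):
    """Dynamic analysis: run the rules over live state and report drift from the plan."""
    planned = planned_policies(plan_json)
    findings = []
    for name, body in live_policies.items():
        live = json.loads(body)["data"]["policy"]
        findings += check_policy(f"live:{name}", live)
        if name in planned and parse_policy(planned[name]) != parse_policy(live):
            findings.append(f"live:{name}: drifted from planned policy")
    return findings
```

Wire `static_check` into the pipeline stage that runs after `terraform plan`, and `dynamic_check` into a scheduled job that fetches each policy from the Vault API; both return an empty list on a clean run, so the stage can fail on any non-empty result. Because the dynamic check compares parsed rules rather than raw text, a reformatted but equivalent policy is not reported as drift.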

Slide 19

Slide 19 text

import "sockaddr"
import "strings"

# Check for create, update, or delete actions on database secrets
precond = rule {
    request.operation in ["create", "update", "delete"] and
    strings.has_prefix(request.path, "database/")
}

# Requests may come only from the self-hosted pipeline runner in a private network
cidrcheck = rule {
    sockaddr.is_contained(request.connection.remote_addr, "172.16.0.9/32")
}

# Check the precondition before evaluating cidrcheck
main = rule when precond {
    cidrcheck
}

Slide 20

Slide 20 text

Other Tools
• Vulnerability scanning (Snyk, Tenable)
• Cloud infrastructure scanning (Forseti, Cloudcheckr)
• Authorization (Sentinel, OPA)

Slide 21

Slide 21 text

3. Modularize

Slide 22

Slide 22 text

Repositories to share...
• Organizational policies
• Organizational benchmarks
• Industry benchmarks

Slide 23

Slide 23 text

Dividing Modules
• Function
• Infrastructure provider
• Business domain

Slide 24

Slide 24 text

Repository: shared-org-policies
  naming
  tagging/ (aws, azure, gcp)
  billing
  secrets
  access-management
  vulnerability-management
  runtime-security

Repository: infrastructure-policies
  aws (references shared-org-policies/tagging/aws)
  azure
  gcp
  datadog

Repository: payments-infrastructure-policies
  pci (references infrastructure-policies/aws and shared-org-policies/vulnerability-management)

Pipeline: Build -> Test -> Deploy -> Security Test -> Release

Slide 25

Slide 25 text

4. Pipelines as code

Slide 26

Slide 26 text

Repository: shared-org-policies
  naming
  tagging/ (aws, azure, gcp)
  billing
  secrets
  access-management
  vulnerability-management
  runtime-security

Repository: infrastructure-policies
  aws (references shared-org-policies/tagging/aws)
  azure
  gcp
  datadog

Repository: payments-infrastructure-policies
  pci (references infrastructure-policies/aws and shared-org-policies/vulnerability-management)

Pipeline: Build -> Test -> Deploy -> Security Test -> Release

Slide 27

Slide 27 text

Define Pipelines "as Code"
• Use templates
• Require "security testing" stages
• Run asynchronously

Slide 28

Slide 28 text

Pipeline: Build -> Test -> Deploy -> Security Test -> Release

Slide 29

Slide 29 text

5. Enforcement levels

Slide 30

Slide 30 text

Choose one:
• Hard mandatory
• Soft mandatory
• Advisory
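How a "Security Test" stage turns these three enforcement levels into a release decision is easy to get wrong, so here is an added example in Python; it is not code from the talk, and the policy names, the `PolicyResult` and `GateDecision` types, and the approver-based override scheme are assumptions for illustration. A hard-mandatory failure always blocks and cannot be waived; a soft-mandatory failure blocks unless an authorized identity has waived it; an advisory failure is only reported. An unrecognized level is treated as hard-mandatory so the gate fails closed.

```python
"""Gate a pipeline's Security Test stage on policy results with three
enforcement levels: hard-mandatory, soft-mandatory and advisory."""
from dataclasses import dataclass, field

HARD, SOFT, ADVISORY = "hard-mandatory", "soft-mandatory", "advisory"


@dataclass
class PolicyResult:
    name: str        # e.g. "shared-org-policies/tagging/aws" (hypothetical names)
    level: str       # one of HARD, SOFT, ADVISORY
    passed: bool
    detail: str = ""


@dataclass
class GateDecision:
    release: bool
    blocking: list = field(default_factory=list)    # failures that stop the release
    overridden: list = field(default_factory=list)  # soft failures waived by an approver
    warnings: list = field(default_factory=list)    # advisory failures, reported only


def evaluate_gate(results, overrides=None, override_approvers=frozenset()):
    """Decide whether the pipeline may proceed from Security Test to Release.

    overrides maps a policy name to the identity that waived it. Only
    soft-mandatory failures can be waived, and only by an identity in
    override_approvers. A result with an unknown level is treated as
    hard-mandatory so the gate fails closed rather than open.
    """
    overrides = overrides or {}
    decision = GateDecision(release=True)
    for r in results:
        if r.passed:
            continue
        level = r.level if r.level in (HARD, SOFT, ADVISORY) else HARD
        if level == ADVISORY:
            decision.warnings.append(r.name)
        elif level == SOFT and overrides.get(r.name) in override_approvers:
            decision.overridden.append(f"{r.name} (waived by {overrides[r.name]})")
        else:
            decision.blocking.append(r.name)
    decision.release = not decision.blocking
    return decision


# Constructed results, using the policy repositories sketched on the earlier slides.
SAMPLE_RESULTS = [
    PolicyResult("shared-org-policies/secrets", HARD, False, "policy grants sudo on *"),
    PolicyResult("shared-org-policies/tagging/aws", SOFT, False, "missing cost-center tag"),
    PolicyResult("shared-org-policies/naming", ADVISORY, False, "bucket name not kebab-case"),
    PolicyResult("payments-infrastructure-policies/pci", HARD, True),
]
```

Keep the mapping from policy to enforcement level in the policy repository alongside the policy itself, not in each pipeline, so a team cannot quietly downgrade a hard-mandatory check to advisory when it copies a pipeline template.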

Slide 31

Slide 31 text

5 Things I Learned
1. Static analysis
2. Dynamic analysis
3. Modularize
4. Pipelines as code
5. Enforcement levels

Slide 32

Slide 32 text

Demos & Tools
• Pytest + Terraform
• InSpec + Docker
• Open Policy Agent + JSON API response

Slide 33

Slide 33 text

References
• ncp.nist.gov//
• github.com/joatmon08/policy-as-code
• github.com/tracypholmes/policy-as-code-workshop
• github.com/joatmon08/tdd-infrastructure#policy-as-code-with-security-scanning

Find these slides at joatmon08.github.io