Slide 1

Slide 1 text

Operate PCI DSS infrastructure using a DevOps approach

Slide 2

Slide 2 text

About Me • Gaëtan Trivino • Arrived from France a year ago • Working at a cloud provider • @gaetantri

Slide 3

Slide 3 text

Summary • How to do DevOps on a PCI DSS infrastructure? – Infra design – SoD (segregation of duties) • Common operations tasks – An alert is triggered • H2M (human-to-machine) interaction – Log review • Security purposes (internal / external) • Track human mistakes • Secure coding using OWASP • Ending • Q&A

Slide 4

Slide 4 text

Why DevOps? Origins of our DevOps approach • Large-scale infrastructure (> 200k VMs) • All infrastructures are PCI DSS compliant • PCI DSS processes and controls are complicated • Humans make more mistakes than robots • Scaling robots is easier than scaling humans

Slide 5

Slide 5 text

Never trust humans • Robots check human actions before acting on them • Track unexpected human operations (diagram: CMDB, infrastructure configuration, robots, human)

Slide 6

Slide 6 text

SoD (segregation of duties)
Teams: DATACENTER, Infra, Customer Advocates, devOps, R&D, RUN
• Customer-facing teams => access to production, no access to automation
• Non-customer-facing teams => access to automation, no access to production

Slide 7

Slide 7 text

3AM, an alert is triggered

Slide 8

Slide 8 text

3AM, an alert is triggered • Unified alert broker • Alert codes < 300 trigger automated fixes => traceability • Alert codes > 301 trigger human alerting
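The routing rule on this slide, as an added example (not the speaker's broker): every alert is reduced to one record, routed by code to either a registered automated fix or a human, and appended to a trace so the decision can be audited later. Note that the slide's ranges (< 300 automated, > 301 human) leave codes 300 and 301 unassigned; the example routes everything that is not below 300 to a human, the fail-safe choice, and that boundary, the alert shape and the fix handlers are assumptions made for the illustration.

```python
"""Added example of a unified alert broker with code-based routing.
Not the speaker's tooling; handlers, alert shape and boundary are assumptions."""
import uuid

AUTOMATED_BELOW = 300   # slide: codes < 300 get an automated fix
# The slide leaves 300 and 301 unassigned; anything not below 300 goes to a
# human here, the fail-safe choice (assumption).


class AlertBroker:
    def __init__(self):
        self.fixes = {}       # alert code -> callable(alert) -> result string
        self.trace = []       # one record per alert, never rewritten
        self.pager = []       # ids of alerts handed to an on-call human

    def register_fix(self, code, fn):
        self.fixes[code] = fn

    def handle(self, alert):
        """Route one normalised alert: {"code": int, "host": str, "msg": str}."""
        code = int(alert["code"])
        record = {"id": uuid.uuid4().hex[:8], "code": code, "host": alert["host"]}
        fix = self.fixes.get(code)
        if code < AUTOMATED_BELOW and fix is not None:
            record["route"] = "automated"
            record["fix"] = fix.__name__
            record["result"] = fix(alert)
        else:
            # Either a human-level code or an "automatable" code nobody wrote a
            # fix for: both reach a person, and the reason is kept in the trace.
            record["route"] = "human"
            record["reason"] = ("code >= %d" % AUTOMATED_BELOW if code >= AUTOMATED_BELOW
                                else "no fix registered")
            self.pager.append(record["id"])
        self.trace.append(record)
        return record


def restart_ntp(alert):
    """Hypothetical automated fix, constructed for the example."""
    return "ntp restarted on " + alert["host"]


def demo_routing():
    """Run a constructed batch of alerts through the broker and return it."""
    broker = AlertBroker()
    broker.register_fix(101, restart_ntp)
    batch = [
        {"code": 101, "host": "esx07", "msg": "clock drift"},         # automated
        {"code": 205, "host": "esx07", "msg": "disk 90%"},            # < 300 but no fix: human
        {"code": 300, "host": "sw-core-01", "msg": "port flapping"},  # boundary: human
        {"code": 540, "host": "db-pci-01", "msg": "raid degraded"},   # human
    ]
    for alert in batch:
        broker.handle(alert)
    return broker
```

The trace records both the route taken and why, which is the traceability the slide asks for: an auditor can see that code 205 reached a human only because no fix existed, not because the policy changed.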

Slide 9

Slide 9 text

3AM, an alert is triggered • ORICO PCI DSS zone • Connect to the VPN • No access to the impacted infrastructure

Slide 10

Slide 10 text

3AM, an alert is triggered • Infrastructure details • Last automated operations

Slide 11

Slide 11 text

3AM, an alert is triggered • List of possible actions, integrated with the infrastructure context • No need to access the production environment

Slide 12

Slide 12 text

3AM, an alert is triggered

Slide 13

Slide 13 text

3AM, an alert is triggered

Slide 14

Slide 14 text

3AM, an alert is triggered • No standing access to production • Access "on demand" • Different access levels based on roles: • RO • RW • Admin

Slide 15

Slide 15 text

3AM, an alert is triggered • Access request flow: Is the target PCI DSS? Yes => send token; No => task scheduled; then access delivered

Slide 16

Slide 16 text

3AM, an alert is triggered (screenshot: x1 SBG #571)

Slide 17

Slide 17 text

3AM, an alert is triggered

Slide 18

Slide 18 text

3AM, an alert is triggered

Slide 19

Slide 19 text

3AM, an alert is triggered

Slide 20

Slide 20 text

3AM, an alert is triggered (screenshot: x1 SBG #571)

Slide 21

Slide 21 text

3AM, an alert is triggered • Automated procedure triggered by a human • Keep traceability of what we did on the infrastructure

Slide 22

Slide 22 text

3AM, an alert is triggered

Slide 23

Slide 23 text

3AM, an alert is triggered • 2 hours later: access deleted
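The whole on-demand access flow of slides 14 to 23 in one place, as an added example that is not the speaker's tooling: no standing production access, a request carrying a role (RO, RW or Admin), a token sent only when the target is in a PCI DSS zone (a non-PCI target just gets its task scheduled), automated procedures run on the human's behalf with every attempt logged, and a scheduled revocation that deletes the grant 2 hours later. The role ranking, the procedure list, the in-memory store and the injectable clock are assumptions made so the scenario can be run offline.

```python
"""Added example: on-demand, time-bounded access to a PCI DSS zone (not the
speaker's tooling). Roles, procedures, storage and the clock are assumptions."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ROLES = {"RO": 0, "RW": 1, "Admin": 2}      # higher rank may do what a lower one may
ACCESS_TTL = timedelta(hours=2)             # "2 hours later, access deleted"
# Hypothetical automated procedures and the minimum role each needs.
PROCEDURES = {"show_status": "RO", "restart_service": "RW", "rotate_credentials": "Admin"}


@dataclass
class Grant:
    request_id: str
    user: str
    target: str
    role: str
    expires_at: datetime
    token: Optional[str]        # only issued when the target is in a PCI DSS zone
    active: bool = True


class AccessBroker:
    def __init__(self, pci_targets, clock=None):
        self.pci_targets = set(pci_targets)
        self.grants = {}
        self.audit = []                   # append-only trail of dict events
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, event, **fields):
        self.audit.append({"ts": self._clock().isoformat(), "event": event, **fields})

    def request_access(self, user, target, role, alert_id):
        """Is PCI DSS? yes -> send token, no -> task scheduled; then access delivered."""
        is_pci = target in self.pci_targets
        grant = Grant(request_id=secrets.token_hex(4), user=user, target=target, role=role,
                      expires_at=self._clock() + ACCESS_TTL,
                      token=secrets.token_urlsafe(24) if is_pci else None)
        self.grants[grant.request_id] = grant
        self._log("access_requested", request_id=grant.request_id, user=user, target=target,
                  role=role, alert=alert_id)
        self._log("token_sent" if is_pci else "task_scheduled", request_id=grant.request_id)
        self._log("access_delivered", request_id=grant.request_id, expires_at=grant.expires_at.isoformat())
        return grant

    def run_procedure(self, request_id, procedure, token=None):
        """Run an automated procedure for a human; allowed or denied, it is logged."""
        ok, reason = self._check(self.grants.get(request_id), procedure, token)
        self._log("procedure_run" if ok else "procedure_denied", request_id=request_id,
                  procedure=procedure, reason=reason)
        if not ok:
            raise PermissionError(reason)
        return True

    def _check(self, grant, procedure, token):
        if grant is None or not grant.active:
            return False, "no active grant"
        if self._clock() >= grant.expires_at:
            grant.active = False
            return False, "grant expired"
        if grant.token is not None and not secrets.compare_digest(token or "", grant.token):
            return False, "bad token"                 # PCI targets: the token is mandatory
        needed = PROCEDURES.get(procedure)
        if needed is None or ROLES[grant.role] < ROLES[needed]:
            return False, "procedure %s not allowed for role %s" % (procedure, grant.role)
        return True, "ok"

    def revoke_expired(self):
        """Scheduled job: delete every grant past its TTL and return their ids."""
        revoked = []
        for g in self.grants.values():
            if g.active and self._clock() >= g.expires_at:
                g.active = False
                revoked.append(g.request_id)
                self._log("access_deleted", request_id=g.request_id)
        return revoked


def demo_access():
    """Walk the 3AM scenario with a controllable clock and return what happened."""
    now = [datetime(2018, 1, 1, 3, 0, tzinfo=timezone.utc)]
    broker = AccessBroker(pci_targets={"db-pci-01"}, clock=lambda: now[0])
    pci = broker.request_access("oncall", "db-pci-01", "RW", alert_id="#571")
    lab = broker.request_access("oncall", "web-lab-07", "RO", alert_id="#571")
    out = {"pci_token": pci.token is not None, "lab_token": lab.token is not None}

    def attempt(name, *args, **kw):
        try:
            out[name] = broker.run_procedure(*args, **kw)
        except PermissionError:
            out[name] = False

    attempt("rw_restart", pci.request_id, "restart_service", token=pci.token)
    attempt("rw_rotate", pci.request_id, "rotate_credentials", token=pci.token)  # RW < Admin
    attempt("bad_token", pci.request_id, "show_status", token="guess")
    now[0] += ACCESS_TTL                                  # 2 hours later
    out["revoked"] = broker.revoke_expired()
    attempt("after_expiry", pci.request_id, "show_status", token=pci.token)
    out["events"] = [e["event"] for e in broker.audit]
    return out
```

Two design points worth keeping when this is built for real: the expiry check runs on every use, not only in the scheduled cleanup, so a grant that outlives a missed cron run is still useless; and denials are logged with the same shape as successes, which is what makes the "track human mistakes" review on the next slides possible.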

Slide 24

Slide 24 text

3AM, an alert is triggered (screenshot: x1 SBG #571)

Slide 25

Slide 25 text

What's cool? • Easy traceability of human and automated actions • Simplified access control • Lower risk of access usurpation (someone acting under another person's access) • Triggering automated procedures is easier Challenges • Code has to be efficient and secure • CI/CD

Slide 26

Slide 26 text

What's risky? • Code has to be efficient and secure • OWASP Top Ten Project: 10 scenarios

Slide 27

Slide 27 text

8AM, daily log review

Slide 28

Slide 28 text

Daily log review

Slide 29

Slide 29 text

8AM, daily log review: PCI DSS control objectives and requirements

Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an information security policy
12. Maintain a policy that addresses information security for all personnel

Slide 30

Slide 30 text

Daily log review • Log Insight

Slide 31

Slide 31 text

Daily log review • Log sources: /var/log/*, ESXi syslog, switch syslog, Windows Event Log, … => Log management

Slide 32

Slide 32 text

Daily log review

Slide 33

Slide 33 text

Daily log review

Slide 34

Slide 34 text

Daily log review • Defined log patterns • Trigger dashboards / alerting / automated operations on pattern matches

Slide 35

Slide 35 text

Daily log review • Scenario checkVcenterLoginFailed (dashboard panels: Restricted / Open)

Slide 36

Slide 36 text

Daily log review • Scenario checkNetworkOperations – Only automation users should manage some network configuration • Authentication configuration (prevents unauthorized access) • IP / VLAN configuration (confidentiality) => Track unknown processes not yet covered by automation, or a potential security leak
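Both review scenarios (checkVcenterLoginFailed and checkNetworkOperations) as one added example, not code from the speaker's platform: defined patterns are applied to the lines the log management layer hands back, failed vCenter logins are counted per user and source address against a threshold, and any network configuration change made by an account outside the automation set becomes a finding. The log line formats, the automation account names, the threshold and the sample lines are all constructed for the example (the switch lines are modelled on the shape of a syslog CONFIG_I message, not copied from a device). The patterns are kept as named, compiled objects so they can be unit-tested on their own, which is the "unit tests for regexes" point the OWASP slide makes later in the deck.

```python
"""Added example of the daily log review: defined patterns over collected
log lines, producing findings for a dashboard, an alert or an automated fix.
Not the speaker's code; formats, accounts, threshold and samples are constructed."""
import re
from collections import Counter

AUTOMATION_USERS = {"svc-automation", "svc-netops"}   # assumption: the robots' accounts
FAILED_LOGIN_THRESHOLD = 3                           # assumption: same user+ip per review window

# Constructed sample of what the log management layer would hand back.
SAMPLE_LOG = """\
2018-03-01T03:01:10Z vcenter01 vpxd: Login failed for user admin@vsphere.local from 10.1.2.3
2018-03-01T03:01:12Z vcenter01 vpxd: Login failed for user admin@vsphere.local from 10.1.2.3
2018-03-01T03:01:15Z vcenter01 vpxd: Login failed for user admin@vsphere.local from 10.1.2.3
2018-03-01T03:02:00Z vcenter01 vpxd: Login failed for user oncall@vsphere.local from 10.9.9.9
2018-03-01T03:03:30Z vcenter01 vpxd: Login succeeded for user oncall@vsphere.local from 10.9.9.9
2018-03-01T03:05:00Z sw-core-01 %SYS-5-CONFIG_I: Configured from vty by svc-netops on vty0 (10.0.0.5)
2018-03-01T03:07:41Z sw-core-01 %SYS-5-CONFIG_I: Configured from console by jdoe on console
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PATTERNS = {
    "checkVcenterLoginFailed": re.compile(
        r"vpxd: Login failed for user (?P<user>\S+) from (?P<ip>" + IPV4 + r")$"),
    "checkNetworkOperations": re.compile(
        r"CONFIG_I: Configured from (?P<via>\S+) by (?P<user>\S+) on (?P<line>\S+)"
        r"(?: \((?P<ip>" + IPV4 + r")\))?$"),
}


def review(text):
    """Apply every pattern to every line; return counts, changes and findings."""
    failed = Counter()          # (user, ip) -> failed login count
    net_changes = []            # every config change, for the dashboard
    findings = []               # what a human must look at (or a robot must act on)
    for line in text.splitlines():
        m = PATTERNS["checkVcenterLoginFailed"].search(line)
        if m:
            failed[(m["user"], m["ip"])] += 1
            continue
        m = PATTERNS["checkNetworkOperations"].search(line)
        if m:
            net_changes.append({"user": m["user"], "via": m["via"], "ip": m["ip"], "line": line})
            if m["user"] not in AUTOMATION_USERS:
                # A human touched network config: either a process automation
                # does not cover yet, or a potential security leak.
                findings.append({"check": "checkNetworkOperations", "severity": "high",
                                 "user": m["user"], "via": m["via"]})
    for (user, ip), n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append({"check": "checkVcenterLoginFailed", "severity": "medium",
                             "user": user, "ip": ip, "count": n})
    return {"failed_logins": dict(failed), "network_changes": net_changes, "findings": findings}
```

Anchoring the patterns with `$` and naming the capture groups keeps a later log format change from silently matching nothing: a pattern that stops matching fails its unit test instead of quietly emptying the dashboard.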

Slide 37

Slide 37 text

Secure coding using the OWASP toolbox

Slide 38

Slide 38 text

OWASP • Yearly awareness training for all developers, with exercises (CTF) • Unit tests for regexes • Sanitize all inputs • … • https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project • https://www.owasp.org/index.php/OWASP_Juice_Shop_Project

Slide 39

Slide 39 text

Ending

Slide 40

Slide 40 text

Ending • Code in production became more and more critical over time • Secure coding • A good CI/CD process => good releases and fewer regressions • Make process