
Top Priorities for Cloud Application Security

Teri
November 02, 2018


Do you want to improve your cloud application security? You might think the biggest thing you need to worry about is S3 buckets, but you can actually leverage the cloud and DevSecOps in much more powerful ways to secure your applications. This talk was first presented at Countermeasure IT in Ottawa, Canada, in November 2018.


Transcript

  1. What’s different about the cloud? The “CLOUD” is one huge AUTOMATED configuration management platform. ©2018 2nd Sight Lab
  2. To Make This Happen… Requires Executive Leadership Support, Commitment, and Investment.
  3. Only code goes in source control
     No secrets, binaries, containers, or any components derived from source code.
  4. Component Repositories
     Examples:
     • Docker Images
     • Java Jar Files
     • Python Packages
     • Node Packages
     • Windows DLLs
  5. Secret and Parameter Repositories
     • Database passwords
     • Encryption keys
     • License keys
     • Environment parameters
     Keep secrets out of code! Code should not change on deployment.
     AWS SSM Parameter Store, Azure Key Vault
  6. Cloud Design Patterns
     [Diagram: Templates, with Inputs and Outputs]
     • Improve Consistency
     • Reduce Human Error
     • Speed up approval process
  7. Segregation of Duties: Teams
     [Diagram: teams Developer, DevOps, Security; areas Application, Systems, Security Services; flow Deploy Code, Security Checks, Promote Code, Promote Code]
  8. Application Architecture
     • Network Design
     • Segregation
     • Least privilege
     • Authentication
     • Authorization
     • Encryption
     • Availability
     • Performance
     • Monitoring
  9. Segregation of Duties: Microservices
     [Diagram: Account Microservice, Product Catalog Microservice, Reporting Microservice; owned by Team A, Team B, Team C; Promote Code between them]
  10. Software Development Lifecycle
      • Requirements
      • Development
      • Testing
      • Deployment
      [Diagram: Requirements, Code, Tests, Production Configuration]
  11. Segregation of Duties: Code Promotion
      [Diagram: DEV (Developer), QA (QA), PROD (Ops); Promote Code between each stage]
  12. Continuous Integration + Deployment (CI/CD)
      [Diagram: Promote Code triggers job; Security Checks; PASS leads to Deploy, FAIL stops the job]
  13. Create and enforce policies in repositories
      Prevent problems before they are deployed
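Slides 3, 5 and 13 together describe one policy: only code goes into source control, secrets are resolved at runtime from a parameter store, and the repository enforces that rule before anything reaches a deployment. The Python check below is an added example of such a repository gate; it is not code from the deck or from 2nd Sight Lab. The file names and contents, the artifact suffix list and the secret patterns are constructed assumptions (the access key id is the documented AWS example value, not a real credential).

```python
"""Repository policy gate: refuse commits that carry secrets or build
artifacts. Added example for slides 3, 5 and 13; not code from the deck."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Binaries, packages and key material that are derived from source or are
# secrets, and so do not belong in source control (slides 3 and 4).
# Assumed list; extend it to match your own build outputs.
DISALLOWED_SUFFIXES = (".jar", ".dll", ".exe", ".zip", ".whl", ".tgz",
                       ".pem", ".key", ".pfx", ".p12")

# Illustrative hard-coded secret patterns; a real policy would use a
# dedicated scanner with a tuned rule set and an allow-list.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "hardcoded_password": re.compile(
        r"(?i)\b(password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{4,}['\"]"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int  # 0 for findings about the file as a whole
    rule: str


def check_repository(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> content and return every policy violation."""
    findings: List[Finding] = []
    for path, content in files.items():
        if path.lower().endswith(DISALLOWED_SUFFIXES):
            findings.append(Finding(path, 0, "disallowed_artifact"))
            continue  # the file itself is the finding; do not scan its bytes
        for lineno, text in enumerate(content.splitlines(), start=1):
            for rule, pattern in SECRET_PATTERNS.items():
                if pattern.search(text):
                    findings.append(Finding(path, lineno, rule))
    return findings


def commit_allowed(files: Dict[str, str]) -> bool:
    """Pre-commit / CI verdict: True only when no finding was produced."""
    return not check_repository(files)


# Constructed sample repository (hypothetical paths and contents).
SAMPLE_REPO = {
    # Compliant: the secret is resolved at runtime from the parameter store.
    "app/db.py": "DB_PASSWORD = secret_store.get('prod/db/password')\n",
    # Violations: a literal password and a hard-coded access key id.
    "app/legacy.py": ("password = 'hunter2hunter2'\n"
                      "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n"),
    # Violation: private key material embedded in source.
    "deploy/sign.py": ('SIGNING_KEY = """-----BEGIN RSA PRIVATE KEY-----\n'
                       'MIIE...constructed...\n'
                       '-----END RSA PRIVATE KEY-----"""\n'),
    # Violations: build output and a key file committed as artifacts.
    "build/app.jar": "<binary>",
    "deploy/server.pem": "<binary>",
}

if __name__ == "__main__":
    for f in check_repository(SAMPLE_REPO):
        print(f"{f.path}:{f.line} {f.rule}")
    print("PASS" if commit_allowed(SAMPLE_REPO) else "FAIL")
```

Run as a pre-commit hook or as the first stage of the pipeline job: `check_repository` lists every violation so a developer can fix them in one pass, and `commit_allowed` gives the single boolean the job uses to stop. The compliant file shows the intended pattern from slide 5: the code names the parameter, and the value is fetched from the store at runtime, so the code itself never changes between deployments.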
  14. Check cloud configurations: The Dreaded S3 Bucket!
      • Enforce Encryption
      • Disallow Public Settings
      • Enforce Logging
      • Check CORS configuration
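As an added example for slides 12 and 14 (not code from the deck or from 2nd Sight Lab), the Python below runs the four S3 checks from slide 14 over a bucket description and turns the result into the PASS/FAIL verdict of the CI/CD job on slide 12. The input dicts are shaped after the S3 GetBucketEncryption, GetPublicAccessBlock, GetBucketLogging and GetBucketCors responses so the same checks could be fed from real describe calls, but the two sample buckets, their names and the CORS policy (no write methods from a wildcard origin) are constructed assumptions.

```python
"""S3 bucket configuration gate. Added example for slides 12 and 14; not
code from the deck. Each bucket is a dict whose keys mirror the shape of
the S3 API responses (GetBucketEncryption, GetPublicAccessBlock,
GetBucketLogging, GetBucketCors); the samples are constructed."""
from typing import Dict, List

ACCEPTED_SSE = {"AES256", "aws:kms"}
PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")
WRITE_METHODS = {"PUT", "POST", "DELETE"}


def check_encryption(bucket: dict) -> List[str]:
    """Slide 14, Enforce Encryption: a default SSE rule must exist."""
    rules = bucket.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {})
                   .get("SSEAlgorithm") for r in rules}
    if not algorithms & ACCEPTED_SSE:
        return ["encryption: no default server-side encryption rule"]
    return []


def check_public_access(bucket: dict) -> List[str]:
    """Slide 14, Disallow Public Settings: all four block flags on, no public ACL."""
    pab = bucket.get("PublicAccessBlockConfiguration", {})
    findings = [f"public: {flag} is not enabled"
                for flag in PUBLIC_ACCESS_FLAGS if not pab.get(flag)]
    if bucket.get("ACL") in ("public-read", "public-read-write"):
        findings.append(f"public: canned ACL {bucket['ACL']} grants anonymous access")
    return findings


def check_logging(bucket: dict) -> List[str]:
    """Slide 14, Enforce Logging: server access logs must go to a target bucket."""
    if not bucket.get("LoggingEnabled", {}).get("TargetBucket"):
        return ["logging: server access logging is not enabled"]
    return []


def check_cors(bucket: dict) -> List[str]:
    """Slide 14, Check CORS (assumed policy): no write methods from any origin."""
    findings = []
    for i, rule in enumerate(bucket.get("CORSRules", [])):
        if "*" in rule.get("AllowedOrigins", []) and \
                WRITE_METHODS & set(rule.get("AllowedMethods", [])):
            findings.append(f"cors: rule {i} allows write methods from any origin")
    return findings


CHECKS = (check_encryption, check_public_access, check_logging, check_cors)


def evaluate(bucket: dict) -> List[str]:
    """Run every check; an empty list means the bucket is compliant."""
    findings: List[str] = []
    for check in CHECKS:
        findings.extend(check(bucket))
    return findings


def pipeline_verdict(buckets: Dict[str, dict]) -> Dict[str, str]:
    """Slide 12: the deployment job passes only when no finding remains."""
    return {name: "PASS" if not evaluate(cfg) else "FAIL"
            for name, cfg in buckets.items()}


# Constructed samples (hypothetical bucket names and values).
COMPLIANT_BUCKET = {
    "ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/app-data"}}]},
    "PublicAccessBlockConfiguration": {flag: True for flag in PUBLIC_ACCESS_FLAGS},
    "ACL": "private",
    "LoggingEnabled": {"TargetBucket": "example-access-logs", "TargetPrefix": "app-data/"},
    "CORSRules": [{"AllowedOrigins": ["https://app.example.com"],
                   "AllowedMethods": ["GET", "PUT"]}],
}
DREADED_BUCKET = {
    # No encryption rule, no logging, every block flag off, public ACL,
    # and a CORS rule that accepts uploads from any origin.
    "PublicAccessBlockConfiguration": {flag: False for flag in PUBLIC_ACCESS_FLAGS},
    "ACL": "public-read",
    "CORSRules": [{"AllowedOrigins": ["*"], "AllowedMethods": ["GET", "PUT", "POST"]}],
}

if __name__ == "__main__":
    for name, cfg in (("app-data", COMPLIANT_BUCKET), ("dreaded", DREADED_BUCKET)):
        print(name, pipeline_verdict({name: cfg})[name], evaluate(cfg))
```

The same functions serve both halves of the deck: run before deployment against the template or stack outputs they implement slide 13 (prevent problems before they are deployed), and run on a schedule against live bucket descriptions they are the configuration checking and alerting step of slide 15.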
  15. After Deployment ~ Continue to Monitor
      • Vulnerability Scanning
      • Web Application Firewall (WAF)
      • Configuration checking tools
      • Flow Logs
      • IDS/IPS
      • SIEM
      • Alerts
      • Auto-Remediation
  16. In Summary...
      • Leverage the automated configuration management of the cloud
      • Deploy everything through an automated pipeline
      • Build best practices and security checks into deployment jobs
      • Automate governance and compliance checks
      • Incorporate segregation into your design of teams and systems
      • Turn findings into developer tasks
      • Generate cyber security risk reports from findings and inventory
      • Assign responsibility for risk to the person prioritizing the work