Top Priorities for Cloud Application Security

Transcript

1. Top Priorities for Cloud Application Security @teriradichel Countermeasure, Ottawa, Canada

   2018 ©2018 2nd Sight Lab

2. ©2018 2nd Sight Lab We know what to do.

3. ©2018 2nd Sight Lab

4. ©2018 2nd Sight Lab Why isn’t this working?

5. ©2018 2nd Sight Lab It only takes one mistake.

6. ©2018 2nd Sight Lab CVE-2017-5638

7. ©2018 2nd Sight Lab

8. ©2018 2nd Sight Lab What’s different about the cloud? The

   “CLOUD” is one huge AUTOMATED configuration management platform. ©2018 2nd Sight Lab

9. ©2018 2nd Sight Lab Everything is code.

10. ©2018 2nd Sight Lab Code everything.

11. ©2018 2nd Sight Lab Automate Deployments ©2018 2nd Sight Lab

12. ©2018 2nd Sight Lab Reduce Human Error

13. ©2018 2nd Sight Lab Monitor Everything

14. ©2018 2nd Sight Lab Instead of this...

15. ©2018 2nd Sight Lab Inline Security Scans

16. ©2018 2nd Sight Lab Automate Governance & Compliance

17. ©2018 2nd Sight Lab Identify Risk Sooner (vulnerabilities)

18. ©2018 2nd Sight Lab Reporting and Metrics ©2018 2nd Sight

    Lab

19. ©2018 2nd Sight Lab Do More. ©2018 2nd Sight Lab

20. ©2018 2nd Sight Lab To Make This Happen… Requires Executive

    Leadership Support, Commitment, and Investment.

21. ©2018 2nd Sight Lab Make friends with developers

22. ©2018 2nd Sight Lab Build It. ©2018 2nd Sight Lab

23. ©2018 2nd Sight Lab Deploy from a source code repository.

24. ©2018 2nd Sight Lab Only code goes in source control

    No secrets, binaries, containers, or any components derived from source code.

25. ©2018 2nd Sight Lab Component Repositories Examples: • Docker Images

    • Java Jar Files • Python Packages • Node Packages • Windows DLLs

26. ©2018 2nd Sight Lab Secret and Parameter Repositories • Database

    passwords • Encryption keys • License keys • Environment parameters Keep secrets out of code! Code should not change on deployment. AWS SSM Parameter Store Azure Key Vault

27. ©2018 2nd Sight Lab Configuration Management Tools Azure Templates

28. ©2018 2nd Sight Lab Cloud Design Patterns Templates Inputs •

    Improve Consistency • Reduce Human Error • Speed up approval process Outputs

29. ©2018 2nd Sight Lab Deployment Pipeline Architecture

30. ©2018 2nd Sight Lab Application DevOps Systems Security Services Deploy

    Code Security Checks Promote Code Promote Code Segregation of Duties: Teams Developer DevOps Security ©2018 2nd Sight Lab

31. ©2018 2nd Sight Lab Application Architecture • Network Design •

    Segregation • Least privilege • Authentication • Authorization • Encryption • Availability • Performance • Monitoring

32. ©2018 2nd Sight Lab Account Microservice Product Catalog Microservice Reporting

    Microservice Promote Code Promote Code Segregation of Duties: Microservices Team A Team B Team C ©2018 2nd Sight Lab

33. ©2018 2nd Sight Lab Software Development Lifecycle • Requirements •

    Development • Testing • Deployment Requirements Code Tests Production Configuration

34. ©2018 2nd Sight Lab DEV QA PROD Developer QA OPs

    Promote Code Promote Code Segregation of Duties: Code Promotion ©2018 2nd Sight Lab

35. ©2018 2nd Sight Lab PROMOTE CODE TRIGGERS JOB SECURITY CHECKS

    DEPLOY PASS FAIL Continuous Integration + Deployment (CI/CD)e ©2018 2nd Sight Lab

36. ©2018 2nd Sight Lab Jenkins Job https://jenkins.io/pipeline/getting-started-pipelines/

37. ©2018 2nd Sight Lab https://www.cloudbees.com/blog/xunit-and-pipeline Test Failed

38. ©2018 2nd Sight Lab https://www.cloudbees.com/blog/top-10-best-practices-jenkins-pipeline-plugin

39. ©2018 2nd Sight Lab Automated Code and Vulnerability Scanning

40. ©2018 2nd Sight Lab Find vulnerable source code GitHub dependency

    graph

41. ©2018 2nd Sight Lab Create and enforce policies in repositories

    Prevent problems before they are deployed

42. ©2018 2nd Sight Lab Check cloud configurations The Dreaded S3

    Bucket! • Enforce Encryption • Disallow Public Settings • Enforce Logging • Check CORS configuration

43. ©2018 2nd Sight Lab Security Tests in QA Automation

44. ©2018 2nd Sight Lab

45. ©2018 2nd Sight Lab ©2018 2nd Sight Lab

46. ©2018 2nd Sight Lab ©2018 2nd Sight Lab

47. ©2018 2nd Sight Lab ©2018 2nd Sight Lab

48. ©2018 2nd Sight Lab After Deployment ~ Continue to Monitor

    • Vulnerability Scanning • Web Application Firewall (WAF) • Configuration checking tools • Flow Logs • IDS/IPS • SIEM • Alerts • Auto-Remediation ©2018 2nd Sight Lab

49. ©2018 2nd Sight Lab Azure Security Center

50. ©2018 2nd Sight Lab AWS Inspector

51. ©2018 2nd Sight Lab Valid Findings Turn Into Developer Tasks...

52. ©2018 2nd Sight Lab Cyber Security

53. ©2018 2nd Sight Lab In Summary... • Leverage the automated

    configuration management of the cloud • Deploy everything through an automated pipeline • Build best practices and security checks into deployment jobs • Automate governance and compliance checks • Incorporate segregation into your design of teams and systems • Turn findings into developer tasks • Generate cyber security risk reports from findings and inventory • Assign responsibility for risk to the person prioritizing the work ©2018 2nd Sight Lab

54. ©2018 2nd Sight Lab Thank you! @teriradichel ©2018 2nd Sight

    Lab