Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Top Priorities for Cloud Application Security

Teri
November 02, 2018
Technology
0
51

Top Priorities for Cloud Application Security

Do you want to improve your cloud application security? You might think the biggest thing you need to worry about is S3 buckets, but you can actually leverage the cloud and DevSecOps in much more powerful ways to secure your applications. This talk was first presented at Countermeasure IT in Ottawa, Canada in November 2018

Teri

November 02, 2018
Tweet

More Decks by Teri

See All by Teri
Azure for Auditors
radichel
0
48
Stopping Cloud Breaches
radichel
0
97
Are you ready for a cloud pentest?
radichel
0
200
Azure Security Assessments
radichel
0
580

Other Decks in Technology

See All in Technology
[CV勉強会@関東 ECCV2024 読み会] オンラインマッピング x トラッキング MapTracker: Tracking with Strided Memory Fusion for Consistent Vector HD Mapping (Chen+, ECCV24)
abemii
0
220
隣接領域をBeyondするFinatextのエンジニア組織設計 / beyond-engineering-areas
stajima
1
270
ドメインの本質を掴む / Get the essence of the domain
sinsoku
2
150
信頼性に挑む中で拡張できる・得られる1人のスキルセットとは?
ken5scal
2
530
Can We Measure Developer Productivity?
ewolff
1
150
強いチームと開発生産性
onk
PRO
34
11k
なぜ今 AI Agent なのか _近藤憲児
kenjikondobai
4
1.4k
Application Development WG Intro at AppDeveloperCon
salaboy
0
180
ハイパーパラメータチューニングって何をしているの
toridori_dev
0
140
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
470
10XにおけるData Contractの導入について: Data Contract事例共有会
10xinc
5
610
[FOSS4G 2024 Japan LT] LLMを使ってGISデータ解析を自動化したい!
nssv
1
210

Featured

See All Featured
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
Bash Introduction
62gerente
608
210k
Designing for Performance
lara
604
68k
Agile that works and the tools we love
rasmusluckow
327
21k
Navigating Team Friction
lara
183
14k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
93
16k
Designing on Purpose - Digital PM Summit 2013
jponch
115
7k
Scaling GitHub
holman
458
140k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Designing Experiences People Love
moore
138
23k

Transcript

  1. Top Priorities for Cloud Application Security @teriradichel Countermeasure, Ottawa, Canada

    2018 ©2018 2nd Sight Lab

  2. ©2018 2nd Sight Lab We know what to do.

  3. ©2018 2nd Sight Lab

  4. ©2018 2nd Sight Lab Why isn’t this working?

  5. ©2018 2nd Sight Lab It only takes one mistake.

  6. ©2018 2nd Sight Lab CVE-2017-5638

  7. ©2018 2nd Sight Lab

  8. ©2018 2nd Sight Lab What’s different about the cloud? The

    “CLOUD” is one huge AUTOMATED configuration management platform. ©2018 2nd Sight Lab

  9. ©2018 2nd Sight Lab Everything is code.

  10. ©2018 2nd Sight Lab Code everything.

  11. ©2018 2nd Sight Lab Automate Deployments ©2018 2nd Sight Lab

  12. ©2018 2nd Sight Lab Reduce Human Error

  13. ©2018 2nd Sight Lab Monitor Everything

  14. ©2018 2nd Sight Lab Instead of this...

  15. ©2018 2nd Sight Lab Inline Security Scans

  16. ©2018 2nd Sight Lab Automate Governance & Compliance

  17. ©2018 2nd Sight Lab Identify Risk Sooner (vulnerabilities)

  18. ©2018 2nd Sight Lab Reporting and Metrics ©2018 2nd Sight

    Lab

  19. ©2018 2nd Sight Lab Do More. ©2018 2nd Sight Lab

  20. ©2018 2nd Sight Lab To Make This Happen… Requires Executive

    Leadership Support, Commitment, and Investment.

  21. ©2018 2nd Sight Lab Make friends with developers

  22. ©2018 2nd Sight Lab Build It. ©2018 2nd Sight Lab

  23. ©2018 2nd Sight Lab Deploy from a source code repository.

  24. ©2018 2nd Sight Lab Only code goes in source control

    No secrets, binaries, containers, or any components derived from source code.

  25. ©2018 2nd Sight Lab Component Repositories Examples: • Docker Images

    • Java Jar Files • Python Packages • Node Packages • Windows DLLs

  26. ©2018 2nd Sight Lab Secret and Parameter Repositories • Database

    passwords • Encryption keys • License keys • Environment parameters Keep secrets out of code! Code should not change on deployment. AWS SSM Parameter Store Azure Key Vault

  27. ©2018 2nd Sight Lab Configuration Management Tools Azure Templates

  28. ©2018 2nd Sight Lab Cloud Design Patterns Templates Inputs •

    Improve Consistency • Reduce Human Error • Speed up approval process Outputs

  29. ©2018 2nd Sight Lab Deployment Pipeline Architecture

  30. ©2018 2nd Sight Lab Application DevOps Systems Security Services Deploy

    Code Security Checks Promote Code Promote Code Segregation of Duties: Teams Developer DevOps Security ©2018 2nd Sight Lab

  31. ©2018 2nd Sight Lab Application Architecture • Network Design •

    Segregation • Least privilege • Authentication • Authorization • Encryption • Availability • Performance • Monitoring

  32. ©2018 2nd Sight Lab Account Microservice Product Catalog Microservice Reporting

    Microservice Promote Code Promote Code Segregation of Duties: Microservices Team A Team B Team C ©2018 2nd Sight Lab

  33. ©2018 2nd Sight Lab Software Development Lifecycle • Requirements •

    Development • Testing • Deployment Requirements Code Tests Production Configuration

  34. ©2018 2nd Sight Lab DEV QA PROD Developer QA OPs

    Promote Code Promote Code Segregation of Duties: Code Promotion ©2018 2nd Sight Lab

  35. ©2018 2nd Sight Lab PROMOTE CODE TRIGGERS JOB SECURITY CHECKS

    DEPLOY PASS FAIL Continuous Integration + Deployment (CI/CD)e ©2018 2nd Sight Lab

  36. ©2018 2nd Sight Lab Jenkins Job https://jenkins.io/pipeline/getting-started-pipelines/

  37. ©2018 2nd Sight Lab https://www.cloudbees.com/blog/xunit-and-pipeline Test Failed

  38. ©2018 2nd Sight Lab https://www.cloudbees.com/blog/top-10-best-practices-jenkins-pipeline-plugin

  39. ©2018 2nd Sight Lab Automated Code and Vulnerability Scanning

  40. ©2018 2nd Sight Lab Find vulnerable source code GitHub dependency

    graph

  41. ©2018 2nd Sight Lab Create and enforce policies in repositories

    Prevent problems before they are deployed

  42. ©2018 2nd Sight Lab Check cloud configurations The Dreaded S3

    Bucket! • Enforce Encryption • Disallow Public Settings • Enforce Logging • Check CORS configuration

  43. ©2018 2nd Sight Lab Security Tests in QA Automation

  44. ©2018 2nd Sight Lab

  45. ©2018 2nd Sight Lab ©2018 2nd Sight Lab

  46. ©2018 2nd Sight Lab ©2018 2nd Sight Lab

  47. ©2018 2nd Sight Lab ©2018 2nd Sight Lab

  48. ©2018 2nd Sight Lab After Deployment ~ Continue to Monitor

    • Vulnerability Scanning • Web Application Firewall (WAF) • Configuration checking tools • Flow Logs • IDS/IPS • SIEM • Alerts • Auto-Remediation ©2018 2nd Sight Lab

  49. ©2018 2nd Sight Lab Azure Security Center

  50. ©2018 2nd Sight Lab AWS Inspector

  51. ©2018 2nd Sight Lab Valid Findings Turn Into Developer Tasks...

  52. ©2018 2nd Sight Lab Cyber Security

  53. ©2018 2nd Sight Lab In Summary... • Leverage the automated

    configuration management of the cloud • Deploy everything through an automated pipeline • Build best practices and security checks into deployment jobs • Automate governance and compliance checks • Incorporate segregation into your design of teams and systems • Turn findings into developer tasks • Generate cyber security risk reports from findings and inventory • Assign responsibility for risk to the person prioritizing the work ©2018 2nd Sight Lab

  54. ©2018 2nd Sight Lab Thank you! @teriradichel ©2018 2nd Sight

    Lab