WHOAMI
Dženan Dževlan, DevOps Lead

Agenda
▪ What is DevSecOps
▪ Why is this something we talk about with cloud
▪ Security as code
▪ Enforcement
▪ Security culture
WHAT IS DEVSECOPS
DevSecOps automates security within the DevOps workflow, expanding collaboration between Dev and Ops to include Security.
First: embed code analysis and security testing in code QA.
Later: add operations-centric controls:
• Logging
• Event monitoring
• Configuration, patch and user-privilege management
• Vulnerability assessment
GOALS OF DEVSECOPS
Scalable infrastructure needs scalable security.
▪ Security controls
  ▪ Directive / preventive
  ▪ Detective / alerting
  ▪ Responsive / automating
▪ Security culture: ownership as part of the DNA
  ▪ Promotes a culture of "everyone is an owner" for security
  ▪ Makes security a stakeholder in business success
  ▪ Enables easier and smoother communication
▪ Security that is:
  ▪ Applied throughout the development process
  ▪ Non-blocking
  ▪ Automated (responsive, reliable, scalable)
  ▪ Built in and current
  ▪ Available as a self-service
  ▪ Working at scale
CLOUD-SCALE SECURITY
▪ Infrastructure as code
  ▪ Base requirement
  ▪ Split ownership
  ▪ Pre-deploy validation
▪ Elastic security automation
  ▪ API driven
  ▪ Auto Scaling group lifecycle hooks
  ▪ Execution layer scales with its targets
▪ Run-time security
  ▪ Tag-based targeting
  ▪ Rip-and-replace
  ▪ Continuous pen testing
▪ Immutable infrastructure
  ▪ Validation and enforcement
  ▪ Integrated with managed services
AWS TOOLING
▪ Execution
  ▪ AWS Lambda
▪ Tracking
  ▪ AWS Config Rules
  ▪ Amazon CloudWatch Events
  ▪ AWS Step Functions
  ▪ AWS CloudTrail
  ▪ Amazon Inspector
▪ Track / log
  ▪ Amazon CloudWatch Logs
  ▪ Amazon DynamoDB
▪ Alert
  ▪ Amazon SNS
▪ Third-party open source
WHERE DO YOU WANT SECURITY AUTOMATION
▪ Security of the CI/CD pipeline (the pipeline itself: its credentials, runners and artifact stores)
▪ Security in the CI/CD pipeline (checks the pipeline runs on every change)
▪ Cloud-native approach to security
▪ CI/CD for DevOps vs. CI/CD for DevSecOps
(Diagram: CI/CD for DevOps)
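An added example of "security in the CI/CD pipeline", written for this page and not taken from the talk or from the git-secrets project: a git-secrets-style scanner that walks a unified diff and blocks the change when an AWS credential appears on an added line. The two patterns, the allow-list (AWS's documented example credentials, which git-secrets also allows by default) and the sample diff are assumptions constructed for the demo; removed lines are deliberately ignored so that deleting a leaked key is never blocked.

```python
"""
git-secrets-style scan of a unified diff, run as a CI/CD (or pre-commit) gate.
Only lines ADDED by the change are scanned; removed lines are ignored.
"""
import re
import sys
from typing import List, Tuple

# Detection patterns modelled on the git-secrets AWS provider (assumption: an
# access-key-ID pattern and a secret-key-assignment pattern are enough here).
PATTERNS = {
    "aws_access_key_id": re.compile(
        r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])"),
    "aws_secret_access_key": re.compile(
        r"(?i)(?:aws_?)?secret(?:_?access)?(?:_?key)?['\"]?\s*(?:=|:|=>)\s*"
        r"['\"]?(?P<value>[A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
}

# AWS's documented example credentials: blocking them would break every
# README that quotes the AWS docs, so they are allow-listed.
ALLOWED = {
    "AKIAIOSFODNN7EXAMPLE",
    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}

Finding = Tuple[str, int, str, str]  # (file, new-file line number, kind, value)


def scan_diff(diff_text: str) -> List[Finding]:
    """Walk a unified diff, track the post-change line number, and flag
    credentials that appear on '+' lines and are not allow-listed."""
    findings: List[Finding] = []
    path, lineno = "", 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
            continue
        if line.startswith(("--- ", "diff ", "index ", "\\")):
            continue
        m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", line)
        if m:
            lineno = int(m.group(1)) - 1   # first line of the hunk is lineno+1
            continue
        if line.startswith("-"):
            continue                        # removed line: has no new-file number
        lineno += 1                         # context (' ') or added ('+') line
        if not line.startswith("+"):
            continue
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line[1:]):
                value = match.group("value") if "value" in pattern.groupindex else match.group(0)
                if value not in ALLOWED:
                    findings.append((path, lineno, kind, value))
    return findings


# Constructed sample diff (not a real commit): one removed line, two
# real-looking credentials added, and one allow-listed documentation key.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAABCDEFGHIJKLMNOP"
+AWS_SECRET = "abcdefghijklmnopqrstuvwxyz0123456789ABCD"
+EXAMPLE_KEY = "AKIAIOSFODNN7EXAMPLE"  # copied from AWS documentation
 REGION = "eu-west-1"
"""


def gate(diff_text: str) -> int:
    """Exit status for the pipeline step: 0 = clean, 1 = block the change."""
    findings = scan_diff(diff_text)
    for path, lineno, kind, value in findings:
        print(f"{path}:{lineno}: {kind}: {value}")
    return 1 if findings else 0


if __name__ == "__main__":
    # In CI:  git diff origin/main...HEAD | python scan_secrets.py
    sys.exit(gate(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF))
```

Running it on the sample flags `config.py:2` (access key ID) and `config.py:3` (secret key) and returns 1; the documentation key on line 4 is skipped. A non-zero exit fails the pipeline stage, which is the non-blocking-until-it-matters behaviour the talk asks for: developers only hear from the check when it finds something.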
CONTROL AND VALIDATE
▪ Benchmarking infrastructure
  ▪ Pre-event (when possible)
  ▪ Post-event (always)
▪ Triggers: event-based remediation framework
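An added example for the pre-event / post-event split above, written for this page and not code from the talk, from cfn_nag or from the aws-config-rules repository: one "admin port open to the world" predicate, applied before deploy to a CloudFormation template (cfn_nag-style) and after every change as an AWS Config custom rule evaluated by Lambda. The port list, the resource names and the sample template and invocation event are assumptions constructed for the demo; the invocation shape (`invokingEvent` JSON carrying a `configurationItem`, a `resultToken`, and `PutEvaluations` to report the result) follows the AWS Config custom-rule contract.

```python
"""
One ingress-rule check enforced twice: pre-event against a CloudFormation
template and post-event as an AWS Config custom rule run by Lambda.
"""
import json
from typing import Any, Dict, Iterable, List

# Assumption for this example: only SSH and RDP from anywhere count as a
# finding; a real benchmark rule would take the port list from configuration.
ADMIN_PORTS = {22, 3389}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _covers_admin_port(proto: Any, from_port: Any, to_port: Any) -> bool:
    if str(proto) == "-1":              # "all traffic" covers every port
        return True
    if from_port is None or to_port is None:
        return False                    # e.g. ICMP rules carry no port range
    return any(int(from_port) <= p <= int(to_port) for p in ADMIN_PORTS)


def world_open_admin(cidrs: Iterable[str], proto: Any, from_port: Any, to_port: Any) -> bool:
    """True when a single ingress rule exposes an admin port to the internet."""
    return _covers_admin_port(proto, from_port, to_port) and any(c in WORLD_CIDRS for c in cidrs)


# ---- pre-event: validate the template before it is deployed -----------------
def template_findings(template: Dict[str, Any]) -> List[str]:
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidrs = [c for c in (rule.get("CidrIp"), rule.get("CidrIpv6")) if c]
            if world_open_admin(cidrs, rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")):
                findings.append(f"{name}: {rule.get('IpProtocol')} "
                                f"{rule.get('FromPort')}-{rule.get('ToPort')} open to {','.join(cidrs)}")
    return findings


# ---- post-event: AWS Config custom rule -------------------------------------
def evaluate_configuration_item(item: Dict[str, Any]) -> str:
    """Map one Config configurationItem to a compliance type."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE"
    for perm in item.get("configuration", {}).get("ipPermissions", []):
        # Config emits the older string list and the newer object lists; read both.
        cidrs = [r if isinstance(r, str) else r.get("cidrIp") for r in perm.get("ipRanges", [])]
        cidrs += [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
        if world_open_admin(cidrs, perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")):
            return "NON_COMPLIANT"
    return "COMPLIANT"


def build_evaluation(event: Dict[str, Any]) -> Dict[str, Any]:
    """Turn the Lambda invocation event into one PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_configuration_item(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    import boto3  # imported here so the pure functions above run without the SDK
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample template (not from the talk): one bad SG, one acceptable SG.
SAMPLE_TEMPLATE = {"Resources": {
    "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "bastion", "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web", "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}},
}}

# Constructed Config invocation, trimmed to the fields the handler reads.
SAMPLE_EVENT = {
    "resultToken": "example-token",
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2017-01-01T00:00:00.000Z",
        "configuration": {"ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 0, "toPort": 65535,
             "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}],
             "ipv6Ranges": []}]}}}),
}
```

The pre-event check fails the template on `BastionSG` and lets `WebSG` through (443 to the world is fine under this rule; 22 is limited to 10.0.0.0/8). The post-event check marks the sample group NON_COMPLIANT because a 0-65535 range covers port 22. Keeping the predicate in one place is the point: the template linter and the Config rule cannot drift apart, and anything created outside the pipeline (console, CLI, a compromised key) is still caught by the post-event path, which is why that path is "always".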
WHERE TO GO NEXT
▪ AWS Security blog and AWS DevOps blog
▪ git-secrets: prevents you from committing passwords and other sensitive information to a git repository.
▪ aws-security-benchmark: benchmark scripts mapped against trusted security frameworks.
▪ aws-config-rules [Node, Python, Java]: repository of sample custom rules for AWS Config.
▪ Netflix/security_monkey: monitors policy changes and alerts on insecure configurations in an AWS account.
▪ Netflix/edda: a service to track changes in your cloud deployments.
▪ ThreatResponse: open source security suite for hardening and responding in AWS.
▪ CloudSploit: captures things like open security groups, misconfigured VPCs, and more.
▪ stelligent/cfn_nag: looks for patterns in CloudFormation templates that may indicate insecure infrastructure.