
DevSecOps on AWS

Slides from my talk at Adriatic AWS Innovation Days 2019 conference in Opatija (Croatia)
https://adriatica.ws/

Dzenan Dzevlan

October 10, 2019


Transcript

  1. Adriatic AWS Innovation Days, Inc. 2019 – All Rights Reserved

    DevSecOps on AWS
    Dzenan Dzevlan, DevOps Lead, TN-TECH
  2. Who am I – Dženan Dževlan, DevOps Lead
    Agenda:
    ▪ What is DevSecOps
    ▪ Why is this something we talk about with cloud
    ▪ Security as code
    ▪ Enforcement
    ▪ Security culture
  3. What is DevSecOps
    DevSecOps automates security within the DevOps workflow, expanding collaboration between Dev and Ops to include Security.
    First: embed code analysis and testing in code QA.
    Later: add operations-centric controls:
    • Logging
    • Event monitoring
    • Configuration, patch and user privilege management
    • Vulnerability assessment
  4. Security is a shared responsibility
  5. Goals of DevSecOps – scalable infrastructure needs scalable security
    ▪ Security controls
      ▪ Directive / preventing
      ▪ Detective / alerting
      ▪ Responsive / automating
    ▪ Security culture – ownership as part of DNA
      ▪ Promotes a culture of "everyone is an owner" for security
      ▪ Makes security a stakeholder in business success
      ▪ Enables easier and smoother communication
    ▪ Security that is:
      ▪ Applied throughout the development process
      ▪ Non-blocking
      ▪ Automated (responsive, reliable, scalable)
      ▪ Built in and current
      ▪ Offered as a self-service
      ▪ Working at scale
  6. Cloud scale security
    ▪ Infrastructure as code
      ▪ Base requirement
      ▪ Split ownership
      ▪ Pre-deploy validation
    ▪ Elastic security automation
      ▪ API driven
      ▪ Auto Scaling groups – hooks
      ▪ Execution layer scales with targets
    ▪ Run time security
      ▪ Tag-based targeting
      ▪ Rip-n-replace
      ▪ Continuous pen testing
    ▪ Immutable infrastructure
      ▪ Validation and enforcement
      ▪ Integrated with managed services
  7. AWS tooling
    ▪ Execution: Lambda
    ▪ Tracking: AWS Config Rules, Amazon CloudWatch Events, AWS Step Functions, AWS CloudTrail, AWS Inspector
    ▪ Track / log: Amazon CloudWatch Logs, Amazon DynamoDB
    ▪ Alert: Amazon SNS
    ▪ Third party open source
  8. The anatomy of security automation
  9. Automate actions on events
  10. Automate actions on events
  11. Where do you want security automation
    ▪ Security of the CI/CD pipeline
    ▪ Security in the CI/CD pipeline
    ▪ Cloud-native approach to security
    ▪ CI/CD for DevOps vs CI/CD for DevSecOps
  12. Control and validate
    ▪ Benchmarking infrastructure
      ▪ Pre-event (when possible)
      ▪ Post-event (always)
    ▪ Triggers – event based
    Remediation framework
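    The event-driven loop sketched in slides 7 to 12 (AWS Config tracks a change, Lambda executes the check, the verdict feeds alerting or remediation), as an added example that is not from the deck: a Python Lambda handler for an AWS Config custom rule that marks a security group NON_COMPLIANT when any ingress rule is open to the whole internet. The names WORLD_OPEN, SAMPLE_EVENT and the injected config_client are my own assumptions; the boto3 client is only created inside Lambda, so the evaluation logic runs offline.

```python
import json

WORLD_OPEN = {"0.0.0.0/0", "::/0"}  # "anyone on the internet", v4 and v6

def evaluate_security_group(item: dict) -> str:
    """COMPLIANT or NON_COMPLIANT for one AWS::EC2::SecurityGroup item."""
    for perm in item.get("configuration", {}).get("ipPermissions", []):
        cidrs = {r.get("cidrIp") for r in perm.get("ipRanges", [])}
        cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
        if cidrs & WORLD_OPEN:  # any ingress rule open to the world fails
            return "NON_COMPLIANT"
    return "COMPLIANT"


def build_evaluation(event: dict) -> dict:
    """Parse the Config invocation (invokingEvent is a JSON string) and
    build the evaluation record that PutEvaluations expects."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_security_group(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context, config_client=None):
    """Lambda entry point: evaluate, then report the verdict back to AWS
    Config, which can fan it out to SNS or a remediation workflow."""
    evaluation = build_evaluation(event)
    if config_client is None:  # boto3 ships with the Lambda runtime
        import boto3
        config_client = boto3.client("config")
    config_client.put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample invocation: SSH (tcp/22) open to the whole internet.
SAMPLE_EVENT = {
    "resultToken": "constructed-token",
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0",
        "configurationItemCaptureTime": "2019-10-10T10:00:00.000Z",
        "configuration": {"ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]}}}),
}
```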
  13. Adriatic AWS Innovation Days, Inc. 2019 – All Rights Reserved

    Where to go next
    ▪ AWS Security and AWS DevOps blog
    ▪ git-secrets – Prevents you from committing passwords and other sensitive information to a git repository.
    ▪ aws-security-benchmark – Benchmark scripts mapped against trusted security frameworks.
    ▪ aws-config-rules – [Node, Python, Java] Repository of sample custom rules for AWS Config.
    ▪ Netflix/security_monkey – Monitors policy changes and alerts on insecure configurations in an AWS account.
    ▪ Netflix/edda – Edda is a service to track changes in your cloud deployments.
    ▪ ThreatResponse – Open source security suite for hardening and responding in AWS.
    ▪ CloudSploit – Captures things like open security groups, misconfigured VPCs, and more.
    ▪ Stelligent/Cfn_nag – Looks for patterns in CloudFormation templates that may indicate insecure infrastructure.