2 W H O A M I Dženan Dževlan ▪ W H A T I S D E V S E C O P S ▪ W H Y I S T H I S S O M E T H I N G W E T A L K A B O U T W I T H C L O U D ▪ S E C U R I T Y A S C O D E ▪ E N F O R C E M E N T ▪ S E C U R I T Y C U L T U R E DevOps Lead
3 W H A T I S D E V S E C O P S DevSecOps automates security within the DevOps workflow, expanding colaboration between Dev and Ops to include Security. First: Embed code analysis, testing in code QA Later: Add operations-centric controls: • Logging • Event monitoring • Configuration, patch, user privilege management • Vulnerability assessment
5 G O A L S O F D E V S E C O P S S c a l a b l e i n f r a s t r u c t u r e n e e d s s c a l a b l e s e c u r i t y ▪ Security controls ▪ Directive / Preventing ▪ Detective / Alerting ▪ Responsive / Automating ▪ Security Culture – Ownership as part of DNA ▪ Promotes culture of “everyone is an owner” for security ▪ Makes security stakeholder in business success ▪ Enables easier and smoother communication ▪ Security that is: ▪ Applied through the development process ▪ Is non-blocking ▪ Automatized (responsive, reliable, scalable) ▪ Built in and current ▪ As a self service ▪ Works at scale
6 C L O U D S C A L E S E C U R I T Y ▪ Infrastructure as code ▪ Base requirement ▪ Split ownership ▪ Pre-deploy validation ▪ Elastic security automation ▪ API driven ▪ Auto Scaling groups – hooks ▪ Execution layer scales with targets ▪ Run time security ▪ Tag-based targeting ▪ Rip-n-replace ▪ Continuous pen testing ▪ Immutable infrastructure ▪ Validation and enforcement ▪ Integrated with managed services
7 A W S T O O L I N G ▪ Execution ▪ Lambda ▪ Tracking ▪ AWS Config Rules ▪ Amazon CloudWatch Events ▪ AWS Step Functions ▪ AWS CloudTrail ▪ AWS Inspector ▪ Track / Log ▪ Amazon CloudWatch Logs ▪ Amazon DynamoDB ▪ Alert ▪ Amazon SNS Third party open source
11 W H E R E D O Y O U W A N T S E C U R I T Y A U T M A T I O N ▪ Security of the CI/CD pipline ▪ Security in the CI/CD pipline ▪ Cloud-native approach to the security ▪ CI/CD for DevOps vs CI/CD for DevSecOps CI/CD for DevOps
14 C O N T R O L A N D V A L I D A T E ▪ Benchmarking infrastructure ▪ Pre-event (when possible) ▪ Post-event (always) ▪ Triggers – Event based Remediation framework
15 W H E R E T O G O N E X T AWS Security and AWS DevOps blog git-secrets - Prevents you from committing passwords and other sensitive information to a git repository. aws-security-benchmark - Benchmark scripts mapped against trusted security frameworks. aws-config-rules - [Node, Python, Java] Repository of sample custom rules for AWS Config Netflix/security_monkey - Monitors policy changes and alerts on insecure configurations in an AWS account. Netflix/edda - Edda is a service to track changes in your cloud deployments. ThreatResponse - Open Source Security Suite for hardening and responding in AWS. CloudSploit – Capturing things like open security groups, misconfigured VPCs, and more. Stelligent/Cfn_nag – Looks for patterns in CloudFormation templates that may indicate insecure infrastructure.
sqlheisenberg
tenforward
nayuts
takehikohashimoto
kenichirokimura
ytake
nikinusu
sadnessojisan
minorun365
teyamagu
tenten0727
soukouki
kkamegawa
samlambert
skipperchong
maltzj
kevinliebholz
destraynor
zenorocha
eileencodes
lara
3n
chriscoyier
honnibal
