Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing the Cloud Empowering Developers to pra...

Yury Nino
February 25, 2021

Securing the Cloud Empowering Developers to practice SCE

Yury Nino

February 25, 2021
Tweet

More Decks by Yury Nino

Other Decks in Technology

Transcript

  1. ▪ Cloud & Security ▪ Cloud & Reliability ▪ Developers

    & Security ▪ Rethinking the Cloud ▪ Security Chaos Engineering ▪ Democratizing Security ▪ SCE for DevOps Culture Agenda www.ingenieriadelcaos.com
  2. • Implement a strong identity foundation. • Enable traceability. •

    Apply security at all layers. • Automate security best practice. • Protect data in transit and a rest. • Keep people away from data. • Prepare for security events. AWS - Security https://wa.aws.amazon.com/wat.pillar.security.en.html
  3. • Defense in depth. • Identity management. • Infrastructure protection.

    • Encryption. • Network security. • Application security. Azure - Security https://docs.microsoft.com/en-us/learn/modules/azure-well-architected-security/
  4. • Implement least privilege with identity and authorization controls. •

    Build a layered security approach. • Automate deployments of sensitive task. • Implement security monitoring. GCP - Security https://docs.microsoft.com/en-us/learn/modules/azure-well-architected-security/
  5. The primary RELIABILITY risks in CLOUD are non-malicious, however, SECURITY

    risks come from adversaries who are actively trying to exploit CLOUD vulnerabilities. www.ingenieriadelcaos.com
  6. Both SECURITY and RELIABILITY are concerned with the CIA confidentiality,

    integrity, and availability. www.ingenieriadelcaos.com
  7. Do you have interest in Security topics? <1% <1% 110

    developers showed interest in security topics. 14.6% of them does not show interest in security topics. This group is mostly composed of Backend Engineers. www.ingenieriadelcaos.com
  8. Do you practice OWASP? <1% <1% 60.8% of engineers do

    not practice OWASP during the software development. In this group there are 7 Software Architects and 73% are Backend Engineers. 51 engineers apply best secure development practices. www.ingenieriadelcaos.com
  9. Do you run Static Analysis? <1% <1% 23% of developers

    do not have security steps enabled in pipelines. This group includes 5 Software Architects, 14 Backend Engineers and only 1 Frontend Engineer. 100 people have security integrated in the CI/CD process. www.ingenieriadelcaos.com
  10. 49 SonarQube 2 Snyk 3 BlackDuck 1 Fortify 1 Otros

    What tools do you use for Security? www.ingenieriadelcaos.com
  11. 14% of engineers do not show interest in security issues,

    which imposes us a challenge: motivation and culture. Conclusion www.ingenieriadelcaos.com Group of people is mostly conformed by Backend Engineers. We needed motivation strategies!
  12. Nowadays, digital reliance thrust upon businesses have served to spotlight

    how drastically important secure SDLC is for businesses, customers, and society at large. www.ingenieriadelcaos.com https://techwireasia.com/2021/02/are-self-taught-coders-a-cybersecurity-problem/
  13. Security should be front of mind, both for security engineers

    and developers! Organizations must offer training and culture internally.
  14. Security Chaos Engineering It is the identification of security control

    failures through proactive experimentation to build confidence in the system’s ability to defend against malicious conditions in production. Security Chaos Engineering Book www.ingenieriadelcaos.com
  15. Gamified developer programs are a great way to engage developers

    and actively test their secure coding skills.
  16. GameDays are interactive team-based learning exercises designed to give players

    a chance to put their skills to the test in a real-world, gamified, risk-free environment. A Chaos GameDay is a practice event, and although it can take a whole day, it usually requires only a few hours. The goal of a GameDay is to practice how you, your team, and your supporting systems deal with real-world turbulent conditions.
  17. Before After During • Pick a hypothesis. • Pick a

    style. • Decide who. • Decide where. • Decide when. • Document. • Get approval! • Detect the situation. • Take a deep breath. • Communicate. • Visit dashboards. • Analyze data. • Propose solutions. • Apply and solve! • Write a postmortem. • What Happened • Impact • Duration • Resolution Time • Resolution • Timeline • Action Items Framework Security Gamedays
  18. Framework Security Gamedays • Introduce latency on security controls. •

    Drop a folder like a script would do in production. • Software secret clear text disclosure. • Permission collision in a shared IAM role policy. • Disable service event logging. • API gateway shutdown. • Unencrypted S3 Bucket. • Disable MFA.
  19. Now they are aware of the importance of considering security

    from the requirements gathering and architectures design. Impact in Development Teams Continuous testing team were able to generate tests to confirm security of data. An opportunity to involve to business for example by asking them if it was possible to block multiple login for users. We highlighted the importance of secure dependencies at the time of software design and implementation.
  20. Recommendations Use algorithms to protect sensitive data. Do not leave

    clear data in logs. Make all software activities auditable. Perform a vulnerability scan of the software. Use session management for frontends. Do not use cookies and browser storage. Use MFA for critical application actions. Use of short-lived effective links for documents to be delivered.
  21. Recommendations Enable CI and CD steps that perform an active

    scan. Use hashing for validation of software elements. Use security blocking when users have unsuccessful attempts. Generate container images in a secure way. Use of containers, with the minimum privilege Separate environments from applications. Separate databases from applications.