
Securing the Cloud Empowering Developers to practice SCE

Yury Nino
February 25, 2021


Transcript

  1. Agenda
     ▪ Cloud & Security
     ▪ Cloud & Reliability
     ▪ Developers & Security
     ▪ Rethinking the Cloud
     ▪ Security Chaos Engineering
     ▪ Democratizing Security
     ▪ SCE for DevOps Culture
     www.ingenieriadelcaos.com
  2. AWS - Security
     • Implement a strong identity foundation.
     • Enable traceability.
     • Apply security at all layers.
     • Automate security best practices.
     • Protect data in transit and at rest.
     • Keep people away from data.
     • Prepare for security events.
     https://wa.aws.amazon.com/wat.pillar.security.en.html
  3. Azure - Security
     • Defense in depth.
     • Identity management.
     • Infrastructure protection.
     • Encryption.
     • Network security.
     • Application security.
     https://docs.microsoft.com/en-us/learn/modules/azure-well-architected-security/
  4. GCP - Security
     • Implement least privilege with identity and authorization controls.
     • Build a layered security approach.
     • Automate deployments of sensitive tasks.
     • Implement security monitoring.
     https://docs.microsoft.com/en-us/learn/modules/azure-well-architected-security/
  5. The primary RELIABILITY risks in the CLOUD are non-malicious; SECURITY risks, however, come from adversaries who are actively trying to exploit CLOUD vulnerabilities.
  6. Both SECURITY and RELIABILITY are concerned with the CIA triad: confidentiality, integrity, and availability.
  7. Do you have interest in Security topics?
     110 developers showed interest in security topics. 14.6% of them do not show interest in security topics. This group is mostly composed of Backend Engineers.
  8. Do you practice OWASP?
     60.8% of engineers do not practice OWASP during software development. This group includes 7 Software Architects, and 73% of it are Backend Engineers. 51 engineers apply secure development best practices.
  9. Do you run Static Analysis?
     23% of developers do not have security steps enabled in their pipelines. This group includes 5 Software Architects, 14 Backend Engineers and only 1 Frontend Engineer. 100 people have security integrated in the CI/CD process.
  10. What tools do you use for Security?
     • SonarQube: 49
     • Snyk: 2
     • BlackDuck: 3
     • Fortify: 1
     • Others: 1
  11. Conclusion
     14% of engineers do not show interest in security issues, which poses a challenge for us: motivation and culture. This group is mostly composed of Backend Engineers. We needed motivation strategies!
  12. Nowadays, the digital reliance thrust upon businesses has served to spotlight how drastically important a secure SDLC is for businesses, customers, and society at large.
     https://techwireasia.com/2021/02/are-self-taught-coders-a-cybersecurity-problem/
  13. Security should be front of mind, both for security engineers and developers! Organizations must offer training and culture internally.
  14. Security Chaos Engineering
     It is the identification of security control failures through proactive experimentation to build confidence in the system's ability to defend against malicious conditions in production. (Security Chaos Engineering Book)
  15. Gamified developer programs are a great way to engage developers and actively test their secure coding skills.
  16. GameDays are interactive team-based learning exercises designed to give players a chance to put their skills to the test in a real-world, gamified, risk-free environment. A Chaos GameDay is a practice event, and although it can take a whole day, it usually requires only a few hours. The goal of a GameDay is to practice how you, your team, and your supporting systems deal with real-world turbulent conditions.
  17. Framework Security Gamedays
     Before
     • Pick a hypothesis.
     • Pick a style.
     • Decide who.
     • Decide where.
     • Decide when.
     • Document.
     • Get approval!
     During
     • Detect the situation.
     • Take a deep breath.
     • Communicate.
     • Visit dashboards.
     • Analyze data.
     • Propose solutions.
     • Apply and solve!
     After
     • Write a postmortem:
       • What Happened
       • Impact
       • Duration
       • Resolution Time
       • Resolution
       • Timeline
       • Action Items
  18. Framework Security Gamedays (example experiments)
     • Introduce latency on security controls.
     • Drop a folder like a script would do in production.
     • Software secret disclosed in clear text.
     • Permission collision in a shared IAM role policy.
     • Disable service event logging.
     • API gateway shutdown.
     • Unencrypted S3 bucket.
     • Disable MFA.
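The Before/During/After framework from the previous slides, carried through in code as an added example (not from the deck or its author). The "cloud" is a constructed in-memory model of S3-style bucket configurations, so the script runs offline; the experiment is the "Unencrypted S3 bucket" one from the list above, and the detector, injector, approval gate and postmortem fields are assumptions chosen to mirror the slides. In a real GameDay the injector and detector would call the sandbox account's APIs and the monitoring system instead.

```python
"""Security GameDay runner: hypothesis -> approval -> steady state -> inject
-> detect -> rollback -> postmortem. Example code, not the deck's own."""
from __future__ import annotations
import copy
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample inventory (assumption): bucket name -> configuration.
SAMPLE_BUCKETS = {
    "customer-exports": {"default_encryption": "aws:kms", "public": False},
    "app-logs": {"default_encryption": "AES256", "public": False},
}


def detect_unencrypted_buckets(buckets: dict) -> list[str]:
    """The detection control under test: buckets without default encryption."""
    return sorted(n for n, cfg in buckets.items() if not cfg.get("default_encryption"))


def disable_bucket_encryption(buckets: dict, name: str) -> Callable[[], None]:
    """Injector for the hypothesis. Returns a rollback closure so the
    'After' phase can restore steady state even if detection fails."""
    previous = buckets[name]["default_encryption"]
    buckets[name]["default_encryption"] = None

    def rollback() -> None:
        buckets[name]["default_encryption"] = previous
    return rollback


@dataclass
class Experiment:            # the 'Before' decisions: hypothesis, style, approval
    hypothesis: str
    steady_state: Callable[[dict], bool]
    inject: Callable[[dict], Callable[[], None]]
    detect: Callable[[dict], list[str]]
    approved: bool = False


@dataclass
class Postmortem:            # the 'After' record, fields as on the slide
    what_happened: str
    impact: str
    detected: bool
    resolution: str
    timeline: list[str] = field(default_factory=list)
    action_items: list[str] = field(default_factory=list)


def build_experiment(detector=detect_unencrypted_buckets, target="customer-exports",
                     approved=True) -> Experiment:
    return Experiment(
        hypothesis=f"If default encryption is removed from '{target}', the "
                   "detection control reports it before any data is written.",
        steady_state=lambda env: not detect_unencrypted_buckets(env),
        inject=lambda env: disable_bucket_encryption(env, target),
        detect=detector,
        approved=approved,
    )


def run_gameday(exp: Experiment, env: dict) -> Postmortem:
    if not exp.approved:     # 'Get approval!' gates everything else
        raise PermissionError("GameDay not approved; nothing is injected")
    timeline = ["before: hypothesis documented and approved"]
    if not exp.steady_state(env):
        raise RuntimeError("steady state not met before injection; abort")
    timeline.append("before: steady state confirmed")
    rollback = exp.inject(env)
    timeline.append("during: failure injected")
    try:
        findings = exp.detect(env)           # 'Detect the situation'
        detected = bool(findings)
        timeline.append(f"during: detector reported {findings}")
    finally:
        rollback()                           # 'Apply and solve!'
        timeline.append("after: rollback applied")
    restored = exp.steady_state(env)
    timeline.append("after: steady state " + ("restored" if restored else "NOT restored"))
    return Postmortem(
        what_happened=exp.hypothesis,
        impact="none (rolled back)" if restored else "steady state not restored",
        detected=detected,
        resolution="rollback of the injected change",
        timeline=timeline,
        action_items=[] if detected else
            ["detection gap: control did not fire; fix the alert before the next GameDay"],
    )


if __name__ == "__main__":
    report = run_gameday(build_experiment(), copy.deepcopy(SAMPLE_BUCKETS))
    print("detected:", report.detected)
    print("\n".join(report.timeline))
    print("action items:", report.action_items)
```

Running the script with the working detector yields a postmortem with `detected=True` and no action items; passing a broken detector (for instance `lambda env: []`) to `build_experiment` is how the same harness surfaces a detection gap, which is the actual finding a GameDay is after.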
  19. Impact in Development Teams
     Now they are aware of the importance of considering security from requirements gathering and architecture design. The continuous testing team was able to generate tests to confirm the security of data. It was an opportunity to involve the business, for example by asking them whether it was possible to block multiple logins for users. We highlighted the importance of secure dependencies at software design and implementation time.
  20. Recommendations
     • Use algorithms to protect sensitive data.
     • Do not leave clear data in logs.
     • Make all software activities auditable.
     • Perform a vulnerability scan of the software.
     • Use session management for frontends.
     • Do not use cookies and browser storage.
     • Use MFA for critical application actions.
     • Use short-lived links for documents to be delivered.
  21. Recommendations
     • Enable CI and CD steps that perform an active scan.
     • Use hashing for validation of software elements.
     • Use security blocking when users have unsuccessful attempts.
     • Generate container images in a secure way.
     • Run containers with the minimum privilege.
     • Separate environments from applications.
     • Separate databases from applications.