This session is designed to teach security engineers, developers, solutions architects, and other technical security practitioners how to use a DevSecOps approach to design and build robust security controls at cloud-scale. This session walks through the design considerations of operating high-assurance workloads on top of the AWS platform and provides examples of how to automate configuration management and generate audit evidence for your own workloads. We’ll discuss practical examples using real code for automating security tasks, then dive deeper to map the configurations against various industry frameworks. This advanced session showcases how continuous integration and deployment pipelines can accelerate the speed of security teams and improve collaboration with software development teams.
2. What to expect from the session
Why do security automation?
Who is responsible for security in a DevOps world?
Where do you want security automation?
When? pre, post, and everything in between
What you can do, practical examples
How? Tools and partners
4. So what is DevOps anyway?
DevOps is a collaboration between Development and Operations to improve agility and pace of innovation.
5. So what is DevOps anyway?
DevOps is a collaboration between Development and Operations to improve agility and pace of innovation. It is made up of:
• Tooling that you have/use/develop to perform this activity
• Cultural philosophy on how change and deployment are handled within the organization
• Processes which enable this activity
6. So what is DevSecOps anyway?
DevSecOps is expanding the Dev + Ops collaboration to include Security.
The aim: to have security that is:
• applied throughout the development process,
• non-blocking,
• and working at scale.
7. So, Meet the new security team
Operations Engineering, Application Security, Compliance
8. So, Meet the new security team
Operations Engineering, Application Security, Compliance, Development
9. So, Meet the new security team
Operations Engineering, Application Security, Compliance
Security team development responsibilities:
- Tool creation
- Guide app dev teams
- Enabling automation of security
10. How to win at DevSecOps – Automate!
- Automation is responsive
- Automation is reliable
- Automation is scalable…
- Don’t worry… we still need humans
11. How to win at DevSecOps – The Mindset
• Develop a customer-centric mindset
• Successful DevSecOps does not block a rapid pace of innovation.
• Security is built in, automated, and current.
• Security as a self-service, with strong auditability
• Security that is moving faster than Developers
13. Continuous Integration / Continuous Deployment
1. Security of the CI/CD Pipeline
• Access roles – separation of duties
• Hardening build servers/nodes
2. Security in the CI/CD Pipeline
• Artifact validation
• Static code analysis
• Validation prior to infrastructure change
14. CI/CD for DevOps
Pipeline components shown in the diagram: Version Control, CI Server, Package Builder, Artifact Repo, Deploy Server, and the Test, Staging and Prod environments (each holding Code, Config and Tests).
• Dev commits to Git/master
• CI Server gets/pulls code and images; distributed builds; run tests in parallel
• Send build report to Dev; stop everything if build failed
• Package Builder creates deployment templates for infrastructure and generates artifacts into the Artifact Repo
• Deploy Server pushes config and installs to the Test, Staging and Prod environments
15. CI/CD for DevSecOps
Same pipeline with security controls added at each stage (components shown: Version Control, CI Server, Package Builder, Artifact Repo, Promote Process, and the Test, Staging and Prod environments):
• Version Control: block creds from git; Dev commits to Git/master
• CI Server: get/pull code and images; scan hook; log for audit
• Send build report to Security; stop everything if audit/validation failed
• Package Builder: deployment templates for infrastructure; checksum; Artifact Repo
• Promote Process: audit/validate config before release to the Test, Staging and Prod environments
• Continuous scan of the running environments
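The "block creds from git" and "validate each push (git event hooks)" controls above can be implemented as a push hook that scans only the lines a commit adds. The following is an added example, not code from the deck or from AWS: the detection patterns, the `# allow-secret` review marker and the sample diff are all constructed here (the key values are AWS's published documentation examples, not real credentials).

```python
import re
import sys
from typing import List, Tuple

# Constructed detection patterns (added example, not the deck's own code).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)secret[^\n]{0,20}['\"][A-Za-z0-9/+=]{40}['\"]"),
    "hardcoded_password": re.compile(r"(?i)password\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
ALLOW_MARKER = "# allow-secret"   # reviewed false positives may carry this marker


def match_line(line: str) -> List[str]:
    """Return the names of every pattern that fires on a single source line."""
    if ALLOW_MARKER in line:
        return []
    return [name for name, rx in PATTERNS.items() if rx.search(line)]


def scan_diff(diff_text: str) -> List[Tuple[str, int, str]]:
    """Scan the added ('+') lines of a unified diff, tracking new-file line numbers."""
    findings, path, lineno = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif line.startswith(("--- ", "diff ", "index ", "\\")):
            continue                      # file headers and "\ No newline" markers
        elif line.startswith("@@"):
            m = re.search(r"\+(\d+)", line)
            lineno = int(m.group(1)) - 1 if m else 0   # new-side start of the hunk
        elif line.startswith("+"):
            lineno += 1                   # added line: exists in the new file
            for name in match_line(line[1:]):
                findings.append((path, lineno, name))
        elif line.startswith("-"):
            continue                      # removed line: no new-file line number
        else:
            lineno += 1                   # context line: present in both versions
    return findings


def hook_exit_code(diff_text: str) -> int:
    """Non-zero exit makes git reject the push; report each hit on stderr."""
    findings = scan_diff(diff_text)
    for path, lineno, name in findings:
        print(f"BLOCKED {path}:{lineno}: {name}", file=sys.stderr)
    return 1 if findings else 0


# Constructed sample diff; the key material is AWS's documented example values.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_PASSWORD = "hunter2hunter2"
 DEBUG = False
"""

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    sys.exit(hook_exit_code(data))
```

Wired as a server-side `pre-receive` hook it would be fed `git diff <oldrev> <newrev>` for each pushed ref; the same function works in a client-side `pre-commit` hook over `git diff --cached`. Scanning only added lines keeps the hook fast and avoids re-flagging history that has already been reviewed.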
19. When – Control and Validate
Pre-event - Where possible
• Store infrastructure in code repository
• Validate each push (git event hooks)
• Use managed microservices as the execution engine
• Scan cloud infrastructure templates for unwanted or risky configurations
• Validate container definitions
• Force infrastructure change via templates (Service Catalog)
• Block or add manual review if needed/unsure
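A pre-event template scan of the kind listed above, written here as an added example rather than code from the deck: it walks the `Resources` section of a CloudFormation template (JSON form), applies a small rule set for the control areas the deck names (security groups, storage, IAM), and returns a decision of allow, review or block. The rule names, severities and the sample template are constructed for this example; the resource types and property names are CloudFormation's own.

```python
from typing import Callable, Dict, List, Tuple

Finding = Tuple[str, str, str]          # (logical resource id, rule, severity)
WORLD = ("0.0.0.0/0", "::/0")
ADMIN_PORTS = (22, 3389)                 # SSH and RDP: never open to the world


def check_security_group(name: str, props: dict) -> List[Finding]:
    out = []
    for rule in props.get("SecurityGroupIngress", []):
        if (rule.get("CidrIp") or rule.get("CidrIpv6")) not in WORLD:
            continue
        proto = str(rule.get("IpProtocol", ""))
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        if proto == "-1" or any(lo <= p <= hi for p in ADMIN_PORTS):
            out.append((name, "sg-admin-port-open-to-world", "high"))
        else:
            out.append((name, "sg-open-to-world", "medium"))   # e.g. 80/443, review
    return out


def check_s3_bucket(name: str, props: dict) -> List[Finding]:
    if props.get("AccessControl") in ("PublicRead", "PublicReadWrite"):
        return [(name, "s3-public-acl", "high")]
    return []


def check_rds_instance(name: str, props: dict) -> List[Finding]:
    out = []
    if props.get("PubliclyAccessible") is True:
        out.append((name, "rds-publicly-accessible", "high"))
    if props.get("StorageEncrypted") is not True:
        out.append((name, "rds-storage-unencrypted", "medium"))
    return out


def check_iam_policy(name: str, props: dict) -> List[Finding]:
    stmts = props.get("PolicyDocument", {}).get("Statement", [])
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        actions = s.get("Action", [])
        resources = s.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if s.get("Effect") == "Allow" and "*" in actions and "*" in resources:
            return [(name, "iam-admin-wildcard", "high")]
    return []


CHECKS: Dict[str, Callable[[str, dict], List[Finding]]] = {
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::S3::Bucket": check_s3_bucket,
    "AWS::RDS::DBInstance": check_rds_instance,
    "AWS::IAM::Policy": check_iam_policy,
    "AWS::IAM::ManagedPolicy": check_iam_policy,
}


def scan_template(template: dict) -> List[Finding]:
    findings = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type", ""))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings


def decide(findings: List[Finding]) -> str:
    """Block on any high finding, route medium-only results to manual review."""
    sev = {f[2] for f in findings}
    return "block" if "high" in sev else ("review" if "medium" in sev else "allow")


# Constructed sample template exercising each rule (not a real deployment).
SAMPLE_TEMPLATE = {"Resources": {
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "AssetsBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
    "AppDb": {"Type": "AWS::RDS::DBInstance",
              "Properties": {"PubliclyAccessible": False, "StorageEncrypted": False}},
    "DeployPolicy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyDocument": {
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
}}

if __name__ == "__main__":
    for f in scan_template(SAMPLE_TEMPLATE):
        print(*f)
    print("decision:", decide(scan_template(SAMPLE_TEMPLATE)))
```

Run on each push (or as a Service Catalog pre-provision step), the block/review split is what lets the pipeline stay non-blocking for ordinary changes while still stopping the handful that matter. YAML templates can be fed to the same `scan_template` after parsing; intrinsic functions such as `!Ref` need resolving first, which this example does not attempt.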
20. When – Control and Validate
Post-event - Always
• Follow-up on sensitive APIs
  • IAM, security groups/firewall, encryption keys, logging, etc.
  • Alert/inform
• Use source of truth
  • Locked to execution function (read only)
  • Validate source
• Human or machine in CI/CD
• Decide on remediation
21. When – Control and Validate
Triggers – Event based:
• Per change
  • API-based
  • Event logs
• Per day
• Per framework
  • Overall infrastructure, components, and resources
  • One component, multiple frameworks
23. Okay, jeez fine, have some examples:
Security validation in an elastic infrastructure
• Implement -> Validate -> Decide
• Terminate upon failure of security check
Automatic Incident Response Remediation
• Autoheal CloudTrail logging, then
• Disable offenders
Integrate host-based activity with cloud-based control
• Immutable infrastructure – Auto isolate instances that fail checks
24. It’s demo time! – Logging enforcement
Detect
• CloudTrail logging disabled
Respond
• Automatically re-enable logging
Forensics
• Has this happened before?
Countermeasures
• if num_disabled > x:  # x could be zero based on type and user
      disable_user()
• Safeguard: Should I temporarily disable the user? Who is the user?
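The detect / respond / forensics / countermeasure flow of the demo, and the post-event "follow up on sensitive APIs" pattern from slide 20, as an added example that is not the deck's demo code. It is written as a Lambda-style handler for a CloudWatch Events (EventBridge) rule on the `StopLogging` API call. The handler takes its clients as parameters: in AWS they would be `boto3.client("cloudtrail")` and `boto3.client("iam")`, whose `start_logging`, `get_trail_status`, `lookup_events` and `put_user_policy` calls are used here with their real signatures; the `FakeCloudTrail`/`FakeIam` classes, the event, the history and the `QuarantineDenyAll` policy name are constructed so the example runs offline.

```python
import json

# Attaching an inline deny-all policy is the disable_user() step: it stops every
# further API call from the user without deleting the user or rotating keys.
DENY_ALL_POLICY = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}


class FakeCloudTrail:
    """Constructed stand-in for the boto3 cloudtrail client (offline only)."""
    def __init__(self, trails, history):
        self.trails = dict(trails)       # trail name -> IsLogging
        self.history = list(history)     # past events in lookup_events() shape

    def start_logging(self, Name):
        self.trails[Name] = True

    def get_trail_status(self, Name):
        return {"IsLogging": self.trails[Name]}

    def lookup_events(self, LookupAttributes):
        key, val = LookupAttributes[0]["AttributeKey"], LookupAttributes[0]["AttributeValue"]
        return {"Events": [e for e in self.history if e.get(key) == val]}


class FakeIam:
    """Constructed stand-in for the boto3 iam client; records policies it attaches."""
    def __init__(self):
        self.policies = []

    def put_user_policy(self, UserName, PolicyName, PolicyDocument):
        self.policies.append((UserName, PolicyName))


def actor_from(user_identity):
    """Who did it? Only plain IAM users are candidates for automatic disabling."""
    if user_identity.get("type") == "IAMUser":
        return "IAMUser", user_identity.get("userName")
    return user_identity.get("type"), user_identity.get("arn") or user_identity.get("principalId")


def handle_stop_logging(event, cloudtrail, iam, max_disabled=0, protected_users=()):
    detail = event.get("detail", {})
    if detail.get("eventName") != "StopLogging":          # Detect
        return {"action": "ignored"}
    trail = detail["requestParameters"]["name"]
    actor_type, actor = actor_from(detail.get("userIdentity", {}))

    cloudtrail.start_logging(Name=trail)                     # Respond: autoheal first
    restored = cloudtrail.get_trail_status(Name=trail)["IsLogging"]

    past = cloudtrail.lookup_events(LookupAttributes=[       # Forensics: happened before?
        {"AttributeKey": "EventName", "AttributeValue": "StopLogging"}])["Events"]
    num_disabled = 1 + sum(1 for e in past
                           if e.get("Username") == actor and e.get("EventId") != detail.get("eventID"))

    # Countermeasure with safeguard: threshold x, plus never quarantine a role session
    # or a break-glass/protected user; those cases fall back to alerting a human.
    if num_disabled > max_disabled and actor_type == "IAMUser" and actor not in protected_users:
        iam.put_user_policy(UserName=actor, PolicyName="QuarantineDenyAll",
                            PolicyDocument=json.dumps(DENY_ALL_POLICY))
        countermeasure = "user_disabled"
    else:
        countermeasure = "alert_only"
    return {"action": "restored" if restored else "restore_failed", "trail": trail,
            "actor": actor, "num_disabled": num_disabled, "countermeasure": countermeasure}


# Constructed sample event (CloudWatch Events "AWS API Call via CloudTrail" shape) and history.
SAMPLE_EVENT = {"detail-type": "AWS API Call via CloudTrail", "detail": {
    "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
    "eventID": "evt-0003-EXAMPLE",
    "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
    "requestParameters": {"name": "org-trail"}}}
SAMPLE_HISTORY = [
    {"EventId": "evt-0001-EXAMPLE", "EventName": "StopLogging", "Username": "deploy-bot"},
    {"EventId": "evt-0002-EXAMPLE", "EventName": "StopLogging", "Username": "alice"},
    {"EventId": "evt-0003-EXAMPLE", "EventName": "StopLogging", "Username": "deploy-bot"},  # this event
    {"EventId": "evt-0004-EXAMPLE", "EventName": "StartLogging", "Username": "alice"},
]


def demo(max_disabled=0, protected_users=()):
    ct = FakeCloudTrail({"org-trail": False}, SAMPLE_HISTORY)
    iam = FakeIam()
    result = handle_stop_logging(SAMPLE_EVENT, ct, iam, max_disabled, protected_users)
    return result, ct, iam

if __name__ == "__main__":
    print(demo()[0])
```

Restoring the trail before anything else matters: the lookup and the quarantine are themselves API calls, and logging them is the audit evidence the deck keeps coming back to. The handler's own role needs only `cloudtrail:StartLogging`, `cloudtrail:GetTrailStatus`, `cloudtrail:LookupEvents` and `iam:PutUserPolicy`, which keeps it read-only against everything except the one remediation it performs.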
25. Recap: Security Automation?
Why? Keep up with DevOps, and focus on higher value work
Who? Everyone (self-service model)
Where? Everywhere!
When? All the time!
More info: Search “DevSecOps” on AWS Security & DevOps blogs