The flexibility and scale of the AWS Cloud and the emergence of DevOps have combined to allow developers to build and deploy applications faster than ever before. Assessing these applications for security risks without slowing down the development process can be a challenge with traditional vulnerability assessment tools designed for on-premises infrastructure. Amazon Inspector, an automated security assessment service, addresses this by integrating security assessments directly into the development process of applications running on Amazon Elastic Compute Cloud (Amazon EC2).
In this session, we will review Amazon Inspector for performing host security assessments and how it can become a seamless part of your DevOps lifecycle. We will run through a demo of setting up assessment targets and templates, installing the AWS agent, and running assessments. We will explore the findings generated by an assessment and discuss how you can automate the running of assessments.
Learning Objectives:
An overview and the value of Security Assessment testing with Amazon Inspector
How customers sign up for, configure, and use the service
Understand AWS Agent and assessment data security
2. Why did we build Amazon Inspector?
What is Amazon Inspector?
How does it work?
How much does it cost?
What does it help protect against?
How does it help me with remediation?
What regions are supported?
What’s next for Amazon Inspector?
What to expect from this session
3. Better alignment with customer needs
Increased ownership by developers
Continuous feedback & bug discovery
Configuration & Infrastructure is part of the code
More frequent code rollouts
Automation
Better focus on operational excellence
Cloud provides infrastructure as code
Improved availability
Cost optimization
DevOps & Cloud
4. Traditional Security Processes (diagram): three lanes, Asset Owner, AppSec Team and Pen Test Team. The asset owner queues a ticket for a security review request; the AppSec team scans for vulnerabilities and identifies security issues, then engages the pen test / red team, which reports issues back; the asset owner remediates. Each handoff waits in the next team's work backlog (the clock icons in the original slide).
5. It's not about DevOps + Security
Not enough security professionals on the planet to do this
Security teams need their own automation to keep up with automated deployments!
Security as code
Seamless integration with CI/CD pipelines
Ability to scan and run test suites in parallel
Ability to automate remediation
Consumable by APN technology partners as microservices
www.devsecops.org
7. Amazon Inspector
Vulnerability Assessment Service
Built from the ground up to support DevSecOps
Automatable via APIs
Integrates with CI/CD tools
On-Demand Pricing model
Static & Dynamic Rules Packages
Generates Findings
8. “[With] any large network, I will tell you that persistence and focus will get you in, we’ll achieve that exploitation without the zero days,” he says. “There’s so many more vectors that are easier, less risky and quite often more productive than going down that route.” This includes, of course, known vulnerabilities for which a patch is available but the owner hasn’t installed it.
- Rob Joyce, NSA TAO @ Enigma 2016
The Value of Vulnerability Assessments
11. Red Hat Enterprise Linux (6.5 or later)
CentOS (6.5 or later)
Ubuntu (12.04 LTS, 14.04 LTS or later)
Amazon Linux (2015.03 or later)
Microsoft Windows (2012 R2, 2008 R2) - Preview
Linux Kernel Support
We get kernels at the same time you get them
It currently takes us 1-2 weeks for build, test & validation
We’re aiming for 1 day
New Distributions
Takes a long time
Supported Agent Operating Systems
16. Pricing
Free Trial: 250 agent-assessments for the first 90 days using the service
Based on agent-assessments:
1 assessment with 10 agents = 10 agent-assessments
5 assessments with 2 agents = 10 agent-assessments
10 assessments with 1 agent = 10 agent-assessments
10 agent-assessments = $3.00 (10 × $0.30)
Tiered price per agent-assessment:
First 250 agent-assessments:     $0.30
Next 750 agent-assessments:      $0.25
Next 4,000 agent-assessments:    $0.15
Next 45,000 agent-assessments:   $0.10
All other agent-assessments:     $0.05
18. CVE - Common Vulnerabilities & Exposures
Tagged list of publicly known info security issues
Vulnerabilities
A mistake in software that can be used to gain unauthorized system access
Execute commands as another user
Pose as another entity
Conduct a denial of service
Exposures
A mistake in software that allows access to information that can lead to
unauthorized system access.
Allows an attacker to hide activities
Enables information gathering activities
19. CIS Security Configuration Benchmarks
What are they?
Security configuration guide
Consensus-based development process
PDF versions are free via the CIS website
Inspector automates scanning instances against the latest benchmark for that OS
20. What’s inside a Benchmark?
What you should do…
Why you should do it…
How to do it…
How to know if you did it…
This is what Inspector does for you now (more in future)
22. Rules Package Support
CVE | CIS | Best Practices | Runtime Behavior
Amazon Linux 2015.03+ ✅ ✅ ✅ ✅
Ubuntu 14.04 LTS+ ✅ ✅ ✅
CentOS 6.5+ ✅ ✅ ✅
RHEL 6.5+ ✅ ✅ ✅
Windows Server 2008 R2+ ✅ ✅ ⭕️
23. Security Best Practices
Authentication
Network Security
Operating System
Application Security
Disable root login over SSH
Password complexity
Permissions for system directories
Secure Protocols
Data execution prevention enabled
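As an added example, not code from the AWS deck or from Amazon Inspector itself, here is the "how to know if you did it" part of a benchmark item for two of the Security Best Practices listed above (disable root login over SSH, secure protocols), evaluated against a constructed sshd_config string. The parser follows sshd's own rule that the first value of a keyword wins and that Match blocks are conditional; the protocol default when the keyword is absent is an assumption stated in a comment. Inspector runs checks of this kind through its agent; this script shows only the check logic.

```python
"""Added example, not code from the AWS deck: a 'how to know if you did it'
check for two Security Best Practices items, run against a constructed
sshd_config string. Inspector evaluates items like these on the instance via
its agent; this stand-alone script shows only the check logic."""
import re

# Constructed sample sshd_config. sshd applies the FIRST value it reads for a
# keyword, so the later 'PermitRootLogin no' does not override the 'yes'.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed for this example)
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
Match User deploy
    PermitRootLogin no
"""


def parse_sshd_config(text):
    """Return {keyword_lower: first_value} for the global section of an sshd_config.

    Mirrors sshd's own rules: comments and blank lines are skipped, keywords are
    case-insensitive and may be separated from values by whitespace or '=', the
    first occurrence of a keyword wins, and everything from the first 'Match'
    line onward is conditional, so it is left out of the global view.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def check_sshd_hardening(text):
    """Evaluate the sshd items and return a list of findings (empty when compliant).

    Each finding carries the what / why / how pieces a benchmark item has.
    """
    cfg = parse_sshd_config(text)
    findings = []

    # Disable root login over SSH: only an explicit 'no' is compliant. The
    # 'prohibit-password' / 'without-password' values still allow key-based root
    # logins, and an unset keyword falls back to a version-dependent default.
    root_login = cfg.get("permitrootlogin", "<unset>")
    if root_login.lower() != "no":
        findings.append({"rule": "PermitRootLogin", "observed": root_login, "severity": "Medium",
                         "why": "direct root logins remove accountability and invite brute force",
                         "remediation": "set 'PermitRootLogin no' in sshd_config and reload sshd"})

    # Secure protocols: SSH protocol 1 is cryptographically broken. When the
    # keyword is absent this check ASSUMES the OpenSSH default of protocol 2.
    protocol = cfg.get("protocol", "2")
    if "1" in [p.strip() for p in protocol.split(",")]:
        findings.append({"rule": "Protocol", "observed": protocol, "severity": "High",
                         "why": "SSH protocol 1 has known integrity and key-exchange weaknesses",
                         "remediation": "set 'Protocol 2' (server-side v1 support was removed in OpenSSH 7.4)"})
    return findings


if __name__ == "__main__":
    for f in check_sshd_hardening(SAMPLE_SSHD_CONFIG):
        print(f"[{f['severity']}] {f['rule']}={f['observed']}: {f['remediation']}")
```

The sample deliberately contains a second `PermitRootLogin no` after the `yes`; a naive "last value wins" parser would report the host as compliant while sshd actually permits root login.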
24. Runtime Behavior Analysis
Package analyzes machine behavior during an assessment.
Unused listening ports
Insecure client protocols
Root processes with insecure permissions
Insecure server protocols
Impacts the severity of static findings
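The check below is an added example, not code from the AWS deck or from the Inspector rules package, of the kind of runtime observation the slide describes: listening sockets parsed from constructed `ss -ltnp` output are compared with the ports the instance is expected to serve (an assumption the caller supplies) and with a short list of server protocols that are insecure by design. Loopback-only listeners are reported at lower severity because they are not reachable from the network.

```python
"""Added example, not from the AWS deck: flag unused listening ports and
insecure server protocols from constructed `ss -ltnp` output."""
import re

# Constructed sample: `ss -ltnp` on a web host where telnet and an unexplained
# loopback port 8080 were also left listening.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=1204,fd=6))
LISTEN  0       128     127.0.0.1:8080      0.0.0.0:*          users:(("node",pid=1999,fd=18))
LISTEN  0       5       0.0.0.0:23          0.0.0.0:*          users:(("in.telnetd",pid=2301,fd=4))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Cleartext / legacy server protocols that should not be listening at all.
INSECURE_SERVER_PORTS = {21: "ftp", 23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh"}


def parse_ss_listening(text):
    """Yield (addr, port, process) for each LISTEN line of `ss -ltnp` output.

    Handles IPv4, bracketed IPv6 and '*' wildcard addresses, and lines where the
    Process column is missing (ss prints it only for sockets you may inspect).
    """
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = cols[3].rsplit(":", 1)  # rsplit keeps '[::]' intact
        m = re.search(r'\("([^"]+)"', line)
        yield addr, int(port), (m.group(1) if m else None)


def analyze_listeners(text, expected_ports):
    """Return findings for listeners outside expected_ports and for insecure
    server protocols (the latter are flagged even when 'expected')."""
    findings, seen = [], set()
    for addr, port, proc in parse_ss_listening(text):
        if (addr, port) in seen:
            continue
        seen.add((addr, port))
        loopback = addr in ("127.0.0.1", "[::1]")
        if port in INSECURE_SERVER_PORTS:
            findings.append({"port": port, "process": proc, "severity": "High",
                             "rule": f"insecure server protocol ({INSECURE_SERVER_PORTS[port]})"})
        elif port not in expected_ports:
            findings.append({"port": port, "process": proc,
                             "severity": "Low" if loopback else "Medium",
                             "rule": "listening port not in the expected set"})
    return findings


if __name__ == "__main__":
    for f in analyze_listeners(SAMPLE_SS_OUTPUT, expected_ports={22, 80}):
        print(f"[{f['severity']}] port {f['port']} ({f['process']}): {f['rule']}")
```

The expected-port set would normally come from the instance's role (for example the tags used to build the assessment target) rather than being hard-coded; that mapping is outside what the slide shows.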
25. Automating Remediation
Findings are JSON formatted and taggable
Name of assessment target & template
Start time, end time, status
Name of rule packages
Name & severity of the finding
Description & remediation steps
Lambda-fy your incident response
Integrate with Jira-like services
Integrate with Pagerduty-like services
Integrate with EC2 SSM
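As an added example, not code from the AWS deck, the script below consumes findings in the JSON shape the slide describes (a constructed sample modelled on DescribeFindings output, with placeholder ARNs, instance ids and CVE id) and does two of the things listed above: gates a CI/CD stage on severity, and builds one ticket payload per instance for a Jira-like tracker. The `run_and_collect` function is the only part that calls AWS; it assumes boto3, valid credentials and an existing assessment template (the CI/CD integration from the earlier slide), and the sample run does not invoke it.

```python
"""Added example, not code from the AWS deck: gate a pipeline on Inspector
findings and turn them into per-instance ticket payloads."""
import json
import time
from collections import defaultdict

# Constructed sample findings (ARNs, instance ids and the CVE id are placeholders).
SAMPLE_FINDINGS = json.loads("""{"findings": [
 {"arn": "arn:aws:inspector:REGION:ACCOUNT:target/0-T/template/0-X/run/0-R/finding/0-F1",
  "severity": "High", "numericSeverity": 9.0,
  "title": "Instance i-0example1 is vulnerable to CVE-YYYY-NNNN",
  "recommendation": "Use your OS's update feature to update the affected package.",
  "assetAttributes": {"schemaVersion": 1, "agentId": "i-0example1"},
  "attributes": [{"key": "CVE_ID", "value": "CVE-YYYY-NNNN"}, {"key": "PACKAGE_NAME", "value": "openssl"}]},
 {"arn": "arn:aws:inspector:REGION:ACCOUNT:target/0-T/template/0-X/run/0-R/finding/0-F2",
  "severity": "Medium", "numericSeverity": 6.0,
  "title": "Instance i-0example2 is configured to allow root login over SSH",
  "recommendation": "Set PermitRootLogin to no in sshd_config.",
  "assetAttributes": {"schemaVersion": 1, "agentId": "i-0example2"}, "attributes": []},
 {"arn": "arn:aws:inspector:REGION:ACCOUNT:target/0-T/template/0-X/run/0-R/finding/0-F3",
  "severity": "Low", "numericSeverity": 3.0,
  "title": "Instance i-0example1 has an unused listening TCP port 8080",
  "recommendation": "Disable the service if it is not required.",
  "assetAttributes": {"schemaVersion": 1, "agentId": "i-0example1"}, "attributes": []}
]}""")

SEVERITY_ORDER = ["Informational", "Low", "Medium", "High"]
TERMINAL_STATES = {"COMPLETED", "COMPLETED_WITH_ERRORS", "FAILED", "ERROR", "CANCELED"}


def severity_rank(severity):
    """Rank an Inspector severity string; unknown or missing values sort lowest."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else -1


def gate(findings, fail_at="High"):
    """CI/CD gate: fail the stage when any finding is at or above fail_at.
    Returns per-severity counts and the ARNs that blocked the build."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    blocking = []
    for f in findings:
        sev = f.get("severity", "Informational")
        counts[sev] = counts.get(sev, 0) + 1
        if severity_rank(sev) >= severity_rank(fail_at):
            blocking.append(f["arn"])
    return {"fail": bool(blocking), "counts": counts, "blocking": blocking}


def build_tickets(findings, min_severity="Medium"):
    """One ticket payload per instance (assetAttributes.agentId), so the tracker
    gets one issue per host rather than one per CVE. Findings below
    min_severity are left out; CVE ids found in attributes become labels."""
    per_host = defaultdict(list)
    for f in findings:
        if severity_rank(f.get("severity")) >= severity_rank(min_severity):
            per_host[f["assetAttributes"]["agentId"]].append(f)
    tickets = []
    for host, items in sorted(per_host.items()):
        items.sort(key=lambda f: -severity_rank(f["severity"]))  # worst first
        cves = sorted({a["value"] for f in items for a in f.get("attributes", []) if a["key"] == "CVE_ID"})
        body = "\n".join(f"- [{f['severity']}] {f['title']}\n  Remediation: {f['recommendation']}" for f in items)
        tickets.append({"summary": f"Inspector: {len(items)} finding(s) on {host}",
                        "priority": items[0]["severity"], "description": body,
                        "labels": ["inspector", host] + cves})
    return tickets


def run_and_collect(template_arn, run_name, poll_seconds=30):
    """Start an assessment run, wait for a terminal state and return its findings
    (same shape as SAMPLE_FINDINGS['findings']). Assumes boto3 and credentials;
    not exercised by the sample run below."""
    import boto3  # imported here so the pure triage logic above runs without AWS
    client = boto3.client("inspector")
    run_arn = client.start_assessment_run(assessmentTemplateArn=template_arn,
                                          assessmentRunName=run_name)["assessmentRunArn"]
    while client.describe_assessment_runs(assessmentRunArns=[run_arn])["assessmentRuns"][0]["state"] not in TERMINAL_STATES:
        time.sleep(poll_seconds)
    arns, token = [], None
    while True:  # ListFindings is paginated via nextToken
        page = client.list_findings(assessmentRunArns=[run_arn], **({"nextToken": token} if token else {}))
        arns.extend(page["findingArns"])
        token = page.get("nextToken")
        if not token:
            break
    findings = []
    for i in range(0, len(arns), 10):  # DescribeFindings accepts at most 10 ARNs per call
        findings.extend(client.describe_findings(findingArns=arns[i:i + 10])["findings"])
    return findings


if __name__ == "__main__":
    print(json.dumps(gate(SAMPLE_FINDINGS["findings"]), indent=2))
    print(json.dumps(build_tickets(SAMPLE_FINDINGS["findings"]), indent=2))
```

In a Lambda-based flow the same two pure functions would run on the findings delivered for a completed run; the polling loop is what a CI job would use instead, with `gate()["fail"]` deciding the exit status of the stage.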
27. Regions Supported
GA
US West (Oregon)
EU (Ireland)
US East (Virginia)
Asia Pacific (Tokyo)
July 2016
Asia Pacific (Sydney)
Asia Pacific (Seoul)
Fall 2016
Asia Pacific (India)
Europe (London)
Europe (Frankfurt)
29. What’s Next for Inspector
Reporting
Threat Modelling
More Rules Packages (Industry-specific, applications)
Add/Edit Rules Packages