Safeguard the Integrity of Your Code for Fast and Secure Deployments (DEV349-R2) - AWS re:Invent 2018

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Safeguard the Integrity of Your
Code for Fast and Secure
Deployments
Brad Shelton
Senior Cloud Engineer
GDIT
D E V 3 4 9
Marta Whiteaker
Head of EMEA Marketplace
AWS
Matt Girdharry
Marketplace DevSecOps
AWS
Zach Schmitt
Senior Cloud Engineer
GDIT

What this is…
An intro to AWS Marketplace
Describe our view on DevSecOps
And why we’re focusing on a very specific piece of it today
Showcase our customer
Transforming the philosophy to practice (hopefully with some positive impacts)

What this isn’t…
A deep dive on the Marketplace
That’s somewhere else!
A guide to perfecting DevOps or Security
That would be hard.
A focus on AWS services in this space.
We are interested primarily in how customers are using 3rd party technologies.

Quick
Get the software you need in
minutes with just a few clicks or
use the 1-Click deployment option.
Software in AWS Marketplace are
ready-to-run on AWS.
Pay-as-you-go
Only pay for what you use through
various payment options and
receive discounts on longer or
custom terms.
All charges from AWS Marketplace
are consolidated into one bill
from AWS.
Verified
All software in AWS Marketplace
are continuously scanned to
ensure reliability.
AWS Marketplace
A curated digital software catalog that helps
you find, buy, test, and deploy software

Customize the way you provision software
Find
Networking
Security
Storage
DevOps
Database
Operating Systems
BI & Big Data
Security Information and Event
Management (SIEM)
From a breadth
of categories:
Buy
Free trial
Pay-as-you-go
Hourly
Monthly
Annual and Multi-Year
Bring Your Own License (BYOL)
Seller Private Offers
Through flexible
pricing options:
Deploy
Amazon Machine Image (AMI)
SaaS
API
AWS CloudFormation Template
With multiple
deployment options:

A growing digital software catalog
• Deploy software on demand
• 1,300+ ISVs
• Over 4,200 product listings
• 200,000 active customers
• Over 650 million hours of Amazon EC2 deployed
monthly
• Deployed in 16 regions
• Offers 35 categories
• Flexible consumption and contract models
• Easy and secure deployment, almost instantly
• One consolidated bill
• Always evolving

94%
73%
of cloud workloads and instances will
be processed by cloud data centers
of cloud workloads will be in public
cloud (27.5% CAGR from 2016 to 2021)
of cloud workloads will be
Software-as-a-Service (SaaS)
75%
Public cloud trends are accelerating
By 2021…

The mega 5 software vendors
which represent ~50%
of IT software spend
Top 50 vendors critical to the
journey to the cloud and future
direction of a company
The long tail of 500+ vendors
Microsoft and Oracle managed
by SAP on AWS and VMWare on
AWS IBM or SFDC
Transforming your portfolio: the 5/50/500 model
~15–18% of the IT budget is software

Operating
systems SIEMStorage BIDatabase DevOpsNetworking
8 popular categories most often provisioned
Security

Why AWS Marketplace?
Grow your
customer base
Leverage a powerful and
growing cloud offering to
expand your customer base
Improve efficiency
and profitability
Faster sales cycles and
efficient provisioning can lead
to higher overall profitability
Sell the way your
customers want to buy
Streamline software
procurement and offer
flexible pricing models

Why AWS Marketplace for Security?

GDIT
Making the abstract concrete

Speed! Collaboration! Automation!
Waterfall
Agile
DevOps

Automation x {Dev + Infra} = DevOps
Solving for the problem

Speed from Automation!
Computers managing other
computers
Software that can be set to discover,
manage, monitor and fix other
software
Something that removes humans –
and human error – from the
equation
Containerized
applications + Security
Traditional
applications + Security
Application
services + Security
Cloud
infrastructure + Security
Traditional
infrastructure + Security
100%
Breadth
Depth

Automated Remediation: The Future is Now!
https://arxiv.org/pdf/1810.05806.pdf

Speed vs. Stability and Security vs. Compliance

Nirvana

{Speed} + {Stability} = DevOps
Solving for the problem
{Speed, Stability} + {Security, Compliance} = DevSecOps

Agility (DevOps) versus Security.
Software delivered quickly but
with bad security features.
Software quickly iterated;
security is not an inhibitor.
You don’t want to be here. You
really don’t.
Slow delivery, well-armored
applications.
Automated Security
+ ComplianceHighPerformingDevOps
No Yes
No
Yes

But…automation in real life can be different
from what’s advertised by all of us automation
enthusiasts

⚙
⚙
⚙
⚙
⚙
⚙
⚙ Automation

Security of the CI/CD pipeline…
IAM
WAF
Logging & Monitoring, Visibility, APM, etc.

Versus security/compliance of the code in the pipeline
Pre Commit Commit Acceptance Deploy
 Continuous Compliance 
Threat modeling
Initial SAST inside
IDE
Code review
“Break the build“
Compile/build checks
SCA
Container security
Additional SAST
Unit test
Secure infra build
Functional/integration
testing
SCA DAST
Unit test
Security attacks
Deep SAST
Fuzzing, Pen Tests
Provision runtime
environment
Config management
RASP
Security
Compliance
CI/CD

Making DevOps Sec-sy

Empower developers to treat security defects as
functional defects
Like errors in code – something that can be fixed
early on in the process to prevent really bad
downstream impacts

Similar for compliant/safe infrastructure…
Automate the security and compliance of your
infrastructure as code

Dev: Application code  CI/CD  accelerate into prod
Ops: “Infrastructure as code”  CI/CD  accelerate into prod
Speed 2!
Sec/Comp: “Security + Compliance as code”  CI/CD 
accelerate into prod

How is GDIT automating security and compliance
early in the process before code gets into
production?

General Dynamics – IT / Geo-Spatial
Intelligence Division

Where our journey began:
Our initial discovery
• Limited visibility
 Nodes in accounts & intended utilization
 Verification of configurations
• Lengthy Authorized to Operate (ATO) process
• No scalability
• Auditing of environments proved difficult

Why fix it?
• Legacy processes cause the production deployment of
warfighter supporting applications being delayed
• Enable security teams to increase efficiency and
consistency in compliance, continuous monitoring, and
remediation
• Give security teams positive control over environment

Developing an enterprise solution…
Requirements
• Insight across enterprise
• Configuration management & validation
• Improving time to ATO completion
• Scalable & consistent
• Continuous monitoring in near real-time
• Rapid mitigation of Zero-Days

Key Components
1) InSpec & Chef Client
2) Chef Automate
3) Habitat
4) CI/CD Pipelines

InSpec & Chef Client
• InSpec - Local system service that enables the
system to run compliance profiles
• Chef Client - Local system service that allows for
system configuration and mitigation

Continuous Compliance with InSpec

Appeals to multiple teams

Introducing InSpec
InSpec helps express security & compliance requirements
as code and incorporate it directly into the delivery process.
Systems shall have a
Mandatory Access Control
system installed and enabled.
control "ensure_selinux_installed" do
title "Ensure SELinux is installed"
desc "SELinux provides Mandatory Access
Control"
impact 1.0
describe package("libselinux") do
it { should be_installed }
end
end

Compliance for Application-Level Resources
● Docker container/image/service
● Nginx, Apache, IIS configuration
● System packages
● PostgreSQL, Oracle, MySQL database configuration
● XML configuration elements using XPath

Chef-Client
• Utilizes cookbooks and recipes to
implement desired state configuration
in a repeatable and consistent manner
• Enables the mitigation of failures that
are reported in Chef Automate from the
InSpec results
• Provides the ability to implement Zero-
Day fixes or configuration changes

Chef Automate
• Single source for configuration management and
compliance reports
• Provides notifications for results
• Provides an audit trail of changes to configuration
management and compliance

Continuous Compliance with Chef Automate
• Real-time enterprise fleet
compliance dashboard
• 125+ built-in baselines for
standard compliance
frameworks
• Compliance report
generation and
sharing/exporting

Cloud Configuration Verification
Write compliance policies for all aspects of
cloud configuration:
● Virtual machines
● Security groups
● Block storage security policies
● Networking
● Identity and access management
● Log management

Example: InSpec AWS S3 Bucket Policy
describe aws_s3_bucket(bucket_name: 'my_secret_files') do
it { should exist }
it { should_not be_public }
it { should have_access_logging_enabled }
end

Habitat
• Application Automation & Service Manager

Utilizing Habitat
Libraries
Operating System
Application
Application &
Libraries
OS
● All of the traditional problems are a result
of this pattern: building up from the
operating system
● The entire triangle becomes the artifact
you carry around with you now and in the
future (including sometimes the VM and
the server!)
● Habitat builds from the application down
● Embedded supervisor as standard
management interface
● Builds have strict dependency control
Application Libraries

CI/CD Pipeline
• Tools and methods used for automating our
enterprise services

Base AMI CI/CD Pipeline

Our Key Benefits
• Maintain a real time view of enterprise status
• Positive control on the environment
• Detect security issues before they reach production
• Reduce risk and vulnerabilities
• Highly scalable
• Significantly reducing time to ATO

Thank you!
Brad & Zach
Sr. Cloud Engineers
GDIT
Marta & Matt
AWS Marketplace

Safeguard the Integrity of Your Code for Fast and Secure Deployments (DEV349-R2) - AWS re:Invent 2018

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Safeguard the Integrity of Your Code for Fast and Secure Deployments (DEV349-R2) - AWS re:Invent 2018

Similar to Safeguard the Integrity of Your Code for Fast and Secure Deployments (DEV349-R2) - AWS re:Invent 2018 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Safeguard the Integrity of Your Code for Fast and Secure Deployments (DEV349-R2) - AWS re:Invent 2018