
Securely Deploying Micro Services, Containers & Serverless PaaS Web Apps

94 views

Published on
This presentation will address all the relevant information about the default security postures achieved by using the -aaS model. This session will be a unique opportunity to hear from Murray Goldschmidt, renowned DevSecOps expert, explaining the key items to achieve a secure deployment from build through ongoing continuous deployment, particularly for CI/CD DevOps environments.



Key Points To Be Discussed:
- Learn the no-cost or low-cost measures to put in place immediately to secure your -aaS deployments.
- Understand where commercial products provide capability, particularly for container security.
- Understand the weaknesses of public cloud PaaS defaults; examples are provided for AWS and Azure.

Pre-requisites: AWS and Azure PaaS offerings.

Published in: Technology

  1. Sense of Security – Sydney Head Office: Level 8, 59 Goulburn Street, Sydney NSW 2000; Melbourne Office: Level 15, 401 Docklands Drive, Docklands VIC 3008; ABN 14 098 237 908; 1300 922 923 (national), +61 (2) 9290 4444 (Sydney), +61 (3) 8376 9410 (Melbourne); info@senseofsecurity.com.au. Microservices, Containers & CaaS – How Safe Are You? Presented by Murray Goldschmidt, Chief Operating Officer, 12 June 2019.
  2. Agenda (© Sense of Security Pty Ltd 2019, 16/6/19): 1. Serverless, Microservices and Container Security; 2. Key Implications for Penetration Testing Programs; 3. Key Security Features for Container Deployments; 4. CI/CD Integration for Automated Security & Vuln Mgt.
  3. Are Containers As Good as it Gets? The key thing to recognize with cloud containers is that they are designed to virtualize a single application. (Modified from https://searchcloudsecurity.techtarget.com/feature/Cloud-containers-what-they-are-and-how-they-work; slides 3–6 share this source.)
  4. As Good as it Gets? e.g., you have a MySQL container and that's all it does: provide a virtual instance of that application.
  5. As Good as it Gets? Containers SHOULD create an isolation boundary at the application level rather than at the server level.
  6. As Good as it Gets? This isolation SHOULD mean that if anything goes wrong in that single container (e.g., excessive consumption of resources by a process) it only affects that individual container and not the whole VM or whole server.
  7. (image-only slide)
  8. Container Security – Tech Neutral
  9.–11. Monolithic vs Microservices Architecture (diagram slides)
  12.–14. Monolithic vs Micro Services (API Centric) – https://developer.ibm.com/courses/monolithic-architecture-versus-microservices-architecture-dwc024/ (diagram slides)
  15.–16. Example: Microsoft eShop Reference Architecture (diagram slides)
  17. VM vs. Containers (where the abstraction occurs) – diagram contrasting virtualisation with containerisation: a Type 1 (bare metal) hypervisor (Hardware → Hypervisor → VMs) and a Type 2 hypervisor (Hardware → Host OS → Hypervisor → VMs), where each VM carries a Guest OS, its dependencies and the application, against containerisation (Hardware → Host OS → Container Engine → Containers 1…N), where each container carries only the application and its dependencies.
  18.–22. (image-only slides)
  23. Developers
  24. Hackers
  25. Hooking: Lowest Wins
  26. North-South & East-West Attacks and Pivots – https://neuvector.com/network-security/securing-east-west-traffic-in-container-based-data-center/
  27. Break-In
  28. Break-In: the entry point is usually a "pin hole" issue, for example a known application issue.
  29. (image-only slide)
  30. Containers – The "Contained" Challenge: IF you can break in, you then need to break out. (Image: http://www.marvinfrancismaninacage.com/)
  31. Break-Out <goWest goEast>
  32. Either: find a container vuln & exploit
  33.–34. Recent Container Vulnerabilities – https://brauner.github.io/2019/02/12/privileged-containers.html
  35. Recent Container Vulnerabilities
  36. Or: living off the land. The attacker now has to "live off the land", relying on misconfiguration, the ability to use native tools, or downloading new tools and executing them.
  37.–42. (image-only slides)
  43. How to Upgrade your Vuln Mgt Program: What to expect from a Pen Test; Implications for CaaS; Supply Chain Risk; DevSecOps
  44. Pen Test – Spray & Hope vs Knowledge & Finesse
  45. Monolithic vs Microservices Architecture (diagram slide)
  46.–48. (image-only slides)
  49. https://neuvector.com/run-time-container-security/
  50.–52. (image-only slides)
  53. Load Balancing / Perimeter / Public Functions
  54. (image-only slide)
  55. Hack Transformation
  56. https://neuvector.com/network-security/next-generation-firewall-vs-container-firewall/
  57. Security Testing Needs to Go Down The Stack – layers, from the user-facing top of the stack to the platform beneath it:
      - User Interface (WebApps, forms, logons, APIs)
      - Process UI (Container, presentation layer)
      - Process App (Container, application processing)
      - Process BackEnd (Container, database)
      - AppServer (IIS, Apache, Nginx)
      - Language (Java, PHP, .NET)
      - Framework (Struts, Spring, .NET)
      - Networking (SDN, SecGroups)
      - Clustering/Orchestration (CaaS, Swarm, Kubernetes)
      - Operating System (Linux, Windows)
      - Core Infrastructure
      - Cloud Platform
  58. Finesse
  59. (image-only slide)
  60. There are Pen Tests & There are Pen Tests!
  61. Blue Team: Key Steps to App Container Security – 1. End-to-End Vulnerability Management; 2. Container Attack Surface Reduction; 3. User Access Control; 4. Hardening the Host OS & the Container; 5. SDLC Automation (DevOps)
  62. Solutioning 1: End-to-End Vulnerability Management
  63. Automated Vuln Mgt (SHIFT LEFT; image adapted from Qualys materials):
      - Build: APIs & plug-ins; third-party components; vuln mgt automation
      - Registry: automated scan of public/private registry
      - Host: compliance scanning; OS; CaaS runtime; audit logging; event logging
  64. Container Security Lifecycle Management & Compliance Summary – phases: Develop/Build, Test/Modify, Release/Production. Controls: Use Trusted Images; Sign & Verify Images; Reduce Attack Surface; Privileged Access & Auth Mgt; Ongoing SecOps; Advanced Security Controls; Vulnerability Management; Third Party Components Mgt (SCA); Network Segmentation; User Authentication; Vulnerability Scanning; Harden the OS. (Adapted from: Ten Basic Steps To Secure Software Containers – Instructions For Safely Developing And Deploying Software In Containers, by Amy DeMartine and Dave Bartoletti, April 14, 2017.)
  65. (image-only slide)
  66. Solutioning 2: Container Attack Surface Reduction
  67. Solutioning 3: User Access Control
  68. Solutioning 4: Hardening the Host OS & the Container – see NIST SP 800-190 and various others, including https://www.cisecurity.org/benchmark/docker/
  69. Solutioning 5: SDLC Automation (DevOps)
  70. Agenda Recap: 1. Serverless, Microservices and Container Security; 2. Key Implications for Penetration Testing Programs; 3. Key Security Features for Container Deployments; 4. CI/CD Integration for Automated Security & Vuln Mgt
  71. Apply What You Have Learned Today – Exec/Procurement
      • Next week you should:
        - Reset your review criteria for Penetration Testing
        - Explicitly incorporate testing of Cloud Technologies into your Vuln Mgt Program
      • In the first three months following this presentation you should:
        - Review suppliers' capability to test Cloud Technologies
        - Develop the Blue Team side of the equation
        - Have a functional Shift Left feature in your Vuln Mgt Program for Cloud
      • Within six months you should:
        - Have performed an effective Penetration Test on your Cloud investment
        - Fine-tune your Blue Team response to cloud technology attacks
  72. Apply What You Have Learned Today – Pen Testers
      • Next week you should:
        - Shortlist all the relevant cloud technologies in use by your clients
        - Re-calibrate your approach to test PaaS and Containers
      • In the first three months following this presentation you should:
        - Demonstrate the ability to break out of containers
        - Demonstrate the ability to live off the land
      • Within six months you should:
        - Perfect methods for persistence in highly dynamic environments
        - Determine how to integrate Pen Test with client Blue Team (Purple Team)
  73. Do you have any questions? Murray Goldschmidt, COO – murrayg@senseofsecurity.com.au
  74. Contact us to discuss how our security solutions can help protect your most vital assets: 1300 922 923 (national), +61 (2) 9290 4444 (Sydney), +61 (3) 8376 9410 (Melbourne); info@senseofsecurity.com.au; senseofsecurity.com.au (office addresses as on slide 1).
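Slides 61, 66 and 68 name attack surface reduction, privileged access management and host/container hardening as blue-team steps, and slide 6 notes that isolation only holds if one container's runaway resource use cannot affect the whole host; the deck leaves the concrete checks to NIST SP 800-190 and the CIS Docker Benchmark. As an added example that is not part of the original presentation, the following Python script audits `docker inspect`-style container records for a hand-picked subset of those hardening themes: privileged mode, host network/PID namespaces, dangerous added capabilities, Docker socket or host root mounts, a writable root filesystem, a missing `no-new-privileges` option, missing memory and PID limits, and running as root. The JSON field names are the real `docker inspect` keys; the finding codes, the capability shortlist and the two sample records are constructed for this example and are not the benchmark's numbered checks.

```python
"""Audit docker-inspect style container records for attack-surface issues.

Added example, not from the presentation. The checks are a hand-picked
subset of the hardening themes in NIST SP 800-190 and the CIS Docker
Benchmark (not the benchmark's numbered checks); the two sample records
are constructed, not captured from a real host.
"""
import json
import sys

# Capabilities whose addition usually defeats the container boundary
# (shortlist chosen for this example, not an exhaustive policy).
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN",
                  "DAC_READ_SEARCH", "ALL"}


def audit_container(record: dict) -> list[str]:
    """Return sorted finding codes for one `docker inspect` record."""
    host = record.get("HostConfig") or {}
    config = record.get("Config") or {}
    findings = []

    if host.get("Privileged"):                # --privileged: all caps, all devices
        findings.append("privileged")
    if host.get("NetworkMode") == "host":     # shares the host network namespace
        findings.append("host-network")
    if host.get("PidMode") == "host":         # can see and signal host processes
        findings.append("host-pid")
    for cap in host.get("CapAdd") or []:
        name = cap.upper().removeprefix("CAP_")
        if name in DANGEROUS_CAPS:
            findings.append(f"cap-add:{name}")
    for bind in host.get("Binds") or []:      # bind format is "src:dst[:opts]"
        source = bind.split(":", 1)[0].rstrip("/")
        if source == "/var/run/docker.sock":  # daemon control equals host root
            findings.append("docker-socket-mount")
        elif source == "":                    # "/" stripped to "": whole host fs
            findings.append("host-root-mount")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable-rootfs")
    if "no-new-privileges:true" not in (host.get("SecurityOpt") or []):
        findings.append("no-new-privileges-missing")
    if not host.get("Memory"):                # 0 means unlimited memory
        findings.append("no-memory-limit")
    pids = host.get("PidsLimit")
    if not pids or pids < 0:                  # None, 0 and -1 all mean unlimited
        findings.append("no-pids-limit")
    user = (config.get("User") or "").split(":")[0]
    if user in ("", "root", "0"):
        findings.append("runs-as-root")
    return sorted(findings)


def audit_records(records: list[dict]) -> dict[str, list[str]]:
    """Map container name -> findings for a whole `docker inspect` dump."""
    return {r.get("Name", "?"): audit_container(r) for r in records}


# Constructed sample: a container run with --privileged and --net=host, the
# Docker socket mounted, running as root, with no resource limits.
WEAK_CONTAINER = {
    "Name": "/legacy-app",
    "Config": {"User": ""},
    "HostConfig": {
        "Privileged": True, "NetworkMode": "host", "PidMode": "",
        "CapAdd": ["SYS_ADMIN"],
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
        "ReadonlyRootfs": False, "SecurityOpt": None,
        "Memory": 0, "PidsLimit": None,
    },
}

# Constructed sample: the same workload after hardening.
HARDENED_CONTAINER = {
    "Name": "/legacy-app-hardened",
    "Config": {"User": "10001:10001"},
    "HostConfig": {
        "Privileged": False, "NetworkMode": "app-net", "PidMode": "",
        "CapAdd": None, "CapDrop": ["ALL"],
        "Binds": ["/srv/app/data:/data:ro"],
        "ReadonlyRootfs": True, "SecurityOpt": ["no-new-privileges:true"],
        "Memory": 268435456, "PidsLimit": 200,
    },
}

if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) | python3 audit_containers.py
    # Without piped input the constructed samples are audited instead.
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    records = json.loads(data) if data.strip() else [WEAK_CONTAINER, HARDENED_CONTAINER]
    for name, found in audit_records(records).items():
        print(f"{name}: {', '.join(found) or 'no findings'}")
```

Run against the output of `docker inspect` for the running containers on a host, the script gives a per-container list of finding codes that can be wired into the "Host: compliance scanning" stage of slide 63; the same function can be applied to a registry's image metadata or to a CI job's container definition before deployment, which is where the deck's "shift left" point lands.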
