The Psychology of Security Automation

Presented at AutomaCon 2016 in Portland, OR on 9/28/2016.

Technologie

The Psychology of Security
Automation
Jason Chan - Netflix
Automacon 2016
@chanjbs

History:
Developer - Security
Relationship

Opportunities for Developers
are
Opportunities for Security Teams

Opportunities + History =
Powerful Tools to Improve
Security and Relationships!

Types of Security Automation
1. Developer-Facing Tools

Types of Security Automation
1. Developer-Facing Tools
2. Developer-Security Collaboration

Types of Security Automation
1. Developer-Facing Tools
2. Developer-Security Collaboration
3. Internal Security Tools

Lemur
• One-stop shop for SSL certiﬁcate management

Lemur
• One-stop shop for SSL certiﬁcate management
• Request, provision, deploy, monitor

Lemur
• One-stop shop for SSL certiﬁcate management
• Request, provision, deploy, monitor
• Plugin architecture for certiﬁcate authorities, endpoints, etc.

Lemur and SSL Management
Takeaways
• APIs = Opportunities

Lemur and SSL Management
Takeaways
• APIs = Opportunities
• Solves persistent, difﬁcult, common problem

Lemur and SSL Management
Takeaways
• APIs = Opportunities
• Solves persistent, difﬁcult, common problem
• Security++

Lemur and SSL Management
Takeaways
• APIs = Opportunities
• Solves persistent, difﬁcult, common problem
• Security++
• Reliability++

Old Ways of “Collaborating”
• Skirmishes

Old Ways of “Collaborating”
• Skirmishes
• Meetings

Old Ways of “Collaborating”
• Skirmishes
• Meetings
• Brouhahas

Old Ways of “Collaborating”
• Skirmishes
• Meetings
• Brouhahas
• Change review boards

Old Ways of “Collaborating”
• Skirmishes
• Meetings
• Brouhahas
• Change review boards
• Fisticuffs

Old Ways of “Collaborating”
• Skirmishes
• Meetings
• Brouhahas
• Change review boards
• Fisticuffs
• Tickets

Case Study:
Permissions Management in AWS

Permissions Management in AWS
• Innovation is enabled by composition of multiple services,
but . . .

Permissions Management in AWS
• Innovation is enabled by composition of multiple services,
but . . .
• Complex and sophisticated policy language with many
conditions

Rollie Pollie
Permissions Management via
ChatOps

Rollie Pollie Benefits
• Transparent decisions

Rollie Pollie Benefits
• Transparent decisions
• Eng-native workﬂows

Rollie Pollie Benefits
• Transparent decisions
• Eng-native workﬂows
• Automated, secure, consistent

Application Security
Automation with
Dirty Laundry

Dirty Laundry’s Approach
• Unix-like philosophy - execute task, return results, process,
iterate

Dirty Laundry’s Approach
• Unix-like philosophy - execute task, return results, process,
iterate
• Example: ﬁnd all new ELBs, run a basic security scan
against them, return results

Current Support
• Dynamic analysis - AppSpider, Arachni, Detectify

Current Support
• Dynamic analysis - AppSpider, Arachni, Detectify
• Static analysis - Bandit, Brakeman, FindSecBugs, Custom

Current Support
• Dynamic analysis - AppSpider, Arachni, Detectify
• Static analysis - Bandit, Brakeman, FindSecBugs, Custom
• Others - curl, GitHub, OpenGrok

Dirty Laundry Benefits
• Embraces continuous deployment, self-service

Dirty Laundry Benefits
• Embraces continuous deployment, self-service
• Supports safe, high velocity development

Dirty Laundry Benefits
• Embraces continuous deployment, self-service
• Supports safe, high velocity development
• Decouples push schedule from security team bandwidth

Takeaways
• Security teams can leverage the high-velocity development
ecosystem

Takeaways
• Security teams can leverage the high-velocity development
ecosystem
• Shared history provides both lessons and input to
development

Contenu connexe

Tendances

Careers in Security

Cloud Security at Netflix

Today’s cutting edge companies have release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This type of automation will help you catch bugs sooner and accelerate developer productivity. In this session we will share our AWS engineers embed security practices in DevOps, and discuss how you can use AWS services to securely enable DevOps agility in your organization.

Introduction to DevSecOps

Security will always be our top priority. Agile deployment methods require a set of dynamic built-in security controls that keep pace with innovation and scale. In this session we will utilise the power of automation with the AWS platform to increase the agility of developers while maintaining a strong security posture. Speaker: David Faulkner, Senior Technical Account Manager, Amazon Web Services

Implementing DevSecOps

We are all embarking on a journey in the cloud that can be frightening at times, thrilling at others, but at all times filled with pitfalls and scary monsters that threaten the security of our infrastructure, applications, and data. The ultimate reward for all our hard work is to achieve a state of autonomous, self-healing security within our environment--one that can withstand any threats, whether internal or external. In this session, we walk you through the steps you need to be successful in your journey, just like Ellie Mae and many other enterprises and agencies. Your journey starts with security automation, and from there you will push outside of your security comfort zone, thanks to the gift of enhanced visibility and omniscience. Next we use CloudFormation Templates and custom signatures to move through our next security challenge with speed, and finally, we build auto-remediation into our security strategy with AWS Lambda workflows that enable the system to self-correct when misconfigurations occur. This fast-paced session will be filled code, best practices to help you in your quest, and even a few surprises about the ultimate destination of your journey. Session sponsored by Evident.io. AWS Competency Partner

AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...

Continuous delivery makes teams more agile and quickens the pace of innovation. Too often, though, teams adopt continuous delivery without putting the right safety mechanisms in place. In this talk, we'll transform a simple but typical software release process into one that is safe. We'll use DevOps techniques like continuous integration, a variety of non-production testing stages, rollbacks, machine redundancy, Availability Zone redundancy, canary deployments, canary tests, and dashboards. We'll use AWS Lambda, AWS CloudFormation, AWS CodePipeline, AWS CodeDeploy, Amazon CloudWatch alarms and dashboards, and AWS Elastic Beanstalk.

AWS re:Invent 2016: DevOps on AWS: Advanced Continuous Delivery Techniques (D...

Slides from my ServerlessConf Austin 2017. Serverless means handing off server management to the cloud platforms - along with their security risks. With the “pros” ensuring our servers are patched, what’s left for application owners to protect? As it turns out, quite a lot. This talk discusses the aspects of security serverless doesn’t solve, the problems it could make worse, and the tools and practices you can use to keep yourself safe

DevOps, Common use cases, Architectures, Best Practices

Shiva Narayanaswamy

SecDevOps

Peter Lamar

Serverless Security: What's Left to Protect?

Guy Podjarny

Azure Security Center

Udaiappa Ramachandran

by Jeet Shangari, Sr. Technical Account Manager, AWS Software release cycles are now measured in days instead of months. Cutting edge companies are continuously delivering high-quality software at a fast pace. In this session, we will cover how you can begin your DevOps journey by sharing best practices and tools used by the engineering teams at Amazon. We will showcase how you can accelerate developer productivity by implementing continuous Integration and delivery workflows. We will also cover an introduction to AWS CodeStar, AWS CodeCommit, AWS CodeBuild, AWS CodePipeline, AWS CodeDeploy, AWS Cloud9, and AWS X-Ray the services inspired by Amazon's internal developer tools and DevOps practice. Level 200

DevOps on AWS

s its biggest bottleneck and security is becoming the most pervasive bottleneck in most DevOps practices. Teams are unable to come up with security practices that integrate into the DevOps lifecycle and ensure continuous and smooth delivery of applications to customers. In fact, security failures in DevOps amplify security flaws in production as they are delivered at scale. If DevOps should not be at odds with security, then we must find ways to achieve the following on priority: - Integrate effective threat modeling into Agile development practices - Introduce Security Automation into Continuous Integration - Integrate Security Automation into Continuous Deployment While there are other elements like SAST and Monitoring that are important to SecDevOps, my talk will essentially focus on these three elements with a higher level of focus on Security Automation. In my talk, I will explore the following, with reference to the topic: - The talk will be replete with anecdotes from personal consulting and penetration testing experiences. - I will briefly discuss Threat Modeling and its impact on DevOps. I will use examples to demonstrate practical ways that one can use threat modeling effectively to break down obstacles and create security automation that reduces the security bottleneck in the later stages of the DevOps cycle. - I firmly believe that Automated Web Vulnerability Assessment (using scanners) no matter how tuned, can only produce 30-40% of the actual results as opposed to a manual application penetration test. I find that scanning tools fail to identify most vulnerabilities with modern Web Services (REST. I will discuss examples and demonstrate how one can leverage automated vulnerability scanners (like ZAP, through its Python API) and simulate manual testing using a custom security automation suite. In Application Penetration Testing, its impossible to have a one size-fits all, but there’s no reason why we can’t deliver custom security automation to simulate most of the manual penetration testing to combine them into a custom security automation suite that integrates with CI tools like Jenkins and Travis. I intend to demonstrate the use a custom security test suite (written in Python that integrates with Jenkins), against an intentionally vulnerable e-commerce app. - My talk will also detail automation to identify vulnerabilities in software libraries and components, integrated with CI tools. - Finally, I will (with the use of examples and demos) explain how one can use “Infrastructure as Code” practice to perform pre and post deployment security checks, using tools like Chef, Puppet and Ansible.

OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav

Abhay Bhargav

Today’s cutting-edge companies have software release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This automation helps you catch bugs sooner and accelerates developer productivity. In this session, we’ll share the processes that Amazon’s engineers use to practice DevOps and discuss how you can bring these processes to your company by using a new set of AWS tools (AWS CodePipeline and AWS CodeDeploy). These services were inspired by Amazon's own internal developer tools and DevOps culture.

DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools

Elastic Load Balancing automatically distributes incoming application traffic across multiple Amazon EC2 instances for fault tolerance and load distribution. In this session, we go into detail about Elastic Load Balancing's configuration and day-to-day management, as well as its use in conjunction with Auto Scaling. We explain how to make decisions about the service and share best practices and useful tips for success.

Deep Dive on Elastic Load Balancing

Amazon Inspector is a new service from AWS that helps you identify security issues in the applications that you deploy and run on AWS. Use Amazon Inspector to assess the security posture of the Amazon EC2 instances running your applications, in order to identify areas that can be improved before you expose them to a production threat environment. This webinar will cover getting started with Amazon Inspector, how to automate the process, how to manage and act on findings, and additional ways you can enhance your development and release lifecycle using Amazon Inspector. Learning Objectives: Understand the basics of Amazon Inspector Learn how to assess your security posture and identify areas that can be improved Who Should Attend: Security professionals, people who are responsible for host or application security, and anyone interested in standards compliance

AWS Security Strategy

Teri Radichel

AWS December 2015 Webinar Series - Introducing Amazon Inspector

The AWS platform offers a rich set of capabilities that can be leveraged by the customer to better control applications state, configuration, and supporting infrastructure throughout the service lifecycle – all while operating with security best practices such as audit and accountability, access control, change review and governance, and systems integrity. We will showcase and discuss design patterns for using these capabilities in synergy with fast-paced and agile application development methodologies – such as DevOps – to achieve an integrated security operations program.

Putting it All Together: Securing Systems at Cloud Scale

Automating Software Deployments with AWS CodeDeploy

Are you a member of the Department of Defense (DoD) and want to simplify the process to cloud deployment? Learn how you can adopt AWS's utility-based cloud services to process, store, and transmit DoD data. This presentation is a step-by-step guide from AWS on how to navigate the DoD compliance framework. The guide outlines the planning, deployment, accreditation, and continuous monitoring phases to get you to the cloud. AWS enables military organizations and their business associates to leverage the secure AWS environment through our attainment of a provisional authority to operate (P-ATO) from the Defense Information Systems Agency (DISA).

From Zero to ATO: A Step-by-Step Guide on the DoD Compliance Framework

"Amazon Inspector is a new service from AWS that identifies security issues in your application deployments. Use Inspector with your applications to assess your security posture and identify areas that can be improved. Inspector works with your Amazon EC2 instances to monitor activity in your applications and system. This session will cover getting started with Inspector, how to automate the process, how to manage and act on findings, and additional ways you can enhance your development and release lifecycle using Inspector."

(SEC324) NEW! Introducing Amazon Inspector

Tendances (20)

Careers in Security

Cloud Security at Netflix

Introduction to DevSecOps

Implementing DevSecOps

AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...

AWS re:Invent 2016: DevOps on AWS: Advanced Continuous Delivery Techniques (D...

DevOps, Common use cases, Architectures, Best Practices

SecDevOps

Serverless Security: What's Left to Protect?

Azure Security Center

DevOps on AWS

OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav

DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools

Deep Dive on Elastic Load Balancing

AWS Security Strategy

AWS December 2015 Webinar Series - Introducing Amazon Inspector

Putting it All Together: Securing Systems at Cloud Scale

Automating Software Deployments with AWS CodeDeploy

From Zero to ATO: A Step-by-Step Guide on the DoD Compliance Framework

(SEC324) NEW! Introducing Amazon Inspector

En vedette

Defending Netflix from Abuse

Practical Security Automation

Amazon Web Services Security

Resilience and Compliance at Speed and Scale

Cloud Security @ Netflix

Practical Cloud Security

Security at Scale - Lessons from Six Months at Yahoo

Alex Stamos

Resilience and Security @ Scale: Lessons Learned

The Qualcomm® Snapdragon™ Performance Visualizer, a product of Qualcomm Technologies, Inc. is a suite of tools that allows developers to better analyze their code’s operation on a Snapdragon processor. This session will show developers how to examine interrupts, DSP information, GPU events, performance counters and temperature, as well as custom, user-defined data and more. Learn more about Snapdragon Performance Visualizer: https://developer.qualcomm.com/mobile-development/increase-app-performance/snapdragon-performance-visualizer Watch this presentation on YouTube: https://www.youtube.com/watch?v=iVrF6LEyCwY

Informix 12.10.xC7 MQTT listener - june2016

Shawn Moe

Analyze System and Code Interactions

Qualcomm Developer Network

Virtualization: Security and IT Audit Perspectives

Ibm cloud nativenetflixossfinal

Members from over all over the world streamed over forty-two billion hours of Netflix content last year. Various Netflix batch jobs and an increasing number of service applications use containers for their processing. In this session, Netflix presents a deep dive on the motivations and the technology powering container deployment on top of Amazon Web Services. The session covers our approach to resource management and scheduling with the open source Fenzo library, along with details of how we integrate Docker and Netflix container scheduling running on AWS. We cover the approach we have taken to deliver AWS platform features to containers such as IAM roles, VPCs, security groups, metadata proxies, and user data. We want to take advantage of native AWS container resource management using Amazon ECS to reduce operational responsibilities. We are delivering these integrations in collaboration with the Amazon ECS engineering team. The session also shares some of the results so far, and lessons learned throughout our implementation and operations.

Re:invent 2016 Container Scheduling, Execution and AWS Integration

Netflix Global Applications - NoSQL Search Roadshow

Adrian Cockcroft

Netflix Cloud Platform and Open Source

In this episode, we will focus on open sourcing how we run Netflix's open source program. Netflix has been using and contributing to open source for several years. Over the years, Netflix has released over one hundred Netflix Open Source (aka NetflixOSS) libraries, servers, and technologies. Netflix engineers benefit by accepting contributions and gathering feedback with key collaborators around the world. Users of NetflixOSS from many industries benefit from our solutions including Big Data, Build and Delivery Tools, Runtime Services and Libraries, Data Persistence, Insight, Reliability and Performance, Security and User Interface. With such a large and mature open source program, Netflix has worked on approaches and tools that help manage and improve the NetflixOSS source offerings and communities. Netflix has taken a different approach to building support for open source as compared to other Internet scale companies. Come to this session to learn about the unique approaches Netflix has taken to both distribute and automate the responsibilities of building a world-class open source program.

Netflix OSS Meetup Season 4 Episode 4

AWS Security: A Practitioner's Perspective

Customers from over all over the world streamed Forty Two Billion hours of Netflix content last year. The Netflix streaming service had been powered by the Amazon cloud with virtual machines for over five years, blazing a trail for similar architectures. In the last year, it invested in containers for batch-style jobs and service-style applications. Andrew Spyker will explain the potential containers have to help Netflix create a more productive development experience while simultaneously deepening its control over resource management. Join Andrew to see why Netflix is moving forward with containers, how it can leverage its existing operational machinery, and how it’s running containers with a similar guarantee of high availability as current Netflix infrastructure provides.

Netflix Webkit-Based UI for TV Devices

Matt McCarthy

Netflix and Containers: Not A Stranger Thing

Software release cycles are now measured in days instead of months. Cutting edge companies are continuously delivering high-quality software at a fast pace. In this session, we will cover how you can begin your DevOps journey by sharing best practices and tools used by the engineering teams at Amazon. We will showcase how you can accelerate developer productivity by implementing continuous Integration and delivery workflows. We will also cover an introduction to AWS CodeStar, AWS CodeCommit, AWS CodeBuild, AWS CodePipeline, AWS CodeDeploy, AWS Cloud9, and AWS X-Ray the services inspired by Amazon's internal developer tools and DevOps practice. Level: 200 Speaker: Nick Brandaleone - Solutions Architect, AWS

Bottleneck analysis - Devopsdays Silicon Valley 2013

Adrian Cockcroft

En vedette (20)

Defending Netflix from Abuse

Practical Security Automation

Amazon Web Services Security

Resilience and Compliance at Speed and Scale

Cloud Security @ Netflix

Practical Cloud Security

Security at Scale - Lessons from Six Months at Yahoo

Resilience and Security @ Scale: Lessons Learned

Informix 12.10.xC7 MQTT listener - june2016

Analyze System and Code Interactions

Virtualization: Security and IT Audit Perspectives

Ibm cloud nativenetflixossfinal

Re:invent 2016 Container Scheduling, Execution and AWS Integration

Netflix Global Applications - NoSQL Search Roadshow

Netflix Cloud Platform and Open Source

Netflix OSS Meetup Season 4 Episode 4

AWS Security: A Practitioner's Perspective

Netflix Webkit-Based UI for TV Devices

Netflix and Containers: Not A Stranger Thing

Bottleneck analysis - Devopsdays Silicon Valley 2013

Similaire à The Psychology of Security Automation

DevOps on AWS

The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. Security for AWS is about three related elements: visibility, auditability, and control. You have to know what you have and where it is before you can assess the environment against best practices, internal standards, and compliance standards. Controls enable you to place precise, well-understood limits on the access to your information. Did you know, for example, that you can define a rule that says that "Tom is the only person who can access this data object that I store with Amazon, and he can do so only from his corporate desktop on the corporate network, from Monday–Friday 9–5, and when he uses MFA?" That's the level of granularity you can choose to implement if you wish. In this session, we'll cover these topics to provide a practical understanding of the security programs, procedures, and best practices you can use to enhance your current security posture.

Intro to AWS: Security

In the ever-evolving, fast-paced Agile development world, application security has not scaled well. Incorporating application security and testing into the current development process is difficult, leading to incomplete tooling or unorthodox stoppages due to the required manual security assessments. Development teams are working with a backlog of stories—stories that are typically focused on features and functionality instead of security. Traditionally, security was viewed as a prevention of progress, but there are ways to incorporate security activities without hindering development. There are many types of security activities you can bake into your current development lifecycles—tooling, assessments, stories, scrums, iterative reviews, repo and bug tracking integrations—every organization has a unique solution and there are positives and negatives to each of them. In this slide deck, we go through the various solutions to help build security into the development process.

AppSec in an Agile World

David Lindner

Intro to AWS: Security

Every developer has gone through the frustration of creating new features, fixing bugs, or refactoring beautiful code, and then wait for it to reach the promise land of production. Come and learn how to get your changes in the hands of your customers with more speed, reliability, security and quality. We will dive deep into architectures for continuous delivery pipelines, apply lean principles, and build intelligence into your pipeline. Speaker: Shiva Narayanaswamy, Solutions Architect, Amazon Web Services Featured Customer - REA Group

Making security-agile matt-tesauro

Matt Tesauro

Application Delivery Patterns

Shiva Narayanaswamy

Application Delivery Patterns for Developers - Technical 401

Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/1mv6Kpr. Josh Evans uses the Netflix Operations Engineering as a case study to explore the challenges faced by centralized engineering teams and approaches to addressing those challenges. Filmed at qconsf.com. Josh Evans is Director of Operations Engineering at Netflix, with experience in e-commerce, playback control services, infrastructure, tools, testing, and operations.

Selenium for everyone

Tft Us

Beyond DevOps: How Netflix Bridges the Gap?

C4Media

This session is designed to teach security engineers, developers, solutions architects, and other technical security practitioners how to use a DevSecOps approach to design and build robust security controls at cloud-scale. This session walks through the design considerations of operating high-assurance workloads on top of the AWS platform and provides examples of how to automate configuration management and generate audit evidence for your own workloads. We’ll discuss practical examples using real code for automating security tasks, then dive deeper to map the configurations against various industry frameworks. This advanced session showcases how continuous integration and deployment pipelines can accelerate the speed of security teams and improve collaboration with software development teams.

Automating Security in Cloud Workloads with DevSecOps

How We Should Think About Security

Sumo Logic offers a powerful cloud-native analytics solution that supports all types of machine data. Our platform integrates easily with your AWS infrastructure supporting fast, accurate and secure analysis and monitoring of enormous amounts of data—giving you clear and direct visibility into its operations. In this webinar, you’ll learn how organizations such as Greenhouse Software harness cloud-native machine data analytics to optimize the internal and external process lifecycles, monitor the health of all AWS application and services and deliver a WOW application to their end users.

The Joy of Proactive Security

Andy Hoernecke

Proactive Security AppSec Case Study

Andy Hoernecke

Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin

Matt Tesauro

Agile Secure Cloud Application Development Management

Adam Getchell

How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...

The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. Security for AWS is about three related elements: visibility, auditability, and control. You have to know what you have and where it is before you can assess the environment against best practices, internal standards, and compliance standards. Controls enable you to place precise, well-understood limits on the access to your information. Did you know, for example, that you can define a rule that says that “Tom is the only person who can access this data object that I store with Amazon, and he can only do so from his corporate desktop on the corporate network, from Monday-Friday 9-5 and when he uses MFA?”. That’s the level of granularity you can choose to implement if you wish. In this session, we’ll cover these topics to provide a practical understanding of the security programs, procedures, and best practices you can use to enhance your current security posture. Speakers: Rob Whitmore, AWS Solutions Architect

Introduction to AWS Security

Integrated Security & Operations for Scaling Securely in AWS