© 2019 Puma Security, LLC | All Rights Reserved
DevSecOps: Key Controls For Modern Security Success
DevOps Days Des Moines, 05/02/2019
$WHOAMI
Eric Johnson, Principal Security Engineer, Puma Security
- Coder: static analysis engine, cloud automation, security tools
- Security assessments: DevSecOps, cloud, source code, web apps, mobile apps
- SANS Principal Instructor and DevSecOps Curriculum Manager; contributing author of SEC540, DEV544, and DEV531
- Education and training: Iowa State M.S. Information Assurance, B.S. Computer Engineering; AWS Certified Developer; CISSP, GSSP, GWAPT
Contact Information
- Email: eric.johnson@pumascan.com
- Twitter: @emjohn20
- LinkedIn: linkedin.com/in/eric-m-johnson
Agenda: Keys for Modern Security Success
- Cloud & DevSecOps Practices
- Pre-Commit: The Paved Road
- Commit: CI / CD Security Controls
- Acceptance: Supply Chain Security
- Operations: Continuous Security Compliance
WHAT ARE THE GOALS AND PRINCIPLES IN DEVSECOPS?
1. Make security a first-class problem in DevOps
2. Make security a first-class participant in DevOps
3. Increase trust between dev, ops, and sec
4. Integrate security practices and ideas into DevOps culture
5. Wire security into DevOps workflows to incrementally improve security
SecDevOps / DevSecOps / DevOpsSec / Rugged DevOps
Secure Cloud & DevOps Practices | sans.org/u/OGx
- Cloud Security Top 10
- Serverless Security Top 10
- DevSecOps Toolchain
- Building a DevSecOps Program
PRE-COMMIT: Threat Modeling, IDE Security Plugins, Pre-Commit Hooks, Peer Code Reviews
COMMIT (CI): Static Code Analysis, Security Unit Tests, Container Security, Dependency Management
ACCEPTANCE: Infrastructure as Code, Cloud Infrastructure, Dynamic Security Tests, Security Acceptance Tests
PRODUCTION: Security Smoke Tests, Secrets Management, Security Configuration, Server Hardening
OPERATIONS: Blameless Postmortems, Continuous Monitoring, Penetration Testing, Threat Intelligence
Cloud & DevSecOps Security Controls
Pre-Commit: The Paved Road
Dev, Sec, and Ops teams build secure-by-default frameworks, libraries, and services. Popularized by Netflix as the move from "Gates to Guardrails".
- Operations: automated pipelines build, certify, and publish cloud infrastructure / machine images
- Development: secure templates for Web, APIs, front-end, and serverless projects
- Security: automated security pipeline scans, unit tests, acceptance tests, production assertions
Build The Paved Road (PRE-COMMIT)
Network, cloud, and infrastructure-as-code templates for quickly provisioning certified environments for the development team to use:
- Cloud network infrastructure
- Virtual machine gold images
- Container gold base images
- Managing Functions as a Service (FaaS)
- Network hardware devices
- API gateway appliances for microservices
Operations Paved Road
AWS CloudFormation infrastructure paved road example (each property is annotated with the control it implements):

    LaunchConfiguration:
      Type: AWS::AutoScaling::LaunchConfiguration
      Metadata:
      Properties:
        ImageId: !FindInMap [ AWSRegionToAMI, !Ref "AWS::Region", AMI ]   # Gold image
        IamInstanceProfile: !Ref InstanceProfile                          # Least privilege
        KeyName: "devsecops"                                              # Admin access
        SecurityGroups:                                                   # Network configuration
          - !Ref SecurityGroup
        UserData:                                                         # Supply chain security
          "Fn::Base64": !Sub |
            #!/bin/bash
            yum update -y
Operations Paved Road Example
Templates covering approved technology stacks with protection for common application security issues and misconfigurations:
- Node.js, Django, Spring Boot, .NET Core, Ruby on Rails, Functions, etc.
- Include common libraries for data validation, logging, encoding, etc.
- Secrets management storage
- Secure transport configuration (HTTPS)
- Enable authentication / authorization
- Configure password management / single sign-on
Development Paved Road
.NET Core paved road example with security protections pre-configured (password policy, authorization by default, HTTPS redirect, security headers):

    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Builder;
    using Microsoft.AspNetCore.Hosting;
    using Microsoft.AspNetCore.Identity;
    using Microsoft.AspNetCore.Mvc.Authorization;
    using Microsoft.AspNetCore.Rewrite;
    using Microsoft.Extensions.DependencyInjection;

    public void ConfigureServices(IServiceCollection services)
    {
        // Password configuration: minimum length and lockout threshold
        services.Configure<IdentityOptions>(options => {
            options.Password.RequiredLength = 15;
            options.Lockout.MaxFailedAccessAttempts = 5;
        });
        // Authorization: every MVC endpoint requires an authenticated user unless it opts out
        services.AddMvc(options => {
            options.Filters.Add(new AuthorizeFilter(
                new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build()));
        });
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // HTTPS: redirect plain HTTP requests
        app.UseRewriter(new RewriteOptions().AddRedirectToHttps());
        // Security headers: extension method defined by the template, not part of ASP.NET Core
        app.AddSecurityHeaders();
    }
Development Paved Road Example
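The same four controls the .NET Core template pre-configures can be packaged once for any Python web stack. The WSGI middleware below is an added example, not code from the deck or from Puma Security: it redirects plain HTTP to HTTPS, denies unauthenticated requests unless a path is explicitly public (the equivalent of the default AuthorizeFilter plus an opt-out), appends a fixed set of security headers, and carries the slide's password length and lockout thresholds. The header values, the public-path allowlist, the demo application and the request helper are assumptions for illustration.

```python
"""Secure-by-default WSGI middleware (added example, not from the deck)."""
from urllib.parse import quote

# Assumed header set; tune Content-Security-Policy to the application's needs.
SECURITY_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Referrer-Policy", "no-referrer"),
]
PASSWORD_MIN_LENGTH = 15   # mirrors options.Password.RequiredLength = 15
MAX_FAILED_ATTEMPTS = 5    # mirrors options.Lockout.MaxFailedAccessAttempts = 5


def password_meets_policy(password):
    """Length-only policy, as on the slide; add breached-password checks in practice."""
    return len(password) >= PASSWORD_MIN_LENGTH


class LockoutTracker:
    """Counts consecutive failed logins per account; locks at MAX_FAILED_ATTEMPTS."""

    def __init__(self):
        self._failures = {}

    def record_failure(self, account):
        self._failures[account] = self._failures.get(account, 0) + 1

    def record_success(self, account):
        self._failures.pop(account, None)

    def is_locked(self, account):
        return self._failures.get(account, 0) >= MAX_FAILED_ATTEMPTS


class SecureDefaults:
    """WSGI wrapper: redirect to HTTPS, deny unauthenticated requests, add headers."""

    def __init__(self, app, is_authenticated, public_paths=("/login", "/health")):
        self.app = app
        self.is_authenticated = is_authenticated   # callable(environ) -> bool
        self.public_paths = set(public_paths)      # explicit opt-out, like [AllowAnonymous]

    def __call__(self, environ, start_response):
        def start(status, headers, exc_info=None):
            # Append every security header the application did not set itself.
            present = {name.lower() for name, _ in headers}
            extra = [h for h in SECURITY_HEADERS if h[0].lower() not in present]
            return start_response(status, list(headers) + extra, exc_info)

        path = environ.get("PATH_INFO") or "/"
        if environ.get("wsgi.url_scheme") != "https":
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            target = "https://%s%s" % (host, quote(path))
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start("301 Moved Permanently", [("Location", target), ("Content-Length", "0")])
            return [b""]

        if path not in self.public_paths and not self.is_authenticated(environ):
            body = b"authentication required"
            start("401 Unauthorized", [("Content-Type", "text/plain"),
                                       ("Content-Length", str(len(body)))])
            return [body]

        return self.app(environ, start)


def hello_app(environ, start_response):
    """Constructed demo application; it sets no security headers of its own."""
    body = b"hello, " + environ.get("REMOTE_USER", "anonymous").encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


# Authentication decision is an assumption: here, the server populated REMOTE_USER.
secured_app = SecureDefaults(hello_app, is_authenticated=lambda env: bool(env.get("REMOTE_USER")))


def request(app, path, scheme="https", user=None, query=""):
    """Drive one request through a WSGI app; returns (status, headers dict, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query,
               "wsgi.url_scheme": scheme, "HTTP_HOST": "app.example.test",
               "SERVER_NAME": "app.example.test"}
    if user:
        environ["REMOTE_USER"] = user
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Because the middleware wraps the application object rather than individual routes, a new service built from the template gets the controls before its first handler is written, and a team has to name a path in `public_paths` to opt out, which is visible in code review.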
Commit: CI / CD Security Controls
Integrate tools to automate build, test, acceptance, and deployment of infrastructure, cloud, and applications into a repeatable workflow.
Continuous Integration & Delivery Security Controls (COMMIT (CI))
Merging new features requires approval from peers and the security team prior to triggering the build pipeline. In the merge request below, the change under review replaces the load balancer listener's TLS 1.0 security policy with a TLS 1.2 policy:

    LoadBalancerArn: !Ref LoadBalancer
    Port: !Ref HttpsPort
    Protocol: HTTPS
    # before review: SslPolicy: ELBSecurityPolicy-TLS-1-0-2015-04
    SslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01
    Certificates:
      - CertificateArn: !Ref CertificateArn
    DefaultActions:
CI / CD Security Controls: Version Control
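Peer review catches a TLS 1.0 policy once; a guardrail in the pipeline catches it every time. The script below is an added example, not Puma Security's tooling, serving both the operations paved road launch configuration earlier and the merge request above: run as a pre-commit hook or CI step, it walks a JSON-format CloudFormation template and fails on a compute resource whose ImageId does not come from the gold-image map, lacks an instance profile or security group, on an HTTPS listener whose SslPolicy is outside an approved TLS 1.2 set, and on a security group that opens SSH to the internet. The map name `AWSRegionToAMI` is taken from the slide; the approved policy list, the sample template and the finding messages are constructed assumptions.

```python
"""Paved-road guardrail check for CloudFormation templates (added example)."""
import json
import sys

GOLD_AMI_MAP = "AWSRegionToAMI"              # gold-image mapping name from the slide
APPROVED_SSL_POLICIES = {                    # assumed allowlist: TLS 1.2-only ELB policies
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
}
COMPUTE_TYPES = ("AWS::AutoScaling::LaunchConfiguration", "AWS::EC2::Instance")


def _uses_gold_map(image_id):
    """True only when ImageId is Fn::FindInMap over the gold-image mapping."""
    if not isinstance(image_id, dict) or "Fn::FindInMap" not in image_id:
        return False
    return image_id["Fn::FindInMap"][0] == GOLD_AMI_MAP


def _port_in_rule(rule, port):
    """True when the ingress rule's port range covers the given port."""
    lo = int(rule.get("FromPort", -1))
    hi = int(rule.get("ToPort", lo))
    return lo <= port <= hi


def check_template(template):
    """Return [(logical_id, finding), ...]; an empty list means the template passes."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype in COMPUTE_TYPES:
            if not _uses_gold_map(props.get("ImageId")):
                findings.append((name, "ImageId must come from the %s gold-image map" % GOLD_AMI_MAP))
            if "IamInstanceProfile" not in props:
                findings.append((name, "no IamInstanceProfile (least-privilege role missing)"))
            if not (props.get("SecurityGroups") or props.get("SecurityGroupIds")):
                findings.append((name, "no security group attached"))
        elif rtype == "AWS::ElasticLoadBalancingV2::Listener":
            if props.get("Protocol") != "HTTPS":
                findings.append((name, "listener protocol is %r, expected HTTPS" % props.get("Protocol")))
            elif props.get("SslPolicy") not in APPROVED_SSL_POLICIES:
                findings.append((name, "SslPolicy %r is not an approved TLS 1.2 policy" % props.get("SslPolicy")))
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0" and _port_in_rule(rule, 22):
                    findings.append((name, "SSH (22) ingress open to 0.0.0.0/0"))
    return findings


# Constructed sample: the slide's launch configuration (compliant) plus a listener
# still on the TLS 1.0 policy and a security group that exposes SSH to the internet.
SAMPLE_TEMPLATE = {
    "Resources": {
        "LaunchConfiguration": {
            "Type": "AWS::AutoScaling::LaunchConfiguration",
            "Properties": {
                "ImageId": {"Fn::FindInMap": ["AWSRegionToAMI", {"Ref": "AWS::Region"}, "AMI"]},
                "IamInstanceProfile": {"Ref": "InstanceProfile"},
                "KeyName": "devsecops",
                "SecurityGroups": [{"Ref": "SecurityGroup"}],
            },
        },
        "SecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            ]},
        },
        "HttpsListener": {
            "Type": "AWS::ElasticLoadBalancingV2::Listener",
            "Properties": {
                "LoadBalancerArn": {"Ref": "LoadBalancer"},
                "Port": 443,
                "Protocol": "HTTPS",
                "SslPolicy": "ELBSecurityPolicy-TLS-1-0-2015-04",
                "Certificates": [{"CertificateArn": {"Ref": "CertificateArn"}}],
            },
        },
    }
}


if __name__ == "__main__":
    # Pre-commit / CI usage: python check_template.py template.json
    with open(sys.argv[1]) as fh:
        problems = check_template(json.load(fh))
    for logical_id, message in problems:
        print("FAIL %s: %s" % (logical_id, message))
    sys.exit(1 if problems else 0)
```

The non-zero exit code is what makes this a gate: a pre-commit framework blocks the commit and a CI stage blocks the merge, so the reviewer only sees templates that already satisfy the paved-road baseline. YAML templates with short-form tags such as `!Ref` need a loader that understands CloudFormation tags before the same checks apply.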
An approved merge request triggers automated unit tests, security scans, audit reports, and fast feedback.
CI / CD Security Controls: Acceptance Testing
Build pipelines retain the artifacts from security scans and compliance checks.
CI / CD Security Controls: Audit Reports
Acceptance: Supply Chain Security
Serious vulnerabilities can be inherited from open source libraries, Docker images, infrastructure templates, and serverless functions:
- Identify external dependencies
- Check them against public vulnerability database(s)
- Run tools to automatically scan the code base / images
- Integrate supply chain security scanning into CI/CD
- Carefully review content before usage
WARNING: Some tools may not check transitive dependencies. A scan that only looks at the packages an application declares directly misses vulnerable packages pulled in by those dependencies, so resolve the full dependency tree (for example from the lockfile) before matching against the vulnerability database.
Supply Chain Security
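The transitive-dependency warning is easiest to see in code. The script below is an added example, not one of the tools the deck lists: it walks a package-lock.json style tree (nested `dependencies` entries are the transitive packages), matches every installed package against an advisory feed by version range, and gates the build on severity. Running the same matcher over only the packages named in package.json shows what a direct-only scan misses. The package names, lockfile and advisory entries are constructed sample data with made-up identifiers, not real packages or real CVEs.

```python
"""Transitive dependency check against an advisory feed (added example)."""

PACKAGE_JSON = {  # constructed: what the application declares directly
    "name": "paved-road-api",
    "dependencies": {"acme-http": "^1.4.0", "acme-logger": "^3.1.0"},
}

PACKAGE_LOCK = {  # constructed, npm lockfile v1 shape: nested "dependencies" are transitive
    "dependencies": {
        "acme-http": {"version": "1.4.0", "requires": {"acme-zip": "^1.0.0"},
                      "dependencies": {"acme-zip": {"version": "1.3.2"}}},
        "acme-logger": {"version": "3.1.0"},
    }
}

ADVISORIES = [  # constructed feed entries with made-up IDs, not real CVEs
    {"id": "EXAMPLE-ADV-0001", "package": "acme-zip", "severity": "high",
     "introduced": "0.0.0", "fixed": "2.0.0", "title": "path traversal on extract"},
    {"id": "EXAMPLE-ADV-0002", "package": "acme-logger", "severity": "medium",
     "introduced": "2.0.0", "fixed": "3.0.0", "title": "log injection"},
]


def parse_version(text):
    """'1.2.3-beta+build' -> (1, 2, 3); pre-release and build metadata are ignored."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def affected(advisory, version):
    """Vulnerable when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def walk_lock(deps, path=()):
    """Yield (name, version, path) for every installed package, nested ones included."""
    for name, meta in deps.items():
        here = path + (name,)
        yield name, meta["version"], here
        yield from walk_lock(meta.get("dependencies", {}), here)


def direct_only(package_json, lock):
    """The weaker check: only packages named in package.json."""
    for name in package_json["dependencies"]:
        yield name, lock["dependencies"][name]["version"], (name,)


def scan(installed):
    """Match (name, version, path) triples against the feed; returns finding dicts."""
    findings = []
    for name, version, path in installed:
        for adv in ADVISORIES:
            if adv["package"] == name and affected(adv, version):
                findings.append({"id": adv["id"], "package": name, "version": version,
                                 "severity": adv["severity"], "fixed_in": adv["fixed"],
                                 "via": " > ".join(path), "transitive": len(path) > 1})
    return findings


def gate(findings, fail_on=("critical", "high")):
    """CI gate: True when the build may proceed."""
    return not any(f["severity"] in fail_on for f in findings)


if __name__ == "__main__":
    for label, installed in (("direct only", direct_only(PACKAGE_JSON, PACKAGE_LOCK)),
                             ("full tree", walk_lock(PACKAGE_LOCK["dependencies"]))):
        found = scan(installed)
        print("%-11s %d finding(s), build %s" % (label, len(found),
                                                 "passes" if gate(found) else "FAILS"))
        for f in found:
            print("  %s %s@%s via %s (fixed in %s)"
                  % (f["id"], f["package"], f["version"], f["via"], f["fixed_in"]))
```

The direct-only pass reports nothing and lets the build through; the full-tree pass finds the vulnerable `acme-zip` reached through `acme-http` and fails it. Recording the `via` path in the finding is what tells the developer which direct dependency to upgrade or pin, since the vulnerable package is not one they chose.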
DEPENDENCY MANAGEMENT | ACCEPTANCE
OWASP Dependency Check (Java, .NET, Ruby, Python)
- https://www.owasp.org/index.php/OWASP_Dependency_Check
NPM Audit / Retire.JS (NodeJS)
- https://retirejs.github.io/retire.js/
- https://docs.npmjs.com/cli/audit
Bundler-Audit (Ruby)
- https://github.com/rubysec/bundler-audit
PHP Security Checker
- https://security.sensiolabs.org/
Supply Chain Security: Application Scanning Tools
OWASP Dependency Check scan and vulnerability report in a Jenkins CI pipeline.
Supply Chain Security: Application Scanning Example
CONTAINER SECURITY | ACCEPTANCE
Anchore
- https://anchore.com/opensource/
Clair
- https://github.com/coreos/clair
Actuary (audits the Docker host and container configuration rather than image contents)
- https://github.com/diogomonica/actuary
Falco (runtime behavioural detection rather than image scanning)
- https://github.com/draios/falco
Supply Chain Security: Container Image Scanning Tools
Invoking an Anchore image scan and capturing vulnerability data in a Jenkins CI pipeline.
Supply Chain Security: Container Image Scanning Example
INFRASTRUCTURE AS CODE | ACCEPTANCE
Hardened infrastructure templates can be used as references:
DevSec Hardening Templates
- Automated hardening framework using Puppet, Chef, Ansible
- Linux, Windows, SSH, Docker, K8S, Apache, Nginx
- https://github.com/dev-sec
System Integrity Management Platform (SIMP)
- Hardened Puppet infrastructure configuration and testing
- NIST 800-53, DISA STIG, FIPS 140-2 RHEL & CentOS templates
- https://github.com/simp/
Supply Chain Security: Hardened Infrastructure Templates
Managing function dependencies in AWS Lambda can be achieved using Layers:
- Build pipelines remove third-party libraries from deployment packages
- CloudOps manages centralized layers containing approved third-party libraries
- Third-party vendors are leveraging Layers to further harden function runtime environments: PureSec FunctionShield, Twistlock Defender
Supply Chain Security: FaaS Dependency Management
Operations: Continuous Security Compliance
Leveraging security configuration tools to automate audit and compliance checks:
- Test the server and infrastructure configuration against the expected baseline and report any deviations
- Tests should include severity, risk level, and description information
- Match tests against compliance checklist items or regulatory policies
- Automated testing tools are available for Linux, Unix, Windows, AWS, Azure and VMware
Continuous Security Compliance (PRODUCTION)
SECURITY CONFIGURATION | PRODUCTION
Security compliance / acceptance testing tools:
InSpec
- https://github.com/inspec/inspec
Cloud Custodian (AWS, GCP, Azure)
- https://github.com/cloud-custodian/cloud-custodian
OpenSCAP
- https://github.com/OpenSCAP
Scout Suite (AWS, GCP, Azure)
- https://github.com/nccgroup/ScoutSuite
AWS Benchmark Scanner
- https://github.com/awslabs/aws-security-benchmark
Continuous Security Compliance: Security Configuration Tools
Running InSpec against a running Docker container (the chef/inspec image uses /share as its working directory, so the mounted current directory must contain the "baseline" profile):

    $ docker run -it --rm -v $(pwd):/share chef/inspec exec baseline -t docker://container_id

Example InSpec output results from the Linux baseline profile:

    ✔ os-01: Trusted hosts login
       ✔ Command find / -name '.rhosts' stdout should be empty
       ✔ Command find / -name 'hosts.equiv' stdout should be empty
    ✗ os-02: Check owner and permissions for /etc/shadow (1 failed)
       ✔ File /etc/shadow should exist
       ✔ File /etc/shadow should be file
       ✔ File /etc/shadow should be owned by "root"
       ✔ File /etc/shadow should not be executable
       ✗ File /etc/shadow group should eq nil
Continuous Security Compliance: InSpec Docker Scan
Exporting InSpec results to JUnit format (inspec exec supports a junit reporter via --reporter junit:<path>) and integrating with Jenkins CI, which then charts the results and can fail the build on them.
Continuous Security Compliance: Jenkins InSpec Integration
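What a compliance runner has to produce for a CI server is a set of named checks, each carrying severity and a checklist reference, in a format the server already understands. The script below is an added example, not InSpec or Puma Security code: it re-implements the two linux-baseline controls from the InSpec slide (os-01 trusted hosts login, os-02 /etc/shadow owner and permissions) with an impact score, a severity label and a checklist reference per control, and renders the results as JUnit XML of the kind Jenkins consumes. The checks read a constructed filesystem snapshot instead of the live host so the example runs anywhere; the impact-to-severity mapping and the checklist identifiers are assumptions.

```python
"""Baseline compliance checks with severity metadata and JUnit export (added example)."""
import xml.etree.ElementTree as ET


def severity(impact):
    """Assumed mapping from a 0.0-1.0 impact score to a severity label."""
    if impact >= 0.7:
        return "critical"
    if impact >= 0.4:
        return "major"
    return "minor"


def check_trusted_hosts(fs):
    """os-01: no .rhosts or hosts.equiv files anywhere on the system."""
    results = []
    for basename in (".rhosts", "hosts.equiv"):
        hits = sorted(p for p in fs if p.rsplit("/", 1)[-1] == basename)
        results.append(("find / -name '%s' should return nothing" % basename, not hits))
    return results


def check_shadow(fs):
    """os-02: /etc/shadow exists, is a regular file, root-owned, not executable or world-readable."""
    info = fs.get("/etc/shadow")
    results = [("File /etc/shadow should exist", info is not None)]
    if info is None:
        return results
    results += [
        ("File /etc/shadow should be file", info["type"] == "file"),
        ('File /etc/shadow should be owned by "root"', info["owner"] == "root"),
        ('File /etc/shadow group should be "root" or "shadow"', info["group"] in ("root", "shadow")),
        ("File /etc/shadow should not be executable", info["mode"] & 0o111 == 0),
        ("File /etc/shadow should not be readable by others", info["mode"] & 0o004 == 0),
    ]
    return results


CONTROLS = [  # checklist references are constructed placeholders
    {"id": "os-01", "title": "Trusted hosts login", "impact": 1.0,
     "checklist": "ACCESS-07", "check": check_trusted_hosts},
    {"id": "os-02", "title": "Check owner and permissions for /etc/shadow", "impact": 1.0,
     "checklist": "ACCESS-12", "check": check_shadow},
]

# Constructed snapshot: path -> facts a real runner would gather with os.stat / pwd / grp.
SNAPSHOT = {
    "/etc/shadow": {"type": "file", "owner": "root", "group": "users", "mode": 0o644},
    "/home/deploy/.rhosts": {"type": "file", "owner": "deploy", "group": "deploy", "mode": 0o600},
}


def run_controls(fs, controls=CONTROLS):
    """Evaluate every control; returns per-control dicts with pass/fail detail."""
    report = []
    for ctl in controls:
        tests = ctl["check"](fs)
        report.append({"id": ctl["id"], "title": ctl["title"], "impact": ctl["impact"],
                       "severity": severity(ctl["impact"]), "checklist": ctl["checklist"],
                       "tests": tests, "failed": sum(1 for _, ok in tests if not ok)})
    return report


def to_junit(report, suite_name="linux-baseline"):
    """Render the report as a JUnit testsuite so a CI server can chart and gate on it."""
    suite = ET.Element("testsuite", name=suite_name,
                       tests=str(sum(len(c["tests"]) for c in report)),
                       failures=str(sum(c["failed"] for c in report)))
    for ctl in report:
        for description, ok in ctl["tests"]:
            case = ET.SubElement(suite, "testcase", classname=ctl["id"], name=description)
            if not ok:
                ET.SubElement(case, "failure", message="%s severity (impact %.1f), checklist %s"
                              % (ctl["severity"], ctl["impact"], ctl["checklist"]))
    return ET.tostring(suite, encoding="unicode")


if __name__ == "__main__":
    results = run_controls(SNAPSHOT)
    for ctl in results:
        mark = "PASS" if ctl["failed"] == 0 else "FAIL"
        print("%s %s: %s (%d failed)" % (mark, ctl["id"], ctl["title"], ctl["failed"]))
    with open("baseline-results.xml", "w") as fh:
        fh.write(to_junit(results))
```

Each control becomes a JUnit classname and each individual expectation a testcase, so Jenkins reports "os-02: 2 of 6 failed" rather than one opaque red build, and the severity and checklist reference travel in the failure message where an auditor can read them. Against the constructed snapshot the suite reports 8 tests with 3 failures: the stray .rhosts file, the wrong group on /etc/shadow, and its world-readable mode.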
Running the AWS CIS Benchmark scan via AWS Config rules.
Continuous Security Compliance: AWS CIS Benchmark Scan
Thank you for attending!
Keys for Modern Security Success
SUMMARY
✓ Cloud & DevSecOps Practices
✓ Pre-Commit: The Paved Road
✓ Commit: CI / CD Security Controls
✓ Acceptance: Supply Chain Security
✓ Operations: Continuous Security Compliance
Contact Information:
E | eric.johnson@pumascan.com
@emjohn20

Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

Dernier (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

DevSecOps: Key Controls for Modern Security Success

  • 1. © 2019 Puma Security, LLC | All Rights Reserved. DevOps Days Des Moines. DevSecOps: Key Controls for Modern Security Success. 05/02/2019
  • 2. $WHOAMI. Principal Security Engineer, Puma Security. Coder: static analysis engine, cloud automation, security tools. Security assessments: DevSecOps, cloud, source code, web apps, mobile apps. Principal Instructor: DevSecOps Curriculum Manager, SANS Principal Instructor, contributing author of SEC540, DEV544, and DEV531. Education and training: Iowa State M.S. Information Assurance, B.S. Computer Engineering; AWS Certified Developer; CISSP, GSSP, GWAPT. Contact information: Email eric.johnson@pumascan.com; Twitter @emjohn20; LinkedIn linkedin.com/in/eric-m-johnson
  • 3. Agenda: Keys for Modern Security Success. Cloud & DevSecOps Practices. Pre-Commit: The Paved Road. Commit: CI / CD Security Controls. Acceptance: Supply Chain Security. Operations: Continuous Security Compliance
  • 4. What are the goals and principles in DevSecOps? (SecDevOps / DevSecOps / DevOpsSec / Rugged DevOps) 01 Make security a first-class problem in DevOps. 02 Make security a first-class participant in DevOps. 03 Increase trust between dev, ops, and sec. 04 Integrate security practices and ideas into DevOps culture. 05 Wire security into DevOps workflows to incrementally improve security
  • 5. Secure Cloud & DevOps Practices | sans.org/u/OGx: Cloud Security Top 10; Serverless Security Top 10; DevSecOps Toolchain; Building a DevSecOps Program
  • 6. Cloud & DevSecOps Security Controls, by pipeline phase (Pre-Commit, Commit (CI), Acceptance, Production, Operations). Pre-Commit: Threat Modeling, IDE Security Plugins, Pre-Commit Hooks, Peer Code Reviews. Commit through Operations: Static Code Analysis, Security Unit Tests, Container Security, Dependency Management, Infrastructure as Code, Cloud Infrastructure, Dynamic Security Tests, Security Acceptance Tests, Security Smoke Tests, Secrets Management, Security Configuration, Server Hardening, Blameless Postmortems, Continuous Monitoring, Penetration Testing, Threat Intelligence
  • 7. Pre-Commit: The Paved Road
  • 8. PRE-COMMIT. Build The Paved Road: Dev, Sec, and Ops teams build secure-by-default frameworks, libraries, and services. Popularized by Netflix ("Gates to Guardrails"). Operations: automated pipelines build, certify, and publish cloud infrastructure / machine images. Development: secure templates for Web, API, front-end, and serverless projects. Security: automated security pipeline scans, unit tests, acceptance tests, production assertions
  • 9. Operations Paved Road. Network, Cloud, and Infrastructure as Code templates for quickly provisioning certified environments for the development team to use: cloud network infrastructure; virtual machine gold images; container gold base images; managing Functions as a Service (FaaS); network hardware devices; API gateway appliances for microservices
  • 10. Operations Paved Road Example. AWS CloudFormation infrastructure paved road example (the braces are the slide's callouts for each property):
        LaunchConfiguration:
          Type: AWS::AutoScaling::LaunchConfiguration
          Metadata:
          Properties:
            ImageId: !FindInMap [ AWSRegionToAMI, !Ref "AWS::Region", AMI ]   # { Gold Image }
            IamInstanceProfile: !Ref InstanceProfile                          # { Least privilege }
            KeyName: "devsecops"                                              # { Admin Access }
            SecurityGroups:                                                   # { Network configuration }
              - !Ref SecurityGroup
            UserData:                                                         # { Supply chain security }
              "Fn::Base64": !Sub |
                #!/bin/bash
                yum update -y
  • 11. Development Paved Road. Templates covering approved technology stacks with protection for common application security issues and misconfigurations: include common libraries for data validation, logging, encoding, etc.; Node.js, Django, Spring Boot, .NET Core, Ruby on Rails, Functions, etc.; secrets management storage; secure transport configuration (HTTPS); enable authentication / authorization; configure password management / single sign-on
  • 12. Development Paved Road Example. .NET Core paved road example with security protections pre-configured (the braces are the slide's callouts; the slide's snippet was missing the closing `});` of the identity options lambda and the closing brace of Configure, restored here):
        public void ConfigureServices(IServiceCollection services)
        {
            services.Configure<IdentityOptions>(options =>
            {
                // { Password Configuration }
                options.Password.RequiredLength = 15;
                options.Lockout.MaxFailedAccessAttempts = 5;
            });
            services.AddMvc(options =>
            {
                // { Authorization }: every controller requires an authenticated user by default
                options.Filters.Add(new AuthorizeFilter(new AuthorizationPolicyBuilder()
                    .RequireAuthenticatedUser().Build()));
            });
        }
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            // { HTTPS }
            app.UseRewriter(new RewriteOptions().AddRedirectToHttps());
            // { Security Headers }
            app.AddSecurityHeaders();
        }
  • 13. Commit: CI / CD Security Controls
  • 14. COMMIT (CI). Continuous Integration & Delivery Security Controls: integrate tools to automate build, test, acceptance, and deployment of infrastructure, cloud, and applications into a repeatable workflow
  • 15. CI / CD Security Controls: Version Control. Merging new features requires approval from peers and the security team prior to triggering the build pipeline. Merge request diff shown on the slide (the SslPolicy line is the change under review):
        LoadBalancerArn: !Ref LoadBalancer
        Port: !Ref HttpsPort
        Protocol: HTTPS
    -   SslPolicy: ELBSecurityPolicy-TLS-1-0-2015-04
    +   SslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01
        Certificates:
          - CertificateArn: !Ref CertificateArn
        DefaultActions:
  • 16. CI / CD Security Controls: Acceptance Testing. An approved merge request triggers automated unit tests, security scans, audit reports, and fast feedback
  • 17. CI / CD Security Controls: Audit Reports. Build pipelines contain artifacts from security scans and compliance checks
  • 18. Acceptance: Supply Chain Security
  • 19. Supply Chain Security. Serious vulnerabilities can be inherited from open source libraries, Docker images, infrastructure templates, and serverless functions. WARNING: some tools may not check transitive dependencies. Carefully review content before usage. Run tools to automatically scan the code base / images. Identify external dependencies. Check against public vulnerability database(s). Integrate supply chain security scanning into CI/CD
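Slide 19's supply chain steps (identify external dependencies, check them against a vulnerability database, mind transitive dependencies), as an added Python example that is not part of the deck: a scan over a constructed npm lockfile and a constructed advisory feed. Package names, versions and advisory ids are placeholders; the point shown is that a direct-only scan misses the advisory inherited through a transitive dependency.

```python
"""Flatten direct AND transitive npm dependencies from a lockfile and
match them against advisories (added example; all data constructed)."""
import json

# Constructed package-lock.json (lockfileVersion 1 layout: nested
# "dependencies" maps hold transitive packages under their parent).
PACKAGE_LOCK = json.dumps({
    "name": "paved-road-web",
    "lockfileVersion": 1,
    "dependencies": {
        "web-framework": {
            "version": "4.16.0",
            "requires": {"query-parser": "6.5.0"},
            "dependencies": {
                # transitive: pulled in by web-framework, absent from package.json
                "query-parser": {"version": "6.5.0"},
            },
        },
        "util-lib": {"version": "4.17.0"},
    },
})

# Constructed advisory feed with placeholder ids: a package is affected
# when its installed version is below fixed_in.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "util-lib", "fixed_in": "4.17.12", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "package": "query-parser", "fixed_in": "6.5.3", "severity": "high"},
]


def parse_version(text):
    """Turn '6.5.0' into (6, 5, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def flatten_dependencies(node, chain=()):
    """Depth-first walk of the nested lockfile tree.

    Yields one record per installed package together with the chain that
    pulled it in, e.g. ('web-framework', 'query-parser') for a transitive one.
    """
    for name, meta in node.get("dependencies", {}).items():
        path = chain + (name,)
        yield {"name": name, "version": meta["version"], "chain": path}
        yield from flatten_dependencies(meta, path)


def scan(lock_text, advisories, include_transitive=True):
    """Return advisory matches for installed packages.

    include_transitive=False mimics a tool that only inspects direct
    dependencies, which is the gap the slide's WARNING points at.
    """
    deps = list(flatten_dependencies(json.loads(lock_text)))
    if not include_transitive:
        deps = [d for d in deps if len(d["chain"]) == 1]
    findings = []
    for dep in deps:
        for adv in advisories:
            affected = (adv["package"] == dep["name"]
                        and parse_version(dep["version"]) < parse_version(adv["fixed_in"]))
            if affected:
                findings.append({
                    "advisory": adv["id"], "package": dep["name"], "version": dep["version"],
                    "severity": adv["severity"], "via": " > ".join(dep["chain"]),
                    "transitive": len(dep["chain"]) > 1,
                })
    return findings
```

Run `scan(PACKAGE_LOCK, ADVISORIES, include_transitive=False)` beside the default call to see the transitive finding appear only in the second result.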
  • 20. ACCEPTANCE / DEPENDENCY MANAGEMENT. Supply Chain Security: Application Scanning Tools. OWASP Dependency Check (Java, .NET, Ruby, Python): https://www.owasp.org/index.php/OWASP_Dependency_Check. NPM Audit / Retire.JS (NodeJS): https://retirejs.github.io/retire.js/ and https://docs.npmjs.com/cli/audit. Bundler-Audit (Ruby): https://github.com/rubysec/bundler-audit. PHP Security Checker: https://security.sensiolabs.org/
  • 21. Supply Chain Security: Application Scanning Example. OWASP Dependency Check scan and vulnerability report in a Jenkins CI pipeline
  • 22. ACCEPTANCE / CONTAINER SECURITY. Supply Chain Security: Container Image Scanning Tools. Anchore: https://anchore.com/opensource/. Clair: https://github.com/coreos/clair. Actuary: https://github.com/diogomonica/actuary. Falco: https://github.com/draios/falco
  • 23. Supply Chain Security: Container Image Scanning Example. Invoking an Anchore image scan and capturing vulnerability data in a Jenkins CI pipeline
  • 24. ACCEPTANCE / INFRASTRUCTURE AS CODE. Supply Chain Security: Hardened Infrastructure Templates. Hardened infrastructure templates can be used as references. DevSec Hardening Templates: automated hardening framework using Puppet, Chef, Ansible; Linux, Windows, SSH, Docker, K8S, Apache, Nginx; https://github.com/dev-sec. System Integrity Management Platform (SIMP): hardened Puppet infrastructure configuration and testing; NIST 800-53, DISA STIG, FIPS 140-2 RHEL & CentOS templates; https://github.com/simp/
  • 25. Supply Chain Security: FaaS Dependency Management. Managing function dependencies in AWS Lambda can be achieved using Layers: build pipelines remove third-party libraries from deployment packages; CloudOps manages centralized layers containing approved third-party libraries. Third-party vendors are leveraging Layers to further harden function runtime environments: PureSec FunctionShield, Twistlock Defender
  • 26. Operations: Continuous Security Compliance
  • 27. PRODUCTION. Continuous Security Compliance. Leveraging security configuration tools to automate audit and compliance checks: test the server and infrastructure configuration against the expected baseline and report any deviations; tests should include severity, risk level, and description information; match tests against compliance checklist items or regulatory policies; automated testing tools are available for Linux, Unix, Windows, AWS, Azure, and VMware
  • 28. PRODUCTION / SECURITY CONFIGURATION. Supply Chain Security: Application Scanning Tools. Security compliance / acceptance testing tools: InSpec: https://github.com/inspec/inspec. Cloud Custodian (AWS, GCP, Azure): https://github.com/cloud-custodian/cloud-custodian. OpenSCAP: https://github.com/OpenSCAP. Scout Suite (AWS, GCP, Azure): https://github.com/nccgroup/ScoutSuite. AWS Benchmark Scanner: https://github.com/awslabs/aws-security-benchmark
  • 29. Continuous Security Compliance: InSpec Docker Scan. Running InSpec against a running Docker container:
        $ docker run -it --rm -v $(pwd):/share chef/inspec exec baseline -t docker://container_id
    Example InSpec output results from the Linux baseline profile:
        ✅ os-01: Trusted hosts login
        ✅   Command find / -name '.rhosts' stdout should be empty
        ✅   Command find / -name 'hosts.equiv' stdout should be empty
        X  os-02: Check owner and permissions for /etc/shadow (1 failed)
        ✅   File /etc/shadow should exist
        ✅   File /etc/shadow should be file
        ✅   File /etc/shadow should be owned by "root"
        ✅   File /etc/shadow should not be executable
        X    File /etc/shadow group should eq nil
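The compliance reporting slides 27 and 29 describe (severity and description per test, mapping to checklist items, reporting deviations, gating the pipeline), as an added Python example that is not part of the deck. The input is constructed to mirror the profiles > controls > results layout of InSpec's json reporter, carrying the slide's os-01 and os-02 controls plus a constructed medium-impact os-03; the exact reporter schema and the `cis` tag values are assumptions.

```python
"""Summarise baseline test results by severity, map controls to checklist
items, and decide whether the build should fail (added example)."""
import json

# Constructed report in the shape of InSpec's json reporter (assumed schema).
# os-01 and os-02 echo the slide's output; os-03 and the cis tags are constructed.
INSPEC_JSON = json.dumps({"profiles": [{"name": "linux-baseline", "controls": [
    {"id": "os-01", "title": "Trusted hosts login", "impact": 1.0,
     "tags": {"cis": "constructed-checklist-item-1"},
     "results": [
         {"status": "passed", "code_desc": "Command find / -name '.rhosts' stdout should be empty"},
         {"status": "passed", "code_desc": "Command find / -name 'hosts.equiv' stdout should be empty"}]},
    {"id": "os-02", "title": "Check owner and permissions for /etc/shadow", "impact": 1.0,
     "tags": {"cis": "constructed-checklist-item-2"},
     "results": [
         {"status": "passed", "code_desc": "File /etc/shadow should exist"},
         {"status": "passed", "code_desc": "File /etc/shadow should be file"},
         {"status": "passed", "code_desc": 'File /etc/shadow should be owned by "root"'},
         {"status": "passed", "code_desc": "File /etc/shadow should not be executable"},
         {"status": "failed", "code_desc": "File /etc/shadow group should eq nil"}]},
    {"id": "os-03", "title": "Constructed medium-impact control", "impact": 0.5,
     "tags": {},
     "results": [{"status": "failed", "code_desc": "constructed check should pass"}]},
]}]})

# Impact bands as InSpec documents them: (lower bound inclusive, label).
SEVERITY_BANDS = [(0.9, "critical"), (0.7, "high"), (0.4, "medium"), (0.0, "low")]
SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def severity(impact):
    """Map a 0.0-1.0 impact score onto a severity label."""
    for floor, label in SEVERITY_BANDS:
        if impact >= floor:
            return label
    return "low"


def summarise(report_text):
    """One row per control: severity, checklist mapping, pass/fail counts, deviations.

    A control counts as failed when any of its individual test results failed,
    which matches how the slide renders os-02 as '(1 failed)'.
    """
    rows = []
    for profile in json.loads(report_text)["profiles"]:
        for control in profile["controls"]:
            results = control.get("results", [])
            failed = [r for r in results if r["status"] == "failed"]
            rows.append({
                "id": control["id"],
                "title": control["title"],
                "severity": severity(control["impact"]),
                "checklist": control.get("tags", {}).get("cis", "unmapped"),
                "passed": len(results) - len(failed),
                "failed": len(failed),
                "deviations": [r["code_desc"] for r in failed],
            })
    return rows


def should_fail_build(rows, min_severity="high"):
    """Gate: fail when any control at or above min_severity reports a deviation."""
    threshold = SEVERITY_ORDER.index(min_severity)
    return any(r["failed"] and SEVERITY_ORDER.index(r["severity"]) >= threshold
               for r in rows)
```

Lowering `min_severity` to "medium" makes the constructed os-03 deviation fail the build as well, which is the knob a team turns as its baseline matures.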
  • 30. Continuous Security Compliance: Jenkins InSpec Integration. Exporting InSpec results to JUnit format and integrating with Jenkins CI
  • 31. Continuous Security Compliance: AWS CIS Benchmark Scan. Running the AWS CIS Benchmark scan via AWS Config rules
  • 32. Summary: Keys for Modern Security Success. ✓ Cloud & DevSecOps Practices. ✓ Pre-Commit: The Paved Road. ✓ Commit: CI / CD Security Controls. ✓ Acceptance: Supply Chain Security. ✓ Operations: Continuous Security Compliance. Thank you for attending! Contact information: E | eric.johnson@pumascan.com; @emjohn20