
Adding the Sec to Your DevOps Pipelines (SEC332-R1) - AWS re:Invent 2018

DevSecOps is the premise that everyone in the software development lifecycle is responsible for security. DevSecOps aims to embed security in every part of the development process. In this workshop, participants take a standard CI/CD pipeline and add security stages to improve its security posture. Learn how to use AWS CodeCommit and AWS CodePipeline to build and publish golden AMI images, and how to modify the pipeline flow to add security test cases. You also have the opportunity to perform CVE analysis and code analysis using Amazon Inspector and to perform observational container analysis using Amazon GuardDuty.


  1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Adding the Sec to Your DevOps Pipelines (SEC332). Welcome to the workshop; have a seat. Please visit http://bit.ly/2CVczI0 and follow the setup instructions to complete the prerequisites for this workshop. If you need to create a new AWS account, visit http://bit.ly/2P45JHn
  2. Adding the Sec to Your DevOps Pipelines (SEC332). Armando Leite, Sr. Manager, Solutions Prototyping; Adam McLean, Solutions Developer, Solutions Prototyping; Aravind Kodandaramaiah, Solutions Developer, Solutions Prototyping
  3. Agenda: Dev(Sec)Ops overview; Security in the pipeline; Pipeline build-out; Take-home challenge; Wrap-up; Q&A
  5. What is DevOps? What is DevSecOps? (diagram) DevOps: a combination of practices and tools; reliability, speed, scale, rapid delivery, improved collaboration. SecDevOps: adding Sec to Dev/__/Ops; security means securing the pipeline, auditing workloads, and security in the pipeline, alongside operations.
  7. Security in the Pipeline (diagram). Stages: Source Control (commit changes), Build (build artifacts), Testing & Staging (deploy to test environment; run integration, security, load and other tests), Production (deploy to production environment), Maintain (manage runtime). Services shown across the stages: AWS CodeCommit, AWS CodeStar, AWS CodePipeline, AWS CodeBuild, AWS CloudFormation, AWS Step Functions, AWS X-Ray, AWS CodeDeploy, AWS Elastic Beanstalk, AWS Systems Manager, Amazon GuardDuty.
  9. What you will do today: 1. Build a CI/CD pipeline. 2. Implement security IN the pipeline.
  11. Pipeline prerequisite check: http://bit.ly/2CVczI0 (5 min)
  12. The base pipeline (AWS CodePipeline, diagram): Source (source code in CodeCommit); Build source code (CodeBuild); Launch & Install (Lambda, SSM Automation on an EC2 instance); Build AMI (Lambda); output: Golden AMI.
  13. The final pipeline (AWS CodePipeline, diagram): Source (source code in CodeCommit); Static Code Analysis (CodeBuild); Launch & Install (Lambda, SSM Automation on an EC2 instance); Vulnerability check (Lambda, Amazon Inspector); Build AMI (Lambda); output: Golden AMI.
  14. Your turn – Build the base pipeline: http://bit.ly/2zlngjB (25 min). (diagram of the base pipeline: Source/CodeCommit, Build source code/CodeBuild, Launch & Install/Lambda, Build AMI/Lambda, Golden AMI)
  15. Is the base pipeline working? (pipeline diagram: Source/CodeCommit, Launch & Install/Lambda, Build AMI/Lambda, Static code analysis/CodeBuild, Golden AMI)
  17. Static Code Analysis
  18. Your turn – Add static code analysis to the pipeline: http://bit.ly/2D1uk8u (8 min). (pipeline diagram: Source/CodeCommit, Static code analysis/CodeBuild, Launch & Install/Lambda, SSM Automation/EC2 instance, Build AMI/Lambda, Golden AMI)
  19. Did the pipeline find the embedded credentials?
  20. Your turn – Remove the embedded credentials: http://bit.ly/2F7Wd1p (12 min). (pipeline diagram as on slide 18)
  22. Vulnerability Assessment with Amazon Inspector. What is Amazon Inspector? A vulnerability assessment service in the cloud.
      • Application / EC2 security assessment
      • Selectable built-in rules
      • Runtime behavioral analysis
      • CVE (Common Vulnerabilities and Exposures)
      • AWS security best practices
      • Weak security configuration (CIS Security Benchmarks)
      • Network reachability
      • Security findings – guidance and management
      • Automatable via APIs
  23. Your turn – Add vulnerability assessment to the pipeline: http://bit.ly/2RwEsKB (20 min). (pipeline diagram: Source/CodeCommit, Static code analysis/CodeBuild, Launch & Install/Lambda, SSM Automation/EC2 instance, Vulnerability check/Lambda with Amazon Inspector, Build AMI/Lambda, Golden AMI)
  24. Did the pipeline catch the vulnerability?
  25. What did Amazon Inspector find?
      Finding: A security flaw was found in the chap_server_compute_md5() function
        Recommendation: Use your Operating System's update feature to update package kernel-0:4.14.62-65.117.amzn1
        Fix: yum -y update kernel
      Finding: The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows.
        Recommendation: Use your Operating System's update feature to update package kernel-0:4.14.62-65.117.amzn1
        Fix: yum -y update kernel
  26. Your turn – Fix the vulnerability: http://bit.ly/2RzgvCk (20 min). (pipeline diagram as on slide 23)
  28. Your turn – Launch the AMI: http://bit.ly/2zxg18e (15 min)
  30. Threat detection and continuous monitoring with Amazon GuardDuty. GuardDuty monitors:
      • Unusual API calls.
      • Potentially unauthorized deployments that indicate a possible account compromise.
      • Potentially compromised instances or reconnaissance by attackers.
  31. How GuardDuty works (diagram, AWS Cloud). Data sources: VPC Flow Logs, DNS logs, CloudTrail events. Amazon GuardDuty: threat intel, ML/AI anomaly detection. Threat detection types: reconnaissance, instance compromise, account compromise. Findings: HIGH, MEDIUM, LOW. Forwarded to a SIEM and/or remediated.
  33. Your turn – Clean up AWS resources: http://bit.ly/2Dl7A4k
  35. Thank you! Aravind Kodandaramaiah, karavind@amazon.com; Adam McLean, apmclean@amazon.com
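Added example, not the workshop's own code: the shape of the "Vulnerability check" Lambda stage from slides 13 and 23 to 25, a gate that evaluates Amazon Inspector findings against a severity threshold and derives the "Fix" column of slide 25 (yum -y update kernel) from the package named in each blocking finding. The sample findings are constructed; their field names (severity, title, recommendation, attributes with a package_name key) follow Amazon Inspector Classic describeFindings output as an assumption, and reporting the result back to CodePipeline is left out so the logic runs offline.

```python
import re
from collections import defaultdict

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample findings (not real API output); the two kernel findings mirror slide 25.
KERNEL_PKG = "kernel-0:4.14.62-65.117.amzn1"
UPDATE_KERNEL = "Use your Operating System's update feature to update package " + KERNEL_PKG
SAMPLE_FINDINGS = [
    {"severity": "High", "recommendation": UPDATE_KERNEL,
     "title": "A security flaw was found in the chap_server_compute_md5() function",
     "attributes": [{"key": "package_name", "value": KERNEL_PKG}]},
    {"severity": "High", "recommendation": UPDATE_KERNEL,
     "title": "The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows.",
     "attributes": [{"key": "package_name", "value": KERNEL_PKG}]},
    {"severity": "Low", "recommendation": "Restrict inbound access in the security group",
     "title": "Instance is reachable from the internet on TCP port 22", "attributes": []},
]

def attribute(finding, key):
    """Return the value of a key/value attribute on a finding, or None if absent."""
    return next((a["value"] for a in finding.get("attributes", []) if a.get("key") == key), None)

def package_base_name(nevra):
    """'kernel-0:4.14.62-65.117.amzn1' -> 'kernel' (strip epoch, version and release)."""
    match = re.match(r"^(.+?)-(?:\d+:)?\d", nevra)
    return match.group(1) if match else nevra

def evaluate_findings(findings, fail_at="Medium"):
    """Return (passed, blocking, packages): a finding blocks the AMI build when its
    severity is at or above fail_at; packages counts blocking findings per package."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in findings if SEVERITY_RANK.get(f.get("severity"), 0) >= threshold]
    packages = defaultdict(int)
    for finding in blocking:
        package = attribute(finding, "package_name")
        if package:
            packages[package] += 1
    return not blocking, blocking, dict(packages)

def lambda_handler(event, context):
    """Shape of the 'Vulnerability check' Lambda stage: fail on blocking findings.
    A real stage would report to CodePipeline; fixCommands reproduces slide 25's Fix column."""
    passed, blocking, packages = evaluate_findings(event.get("findings", []), event.get("failAt", "Medium"))
    return {"status": "SUCCEEDED" if passed else "FAILED",
            "blockingFindings": [f["title"] for f in blocking],
            "fixCommands": sorted({f"yum -y update {package_base_name(p)}" for p in packages})}
```

Running `lambda_handler({"findings": SAMPLE_FINDINGS}, None)` fails the stage on the two High kernel findings and yields the single fix command `yum -y update kernel`; the Low reachability finding is reported only if `failAt` is lowered to `"Low"`.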
