
Build security into CI/CD pipelines for effective security automation on AWS - SDD351-S - AWS re:Inforce 2019


Realizing DevSecOps and effectively implementing security into CI/CD pipelines on AWS remains a challenging proposition for most organizations today. In this session, we share the essential principles of achieving security automation in your CI/CD pipelines and across the build, deploy, and run phases of your applications. Finally, we conclude with a demonstration of security automation across all three phases of your applications that are deployed on AWS infrastructure, showing you how to bring security automation to your organization today.



  1. Building Security into CI/CD Pipelines for Effective Security Automation on AWS (SDD351-S)
     Ram Boreda, Director, Product Management, Palo Alto Networks
     Kevin Paige, CISO, Flexport
     © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  2. Agenda
     • The need for security early in the development cycle
     • The approach taken by Flexport
     • Security during the build phase
     • Security during the deployment phase
     • Security during the production phase
     • Q&A
  3. About Your Speakers
     • Ram Boreda: drives product strategy and roadmap of public cloud security products at Palo Alto Networks. At AWS, was responsible for AWS Transit Gateway and VPN services. Led product management of security products at Verisign iDefense and CipherCloud.
     • Kevin Paige: Chief Information Security Officer (CISO) at Flexport. Previously CISO at MuleSoft, with technical leadership roles at Salesforce, xMatters, the U.S. Army and the U.S. Air Force.
  4. The Security Analyst Dilemma
     • 174,000 alerts per week, 7% reviewed (State of SOAR Report 2018, Demisto)
     • Mean time to identify: 197 days; mean time to contain: 69 days (Cost of a Data Breach Study 2018, Ponemon Institute)
  5. Security Issues Start Early in the Build Phase (State of Open Source Security Report 2019, Snyk)
     • 1 in 2 developers don't security test images
     • Each of the top 10 most popular Docker images carries ~30 known vulnerabilities
     • 4 in 10 Docker images could fix known vulnerabilities with a base image tag update
  6. Perils of Automation During the Deployment Phase (2018 Cloud Security Report, Palo Alto Networks: https://www.paloaltonetworks.com/resources/research/2018-cloud-security-report-palo-alto-networks)
     • Easy to deploy misconfigured resources at scale
     • Increased risk when governance/compliance checks are not met
  7. Security Built-In vs. Security Bolted On
  8. Our Cloud Security Challenge (Flexport)
     • Hypergrowth
     • Business wants more features faster
     • Lack of alignment and ownership between teams
  9. Shifting Left: Our Approach
     • Align and influence
     • Get and give visibility
     • Hold people accountable
     • Get identity and access control right
  10. Dashboard Example (image only)
  11. Shifting Left: Key Outcomes
     • Culture shift
     • Accountability drove behavior changes
     • Increase in velocity
  12. Start Security From the Build Phase: BUILD → DEPLOY → RUN
  13. And Cover the Entire Development Lifecycle
     • BUILD: vulnerability scanning of packages; analyze code; scan images prior to registry upload; scan configurations prior to deployment (IaC, k8s app manifest YAML)
     • DEPLOY: image scanning in the registry; configuration scanning; detect drifts from templates
     • RUN: continuous monitoring; detect and respond to attacks
  14. Start Left To Drive Consistent And Secure Releases (across BUILD → DEPLOY → RUN)
     • Scenario 1: development starts without security, and security is siloed → the build fails with vulnerability and configuration issues, and development questions the need to fix → vulnerability scan and runtime issues without context frustrate both development and security
     • Scenario 2: give development simple security tools → development identifies vulnerable packages and fixes them → builds pass and images get pushed to the registry → vulnerability scanning and runtime issues with context facilitate remediation
  15. Integrating Security into Dev & CI/CD
     Diagram: the Prisma Public Cloud scanning service alongside the AWS cloud (AWS CodePipeline, container registry, Amazon S3, Amazon RDS, Amazon ECS, AWS Lambda, Amazon EKS, Amazon EC2), with three scan points:
     1) Vulnerability scan of OS packages in Dockerfiles in the developer environment, before check-in to Git
     2) Vulnerability scan of OS packages in Docker images in CI/CD, before push to the registry
     3) Configuration scan of CloudFormation templates (CFT) / Terraform, before deployment to runtime
  16. Integrating Security into CI/CD (same diagram as slide 15)
  17. Vulnerability Scan: For OS Packages in CI/CD
     • How: configure CI/CD projects to vulnerability-scan Docker images, triggered by a pull request (PR) in Git or a build in CI/CD
     • Why: verify that Docker images do not have vulnerabilities that violate policies
     • Benefit: eliminate vulnerabilities in Docker images; reduce the attack surface of images before check-in to Git / push to the registry
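A policy gate of the kind slide 17 describes, as an added example (not code from the session, and not Prisma Cloud's own output or rules): a CI step that reads a scanner's findings and fails the build only on findings the developer can act on. The JSON layout, the EXAMPLE-n finding ids, the package names and the image tag are placeholders constructed here; the script would run between `docker build` and `docker push` in a CodeBuild stage, mapping the real scanner's report into the same shape.

```python
"""Policy gate for a container image vulnerability scan, run in CI before
the push to the registry.

Added example for this slide, not code from the session or from Prisma
Cloud: it reads the scanner's findings as JSON and decides whether the
image may be pushed. The JSON layout, the finding ids (EXAMPLE-n) and the
package names below are constructed placeholders; map them from the
scanner your pipeline actually runs.
"""
import json
import sys
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Policy:
    # Block the push for findings at or above this severity ...
    block_at: str = "high"
    # ... but only when the distribution ships a fixed package version.
    # Findings with no fix are reported, not blocked: developers cannot
    # fix what the vendor has not fixed, and a hard fail there is exactly
    # the "build fails, dev questions the need to fix" of slide 14.
    require_fix_available: bool = True
    # Accepted-risk exceptions by finding id, recorded with a reason
    # elsewhere (a ticket, a file in the repo).
    accepted: FrozenSet[str] = field(default_factory=frozenset)


@dataclass(frozen=True)
class Finding:
    id: str
    package: str
    installed: str
    severity: str
    fixed_in: Optional[str]


def parse_findings(raw: str) -> List[Finding]:
    """Parse the (constructed) scanner JSON into Finding records."""
    return [
        Finding(
            id=f["id"],
            package=f["package"],
            installed=f["version"],
            severity=f["severity"].lower(),
            fixed_in=f.get("fixed_in") or None,
        )
        for f in json.loads(raw)["vulnerabilities"]
    ]


def evaluate(findings: List[Finding], policy: Policy) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into (blocking, advisory) under the policy."""
    threshold = SEVERITY_RANK[policy.block_at]
    blocking: List[Finding] = []
    advisory: List[Finding] = []
    for f in findings:
        if (
            f.id in policy.accepted
            or SEVERITY_RANK.get(f.severity, 0) < threshold
            or (policy.require_fix_available and not f.fixed_in)
        ):
            advisory.append(f)
        else:
            blocking.append(f)
    return blocking, advisory


def gate(raw: str, policy: Policy) -> int:
    """Return the CI step's exit code: 0 = push allowed, 1 = push blocked."""
    blocking, advisory = evaluate(parse_findings(raw), policy)
    for f in blocking:
        print(f"BLOCK {f.id}: {f.package} {f.installed} -> upgrade to {f.fixed_in} [{f.severity}]")
    for f in advisory:
        fix = f"fix in {f.fixed_in}" if f.fixed_in else "no fix available"
        print(f"NOTE  {f.id}: {f.package} {f.installed} ({fix}) [{f.severity}]")
    return 1 if blocking else 0


# Constructed scanner output for one image; ids and packages are not real.
SAMPLE_SCAN = json.dumps({
    "image": "registry.example/app:pr-42",
    "vulnerabilities": [
        {"id": "EXAMPLE-1", "package": "libfoo", "version": "1.2.0",
         "severity": "high", "fixed_in": "1.2.1"},        # blocks: fix exists
        {"id": "EXAMPLE-2", "package": "libbar", "version": "3.0.0",
         "severity": "critical", "fixed_in": None},        # advisory: no fix yet
        {"id": "EXAMPLE-3", "package": "libbaz", "version": "0.9.0",
         "severity": "medium", "fixed_in": "0.9.1"},       # advisory: below threshold
        {"id": "EXAMPLE-4", "package": "libqux", "version": "2.4.0",
         "severity": "high", "fixed_in": "2.4.2"},         # advisory: accepted exception
    ],
})

DEFAULT_POLICY = Policy(accepted=frozenset({"EXAMPLE-4"}))

if __name__ == "__main__":
    # Run as the CodeBuild step between `docker build` and `docker push`;
    # a non-zero exit stops the pipeline before the image reaches the registry.
    sys.exit(gate(SAMPLE_SCAN, DEFAULT_POLICY))
```

The split into blocking and advisory findings is the part worth copying: a gate that fails on every finding, including ones with no available fix, is what produces the scenario 1 friction on slide 14, while a gate that only blocks on fixable findings above a threshold gives developers an action they can take on every red build.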
  18. Demo Time: Vulnerability Scanning During CI/CD
  19. Integrating Security into CI/CD (same diagram as slide 15)
  20. IaC Scan: For CFT / Terraform in CI/CD
     • How: configure the CI/CD project to scan IaC templates, triggered by a PR in Git
     • Why: verify that IaC templates do not violate security policies
     • Benefit: eliminate insecure configuration in IaC before check-in to Git / deployment to runtime; reduce the attack surface of the infrastructure when deployed to runtime
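The PR-triggered IaC check of slide 20, as an added example (not code from the session, and not Prisma Cloud's rule set): two checks a pre-deployment scan commonly enforces, no world-reachable SSH/RDP in a security group and no public S3 bucket, applied to a CloudFormation template constructed here, with the remediated template shown passing. The template, its resource names and the `10.0.0.0/8` "corporate range" are assumptions for illustration; the template is handled as JSON so no third-party YAML parser is needed.

```python
"""IaC policy check for a CloudFormation template, run on the pull request
before anything is deployed.

Added example for this slide, not code from the session or from Prisma
Cloud's rule set: it applies two checks a pre-deployment scan commonly
enforces (no world-reachable SSH/RDP, no public S3 buckets) to a template
constructed here for illustration, and shows the corrected template
passing. Templates are read as JSON; convert a YAML template first.
"""
import json
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str]  # (logical resource id, message)

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
BLOCK_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")


def check_security_groups(resources: Dict[str, Any]) -> List[Finding]:
    """Flag ingress rules that expose SSH or RDP to 0.0.0.0/0 or ::/0."""
    findings: List[Finding] = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr not in ("0.0.0.0/0", "::/0"):
                continue  # sourced from another SG or a private range: not this check's concern
            proto = str(rule.get("IpProtocol", "-1"))
            lo = int(rule.get("FromPort", 0))
            hi = int(rule.get("ToPort", 65535))
            for port, label in ADMIN_PORTS.items():
                # IpProtocol "-1" means every protocol on every port.
                if proto == "-1" or (proto == "tcp" and lo <= port <= hi):
                    findings.append((name, f"{label} (tcp/{port}) reachable from {cidr}"))
    return findings


def check_s3_buckets(resources: Dict[str, Any]) -> List[Finding]:
    """Flag buckets with a public canned ACL or without full public-access blocking."""
    findings: List[Finding] = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties", {})
        if props.get("AccessControl") in PUBLIC_ACLS:
            findings.append((name, f"public canned ACL {props['AccessControl']}"))
        block = props.get("PublicAccessBlockConfiguration", {})
        missing = [k for k in BLOCK_KEYS if block.get(k) is not True]
        if missing:
            findings.append((name, "PublicAccessBlockConfiguration incomplete: " + ", ".join(missing)))
    return findings


def scan(template_json: str) -> List[Finding]:
    """Run all checks over a template; an empty list means the PR check passes."""
    resources = json.loads(template_json).get("Resources", {})
    return check_security_groups(resources) + check_s3_buckets(resources)


# Constructed template carrying two of the misconfigurations slide 6 warns about.
WEAK_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "bastion access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "WebSg": {  # public HTTPS is expected and must not be flagged
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "public https",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"AccessControl": "PublicRead"},
        },
    },
})


def fixed_template() -> str:
    """Same template, remediated: SSH limited to an assumed corporate range, bucket private."""
    t = json.loads(WEAK_TEMPLATE)
    t["Resources"]["AdminSg"]["Properties"]["SecurityGroupIngress"][0]["CidrIp"] = "10.0.0.0/8"
    t["Resources"]["LogsBucket"]["Properties"] = {
        "AccessControl": "Private",
        "PublicAccessBlockConfiguration": {k: True for k in BLOCK_KEYS},
    }
    return json.dumps(t)


if __name__ == "__main__":
    for label, tmpl in (("weak", WEAK_TEMPLATE), ("fixed", fixed_template())):
        findings = scan(tmpl)
        print(f"{label}: {len(findings)} finding(s)")
        for res, msg in findings:
            print(f"  {res}: {msg}")
    # Exit non-zero on findings so the PR check fails and the deploy stage never runs.
    raise SystemExit(1 if scan(WEAK_TEMPLATE) else 0)
```

Running the check on the pull request rather than on the deployed stack is the point of slide 20: the open SSH rule and the public bucket are caught as text in the diff, before CloudFormation ever creates the resource, and the same script can be re-run against the live stack's template to detect the drift slide 13 mentions.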
  21. Demo Time: IaC Config Scanning During CI/CD
  22. Continuous Security During the Run Phase
     Diagram: Prisma Public Cloud continuously monitors the AWS cloud (container registry, Amazon S3, Amazon RDS, Amazon ECS, AWS Lambda, Amazon EKS, Amazon EC2); critical alerts are handed to Demisto for response.
  23. Demo Time: Continuous Security During the Run Phase
  24. Start Left: Achieve Better Security Outcomes with Security Built-In (developers.paloaltonetworks.com/prisma)
  25. Thank you!
     • Stop by the Palo Alto Networks booth #707
     • Sign up for a free trial: http://go.paloaltonetworks.com/awsmarketplace
     • Ram Boreda, rboreda@paloaltonetworks.com
