DevSecOps: Integrating security into pipelines - SDD310 - AWS re:Inforce 2019


In this workshop, you practice running an environment with a test and production deployment pipeline. Along the way, we cover topics such as static code analysis, dynamic infrastructure review, and workflow types. You also learn how to update your process in response to security events. We write new AWS Lambda functions and incorporate them into the pipeline, and we consider capabilities such as AWS Systems Manager Parameter Store and AWS Secrets Manager.

  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. DevSecOps: Integrating security into pipelines. Byron Pogson, Solutions Architect, Amazon Web Services. SDD310
  2. Agenda: What is DevOps? What about DevSecOps? Security of the pipeline. Security in the pipeline. Enforcement of the pipeline. Lab.
  3. Competing forces: Business. Development: build it faster. Operations: keep it stable.
  4. Competing forces: Business. DevOps.
  5. What is DevOps? Culture, process, and tools: break down cultural barriers; work as one team; support business and IT agility; collaborate and communicate; treat infrastructure as code; automate; test, measure, and monitor.
  6. Why do organizations adopt DevOps? Faster time to value; agility; quality; speed.
  7. CI vs. CD. Continuous integration: techniques and tools to implement the continuous process of applying quality control; in general, small pieces of effort, applied frequently, to improve the quality of software and to reduce the time taken to deliver it. Continuous deployment: techniques and tools to improve the process of software delivery, resulting in the ability to rapidly, reliably, and repeatedly push out enhancements and bug fixes to customers at low risk and with minimal manual overhead.
  8. Promotion process in continuous deployment (diagram).
  9. What is a pipeline?
     • Build automation
     • Continuous integration
     • Deployment automation
     • Test automation
     • Service orchestration
  10. (Diagram only.)
  11. Competing forces: Business. DevOps. Security: make it secure. DevSecOps.
  12. What is DevSecOps? DevSecOps is the combination of cultural philosophies, practices, and tools that exploits the advances made in IT automation to achieve a state of production immutability, frequent delivery of business value, and automated enforcement of security policy. DevSecOps is achieved by integrating and automating the enforcement of preventive, detective, and responsive security controls into the pipeline. (Diagram: Security, Operations, Development.)
  13. Tenets of DevSecOps (diagram).
  14. Three major components of DevSecOps: enforcement of the pipeline; security in the pipeline; security of the pipeline.
  15. A brief word on governance: security governance is meant to support business objectives by defining policies and controls to manage risk. (Diagram: framework, policies, business outcomes, manage risks.)
  16. (Diagram only.)
  17. Pipeline as a workload
     • Securing the application starts with securing the pipeline
     • The CI/CD pipeline is a workload
     • Its purpose is to integrate and deliver other workloads
     • It has users, supporting infrastructure, application, and data components, etc.
     • Those components are typically managed as code
  18. The cloud adoption framework
     1. Business: align business and IT needs; map IT investments to business results
     2. People: prioritize cloud-based competencies; drive organizational readiness
     3. Governance: manage cloud investments; measure business outcomes
     4. Platform: provision cloud applications and infrastructure; improve cloud services and solutions
     5. Security: align security and compliance with current requirements; manage access and authorization
     6. Operations: monitor and maintain system health and reliability; observe cloud best practices
  19. Align with the cloud adoption framework (diagram).
  20. Align with the cloud adoption framework: identity and access management; detective controls; infrastructure controls; data protection; incident response.
  21. Some identity and access management risks for pipelines
     • Anyone can run build jobs
     • Consistent user management across build servers
     • Pipeline role is too permissive
     • Slave node adverse effects on masters
  22. Enforcing least privilege between pipelines
     • Pipeline can perform a specific job (e.g., Jenkins/Spinnaker/CodePipeline is a pipeline factory)
     • Pipelines can be limited to blast-radius-based functions:
       • Pipeline factory
       • AMI factory
       • Artifact factory
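Slide 21 lists an over-permissive pipeline role as an IAM risk, and slide 22 proposes limiting each pipeline to a blast-radius-based function. One way to enforce that as security-as-code is to lint the IAM policy document attached to a pipeline role before the pipeline factory creates the pipeline, so that wildcard grants and deploy targets outside the approved accounts fail the build. The script below is an added example written for this page, not code from the workshop or from AWS; the account IDs, the two policy documents and the Get/List/Describe read-only heuristic are constructed for illustration.

```python
import re

# Constructed set of account IDs a pipeline is allowed to deploy into
# (placeholder values, not real accounts).
APPROVED_ACCOUNTS = {"111111111111", "222222222222"}

# ARN layout: arn:partition:service:region:account-id:resource
ARN_RE = re.compile(r"^arn:[^:]*:[^:]*:[^:]*:(\d{12})?:.*$")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def account_of(arn):
    """Return the 12-digit account ID embedded in an ARN, or None (e.g. for S3 ARNs)."""
    match = ARN_RE.match(arn)
    return match.group(1) if match else None


def is_read_only(action):
    """Heuristic used by this example: Get/List/Describe verbs do not change state."""
    verb = action.split(":", 1)[-1]
    return verb.startswith(("Get", "List", "Describe"))


def lint_pipeline_policy(policy, approved_accounts=APPROVED_ACCOUNTS):
    """Return findings for an IAM policy document attached to a pipeline role.

    Flags: a bare '*' action, service-wide 'svc:*' actions, mutating actions
    granted on Resource '*', and resources living in an unapproved account.
    An empty list means the policy passes this gate.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*":
                findings.append(f"statement {i}: Action '*' grants every API")
                continue
            if action.endswith(":*"):
                findings.append(f"statement {i}: service-wide action {action}")
            if "*" in resources and not is_read_only(action):
                findings.append(f"statement {i}: {action} allowed on Resource '*'")
        for resource in resources:
            account = account_of(resource) if resource != "*" else None
            if account and account not in approved_accounts:
                findings.append(
                    f"statement {i}: resource in unapproved account {account}: {resource}"
                )
    return findings


# Constructed policy documents: one that should fail the gate, one that should pass.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::999999999999:role/deploy"},
    ],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-artifact-bucket/dev/*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::111111111111:role/dev-deploy"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        findings = lint_pipeline_policy(policy)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run against a policy exported from a CloudFormation template, the permissive document produces three findings (a service-wide `s3:*`, that action on `Resource: "*"`, and an assume-role target in an account outside the approved set), while the scoped document produces none. The read-only heuristic is deliberately coarse; a production gate would carry an explicit allow-list per pipeline function (pipeline factory, AMI factory, artifact factory) rather than infer intent from verb prefixes.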
  23. Exercise: Identity and access management for pipelines wrap-up
     • Could you write a user story for the DevOps team managing the pipeline to implement?
     • If not, what is missing?
     • What are the acceptance criteria for your user story?
     • How would you validate your user story?
  24. Align with the cloud adoption framework: identity and access management; detective controls; infrastructure controls; data protection; incident response.
  25. Detective controls for pipelines
     • Who logged in?
     • What code was committed, and by whom?
     • What jobs did they run?
     • Did the jobs succeed or fail?
     • Was static/dynamic analysis enforced?
     • What were the results of the static/dynamic analysis?
  26. Exercise: Detective controls
     • What produces logs?
     • How are logs produced?
     • Where do logs go?
     • How do I protect my logs?
     • What are the items of interest in my logs?
     • At what threshold are those items interesting?
     • What should I do when thresholds are exceeded?
  27. Detective controls for pipelines wrap-up
     • There are multiple consumers of logs produced by the pipeline
     • Fast feedback to the log consumers is critical
     • Results of static/dynamic tests are as important as any other audit trail
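Slides 25 and 26 frame detective controls as questions to ask of the pipeline's logs: who ran which job, whether it succeeded, whether static analysis was actually enforced before a deploy, and at what threshold an item becomes interesting. The script below answers two of those questions over a constructed audit log in JSON-lines form. It is an added example for this page, not code from the workshop or from AWS; the log format, field names, stage names and the failure threshold are all assumptions made for illustration.

```python
import json
from collections import Counter, defaultdict

# Constructed audit log (JSON lines) standing in for CI server or CloudTrail events.
SAMPLE_LOG = """\
{"ts": "2019-06-25T10:00:01Z", "user": "alice", "event": "commit", "pipeline": "web", "run": 41, "commit": "a1b2c3"}
{"ts": "2019-06-25T10:00:05Z", "user": "alice", "event": "stage", "pipeline": "web", "run": 41, "stage": "static-analysis", "result": "pass"}
{"ts": "2019-06-25T10:02:10Z", "user": "alice", "event": "stage", "pipeline": "web", "run": 41, "stage": "deploy", "result": "pass"}
{"ts": "2019-06-25T11:00:01Z", "user": "bob", "event": "commit", "pipeline": "web", "run": 42, "commit": "d4e5f6"}
{"ts": "2019-06-25T11:00:09Z", "user": "bob", "event": "stage", "pipeline": "web", "run": 42, "stage": "deploy", "result": "pass"}
{"ts": "2019-06-25T12:00:01Z", "user": "carol", "event": "stage", "pipeline": "api", "run": 7, "stage": "static-analysis", "result": "fail"}
{"ts": "2019-06-25T12:10:01Z", "user": "carol", "event": "stage", "pipeline": "api", "run": 8, "stage": "static-analysis", "result": "fail"}
{"ts": "2019-06-25T12:20:01Z", "user": "carol", "event": "stage", "pipeline": "api", "run": 9, "stage": "static-analysis", "result": "fail"}
"""


def parse_log(text):
    """Parse JSON lines, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def run_summary(events):
    """Group events per (pipeline, run): who drove it and the result of each stage."""
    runs = defaultdict(lambda: {"user": None, "stages": {}})
    for e in events:
        key = (e["pipeline"], e["run"])
        runs[key]["user"] = e.get("user", runs[key]["user"])
        if e["event"] == "stage":
            runs[key]["stages"][e["stage"]] = e["result"]
    return runs


def deploys_without_analysis(events, gate="static-analysis"):
    """Runs where deploy passed although the gate stage never recorded a pass.

    This is the "was static analysis enforced?" question from slide 25 answered
    from the audit trail rather than from the pipeline definition.
    """
    flagged = []
    for (pipeline, run), info in sorted(run_summary(events).items()):
        if info["stages"].get("deploy") == "pass" and info["stages"].get(gate) != "pass":
            flagged.append((pipeline, run, info["user"]))
    return flagged


def users_over_failure_threshold(events, threshold=3):
    """Users whose failed stages reach the threshold within this log window."""
    failures = Counter(
        e["user"] for e in events if e["event"] == "stage" and e["result"] == "fail"
    )
    return {user: n for user, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for pipeline, run, user in deploys_without_analysis(events):
        print(f"ALERT {pipeline} run {run} deployed without a passing gate (user={user})")
    for user, n in users_over_failure_threshold(events).items():
        print(f"NOTICE {user} has {n} failed stages in this window")
```

On the constructed log, run 42 of the `web` pipeline is flagged because `bob` reached a passing deploy with no static-analysis result on record, and `carol` crosses the three-failure threshold. In a real deployment the same functions would run over CloudWatch Logs or CloudTrail exports, and the alert path is where the "what should I do when thresholds are exceeded?" question from slide 26 gets its answer.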
  28. Align with the cloud adoption framework: identity and access management; detective controls; infrastructure controls; data protection; incident response.
  29. Infrastructure security risks to pipelines
     • Who has access to underlying infrastructure resources?
     • How are pipelines patched and updated?
     • How is least privilege between pipelines enforced?
     • Are my pipelines deploying into approved AWS accounts?
     • Does the pipeline align with organizational responsibility?
  30. Infrastructure as code is a practice where traditional infrastructure management techniques are supplemented and often replaced by using code-based tools and software development techniques.
  31. (Diagram: three layers of infrastructure as code and the AWS tooling that manages each.)
     • AWS resources: Amazon Virtual Private Cloud (Amazon VPC), Amazon Elastic Compute Cloud (Amazon EC2), AWS Identity and Access Management (IAM), Amazon Relational Database Service (Amazon RDS), Amazon Simple Storage Service (Amazon S3), AWS CodePipeline. Managed with AWS CloudFormation.
     • Operating system and host configuration: Windows registry, Linux networking, OpenSSH, LDAP, centralized logging, system metrics, deployment agents, host monitoring. Managed with AWS Systems Manager/AWS Secrets Manager.
     • Application configuration: application dependencies, application configuration, service registration, management scripts, database credentials. Managed with AWS CodeDeploy.
  32. Infrastructure security for pipelines wrap-up
     • The pipeline is a workload and needs to be treated with the same rigor as other critical infrastructure
     • Build a pipeline factory to build pipelines from known good configurations
     • Deploy workloads into known good environments
  33. Align with the cloud adoption framework: identity and access management; detective controls; infrastructure controls; data protection; incident response.
  34. Data protection risks for pipelines
     • Who can change/commit code?
     • How is production data prevented from being introduced into non-prod environments?
     • How is artifact integrity maintained?
  35. Top data protection best practices
     • Control access and permissions to the code repository
     • Trigger builds automatically (time-based or event-based)
     • Use tokenization or dummy data in non-production environments
     • Categorize data and enforce restrictions through the pipeline
       • For example, a pipeline configured to build the dev environment is not allowed to pull production data from the repo
  36. Data protection for pipelines wrap-up
     • Control access and permissions to the source repository: artifacts are critical data for your pipeline
     • Build pipelines that are environment-aware (e.g., prod vs. non-prod)
     • Build artifact handlers to validate integrity across pipelines and environments
  37. Align with the cloud adoption framework: identity and access management; detective controls; infrastructure controls; data protection; incident response.
  38. Incident detection: Amazon GuardDuty, AWS Security Hub, Amazon Macie, Amazon Inspector.
  39. Incident response (diagram).
  40. Align with the cloud adoption framework: identity and access management; detective controls; infrastructure controls; data protection; incident response.
  41. Security in the pipeline. Code: code analysis. Build: dependencies. Test: vulnerability scan. Deploy: hash verification. Monitor: automated.
  42. Security in the pipeline
     • Static analysis: infrastructure as code; security as code
     • Dynamic analysis: unit tests; integration tests; system tests
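Slide 41 places hash verification at the deploy stage, and slides 34 and 36 ask how artifact integrity is maintained and call for artifact handlers that validate it across pipelines and environments. The pattern is simple: the build stage records a digest of every artifact it produced in a manifest and signs the manifest with a key that only the build and deploy stages can read; the deploy stage refuses to proceed unless the signature verifies and every artifact still matches its digest. The script below is an added example for this page, not the workshop's Lambda code or any AWS library; the artifacts and the signing key are constructed (a real pipeline would fetch the key from AWS Secrets Manager rather than embed it, and the key value here is an illustrative placeholder).

```python
import hashlib
import hmac
import json

# Placeholder standing in for a key the build and deploy stages would fetch from
# AWS Secrets Manager; constructed for the example, never embed a real key like this.
MANIFEST_KEY = b"example-manifest-key-not-a-real-secret"

# Constructed build output standing in for real artifacts.
BUILD_OUTPUT = {
    "app.zip": b"PK\x03\x04 example application bundle bytes",
    "template.yaml": b"Resources:\n  Function:\n    Type: AWS::Lambda::Function\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _sign(digests: dict, key: bytes) -> str:
    # Canonical JSON so the signed bytes do not depend on dict ordering.
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(artifacts: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Build stage: record one SHA-256 digest per artifact and sign the record."""
    digests = {name: sha256_hex(data) for name, data in sorted(artifacts.items())}
    return {"digests": digests, "sig": _sign(digests, key)}


def verify_artifacts(artifacts: dict, manifest: dict, key: bytes = MANIFEST_KEY) -> list:
    """Deploy stage: return a list of problems; an empty list means safe to deploy.

    The manifest signature is checked first, so a manifest edited to match
    tampered artifacts is rejected before any digest is compared.
    """
    digests = manifest.get("digests", {})
    if not hmac.compare_digest(_sign(digests, key), manifest.get("sig", "")):
        return ["manifest signature invalid"]
    problems = []
    for name, digest in digests.items():
        if name not in artifacts:
            problems.append(f"missing artifact: {name}")
        elif not hmac.compare_digest(sha256_hex(artifacts[name]), digest):
            problems.append(f"digest mismatch: {name}")
    for name in artifacts:
        if name not in digests:
            problems.append(f"unexpected artifact: {name}")
    return problems


if __name__ == "__main__":
    manifest = build_manifest(BUILD_OUTPUT)
    print("clean deploy:", verify_artifacts(BUILD_OUTPUT, manifest) or "OK")
    tampered = dict(BUILD_OUTPUT, **{"app.zip": BUILD_OUTPUT["app.zip"] + b"X"})
    print("tampered deploy:", verify_artifacts(tampered, manifest))
```

Three failure modes are covered: an artifact altered between build and deploy (digest mismatch), an artifact that appears in the deploy bucket without having been built (unexpected artifact), and a manifest rewritten to bless the altered files (signature invalid). Because the check runs in the deploy account and the signing key never leaves the secret store, the dev and test pipelines cannot mint a manifest that production will accept, which is the cross-environment integrity slide 36 asks for.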
  43. (Diagram only.)
  44. Separation of duty: multi-account strategy. (Diagram: AWS Organizations account with Sandbox, Dev, Test, Production, Security, and Tools accounts.)
  45. Separation of duty: multi-account strategy. (Diagram: Tools, Dev, Test, Prod.)
  46. No more humans in production. (Diagram: Tools, Dev, Test, Prod.)
  47. Three major components to DevSecOps: security of the pipeline; security in the pipeline; enforcement of the pipeline.
  48. DevSecOps benefits
     • Confidence that workloads and changes are validated against corporate security policies
     • Consistency and repeatability of security validation
     • Match the business' pace of innovation
     • Security at scale!
  49. Lab time!
     • Download the lab bundle here: https://tinyurl.com/yx9yuhxg
     • Open and follow the Readme.pdf
     • Join/create a group of four and come up here for a temp account
     • Once you have an account, go to https://dashboard.eventengine.run/login and enter your code
  50. Thank you! Byron Pogson, bpogson@amazon.com