Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Integrating Security into
DevOps and CI/CD
Environments
Dave Walker
Specialist Solutions
Architect, Security
and Compliance
DevSecOps
Integrating Security with DevOps
What is DevOps?
Cultural
Philosophy
Practices Tools
What is DevOps
Breakdown the barriers
Work as one team end to end
Support business and IT agility
Collaboration & Communic...
DevOps Walkthrough Guide:
http://docs.aws.amazon.com/devops/latest/gsg/welcome.html
Featuring:
• AWS CodeCommit
• AWS Code...
Competing Forces
Business
Development Operations
Build it faster Keep it stable
Security
Make it
secure
What is DevSecOps
DevOps = Efficiencies that speed up this lifecycle
DevSecOps = Validate building blocks without slowing ...
Who is DevSecOps
• DevSecOps is
• Team/Community, not a person
• Automated and autonomous security
• Security at scale
• D...
Continuous Integration
Techniques and tools to improve
the process of software
delivery, resulting in the ability to
rapid...
CI/CD for DevOps
Version
Control
CI Server
Package
Builder
Deploy
Server
Commit to
Git/masterDev
Get /
Pull
Code
AMIs
Send...
Version
Control
CI Server
Package
Builder
Promote
Process
Validate
Dev
Get /
Pull
Code
AMIs
Log for audit
Staging Env
Test...
Promotion Process in Continuous Deployment
What Does DevSecOps CI/CD Give Us?
• Confidence that our code is validated against corporate
security policies.
• Avoid in...
Automation – What we heard
Automation pain point: AMI building
• Triggers: patching, hardening, application bake-in
• Neve...
Automation
Introducing Automation
• Simplified automation solution
• Perfect for AMI updates, instance deployment & config...
Automation – Getting Started
1. Create an
automation
document
2. Run automation 3. Monitor your
automation
Automation - Documents
Input & output parameters
• Create default values, or assign at run-time
• Parameter Store integrat...
Automation - Documents
Automation Steps
• Action types:
• runInstances, changeInstanceState, createAMI
• runCommand, invok...
Automation – IAM Setup
1. Create a Service Role for Automation
• Permission for Automation service to operate in your acco...
Automation – Monitoring
• Amazon CloudWatch Events
• Publish notifications to an Amazon SNS topic
• Step-level & automatio...
Governance First
Infrastructure is code
AWS CloudFormation Primer
Allows you to define a “template” which is composed of
different “resources” and then provision ...
AWS CloudFormation Primer
AWS CloudFormation Stacks
JSON
Template
Stack Stack Stack
CFn for Security Practitioners
“Infrastructure is code”
• We already know how to manage “code” lifecycle
• Let CFn perform...
Traditional Structured Deployment
Create
Skeleton
Define
Resources
Execute
Split Ownership Configurations
Who knows your solution best?
• Dev, Infra, Sec…?
• Delegate ownership
Use Yaml and split f...
Merging
From single file or multiple files
• Maintain access control using
policies
• Use different source stores if
neede...
Validation
Keep track of what section you are
validating
• Stage vs Prod
• Merged vs separated
Validate often and log/aler...
Structured deployment using Split ownership
Create
Skeleton
-
Infra
team
Define
Resources
-
DevOps
Execute
-
Security
Applied Governance
Building processes to segment and
encapsulate application packages
Applied Governance deconstructed
Deployment mechanisms for software artifacts
Configuration building blocks
Managing segme...
Deployment Mechanisms for Software Artifacts
Amazon Machine
Images (AMIs)
Docker Image
OS Packages
Amazon EC2
Container Se...
Amazon Machine
Images (AMIs)
Docker Images
OS Packages
Amazon EC2
Container Service
AWS
CloudFormation
AWS CodeDeploy
Soft...
Configuration building blocks
CloudFormation
Template
Task Definition Application
Specification File
(AppSpec file)
…and m...
Managing segmentation and security
dependencies
Why use these configuration building blocks to enforce
security?
• Remove ...
Scaling Trust Decisions
Autonomous security
Does this flow feel familiar
1. Deploy Instance (Chef has it covered, so no worries…)
2. Follow checklist #1 for patches (...
Design time vs run time decisions
Autonomous
Security
Configuration
Resources
EC2::LaunchConfiguration
EC2::Instance
SWF::...
Why do we need these trust decisions?
How can we translate that into our W’s?
• Who [is that instance]?
• What [is it’s configuration]?
• Where [is the instance...
Scaling trust decisions - Allows
Allows Split Ownership
Allows intelligent decisions
• Inspect – Decide – Apply – Validate...
Scaling trust decisions - Do
Use combination of design time and run time decisions
Tie to authentication on-demand for sec...
Push pattern – web server certificate
DB tier Web tier
Secure tier
Presentation tier
AutoScaling Policy
Secure Flow
1. Aut...
Run-time security flow – best practices
Avoid pull patterns
• Requires an available source/path from target system
• Own/c...
Tooling - Triggering
AutoScaling Group
• Use Lifecycle hooks
• Automatic repair of non approved instances
• SNS for integr...
Tooling - Worker
Simple WorkFlow
• Flow engine for Ruby/Java
• Allow synchronous or asynchronous flows
• Deciders/Workers
...
Real-life trust applications
• Agent deployment/validation
• Integration with Configuration Management
(Chef/Puppet)
• Uni...
A little bit extra…
“Continuous Deployment necessitates Continuous Pentesting”
If you work with a company which does pente...
Customer
Environment
Provider
Environment
virtual private cloud
"Pentest as a
Service"
Elastic IP
instance
Elastic Load
Ba...
Dave Walker
davwal@amazon.com
Your feedback
is important to us!
Upcoming SlideShare
Loading in …5
×

of

Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 1 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 2 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 3 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 4 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 5 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 6 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 7 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 8 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 9 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 10 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 11 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 12 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 13 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 14 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 15 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 16 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 17 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 18 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 19 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 20 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 21 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 22 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 23 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 24 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 25 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 26 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 27 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 28 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 29 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 30 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 31 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 32 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 33 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 34 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 35 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 36 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 37 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 38 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 39 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 40 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 41 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 42 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 43 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 44 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 45 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 46 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 47 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 48 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 49 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 50 Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017 Slide 51
Upcoming SlideShare
What to Upload to SlideShare
Next
Download to read offline and view in fullscreen.

6 Likes

Share

Download to read offline

Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017

Download to read offline

AWS serverless architecture components such as Amazon S3, Amazon SQS, Amazon SNS, CloudWatch Logs, DynamoDB, Amazon Kinesis, and Lambda can be tightly constrained in their operation. However, it may still be possible to use some of them to propagate payloads that could be used to exploit vulnerabilities in some consuming endpoints or user-generated code. This session explores techniques for enhancing the security of these services, from assessing and tightening permissions in IAM to integrating further tools and mechanisms for inline and out-of-band payload analysis that are more typically applied to traditional server-based architectures, and generalising these techniques to APIs for all AWS services.

Related Books

Free with a 30 day trial from Scribd

See all

Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017

  1. 1. Integrating Security into DevOps and CI/CD Environments Dave Walker Specialist Solutions Architect, Security and Compliance
  2. 2. DevSecOps Integrating Security with DevOps
  3. 3. What is DevOps? Cultural Philosophy Practices Tools
  4. 4. What is DevOps Breakdown the barriers Work as one team end to end Support business and IT agility Collaboration & Communication Treat Infrastructure as code Automate everything Test, measure & monitor everything Culture Technology
  5. 5. DevOps Walkthrough Guide: http://docs.aws.amazon.com/devops/latest/gsg/welcome.html Featuring: • AWS CodeCommit • AWS CodeDeploy • AWS CodePipeline • AWS Elastic Beanstalk • AWS OpsWorks • AWS CloudFormation • AWS Identity and Access Management
  6. 6. Competing Forces Business Development Operations Build it faster Keep it stable Security Make it secure
  7. 7. What is DevSecOps DevOps = Efficiencies that speed up this lifecycle DevSecOps = Validate building blocks without slowing lifecycle developers customers releasetestbuild plan monitor delivery pipeline feedback loop Software development lifecycle Security
  8. 8. Who is DevSecOps • DevSecOps is • Team/Community, not a person • Automated and autonomous security • Security at scale • DevSecOps role • Not there to audit code • Implement the control segments to validate and audit code and artifacts as part of the CI/CD process Security OperationsDevelopment
  9. 9. Continuous Integration Techniques and tools to improve the process of software delivery, resulting in the ability to rapidly, reliably, and repeatedly push out enhancements and bug fixes to customers at low risk and with minimal manual overhead. Techniques and tools to implement the continuous process of applying quality control; in general, small pieces of effort, applied frequently, to improve the quality of software, and to reduce the time taken to deliver it. Continuous Delivery
  10. 10. CI/CD for DevOps Version Control CI Server Package Builder Deploy Server Commit to Git/masterDev Get / Pull Code AMIs Send Build Report to Dev Stop everything if build failed Distributed Builds Run Tests in parallel Staging Env Test Env Code Config Tests Prod Env Push Config Install Create Repo CloudFormation Templates for Environment Generate
  11. 11. Version Control CI Server Package Builder Promote Process Validate Dev Get / Pull Code AMIs Log for audit Staging Env Test Env Code Config Tests Prod Env Audit/Validate Config Checksum Continuous Scan CI/CD for DevSecOps Send Build Report to Security Stop everything if audit/validation failed CloudFormation Templates for Environment
  12. 12. Promotion Process in Continuous Deployment
  13. 13. What Does DevSecOps CI/CD Give Us? • Confidence that our code is validated against corporate security policies. • Avoid infrastructure/application failure in a later deployment due to different security configuration • Match DevOps pace of innovation • Audit and alert • Security at scale!
  14. 14. Automation – What we heard Automation pain point: AMI building • Triggers: patching, hardening, application bake-in • Never-ending • Time consuming, especially when builds fail • Overhead of maintaining build service
  15. 15. Automation Introducing Automation • Simplified automation solution • Perfect for AMI updates, instance deployment & config • Pro-active event notifications • AWS optimized (EC2 Run Command, AWS Lambda, AWS CloudTrail, IAM, and Amazon CloudWatch integrations)
  16. 16. Automation – Getting Started 1. Create an automation document 2. Run automation 3. Monitor your automation
  17. 17. Automation - Documents Input & output parameters • Create default values, or assign at run-time • Parameter Store integration • System Variables (DATE, DATE_TIME, REGION, EXECUTION_ID) Demo examples Document Parameter Name Default Value sourceAMIid “{{ssm:sourceAMI}}” targetAMIname “patchedAMI-{{global:DATE_TIME}}”
  18. 18. Automation - Documents Automation Steps • Action types: • runInstances, changeInstanceState, createAMI • runCommand, invokeLambdaFunction • Flow control: retries, timeouts, continue/abort Public Automation Documents • AWS-UpdateWindowsAmi • AWS-UpdateLinuxAmi
  19. 19. Automation – IAM Setup 1. Create a Service Role for Automation • Permission for Automation service to operate in your account 2. Attach PassRole policy to user’s account 3. Launch instances with SSM role (AmazonEC2RoleforSSM)
  20. 20. Automation – Monitoring • Amazon CloudWatch Events • Publish notifications to an Amazon SNS topic • Step-level & automation-level notifications
  21. 21. Governance First Infrastructure is code
  22. 22. AWS CloudFormation Primer Allows you to define a “template” which is composed of different “resources” and then provision that template into repeatable, live, “stacks”. CloudFormation (CFn) providing a single service interface and abstracts the underlying API semantics and implementation mechanics. CFn templates can hook into external configuration management frameworks such as Jenkins/Chef/Puppet/etc.
  23. 23. AWS CloudFormation Primer
  24. 24. AWS CloudFormation Stacks JSON Template Stack Stack Stack
  25. 25. CFn for Security Practitioners “Infrastructure is code” • We already know how to manage “code” lifecycle • Let CFn perform state changes and govern who calls CFn Split ownership templates • Merge code from Sec, Dev and Ops • Baseline and build/state management Provides inventory and documentation • Resources are the same, just scaled Integrate with Service Catalog • Provides UI • Use constraints (example: tags)
  26. 26. Traditional Structured Deployment Create Skeleton Define Resources Execute
  27. 27. Split Ownership Configurations Who knows your solution best? • Dev, Infra, Sec…? • Delegate ownership Use Yaml and split file into chunks or functions • Separate file sources with access control – Use IAM/VPC-E/etc. • Push files -> Validate -> Merge files -> Validate -> Deploy -> Validate Jenkins for deployment • Promotion flows • Move from manual to Automation based on validation quality • Excellent for merging jobs of split configurations
  28. 28. Merging From single file or multiple files • Maintain access control using policies • Use different source stores if needed Based on function/state Reusable patterns Maintain order, especially of validation • Security validation last to execute • Security should always win
  29. 29. Validation Keep track of what section you are validating • Stage vs Prod • Merged vs separated Validate often and log/alert • Validate part and end result • Run-time validation Use external agents • AWS Simple Work Flow • AWS Lambda • Etc.
  30. 30. Structured deployment using Split ownership Create Skeleton - Infra team Define Resources - DevOps Execute - Security
  31. 31. Applied Governance Building processes to segment and encapsulate application packages
  32. 32. Applied Governance deconstructed Deployment mechanisms for software artifacts Configuration building blocks Managing segmentation and security dependencies …and a real scenario to wrap this all together.
  33. 33. Deployment Mechanisms for Software Artifacts Amazon Machine Images (AMIs) Docker Image OS Packages Amazon EC2 Container Service AWS CloudFormation AWS CodeDeploy
  34. 34. Amazon Machine Images (AMIs) Docker Images OS Packages Amazon EC2 Container Service AWS CloudFormation AWS CodeDeploy Software Artifacts Deployment Services Deployment Mechanisms for Software Artifacts
  35. 35. Configuration building blocks CloudFormation Template Task Definition Application Specification File (AppSpec file) …and more.
  36. 36. Managing segmentation and security dependencies Why use these configuration building blocks to enforce security? • Remove accidental conflicts • Make security processes continuous and automatic • Encapsulate software artifacts and implement controls one level up • Control changes to these mechanisms via IAM
  37. 37. Scaling Trust Decisions Autonomous security
  38. 38. Does this flow feel familiar 1. Deploy Instance (Chef has it covered, so no worries…) 2. Follow checklist #1 for patches (Oops…New patches arrived…need to update Chef) 3. Follow latest security list (Sec team don’t have access to Chef yet…) 4. Put in production 5. SecOps called…they have a new list (Bother…) 6. Pull from production 7. Rinse and repeat
  39. 39. Design time vs run time decisions Autonomous Security Configuration Resources EC2::LaunchConfiguration EC2::Instance SWF::FlowFramework
  40. 40. Why do we need these trust decisions?
  41. 41. How can we translate that into our W’s? • Who [is that instance]? • What [is it’s configuration]? • Where [is the instance provisioned]? • When [was it launched]? • Why [is this instance alive]? Thought experiment: what is the root of trust for your Amazon EC2 instances?
  42. 42. Scaling trust decisions - Allows Allows Split Ownership Allows intelligent decisions • Inspect – Decide – Apply – Validate – Action - Log Forced • Comply or be destroyed Security inventory for audits at scale • Gather information from multiple sources • Host based • EC2 service • Created artifacts Unique per resource action and information • Keys/Certificates
  43. 43. Scaling trust decisions - Do Use combination of design time and run time decisions Tie to authentication on-demand for secure access of automated processes Combine with Continuous scanning • Code artifacts • Resources (AWS Config) Don’t mistake run time decisions with post deployment • Run-time happen at creation but before being made available
  44. 44. Push pattern – web server certificate DB tier Web tier Secure tier Presentation tier AutoScaling Policy Secure Flow 1. AutoScaling policy triggers • Hook Pending:Wait 2. Flow 1. Create certificate *Unique* 2. Start web service • Certificate in memory only 3. Delete certificate from disk 4. Install AWS CloudWatch Logs 5. Create SSH_RSA key *Unique* 6. Replace SSH_RSA key *Unique* 3. Validation 1. Check CW Logs API 2. Run WGET 4. Logging 1. Log information/state in DynamoDB (IAM!) 5. Continue/terminate instance/hook 1. Instance InService/terminated RDS ELB DynamoDB CloudTrail CloudWatch Instance have no knowledge on process or about the secure flow No need for: - Third party software - Expensive licensing - Magical fairy dust All using AWS services
  45. 45. Run-time security flow – best practices Avoid pull patterns • Requires an available source/path from target system • Own/compromise the target and you own the access process Push ensures only outgoing traffic • Instances have no path back to source • Instances have no knowledge of the process/flow Ephemeral/on-demand scripting on target • Store in memory • Create scripts on target on-demand at execution time • Temporary credentials for first run Keep source store on-instance (worker node) or S3 using dedicated VPC with VPC-Endpoint for S3 policy
  46. 46. Tooling - Triggering AutoScaling Group • Use Lifecycle hooks • Automatic repair of non approved instances • SNS for integration with Workers/Lambda • Use least privileges on AutoScaling Groupd instances • Use IAM Instance Roles • Unique credentials per instance
  47. 47. Tooling - Worker Simple WorkFlow • Flow engine for Ruby/Java • Allow synchronous or asynchronous flows • Deciders/Workers • EC2 or Lambda • Can be integrated into Elastic Beanstalk • Use internal or external source for validation tasks/tests • Checksum files before use • Use Lambda/Elastic Beanstalk workers
  48. 48. Real-life trust applications • Agent deployment/validation • Integration with Configuration Management (Chef/Puppet) • Unique per-instance configuration • Cross-instance network authentication • Joining an Active Directory Ask yourself what makes this instance trustworthy for any of the above and how can I scale that trust?
  49. 49. A little bit extra… “Continuous Deployment necessitates Continuous Pentesting” If you work with a company which does pentesting on demand, I’m interested in having a chat with them…
  50. 50. Customer Environment Provider Environment virtual private cloud "Pentest as a Service" Elastic IP instance Elastic Load Balancing AWS CodeCommit virtual private cloud Amazon API Gateway Amazon SQS Amazon DynamoDB AWS Lambda bucket AWS CodePipeline AWS CodeDeploy AWS Lambda instance Internet gateway Internet gateway AMI AWS Lambda Amazon Inspector (1) (2) (3) (4) instances (5) (6) (7) (8) (9) (10) (11) (12) (13) (14)(15)
  51. 51. Dave Walker davwal@amazon.com Your feedback is important to us!
  • KurtLizzy

    Apr. 10, 2019
  • GeorgeKlifov

    Aug. 7, 2017
  • gunterollmann

    Aug. 6, 2017
  • AlokPrabhat

    Aug. 6, 2017
  • capitolhilljack

    May. 10, 2017
  • DominiqueQue

    Apr. 17, 2017

AWS serverless architecture components such as Amazon S3, Amazon SQS, Amazon SNS, CloudWatch Logs, DynamoDB, Amazon Kinesis, and Lambda can be tightly constrained in their operation. However, it may still be possible to use some of them to propagate payloads that could be used to exploit vulnerabilities in some consuming endpoints or user-generated code. This session explores techniques for enhancing the security of these services, from assessing and tightening permissions in IAM to integrating further tools and mechanisms for inline and out-of-band payload analysis that are more typically applied to traditional server-based architectures, and generalising these techniques to APIs for all AWS services.

Views

Total views

2,812

On Slideshare

0

From embeds

0

Number of embeds

4

Actions

Downloads

193

Shares

0

Comments

0

Likes

6

×