Three things:
- Cultural philosophy on how changes and deployments are handled within the organization
- Practices around this
- What tools you have/use/develop to perform this
Developers are paid to change things, i.e. write code. Ops folks are paid to NOT change things and keep things stable.
Adding security to the mix, we can say that security is paid to make sure that what development is doing is not introducing insecurity that ops will then make public.
The perimeter is no longer an option… Security, now more than ever, is an arms race…
The only way to win:
- Customer focus
- Open and transparent
- Iteration over perfection
- Hunting over reaction
Doesn’t matter if you need to run it one time or 1000 times…
Don’t worry…we still need humans, just focus
Let's look at a software development lifecycle:
- here's the general development lifecycle for an application or service
- every new feature or bug fix goes through this process
- developer writes code, code is built and unit tested, app is deployed to a testing environment for deeper testing, finally given a thumbs up and deployed to production where customers can use it
- after that happens, the company can collect feedback from customers, make decisions, and continue to iterate and improve the product
- the faster you can complete that loop, the faster you can innovate
Where does security come in here? It's important to understand that we cannot implement one point of presence. We need to integrate with the flow of events in order to be agile and elastic and not be a blocker for the pace of innovation.
Example of a CI/CD flow
Looking at the same flow using our secret DevSec goggles we see a different picture
We need to inject ourselves in all parts and sections of the flow
Highlight the promotion process and manual vs automated process as a segue to the next slide
Mention git-secrets to look for keys on commits
One of the key components in this is treating your infrastructure as code.
You may want to stage that application stack through Dev/Test/Prod. You may want to have a stripped down version of the stack for demo purposes. You may want to have the stack in multiple regions. You may want to package the configuration and ship it to a customer. You can also version control the template you have carefully designed. Templatization and replication are useful in other scenarios as well. If you want everyone in your company to use a standard VPC configuration, you can capture the standard configuration in a CloudFormation template and have everyone use it. If you have an IT service catalog that needs to stamp out copies of services to multiple users, you can use CloudFormation as a building block.
Poll: Who knows what YAML stands for (YAML Ain't Markup Language)
Important to validate post merging to get the correct build/State
Notice I mentioned Validate…it’s important!
If security fails, the flow fails
Keeping track of the target is important when working on checked-in resources through, for example, Jenkins jobs. Validating the wrong file/state can cause instant failures or insecure deployments
We will show more on Run-time validation shortly…
The script validates that all of the IP addresses within the CloudFormation (CFn) template are from the corporate CIDR block
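The check described above, as an added example (not the script shown in the talk): a Python validator that walks a JSON CloudFormation template and reports every CidrIp/CidrIpv6 value outside the corporate block, exiting non-zero so the pipeline stage fails. The 10.0.0.0/8 range, the sample template and the function names are assumptions made for illustration.

```python
import ipaddress
import json
import sys
# Assumption: corporate range; substitute your organization's CIDR block.
CORPORATE_CIDR = ipaddress.ip_network("10.0.0.0/8")
# Constructed sample template, not taken from the talk.
SAMPLE_TEMPLATE = """{"Resources": {"WebSG": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {"GroupDescription": "constructed sample", "SecurityGroupIngress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.20.0.0/16"},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": {"Ref": "AdminCidr"}}
  ]}}}}"""

def iter_cidrs(node, path="$"):
    """Yield (path, value) for every CidrIp/CidrIpv6 property in the template."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in ("CidrIp", "CidrIpv6"):
                yield child, value
            else:
                yield from iter_cidrs(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_cidrs(item, f"{path}[{i}]")

def find_violations(template_text, allowed=CORPORATE_CIDR):
    """Return (path, value, reason) for each CIDR outside the allowed block."""
    violations = []
    for path, value in iter_cidrs(json.loads(template_text)):
        if not isinstance(value, str):
            # Ref/Fn::* cannot be resolved statically, so fail closed.
            violations.append((path, value, "unresolved intrinsic"))
            continue
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            violations.append((path, value, "not a valid CIDR"))
            continue
        if net.version != allowed.version or not net.subnet_of(allowed):
            violations.append((path, value, "outside corporate CIDR"))
    return violations

if __name__ == "__main__":
    found = find_violations(SAMPLE_TEMPLATE)
    for path, value, reason in found:
        print(f"FAIL {path}: {value!r} ({reason})")
    sys.exit(1 if found else 0)  # non-zero exit fails the pipeline stage
```

Values supplied through Ref or other intrinsic functions are reported rather than skipped, because a static check cannot see what they resolve to at deploy time.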
Where this becomes really important is when you look at the actual components and what you can do in terms of securing and validating the workload.
- CFN - Explain CloudFormation template and how you can use it to enforce certain AMIs, network config, SG, etc.
- ECS - Explain Task Definition and how this allows you to enforce port mappings, CPU/RAM usage, etc.
- CodeDeploy - Explain AppSpec.yml and how you can run validation scripts and fail deployment if they fail; define what software to install and what lifecycle hooks to take action upon
In general, you have a software artifact that you can deploy with an AWS service, and these services can be configured to enforce your security processes. Validation is key!
Task Definition:
- Which Docker images to use with the containers in your task
- How much CPU and memory to use with each container
- Whether containers are linked together in a task
- What (if any) ports from the container are mapped to the host container instance
- Whether the task should continue to run if the container finishes or fails
- The command the container should run when it is started
- What (if any) environment variables should be passed to the container when it starts
- Any data volumes that should be used with the containers in the task
!30s slide! Make new slide for best practices if needed
We are not going to focus on the tools, but here is a quick roundup. The pen is mightier than the sword…but Lambda is running circles around that pen...
Config Rules are only in us-east-1 at the moment. Region specific; IAM = us-east-1
Priced based on number of active rules per month
$2.00 per active rule per month, with an account-level allowance of 20,000 evaluations per active rule. Overage of $0.0001 per evaluation.
- Evaluation: Single result reported for the rule/resource. Evaluations are shared across rules in the account.
- Active Rule: Rule with at least one evaluation that month
- Customer Managed Rules may incur additional charges from AWS Lambda
Why is this important (logging)
First step for any new function…Introducing…the dump function. Easy, just tie to the trigger and dump