
Safeguard the Integrity of Your Code for Fast and Secure Deployments (DEV349-R2) - AWS re:Invent 2018


As companies employ DevOps practices to push applications faster into production through better collaboration and automated testing, security is often seen as an inhibitor to speed. The challenge for many organizations is getting applications delivered at a fast pace while embedding security at the speed of DevOps. In this session, learn how AWS Marketplace products and customers help make DevSecOps a well-orchestrated methodology to ensure the speed, stability, and security of your applications.



  1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
     Safeguard the Integrity of Your Code for Fast and Secure Deployments (DEV349)
     Brad Shelton, Senior Cloud Engineer, GDIT
     Marta Whiteaker, Head of EMEA Marketplace, AWS
     Matt Girdharry, Marketplace DevSecOps, AWS
     Zach Schmitt, Senior Cloud Engineer, GDIT
  2. What this is…
     • An intro to AWS Marketplace
     • Describe our view on DevSecOps, and why we’re focusing on a very specific piece of it today
     • Showcase our customer: transforming the philosophy to practice (hopefully with some positive impacts)
  3. What this isn’t…
     • A deep dive on the Marketplace. That’s somewhere else!
     • A guide to perfecting DevOps or Security. That would be hard.
     • A focus on AWS services in this space. We are interested primarily in how customers are using 3rd party technologies.
  4. (Image-only slide; no text.)
  5. AWS Marketplace: a curated digital software catalog that helps you find, buy, test, and deploy software
     • Quick: Get the software you need in minutes with just a few clicks, or use the 1-Click deployment option. Software in AWS Marketplace is ready to run on AWS.
     • Pay-as-you-go: Only pay for what you use through various payment options, and receive discounts on longer or custom terms. All charges from AWS Marketplace are consolidated into one bill from AWS.
     • Verified: All software in AWS Marketplace is continuously scanned to ensure reliability.
  6. Customize the way you provision software
     • Find, from a breadth of categories: Networking, Security, Storage, DevOps, Database, Operating Systems, BI & Big Data, Security Information and Event Management (SIEM)
     • Buy, through flexible pricing options: Free trial, Pay-as-you-go, Hourly, Monthly, Annual and Multi-Year, Bring Your Own License (BYOL), Seller Private Offers
     • Deploy, with multiple deployment options: Amazon Machine Image (AMI), SaaS, API, AWS CloudFormation Template
  7. A growing digital software catalog
     • Deploy software on demand
     • 1,300+ ISVs
     • Over 4,200 product listings
     • 200,000 active customers
     • Over 650 million hours of Amazon EC2 deployed monthly
     • Deployed in 16 regions
     • Offers 35 categories
     • Flexible consumption and contract models
     • Easy and secure deployment, almost instantly
     • One consolidated bill
     • Always evolving
  8. Public cloud trends are accelerating. By 2021…
     • 94% of cloud workloads and instances will be processed by cloud data centers
     • 73% of cloud workloads will be in public cloud (27.5% CAGR from 2016 to 2021)
     • 75% of cloud workloads will be Software-as-a-Service (SaaS)
  9. Transforming your portfolio: the 5/50/500 model (~15–18% of the IT budget is software)
     • The mega 5 software vendors, which represent ~50% of IT software spend
     • Top 50 vendors critical to the journey to the cloud and future direction of a company
     • The long tail of 500+ vendors
     Figure text (layout lost): Microsoft and Oracle; managed by; SAP on AWS and VMware on AWS; IBM or SFDC
  10. 8 popular categories most often provisioned: Operating systems, SIEM, Storage, BI, Database, DevOps, Networking, Security
  11. Why AWS Marketplace?
     • Grow your customer base: leverage a powerful and growing cloud offering to expand your customer base
     • Improve efficiency and profitability: faster sales cycles and efficient provisioning can lead to higher overall profitability
     • Sell the way your customers want to buy: streamline software procurement and offer flexible pricing models
  12. Why AWS Marketplace for Security?
  13. GDIT: Making the abstract concrete
  14. Speed! Collaboration! Automation! Waterfall → Agile → DevOps
  15. Solving for the problem: Automation × {Dev + Infra} = DevOps
  16. Speed from Automation!
     • Computers managing other computers
     • Software that can be set to discover, manage, monitor and fix other software
     • Something that removes humans – and human error – from the equation
     Figure (breadth vs. depth, up to 100%): Containerized applications + Security; Traditional applications + Security; Application services + Security; Cloud infrastructure + Security; Traditional infrastructure + Security
  17. Automated Remediation: The Future is Now! https://arxiv.org/pdf/1810.05806.pdf
  18. Speed vs. Stability and Security vs. Compliance
  19. Nirvana
  20. Solving for the problem: {Speed} + {Stability} = DevOps; {Speed, Stability} + {Security, Compliance} = DevSecOps
  21. Agility (DevOps) versus Security. Quadrants of High-Performing DevOps (No/Yes) against Automated Security + Compliance (No/Yes):
     • High-performing DevOps, no automated security: software delivered quickly but with bad security features.
     • High-performing DevOps with automated security: software quickly iterated; security is not an inhibitor.
     • Neither: you don’t want to be here. You really don’t.
     • Automated security without high-performing DevOps: slow delivery, well-armored applications.
  22. But… automation in real life can be different from what’s advertised by all of us automation enthusiasts
  23. Automation (diagram of interlocking gears)
  24. Security of the CI/CD pipeline… IAM, WAF, Logging & Monitoring, Visibility, APM, etc.
  25. Versus security/compliance of the code in the pipeline. Security and compliance activities by CI/CD stage, with Continuous Compliance spanning all stages:
     • Pre-Commit: Threat modeling; Initial SAST inside IDE; Code review
     • Commit (“Break the build”): Compile/build checks; SCA; Container security; Additional SAST; Unit test
     • Acceptance: Secure infra build; Functional/integration testing; SCA; DAST; Unit test; Security attacks; Deep SAST; Fuzzing, Pen Tests
     • Deploy: Provision runtime environment; Config management; RASP
  26. Making DevOps Sec-sy
  27. Empower developers to treat security defects as functional defects: like errors in code, something that can be fixed early on in the process to prevent really bad downstream impacts
  28. Similar for compliant/safe infrastructure… Automate the security and compliance of your infrastructure as code
  29. Speed²!
     • Dev: Application code → CI/CD → accelerate into prod
     • Ops: “Infrastructure as code” → CI/CD → accelerate into prod
     • Sec/Comp: “Security + Compliance as code” → CI/CD → accelerate into prod
  30. How is GDIT automating security and compliance early in the process, before code gets into production?
  31. General Dynamics – IT / Geo-Spatial Intelligence Division
  32. Where our journey began: our initial discovery
     • Limited visibility
       - Nodes in accounts & intended utilization
       - Verification of configurations
     • Lengthy Authorized to Operate (ATO) process
     • No scalability
     • Auditing of environments proved difficult
  33. Why fix it?
     • Legacy processes delay the production deployment of warfighter-supporting applications
     • Enable security teams to increase efficiency and consistency in compliance, continuous monitoring, and remediation
     • Give security teams positive control over the environment
  34. Developing an enterprise solution… Requirements
     • Insight across the enterprise
     • Configuration management & validation
     • Improving time to ATO completion
     • Scalable & consistent
     • Continuous monitoring in near real-time
     • Rapid mitigation of zero-days
  35. Key Components
     1) InSpec & Chef Client
     2) Chef Automate
     3) Habitat
     4) CI/CD Pipelines
  36. InSpec & Chef Client
     • InSpec: local system service that enables the system to run compliance profiles
     • Chef Client: local system service that allows for system configuration and mitigation
  37. Continuous Compliance with InSpec
  38. Appeals to multiple teams
  39. Introducing InSpec. InSpec helps express security & compliance requirements as code and incorporate it directly into the delivery process. Requirement: “Systems shall have a Mandatory Access Control system installed and enabled.”

        control "ensure_selinux_installed" do
          title "Ensure SELinux is installed"
          desc "SELinux provides Mandatory Access Control"
          impact 1.0
          describe package("libselinux") do
            it { should be_installed }
          end
        end
  40. Compliance for Application-Level Resources
     • Docker container/image/service
     • Nginx, Apache, IIS configuration
     • System packages
     • PostgreSQL, Oracle, MySQL database configuration
     • XML configuration elements using XPath
  41. Chef Client
     • Utilizes cookbooks and recipes to implement desired-state configuration in a repeatable and consistent manner
     • Enables the mitigation of failures that are reported in Chef Automate from the InSpec results
     • Provides the ability to implement zero-day fixes or configuration changes
  42. Chef Automate
     • Single source for configuration management and compliance reports
     • Provides notifications for results
     • Provides an audit trail of changes to configuration management and compliance
  43. Continuous Compliance with Chef Automate
     • Real-time enterprise fleet compliance dashboard
     • 125+ built-in baselines for standard compliance frameworks
     • Compliance report generation and sharing/exporting
  44. Cloud Configuration Verification. Write compliance policies for all aspects of cloud configuration:
     • Virtual machines
     • Security groups
     • Block storage security policies
     • Networking
     • Identity and access management
     • Log management
  45. Example: InSpec AWS S3 Bucket Policy

        describe aws_s3_bucket(bucket_name: 'my_secret_files') do
          it { should exist }
          it { should_not be_public }
          it { should have_access_logging_enabled }
        end
  46. Habitat: Application Automation & Service Manager
  47. Utilizing Habitat
     • All of the traditional problems are a result of this pattern: building up from the operating system (OS → Libraries → Application)
     • The entire triangle becomes the artifact you carry around with you now and in the future (including sometimes the VM and the server!)
     • Habitat builds from the application down (Application → Libraries)
     • Embedded supervisor as standard management interface
     • Builds have strict dependency control
  48. CI/CD Pipeline: tools and methods used for automating our enterprise services
  49. Base AMI CI/CD Pipeline
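As an added example (not from the slides, and not GDIT’s or Chef’s code) of the “break the build” step from slide 25 applied to InSpec results like those on slides 39 and 45, and wired into a CI/CD pipeline as on slides 48 and 49: a Ruby script that reads an InSpec JSON-reporter file and refuses to let the pipeline continue when any control at or above a chosen impact threshold failed. The report layout follows InSpec’s json reporter (profiles → controls → results); the embedded sample report is constructed here, and the control ids in it (ensure_selinux_enforcing, motd_banner, docker_only) are made up for the illustration.

```ruby
# Added example, not part of the deck or of Chef/GDIT tooling: a CI gate over
# an InSpec JSON report. Run with the path to a report produced by
# `inspec exec <profile> --reporter json:report.json`, or with no argument to
# use the constructed sample report below.
require 'json'

# InSpec's own severity bands for a control's "impact" value.
def severity(impact)
  return 'critical' if impact >= 0.7
  return 'major'    if impact >= 0.4
  'minor'
end

# Collapse a control's individual test results into one status:
# any failed result fails the control; a control whose results are all
# skipped (or that has none) counts as skipped, not as passed.
def control_status(control)
  statuses = control.fetch('results', []).map { |r| r['status'] }
  return 'failed'  if statuses.include?('failed')
  return 'skipped' if statuses.empty? || statuses.all? { |s| s == 'skipped' }
  'passed'
end

# One row per control, across all profiles in the report. Returned as data so
# the caller can act on it rather than scrape printed output.
def summarize_report(report_json)
  report = JSON.parse(report_json)
  report.fetch('profiles').flat_map do |profile|
    profile.fetch('controls').map do |c|
      impact = c.fetch('impact', 0.0).to_f
      failed = c.fetch('results', []).select { |r| r['status'] == 'failed' }
      {
        profile:  profile['name'],
        id:       c['id'],
        title:    c['title'],
        impact:   impact,
        severity: severity(impact),
        status:   control_status(c),
        messages: failed.map { |r| r['message'].to_s.strip }
      }
    end
  end
end

# The gate itself: returns [exit_code, blocking_controls]. Only failed controls
# whose impact is at or above min_impact block the build; lower-impact failures
# are reported but do not stop the pipeline.
def gate(report_json, min_impact: 0.7)
  blocking = summarize_report(report_json).select do |c|
    c[:status] == 'failed' && c[:impact] >= min_impact
  end
  [blocking.empty? ? 0 : 1, blocking]
end

# Constructed sample report in InSpec json-reporter shape (not real output).
SAMPLE_REPORT = JSON.generate(
  'version' => '3.0.0',
  'profiles' => [
    { 'name' => 'base-ami-hardening',
      'controls' => [
        { 'id' => 'ensure_selinux_installed', 'title' => 'Ensure SELinux is installed', 'impact' => 1.0,
          'results' => [{ 'status' => 'passed', 'code_desc' => 'System Package libselinux should be installed' }] },
        { 'id' => 'ensure_selinux_enforcing', 'title' => 'Ensure SELinux is enforcing', 'impact' => 1.0,
          'results' => [{ 'status' => 'failed', 'code_desc' => 'Command getenforce stdout should match /Enforcing/',
                          'message' => 'expected "Permissive" to match /Enforcing/' }] },
        { 'id' => 'motd_banner', 'title' => 'Login banner configured', 'impact' => 0.3,
          'results' => [{ 'status' => 'failed', 'code_desc' => 'File /etc/motd should exist',
                          'message' => 'expected File /etc/motd to exist' }] },
        { 'id' => 'docker_only', 'title' => 'Docker daemon hardened', 'impact' => 0.8,
          'results' => [{ 'status' => 'skipped', 'code_desc' => 'Docker not present',
                          'skip_message' => 'docker not installed' }] }
      ] }
  ]
)

if __FILE__ == $PROGRAM_NAME
  json = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT
  summarize_report(json).each do |c|
    puts format('%-8s %-9s %-4.1f %s (%s)', c[:status], c[:severity], c[:impact], c[:id], c[:profile])
  end
  code, blocking = gate(json)
  blocking.each { |c| puts "BLOCKING: #{c[:id]} - #{c[:messages].join('; ')}" }
  puts(code.zero? ? 'Gate passed' : "Gate failed: #{blocking.size} critical control(s)")
end
```

In a pipeline step the script’s return value from `gate` is what the build system keys on; a wrapper would call `exit(code)` so a failed critical control (here the constructed `ensure_selinux_enforcing`, which is the “enabled” half of the requirement on slide 39) stops the deploy, while the minor `motd_banner` failure and the skipped Docker control are only reported. Lowering `min_impact` tightens the gate without changing the report.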
  50. Our Key Benefits
     • Maintain a real-time view of enterprise status
     • Positive control on the environment
     • Detect security issues before they reach production
     • Reduce risk and vulnerabilities
     • Highly scalable
     • Significantly reducing time to ATO
  51. (Image-only slide; no text.)
  52. Thank you! Brad & Zach, Sr. Cloud Engineers, GDIT; Marta & Matt, AWS Marketplace
  53. (Image-only slide; no text.)
