
Security Validation through Continuous Delivery at Verizon - DEV403 - re:Invent 2017

In this session, Verizon and Stelligent demonstrate techniques and approaches on how to validate your security infrastructure during the development process through Continuous Security, and keep it that way through AWS Lambda auto-remediation. Verizon and Stelligent present a hands-on demo of these techniques, and a deep dive into the code that enables these technologies.


  1. Security Validation through Continuous Delivery at Verizon
     Chris Durand, Director of Cloud Security Integration Services, Verizon
     Chuck Dudley, VP of Services, Stelligent
     Matthew Dwyer, AWS Professional Services
     December 1, 2017, DEV403, AWS re:INVENT
     © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. What to Expect from This Session
     • How AWS Professional Services approaches security engagements
     • Verizon's journey to AWS and their strategic plan for scaling security
     • Understanding Continuous Security and how it fits into a DevOps approach
     • Deep dive into security static analysis of CloudFormation templates and developing custom rules
     • Automated certification of CloudFormation stacks
     • Security as an automated gate to production
  3. The AWS Professional Services Security Perspective
  4. AWS Security Perspective
     Every company is concerned with protecting information and assets as they grow the business. They also want to ensure they are operating within the legal boundaries and standards set by and on behalf of governmental agencies and industry associations. Security Perspective components provide guidance that enables a comprehensive and rigorous method of describing a structure and behavior for an organization's security and compliance processes, systems and personnel.
     Security Perspective: Directive, Preventative, Detective, Responsive
  5. Outcome Focused
     • Build core foundations backed by continuous improvement of operations
     • Identify and document use and misuse cases that will drive implementation
     • Clear implementation plan through sprints
     • Implement AWS-native security services at an accelerated pace
  6. Security Approach
     Devise an iterative plan to rapidly transition from building core foundations to establishing maturity in the cloud.
     ✓ Core 5 Security Epics: IAM; Logging and Monitoring; Infrastructure Security; Data Protection; Incident Response
     ✓ Augmenting the Core 5: Resilience; Compliance validation; DevSecOps; Configuration and vulnerability analysis; Security big data and predictive analytics
  7. Sample Security Epics Team
     Build one or more security epics delivery teams with AWS security consultants, then run a series of security sprints to secure the customer's cloud journey.
     Team: AWS Security Consultant; Customer's IAM Engineer; Customer's Infra Security Engineer; Customer's Data Protection Engineer; Customer's IR Engineer; Customer's Logging and Monitoring Engineer
  8. Delivery Team – Increased Velocity
     Identity and Access Management; Logging and Monitoring; Infrastructure Security; Data Protection; Incident Response
     Run multiple security delivery teams in parallel to increase agility and velocity.
  9. Outcomes
     • Enabled cloud security teams with AWS-native security operations and deployment skills
     • Core security and compliance control and capability
     • Culture of security ownership and continuous improvement of security operations
  10. Verizon's Journey to the AWS Cloud
  11. Who We Are
     We are Verizon.
     • Verizon delivers the promise of the digital world.
     • Fortune 500 rank: #14
     • $31.7 B in third-quarter revenue (2017)
     • 160,100 employees
     Wireless leadership: LTE covers more than 98% of U.S. population; 115.3 M retail connections; LTE Advanced covers 470 markets
     Largest all-fiber Fios network: 5.8 M Fios internet and 4.6 M Fios video connections; Fios Gigabit downloads as fast as 940 Mbps and uploads as fast as 880 Mbps
     Global IP network: 99% of Fortune 500 customers
     Media and technology: Innovating in entertainment, digital media, the Internet of Things and broadband service
  12. Our Cloud Journey
     Fundamentals:
     • Migrate all applications into AWS securely
     • Cloud deployment requires full automation
     • Security will enable cloud adoption through automation
     • Compliance monitoring is not enough
  13. The Journey
     • Beginning in December 2015
     • Start with Non Production
     • Baseline Structure:
       - Line of Business Account Approach
       - Shared Service Accounts for Support
     • No Live Data!
  14. The Approach
     Epics: Logging and Monitoring; Identity and Access Mgmt; Infra/VPC Security; Data Protection; Vulnerability Analysis; Incident Response; Compliance Validation; CICD Security
     • Formalize a team
     • Agile based
     • Leverage key partnerships
     • Use existing tools/processes where it makes sense
     • Log everything
     • Full automation
     • Build DevSecOps
  15. Requirements
     ✓ Onboarding Guidelines
     ✓ Risk Based
     ✓ Preventative Controls
     ✓ Continuous Monitoring
     ✓ Auto-Remediation
     ✓ Skillsets and Training
     • Consistent and Current Documentation: usage policies and onboarding documentation
     • Prevent Compliance Issues: DevSecOps pipeline
     • Risk Based Approach: prioritize remediation efforts based on risk
     • Automated Remediation Capability: enforce compliance to key controls
     • Comprehensive Monitoring: identify compliance infractions in near real-time
     • Team of Automation Engineers: security turns to code and coding
  16. Security through Automation
     Automated Security Solutions
     ✓ Self-service IAM roles and AWS KMS keys
     ✓ Static AWS CloudFormation scanning
     ✓ Dynamic infrastructure compliance check
     ✓ Auto-remediation:
       - Security group rules
       - Encryption (Amazon S3, Amazon RDS, Amazon EBS, etc.)
     ✓ Self-remediation encryption tools
     ✓ Risk-assessment monitoring:
       - Logging-compliance monitoring
       - Bucket-policy compliance
       - IAM policy risks
     (Service icons: Amazon CloudWatch, AWS Lambda, Amazon EC2)
  17. Constraints and Challenges
     • Scale
     • Governance
     • Diversity of Applications
     • Culture
     • Automation
  18. Partnerships
     • AWS ProServ resources assigned to epics
     • Stelligent assigned to DevOps and IAM
  19. DevOps and Security
     Security as a first-class citizen of the DevOps pipeline
  20. Development / Security / Operations (diagram)
  22. What Is DevOps?
     Development, Operations, Through QA, Security, Governance (diagram)
  23. Release Process… The Old Way
     Release (diagram built up over slides 23–26)
  27. Release Process… With DevOps and Continuous Delivery
     Release? Release?
  28. Release Security… The Old Way (diagram built up over slides 28–30)
  31. Release Process… With DevOps and Continuous Security
     Release? Release?
  32. Security OF and IN the Pipeline
     Security as a first-class citizen of the DevOps pipeline
  33. Security OF the Pipeline
     • Your code IS your AWS environment
     • Therefore security starts with source control
     • Access, authorization and isolation are even more important with infrastructure code
     • Hardening the pipeline is essential
  34. Hardening the Pipeline
     • Managed services (AWS CodePipeline) are preferred
     • If your organization requires it, you may need to manage your own pipeline infrastructure
     • Authorization and access are critical
     • Isolation to prevent cross-contamination
     • Least privilege is very important in the pipeline
  35. Security IN the Pipeline
     • Security as a gate function doesn't scale
     • Fast feedback loops provide speed and confidence in software development, so use the same techniques when developing infrastructure code
     • Pulling the security validation forward in the pipeline produces more secure code more quickly AND more security-aware developers
  36. The Stelligent Pipeline
     Stages: Commit, Acceptance, Capacity, Pre-Prod, Preproduction
  37. The Commit Stage
     GOAL: Fast feedback for developers
     Pipeline Actions:
     1. Unit Tests
     2. Static Code Analysis
     Security Tests:
     1. Security static analysis of application code
     2. Security static analysis of infrastructure code
  38. Static Analysis (Commit Stage)
     • Typically runs fast and can give developers good feedback long before the security team can
     • Makes predictions based upon understanding of code before deploying resources
     • Can't be the sole security analysis, because it's only predictive
  39. cfn_nag Usage
     • Scan CloudFormation template for obvious security shortcomings:
       - IAM wildcard actions, principals, resources
       - Security groups or port ranges open to the world
       - Encryption not enabled (EBS volumes)
       - Access logging not enabled (ELBs, buckets)
     • Scan occurs BEFORE create-stack
     • Stop the pipeline on failing violations, notify on warnings
  40. cfn-nag – Rule Development
     • Each rule has:
       - A unique identifier
       - A description for found violations
       - An indicator of whether it is a failure or a warning
     • Typical logic for a rule:
       - Select all AWS resources of a certain type (e.g. AWS::IAM::ManagedPolicy)
       - Interrogate each resource for a security anti-pattern
       - Record the logical resource identifiers for violating resources
  41. cfn-nag – Rule Example

     require 'cfn-nag/violation'
     require_relative 'base'

     class IamManagedPolicyWildcardActionRule < BaseRule
       # Description reported for each violation found
       def rule_text
         'IAM managed policy should not allow * action'
       end

       # Failing violation: stops the pipeline (a warning would only notify)
       def rule_type
         Violation::FAILING_VIOLATION
       end

       # Unique identifier of the rule
       def rule_id
         'F5'
       end

       # Select every managed policy, keep those whose policy document allows
       # the "*" action, and return their logical resource ids
       def audit_impl(cfn_model)
         violating_policies = cfn_model.resources_by_type('AWS::IAM::ManagedPolicy').select do |policy|
           !policy.policy_document.wildcard_allowed_actions.empty?
         end
         violating_policies.map { |policy| policy.logical_resource_id }
       end
     end
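To show the rule logic from slides 40 and 41 end to end without the cfn-nag gem installed, here is an added, self-contained re-implementation (example code, not cfn-nag's own): a minimal template model, the same rule shape, a runner that produces cfn-nag-style result records, and the failing-versus-warning decision from slide 39. `CfnModel`, `audit_template`, `pipeline_should_stop?` and the sample template are assumptions made for this illustration.

```ruby
require 'json'

# Added example, not cfn-nag's own code. CfnModel, audit_template,
# pipeline_should_stop? and SAMPLE_TEMPLATE are constructed for this illustration;
# the real gem parses templates and policy documents for you.

# Minimal stand-in for cfn-nag's cfn_model: parses a JSON template and lets a rule
# select all resources of one type (step 1 of the typical rule logic).
class CfnModel
  Resource = Struct.new(:logical_resource_id, :type, :properties)

  def initialize(template_json)
    resources = JSON.parse(template_json).fetch('Resources', {})
    @resources = resources.map do |logical_id, body|
      Resource.new(logical_id, body['Type'], body.fetch('Properties', {}))
    end
  end

  def resources_by_type(type)
    @resources.select { |r| r.type == type }
  end
end

# Same shape as the slide's rule: identifier, violation text, failure-or-warning
# type, and audit_impl returning the logical ids of violating resources.
class IamManagedPolicyWildcardActionRule
  def rule_text
    'IAM managed policy should not allow * action'
  end

  def rule_type
    'FAIL' # cfn-nag distinguishes failing violations from warnings
  end

  def rule_id
    'F5'
  end

  def audit_impl(cfn_model)
    violating = cfn_model.resources_by_type('AWS::IAM::ManagedPolicy').select do |policy|
      !wildcard_allowed_actions(policy.properties['PolicyDocument']).empty?
    end
    violating.map(&:logical_resource_id)
  end

  private

  # Returns the bare "*" actions found in Allow statements. Action may be a string
  # or an array; a service wildcard such as "s3:*" is not what this rule flags.
  def wildcard_allowed_actions(policy_document)
    return [] if policy_document.nil?
    Array(policy_document['Statement']).flat_map do |statement|
      next [] unless statement['Effect'] == 'Allow'
      Array(statement['Action']).select { |action| action == '*' }
    end
  end
end

# Runs the given rules against a template and returns cfn-nag-style result records.
def audit_template(template_json, rules = [IamManagedPolicyWildcardActionRule.new])
  model = CfnModel.new(template_json)
  rules.each_with_object([]) do |rule, results|
    ids = rule.audit_impl(model)
    next if ids.empty?
    results << { 'id' => rule.rule_id, 'type' => rule.rule_type,
                 'message' => rule.rule_text, 'logical_resource_ids' => ids }
  end
end

# Slide 39: failing violations stop the pipeline, warnings only notify.
def pipeline_should_stop?(results)
  results.any? { |r| r['type'] == 'FAIL' }
end

# Constructed sample template: one policy granting "*", one scoped to s3:GetObject
# on a placeholder bucket, and a non-policy resource the rule must ignore.
SAMPLE_TEMPLATE = <<~JSON
  {
    "Resources": {
      "AdminAnything": {
        "Type": "AWS::IAM::ManagedPolicy",
        "Properties": { "PolicyDocument": { "Version": "2012-10-17",
          "Statement": [{ "Effect": "Allow", "Action": "*", "Resource": "*" }] } }
      },
      "ReadOneBucket": {
        "Type": "AWS::IAM::ManagedPolicy",
        "Properties": { "PolicyDocument": { "Version": "2012-10-17",
          "Statement": [{ "Effect": "Allow", "Action": ["s3:GetObject"],
                          "Resource": "arn:aws:s3:::example-bucket/*" }] } }
      },
      "WebServer": { "Type": "AWS::EC2::Instance", "Properties": {} }
    }
  }
JSON

if __FILE__ == $PROGRAM_NAME
  results = audit_template(SAMPLE_TEMPLATE)
  puts JSON.pretty_generate(results)
  puts(pipeline_should_stop?(results) ? 'FAIL: stopping pipeline' : 'OK')
end
```

Running the file reports a single F5 record naming `AdminAnything`; `ReadOneBucket` passes because its wildcard is scoped to a service, and the EC2 instance is never interrogated. In a commit stage the `pipeline_should_stop?` outcome is what fails the build before `create-stack` runs.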
  42. Demo
  43. Problem – Certification of Test Results
     • As security tools are integrated into a delivery pipeline, security/operations has to have enough control to dictate that these tools be run before a deployment to production
     • If security/operations controls the last step of the pipeline before production and runs these tools, that is too late to receive feedback
     • If security/operations controls the pipeline outright, then that becomes a chokepoint for developers being able to do their work quickly
     • Can control pipeline structure with extension points to allow customization, but if we can certify security tools were invoked...
  44. Certification of Test Results – in Abstract
     Question: How to prove that proper tests have been run against an object and the results are acceptable?
     Answer: Need a few things together to certify:
     • Actual object under test
     • The test specification
     • Test results
     • Trust in the test administrator, and that he actually ran the test
     In so many words, prove that: "The test administrator applied a set of particular tests to that particular object and obtained a set of particular results"
  45. Certification of Test Results – in Abstract
     Question: How to prove that static analysis has been run against an AWS CloudFormation template and it doesn't have known security anti-patterns?
     Answer: Need a few things together to certify:
     • AWS CloudFormation template, a.k.a. the object under test
     • cfn-nag list of rules applied, a.k.a. the test specification
     • cfn-nag results
     • Aforementioned content digitally signed together by a trusted test administrator
  46. Trusted Test Administrator – cfn-nag service
     • cfn-nag fronted by a simple REST API
     • Request: AWS CloudFormation template
     • Response: single JSON document including:
       - AWS CloudFormation template
       - List of cfn-nag rule identifiers applied
       - Result of cfn-nag analysis
       - Digital signature of whole document (Ed25519 - libsodium)
     • Distribute public half of key pair to verify the signature; the cfn-nag service administered by security operations holds the private half
  47. cfn-nag Service Response Example

     {
       "signature": "Z1ZLw8nAjBB3nf8kEmT2ctqgotCZIAKd8jXHCWTIQq24Ngbikqnt+Mtj556mbEO7F2VmGu8X7jPUIB93DA==",
       "cfn_template_with_cfn_nag_results": "eyJjZm5fdGVtcGxhdGUiOiJ7XG4gIFwi...",
       "cfn_nag_results": [
         {
           "id": "F2000",
           "type": "FAIL",
           "message": "User is not assigned to a group",
           "logical_resource_ids": ["iamUserWithAddition"]
         }
       ]
     }
  48. cfn-nag Service Response Anatomy
     • signature: Base64 encoding of a digital signature of the template alongside the analysis results
     • cfn_template_with_cfn_nag_results: nested JSON document that includes the template and results. This is the content that is actually signed. JSON in a JSON field is a nightmare, so it is encoded with Base64.
     • cfn_nag_results: duplication of the signed cfn-nag results, but human readable for convenience
  49. Consuming Test Certification Results
     • Security has control over a final automated "deployment gate" to production
     • Instead of a security team running scans before deployment and becoming a choke point that returns late feedback, scans are made public as services for developers to run early and often
     • The "deployment gate" verifies the digital signatures to prove the scans have been done instead of having to run them
     • Can also verify the nature of the test (which rules, in case there are new ones)
  50. The Acceptance Stage
     GOAL: Comprehensive testing of the application and its infrastructure
     Pipeline Actions:
     1. Integration Tests
     2. Acceptance Tests
     Security Tests:
     1. Infrastructure Analysis
  51. Configuration Inspection and Governance
     • After infrastructure is converged, configuration is inspected for security anti-patterns
     • Inspections can overlap with static analysis checks, but can also check for things that are harder to discover from just the code; for example, whether a security group open to the world on port 80 is attached to an EC2 instance versus a load balancer
     • These inspections should be in code, and in an ideal world, code for on-demand inspections from a pipeline should be the same code as is used for ongoing governance and compliance activities
  52. Configuration Inspection and Governance
     • AWS Config Rules are used to ensure resources are compliant with standards
     • Can be used on-demand, but a little awkward...
     • As an AWS CloudFormation stack is converged, can request noncompliant resources from Config Rules and filter them against resources in the stack under test
     • Config Rules are evaluating constantly in the background against the whole of the AWS account as events occur
     • Any noncompliant resources in the stack stop the pipeline
  53. Trusted Test Administrator – Config Service
     • AWS Config Rules fronted by a simple REST API
     • Request: ARN of a converged AWS CloudFormation stack
     • Response: single JSON document including:
       - AWS CloudFormation template scraped from converged stack
       - List of AWS Config Rules applied
       - List of noncompliant resources from the converged stack
       - Digital signature of whole document (Ed25519 - libsodium)
     • Distribute public half of key pair to verify the signature; the Config Rule service administered by security operations holds the private half
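The certification envelope of slides 46 to 49 and the Config Rule service of slides 52 and 53 share one design: the test administrator signs the object under test, the test specification and the results together, and a deployment gate that holds only the public key checks the signature, the rule list and the results before allowing a deploy. The following is an added example (not the cfn-nag service's or Stelligent's code) that implements both halves plus the stack-filtering step of slide 52. The class names, key pair, sample template, results and Config data are constructed for this illustration, and Ed25519 comes from Ruby's OpenSSL binding (openssl gem 3.0+, i.e. Ruby 3.1+) instead of libsodium.

```ruby
require 'json'
require 'base64'
require 'openssl'

# Added example, not the cfn-nag service's or Stelligent's code. All names, keys and
# sample data below are constructed for this illustration.

# Test administrator (run by security operations): holds the private half.
class CertificationService
  def initialize(private_key)
    @private_key = private_key
  end

  # Slides 47-48: the nested document (object under test, test specification,
  # results) is serialized and Base64-encoded; that string is what gets signed.
  # The results are repeated unsigned for human readability only.
  def certify(template, rule_ids, results)
    nested    = { 'cfn_template' => template, 'rule_ids' => rule_ids, 'results' => results }
    payload   = Base64.strict_encode64(JSON.generate(nested))
    signature = @private_key.sign(nil, payload) # nil digest: Ed25519 hashes internally
    { 'signature' => Base64.strict_encode64(signature),
      'cfn_template_with_cfn_nag_results' => payload,
      'cfn_nag_results' => results }
  end
end

# Deployment gate (slide 49): has only the public half and a list of rule ids it
# insists were applied, so a scan that skipped newer rules is rejected as well.
class DeploymentGate
  class Rejected < StandardError; end

  def initialize(public_key, required_rule_ids)
    @public_key = public_key
    @required_rule_ids = required_rule_ids
  end

  # Returns the verified nested document or raises Rejected. Every decision is taken
  # from the signed payload; the unsigned cfn_nag_results copy is never consulted.
  def verify(response)
    payload   = response.fetch('cfn_template_with_cfn_nag_results')
    signature = Base64.strict_decode64(response.fetch('signature'))
    raise Rejected, 'signature does not verify' unless @public_key.verify(nil, signature, payload)

    nested  = JSON.parse(Base64.strict_decode64(payload))
    missing = @required_rule_ids - nested.fetch('rule_ids')
    raise Rejected, "rules not applied: #{missing.join(', ')}" unless missing.empty?

    failing = nested.fetch('results').select { |r| r['type'] == 'FAIL' }
    raise Rejected, "failing violations: #{failing.map { |r| r['id'] }.join(', ')}" unless failing.empty?
    nested
  end

  def approve?(response)
    verify(response)
    true
  rescue Rejected
    false
  end
end

# Slide 52: Config evaluates the whole account in the background, so the service keeps
# only the noncompliant resources whose physical id belongs to the stack under test.
def stack_noncompliance(noncompliant_from_config, stack_physical_ids)
  noncompliant_from_config.select { |r| stack_physical_ids.include?(r['resource_id']) }
end

# --- Constructed sample data ---
PRIVATE_KEY = OpenSSL::PKey.generate_key('ED25519')
PUBLIC_KEY  = OpenSSL::PKey.read(PRIVATE_KEY.public_to_pem) # the half that is distributed
TEMPLATE    = '{"Resources":{"iamUserWithAddition":{"Type":"AWS::IAM::User"}}}'
RULES_RUN   = %w[F5 F2000]
FAILURE     = [{ 'id' => 'F2000', 'type' => 'FAIL', 'message' => 'User is not assigned to a group',
                 'logical_resource_ids' => ['iamUserWithAddition'] }]
SERVICE     = CertificationService.new(PRIVATE_KEY)

def clean_response   = SERVICE.certify(TEMPLATE, RULES_RUN, [])
def failing_response = SERVICE.certify(TEMPLATE, RULES_RUN, FAILURE)

# Readable copy edited to hide the failure: the signed payload still carries it.
def hidden_failure_response = failing_response.merge('cfn_nag_results' => [])

# A clean payload pasted under a signature made for a different document.
def forged_response
  failing_response.merge('cfn_template_with_cfn_nag_results' =>
                         clean_response['cfn_template_with_cfn_nag_results'])
end

if __FILE__ == $PROGRAM_NAME
  gate = DeploymentGate.new(PUBLIC_KEY, RULES_RUN)
  %w[clean_response failing_response hidden_failure_response forged_response].each do |name|
    puts "#{name}: #{gate.approve?(send(name)) ? 'deploy' : 'stop'}"
  end
end
```

Only the clean response is approved. The two tampered responses show why the gate must read the signed payload and never the convenience copy, and the required-rule check is the "verify the nature of the test" point from slide 49: a certificate produced before a new rule existed is not accepted just because its signature is valid.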
  54. Attack! (Acceptance or Cross-Functional Stage)
     Beyond configuration inspection to instigating and measuring behavior: scan the system for vulnerabilities and hit the running system with attacks to capture the response
  55. The Capacity Stage
     GOAL: Test the system under real world conditions
     Pipeline Actions:
     1. Performance Tests
     2. Load Tests
     Security Tests:
     1. OWASP ZAP Pen Test
     2. OpenSCAP Image Testing
  56. Vulnerability Scanning and Penetration Testing
     • Examine instances for weaknesses
     • Examine system for fatal flaws via automated pen testing
     • Similar to previous stages, though more difficult to represent as code due to the nature of the tooling
     • Same precepts: collect data on target, rule sets and results; digitally sign for verification
  57. Bringing It Together: Infrastructure Certification Pipeline
     • Vision – BYOS (Bring Your Own Security): Security-as-a-service with digital signatures enables distributed teams to invoke analysis in their own custom pipelines without interference from a centralized team
     • Given the infrastructure certification pipeline structure is mostly identical across applications...
     • Pipelines can be generated from metadata furnished by the application teams
  58. Conclusion
     • Infrastructure IS code… treat it as such. Applying modern development techniques such as TDD and Continuous Delivery yields immense value.
     • Infrastructure is part of the solution in application development now. Its development should be integrated into the application development process, treating the solution as an integrated entity.
     • From within the development team, CD reduces cycle time for releases and improves confidence in released code (including infrastructure code).
     • From outside, it allows security/governance/compliance to inject best practices as automated gates in the delivery process without introducing delays for review and approval.
     • This allows for control at scale without grinding to a halt.
  59. Resources
     https://stelligent.com/dev403
  60. Thank you!
