ADDO 2022 Putting the Sec in DevSecOps for an AWS Lambda Based System

1. TRACK: DEVSECOPS NOVEMBER 10, 2022 Craeg Strong, Ariel Partners Putting the Sec in DevSecOps for an AWS Lambda Based System

2. TRACK: DEVSECOPS Craeg Strong § Software Development since 1988 § Large Commercial & Government Projects § Kanban Coach / DevOps Engineer § Kanban Trainer / SpecFlow Trainer § Performance & Scalability Architect § Certified Ethical Hacker § New York & Washington DC Area CTO, Ariel Partners FLC, AKC, AKT, KCP, KMP, CSM, CSP, CSPO, ITILv3, PMI-ACP, PMP, CLP, SPC, ICP-ACC, ICP-ATF, PSM-II, PSK www.arielpartners.com cstrong@arielpartners.com @ckstrong1

3. TRACK: DEVSECOPS Agenda • About Me • Background and Context • Serverless Version • Cyber Security Practices • Architecture • Getting to Zero Trust • CI/CD Pipeline • Vulnerability Scanning • Kubernetes Version • Architecture • Zero Trust • Summary and Takeaways

4. TRACK: DEVSECOPS Context

5. TRACK: DEVSECOPS • Modern Project/Task Management Tools are Complex & Flexible • Agile Teams Don’t Have a Dedicated PM Resource • Team Members Are not Tool Experts • Agile teams place more value in delivering beautiful software rather than beautiful reports • Many teams receive inadequate training for tools • Agile Management Tools are full of missing, incomplete, or incorrect data • Reports are somewhat misleading, totally wrong, or won’t run at all • Senior management cannot not get aggregated reports they need to make decisions Cause Effect

6. TRACK: DEVSECOPS Manual Verification Checks: Agency 1

7. TRACK: DEVSECOPS Manual Verification Checks: Agency 2

8. TRACK: DEVSECOPS • Jira Plugin • Helps Teams Keep Jira Clean by reducing “Tool Debt” • Uses Gamification • Helps Enforce Jira Usage Policies Seatbelt for Jira

9. TRACK: DEVSECOPS Seatbelt for Jira

10. TRACK: DEVSECOPS Zero Trust for Serverless

11. TRACK: DEVSECOPS Zero Trust 1. Ensure the organization is observing good cyber hygiene 2. Secure all the software components 3. Track and manage all third-party dependencies 4. Secure the build/release process 5. Secure the deployment infrastructure 6. Secure data at rest and in motion 7. Don't trust any network, including your own. Enforce authentication and authorization everywhere. Assume the network is hostile. Securing Our Architecture

12. TRACK: DEVSECOPS AWS AWS API Gateway Lambda Seatbelt API AWS Step Functions Seatbelt Actions Glue Athena S3 DynamoDB Project Data and Metadata Project Data Project Metadata S3 Results Jobs AWS API Gateway JIRA Webhook Event Query ReST API Call Cognito

13. TRACK: DEVSECOPS • All services are locked down. Nothing can connect to anything by default • At runtime, Lambda are given temporary limited credentials just to connect to the services they need • Lambdas typically run for less than one minute and then the credentials are destroyed What makes this zero trust? Seatbelt API Identity & Access Manager S3 IAM Credentials Authenticated Access

14. TRACK: DEVSECOPS Frontend: NextJS TS Backend: Go Lang compile Static analysis CVE analysis Unit test SAM deploy E2e test compile Static analysis CVE analysis Unit test SAM deploy E2e test Cyber Tests Vulnerability Scan

15. TRACK: DEVSECOPS Remediation Actions for ZAP Seatbelt 1. Return HTTP 400 for bad requests 2. Tune zap.tsv for false positives 3. Always return Content-Type header 4. Set Strict-Transport-Security 5. CORS fixes

16. TRACK: DEVSECOPS

17. TRACK: DEVSECOPS CyberSecurity for Kubernetes

18. TRACK: DEVSECOPS IL4/IL6 or On Prem Kubernetes Control Plane Container Web App Firewall Container Container Go Lambda Function Container MongoDB PrestoDB Container Authentication Envoy Control

19. TRACK: DEVSECOPS • All services are locked down. Nothing can connect to anything by default • East-west traffic does not pass through the aggregation point What makes this zero-trust?

20. TRACK: DEVSECOPS Summary • Good Cyber Hygiene Involves many factors • Zero trust means we don't trust any network, including our own. We enforce authentication and authorization everywhere. We assume the network is hostile • Serverless technology significantly reduces attack surface • Long-running services could increase attack surface • Service Mesh provides a control plane that can be configured to enforce zero trust

21. TRACK: DEVSECOPS cstrong@arielpartners.com https://linkedin.com/in/cstrong @arielpartners https://youtube.com/arielpartners https://arielpartners.com THANKYOU

ADDO 2022 Putting the Sec in DevSecOps for an AWS Lambda Based System

You are reading a preview.

Check these out next

ADDO 2022 Putting the Sec in DevSecOps for an AWS Lambda Based System

More Related Content

More from Craeg Strong (20)

Recently uploaded (20)