
ADDO 2022 Putting the Sec in DevSecOps for an AWS Lambda Based System


What does it mean to implement zero-trust and DevSecOps principles in a serverless environment? This is our story of hardening an AWS application based on serverless architecture. It all began with an idea for a brand-new plugin for the Atlassian Jira Agile tool. Our plugin uses an innovative design based on GoLang, AWS Athena, Lambdas, and DynamoDB, and the Atlassian AtlasKit SDK for ReactJS. Serverless applications have many nice features that help make them secure. Lambdas get their credentials injected at runtime, eliminating the need to store keys or credentials. Our SSO solution improves security still further, by creating temporary credentials for every session, eliminating static keys and credentials. Given this excellent foundation, we thought our MVP was ready for production! Alas, how mistaken we were...
In order to meet Atlassian’s strict cybersecurity guidelines, we implemented security tools including GitHub’s dependabot, AWS credential management services, AWS app firewall, gosec, ZAP tester, and Nessus. We will discuss lessons learned and what was unique to the serverless environment. We will also cover privilege audits, data, and disaster recovery.
Using a serverless architecture confers many benefits, and by reducing the attack surface it can be inherently more secure than alternative architectures. Nevertheless, further steps must be taken to improve security. This talk will shed light on how to get where we need to be.



  1. TRACK: DEVSECOPS, NOVEMBER 10, 2022. Craeg Strong, Ariel Partners. Putting the Sec in DevSecOps for an AWS Lambda Based System
  2. Craeg Strong § Software Development since 1988 § Large Commercial & Government Projects § Kanban Coach / DevOps Engineer § Kanban Trainer / SpecFlow Trainer § Performance & Scalability Architect § Certified Ethical Hacker § New York & Washington DC Area. CTO, Ariel Partners. FLC, AKC, AKT, KCP, KMP, CSM, CSP, CSPO, ITILv3, PMI-ACP, PMP, CLP, SPC, ICP-ACC, ICP-ATF, PSM-II, PSK. www.arielpartners.com, cstrong@arielpartners.com, @ckstrong1
  3. Agenda • About Me • Background and Context • Serverless Version (Cyber Security Practices, Architecture, Getting to Zero Trust, CI/CD Pipeline, Vulnerability Scanning) • Kubernetes Version (Architecture, Zero Trust) • Summary and Takeaways
  4. Context
  5. Cause: • Modern Project/Task Management Tools are Complex & Flexible • Agile Teams Don’t Have a Dedicated PM Resource • Team Members Are not Tool Experts • Agile teams place more value in delivering beautiful software rather than beautiful reports • Many teams receive inadequate training for tools. Effect: • Agile Management Tools are full of missing, incomplete, or incorrect data • Reports are somewhat misleading, totally wrong, or won’t run at all • Senior management cannot get the aggregated reports they need to make decisions
  6. Manual Verification Checks: Agency 1
  7. Manual Verification Checks: Agency 2
  8. Seatbelt for Jira • Jira Plugin • Helps Teams Keep Jira Clean by reducing “Tool Debt” • Uses Gamification • Helps Enforce Jira Usage Policies
  9. Seatbelt for Jira
  10. Zero Trust for Serverless
  11. Zero Trust: Securing Our Architecture 1. Ensure the organization is observing good cyber hygiene 2. Secure all the software components 3. Track and manage all third-party dependencies 4. Secure the build/release process 5. Secure the deployment infrastructure 6. Secure data at rest and in motion 7. Don't trust any network, including your own. Enforce authentication and authorization everywhere. Assume the network is hostile.
  12. (Architecture diagram, AWS) Components: AWS API Gateway, Lambda (Seatbelt API), AWS Step Functions (Seatbelt Actions), Glue, Athena, S3, DynamoDB (Project Data and Metadata: Project Data, Project Metadata), S3 (Results, Jobs), AWS API Gateway (JIRA Webhook Event, Query, ReST API Call), Cognito
  13. What makes this zero trust? • All services are locked down. Nothing can connect to anything by default • At runtime, Lambdas are given temporary limited credentials just to connect to the services they need • Lambdas typically run for less than one minute and then the credentials are destroyed. (Diagram: Seatbelt API, Identity & Access Manager, IAM Credentials, Authenticated Access, S3)
  14. (CI/CD pipeline diagram) Frontend: NextJS TS: compile, static analysis, CVE analysis, unit test, SAM deploy, E2E test. Backend: Go Lang: compile, static analysis, CVE analysis, unit test, SAM deploy, E2E test. Cyber Tests: Vulnerability Scan
  15. Remediation Actions for ZAP (Seatbelt) 1. Return HTTP 400 for bad requests 2. Tune zap.tsv for false positives 3. Always return Content-Type header 4. Set Strict-Transport-Security 5. CORS fixes
  16. (image only)
  17. CyberSecurity for Kubernetes
  18. (Architecture diagram, IL4/IL6 or On Prem Kubernetes) Components: Control Plane, Container (Web App Firewall), Container, Container (Go Lambda Function), Container (MongoDB), Container (PrestoDB), Authentication, Envoy Control
  19. What makes this zero-trust? • All services are locked down. Nothing can connect to anything by default • East-west traffic does not pass through the aggregation point
  20. Summary • Good Cyber Hygiene Involves many factors • Zero trust means we don't trust any network, including our own. We enforce authentication and authorization everywhere. We assume the network is hostile • Serverless technology significantly reduces attack surface • Long-running services could increase attack surface • Service Mesh provides a control plane that can be configured to enforce zero trust
  21. cstrong@arielpartners.com https://linkedin.com/in/cstrong @arielpartners https://youtube.com/arielpartners https://arielpartners.com THANK YOU
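Slide 15 lists the remediations the ZAP scan drove: HTTP 400 for bad requests, a Content-Type on every response, Strict-Transport-Security, and CORS fixes. The following Go handler is an added example written for this page, not Seatbelt's code, showing how those four fixes look in a Go API of the kind the backend slide describes. The origin allowlist, the `/actions` route, and the request fields are assumptions chosen for illustration; tuning `zap.tsv` for false positives is scanner configuration and is not shown.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowedOrigins is an assumed allowlist; the real deployment's origins are not on the slides.
// Echoing only an allowlisted Origin (never "*") is the CORS fix a credentialed API needs.
var allowedOrigins = map[string]bool{
	"https://seatbelt.example.invalid": true,
}

// actionRequest is a hypothetical request body for the assumed /actions route.
type actionRequest struct {
	ProjectKey string `json:"projectKey"`
	Action     string `json:"action"`
}

// secureHeaders wraps a handler so every response carries HSTS and tight CORS headers.
func secureHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		h.Set("X-Content-Type-Options", "nosniff")
		if origin := r.Header.Get("Origin"); allowedOrigins[origin] {
			h.Set("Access-Control-Allow-Origin", origin)
			h.Set("Vary", "Origin") // caches must not reuse one origin's answer for another
			h.Set("Access-Control-Allow-Methods", "POST, OPTIONS")
			h.Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
		}
		if r.Method == http.MethodOptions { // preflight: answer without touching the route
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// actionsHandler always sets Content-Type and answers malformed input with 400, not 500.
func actionsHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json; charset=utf-8")
	if r.Method != http.MethodPost {
		w.WriteHeader(http.StatusMethodNotAllowed)
		fmt.Fprint(w, `{"error":"method not allowed"}`)
		return
	}
	var req actionRequest
	dec := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<16)) // cap body size
	dec.DisallowUnknownFields()
	if err := dec.Decode(&req); err != nil || req.ProjectKey == "" || req.Action == "" {
		w.WriteHeader(http.StatusBadRequest)
		fmt.Fprint(w, `{"error":"bad request"}`)
		return
	}
	w.WriteHeader(http.StatusOK)
	fmt.Fprintf(w, `{"accepted":%q}`, req.Action)
}

// Handler returns the API wrapped in the security middleware.
func Handler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/actions", actionsHandler)
	return secureHeaders(mux)
}

// Probe sends one in-memory request through Handler and returns the status and headers,
// which is roughly what a ZAP baseline scan inspects on each response.
func Probe(method, origin, body string) (int, http.Header) {
	req := httptest.NewRequest(method, "https://api.example.invalid/actions", strings.NewReader(body))
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	Handler().ServeHTTP(rec, req)
	return rec.Code, rec.Header()
}

func main() {
	// Constructed sample requests: malformed JSON, a valid call from an allowlisted origin,
	// and the same call from an origin that is not on the list.
	for _, c := range []struct{ method, origin, body string }{
		{"POST", "", "not json"},
		{"POST", "https://seatbelt.example.invalid", `{"projectKey":"SB","action":"nudge"}`},
		{"POST", "https://other.example.invalid", `{"projectKey":"SB","action":"nudge"}`},
	} {
		code, h := Probe(c.method, c.origin, c.body)
		fmt.Printf("%d Content-Type=%q ACAO=%q HSTS=%q\n", code,
			h.Get("Content-Type"), h.Get("Access-Control-Allow-Origin"), h.Get("Strict-Transport-Security"))
	}
}
```

The malformed body yields a 400 with a JSON Content-Type and HSTS already set, so the scanner's "missing header" and "server error on bad input" findings disappear; the non-allowlisted origin still gets a normal 200 but no Access-Control-Allow-Origin, so a browser on that origin cannot read the response.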
