Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Safeguard Code Integrity for Fast Deployments
Similar to Safeguard Code Integrity for Fast Deployments (20)
Recently uploaded
Recently uploaded (20)
Safeguard Code Integrity for Fast Deployments
- 2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Safeguard the Integrity of YourCode for Fast andSecure Deployments Martin Klie Senior Cloud Architect – Security Development Broadridge Financial Solutions D E V 3 4 9 Ben Andrew Marketplace Security & Networking AWS Matt Girdharry Marketplace DevSecOps AWS
- 3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Whatthisis… An intro to AWS Marketplace Describe our view on DevSecOps And why we’re focusing on a very specific piece of it today Showcase our customer Transforming the philosophy to practice (hopefully with some positive impacts)
- 4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Whatthisisn’t… A deep dive on the Marketplace That’s somewhere else! A guide to perfecting DevOps or Security That would be hard. A focus on AWS services in this space We are interested primarily in how customers are using 3rd party technologies
- 5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Quick Get the software you need in minutes with just a few clicks or use the 1-Click deployment option. Software in AWS Marketplace are ready-to-run on AWS. Pay-as-you-go Only pay for what you use through various payment options and receive discounts on longer or custom terms. All charges from AWS Marketplace are consolidated into one bill from AWS. Verified All software in AWS Marketplace are continuously scanned to ensure reliability. AWSMarketplace Acurateddigitalsoftwarecatalogthathelps youfind,buy,test,anddeploysoftware
- 7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Customizethewayyouprovisionsoftware Find Networking Security Storage DevOps Database Operating Systems BI & Big Data Security Information and Event Management (SIEM) From a breadth of categories: Buy Free trial Pay-as-you-go Hourly Monthly Annual and Multi-Year Bring Your Own License (BYOL) Seller Private Offers Through flexible pricing options: Deploy Amazon Machine Image (AMI) SaaS API AWS CloudFormation Template With multiple deployment options:
- 8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Agrowingdigitalsoftwarecatalog • Deploy software on demand • 1,300+ ISVs • Over 4,200 product listings • 200,000 active customers • Over 650 million hours of Amazon EC2 deployed monthly • Deployed in 16 regions • Offers 35 categories • Flexible consumption and contract models • Easy and secure deployment, almost instantly • One consolidated bill • Always evolving
- 9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. 94% 73% of cloud workloads and instances will be processed by cloud data centers of cloud workloads will be in public cloud (27.5% CAGR from 2016 to 2021) of cloud workloads will be Software-as-a-Service (SaaS) 75% Public cloud trends are accelerating By 2021…
- 10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. The mega 5 software vendors which represent ~50% of IT software spend Top 50 vendors critical to the journey to the cloud and future direction of a company The long tail of 500+ vendors Microsoft and Oracle managed by SAP on AWS and VMWare on AWS IBM or SFDC Transforming your portfolio: the5/50/500model ~15–18%oftheITbudgetissoftware
- 11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Operating systems SIEMStorage BIDatabase DevOpsNetworking 8 popular categories mostoftenprovisioned Security
- 12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. WhyAWS Marketplace? Grow your customer base Leverage a powerful and growing cloud offering to expand your customer base Improve efficiency and profitability Faster sales cycles and efficient provisioning can lead to higher overall profitability Sell the way your customers want to buy Streamline software procurement and offer flexible pricing models
- 13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. WhyAWS MarketplaceforSecurity?
- 14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Making theabstract concrete Broadridge is a global Fintech leader enabling corporate governance, powering capital markets and growing wealth management. With over $4 billion in revenues and part of the S&P 500® Index, Broadridge provides communications, technology, data and analytics that help clients get ahead of today’s challenges to capitalize on what’s next. We help drive business transformation for our clients with solutions for enriching client engagement, navigating risk, optimizing efficiency and generating revenue growth.
- 15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Speed!Collaboration!Automation! Waterfall Agile DevOps
- 16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Automation x {Dev +Infra} =DevOps Solvingfor theproblem
- 17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Speed fromAutomation! Computers managing other computers Software that can be set to discover, manage, monitor and fix other software Something that removes humans – and human error – from the equation Containerized applications + Security Traditional applications + Security Application services + Security Cloud infrastructure + Security Traditional infrastructure + Security 100% Breadth Depth
- 18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Automated Remediation:TheFutureis Now! https://arxiv.org/pdf/1810.05806.pdf
- 19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Speed vs.StabilityandSecurity vs.Compliance
- 20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Nirvana
- 21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. {Speed}+{Stability}=DevOps Solvingfor theproblem {Speed,Stability}+{Security,Compliance}=DevSecOps
- 22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Agility(DevOps) versusSecurity. Software delivered quickly but with bad security features. Software quickly iterated; security is not an inhibitor. You don’t want to be here. You really don’t. Slow delivery, well-armored applications. Automated Security + ComplianceHighPerformingDevOps No Yes No Yes
- 23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Thefundamentals… • Identify what needs to be secure and compliant • Set rules for security and compliance • Auto-remediate (where possible) against deviations
- 24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. But…automation in real lifecanbe different from what’sadvertisedby allof us automation enthusiasts
- 25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. ⚙ ⚙ ⚙ ⚙ ⚙ ⚙ ⚙ Automation
- 26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. SecurityoftheCI/CDpipeline… IAM WAF Logging & Monitoring, Visibility, APM, etc.
- 27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Versus security/complianceof thecode inthepipeline Pre Commit Commit Acceptance Deploy Continuous Compliance Threat modeling Initial SAST inside IDE Code review “Break the build“ Compile/build checks SCA Container security Additional SAST Unit test Secure infra build Functional/integration testing SCA DAST Unit test Security attacks Deep SAST Fuzzing, PenTests Provision runtime environment Config management RASP Security Compliance CI/CD
- 28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Making DevOpsSec-sy
- 29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Empower developers totreatsecuritydefectsas functional defects Likeerrors in code – somethingthatcanbe fixed earlyon intheprocess toprevent reallybad downstream impacts
- 30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Similarfor compliant/safeinfrastructure… Automatethesecurityand compliance of your infrastructure ascode
- 31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Dev:ApplicationcodeCI/CDaccelerateintoprod Ops:“Infrastructureascode”CI/CDaccelerateintoprod Speed 2! Sec/Comp: “Security+Complianceascode”CI/CDaccelerate intoprod
- 32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. How isBroadridge automating securityand compliance early intheprocess before infra gets intoproduction?
- 33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. MaintainAgilitywhileSecuringServices Allow Experimentation - Foundation not Façade Secure the perimeter independent of the service Secure access and align with corporate policies Guardrail Services Prepare for the Worst Scenario - Merger Partnerships – Buy or Build Relationships are Important Keeping Pace – Product and Development Keeping the Baseline Review the pipeline Timely Remediation – Educate Associates Allow Experimentation – Alert on Deviations
- 34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Define theCriteria Shared Responsibility Log All Possible Events Data is always encrypted At rest - In transit Temporary Credentials Establish the governance if permanent credentials are required InternalTraffic unless Approved Any traffic past the internal perimeter must be approved All Security Groups areTrusted
- 35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. KickstartandCommit Get out there – Keep scope in mind Attend education sessions Find focus groups Utilize research partners Others will most likely find new services – especially developers Always run a Proof of Concept (POC) Review the pipeline Remediate Issues – Report orAutomate Dome9 Trusted Security Groups – Locked Regions GSL rules – Continuous Compliance Auto Remediation
- 36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. SecurityGroupGovernance Dome9 Full Protection for all Security Groups Alert and Adjust Allows pipeline to create Utilize IPLists – ease of maintenance Report and Review Policy Report – AWS Security Groups Clarity Magellan Define Usage Security Groups forAllow NACL for Deny
- 37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. SecurityGroups - Rollout Provided Service Access AWS APIs Shared Services Internal/External Services Clone Create in Master account Clone to AWS Accounts/VPCs Application Specific Create in Sandbox Test to Define Least Access Combine Rule – AWS limits Clone to AWS Accounts/VPCs
- 38. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AccessReview – PolicyReports
- 39. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AccessReview –Clarity-Possible
- 40. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AccessReview – Magellan -Actual
- 41. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. GovernanceSpecificationLanguage(GSL)Rules Vendor Provided Utilize their Research and Maintenance Create new Bundles and Modify as needed to fit Business Requirements Create as Needed Easy to Create – Playground – Rule Builder IamPolicy where name!='BR_AdministratorAccess_Policy' and name!='AdministratorAccess' and name!='BR_Cloud_Admin_Policy' should not have document.Statement contain [Effect = 'Allow' and Resource ='*' and Action ='*' ] Single Source - Maintenance New Accounts Keeping up with the rate of change
- 42. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. GSL Rules - Provided AWS Dome9 Best Practices – 1000+ Rules Utilize their Research and Maintenance Create new Bundles and Modify as needed to fit Business Requirements Clone Bundle Edit GSL for Exceptions Remove Rule(s) as needed Maintenance Dome9 will provide regular updates and additional services https://dome9.com/product-updates/ Reevaluate and Apply
- 43. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. GSL Rules -Create Utilize Playground Utilize their Research and Maintenance Create new Bundles and Modify as needed to fit Business Requirements Test Rule Account – Region -VPC Remove Rule(s) as needed Add to Bundle
- 44. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. ContinuousCompliance Bundles – Grouping of GSL Rules Individual Account / Service SDLC – Production only Global Notification Policies - Reporting Weekly Daily Immediate – SNS to SQS Pass and Fail updates Assessment History Review for Missed Alerts
- 45. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. ContinuousCompliance -Example Create Bundle and GSL Rules DENY IPs In Continuous Compliance Attached CloudAccount Attached Notification Policy Daily Immediate
- 46. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. ContinuousCompliance -Reports Remediate if not 100% - Daily Stop Issues before they become breaches or Production Near Real-time Audit Preparation Weekly Reports Inspector Scans AMI Adherence Immediate Notification Build Misconfigurations Prod, QA, and UAT
- 47. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. ExpectDeviations –Ongoing Enhancements Unauthorized and Malicious Traffic Discovery Prevention Protection Continuous Integration and Deployment Pipeline Educate Remediate Auto Remediation – Dome9 CloudBots Know what to fix and where to educate
- 48. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. GuardDuty Setup Master Account - per Region Recommend to align with Firewall Manager New findings: Update CWE immediately (within ~5 minutes) Updated findings: Send notifications every 15 minutes Filter Criteria CloudWatch Alerts – All in the Master Account SNS SQS Surmise SIEM Dome9
- 49. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Macie Setup us-east-1 and us-west-2 Classify data – Integration – S3 Resources CloudWatch Alerts – Account/Region SNS SQS Events Object level – Access and Volume Bucket level CloudTrail Analysis
- 50. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. FirewallManager -WAF Setup – Master uses OrgID Create Rules – Market Place AWSWAF -Web Exploits Rules by F5 Create Policy – Define Scope CloudFront – Global Application Load Balancer - Regional CloudWatch Alerts { "source": [ "aws.waf" ] } SNS and SQS Distribution and Maintenance AWS Config Rules
- 51. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AdvancedShield Setup Subscribe Associate WAF CF/ALB/ELB/EIP/Route 53 CloudWatch Alerts DDOS message: SNS to SQS Authorize DDoS ResponseTeam (DRT) Support Subscribe DRT-Support Role VPC Flow logs to S3 bucket Additional Contacts – Support Distribution List
- 52. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Remediateor Educate Case Scenario ALB using Console port for Keep alive GuardDuty Brute ForceAttached Public Bucket Dome9 Alerts Educate Participate in Pipeline Work with Architects Create Standard and Reusable Modules Auto Fix CloudBots ChooseWisely - Cautious of Pipeline Replacing Condition Updates – Rollout System Manager
- 53. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Dome9 Auto Remediation Architecture
- 54. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Auto Remediation –SecurityGroup Delete GSL Rule SecurityGroup where name like 'launch-wizard%' should not have networkAssetsStats contain-all [ count=0 ] CloudBot sg_delete Bundle All AWS Accounts
- 55. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Auto Remediation – BucketVersioning GSL Rule S3Bucket should have versioning.status='Enabled‘ CloudBot s3_enable_versioning Bundle All AWS Accounts
- 56. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Auto Remediation –TerminateBuild Instance GSL Rule Instance where tags contain [ key='Name' and value like 'TestKit%' ] should not have isRunning=true and launchTime before(-12, 'hours') CloudBot ec2_terminate_instance Bundle InnLab Sandbox Development
- 57. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Auto Remediation –SystemManager GSL Rule Review existence of Instance Profile Review policy in Instance Profile CloudBot Attached Instance Profile Attached policy to Existing Instance Profile Bundle All AWS Accounts
- 58. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Auto Remediation –Confirmation Keep GSL Rule In Daily Review Bundle Review Remediation Log ReportTime: 2018-10-27T16:35:50.661Z Account id: $ACCOUNT Rule violation found: Instances should have an instance role attached ID: i-016463d9xxxfcf7f2 | Name: br-gtodev-ltxd-asg-asg Remediation bot: AUTO: ec2_attach_instance_role role_arn=arn:aws:iam::$ACCOUNT_ID:instance- profile/BR_SSM_Role Compliance failure was found for an account outside of the one the function is running in. Trying to assume_role to target account
- 59. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Access Role Based Federated Access Aligns with corporate termination policy MFA andTemporary Credentials GSL Rules to cover any exception User Principles for legacy applications
- 60. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Continuous Improvement Constant Change What worked today may not tomorrow Updates are constant and require attention Existing Feature Sets Integration Segregation of Duties Delivery Configuration Keeping Current ProductAnnouncements and Updates AWS Executing Briefing Center (EBC) Drive toward AWS Organization Authorization
- 61. Thank you! © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Martin Klie Martin.Klie@Broadridge.com Ben Andrew benand@amazon.com Matt Girdharry mattgird@amazon.com
Editor's Notes
- Three Foundational Principles for Security Everywhere in Financial Services [MG: NEEDS TO BE EDITED] How do you bring a publicly traded financial services corporation to the public cloud securely? How can you establish and maintain robust security across the entire cloud footprint spanning hundreds of accounts from innovation labs to production environments with different rules and requirements? This was the challenge facing Broadridge Financial Solutions, a global fintech leader who provides communications, technology, data and analytics to help drive business transformation for its clients. In this session, Martin Klie will talk about how his team operationalized core security principles such as least privilege, guardrails, and temporary credentials to enforce consistent security and compliance across DevOps and IT environments in AWS. Key Takeaways: - Security considerations in DevOps -- separation of duties, granular access, and code security - Key ingredients of the security stack for defense-in-depth protection - Best practices to enforce regulatory compliance with guardrail
- TALK TRACK: We’re going to mentioning a number of topics that are 60-minute discussions in and of themselves (x as code and DevOps; Security ….but what we want to focus are the particular use cases that our customers are using to deal with their real-world problems. So we want to move from more abstract notions of what it means to have secure and compliant software delivery to how our customers are actually using both AWS and 3rd-party tooling within their own Key here is partner oriented: there are other talks at re:Invent that will take you through the AWS architecture for DevOps and DevSecOps, but Marketplace is significantly interested in how 3rd-party technologies can be super easily assorted and deployed into customers’ cloud environments. *Can actually poll audience for a quick survey on what they think DevSecOps is and maybe even some domains/tools it covers.*
- Key here is partner oriented: there are other talks at re:Invent that will take you through the AWS architecture for DevOps and DevSecOps, but Marketplace is significantly interested in how 3rd-party technologies can be super easily assorted and deployed into customers’ cloud environments. *Can actually poll audience for a quick survey on what they think DevSecOps is and maybe even some domains/tools it covers.*
- TALK TRACK: AWS Marketplace is a curated digital software catalog and simplifies the discovery, purchase, and deployment of third party software. We focus on speed with features like 1-click deployment, flexible pricing terms to provide you with a subscription based, elastic pricing option, and reliability to ensure software solutions in AWS Marketplace are reliable and ready to use on other AWS services.
- TALK TRACK: AWS Marketplace provides an extensive selection in software categories like Security, Networking, Storage, Business Intelligence, Database and Analytics, and DevOps with flexible pricing options such as free trial, pay as you go, BYOL, and Seller Private Offers, while having multiple deployment options, helping you to customize software provisioning to fit your security policies, licensing terms, budgetary needs, and more. Helping you to customize and provision software the way you need it.
- NOTE TO PRESENTER: AWS Marketplace provides over 4,200 software solutions from more than 1,400 ISVs and continues to grow and help customers migrate to the cloud. Today, customers are deploying over 570 million hours of EC2 monthly. If you do the math, that’s about 848K hours being deployed just in this hour.
- TALK TRACK: The trend and need for a cloud is accelerating. By 2021, it’s expected that 94% of workloads and instances will be processed by cloud data centers vs. traditional data centers, 73% of cloud workloads will be in public cloud, and 75% of cloud workloads will be SaaS. One of the biggest challenges companies run into during this process is finding a way to migrate existing on-premises software applications to the cloud. That’s where AWS Marketplace can help.
- TALK TRACK: During this migration process, you’ll find that there are hundreds software solutions you’ll need to fully migrate over to the cloud (alluding to the 500+). Our data and research shows that most companies are honing in on 30-50 important choices from that selection across 12 categories of software. This stems from needing 2-4 ISVs in each category since most of the time, one ISV will not cover everything you need (alluding to the 50 vendors). And because customers don’t know how much usage they’ll need at this point, they rely on a pay as you go pricing terms. As mentioned, this is where AWS Marketplace can help, by providing ISVs with flexible pricing options they can provide to their customer. And of course, everyone relies on the 5 top vendors from the 6 named on this chart. AWS Marketplace manages Microsoft and Oracle offerings, and you can bring SAP, VMWare and IBM or SFDC onto AWS.
- TALK TRACK: These are the top 8 categories in which software solutions are most often deployed. AWS Marketplace includes software solutions from key ISVs such as CentOS, Trend Micro, NetApp, Cisco, Adobe, AppDynamics and more. Altogether, there are 35 categories in AWS Marketplace, with multiple deployment types and commerce models.
- TALK TRACK: For those that may not be aware – or for those that might need a refresher – AWS employs a shared responsibility model where AWS is responsible for security ‘of the cloud’ and customers are responsible for security ‘in the cloud’. [Can point to some of the details in the AWS section vs the Customer section] We strive to make security offerings available to cover the customer’s responsibility through AWS and 3rd-party. Broadridge: And a lot of what we’ll be talking about today is how 3rd-party solutions work with AWS services to provide help cover the needs of our customers. GDIT: A lot of what we’ll be exploring today is how GDIT utilizes a partner offering to cover their needs around continuous compliance and automated remediation of issues that crop up during their [fill in details]
- Take this opportunity to remind the audience that we are really just here to prep you for the important stuff: how our customer thinks about compliance and security and how they see third-party technologies adding value to the services that AWS provides.
- TALK TRACK: So before we talk about DevSecOps, it’s probably a good idea to take a look at what we mean by DevOps. It’s now very much a cliché that every company is a software company…and this is as true for ‘born in the cloud’ companies as it is for decades-old institutions that need to keep up with the expectations of their customers. But just because every company is a software company doesn’t mean that every company provides continuously updated (new, improved) experiences for their customers. But for those that need to – or should – DevOps is the way to do this. DevOps, for those who don’t know the term, refers to the merging of development and operations teams to ensure that new, innovative features have a better chance of being delivered frequently into operating environments that are capable of deploying those applications. Pre-DevOps, you saw a lot of friction between dev teams that favored speed and ops teams that favored stability. In fact, these were seen as incompatible. DevOps, in simplest terms, ensures that applications can be successfully deployed into production environments by automating the testing the infrastructure alongside the application code, and fixing problems before getting to the production stage. So in DevOps we are considering both the application code and the infrastructure code as inextricably linked to produce functional application code on top of supportive infrastructure code. So here we’ve broken down the different software delivery options… the biggest difference between Waterfall and Agile/DevOps, the shift toward a test-driven approach to development, i.e. testing everything all the time. The key difference between Agile and DevOps: for Agile, software is developed and released, the agile team doesn't formally care what happens to it. They're on to the next sprint and the next revision of the user story. DevOps, on the other hand, is all about taking software which is ready for release and deploying it in the safest, most reliable manner possible. DevOps doesn't depend on the software being developed by the agile discipline. It's entirely possible to have waterfall development feeding DevOps Automation is also a big differentiator So a huge problem has been addressed between these two teams handling the evolution of software on the one hand and the accessibility of it on the other. You can imagine what happens when we start to think about security and where it belongs. Look to the audience: Any guesses? Think it’s a good story?
- TALK TRACK: So essentially the equation for DevOps looks like this. Note: maybe place automation as an exponent?
- Broadridge/GDIT are going to be talking about what automation means to them in their practice. Typically the big things in automation go something like this, with subtle differences between dev and prod environments: (Automatically discover what needs to be secured and compliant) (Automatically detect when something is out of security and compliance policy) (Automatically remediate what you can). You can think of automation as spanning the depth and breadth of your IT estate, up the stack and across the business. Imagine every team has automated how they build and deploy applications, and how they provision, configure and manage the infrastructure they run on. This is what “always ready to ship” looks like. This is what pervasive/widespread automation delivers. You may hit a 100 percent, but it’ll back down, go back up, because this is continuous. There’s always something new.
- TALK TRACK: How far have we come – or, maybe a better way of stating this – where are we going with automation and things like automated remediation? How about a bot disguised as a human operator? One that can detect bugs and then write patches to fix them. Now this may be on the far right of the bell curve in terms of automation examples, but…it’s just so cool. These guys call their bot Repairnator and have successfully tested it by allowing it to compete against human developers to find fixes. “This is a milestone for human-competitiveness in software engineering research on automatic program repair,” they say. Computer scientists have long known that it is possible to automate the process of writing patches. But it is not clear whether bots can do this work as quickly as humans and to the same quality. Take a look at this: https://www.theregister.co.uk/2018/10/17/luc_esape_bug_fixer/ Take language from here: https://www.technologyreview.com/s/612336/a-bot-disguised-as-a-human-software-developer-fixes-bugs/ Software writing software….based on ‘intelligent response’. https://arxiv.org/pdf/1810.05806.pdf
- TALK TRACK: Let’s look at the left = delivering the features that are required with corresponding operational integrity. You have entities that have chosen to ’up’ the speed axis and sacrifice stability. Conversely, you can have Right = delivering code that is secure and compliant. Although you can get security measures baked into compliance standards, it’s important to understand that just because you’re compliant doesn’t necessarily mean you’re secure. And just because you’re secure does not mean you’re compliant. The goal here is to be as secure and as compliant as possible, so that like the figure you have automated processes to ensure both security and compliance in your software development practice. Security and compliance play different roles, both in your internal and external environments. The right cybersecurity measures protect your information from threats by controlling how that information is used, consumed and provided. Compliance, on the other hand, is a demonstration — a reporting function — of how your security program meets specific security standards as laid out by regulatory organizations. Key underlying foundation is automation. Automated testing, automated security and compliance checks – many things that fall into the domain of ‘x as code’ – are all the things that makes this possible. Removing the human factor to promote greater accuracy and speed is essential for this to work. Broadridge/GDIT will talk more about this and make it much more concrete.
- TALK TRACK: So here is the ultimate DevSecOps picture…”All Apologies” (lower left) to “Smells Like Teen Spirit” (upper right).
- TALK TRACK: So what are the algorithm for DevSecOps. As I mentioned, DevOps looks to take application code and the Ops team looks to take infrastructure code in order to ‘synergize’ speed and security (I need to find a way to talk about ‘ideate’ next – it can be done!). Those frontiers have been conquered.
- TALK TRACK: GDIT: Tie back into the GDIT/NGA story and what THEY teach us about speed and security. Can use this to talk specifically to what Brad mentioned --- security can take pre-emininence especially when the stakes are national security (versus my bank who risks personal/financial info - bad, but not catastrophic at a nation-state level, like nuclear codes). Broadridge: There are just some things that you don’t want to automate because the risk can be high (automating mistakes). Sometimes companies will just want to have the information available in order for a human to figure out what to do. Martin will talk more about this - ‘unfettered automation’ is not part of their standard operating procedure.
- Broadridge and GDIT will give us the real view of what actually happens…and while things like automated remediation sound great – and there are growing use cases out there for it – you’ll see that people still matter. There are still things that either only humans can do at this point or customers highly prefer that they have a human being doing it.
- Let’s go to the chalkboard….arbitrary time values. Automation = testing/detection and remediation. Manual Inspection – can think of this like people getting involved to make sense of findings before a remediation is executed. Path A, B, C is first and historically typical and is more closely tied to longer development cycles that are not incorporating optimized DevOps practices nor are they embedding security. (“Same as it ever was” territory). This is like three of your favorite x – come up with witty names/graphics for the various letters. Path D is the path of cloud-born. They are pushing out updates and feature enhancements and it’s seamless. You – the customer - don’t feel a thing. You’re not getting notifications to update your system. This is what Lyft, Airbnb, Netflix, and yes, Amazon.com are doing. Path F is the what a lot of our customers are aiming for – those that have run traditional apps on prem, moving to the cloud, and trying to exploit what they can from cloud functionality while maintaining policies aligning with their corporate needs/values (tolerance for risk, etc., included here) Show how security and compliance needs to be placed back into the early portions of the dev process and automated to keep up with what developers – and ultimately the businesses themselves – need in order to flourish (and some to survive). Remediation costs increase in direct proportion to how far downstream they travel. Key underlying foundation is automation. Automated testing, automated security and compliance checks – many things that fall into the domain of ‘x as code’ – are all the things that makes this possible. Removing the human factor to promote greater accuracy and speed is essential for this to work. Broadridge will talk more about this.
- IAM for access rights = who gets control WAF for application security – hardened from dev into production Logging, etc to get a comprehensive view of security and performance All of these things are important from a DevSecOps perspective to make sure security and compliance is functioning properly.
- TALK TRACK: (high level) But we also need to look at the security that’s being embedded into the application and infrastructure code. We need to get firm control over robustness of the code itself and whether it will ultimately be delivered with low probability of vulnerable components. And it’s better to this early Let’s take a closer view at a core piece of DevOps, the CI/CD pipeline. This again is one of those topics we could spend an entire session on, but we’re going to give Pre-Commit: Comprise security activities before code is checked into version control. Here you have things like threat modeling, static application security testing that will look for potential flaws within your code and code reviews. Commit (Continuous Integration): Fast, automated security checks during the build and continuous integration steps. Here you’ll get into things like…x Acceptance (Continuous Delivery): Automated security acceptance, functional testing, and deep ‘out-of-band’ scanning during continuous delivery. Here you’ll get into things like…x Deploy/Production (Continuous Deployment): Security checks before, during and after code is deployed into production. Throughout this process, you’ll want to make sure DETAILED: Precommit These are the steps before and until a change to software or configuration is checked in to the source code repo. Additional security checks and controls to be added here include the following: Lightweight, iterative threat modeling and risk assessments Static analysis (SAST) checking in the engineer’s IDE Peer code reviews (for defensive coding and security vulnerabilities Commit Stage (Continuous Integration) This is automatically triggered by a check in. In this stage, you build and perform basic automated testing of the system. These steps return fast feedback to developers: did this change “break the build”? This stage needs to complete in at most a few minutes. Here are the security checks that you should include in this stage: Compile and build checks, ensuring that these steps are clean, and that there are no errors or warnings Software Component Analysis in build, identifying risk in third-party components Incremental static analysis scanning for bugs and security vulnerabilities Alerting on high-risk code changes through static analysis checks or tests Automated unit testing of security functions, with code coverage analysis Acceptance Stage This stage is triggered by a successful commit. The latest good commit build is picked up and deployed to an acceptance test environment. Automated acceptance (functional, integration, performance, and security) tests are executed. To minimize the time required, these tests are often fanned out to different test servers and executed in parallel. Following a “fail fast” approach, the more expensive and time-consuming tests are left until as late as possible in the test cycle, so that they are only executed if other tests have already passed. Security controls and tests in this stage include the following: Secure, automated configuration management and provisioning of the runtime environment (using tools like Ansible, Chef, Puppet, Salt, and/or Docker). Ensure that the test environment is clean and configured to match production as closely as possible. Automatically deploy the latest good build from the binary artifact repository. Smoke tests (including security tests) designed to catch mistakes in configuration or deployment. Targeted dynamic scanning (DAST). Automated functional and integration testing of security features. Automated security attacks, using Gauntlt or other security tools. Deep static analysis scanning (can be done out of band). Fuzzing (of APIs, files). This can be done out of band. Manual pen testing (out of band). Production Deployment and Post-Deployment If all of the previous steps and tests pass, the change is ready to be deployed to production, pending manual review/approvals and scheduling (in Continuous Delivery) or automatically (in Continuous Deployment). Additional security checks and controls are needed in production deployment and post-deployment: Secure, automated configuration management and provisioning of the runtime environment Automated deployment and release orchestration (authorized, repeatable, and auditable) Production monitoring/feedback Runtime defense Bug bounties
- TALK TRACK: ”If you’re a vendor that would like to sell into Marketplace, we would love to talk to you. My whole job centers around providing robust selection for our partners. So let’s bring this back to the AWS Marketplace. A lot of the pieces that we need to cover in the pipeline can be found and deployed from the marketplace. SAST = static application security testing DAST = dynamic application security testing SCA = software composition analysis CVA = container vulnerability analysis RASP = runtime application self-protection Stress that Dome9 will be featured in Broadridge talk and Chef will be featured in GDIT
- (show line curves here: traditional security/compliance vs continuous/early) Quality Bug Defect in a system or a representation of a system that if executed/activated could potentially result in an error (ISO/IEC 15026-1:2013). Software Defect A condition in a software product which does not meet a software requirement (as stated in the requirement specifications) or end-user expectations (which may not be specified but are reasonable). In other words, a defect is an error in coding or logic that causes a program to malfunction or to produce incorrect/unexpected results. Software Fault An abnormal condition or defect at the component, equipment, or sub-system level which may lead to a failure (ISO 10303-226). Security Software Vulnerability A mistake in software that can be directly used by a hacker to gain access to a system or network (CVE). Software Weakness Flaws, faults, bugs, vulnerabilities, and other errors in software implementation, code, design, or architecture that if left unaddressed could result in systems and networks being vulnerable to attack (CWE). See Qualys case study: https://vimeo.com/237972697 30 minute mark
- TALK TRACK: So this is a It’s all about code. Developers have been doing this for a long time… Development engineering teams have been writing code since the beginning. Modern operations teams are now writing "infrastructure as code" using tools like Chef, Puppet, and Ansible to create and configure cloud infrastructure, on-premise infrastructure, gold images, and network devices. Security as code takes this approach a step further by converting manual security and compliance steps into automated, repeatable scripts that can be executed inside a CI pipeline. Security tools are quickly evolving to have APIs and command line interfaces to support "security as code" instead of manually configuring a scanner and pressing a button. Security as Code is about building security into DevOps tools and practices, making it an essential part of the tool chains and workflows. You do this by mapping out how changes to code and infrastructure are made and finding places to add security checks and tests and gates without introducing unnecessary costs or delays.
- TALK TRACK: A few things that we’ll see from Broadridgecan the infrastructure code for necessary compliance and security checks before deploying to production. Complements automated unit and integration testing that are part of the