Three Foundational Principles for Security Everywhere in Financial Services [MG: NEEDS TO BE EDITED]
How do you bring a publicly traded financial services corporation to the public cloud securely? How can you establish and maintain robust security across the entire cloud footprint spanning hundreds of accounts from innovation labs to production environments with different rules and requirements? This was the challenge facing Broadridge Financial Solutions, a global fintech leader who provides communications, technology, data and analytics to help drive business transformation for its clients. In this session, Martin Klie will talk about how his team operationalized core security principles such as least privilege, guardrails, and temporary credentials to enforce consistent security and compliance across DevOps and IT environments in AWS.
Key Takeaways:
- Security considerations in DevOps -- separation of duties, granular access, and code security
- Key ingredients of the security stack for defense-in-depth protection
- Best practices to enforce regulatory compliance with guardrail
TALK TRACK: We’re going to mentioning a number of topics that are 60-minute discussions in and of themselves (x as code and DevOps; Security ….but what we want to focus are the particular use cases that our customers are using to deal with their real-world problems. So we want to move from more abstract notions of what it means to have secure and compliant software delivery to how our customers are actually using both AWS and 3rd-party tooling within their own
Key here is partner oriented: there are other talks at re:Invent that will take you through the AWS architecture for DevOps and DevSecOps, but Marketplace is significantly interested in how 3rd-party technologies can be super easily assorted and deployed into customers’ cloud environments.
*Can actually poll audience for a quick survey on what they think DevSecOps is and maybe even some domains/tools it covers.*
Key here is partner oriented: there are other talks at re:Invent that will take you through the AWS architecture for DevOps and DevSecOps, but Marketplace is significantly interested in how 3rd-party technologies can be super easily assorted and deployed into customers’ cloud environments.
*Can actually poll audience for a quick survey on what they think DevSecOps is and maybe even some domains/tools it covers.*
TALK TRACK: AWS Marketplace is a curated digital software catalog and simplifies the discovery, purchase, and deployment of third party software. We focus on speed with features like 1-click deployment, flexible pricing terms to provide you with a subscription based, elastic pricing option, and reliability to ensure software solutions in AWS Marketplace are reliable and ready to use on other AWS services.
TALK TRACK: AWS Marketplace provides an extensive selection in software categories like Security, Networking, Storage, Business Intelligence, Database and Analytics, and DevOps with flexible pricing options such as free trial, pay as you go, BYOL, and Seller Private Offers, while having multiple deployment options, helping you to customize software provisioning to fit your security policies, licensing terms, budgetary needs, and more. Helping you to customize and provision software the way you need it.
NOTE TO PRESENTER:
AWS Marketplace provides over 4,200 software solutions from more than 1,400 ISVs and continues to grow and help customers migrate to the cloud. Today, customers are deploying over 570 million hours of EC2 monthly. If you do the math, that’s about 848K hours being deployed just in this hour.
TALK TRACK: The trend and need for a cloud is accelerating. By 2021, it’s expected that 94% of workloads and instances will be processed by cloud data centers vs. traditional data centers, 73% of cloud workloads will be in public cloud, and 75% of cloud workloads will be SaaS. One of the biggest challenges companies run into during this process is finding a way to migrate existing on-premises software applications to the cloud. That’s where AWS Marketplace can help.
TALK TRACK: During this migration process, you’ll find that there are hundreds software solutions you’ll need to fully migrate over to the cloud (alluding to the 500+). Our data and research shows that most companies are honing in on 30-50 important choices from that selection across 12 categories of software. This stems from needing 2-4 ISVs in each category since most of the time, one ISV will not cover everything you need (alluding to the 50 vendors). And because customers don’t know how much usage they’ll need at this point, they rely on a pay as you go pricing terms. As mentioned, this is where AWS Marketplace can help, by providing ISVs with flexible pricing options they can provide to their customer. And of course, everyone relies on the 5 top vendors from the 6 named on this chart. AWS Marketplace manages Microsoft and Oracle offerings, and you can bring SAP, VMWare and IBM or SFDC onto AWS.
TALK TRACK: These are the top 8 categories in which software solutions are most often deployed. AWS Marketplace includes software solutions from key ISVs such as CentOS, Trend Micro, NetApp, Cisco, Adobe, AppDynamics and more. Altogether, there are 35 categories in AWS Marketplace, with multiple deployment types and commerce models.
TALK TRACK: For those that may not be aware – or for those that might need a refresher – AWS employs a shared responsibility model where AWS is responsible for security ‘of the cloud’ and customers are responsible for security ‘in the cloud’.
[Can point to some of the details in the AWS section vs the Customer section]
We strive to make security offerings available to cover the customer’s responsibility through AWS and 3rd-party. Broadridge: And a lot of what we’ll be talking about today is how 3rd-party solutions work with AWS services to provide help cover the needs of our customers. GDIT: A lot of what we’ll be exploring today is how GDIT utilizes a partner offering to cover their needs around continuous compliance and automated remediation of issues that crop up during their [fill in details]
Take this opportunity to remind the audience that we are really just here to prep you for the important stuff: how our customer thinks about compliance and security and how they see third-party technologies adding value to the services that AWS provides.
TALK TRACK: So before we talk about DevSecOps, it’s probably a good idea to take a look at what we mean by DevOps. It’s now very much a cliché that every company is a software company…and this is as true for ‘born in the cloud’ companies as it is for decades-old institutions that need to keep up with the expectations of their customers.
But just because every company is a software company doesn’t mean that every company provides continuously updated (new, improved) experiences for their customers. But for those that need to – or should – DevOps is the way to do this.
DevOps, for those who don’t know the term, refers to the merging of development and operations teams to ensure that new, innovative features have a better chance of being delivered frequently into operating environments that are capable of deploying those applications. Pre-DevOps, you saw a lot of friction between dev teams that favored speed and ops teams that favored stability. In fact, these were seen as incompatible. DevOps, in simplest terms, ensures that applications can be successfully deployed into production environments by automating the testing the infrastructure alongside the application code, and fixing problems before getting to the production stage. So in DevOps we are considering both the application code and the infrastructure code as inextricably linked to produce functional application code on top of supportive infrastructure code.
So here we’ve broken down the different software delivery options… the biggest difference between Waterfall and Agile/DevOps, the shift toward a test-driven approach to development, i.e. testing everything all the time.
The key difference between Agile and DevOps: for Agile, software is developed and released, the agile team doesn't formally care what happens to it. They're on to the next sprint and the next revision of the user story.
DevOps, on the other hand, is all about taking software which is ready for release and deploying it in the safest, most reliable manner possible. DevOps doesn't depend on the software being developed by the agile discipline. It's entirely possible to have waterfall development feeding DevOps
Automation is also a big differentiator
So a huge problem has been addressed between these two teams handling the evolution of software on the one hand and the accessibility of it on the other. You can imagine what happens when we start to think about security and where it belongs.
Look to the audience: Any guesses? Think it’s a good story?
TALK TRACK: So essentially the equation for DevOps looks like this. Note: maybe place automation as an exponent?
Broadridge/GDIT are going to be talking about what automation means to them in their practice.
Typically the big things in automation go something like this, with subtle differences between dev and prod environments:
(Automatically discover what needs to be secured and compliant)
(Automatically detect when something is out of security and compliance policy)
(Automatically remediate what you can).
You can think of automation as spanning the depth and breadth of your IT estate, up the stack and across the business.
Imagine every team has automated how they build and deploy applications, and how they provision, configure and manage the infrastructure they run on.
This is what “always ready to ship” looks like. This is what pervasive/widespread automation delivers.
You may hit a 100 percent, but it’ll back down, go back up, because this is continuous. There’s always something new.
TALK TRACK: How far have we come – or, maybe a better way of stating this – where are we going with automation and things like automated remediation?
How about a bot disguised as a human operator? One that can detect bugs and then write patches to fix them. Now this may be on the far right of the bell curve in terms of automation examples, but…it’s just so cool.
These guys call their bot Repairnator and have successfully tested it by allowing it to compete against human developers to find fixes. “This is a milestone for human-competitiveness in software engineering research on automatic program repair,” they say.
Computer scientists have long known that it is possible to automate the process of writing patches. But it is not clear whether bots can do this work as quickly as humans and to the same quality.
Take a look at this: https://www.theregister.co.uk/2018/10/17/luc_esape_bug_fixer/
Take language from here: https://www.technologyreview.com/s/612336/a-bot-disguised-as-a-human-software-developer-fixes-bugs/
Software writing software….based on ‘intelligent response’.
https://arxiv.org/pdf/1810.05806.pdf
TALK TRACK: Let’s look at the left = delivering the features that are required with corresponding operational integrity. You have entities that have chosen to ’up’ the speed axis and sacrifice stability. Conversely, you can have
Right = delivering code that is secure and compliant. Although you can get security measures baked into compliance standards, it’s important to understand that just because you’re compliant doesn’t necessarily mean you’re secure. And just because you’re secure does not mean you’re compliant. The goal here is to be as secure and as compliant as possible, so that like the figure you have automated processes to ensure both security and compliance in your software development practice.
Security and compliance play different roles, both in your internal and external environments. The right cybersecurity measures protect your information from threats by controlling how that information is used, consumed and provided. Compliance, on the other hand, is a demonstration — a reporting function — of how your security program meets specific security standards as laid out by regulatory organizations.
Key underlying foundation is automation. Automated testing, automated security and compliance checks – many things that fall into the domain of ‘x as code’ – are all the things that makes this possible. Removing the human factor to promote greater accuracy and speed is essential for this to work. Broadridge/GDIT will talk more about this and make it much more concrete.
TALK TRACK: So here is the ultimate DevSecOps picture…”All Apologies” (lower left) to “Smells Like Teen Spirit” (upper right).
TALK TRACK: So what are the algorithm for DevSecOps. As I mentioned, DevOps looks to take application code and the Ops team looks to take infrastructure code in order to ‘synergize’ speed and security (I need to find a way to talk about ‘ideate’ next – it can be done!). Those frontiers have been conquered.
TALK TRACK:
GDIT: Tie back into the GDIT/NGA story and what THEY teach us about speed and security. Can use this to talk specifically to what Brad mentioned --- security can take pre-emininence especially when the stakes are national security (versus my bank who risks personal/financial info - bad, but not catastrophic at a nation-state level, like nuclear codes).
Broadridge: There are just some things that you don’t want to automate because the risk can be high (automating mistakes). Sometimes companies will just want to have the information available in order for a human to figure out what to do. Martin will talk more about this - ‘unfettered automation’ is not part of their standard operating procedure.
Broadridge and GDIT will give us the real view of what actually happens…and while things like automated remediation sound great – and there are growing use cases out there for it – you’ll see that people still matter. There are still things that either only humans can do at this point or customers highly prefer that they have a human being doing it.
Let’s go to the chalkboard….arbitrary time values. Automation = testing/detection and remediation. Manual Inspection – can think of this like people getting involved to make sense of findings before a remediation is executed.
Path A, B, C is first and historically typical and is more closely tied to longer development cycles that are not incorporating optimized DevOps practices nor are they embedding security. (“Same as it ever was” territory). This is like three of your favorite x – come up with witty names/graphics for the various letters.
Path D is the path of cloud-born. They are pushing out updates and feature enhancements and it’s seamless. You – the customer - don’t feel a thing. You’re not getting notifications to update your system. This is what Lyft, Airbnb, Netflix, and yes, Amazon.com are doing.
Path F is the what a lot of our customers are aiming for – those that have run traditional apps on prem, moving to the cloud, and trying to exploit what they can from cloud functionality while maintaining policies aligning with their corporate needs/values (tolerance for risk, etc., included here)
Show how security and compliance needs to be placed back into the early portions of the dev process and automated to keep up with what developers – and ultimately the businesses themselves – need in order to flourish (and some to survive).
Remediation costs increase in direct proportion to how far downstream they travel.
Key underlying foundation is automation. Automated testing, automated security and compliance checks – many things that fall into the domain of ‘x as code’ – are all the things that makes this possible. Removing the human factor to promote greater accuracy and speed is essential for this to work. Broadridge will talk more about this.
IAM for access rights = who gets control
WAF for application security – hardened from dev into production
Logging, etc to get a comprehensive view of security and performance
All of these things are important from a DevSecOps perspective to make sure security and compliance is functioning properly.
TALK TRACK: (high level) But we also need to look at the security that’s being embedded into the application and infrastructure code. We need to get firm control over robustness of the code itself and whether it will ultimately be delivered with low probability of vulnerable components. And it’s better to this early
Let’s take a closer view at a core piece of DevOps, the CI/CD pipeline. This again is one of those topics we could spend an entire session on, but we’re going to give
Pre-Commit: Comprise security activities before code is checked into version control. Here you have things like threat modeling, static application security testing that will look for potential flaws within your code and code reviews.
Commit (Continuous Integration): Fast, automated security checks during the build and continuous integration steps. Here you’ll get into things like…x
Acceptance (Continuous Delivery): Automated security acceptance, functional testing, and deep ‘out-of-band’ scanning during continuous delivery. Here you’ll get into things like…x
Deploy/Production (Continuous Deployment): Security checks before, during and after code is deployed into production.
Throughout this process, you’ll want to make sure
DETAILED:
Precommit
These are the steps before and until a change to software or configuration is checked in to the source code repo. Additional security checks and controls to be added here include the following:
Lightweight, iterative threat modeling and risk assessments
Static analysis (SAST) checking in the engineer’s IDE
Peer code reviews (for defensive coding and security vulnerabilities
Commit Stage (Continuous Integration)
This is automatically triggered by a check in. In this stage, you build and perform basic automated testing of the system. These steps return fast feedback to developers: did this change “break the build”? This stage needs to complete in at most a few minutes. Here are the security checks that you should include in this stage:
Compile and build checks, ensuring that these steps are clean, and that there are no errors or warnings
Software Component Analysis in build, identifying risk in third-party components
Incremental static analysis scanning for bugs and security vulnerabilities
Alerting on high-risk code changes through static analysis checks or tests
Automated unit testing of security functions, with code coverage analysis
Acceptance Stage
This stage is triggered by a successful commit. The latest good commit build is picked up and deployed to an acceptance test environment. Automated acceptance (functional, integration, performance, and security) tests are executed. To minimize the time required, these tests are often fanned out to different test servers and executed in parallel. Following a “fail fast” approach, the more expensive and time-consuming tests are left until as late as possible in the test cycle, so that they are only executed if other tests have already passed.
Security controls and tests in this stage include the following:
Secure, automated configuration management and provisioning of the runtime environment (using tools like Ansible, Chef, Puppet, Salt, and/or Docker). Ensure that the test environment is clean and configured to match production as closely as possible.
Automatically deploy the latest good build from the binary artifact repository.
Smoke tests (including security tests) designed to catch mistakes in configuration or deployment.
Targeted dynamic scanning (DAST).
Automated functional and integration testing of security features.
Automated security attacks, using Gauntlt or other security tools.
Deep static analysis scanning (can be done out of band).
Fuzzing (of APIs, files). This can be done out of band.
Manual pen testing (out of band).
Production Deployment and Post-Deployment
If all of the previous steps and tests pass, the change is ready to be deployed to production, pending manual review/approvals and scheduling (in Continuous Delivery) or automatically (in Continuous Deployment). Additional security checks and controls are needed in production deployment and post-deployment:
Secure, automated configuration management and provisioning of the runtime environment
Automated deployment and release orchestration (authorized, repeatable, and auditable)
Production monitoring/feedback
Runtime defense
Bug bounties
TALK TRACK: ”If you’re a vendor that would like to sell into Marketplace, we would love to talk to you. My whole job centers around providing robust selection for our partners.
So let’s bring this back to the AWS Marketplace. A lot of the pieces that we need to cover in the pipeline can be found and deployed from the marketplace.
SAST = static application security testing
DAST = dynamic application security testing
SCA = software composition analysis
CVA = container vulnerability analysis
RASP = runtime application self-protection
Stress that Dome9 will be featured in Broadridge talk and Chef will be featured in GDIT
(show line curves here: traditional security/compliance vs continuous/early)
Quality
Bug
Defect in a system or a representation of a system that if executed/activated could potentially result in an error (ISO/IEC 15026-1:2013).
Software Defect
A condition in a software product which does not meet a software requirement (as stated in the requirement specifications) or end-user expectations (which may not be specified but are reasonable). In other words, a defect is an error in coding or logic that causes a program to malfunction or to produce incorrect/unexpected results.
Software Fault
An abnormal condition or defect at the component, equipment, or sub-system level which may lead to a failure (ISO 10303-226).
Security
Software Vulnerability
A mistake in software that can be directly used by a hacker to gain access to a system or network (CVE).
Software Weakness
Flaws, faults, bugs, vulnerabilities, and other errors in software implementation, code, design, or architecture that if left unaddressed could result in systems and networks being vulnerable to attack (CWE).
See Qualys case study: https://vimeo.com/237972697 30 minute mark
TALK TRACK: So this is a It’s all about code. Developers have been doing this for a long time…
Development engineering teams have been writing code since the beginning. Modern operations teams are now writing "infrastructure as code" using tools like Chef, Puppet, and Ansible to create and configure cloud infrastructure, on-premise infrastructure, gold images, and network devices.
Security as code takes this approach a step further by converting manual security and compliance steps into automated, repeatable scripts that can be executed inside a CI pipeline. Security tools are quickly evolving to have APIs and command line interfaces to support "security as code" instead of manually configuring a scanner and pressing a button.
Security as Code is about building security into DevOps tools and practices, making it an essential part of the tool chains and workflows. You do this by mapping out how changes to code and infrastructure are made and finding places to add security checks and tests and gates without introducing unnecessary costs or delays.
TALK TRACK: A few things that we’ll see from Broadridgecan the infrastructure code for necessary compliance and security checks before deploying to production.
Complements automated unit and integration testing that are part of the