Ahmed Abugharbia Securing Cloud DevOps Cycle AWS Community Day Midwest 2023

2. Securing our Cloud DevOps Cycle
Ahmed Abugharbia
Security Practitioner and SANS Instructor

3. 3
$whoami
• CDW:
→ Security, Incident Handling, DevOps/DevSecOps
and Cloud technologies
• Instructor, SANS Institute
→ Teaching SEC540 and SEC534
• Based in Chicago
• Contact information
→ Email: ahmed.abugharbia@gmail.com
→ Linkedin: https://www.linkedin.com/in/ahmadabugharbieh/
→ Website: https://cyberdojo.cloud
• Ahmed Abugharbia

4.  DevOps
 DevOps Tools
 DevSecOps and Cloud Security
 Demo
Agenda
4

5. • DevOps combines Development and
Operations
• Requires a different culture
• Requires many tools
• Requires different skills
• How is that related to Cloud Security?
5
DevOps – Introduction

6. • No manual changes in Cloud
• Infrastructure as Code
• Cloudformation, Terraform
• Configuration as Code
• Ansible, Chef, Puppet
• Containers
• Dockerfile
• Application
• Java, Python, C++, etc
• Documentation
• Terraform-docs -> Readme.md
• Tests
• Unit tests, integration tests, security test
• Deployment Scripts
• Jenkins Groovy, YAML
6
DevOps – Everything as Code

7. 7
DevOps – Tools
Engineers and AI
are producing code
Code is stored and
managed in SCM
An orchestrator Manages
the deployment pipelines
External Secret Managers
can be used
Cloud infrastructure is
built/updated
Question:
How can Jenkins access
the cloud?

8. • Can run in a containerized environment
• BuildSpec is written in YAML
• Can receive parameters as inputs
• Stages
• Manages and runs needed commands and
scripts
• Pipelines are attached to SCM
repositories
• Monitor for changes in a specific branch.
Mostly main
8
DevOps – AWS CodePipelines

9. DevOps – AWS CodePipelines
9

10. • The VS Code supports many security plugins, a few
examples:
• Semgrep/DevSkim/Puma Scan
• Checkov/CFN Nag
• SonarLint/ESLint
• Hadolint
• InSpec
• Open Policy Agent
• Allows engineers to detect security issues as
they are being created
• Plugins require the original tools to be installed
on the dev station
• It might be a good practice to create a
“development environment"
10
DevSecOps – IDE Security Plugins

11. • Static Analysis tools scan flat files for
security issues
• We must consider the technology stack
• Security tools must be:
• Fast
• Able to run headless
• Able to generate an automation-friendly output
• JSON, JUNIT, XML, etc.
• Tools:
• Cfn_nag
• Terrasec
• Hadolint
• Semgrep
• Owasp Dependency-Check
11
DevSecOps – Static Code Analysis

12. • Scan running applications
• Interact with the applications
• GNU vs Headless
• Time consuming
• Resources hungry
• Special skills are needed
• Many options out there
• SQLMap
• OWASP ZAP
• BURP Suite
• Arachni
12
DevSecOps – Dynamic Security Testing

13. • Store secrets encrypted
• Secrets can be:
• Passwords, Private keys, certificates, API
Keys, Configuration
• Jenkins has a “Credentials Plugin”
• Many free Open-Source options
• Vault OSS, Conjur OSS
• Cloud Providers have their own
implementations
• AWS KMS, AWS SSM Parameter Store,
Azure Key Vault
• Can be a target for attackers
13
DevSecOps – Secrets Management

14. • Cloud Providers offer many services for
monitoring, detection and response
• CloudWatch can be used to detect certain
events
• AWS Lambdas can be used to respond to a
certain detection
• There are free open-source solutions out
there
• Cloud Custodian
• We can design out own
• Can all be designed as Infrastructure as Code
14
DevSecOps – Continuous Monitoring

15. Thank you!