
DevSecOps: Key Controls for Modern Security Success


In this updated SlideShare, Principal Security Engineer Eric Johnson shows engineers, developers and application security professionals how to start conversations on implementing security into the DevOps workflow.

You’ll learn about:

1) Cloud and DevSecOps Practices
2) Pre-Commit: The Paved Road
3) Commit: CI / CD Security Controls
4) Acceptance: Supply Chain Security
5) Operations: Continuous Security Compliance

For questions, please contact our team at sales [at] pumascan [dot] com.

Thanks for taking time to further your understanding of DevSecOps!

Published in: Technology

  1. DevSecOps: Key Controls For Modern Security Success (DevOps Days Des Moines, 05/02/2019). © 2019 Puma Security, LLC | All Rights Reserved
  2. $WHOAMI
     Principal Security Engineer, Puma Security.
     Coder: static analysis engine, cloud automation, security tools.
     Security assessments: DevSecOps, cloud, source code, web apps, mobile apps.
     Principal Instructor: DevSecOps Curriculum Manager and SANS Principal Instructor; contributing author of SEC540, DEV544, and DEV531.
     Education and training: Iowa State M.S. Information Assurance, B.S. Computer Engineering; AWS Certified Developer; CISSP, GSSP, GWAPT.
     Contact information: Email eric.johnson@pumascan.com, Twitter @emjohn20, LinkedIn linkedin.com/in/eric-m-johnson
  3. Agenda: Keys for Modern Security Success
     - Cloud & DevSecOps Practices
     - Pre-Commit: The Paved Road
     - Commit: CI / CD Security Controls
     - Acceptance: Supply Chain Security
     - Operations: Continuous Security Compliance
  4. What are the goals and principles in DevSecOps? (SecDevOps / DevSecOps / DevOpsSec / Rugged DevOps)
     01 Make security a first-class problem in DevOps
     02 Make security a first-class participant in DevOps
     03 Increase trust between dev, ops, and sec
     04 Integrate security practices and ideas into DevOps culture
     05 Wire security into DevOps workflows to incrementally improve security
  5. Secure Cloud & DevOps Practices | sans.org/u/OGx: Cloud Security Top 10; Serverless Security Top 10; DevSecOps Toolchain; Building a DevSecOps Program
  6. Cloud & DevSecOps Security Controls, by pipeline phase
     - Pre-Commit: Threat Modeling, IDE Security Plugins, Pre-Commit Hooks, Peer Code Reviews
     - Commit (CI): Static Code Analysis, Security Unit Tests, Container Security, Dependency Management, Infrastructure as Code
     - Acceptance: Cloud Infrastructure, Dynamic Security Tests, Security Acceptance Tests, Security Smoke Tests
     - Production: Secrets Management, Security Configuration, Server Hardening
     - Operations: Blameless Postmortems, Continuous Monitoring, Penetration Testing, Threat Intelligence
  7. Pre-Commit: The Paved Road
  8. Build The Paved Road (Pre-Commit)
     Dev, Sec, and Ops teams build secure-by-default frameworks, libraries, and services. Popularized by Netflix ("Gates to Guardrails").
     - Operations: automated pipelines build, certify, and publish cloud infrastructure / machine images
     - Development: secure templates for web, API, front-end, and serverless projects
     - Security: automated security pipeline scans, unit tests, acceptance tests, production assertions
  9. Operations Paved Road
     Network, cloud, and Infrastructure as Code templates for quickly provisioning certified environments for the development team to use:
     - Cloud network infrastructure
     - Virtual machine gold images
     - Container gold base images
     - Managing Functions as a Service (FaaS)
     - Network hardware devices
     - API gateway appliances for microservices
  10. Operations Paved Road Example
     AWS CloudFormation infrastructure paved road example; the slide annotates each property with the control it implements (gold image, least privilege, admin access, network configuration, supply chain security):

         LaunchConfiguration:
           Type: AWS::AutoScaling::LaunchConfiguration
           Metadata:                                   # contents collapsed on the slide
           Properties:
             ImageId: !FindInMap [ AWSRegionToAMI, !Ref "AWS::Region", AMI ]   # Gold Image
             IamInstanceProfile: !Ref InstanceProfile  # Least privilege
             KeyName: "devsecops"                      # Admin Access
             SecurityGroups:                           # Network configuration
               - !Ref SecurityGroup
             UserData:                                 # Supply chain security
               "Fn::Base64": !Sub |
                 #!/bin/bash
                 yum update -y
  11. Development Paved Road
     Templates covering approved technology stacks (Node.js, Django, Spring Boot, .NET Core, Ruby on Rails, Functions, etc.) with protection for common application security issues and misconfigurations:
     - Include common libraries for data validation, logging, encoding, etc.
     - Secrets management storage
     - Secure transport configuration (HTTPS)
     - Enable authentication / authorization
     - Configure password management / single sign-on
  12. Development Paved Road Example
     .NET Core paved road example with security protections pre-configured (password configuration, authorization, HTTPS, security headers):

         using Microsoft.AspNetCore.Authorization;
         using Microsoft.AspNetCore.Builder;
         using Microsoft.AspNetCore.Hosting;
         using Microsoft.AspNetCore.Identity;
         using Microsoft.AspNetCore.Mvc.Authorization;
         using Microsoft.AspNetCore.Rewrite;
         using Microsoft.Extensions.DependencyInjection;

         public void ConfigureServices(IServiceCollection services)
         {
             services.Configure<IdentityOptions>(options =>   // Password configuration
             {
                 options.Password.RequiredLength = 15;
                 options.Lockout.MaxFailedAccessAttempts = 5;
             });
             services.AddMvc(options =>                       // Authorization: every endpoint needs an authenticated user
             {
                 options.Filters.Add(new AuthorizeFilter(new AuthorizationPolicyBuilder()
                     .RequireAuthenticatedUser().Build()));
             });
         }

         public void Configure(IApplicationBuilder app, IHostingEnvironment env)
         {
             app.UseRewriter(new RewriteOptions().AddRedirectToHttps());   // HTTPS: redirect plain HTTP
             app.AddSecurityHeaders();                                     // Security headers (template's extension method)
         }
  13. Commit: CI / CD Security Controls
  14. Continuous Integration & Delivery Security Controls (Commit / CI)
     Integrate tools to automate build, test, acceptance, and deployment of infrastructure, cloud, and applications into a repeatable workflow.
  15. CI / CD Security Controls: Version Control
     Merging new features requires approval from peers and the security team prior to triggering the build pipeline. The slide shows a merge request that tightens the load balancer listener's TLS policy (CloudFormation, lines 116-123):

           LoadBalancerArn: !Ref LoadBalancer
           Port: !Ref HttpsPort
           Protocol: HTTPS
         - SslPolicy: ELBSecurityPolicy-TLS-1-0-2015-04
         + SslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01
           Certificates:
             - CertificateArn: !Ref CertificateArn
           DefaultActions:
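     Review bot: the replacement policy ELBSecurityPolicy-TLS-1-2-2017-01 negotiates TLS 1.2 only, whereas the removed ELBSecurityPolicy-TLS-1-0-2015-04 still accepted TLS 1.0 and 1.1 clients; before approving, confirm from the load balancer's access logs that no clients still depend on the older protocol versions, and note that the listener's certificate and port settings are unchanged by this request.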
  16. CI / CD Security Controls: Acceptance Testing
     An approved merge request triggers automated unit tests, security scans, audit reports, and fast feedback.
  17. CI / CD Security Controls: Audit Reports
     Build pipelines contain artifacts from security scans and compliance checks.
  18. Acceptance: Supply Chain Security
  19. Supply Chain Security
     Serious vulnerabilities can be inherited from open source libraries, Docker images, infrastructure templates, and serverless functions:
     - Identify external dependencies
     - Check against public vulnerability database(s)
     - Integrate supply chain security scanning into CI/CD
     - Run tools to automatically scan the code base / images
     - Carefully review content before usage
     WARNING: Some tools may not check transitive dependencies.
  20. Supply Chain Security: Application Scanning Tools (Dependency Management, Acceptance)
     - OWASP Dependency Check (Java, .NET, Ruby, Python): https://www.owasp.org/index.php/OWASP_Dependency_Check
     - npm audit / Retire.JS (Node.js): https://retirejs.github.io/retire.js/ and https://docs.npmjs.com/cli/audit
     - bundler-audit (Ruby): https://github.com/rubysec/bundler-audit
     - PHP Security Checker: https://security.sensiolabs.org/
  21. Supply Chain Security: Application Scanning Example
     OWASP Dependency Check scan and vulnerability report in a Jenkins CI pipeline.
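     As an added example (not from the slides or from any tool listed above), a small CI gate in Python that consumes `npm audit --json` output and fails the build on high or critical findings, flagging transitive dependencies separately; it assumes the npm 7+ report shape and uses a constructed sample report.

```python
"""CI gate over `npm audit --json` (added example, not from the slides).
Assumes the npm 7+ report shape: `vulnerabilities` maps a package name
to an entry with `severity` and `isDirect` (False = transitive)."""
import json
import sys

BLOCKING = ("high", "critical")   # severities that fail the build

# Constructed sample report: one direct and two transitive findings.
SAMPLE_REPORT = json.dumps({"vulnerabilities": {
    "lodash":   {"name": "lodash",   "severity": "high",     "isDirect": True},
    "minimist": {"name": "minimist", "severity": "critical", "isDirect": False},
    "debug":    {"name": "debug",    "severity": "low",      "isDirect": False},
}})


def findings(report_json):
    """Return [(package, severity, is_direct)] sorted worst-first."""
    order = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}
    entries = json.loads(report_json).get("vulnerabilities", {}).values()
    rows = [(e["name"], e["severity"], bool(e.get("isDirect", False)))
            for e in entries]
    return sorted(rows, key=lambda r: (order.get(r[1], 9), r[0]))


def gate(report_json, blocking=BLOCKING, accepted=()):
    """Return (passed, build-log lines).

    `accepted` names packages whose finding was reviewed and accepted;
    any other package at a blocking severity fails the build, whether
    it is a direct or a transitive dependency."""
    log, failed = [], False
    for pkg, sev, direct in findings(report_json):
        origin = "direct" if direct else "transitive"
        if sev in blocking and pkg not in accepted:
            failed = True
            log.append(f"BLOCK {sev:<8} {pkg} ({origin})")
        else:
            log.append(f"note  {sev:<8} {pkg} ({origin})")
    log.append("FAIL supply-chain gate" if failed else "PASS supply-chain gate")
    return (not failed), log


if __name__ == "__main__":
    # Pipe `npm audit --json` into the script; otherwise the sample runs.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    ok, lines = gate(data)
    print("\n".join(lines))
    sys.exit(0 if ok else 1)
```

     Run it as a pipeline step (`npm audit --json | python gate.py`) so the non-zero exit code blocks the merge until the finding is fixed or explicitly accepted.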
  22. Supply Chain Security: Container Image Scanning Tools (Container Security, Acceptance)
     - Anchore: https://anchore.com/opensource/
     - Clair: https://github.com/coreos/clair
     - Actuary: https://github.com/diogomonica/actuary
     - Falco: https://github.com/draios/falco
  23. Supply Chain Security: Container Image Scanning Example
     Invoking an Anchore image scan and capturing vulnerability data in a Jenkins CI pipeline.
  24. Supply Chain Security: Hardened Infrastructure Templates (Infrastructure as Code, Acceptance)
     Hardened infrastructure templates can be used as references:
     - DevSec Hardening Templates: automated hardening framework using Puppet, Chef, Ansible; covers Linux, Windows, SSH, Docker, K8S, Apache, Nginx; https://github.com/dev-sec
     - System Integrity Management Platform (SIMP): hardened Puppet infrastructure configuration and testing; NIST 800-53, DISA STIG, FIPS 140-2 RHEL & CentOS templates; https://github.com/simp/
  25. Supply Chain Security: FaaS Dependency Management
     Managing function dependencies in AWS Lambda can be achieved using Layers:
     - Build pipelines remove third-party libraries from deployment packages
     - CloudOps manages centralized layers containing approved third-party libraries
     - Third-party vendors are leveraging Layers to further harden function runtime environments: PureSec FunctionShield, Twistlock Defender
  26. Operations: Continuous Security Compliance
  27. Continuous Security Compliance (Production)
     Leveraging security configuration tools to automate audit and compliance checks:
     - Test the server and infrastructure configuration against the expected baseline and report any deviations
     - Tests should include severity, risk level, and description information
     - Match tests against compliance checklist items or regulatory policies
     - Automated testing tools are available for Linux, Unix, Windows, AWS, Azure and VMware
  28. Continuous Security Compliance: Security Compliance / Acceptance Testing Tools (Security Configuration, Production)
     - InSpec: https://github.com/inspec/inspec
     - Cloud Custodian (AWS, GCP, Azure): https://github.com/cloud-custodian/cloud-custodian
     - OpenSCAP: https://github.com/OpenSCAP
     - Scout Suite (AWS, GCP, Azure): https://github.com/nccgroup/ScoutSuite
     - AWS Benchmark Scanner: https://github.com/awslabs/aws-security-benchmark
  29. Continuous Security Compliance: InSpec Docker Scan
     Running InSpec against a running Docker container:

         $ docker run -it --rm -v $(pwd):/share chef/inspec exec baseline -t docker://container_id

     Example InSpec output results from the Linux baseline profile:

         ✅ os-01: Trusted hosts login
            ✅ Command find / -name '.rhosts' stdout should be empty
            ✅ Command find / -name 'hosts.equiv' stdout should be empty
         X  os-02: Check owner and permissions for /etc/shadow (1 failed)
            ✅ File /etc/shadow should exist
            ✅ File /etc/shadow should be file
            ✅ File /etc/shadow should be owned by "root"
            ✅ File /etc/shadow should not be executable
            X  File /etc/shadow group should eq nil
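     As an added example (not from the slides, and not InSpec itself), a minimal baseline test runner in Python that models the os-02 control above: each control carries an id, impact and description as the compliance slide asks, is checked against a snapshot of file metadata, and reports the deviations; the snapshot and the second control (ex-01) are constructed.

```python
"""Baseline configuration test runner (added example; not from the slides
and not InSpec). Each control has an id, impact and description, as the
Continuous Security Compliance slide asks, and is checked against a file
snapshot. The snapshot is constructed; a real run fills it from os.stat()."""
import stat

# Constructed snapshot: mode bits, owner/group names, existence.
SNAPSHOT = {
    "/etc/shadow": {"exists": True, "mode": 0o100640, "owner": "root", "group": "shadow"},
    "/etc/passwd": {"exists": True, "mode": 0o100644, "owner": "root", "group": "root"},
}

# Controls modelled on the os-02 output above; expected group None
# reproduces the slide's 'group should eq nil'. ex-01 is constructed.
BASELINE = [
    {"id": "os-02", "impact": 1.0, "path": "/etc/shadow",
     "desc": "Check owner and permissions for /etc/shadow",
     "expect": {"owner": "root", "group": None, "executable": False}},
    {"id": "ex-01", "impact": 0.5, "path": "/etc/passwd",
     "desc": "Check owner and permissions for /etc/passwd",
     "expect": {"owner": "root", "group": "root", "executable": False}},
]


def file_checks(f, expect):
    """Return (description, passed) for each sub-test of one control."""
    checks = [("should exist", f["exists"]),
              ("should be file", f["exists"] and stat.S_ISREG(f["mode"]))]
    if "owner" in expect:
        checks.append((f'should be owned by "{expect["owner"]}"',
                       f["owner"] == expect["owner"]))
    if expect.get("executable") is False:
        checks.append(("should not be executable", not f["mode"] & 0o111))
    if "group" in expect:
        checks.append((f'group should eq {expect["group"]!r}',
                       f["group"] == expect["group"]))
    return checks


def run_baseline(snapshot, baseline=BASELINE):
    """Run every control; return InSpec-like result records."""
    missing = {"exists": False, "mode": 0, "owner": None, "group": None}
    results = []
    for c in baseline:
        subs = file_checks(snapshot.get(c["path"], missing), c["expect"])
        failed = [d for d, ok in subs if not ok]
        results.append({"id": c["id"], "impact": c["impact"],
                        "description": c["desc"],
                        "status": "failed" if failed else "passed",
                        "failures": failed})
    return results
```

     The records carry the impact and description alongside each failure, which is what a pipeline needs to rank deviations and map them to checklist items.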
  30. Continuous Security Compliance: Jenkins InSpec Integration
     Exporting InSpec results to JUnit format and integrating with Jenkins CI.
  31. Continuous Security Compliance: AWS CIS Benchmark Scan
     Running the AWS CIS Benchmark scan via AWS Config rules.
  32. Summary: Keys for Modern Security Success
     - Cloud & DevSecOps Practices
     - Pre-Commit: The Paved Road
     - Commit: CI / CD Security Controls
     - Acceptance: Supply Chain Security
     - Operations: Continuous Security Compliance
     Thank you for attending! Contact information: E | eric.johnson@pumascan.com, @emjohn20
