The document outlines key controls and practices for integrating security into DevOps through DevSecOps, emphasizing cloud security and continuous compliance. It discusses various phases such as pre-commit practices, CI/CD security controls, and supply chain security management. Additionally, it highlights tools and techniques for automated security assessments and managing dependencies across development and operational workflows.

1. © 2019 Puma Security, LLC | All Rights Reserved
DEVOPS DAYS DES MOINES
DevSecOps
Key Controls For Modern Security Success
05/02/2019

2. © 2019 Puma Security, LLC | All Rights Reserved
Principal Security Engineer,
Puma Security
Coder
Static analysis engine, cloud
automation, security tools
Security Assessments
DevSecOps, cloud, source
code, web apps, mobile apps
Principal Instructor
DevSecOps Curriculum Manager
SANS Principal
Instructor
Contributing author of
SEC540, DEV544, and
DEV531
Education and Training
Iowa State M.S.
Information Assurance,
B.S. Computer
Engineering
AWS Certified Developer
CISSP, GSSP, GWAPT
Contact Information
Email:
eric.johnson@pumascan.com
Twitter: @emjohn20
LinkedIn: linkedin.com/in/
eric-m-johnson
@
$WHOAMI

3. © 2019 Puma Security, LLC | All Rights Reserved
KEYS FOR MODERN SECURITY
SUCCESS
Cloud & DevSecOps
Practices
Pre-Commit:
The Paved Road
Commit:
CI / CD Security Controls
Acceptance:
Supply Chain Security
Operations:
Continuous Security Compliance
Agenda

4. © 2019 Puma Security, LLC | All Rights Reserved
WHAT ARE THE GOALS AND
PRINCIPLES IN DEVSECOPS?
Make security a first-
class problem in
DevOps
Make security a first-class
participant in DevOps
Increase trust
between dev, ops,
and sec
Integrate security
practices and ideas into
DevOps culture
Wire security into
DevOps workflows to
incrementally improve
security
01
02 04
03 05
SecDevOps / DevSecOps / DevOpsSec / Rugged DevOps

5. © 2019 Puma Security, LLC | All Rights Reserved
Secure Cloud & DevOps Practices | sans.org/u/OGx
Cloud
Security Top
10
Serverless
Security Top
10
DevSecOps
Toolchain
Building a
DevSecOps
Program

6. © 2019 Puma Security, LLC | All Rights Reserved
PRE-COMMIT
Threat Modeling
IDE Security Plugins
Pre-Commit Hooks
Peer Code Reviews
COMMIT (CI) ACCEPTANCE PRODUCTION OPERATIONS
Static Code Analysis
Security Unit Tests
Container Security
Dependency Management
Infrastructure as Code
Cloud Infrastructure
Dynamic Security Tests
Security Acceptance Tests
Security Smoke Tests
Secrets Management
Security Configuration
Server Hardening
Blameless Postmortems
Continuous Monitoring
Penetration Testing
Threat Intelligence
Cloud & DevSecOps Security Controls

7. © 2019 Puma Security, LLC | All Rights Reserved
Pre-Commit:
The Paved Road

8. © 2019 Puma Security, LLC | All Rights Reserved
Dev, Sec, and Ops teams build secure by default
frameworks, libraries, and services
Popularized by Netflix "Gates
to Guardrails"
Operations: Automated
pipelines build, certify, and
publish cloud infrastructure /
machine images
Development: Secure templates
for Web, APIs, front-end,
serverless projects
Security: Automated security
pipeline scans, unit tests,
acceptance tests, production
assertions
Build The Paved Road
PRE-COMMIT

9. © 2019 Puma Security, LLC | All Rights Reserved
Network, Cloud, Infrastructure as Code templates for quickly
provisioning certified environments for the development team to use:
Cloud
network
infrastructure
Virtual
machine
gold
images
Container
gold base
images
Managing
Functions as
a Service
(FaaS)
Network
hardware
devices
Opera&ons Paved Road
API gateway
appliances
for
microservices

10. © 2019 Puma Security, LLC | All Rights Reserved
AWS CloudFormation infrastructure paved road example:
1
2
3
4
5
6
7
8
9
10
11
12
13
{ }
LaunchConfiguration:
Type: AWS::AutoScaling::LaunchConfiguration
Metadata:
Properties:
ImageId: !FindInMap [ AWSRegionToAMI, !Ref "AWS::Region", AMI ]
IamInstanceProfile: !Ref InstanceProfile
KeyName: "devsecops"
SecurityGroups:
- !Ref SecurityGroup
UserData:
"Fn::Base64": !Sub |
#!/bin/bash
yum update -y
{ Gold Image }
{ Least privilege }
{ Admin Access }
{ Network configuration }
{ Supply chain security }
Operations Paved Road Example

11. © 2019 Puma Security, LLC | All Rights Reserved
Templates covering approved technology stacks with protection for
common application security issues and misconfigurations:
Include common
libraries for data
validaHon,
logging,
encoding, etc.
Node.js, Django,
Spring Boot, .NET
Core, Ruby Rails,
Functions, etc.
Secrets
management
storage
Secure transport
configuration
(HTTPS)
Enable
authentication /
authorization
Configure
password
management /
single sign on
Development Paved Road

12. © 2019 Puma Security, LLC | All Rights Reserved
.NET Core paved road example w/ security
protecGons pre-configured:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
{ }
public void ConfigureServices(IServiceCollection services)
{
services.Configure<IdentityOptions>(options => {
options.Password.RequiredLength = 15;
options.Lockout.MaxFailedAccessAttempts = 5; }
services.AddMvc(options =>
{
options.Filters.Add(new AuthorizeFilter(new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser().Build())); });
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
app.UseRewriter(new RewriteOptions().AddRedirectToHttps());
app.AddSecurityHeaders();
{ Password Configuration }
{ Authorization}
{ HTTPS }
{ Security Headers}
Development Paved Road Example

13. © 2019 Puma Security, LLC | All Rights Reserved
CI / CD Security Controls
Commit:

14. © 2019 Puma Security, LLC | All Rights Reserved
Integrate tools to
automate build, test,
acceptance, and
deployment of
infrastructure, cloud,
and applications into a
repeatable workflow
Continuous Integration & Delivery Security Controls
COMMIT (CI)

15. © 2019 Puma Security, LLC | All Rights Reserved
Merging new features requires approval from peers and
security team prior to triggering the build pipeline:
116
117
118
119
120
121
122
123
{ }
LoadBalanceArn: !Ref Load Balancer
Port: !Ref HttpsPort
Protocol: HTTPS
SslPolicy: ELBSecurityPolicy-TLS-1-0-2015-04
SslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01
Certificates:
- CertificateArn !Ref CertificateArn
DefaultActions:
CI / CD Security Controls: Version Control

16. © 2019 Puma Security, LLC | All Rights Reserved
Approved merge
request triggers
automated unit tests,
security scans, audit
reports, and fast
feedback
CI / CD Security Controls: Acceptance Tes7ng

17. © 2019 Puma Security, LLC | All Rights Reserved
Build pipelines contain
artifacts from security
scans and compliance
checks
CI / CD Security Controls: Audit Reports

18. © 2019 Puma Security, LLC | All Rights Reserved
Supply Chain Security
Acceptance:

19. © 2019 Puma Security, LLC | All Rights Reserved
Serious vulnerabilities can be inherited from open source libraries,
docker images, infrastructure templates, and serverless functions:
WARNING:
Some tools may
not check
transitive
dependencies
Carefully review
content before
usage
Run tools to
automatically
the scan code
base / images
Identify external
dependencies
Check against
public
vulnerability
database(s)
Integrate supply
chain security
scanning into
CI/CD
Supply Chain Security

20. © 2019 Puma Security, LLC | All Rights Reserved
OWASP Dependency Check (Java, .NET, Ruby, Python)
- h?ps://www.owasp.org/index.php/OWASP_Dependency_Check
NPM Audit / Retire.JS (NodeJS)
- https://retirejs.github.io/retire.js/
- https://docs.npmjs.com/cli/audit
Bundler-Audit (Ruby)
- https://github.com/rubysec/bundler-audit
PHP Security Checker
- https://security.sensiolabs.org/
DEPENDENCY
MANAGEMENT
Supply Chain Security: Application Scanning Tools
ACCEPTANCE

21. © 2019 Puma Security, LLC | All Rights Reserved
OWASP Dependency
Check scan and
vulnerability report in
a Jenkins CI pipeline
Supply Chain Security: Application Scanning Example

22. © 2019 Puma Security, LLC | All Rights Reserved
Anchore
- https://anchore.com/opensource/
Clair
- https://github.com/coreos/clair
Actuary
- https://github.com/diogomonica/actuary
Falco
- https://github.com/draios/falco
Supply Chain Security: Container Image Scanning Tools
CONTAINER
SECURITY
ACCEPTANCE

23. © 2019 Puma Security, LLC | All Rights Reserved
Invoking an Anchore
image scan and
capturing vulnerability
data in a Jenkins CI
pipeline
Supply Chain Security: Container Image Scanning Example

24. © 2019 Puma Security, LLC | All Rights Reserved
DevSec Hardening Templates
- Automated hardening framework using Puppet, Chef, Ansible
- Linux, Windows, SSH, Docker, K8S, Apache, Nginx
- https://github.com/dev-sec
Hardened infrastructure templates
can be used as references
Supply Chain Security: Hardened Infrastructure Templates
INFRASTRUCTURE
AS CODE
System Integrity Management Platform(SIMP)
- Hardened Puppet infrastructure configuration and testing
- NIST 800-53, DISA STIG, FIPS 140-2 RHEL & CentOS templates
- https://github.com/simp/
{ } ACCEPTANCE

25. © 2019 Puma Security, LLC | All Rights Reserved
Managing function
dependencies in AWS Lambda
can be achieved using Layers:
Buildpipelines
removethird-party
librariesfrom
deployment
packages
CloudOpsmanages
centralizedlayers
containingapproved
third-partylibraries
Third-partyvendorsare
leveragingLayerstofurther
hardenfunctionruntime
environments:
PureSecFunctionShield
TwistlockDefender
Supply Chain Security: FaaS Dependency Management

26. © 2019 Puma Security, LLC | All Rights Reserved
Opera&ons:
Continuous Security Compliance

27. © 2019 Puma Security, LLC | All Rights Reserved
Leveraging security configuration tools to
automate audit and compliance checks:
Test the server and
infrastructure
configuration against
expected baseline and
report any deviations
Tests should include
severity, risk level, and
description information
Match tests against
compliance checklist
items or regulatory
policies
Automated testing tools
available for Linux,
Unix, Windows, AWS,
Azure and VMWare
Con9nuous Security Compliance
PRODUCTION

28. © 2019 Puma Security, LLC | All Rights Reserved
SECURITY
CONFIGURATION
InSpec
- https://github.com/inspec/inspec
Cloud Custodian (AWS, GCP, Azure)
- https://github.com/cloud-custodian/cloud-custodian
OpenSCAP
- https://github.com/OpenSCAP
Security compliance / acceptance testing tools:
Scout Suite (AWS, GCP, Azure)
- https://github.com/nccgroup/ScoutSuite
AWS Benchmark Scanner
https://github.com/awslabs/aws-security-benchmark
Supply Chain Security: Application Scanning Tools
PRODUCTION

29. © 2019 Puma Security, LLC | All Rights Reserved
Running InSpec against a
running Docker container:
1
2
{ }
$ docker run -it --rm -v $(pwd):/share chef/inspec exec baseline -t
docker://container_id
Example InSpec output results from
the Linux baseline profile:{ }
1
2
3
4
5
6
7
8
9
✅ os-01: Trusted hosts login
✅‍ Command find / -name '.rhosts' stdout should be empty
✅ Command find / -name 'hosts.equiv' stdout should be empty
X os-02: Check owner and permissions for /etc/shadow (1 failed)
✅ File /etc/shadow should exist
✅ File /etc/shadow should be file
✅ File /etc/shadow should be owned by "root"
✅ File /etc/shadow should not be executable
X File /etc/shadow group should eq nil
Continuous Security Compliance: InSpec Docker Scan

30. © 2019 Puma Security, LLC | All Rights Reserved
Exporting InSpec
results to JUnit format
and integrating with
Jenkins CI
Continuous Security Compliance: Jenkins InSpec Integration

31. © 2019 Puma Security, LLC | All Rights Reserved
Running the AWS CIS
Benchmark scan via
AWS Config rules
Continuous Security Compliance: AWS CIS Benchmark Scan

32. © 2019 Puma Security, LLC | All Rights Reserved
Thank you for attending!
Keys for Modern Security Success
Contact Information:
E | eric.johnson@pumascan.com
ü Cloud & DevSecOps Practices
ü Pre-Commit: The Paved Road
ü Commit: CI / CD Security
Controls
ü Acceptance: Supply Chain
Security
ü Operations: Continuous
Security Compliance
SUMMARY
@emjohn20