
DevSecOps: Key Controls to Modern Security Success

Cloud & DevSecOps Practices
Pre-Commit: The Paved Road
Commit: CI / CD Security Controls
Acceptance: Supply Chain Security
Operations: Continuous Security Compliance


  1. 3/27/2019. DevSecOps: Key Controls For Modern Security Success. Eastern Iowa Security Conference. © 2019 Puma Security, LLC | All Rights Reserved
  2. $WHOAMI
     • Principal Security Engineer, Puma Security
       – Coder: static analysis engine, cloud automation, security tools
       – Security assessments: DevSecOps, cloud, source code, web apps, mobile apps
     • DevSecOps Curriculum Manager, SANS Institute
       – SANS Certified Instructor
       – Contributing author of SEC540, DEV544, and DEV531
     • Education & Training
       – Iowa State M.S. Information Assurance, B.S. Computer Engineering
       – AWS Certified Developer, CISSP, GSSP, GWAPT
     • Contact information
       – Email: eric.johnson@pumascan.com
       – Twitter: @emjohn20
  3. Agenda: Keys for Modern Security Success
     1. Cloud & DevSecOps Practices
     2. Pre-Commit: The Paved Road
     3. Commit: CI / CD Security Controls
     4. Acceptance: Supply Chain Security
     5. Operations: Continuous Security Compliance
  4. What are the goals and principles in DevSecOps? (SecDevOps / DevSecOps / DevOpsSec / Rugged DevOps)
     • Make security a first-class problem in DevOps
     • Make security a first-class participant in DevOps
     • Increase trust between dev, ops, and sec
     • Integrate security practices and ideas into DevOps culture
     • Wire security into DevOps workflows to incrementally improve security
  5. Secure Cloud & DevOps Practices (https://www.sans.org/u/OGx)
     • Cloud Security Top 10
     • Serverless Security Top 10
     • DevSecOps Toolchain
     • Building a DevSecOps Program
  6. Cloud & DevSecOps Security Controls
     Cloud & DevOps Critical Security Controls, shown on the slide as a matrix of the pipeline phases (Pre-Commit, Commit (CI), Acceptance, Production, Operations) over the cloud infrastructure. Controls on the slide: IDE security plugins, pre-commit hooks, peer code reviews, threat modeling, static code analysis, security unit tests, dependency management, container security, infrastructure as code, security acceptance tests, dynamic security tests, security smoke tests, secrets management, security configuration, server hardening, continuous monitoring, penetration testing, threat intelligence, blameless postmortems.
  7. #1 Pre-Commit: The Paved Road
  8. Build The Paved Road (PRE-COMMIT)
     Dev, Sec, and Ops teams build secure-by-default frameworks, libraries, and services, an approach popularized by Netflix as "Gates to Guardrails":
     • Operations: Automated pipelines build, certify, and publish cloud infrastructure / machine images
     • Development: Secure templates for Web, APIs, front-end, serverless projects
     • Security: Automated security pipeline scans, unit tests, acceptance tests, production assertions
  9. Operations Paved Road
     Network, Cloud, and Infrastructure as Code templates for quickly provisioning certified environments for the development team to use:
     • On-premise or cloud hosted virtual machine gold images
     • On-premise or cloud hosted container gold images
     • Provisioning cloud network infrastructure
     • Deploying API gateway appliances for microservices
     • Managing Functions as a Service (FaaS)
  10. Operations Paved Road Example
     AWS CloudFormation infrastructure paved road example. The slide's callouts (gold image, least privilege, admin access, network configuration, supply chain security) are reproduced as comments next to the property each one points at; the empty Metadata key shown on the slide is omitted so the fragment stays valid:

         LaunchConfiguration:
           Type: AWS::AutoScaling::LaunchConfiguration
           Properties:
             # Gold image: the certified AMI, looked up per region from a mapping
             ImageId: !FindInMap [ AWSRegionToAMI, !Ref "AWS::Region", AMI ]
             # Least privilege: instance role scoped to what the workload needs
             IamInstanceProfile: !Ref InstanceProfile
             # Admin access: SSH key pair used for administrative access
             KeyName: "devsecops"
             # Network configuration: security group controlling ingress / egress
             SecurityGroups:
               - !Ref SecurityGroup
             # Supply chain security: apply OS package updates on first boot
             UserData:
               "Fn::Base64": !Sub |
                 #!/bin/bash
                 yum update -y
  11. Development Paved Road
     Templates covering approved technology stacks with protection for common application security issues and misconfigurations:
     • Node.js, Django, Spring Boot, .NET Core, Ruby on Rails, Functions, etc.
     • Secrets management storage
     • Secure transport configuration (HTTPS)
     • Enable authentication / authorization
     • Configure password management / single sign-on
     • Include common libraries for data validation, logging, encoding, etc.
  12. Development Paved Road Example
     .NET Core paved road example with security protections pre-configured (password policy and lockout, authorization required by default, HTTPS redirect and security headers). The closing `);` of the Configure<IdentityOptions> call is missing on the slide and is restored here:

         using Microsoft.AspNetCore.Authorization;
         using Microsoft.AspNetCore.Builder;
         using Microsoft.AspNetCore.Hosting;
         using Microsoft.AspNetCore.Identity;
         using Microsoft.AspNetCore.Mvc.Authorization;
         using Microsoft.AspNetCore.Rewrite;
         using Microsoft.Extensions.DependencyInjection;

         public void ConfigureServices(IServiceCollection services)
         {
             // Password configuration: minimum length and account lockout threshold
             services.Configure<IdentityOptions>(options =>
             {
                 options.Password.RequiredLength = 15;
                 options.Lockout.MaxFailedAccessAttempts = 5;
             });

             // Authorization: every MVC endpoint requires an authenticated user unless it opts out with [AllowAnonymous]
             services.AddMvc(options =>
             {
                 options.Filters.Add(new AuthorizeFilter(new AuthorizationPolicyBuilder()
                     .RequireAuthenticatedUser().Build()));
             });
         }

         public void Configure(IApplicationBuilder app, IHostingEnvironment env)
         {
             // HTTPS: redirect plain HTTP requests to HTTPS
             app.UseRewriter(new RewriteOptions().AddRedirectToHttps());
             // Security headers: AddSecurityHeaders is not part of ASP.NET Core; it is the template's own (or a third-party) extension method
             app.AddSecurityHeaders();
         }
  13. #2 Commit: CI / CD Security Controls
  14. Continuous Integration & Delivery Security Controls (COMMIT (CI))
     • Integrate tools to automate build, test, acceptance, and deployment of infrastructure, cloud, and applications into a repeatable workflow.
  15. CI / CD Security Controls: Version Control
     • Merging new features requires approval from peers and the security team before the build pipeline is triggered.
  16. CI / CD Security Controls: Acceptance Testing
     • An approved merge request triggers automated unit tests, security scans, audit reports, and fast feedback.
  17. CI / CD Security Controls: Audit Reports
     • Build pipelines retain artifacts from security scans and compliance checks.
  18. #3 Acceptance: Supply Chain Security
  19. Supply Chain Security
     Serious vulnerabilities can be inherited from open source libraries, Docker images, infrastructure templates, and serverless functions:
     • Carefully review content before usage
     • Run tools that automatically scan the code base / images
     • Identify external dependencies
     • Check them against public vulnerability database(s)
     • Integrate supply chain security scanning into CI/CD
     • WARNING: Some tools may not check transitive dependencies, so a clean report for direct dependencies does not mean the full tree is clean
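The dependency-inventory and vulnerability-lookup steps above, with the transitive-dependency warning built in, as an added example (my code, not from the slides or from any of the scanners listed later): a Python script that walks a constructed package-lock.json style tree, flags every package, direct or transitive, whose version falls inside a constructed advisory range, and returns a non-zero CI exit code at or above a severity threshold. The lockfile, package names, advisory IDs and version ranges are all made up for illustration; a real pipeline would take the lockfile from the checkout and the advisories from a public vulnerability database.

```python
"""Walk a package-lock.json-style dependency tree (including transitive
dependencies) and check every resolved package@version against an advisory
list. All sample data below is constructed for illustration."""
import json
import sys

# Constructed lockfile excerpt in the package-lock.json v1 shape: each package
# may nest its own "dependencies". Names and versions are illustrative only.
SAMPLE_LOCKFILE = json.dumps({
    "name": "paved-road-web",
    "dependencies": {
        "web-framework": {
            "version": "4.2.0",
            "dependencies": {
                "template-engine": {
                    "version": "1.0.3",
                    "dependencies": {
                        "deep-merge-helper": {"version": "0.9.1"}
                    }
                }
            }
        },
        "logger": {"version": "2.1.0"}
    }
})

# Constructed advisory list standing in for a public vulnerability database:
# a package is affected when its version is below the "below" boundary.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "deep-merge-helper", "below": "1.0.0", "severity": "high"},
    {"id": "EXAMPLE-0002", "package": "logger", "below": "2.0.0", "severity": "moderate"},
]

SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}


def parse_version(version):
    """Turn '1.2.3' into a comparable tuple (1, 2, 3)."""
    return tuple(int(part) for part in version.split("."))


def walk(deps, path=()):
    """Yield (name, version, path) for every package, direct or transitive."""
    for name, info in sorted(deps.items()):
        here = path + (name,)
        yield name, info["version"], here
        yield from walk(info.get("dependencies", {}), here)


def find_vulnerable(lockfile_text, advisories):
    """Return one finding per (package, advisory) match anywhere in the tree."""
    lock = json.loads(lockfile_text)
    findings = []
    for name, version, path in walk(lock.get("dependencies", {})):
        for adv in advisories:
            if adv["package"] == name and parse_version(version) < parse_version(adv["below"]):
                findings.append({
                    "id": adv["id"], "package": name, "version": version,
                    "severity": adv["severity"],
                    "transitive": len(path) > 1,       # depth > 1 means pulled in indirectly
                    "path": " > ".join(path),
                })
    return findings


def gate(findings, fail_at="high"):
    """CI exit code: 1 when any finding is at or above the severity threshold."""
    threshold = SEVERITY_RANK[fail_at]
    return 1 if any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings) else 0


if __name__ == "__main__":
    found = find_vulnerable(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES)
    for f in found:
        kind = "transitive" if f["transitive"] else "direct"
        print(f"{f['severity'].upper():8} {f['id']} {f['package']}@{f['version']} ({kind}: {f['path']})")
    sys.exit(gate(found))
```

With the constructed data the only hit is deep-merge-helper 0.9.1, three levels down the tree; a scanner that stops at direct dependencies would report the project clean, which is exactly the failure mode the warning on the slide describes.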
  20. Supply Chain Security: Application Scanning Tools (DEPENDENCY MANAGEMENT, ACCEPTANCE)
     • OWASP Dependency Check (Java, .NET, Ruby, Python)
       – https://www.owasp.org/index.php/OWASP_Dependency_Check
     • Bundler-Audit (Ruby)
       – https://github.com/rubysec/bundler-audit
     • npm audit / Retire.js (Node.js)
       – https://retirejs.github.io/retire.js/
       – https://docs.npmjs.com/cli/audit
     • PHP Security Checker
       – https://security.sensiolabs.org/
  21. Supply Chain Security: Application Scanning Example
     • OWASP Dependency Check scan and vulnerability report in a Jenkins CI pipeline (shown as a screenshot on the slide).
  22. Supply Chain Security: Container Image Scanning Tools (CONTAINER SECURITY, ACCEPTANCE)
     Open source container security tools:
     • Anchore – https://anchore.com/opensource/
     • Actuary – https://github.com/diogomonica/actuary
     • Clair – https://github.com/coreos/clair
     • Falco – https://github.com/draios/falco (a runtime behavioural monitor rather than an image scanner; it complements the image scanners above)
  23. Supply Chain Security: Container Image Scanning Example
     • Invoking an Anchore image scan and capturing vulnerability data in a Jenkins CI pipeline (shown as a screenshot on the slide).
  24. Supply Chain Security: Hardened Infrastructure Templates (INFRASTRUCTURE AS CODE, ACCEPTANCE)
     Hardened infrastructure templates can be used as references:
     • DevSec Hardening Templates
       – Automated hardening framework using Puppet, Chef, Ansible
       – Linux, Windows, SSH, Docker, K8S, Apache, Nginx
       – https://github.com/dev-sec
     • System Integrity Management Platform (SIMP)
       – Hardened Puppet infrastructure configuration and testing
       – NIST 800-53, DISA STIG, FIPS 140-2 RHEL & CentOS templates
       – https://github.com/simp/
  25. Supply Chain Security: FaaS Dependency Management
     Managing function dependencies in AWS Lambda can be achieved using Layers (the slide diagrams a Lambda function stacked on its Layers inside the execution environment):
     • Build pipelines remove third-party libraries from deployment packages
     • CloudOps manages centralized layers containing approved third-party libraries
     • Third-party vendors are leveraging Layers to further harden function runtime environments:
       – PureSec FunctionShield
       – Twistlock Defender
  26. #4 Operations: Continuous Security Compliance
  27. Continuous Security Compliance (PRODUCTION)
     Leveraging security configuration tools to automate audit and compliance checks:
     • Test the server and infrastructure configuration against the expected baseline and report any deviations
     • Tests should include severity, risk level, and description information
     • Match tests against compliance checklist items or regulatory policies
     • Automated testing tools are available for Linux, Unix, Windows, AWS, Azure and VMware
  28. Continuous Security Compliance: Tools (SECURITY CONFIGURATION, PRODUCTION)
     Security compliance / acceptance testing tools:
     • InSpec – https://github.com/inspec/inspec
     • OpenSCAP – https://github.com/OpenSCAP
     • Cloud Custodian (AWS, GCP, Azure) – https://github.com/cloud-custodian/cloud-custodian
     • ScoutSuite (AWS, GCP, Azure) – https://github.com/nccgroup/ScoutSuite
     • AWS Benchmark Scanner – https://github.com/awslabs/aws-security-benchmark
  29. Continuous Security Compliance: InSpec Docker Scan
     Running InSpec against a running Docker container. InSpec itself runs from the chef/inspec image with the current directory mounted at /share so the profile is visible; because the docker:// transport talks to the Docker daemon, the daemon socket (/var/run/docker.sock) also has to be mounted into the InSpec container for the command below to reach the target:

         $ docker run -it --rm -v $(pwd):/share chef/inspec exec baseline -t docker://container_id

     Example InSpec output from the Linux baseline profile (one failing test marks the whole control as failed):

         ✔ os-01: Trusted hosts login
           ✔ Command find / -name '.rhosts' stdout should be empty
           ✔ Command find / -name 'hosts.equiv' stdout should be empty
         ✖ os-02: Check owner and permissions for /etc/shadow (1 failed)
           ✔ File /etc/shadow should exist
           ✔ File /etc/shadow should be file
           ✔ File /etc/shadow should be owned by "root"
           ✔ File /etc/shadow should not be executable
           ✖ File /etc/shadow group should eq nil
  30. Continuous Security Compliance: Jenkins InSpec Integration
     • Exporting InSpec results to JUnit format and integrating with Jenkins CI (shown as a screenshot on the slide).
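An added example of the export-and-gate step (my code, not the slides' and not part of InSpec): read an InSpec JSON report, as produced by `inspec exec ... --reporter json`, roll each control's individual test results up to a control status, fail the build when a control at or above an impact threshold fails, and write JUnit XML that Jenkins can archive. The report is constructed to mirror the os-01 / os-02 output on the InSpec Docker scan slide; the os-05 control and its skip message are made up, and the "expected nil / got shadow" message is illustrative.

```python
"""Evaluate an InSpec JSON report in CI: per-control status, an impact-based
build gate, and JUnit XML output. SAMPLE_REPORT is constructed for illustration
and follows the shape of `inspec exec <profile> --reporter json`."""
import json
import xml.etree.ElementTree as ET

# Constructed report: os-01 / os-02 mirror the slide's output, os-05 is made up.
SAMPLE_REPORT = json.dumps({
    "profiles": [{
        "name": "linux-baseline",
        "controls": [
            {"id": "os-01", "title": "Trusted hosts login", "impact": 1.0,
             "results": [
                 {"status": "passed", "code_desc": "Command find / -name '.rhosts' stdout should be empty"},
                 {"status": "passed", "code_desc": "Command find / -name 'hosts.equiv' stdout should be empty"}]},
            {"id": "os-02", "title": "Check owner and permissions for /etc/shadow", "impact": 1.0,
             "results": [
                 {"status": "passed", "code_desc": "File /etc/shadow should exist"},
                 {"status": "passed", "code_desc": "File /etc/shadow should be owned by \"root\""},
                 {"status": "failed", "code_desc": "File /etc/shadow group should eq nil",
                  "message": "\nexpected: nil\n     got: \"shadow\"\n"}]},
            {"id": "os-05", "title": "Check login.defs", "impact": 0.3,
             "results": [{"status": "skipped", "code_desc": "login.defs", "skip_message": "not applicable"}]},
        ]}],
    "statistics": {"duration": 1.2},
    "version": "4.x",
})


def control_status(control):
    """A control fails if any test failed; it is skipped only if every test was skipped."""
    statuses = {r["status"] for r in control["results"]}
    if "failed" in statuses:
        return "failed"
    if statuses == {"skipped"}:
        return "skipped"
    return "passed"


def summarize(report_text):
    """Flatten the report into one row per control with its rolled-up status."""
    report = json.loads(report_text)
    rows = []
    for profile in report["profiles"]:
        for c in profile["controls"]:
            rows.append({
                "profile": profile["name"], "id": c["id"], "title": c["title"],
                "impact": c["impact"], "status": control_status(c),
                "failures": [r for r in c["results"] if r["status"] == "failed"],
            })
    return rows


def gate(rows, min_impact=0.7):
    """CI exit code: 1 when any control with impact >= min_impact failed."""
    return 1 if any(r["status"] == "failed" and r["impact"] >= min_impact for r in rows) else 0


def to_junit(rows):
    """Render the rows as JUnit XML, one <testcase> per control."""
    suite = ET.Element("testsuite", name="inspec",
                       tests=str(len(rows)),
                       failures=str(sum(r["status"] == "failed" for r in rows)),
                       skipped=str(sum(r["status"] == "skipped" for r in rows)))
    for r in rows:
        case = ET.SubElement(suite, "testcase", classname=r["profile"], name=f"{r['id']} {r['title']}")
        if r["status"] == "failed":
            failure = ET.SubElement(case, "failure", message=f"impact {r['impact']}")
            failure.text = "\n".join(f"{f['code_desc']}{f.get('message', '')}" for f in r["failures"])
        elif r["status"] == "skipped":
            ET.SubElement(case, "skipped")
    return ET.tostring(suite, encoding="unicode")


if __name__ == "__main__":
    import sys
    rows = summarize(SAMPLE_REPORT)
    for r in rows:
        print(f"{r['status']:8} impact={r['impact']:.1f} {r['id']}: {r['title']}")
    with open("inspec-junit.xml", "w") as fh:      # archive this with the Jenkins JUnit plugin
        fh.write(to_junit(rows))
    sys.exit(gate(rows))
```

InSpec's own `--reporter junit` can write the JUnit file directly; what the reporter does not do is decide whether the build should fail, and the impact threshold in `gate` is the part a pipeline needs to add so that a low-impact finding produces a warning while os-02 (impact 1.0) breaks the build.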
  31. Continuous Security Compliance: AWS CIS Benchmark Scan
     • Running the AWS CIS Benchmark scan via AWS Config rules (shown as a screenshot on the slide).
  32. Summary: Keys for Modern Security Success
     1. Cloud & DevSecOps Practices
     2. Pre-Commit: The Paved Road
     3. Commit: CI / CD Security Controls
     4. Acceptance: Supply Chain Security
     5. Operations: Continuous Security Compliance
     Thank you for attending! Contact information:
     • eric.johnson@pumascan.com
     • @emjohn20
     Puma Security, LLC | 2019
