1) Developers prioritize speed and innovation while auditors focus on compliance and predictability. The resolution is adopting tools like Spinnaker that provide traceability in development pipelines to satisfy both groups. 2) Tools like Penguin allow continuous monitoring of application security risks across microservices rather than one-time assessments. 3) Compartmentalization through practices like tokenization and microservices limits the impact of breaches by restricting access on a need-to-know basis.

1. Splitting the Check on
Compliance and Security
Jason Chan
Engineering Director – Cloud Security
@chanjbs

2. 2015 for Developers

3. 2015 for Auditors and Security Teams

4. The Problem

5. Developers:
Incentives
• Speed
• Features
Want
• Freedom to innovate
• New technology
Incentives and Perspectives
Auditors:
Incentives
• Compliance with regulatory
obligations
• Verifiable processes
Want
• Well-known technology
• Predictability and stability

6. The Resolution

7. “You build it, you run it.”
-Werner Vogels, Amazon CTO (June 2006)

8. Who Cares About These Answers?
• When did that code change?
• Who made the change?
• Who logged in to that host?
• What did they do?
• Who pushed that code?
• When was this dependency
introduced?
• Was that build tested before
deployment?
• What were the test results?
?

9. Before
Developers and Auditors
After
AuditorDev
Auditor
Dev

10. How Do We Get There?

11. Two Approaches to Compliance

12. Pillars for Effective, Efficient, and
Flexible Compliance

13. The Pillars
1. Traceability in development
2. Continuous security visibility
3. Compartmentalization

14. Discussion Format

15. Traceability in Development

16. Common Audit Requirements for
Software Development
• Review changes.
• Track changes.
• Test changes.
• Deploy only approved code.
• For all actions:
• Who did it?
• When?

17. Spinnaker for Continuous Deployment
• Customizable development
pipelines (workflows)
• Based on team
requirements
• Single interface to entire
deployment process
• Answers who, what, when,
and why
• For developers and
auditors
Auditor
Dev

18. Spinnaker: Compliance-Relevant Features
• Integrated access to development artifacts
• Pull requests, test results, build artifacts, etc.
• Push authorization
• Restricted deployment windows (time, region)
• Deployment notifications

19. Spinnaker: App-Centric View & Multistage Pipeline
Multiple deployment stagesAutomated
Manual
Failed test, do not proceed
Application-specific components
Link to build (Jenkins CI),
code changes (Stash)

20. Automated Canary Analysis
Canary test score
Link to details
Result

21. Manual Approval (Optional)

22. Restricted Deployment Window (Optional)

23. Restricted Deployment Window (Optional)

24. Deployment Notification (Optional)

25. Spinnaker vs. Manual Deployments
• Deployment is independent of languages and other
underlying technology.
• Java, Python, Linux, Windows…
• Multiple stages of automated testing.
• Integration, security, functional, production canary.
• Fully traceable pipeline.
• Changes and change drivers are fully visible.
• All artifacts and test results available.

26. Control Mapping
Control Description
PCI 6.3.2 Perform code reviews prior to release.
PCI 6.4.5 Test changes to verify no adverse security impact.
COBIT BAI03.08 Execute solution testing.

27. Continuous Security Visibility

28. Issues with Application Security Risk Management
• Spreadsheets and surveys!
• Human driven.
• Presuppose managed
intake.
• One-time vs. continuous.

30. Penguin Shortbread – Automated Risk Analysis for
Microservice Architectures
• Analyze microservice
connectivity.
• Passively monitor app and
cloud configuration.
• Develop risk scoring based
on observations.

31. Application Risk Metric
Metric summary
Metric algorithm
Scoring

32. Application Risk Rollup
Metrics
Risk metrics by region/environment

33. Control Mapping
Control Description
PCI 1.2.1 Restrict traffic to that which is necessary.
PCI 12.2 Implement a risk-assessment process.
APO 12.03 Maintain a risk profile.

34. Compartmentalization

35. Compartmentalization
Resilience: Limit blast radius Confidentiality: Need to know

36. User Payments
application
Payment
processors
and
partners
Encrypted credit
card database
Name Encrypted CC
John Doe XXXXXXXXXX
HSM
Monolithic Card Processing in the Data Center
Sign up/change CC
Store/retrieve CC
Real-time/batch
auth
Tax, analytics,
fraud, etc.
Web server

37. Microservices and Tokenization in AWS
CloudHSM
Payment
application
Token
service
Token db
Token Encrypted CC
abc123 XXXXXXXXXXCrypto
proxy
Name Token
John Doe abc123
Payments db
Token vault
User
Sign up/change CC
Web server

38. Control Mapping
Control Description
PCI 2.2 Implement one primary function per server.
DSS05.02 Manage network and connectivity security.
DSS05.03 Manage endpoint security.

39. Wrapping Up!
• Limit investments in
approaches that meet
narrow regulatory needs.
• Embrace core security
design and operational
principles.
• Focus on tools and
techniques that serve
multiple audiences. Auditor
Dev

40. Thank you!
@chanjbs - chan@netflix.com