資安問題牽涉到的層面太過廣範，從線上系統一路到辦公室門禁都被包含在其中 DevOps 的 CAMS 精神其實剛剛好可以跟資安融合在一起，從 Configuration Management, Infrastructure as Code 到最近很紅的 ChatOps 都可以用來幫助加強資安，此分享從大企業與新創一路跌跌撞撞所學以致用的血淚經驗

1. DevOps: Security 干我何事？

2. HELLO!
I am smalltown
AMIS Site Reliability Engineer
Taipei HashiCorp User Group Organizer
AWS User Group Taiwan Staff

3. HUG
http://bit.ly/taipei-hug

4. Workshop
Infrastructure as Code
Terraform ❤ AWS EKS

5. “
Do You Think Security is
Important in Software
Development?

6. “
Everything Goes Well With
Waterfall Model

7. “
Agile Model Made Software
Delivery Faster and Faster

8. “
It’s Impossible to Test After
Done of Development

9. DevOps Power By
Testing
Ref

10. “
Security Also Encounter
The Same Problem

11. DevOps Power By
Security
Security
Thank for
Coming Today

12. Three Elements of
DevSecOps
OperationDeveloper
Information
Security
Security factor into
release pipeline
Unite developers,
security and operation
Increase Visibility

13. Outline
⊡ Security Gene in Development
⊡ Secret Management
⊡ Infrastructure As Must Be Code
⊡ System Management
⊡ C.A.S. C.A.M.S.

14. Security Gene in
Development
1

15. “
Penetration Testing Need
to be Fast and Seamless
with Development Process

16. Penetration Test in
Traditional Way
⊡ When new service online, performing
penetration testing By...
□ Information Security Department
□ Third Party Penetration Service
⊡ But … Agile development teams focus on
producing code Not Enhance Security

17. Penetration Testing
in Development
⊡ Static application security testing (SAST)
⊡ Runtime application self-protection (RASP)
Ref

18. Penetration Testing
in Development
⊡ Dynamic application security testing (DAST)
⊡ Interactive application security testing (IAST)
Ref

19. “
A Chain is Only as Strong
as Its Weakest Link

20. “
Penetration Test Need
Include Both Human and
System

21. Penetration Test for
Human
⊡ Although written tests/inform orally is not
avoid
⊡ But the exercise make things well imprinted
on human’s brain.
⊡ After all, practice makes perfect

22. Penetration Test for
Human
⊡ Don’t Need Strong Knowledge/Skill
⊡ All you need to do is …
□ Leverage Human’s Greedy/Fear
□ Get the organization member contact info
□ Automatic send mail/sms mechanism
□ Host Fake website to collect feedback (e.g.
CredSniper, SET)

23. “
Trust Me, The Result Will
Make Your Jaw Drop

24. Secret Management
2

25. “
Have You Rotated Production
Database Account/Password
Recently?

26. Rotate Credentials
⊡ The database credentials will be rotated
when…
□ Database migration
□ External auditing
⊡ Only if the rotate mechanism is implemented
at first, then it truly happens

27. HashiCorp Vault
⊡ Secures, stores, and tightly controls access to
tokens, passwords, certificates, API keys
⊡ Handles leasing, key revocation, key rolling,
and auditing

28. Authentication
⊡ Vault provide various auth method
□ Tokens, AppRole
□ AWS, Azure, Google Cloud
□ LDAP, GitHub
□ ...etc

29. Authorization
⊡ Vault store credentials like key/value
database, e.g.
□ /secret/stag/database/admin
□ /secret/prod/database/admin
⊡ Hence, predefined policy grant appropriate
permission, e.g.
path "secret/stag/database/admin" {
capabilities = ["read"]
}

30. Dynamic Credentials
⊡ Vault support many secret backend
□ AWS, Azure, GCP, Database...etc
⊡ Take database for example, you could
generate dynamic database credentials
$ vault read database/creds/my-role
Key Value
--- -----
lease_duration 1h
password 8cab931c-d62e-a73d-60d3-5ee85139cd66
username v-root-e2978cd0-

31. Infrastructure As Must Be
Code
3

32. “Network Misconfigurations
Are Major Source Of
Reliability and Security
Issues
In a report summarizing the findings of 124 penetration tests,
security firm Rapid7 found that more than two-thirds of sites
were vulnerable because of a misconfiguration
Ref

33. “
Why So Many Important
Internal Server Can Be
Accessed Publicly?!

34. Keep Server Private
Private Network
- Kubernetes
- Database
- NAT Gateway
- ...
Public Network
- Load Balancer
- Linux Gateway
- ...
- Non-Employee: Only access product service through
load balancer
- Employee: Access server through VPN/Bastion
- Don’t forgot to enable WAF

35. “
In Fact, Not Only Network Related
Configuration, Every Program
Misconfiguration Makes Issues

36. Infrastructure As
Code
⊡ There are so many benefits when adopting
IaC
□ Save time & Avoid human error
□ Code review & Knowledge transfer easily
□ Testing (kitchen, terratest...etc)

37. Infrastructure As
Code
⊡ There are many tools which can achieve IaC
⊡ Servers:
□ Ansible, Chef, Puppet, SaltStack...etc
⊡ Cloud Providers:
□ Terraform, AWS CloudFormation, Azure
Resource Manager, GCP Deployment
Manager...etc

38. System Management
4

39. 9 Key Point
⊡ Authentication (Later)
⊡ Authorization (Later)
⊡ Secret Management (HashiCorp Vault)
⊡ Don’t Share Account
⊡ Least Privilege Policy
⊡ Log Everything
⊡ Manage and Record Privileged Activity (Later)
⊡ Alert and Notify of Suspicious Activity (Later)
⊡ Identity Centralize and Unify

40. Authentication for
Human
⊡ Adopt Password Manager to avoid credential
stuffing attacks
⊡ Must Enable 2FA: What-you-know,
What-you-have and What-you-are (2 out of
the 3 types)

41. “
A: I Need Sudo Permission for
Production Deployment Tomorrow

42. Manage and Record
Privileged Activity
⊡ The traditional way maybe…
□ File a ticket
□ Wait the ticket assign
□ Information collection
□ Approved by someone
□ Wait for operator change permission
□ Confirm you really get the permission
□ Start the task
□ Remove the permission by operator

44. “
How About Achieving This
Efficiently Through ChatBot!

45. Using Chatbot

46. Using ChatBot

47. “Get All Security Information and
Auditing Function Ready, No Matter
From Cloud Provider or Third-Party
Solution

48. Alert and Notify of
Suspicious Activity
⊡ Only having enough data, then the security
checks and monitoring can happen
⊡ Setup basic rule set to monitor abnormal
behavior
⊡ Using AI to train the rule set

49. “
How do You Patch Vulnerability?

50. Patch Vulnerability
Actively

51. “
More Secure CI/CD Flow - GitOps

52. GitOps
WebHook GitOps
Push
Push
Push
Push
Like Agent
Pulling
More Network Settings, Credentials

53. C.A.S. C.A.M.S.
5

54. DevOps Core Value

55. Culture
⊡ Except information security department,
everyone should have security knowledge

56. Automate
⊡ Penetration test integrate with release
pipeline
⊡ Iac avoid misconfiguration
⊡ Secret management rotate credentials
⊡ Chatbot
⊡ ...

57. Measure
⊡ Continuous security testing measure how
your service health
⊡ Rich system log measure how your system
safe

58. Share
⊡ Internal sharing makes vulnerability can be
excluded
⊡ External sharing make new patch
implemented quickly, incident decrease

59. THANKS!
Any questions?
You can find me at
facebook.com/smalltown0110