DevSecOps in Baby Steps
1 like1,292 views
The document discusses adopting a DevSecOps approach to security by starting small with baby steps. It recommends making security part of the development team's job, hardening the development toolchain, planning security-focused epics and user stories, and implementing them in sprints to continuously improve security.
![#RSAC
Reading events in Lambda
exports.handler = function(event,context) {
var snsMsgString = JSON.stringify(event.Records[0].Sns.Message);
var snsMsgObject = getSNSMessageObject(snsMsgString);
var srcBucket = snsMsgObject.Records[0].s3.bucket.name;
var srcKey = snsMsgObject.Records[0].s3.object.key;
...
function getSNSMessageObject(msgString) {
var x = msgString.replace(//g,’’);
var y = x.substring(1,x.length-1);
var z = JSON.parse(y);
return z;
}](https://image.slidesharecdn.com/csv-f03-devsecops-baby-steps-160310130427/85/DevSecOps-in-Baby-Steps-30-320.jpg)
DevSecOps in Baby Steps
- 1. SESSION ID: #RSAC Hart Rossman DevSecOps in Baby Steps CSV-F03 Amazon Web Services Global Practice Manager- Security, Risk, and Compliance @HartDanger
- 2. #RSAC The Journey: Baby Steps to Parkour 2 Getting to DevOps DevOps to DevSecOps Planning your Epics & Sprints Use Cases & Examples
- 3. #RSAC In The Beginning There Was NoOps 3
- 4. #RSAC Security program – Ownership as part of DNA • Promotes culture of “everyone is an owner” for security • Makes security stakeholder in business success • Enables easier and smoother communication Distributed Embedded
- 5. #RSAC Responsibility & Accountability Own it. Govern it. Not my monkeys; not my circus. Operating with Shared Responsibility How do I know? Do I carry a pager for this service? Do I make the rules? Should I be consulted or informed?
- 6. #RSAC Security as code 1. Use the cloud to protect the cloud 2. Security infrastructure should be cloud aware 3. Expose security features as services via API 4. Automate everything so everything scales
- 7. #RSAC Security as code: Innovation, stability, & security Business Development Operations Build it faster Keep it stable Security Protect it
- 8. #RSAC Security as code: A shorter path to the customer Requirements Gathering Release Automated Build and Deploy Some learning Minimal learning Lots of learning
- 9. #RSAC Security as code: Deploying more frequently lowers risk Smaller effort “Minimized risk” Frequent release events: “Agile methodology” Time Change Rare release events: “Waterfall methodology” Larger effort “Increased risk” Time Change
- 10. #RSAC Version Control CI Server Package Builder Commit to Git/master Dev Get / Pull Code Send Build Report to Dev Stop everything if build failed Distributed Builds Run Tests in parallel Code Config Tests Push Config Repo Continuous Integration
- 11. #RSAC Confidence that our code changes will build successfully Increasing velocity of feedback cycle through iterative change Bugs are detected quickly Automated testing reduces size of testing effort Very fast feedback on the things we can test immediately What does CI give us?
- 12. #RSAC Continuous Delivery Version Control CI Server Package Builder Deploy ServerCommit to Git/master Dev Get / Pull Code AMIs Send Build Report to Dev Stop everything if build failed Distributed Builds Run Tests in parallel Staging Env Test Env Code Config Tests Prod Env Push Config Install Create Repo CloudFormation Templates for Env Generate
- 13. #RSAC Automated, repeatable process to push changes to production Hardens, de-risks the deployment process Allows detection of failure as quickly as possible in the build process Supports A/B testing or “We test customer reactions to features in production” Gives us a breadth of data points across our applications What does CD give us?
- 15. #RSAC DevOps Continuous Delivery Technology change that enables culture change DevOps Culture change that enables technology change
- 17. #RSAC DevSecOps: Core Principles 1. Secure the toolchain 2. Armor up the workloads 3. Deploy your security infrastructure through the toolchain
- 18. #RSAC DevOps DevSecOps Version Control CI Server Package Builder Deploy ServerCommit to repoDev Pull Code AMIs Send build report to dev and stop everything if build failed Staging Env Test Env Code Config Tests Prod Env Push Config Install Create Repo AWS CloudFormation templates for Env Generate Security Repository Vulnerability and pen testing •Security Infrastructure tests •Security unit tests in app
- 19. #RSAC CI/CD and automation for security infrastructure Version Control Build/ compile code Dev Unit test app code IT Ops DR Env Test Env Prod Env Dev Env Application Write app code Infrastructure CloudFormation tar, war, zip yum, rpmDeploy app Package application Deploy application only Deploy infrastructure only AMI Build AMIs Validate templates Write infra code Deploy infras Automate deployment Artifact Repository
- 20. #RSAC Building DevSecOps teams • Make DevOps the security team’s job. • No siloed/walled off DevOps teams. • Encourage {security} developers to participate openly in the automation of operations code. • Embolden {security} operations participation in testing and automation of application code. • Take pride in how fast and frequently you deploy.
- 21. #RSAC Planetary Scale from Day 1 Build Security Services Expose features as API Plan for Scale Know your Customers Utilize customer feedback to Iterate Internalize your Metrics, let them guide you
- 22. #RSAC Planning your Epics & Sprints
- 23. #RSAC Security as code: Agile user stories 1. Epics vs. stories An epic is delivered over many sprints; a user story is delivered in one sprint or less. Icebox backlog sprint 2. Product owner The product owner decides the priority of each story, is responsible for accepting the story, and is responsible for defining the detailed requirements and detailed acceptance criteria for the story.
- 24. #RSAC Security as code: Agile user stories 3. Persona (or role) A persona/role is a fictitious user or actor within or of the system. 4. Acceptance criteria What does good look like? How will we know? 5. Summary format Every story should have the same summary format: As a (persona/role) I want (function) so that (benefit).
- 25. #RSAC Security as code: Security Epics Shared Responsibility Model Identity and Access Control Logging and Monitoring Infrastructure Security Data Protection Incident Response & Forensics Configuration and Vulnerability Analysis Big Data and Predictive Analytics
- 26. #RSAC Getting Started: IAM Story: As a IAM administrator I want to continually reduce the scope of access for humans even as our platform grows. Passwords and access keys that have not been used recently might be good candidates for removal. Sprint 1: Get credential reports and flag credentials not used in last 45 days. Other sprint ideas can be found at: http://docs.aws.amazon.com/IAM/latest/UserGuide/best- practices.html
- 27. #RSAC Getting Started: Logging & Monitoring Story: As a security analyst I want to monitor interactions with AWS API so that we can baseline user behavior Sprint 1: Enable AWS CloudTrail globally Story: As a security operations team member I want to take action on AWS CloudWatch alarms so that we respond responsibly Sprint 2: Integrate alerting into security workflow & ticketing
- 28. #RSAC Use Cases & Examples
- 29. #RSAC Building a “Lambda Responder” AWS CloudTrail Amazon S3 Amazon SNS
- 30. #RSAC Reading events in Lambda exports.handler = function(event,context) { var snsMsgString = JSON.stringify(event.Records[0].Sns.Message); var snsMsgObject = getSNSMessageObject(snsMsgString); var srcBucket = snsMsgObject.Records[0].s3.bucket.name; var srcKey = snsMsgObject.Records[0].s3.object.key; ... function getSNSMessageObject(msgString) { var x = msgString.replace(//g,’’); var y = x.substring(1,x.length-1); var z = JSON.parse(y); return z; }
- 31. #RSAC Detecting events in Lambda … var EVENT_SOURCE_TO_TRACK = /cloudtrail.amazonaws.com/; var EVENT_NAME_TO_TRACK = /StopLogging/; var matchingRecords = records .Records .filter(function(record) { return record.eventSource.match(EVENT_SOURCE_TO_TRACK) && record.eventName.match(EVENT_NAME_TO_TRACK); }); …
- 32. #RSAC Responding to events in Lambda ... if (matchingRecords.length >= 1) { console.log('StopLogging detected! Reverting...'); cloudtrail.startLogging(cloudtrailParams, function(err, data) { ...
- 33. #RSAC Responding to events in Lambda
- 34. #RSAC What you do in any IT Environment • Firewall rules • Network ACLs • Network time pointers • Internal and external subnets • NAT rules • Gold OS images • Encryption algorithms for data in transit and at rest http://docs.aws.amazon.com/quickstart/latest/accelerat or-nist/welcome.html Golden Code: Security Translation to AWS AWS JSON translation Gold Image, NTP and NAT Network ACLs, Subnets, FW rules
- 35. #RSAC Security As Code: Using AWS CodeDeploy Imaging instance memory: LiME - https://github.com/504ensicslabs/lime AWS CodeDeploy:
- 36. #RSAC Now What?
- 37. #RSAC “Apply” Slide 37 Make DevOps the security team’s job Harden your toolchain Plan your Security Epics Write your first Security User Story Sprint!