DevSecOps: Key Controls for Modern Security Success
6 likes1,595 views
The document outlines key controls and practices for integrating security into DevOps through DevSecOps, emphasizing cloud security and continuous compliance. It discusses various phases such as pre-commit practices, CI/CD security controls, and supply chain security management. Additionally, it highlights tools and techniques for automated security assessments and managing dependencies across development and operational workflows.
![© 2019 Puma Security, LLC | All Rights Reserved
AWS CloudFormation infrastructure paved road example:
1
2
3
4
5
6
7
8
9
10
11
12
13
{ }
LaunchConfiguration:
Type: AWS::AutoScaling::LaunchConfiguration
Metadata:
Properties:
ImageId: !FindInMap [ AWSRegionToAMI, !Ref "AWS::Region", AMI ]
IamInstanceProfile: !Ref InstanceProfile
KeyName: "devsecops"
SecurityGroups:
- !Ref SecurityGroup
UserData:
"Fn::Base64": !Sub |
#!/bin/bash
yum update -y
{ Gold Image }
{ Least privilege }
{ Admin Access }
{ Network configuration }
{ Supply chain security }
Operations Paved Road Example](https://image.slidesharecdn.com/pumasecurity-keystomodernsecuritysuccess-190502142432/85/DevSecOps-Key-Controls-for-Modern-Security-Success-10-320.jpg)
DevSecOps: Key Controls for Modern Security Success
- 1. © 2019 Puma Security, LLC | All Rights Reserved DEVOPS DAYS DES MOINES DevSecOps Key Controls For Modern Security Success 05/02/2019
- 2. © 2019 Puma Security, LLC | All Rights Reserved Principal Security Engineer, Puma Security Coder Static analysis engine, cloud automation, security tools Security Assessments DevSecOps, cloud, source code, web apps, mobile apps Principal Instructor DevSecOps Curriculum Manager SANS Principal Instructor Contributing author of SEC540, DEV544, and DEV531 Education and Training Iowa State M.S. Information Assurance, B.S. Computer Engineering AWS Certified Developer CISSP, GSSP, GWAPT Contact Information Email: eric.johnson@pumascan.com Twitter: @emjohn20 LinkedIn: linkedin.com/in/ eric-m-johnson @ $WHOAMI
- 3. © 2019 Puma Security, LLC | All Rights Reserved KEYS FOR MODERN SECURITY SUCCESS Cloud & DevSecOps Practices Pre-Commit: The Paved Road Commit: CI / CD Security Controls Acceptance: Supply Chain Security Operations: Continuous Security Compliance Agenda
- 4. © 2019 Puma Security, LLC | All Rights Reserved WHAT ARE THE GOALS AND PRINCIPLES IN DEVSECOPS? Make security a first- class problem in DevOps Make security a first-class participant in DevOps Increase trust between dev, ops, and sec Integrate security practices and ideas into DevOps culture Wire security into DevOps workflows to incrementally improve security 01 02 04 03 05 SecDevOps / DevSecOps / DevOpsSec / Rugged DevOps
- 5. © 2019 Puma Security, LLC | All Rights Reserved Secure Cloud & DevOps Practices | sans.org/u/OGx Cloud Security Top 10 Serverless Security Top 10 DevSecOps Toolchain Building a DevSecOps Program
- 6. © 2019 Puma Security, LLC | All Rights Reserved PRE-COMMIT Threat Modeling IDE Security Plugins Pre-Commit Hooks Peer Code Reviews COMMIT (CI) ACCEPTANCE PRODUCTION OPERATIONS Static Code Analysis Security Unit Tests Container Security Dependency Management Infrastructure as Code Cloud Infrastructure Dynamic Security Tests Security Acceptance Tests Security Smoke Tests Secrets Management Security Configuration Server Hardening Blameless Postmortems Continuous Monitoring Penetration Testing Threat Intelligence Cloud & DevSecOps Security Controls
- 7. © 2019 Puma Security, LLC | All Rights Reserved Pre-Commit: The Paved Road
- 8. © 2019 Puma Security, LLC | All Rights Reserved Dev, Sec, and Ops teams build secure by default frameworks, libraries, and services Popularized by Netflix "Gates to Guardrails" Operations: Automated pipelines build, certify, and publish cloud infrastructure / machine images Development: Secure templates for Web, APIs, front-end, serverless projects Security: Automated security pipeline scans, unit tests, acceptance tests, production assertions Build The Paved Road PRE-COMMIT
- 9. © 2019 Puma Security, LLC | All Rights Reserved Network, Cloud, Infrastructure as Code templates for quickly provisioning certified environments for the development team to use: Cloud network infrastructure Virtual machine gold images Container gold base images Managing Functions as a Service (FaaS) Network hardware devices Opera&ons Paved Road API gateway appliances for microservices
- 10. © 2019 Puma Security, LLC | All Rights Reserved AWS CloudFormation infrastructure paved road example: 1 2 3 4 5 6 7 8 9 10 11 12 13 { } LaunchConfiguration: Type: AWS::AutoScaling::LaunchConfiguration Metadata: Properties: ImageId: !FindInMap [ AWSRegionToAMI, !Ref "AWS::Region", AMI ] IamInstanceProfile: !Ref InstanceProfile KeyName: "devsecops" SecurityGroups: - !Ref SecurityGroup UserData: "Fn::Base64": !Sub | #!/bin/bash yum update -y { Gold Image } { Least privilege } { Admin Access } { Network configuration } { Supply chain security } Operations Paved Road Example
- 11. © 2019 Puma Security, LLC | All Rights Reserved Templates covering approved technology stacks with protection for common application security issues and misconfigurations: Include common libraries for data validaHon, logging, encoding, etc. Node.js, Django, Spring Boot, .NET Core, Ruby Rails, Functions, etc. Secrets management storage Secure transport configuration (HTTPS) Enable authentication / authorization Configure password management / single sign on Development Paved Road
- 12. © 2019 Puma Security, LLC | All Rights Reserved .NET Core paved road example w/ security protecGons pre-configured: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 { } public void ConfigureServices(IServiceCollection services) { services.Configure<IdentityOptions>(options => { options.Password.RequiredLength = 15; options.Lockout.MaxFailedAccessAttempts = 5; } services.AddMvc(options => { options.Filters.Add(new AuthorizeFilter(new AuthorizationPolicyBuilder() .RequireAuthenticatedUser().Build())); }); } public void Configure(IApplicationBuilder app, IHostingEnvironment env) { app.UseRewriter(new RewriteOptions().AddRedirectToHttps()); app.AddSecurityHeaders(); { Password Configuration } { Authorization} { HTTPS } { Security Headers} Development Paved Road Example
- 13. © 2019 Puma Security, LLC | All Rights Reserved CI / CD Security Controls Commit:
- 14. © 2019 Puma Security, LLC | All Rights Reserved Integrate tools to automate build, test, acceptance, and deployment of infrastructure, cloud, and applications into a repeatable workflow Continuous Integration & Delivery Security Controls COMMIT (CI)
- 15. © 2019 Puma Security, LLC | All Rights Reserved Merging new features requires approval from peers and security team prior to triggering the build pipeline: 116 117 118 119 120 121 122 123 { } LoadBalanceArn: !Ref Load Balancer Port: !Ref HttpsPort Protocol: HTTPS SslPolicy: ELBSecurityPolicy-TLS-1-0-2015-04 SslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01 Certificates: - CertificateArn !Ref CertificateArn DefaultActions: CI / CD Security Controls: Version Control
- 16. © 2019 Puma Security, LLC | All Rights Reserved Approved merge request triggers automated unit tests, security scans, audit reports, and fast feedback CI / CD Security Controls: Acceptance Tes7ng
- 17. © 2019 Puma Security, LLC | All Rights Reserved Build pipelines contain artifacts from security scans and compliance checks CI / CD Security Controls: Audit Reports
- 18. © 2019 Puma Security, LLC | All Rights Reserved Supply Chain Security Acceptance:
- 19. © 2019 Puma Security, LLC | All Rights Reserved Serious vulnerabilities can be inherited from open source libraries, docker images, infrastructure templates, and serverless functions: WARNING: Some tools may not check transitive dependencies Carefully review content before usage Run tools to automatically the scan code base / images Identify external dependencies Check against public vulnerability database(s) Integrate supply chain security scanning into CI/CD Supply Chain Security
- 20. © 2019 Puma Security, LLC | All Rights Reserved OWASP Dependency Check (Java, .NET, Ruby, Python) - h?ps://www.owasp.org/index.php/OWASP_Dependency_Check NPM Audit / Retire.JS (NodeJS) - https://retirejs.github.io/retire.js/ - https://docs.npmjs.com/cli/audit Bundler-Audit (Ruby) - https://github.com/rubysec/bundler-audit PHP Security Checker - https://security.sensiolabs.org/ DEPENDENCY MANAGEMENT Supply Chain Security: Application Scanning Tools ACCEPTANCE
- 21. © 2019 Puma Security, LLC | All Rights Reserved OWASP Dependency Check scan and vulnerability report in a Jenkins CI pipeline Supply Chain Security: Application Scanning Example
- 22. © 2019 Puma Security, LLC | All Rights Reserved Anchore - https://anchore.com/opensource/ Clair - https://github.com/coreos/clair Actuary - https://github.com/diogomonica/actuary Falco - https://github.com/draios/falco Supply Chain Security: Container Image Scanning Tools CONTAINER SECURITY ACCEPTANCE
- 23. © 2019 Puma Security, LLC | All Rights Reserved Invoking an Anchore image scan and capturing vulnerability data in a Jenkins CI pipeline Supply Chain Security: Container Image Scanning Example
- 24. © 2019 Puma Security, LLC | All Rights Reserved DevSec Hardening Templates - Automated hardening framework using Puppet, Chef, Ansible - Linux, Windows, SSH, Docker, K8S, Apache, Nginx - https://github.com/dev-sec Hardened infrastructure templates can be used as references Supply Chain Security: Hardened Infrastructure Templates INFRASTRUCTURE AS CODE System Integrity Management Platform(SIMP) - Hardened Puppet infrastructure configuration and testing - NIST 800-53, DISA STIG, FIPS 140-2 RHEL & CentOS templates - https://github.com/simp/ { } ACCEPTANCE
- 25. © 2019 Puma Security, LLC | All Rights Reserved Managing function dependencies in AWS Lambda can be achieved using Layers: Buildpipelines removethird-party librariesfrom deployment packages CloudOpsmanages centralizedlayers containingapproved third-partylibraries Third-partyvendorsare leveragingLayerstofurther hardenfunctionruntime environments: PureSecFunctionShield TwistlockDefender Supply Chain Security: FaaS Dependency Management
- 26. © 2019 Puma Security, LLC | All Rights Reserved Opera&ons: Continuous Security Compliance
- 27. © 2019 Puma Security, LLC | All Rights Reserved Leveraging security configuration tools to automate audit and compliance checks: Test the server and infrastructure configuration against expected baseline and report any deviations Tests should include severity, risk level, and description information Match tests against compliance checklist items or regulatory policies Automated testing tools available for Linux, Unix, Windows, AWS, Azure and VMWare Con9nuous Security Compliance PRODUCTION
- 28. © 2019 Puma Security, LLC | All Rights Reserved SECURITY CONFIGURATION InSpec - https://github.com/inspec/inspec Cloud Custodian (AWS, GCP, Azure) - https://github.com/cloud-custodian/cloud-custodian OpenSCAP - https://github.com/OpenSCAP Security compliance / acceptance testing tools: Scout Suite (AWS, GCP, Azure) - https://github.com/nccgroup/ScoutSuite AWS Benchmark Scanner https://github.com/awslabs/aws-security-benchmark Supply Chain Security: Application Scanning Tools PRODUCTION
- 29. © 2019 Puma Security, LLC | All Rights Reserved Running InSpec against a running Docker container: 1 2 { } $ docker run -it --rm -v $(pwd):/share chef/inspec exec baseline -t docker://container_id Example InSpec output results from the Linux baseline profile:{ } 1 2 3 4 5 6 7 8 9 ✅ os-01: Trusted hosts login ✅ Command find / -name '.rhosts' stdout should be empty ✅ Command find / -name 'hosts.equiv' stdout should be empty X os-02: Check owner and permissions for /etc/shadow (1 failed) ✅ File /etc/shadow should exist ✅ File /etc/shadow should be file ✅ File /etc/shadow should be owned by "root" ✅ File /etc/shadow should not be executable X File /etc/shadow group should eq nil Continuous Security Compliance: InSpec Docker Scan
- 30. © 2019 Puma Security, LLC | All Rights Reserved Exporting InSpec results to JUnit format and integrating with Jenkins CI Continuous Security Compliance: Jenkins InSpec Integration
- 31. © 2019 Puma Security, LLC | All Rights Reserved Running the AWS CIS Benchmark scan via AWS Config rules Continuous Security Compliance: AWS CIS Benchmark Scan
- 32. © 2019 Puma Security, LLC | All Rights Reserved Thank you for attending! Keys for Modern Security Success Contact Information: E | eric.johnson@pumascan.com ü Cloud & DevSecOps Practices ü Pre-Commit: The Paved Road ü Commit: CI / CD Security Controls ü Acceptance: Supply Chain Security ü Operations: Continuous Security Compliance SUMMARY @emjohn20