SlideShare a Scribd company logo

Vulnerability Testing in the Cloud by dint of DevSecOps

O
Owen Byrne

This document discusses using DevSecOps and open source tools to enable continuous vulnerability testing in the cloud. It introduces Norad, an open source tool that allows plugging in new security tests and third party tools through Docker containers. Norad integrates with cloud pipelines and centralizes results. AWS CloudWatch Events and Lambda are leveraged to stitch components together and enable continuous compliance checks based on security benchmarks. The goal is to make security testing easier for developers through automation and integration into the development workflow.

Technology
1 of 20
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Vulnerability Testing in the Cloud by dint of DevSecOps Owen Byrne Cisco dCloud obyrne@cisco.com https://www.linkedin.com/in/owen-byrne/ @owbyrne devopsdays Galway 2017
Our journey begins..
Enabled by some great OpenSource tools…
Cloud ‘Authorisation to Operate’ (CATO)
Conundrum
Security? Not my job!
• CD model means deployed code is constantly changing • Security Tools vary in: • Skill level to operate (developer friendly, automation possible?) • Coverage (gaps & detection – false positives/negatives) • Varied output formats (JSON, XML, Unstructured, But…Security Testing is Hard
OpenSource: https://norad.gitlab.io/ License: Apache 2 8
Enabling DevSecOps
• Ability to plug in new, home-grown tests & 3rd party tools quickly • Docker images containing preconfigured tools to scan for a specific type of vulnerability Containerised Security Tests
How Norad Works Cust omer Cl oud NORAD Cisco Confidential
Centralised Results
Pipeline Integration
Python (boto) AWS CLIAWS Console Powershell Tools Cloud Module Cloudformation BUT…many other ways to create Infra… AutoScaling
“You can think of CloudWatch Events as the central nervous system for your AWS environment. It is wired in to every nook and cranny of the supported services, and becomes aware of operational changes as they happen. Then, driven by your rules, it activates functions and sends messages (activating muscles, if you will) to respond to the environment, making changes, capturing state information, or taking corrective action.” AWS CloudWatch Events
“AWS Lambda is a compute service that lets you run code without provisioning or managing servers” “…use AWS Lambda to run your code in response to events” AWS Lambda
Stitching Things Together
Continuous Compliance with Lambda Based on: https://github.com/awslabs/aws-security- benchmark Config Check Rule evaluated every 24hours
When SecOps show up to the meeting http://devopsreactions.tumblr.com/post/142837211682/when-secops-shows-up-to-the-meeting
Thank You!

More Related Content

PDF
Practical Approaches to Container Security
Shea Stewart
 
PDF
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
PDF
Play 2 Java Framework with TDD
Basav Nagur
 
PDF
Docker container security
Thoughtworks
 
PPTX
DEVNET-1169 CI/CT/CD on a Micro Services Applications using Docker, Salt & Ni...
Cisco DevNet
 
PDF
Faster safer and 100 user centric application at equifax with docker
Docker, Inc.
 
PPTX
Docker crash course
Vishwas N
 
PPTX
Continuous Security Testing with Devops - OWASP EU 2014
Stephen de Vries
 
Practical Approaches to Container Security
Shea Stewart
 
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
Play 2 Java Framework with TDD
Basav Nagur
 
Docker container security
Thoughtworks
 
DEVNET-1169 CI/CT/CD on a Micro Services Applications using Docker, Salt & Ni...
Cisco DevNet
 
Faster safer and 100 user centric application at equifax with docker
Docker, Inc.
 
Docker crash course
Vishwas N
 
Continuous Security Testing with Devops - OWASP EU 2014
Stephen de Vries
 

What's hot (20)

PDF
Infrastructure as Code with Ansible
Daniel Bezerra
 
PPTX
Pulumi iac on gcp
Vishwas N
 
PDF
Building Top-Notch Androids SDKs
relayr
 
PPTX
DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan Roman
DevSecCon
 
PPTX
Test Automation Workshop with BDD Approach
kloia
 
PDF
5 patterns for success for application transformation
Docker, Inc.
 
PDF
Hacking into your containers, and how to stop it!
Eric Smalling
 
PDF
Know What’s in Your Containers! Manage and Secure all Open Source that Compos...
DevOps.com
 
PDF
Secure Substrate: Least Privilege Container Deployment
Docker, Inc.
 
PPT
Jenkins Overview
Ahmed M. Gomaa
 
PDF
DockerCon EU 2015: Official Repos and Project Nautilus
Docker, Inc.
 
PDF
All Things Open 2017: How to Treat a Network as a Container
Rosemary Wang
 
PDF
Build & Deploy Multi-Container Applications to AWS
Docker, Inc.
 
PDF
ScriptRock Overview
CloudCheckr
 
PPTX
Introduction to Containers & Diving a little deeper into the benefits of Con...
Synergetics Learning and Cloud Consulting
 
PDF
Javantura v4 - Test-driven documentation with Spring REST Docs - Danijel Mitar
HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
PDF
Docker Security - Secure Container Deployment on Linux
Michael Boelen
 
PPTX
Onnx and onnx runtime
Vishwas N
 
PDF
From Zero to Hero: Continuous Container Security in 4 Simple Steps
DevOps.com
 
PDF
DockerCon SF 2015: Docker at Lyft
Docker, Inc.
 
Infrastructure as Code with Ansible
Daniel Bezerra
 
Pulumi iac on gcp
Vishwas N
 
Building Top-Notch Androids SDKs
relayr
 
DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan Roman
DevSecCon
 
Test Automation Workshop with BDD Approach
kloia
 
5 patterns for success for application transformation
Docker, Inc.
 
Hacking into your containers, and how to stop it!
Eric Smalling
 
Know What’s in Your Containers! Manage and Secure all Open Source that Compos...
DevOps.com
 
Secure Substrate: Least Privilege Container Deployment
Docker, Inc.
 
Jenkins Overview
Ahmed M. Gomaa
 
DockerCon EU 2015: Official Repos and Project Nautilus
Docker, Inc.
 
All Things Open 2017: How to Treat a Network as a Container
Rosemary Wang
 
Build & Deploy Multi-Container Applications to AWS
Docker, Inc.
 
ScriptRock Overview
CloudCheckr
 
Introduction to Containers & Diving a little deeper into the benefits of Con...
Synergetics Learning and Cloud Consulting
 
Javantura v4 - Test-driven documentation with Spring REST Docs - Danijel Mitar
HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
Docker Security - Secure Container Deployment on Linux
Michael Boelen
 
Onnx and onnx runtime
Vishwas N
 
From Zero to Hero: Continuous Container Security in 4 Simple Steps
DevOps.com
 
DockerCon SF 2015: Docker at Lyft
Docker, Inc.
 
Ad

Similar to Vulnerability Testing in the Cloud by dint of DevSecOps (8)

PDF
DevSecOps - Background, Status and Future Challenges
dsc71656
 
PDF
Forecast 2012 Panel: Cloud Security Christofer Hoff
Open Data Center Alliance
 
PPTX
Security as Code
Ed Bellis
 
PDF
What is exactly anti fragile in dev ops - v3
Asher Sterkin
 
PDF
The Impact of DevSecOps on Cloud Security.pdf
Rosy G
 
PPTX
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
Garth Boyd
 
PDF
The Emergent Cloud Security Toolchain for CI/CD
James Wickett
 
PDF
DevOps Days Tel Aviv 2013: What exactly is anti-fragile in DevOps? - Asher St...
DevOpsDays Tel Aviv
 
DevSecOps - Background, Status and Future Challenges
dsc71656
 
Forecast 2012 Panel: Cloud Security Christofer Hoff
Open Data Center Alliance
 
Security as Code
Ed Bellis
 
What is exactly anti fragile in dev ops - v3
Asher Sterkin
 
The Impact of DevSecOps on Cloud Security.pdf
Rosy G
 
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
Garth Boyd
 
The Emergent Cloud Security Toolchain for CI/CD
James Wickett
 
DevOps Days Tel Aviv 2013: What exactly is anti-fragile in DevOps? - Asher St...
DevOpsDays Tel Aviv
 
Ad

Recently uploaded (20)

PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Teaching material agriculture food technology
LiaRayya
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
KodekX | Application Modernization Development
KodekX
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 

Vulnerability Testing in the Cloud by dint of DevSecOps

Editor's Notes

  • #16: https://aws.amazon.com/blogs/aws/new-cloudwatch-events-track-and-respond-to-changes-to-your-aws-resources/
  • #17: http://docs.aws.amazon.com/lambda/latest/dg/welcome.html