Realizing DevSecOps and effectively implementing security into CI/CD pipelines on AWS remains a challenging proposition for most organizations today. In this session, we share the essential principles of achieving security automation in your CI/CD pipelines and across the build, deploy, and run phases of your applications. Finally, we conclude with a demonstration of security automation across all three phases of your applications that are deployed on AWS infrastructure, showing you how to bring security automation to your organization today.

1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Building Security into CI/CD
Pipelines for Effective Security
Automation on AWS
Ram Boreda
Director, Product Management
Palo Alto Networks
SDD351-S
Kevin Paige
CISO
Flexport

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
• The need for security, early in development cycle
• The approach taken by Flexport
• Security during the build phase
• Security during the deployment phase
• Security during the production phase
• Q&A

3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
About Your Speakers
Ram Boreda
Driving product strategy and roadmap of public
cloud security products at Palo Alto Networks.
@Amazon AWS - was responsible for AWS
Transit Gateway and VPN services.
Led product management of security products at
Verisign iDefense and CipherCloud.
Kevin Paige
Chief Information Security Officer (CISO) at
Flexport
CISO at MuleSoft
Technical leadership roles at Salesforce, xMatters,
the U.S. Army and U.S. Air Force.

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
The Security Analyst Dilemma
174,000
alerts/week
7%
reviewed
Mean Time To Identify
197days
Mean Time To Contain
69days
State of SOAR Report 2018, Demisto Cost of a Data Breach Study, 2018, Ponemon Institute

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security Issues Start Early in the Build Phase
State of open source security report, 2019, Synk
1 in 2
developers don’t security test
images
~30
known vulnerabilities
4 in 10
Docker images can fix known
vulnerabilities with base
image tag update
TOP 10

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Perils of Automation During Deployment Phase
*2018 Cloud Security Report (https://www.paloaltonetworks.com/resources/research/2018-cloud-security-report-palo-alto-networks)
Easy to deploy misconfigured resources at
scale
Increased risk when governance/compliance
checks are not met

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Palo Alto Networks Proprietary and Confidential 8
SECURITY BUILT-IN SECURITY BOLTED ON

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Our Cloud Security
Challenge
• Hypergrowth
• Business wants more
features faster
• Lack of alignment and
ownership between teams

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Shifting Left – Our
Approach
• Align and influence
• Get and give visibility
• Hold people accountable
• Get identity and access
control right

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Dashboard Example

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Shifting Left – Key
Outcomes
• Culture shift
• Accountability drove
behavior changes
• Increase in velocity

12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
RUN
DEPLOY
Start Security From The Build Phase….
13
BUILD

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
And Cover the Entire Development Lifecycle
Scan images prior to
registry upload
Scan configurations
prior to deployment
• IaC
• k8s app manifest
YAML
DEPLOY
Image scanning in registry
Configuration scanning
Detect drifts from
templates
Continuous monitoring
Detect & respond to
attacks
RUN
Vulnerability scanning
packages
Analyze code
BUILD

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Give simple security tools to development
Development identifies
vulnerable packages and
fixes them
Builds pass and
images get pushed
to registry
Vulnerability scanning and
runtime issues with context
facilitate remediation
Scenario 2
Start Left To Drive Consistent And Secure Releases
Development starts without security, siloed security
Build fails with vuln & config issues.
Dev questions the need to fix
Scenario 1
Vuln scan & runtime issues without
context frustrate dev & security
BUILD DEPLOY RUN

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Integrating Security into Dev & CI/CD
AWS Cloud
Prisma Public Cloud
Scanning Service
AWS CodePipeline
Container Registry Amazon S3
Amazon RDS
Amazon ECS
AWS Lambda
Amazon EKS
Amazon EC2
Vuln scan OS packages in Docker
files in developer environment
before check in Git
1
Vuln scan OS packages
in Docker images in
CI/CD before push to
registry
2
Config scan CFT /
Terraform before
deployment to runtime
3

16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Integrating Security into CI/CD
AWS Cloud
Prisma Public Cloud
Scanning Service
AWS CodePipeline
Container Registry Amazon S3
Amazon RDS
Amazon ECS
AWS Lambda
Amazon EKS
Amazon EC2
Vuln scan OS packages in Docker
files in developer environment
before check in Git
1
Vuln scan OS packages
in Docker images in
CI/CD before push to
registry
2
Config scan CFT /
Terraform before
deployment to runtime
3

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How
Configure CI/CD projects to vuln scan Docker images, triggered by Pull
Request (PR) in Git / build in CI/CD
Why
Verify that Docker images do not have vulnerabilities that violate policies
Benefit
• Eliminate vulnerabilities in Docker images
• Reduce attack surface of images before check into Git / push to
registry
Vulnerability Scan: For OS Packages In CI/CD

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demo Time
Vulnerability Scanning During CI/CD

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Integrating Security into CI/CD
AWS Cloud
Prisma Public Cloud
Scanning Service
AWS CodePipeline
Container Registry Amazon S3
Amazon RDS
Amazon ECS
AWS Lambda
Amazon EKS
Amazon EC2
Vuln scan OS packages in Docker
files in developer environment
before check in Git
1
Vuln scan OS packages
in Docker images in
CI/CD before push to
registry
2
Config scan CFT /
Terraform before
deployment to runtime
3

20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How
Configure CI/CD project to scan IAC templates, triggered by PR in Git
Why
Verify that IAC templates do not violate security policies
Benefit
• Eliminate insecure config in IAC before check into Git/deployment to
runtime
• Reduce attack surface of infrastructure when deployed to runtime
IaC Scan: For CFT / Terraform in CI/CD

21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demo Time
IaC Config Scanning During CI/CD

22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Continuous Security During Run Phase
AWS Cloud
Container Registry Amazon S3
Amazon RDS
Amazon ECS
AWS Lambda
Amazon EKS
Amazon EC2
CRITICAL ALERTS
CONTINUOUS
MONITORING
RESPONSE
Demisto
Prisma Public Cloud

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demo Time
Continuous Security During Run Phase

24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Start Left
Achieve Better Security Outcomes
with Security Built-In
developers.paloaltonetworks.com/prisma

25. Thank you!
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Stop by Palo Alto Networks booth #707
Sign up for a free trial -
http://go.paloaltonetworks.com/awsmarketplace
Ram Boreda
rboreda@paloaltonetworks.com