Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Build and Monitor Security into Your Golden AMI Pipeline
Hari Srinivasan
Director Product Management, Cloud Security
Qualys
DEM08
2.
Agenda
Digital Transformation (DX)
Security Transformation
AWS Golden AMI Pipeline and Qualys
Customer Case Studies
Q&A
3.
Mindset Change
Embracing the Digital Transformation
Holistic transformation of business to digital
Cloud, Containers, IaaS, PaaS, OT, IIoT, IoT, Mobility, Web apps, APIs, Mobile Apps
4.
DevOps the New Frontier
This is real and highly contagious
Developers decide how infrastructure runs in production
Speeds up code moving to production significantly
5.
Moving Toward the Future of Security
“Collaborative, Continuous Secure Development and Deployment”
Mantra of AppDev adopting DevOps: “You build it, You run it”
Mantra of Sec in DevOps: “You build it, You secure it, You run it”
DEVELOPERS
SECURITY
OPERATIONS
6.
Moving Toward the Future of Security
“You build it, You secure it, you run it”
DEVELOPERS
SECURITY
OPERATIONS
✓ Static Code Analysis
✓ Vulnerability Management
✓ Web Application Scanning
✓ Compliance Checks
✓ Configuration Assessments
Comprehensive evaluation at an early stage (DevOps)
7.
Approach: Automate Security
DevOps-friendly capabilities: CI/CD plug-ins, REST APIs, developer-friendly actionable data
Extending solutions into remediation & response
Multiple solutions on a single platform: lowering cost, reducing tool and console fatigue
Automate security testing
Creation of pre-hardened images & applications
Monitor and protect production environments
Actionable data for developers
Build Security into DevOps
8.
AWS Golden AMI Pipeline
• Create a Golden AMI
• Incorporate Security Testing
• Create an Approval process
• Monitor & Track
• Actively manage
9.
Qualys in AWS Golden AMI Pipeline
• Add Qualys scanning to identify issues in sample instances launched from the AMI
• Verify the detections and remediate them
• Embed agents for continuous visibility of production instances
• Approve AMIs as Golden
https://github.com/Qualys-Public
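The pipeline steps on slides 8 and 9 (scan a sample instance, fix and verify, then approve) reduce to a gate that decides whether a candidate AMI may be tagged golden. The following is an added example, not Qualys or AWS code; the Finding layout, the QIDs, the tag names and the confirmed Sev 4/5 threshold (the severity scale the Ancestry slide reports on) are assumptions constructed for the illustration.

```python
# Added example, not Qualys or AWS code: the approval gate of a golden-AMI
# pipeline. The Finding layout, the QIDs, the titles and the policy thresholds
# are constructed assumptions for this illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    qid: int          # detection id (constructed values below)
    severity: int     # 1 (low) .. 5 (critical)
    confirmed: bool   # confirmed detection, not a potential one
    title: str

# Assumed policy: a confirmed Sev 4 or Sev 5 finding blocks approval; anything
# lower is reported but does not hold up the bake ("don't shoot for zero").
BLOCKING_SEVERITIES = frozenset({4, 5})

def blocking_findings(findings):
    """Findings that fail the gate, worst first so the report leads with them."""
    return sorted((f for f in findings if f.confirmed and f.severity in BLOCKING_SEVERITIES),
                  key=lambda f: (-f.severity, f.qid))

def evaluate_ami(ami_id, findings):
    """Gate decision plus the tags an approval step would stamp on the AMI so
    launch templates and autoscaling groups can select only approved images."""
    blocking = blocking_findings(findings)
    approved = not blocking
    tags = {"GoldenAMI": "approved" if approved else "rejected",
            "BlockingFindings": str(len(blocking))}
    return {"ami_id": ami_id, "approved": approved, "blocking": blocking, "tags": tags}

def verify_fix(before, after):
    """Fix-and-verify step: compare the rescan with the first scan so a fix that
    did not stick (or a regression the fix introduced) is never approved."""
    open_before = {f.qid for f in blocking_findings(before)}
    open_after = {f.qid for f in blocking_findings(after)}
    return {"remediated": sorted(open_before - open_after),
            "still_open": sorted(open_after & open_before),
            "new": sorted(open_after - open_before)}

# Constructed scan results for a sample instance launched from the candidate AMI.
INITIAL_SCAN = [
    Finding(100001, 5, True, "kernel package missing security update"),
    Finding(100002, 4, True, "SSH daemon permits password authentication"),
    Finding(100003, 4, False, "potential: library version could not be confirmed"),
    Finding(100004, 2, True, "service banner discloses version"),
]
# Constructed rescan after the bake script patched the kernel and hardened sshd_config.
RESCAN = [f for f in INITIAL_SCAN if f.qid not in (100001, 100002)]
```

Calling evaluate_ami on INITIAL_SCAN rejects the image with two blocking findings; after verify_fix reports both remediated and nothing new, the same call on RESCAN approves it.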
10.
11.
Capital One
Before: Lack of Security Automation Delays Release
Two weeks until the Image (AMI) is certified for production
Diagram labels: Vulnerability Management Teams; Machine Builders; VM SCAN/REPORT 48 HOURS; VM SCAN/REPORT 48 HOURS
12.
Capital One
After: Introducing Security at the Source. Bake Qualys Security into Gold Images and AMI
Bakery process happens within 24 hours
Diagram: Public/Custom OS GOLD IMAGE and AMAZON MACHINE IMAGE (AMI) -> Bake (CI/CD PIPELINE) -> QUALYS ASSESS ON DEV INSTANCES (Qualys Scanner: identify vulns. & config. issues) -> HARDENED INSTANCES (Fix & Verify; Qualys Agent) -> APPROVE and PUBLISH -> Approved Gold Image and AMI -> Live Instances (Qualys Agent, Qualys Scanner)
13.
Ancestry
Hardening AMIs to Reduce Vulnerabilities
Company Profile: Largest for-profit genealogy company in the world; it operates a network of genealogical, historical record and genetic genealogy websites.
INDUSTRY: Genealogy
REGION: UTAH, USA
CLOUD: All Applications in AWS
QUALYS USAGE: Vulnerability Mgmt., Policy Compliance
Rearchitect security during migration to AWS Cloud to reduce vulnerabilities without slowing development
[Chart: Confirmed Vulnerability Count, Sev 4 and Sev 5, over time]
>80% drop in vulnerabilities
Don’t shoot for ZERO
14.
Ancestry
Tracking Golden AMI efficacy with KPI dashboards
Track the Golden AMI based instances and their patch cycles
Created a KPI dashboard for every business unit, to track their adherence to the process
15.
Web App Security in CI pipeline
Automated Integration into Sprint cycles
Diagram labels: JENKINS; SELENIUM; QUALYS WAS; JIRA ISSUES
Image Source: https://www.smashingmagazine.com/2015/01/basic-test-automation-for-apps-games-and-mobile-web/
26 June 2019, Qualys Inc.
Company Profile: Large payment processing company based out of Europe providing payment gateways for online orders as well as point of sale transactions.
INDUSTRY: Electronic Payment Services
REGION: UK
CLOUD: All Applications in AWS
QUALYS USAGE: Web Application Scanning, Vulnerability Mgmt., Policy Compliance
Incorporated Qualys based Web Application Scanning in the Jenkins CI pipeline, covering both applications and the APIs as part of testing in the sprint cycle
16.
Container Image Vulnerability Analysis in CI/CD
Blocking vulnerable images entering repositories
Company Profile: Large US Bank
INDUSTRY: Financial
REGION: US
CLOUD: All Applications in AWS
QUALYS USAGE: Container Security, Vulnerability Mgmt., Policy Compliance, File Integrity Monitoring
Incorporated Qualys Container Security to scan Docker image builds, covering roughly 50K image pushes per week.
17.
Container Image Vulnerability Analysis in CI/CD
Actionable Information for Developers
18.
Qualys
Security at scale on hybrid clouds
19+ products providing a comprehensive suite of security solutions
12,000+ customers and active users
7 shared cloud platforms across North America, Europe & Asia
70+ private cloud platforms deployed globally... on-prem, AWS, Azure, GCP
16+ PB storage and 16,000 cores
19.
Free Service for External
Qualys Security Apps
• Web Application Scanning (WEB APPLICATION SECURITY): Secure web applications with end-to-end protection
• Policy Compliance (COMPLIANCE MONITORING): Assess security configurations of IT systems throughout your network
• Vulnerability Management (IT SECURITY): Continuously detect and protect against attacks, anytime, anywhere
• Indication of Compromise: Continuously monitor endpoints to detect suspicious activity
• Continuous Monitoring: Alerts you in real time about network irregularities
• Threat Protection: Pinpoint your most critical threats and prioritize patching
• PCI Compliance: Automate, simplify and attain PCI compliance quickly
• Web Application Firewall: Block attacks and virtually patch web application vulnerabilities
• Cloud Inventory: Inventory of all your cloud assets across AWS, Azure, GCP and others
• Certificate Assessment: Assess all your digital certificates for TLS/SSL vulnerabilities
• Certificate Inventory: Inventory of TLS/SSL digital certificates on a global scale
• Container Security: Discover, track, and continuously protect containers
• Cloud Security Assessment: Get full visibility and control across all public cloud instances
• File Integrity Monitoring: Log and track file changes across global IT systems
• Security Assessment Questionnaire: Minimize the risk of doing business with vendors and other third parties
• Security Configuration Assessment: Automate configuration assessment of global IT assets
• Asset Inventory (ASSET MANAGEMENT): Discover, normalize, and catalog all global IT assets
• CMDB Sync: Synchronize asset information from Qualys into ServiceNow CMDB
• Patch Management: Select, manage, and deploy patches to remediate vulnerabilities
Available on Cloud Agent
20.
Qualys Sensor Platform
Scalable, self-updating & centrally managed
Physical: Legacy data centers, corporate infrastructure; continuous security and compliance scanning
Cloud/Container: Commercial IaaS & PaaS clouds; pre-certified in marketplace; fully automated with API orchestration; continuous security and compliance scanning
Cloud Agents: Lightweight, multi-platform; on premise, elastic cloud & endpoints; real-time data collection; continuous evaluation on platform for security and compliance
Passive: Passively sniff on network; real-time device discovery & identification; identification of APT network traffic; extract malware files from network for analysis
API: Integration with Threat Intel feeds; CMDB integration; log connectors
Virtual: Private cloud infrastructure, virtualized infrastructure; continuous security and compliance scanning
21.
Resources
“Make it so.” - Captain Picard
GitHub for cloud security: https://github.com/Qualys-Public
Qualys DevOps utilities: CI/CD plugins (Jenkins, Bamboo, ...), REST APIs
https://community.qualys.com/docs/DOC-6814
22. Thank you!
Hari Srinivasan
hsrinivasan@qualys.com