© 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved.
Build and Monitor Security into Your Golden AMI Pipeline
Hari Srinivasan
Director Product Management, Cloud Security
Qualys
DEM08

Agenda
• Digital Transformation (DX)
• Security Transformation
• AWS Golden AMI Pipeline and Qualys
• Customer Case Studies
• Q&A

Mindset Change: Embracing the Digital Transformation
Holistic transformation of business to digital: cloud, containers, IaaS, PaaS, OT, IIoT, IoT, mobility, web apps, APIs, mobile apps.

DevOps, the New Frontier
This is real and highly contagious.
Developers decide how infrastructure runs in production.
Speeds up code moving to production significantly.

Moving Toward the Future of Security
“Collaborative, Continuous Secure Development and Deployment”
Mantra of AppDev adopting DevOps: “You build it, you run it”
Mantra of Sec in DevOps: “You build it, you secure it, you run it”
(Diagram: overlapping circles labelled Developers, Security, Operations)

Moving Toward the Future of Security
“You build it, you secure it, you run it”
(Diagram: overlapping circles labelled Developers, Security, Operations)
✓ Static Code Analysis
✓ Vulnerability Management
✓ Web Application Scanning
✓ Compliance Checks
✓ Configuration Assessments
Comprehensive evaluation at an early stage (DevOps)

Approach: Automate Security
• DevOps-friendly capabilities: CI/CD plug-ins, REST APIs, developer-friendly actionable data
• Extending solutions into remediation & response
• Multiple solutions on a single platform, lowering cost and reducing tool and console fatigue
Build Security into DevOps (diagram): automate security testing; create pre-hardened images & applications; monitor and protect production environments; actionable data for developers.

AWS Golden AMI Pipeline
• Create a Golden AMI
• Incorporate security testing
• Create an approval process
• Monitor & track
• Actively manage

Qualys in AWS Golden AMI Pipeline
• Add Qualys scanning to identify issues in sample instances launched from the AMI
• Verify the detections and remediate them
• Embed agents for continuous visibility of production instances
• Approve AMIs as Golden
https://github.com/Qualys-Public
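The scan, fix, verify and approve steps above can be expressed as an approval gate over scanner findings. The Python below is an added example, not code from the talk or from the Qualys-Public repository: the findings, QIDs, AMI id and tag keys are constructed for the example, and the blocking policy (confirmed severity 4 and above, potential severity 5) is an assumption rather than a Qualys or AWS default. The same gate applies unchanged to a container-image scan, which is the CI/CD case later in the deck.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Iterable


@dataclass(frozen=True)
class Finding:
    """One scanner detection on a sample instance launched from the candidate AMI."""
    qid: int            # detection id; the values used below are constructed, not real QIDs
    title: str
    severity: int       # 1 (informational) .. 5 (critical)
    confirmed: bool     # True = confirmed detection, False = potential (needs verification)


@dataclass(frozen=True)
class GatePolicy:
    """Assumed policy: block on confirmed high/critical findings and on critical
    findings even when only potential; report the rest without blocking, in the
    spirit of the deck's "don't shoot for zero" advice."""
    block_confirmed_at_or_above: int = 4
    block_potential_at_or_above: int = 5


@dataclass
class GateResult:
    approved: bool
    blocking: list[Finding] = field(default_factory=list)
    advisory: list[Finding] = field(default_factory=list)


def evaluate(findings: Iterable[Finding], policy: GatePolicy = GatePolicy()) -> GateResult:
    """Apply the policy to one scan of the sample instance."""
    blocking: list[Finding] = []
    advisory: list[Finding] = []
    for f in findings:
        threshold = (policy.block_confirmed_at_or_above if f.confirmed
                     else policy.block_potential_at_or_above)
        (blocking if f.severity >= threshold else advisory).append(f)
    # Most severe first so the report leads with what matters; qid breaks ties.
    order = lambda f: (-f.severity, f.qid)
    return GateResult(approved=not blocking,
                      blocking=sorted(blocking, key=order),
                      advisory=sorted(advisory, key=order))


def unresolved_after_fix(first: GateResult, rescan: Iterable[Finding]) -> set[int]:
    """Verify step: QIDs that blocked the first scan and are still present in the
    re-scan of the hardened instance."""
    still_open = {f.qid for f in rescan}
    return {f.qid for f in first.blocking if f.qid in still_open}


def golden_tags(ami_id: str, result: GateResult, scan_ref: str,
                now: datetime | None = None) -> dict[str, str]:
    """Tags recording the decision on the AMI. The tag keys are an assumption of
    this example; a real pipeline would apply them with EC2 CreateTags, which
    this offline example does not call."""
    now = now or datetime.now(timezone.utc)
    return {
        "GoldenAmiStatus": "approved" if result.approved else "rejected",
        "GoldenAmiScanRef": scan_ref,
        "GoldenAmiEvaluatedAt": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "GoldenAmiOpenFindings": str(len(result.blocking) + len(result.advisory)),
    }


# Constructed sample scans (titles and QIDs are made up for this example).
FIRST_SCAN = [
    Finding(900001, "Kernel package out of date", 5, True),
    Finding(900002, "TLS library outdated", 4, True),
    Finding(900003, "Weak SSH cipher enabled", 3, True),
    Finding(900004, "Possibly outdated shell package", 5, False),
    Finding(900005, "ICMP timestamp response", 1, True),
]
# Re-scan after patching: the confirmed sev 4/5 packages were updated and the
# potential sev 5 was verified as a false positive; two advisory findings remain
# and are tracked rather than blocking the image.
RESCAN = [
    Finding(900003, "Weak SSH cipher enabled", 3, True),
    Finding(900005, "ICMP timestamp response", 1, True),
]


def run_gate(ami_id: str = "ami-EXAMPLE00000000000") -> dict[str, str]:
    """Scan -> fix -> verify -> approve, using the constructed scans above."""
    first = evaluate(FIRST_SCAN)
    if first.approved:
        return golden_tags(ami_id, first, "scan-1")
    second = evaluate(RESCAN)
    if unresolved_after_fix(first, RESCAN):
        # A finding that blocked the first scan survived remediation: stay rejected
        # even if the re-scan now reports it at a lower severity.
        second = GateResult(False, second.blocking, second.advisory)
    return golden_tags(ami_id, second, "scan-2")


if __name__ == "__main__":
    for key, value in run_gate().items():
        print(f"{key}={value}")
```

The gate keeps the approve/reject decision separate from the tag-writing step so the same `evaluate` can run in a CI job (fail the build) and in the bakery (tag the AMI); the advisory list is what feeds the "actionable data for developers" tickets without holding the image back.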

Capital One
Before: Lack of Security Automation Delays Release
Two weeks until the image (AMI) is certified for production.
(Diagram: machine builders hand images to the vulnerability management teams for a VM scan/report; two 48-hour scan/report cycles are shown)

Capital One
After: Introducing Security at the Source; Bake Qualys Security into Gold Images and AMI
(Pipeline diagram: public or custom OS gold image and Amazon Machine Image (AMI) → CI/CD pipeline bake → Qualys assesses on dev instances with the Qualys Scanner to identify vulnerabilities and configuration issues → fix & verify, yielding hardened instances carrying the Qualys Agent → approve and publish the approved gold image and AMI → live instances run the Qualys Agent and are scanned by the Qualys Scanner)
Bakery process happens within 24 hours.

Ancestry
Hardening AMIs to Reduce Vulnerabilities
Company Profile: Largest for-profit genealogy company in the world; it operates a network of genealogical, historical record and genetic genealogy websites.
INDUSTRY: Genealogy
REGION: Utah, USA
CLOUD: All applications in AWS
QUALYS USAGE: Vulnerability Mgmt., Policy Compliance
Goal: rearchitect security during migration to AWS Cloud to reduce vulnerabilities without slowing development.
(Chart: confirmed vulnerability count for Sev 4 and Sev 5 over time, annotated “This happened”, “And then this…”, “and finally this…”; >80% drop in vulnerabilities)
Don’t shoot for ZERO

Ancestry
Tracking Golden AMI efficacy with KPI dashboards
(Company profile as on the previous slide)
• Track the Golden AMI based instances and their patch cycles
• Created a KPI dashboard for every business unit to track their adherence to the process
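The two KPIs this slide names, adherence (instances launched from an approved golden AMI) and patch-cycle currency (the golden AMI is recent enough), can be computed from an instance inventory joined to the list of approved AMIs. The Python below is an added example and is not Ancestry's or Qualys' code: the instances, AMI ids, business units and the 30-day patch cycle are constructed assumptions, and the business unit is assumed to come from an owner tag on the instance.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class GoldenAmi:
    ami_id: str
    approved_on: date      # date the AMI passed the pipeline's approval gate


@dataclass(frozen=True)
class Instance:
    instance_id: str
    ami_id: str
    business_unit: str     # assumed to be taken from an owner/cost-center tag


@dataclass
class UnitKpi:
    """Per-business-unit counters behind one row of the dashboard."""
    total: int = 0
    on_golden: int = 0      # launched from any approved golden AMI
    current: int = 0        # golden AMI approved within the patch cycle
    stale: list[str] = field(default_factory=list)       # golden, but older than the cycle
    not_golden: list[str] = field(default_factory=list)  # launched from an unapproved image


def compute_kpis(instances, golden, as_of: date, patch_cycle_days: int = 30) -> dict[str, UnitKpi]:
    """Join the running inventory to the approved AMI list and bucket each instance."""
    golden_by_id = {g.ami_id: g for g in golden}
    kpis: dict[str, UnitKpi] = defaultdict(UnitKpi)
    for inst in instances:
        k = kpis[inst.business_unit]
        k.total += 1
        g = golden_by_id.get(inst.ami_id)
        if g is None:
            k.not_golden.append(inst.instance_id)
            continue
        k.on_golden += 1
        if (as_of - g.approved_on).days > patch_cycle_days:
            k.stale.append(inst.instance_id)   # missed a rebake; flag for the unit
        else:
            k.current += 1
    return dict(kpis)


def adherence_pct(k: UnitKpi) -> float:
    """Share of a unit's instances launched from an approved golden AMI."""
    return round(100.0 * k.on_golden / k.total, 1) if k.total else 0.0


def currency_pct(k: UnitKpi) -> float:
    """Share of a unit's instances on a golden AMI still within the patch cycle."""
    return round(100.0 * k.current / k.total, 1) if k.total else 0.0


def dashboard_rows(kpis: dict[str, UnitKpi]) -> list[tuple]:
    """(unit, instances, adherence %, currency %, stale count, unapproved count)."""
    return [(u, kpis[u].total, adherence_pct(kpis[u]), currency_pct(kpis[u]),
             len(kpis[u].stale), len(kpis[u].not_golden)) for u in sorted(kpis)]


# Constructed inventory: ids, units and dates are made up for this example.
AS_OF = date(2019, 6, 26)
GOLDEN_AMIS = [
    GoldenAmi("ami-GOLD-2019-06", date(2019, 6, 10)),   # 16 days old: within a 30-day cycle
    GoldenAmi("ami-GOLD-2019-05", date(2019, 5, 1)),    # 56 days old: past the cycle
]
INSTANCES = [
    Instance("i-example-01", "ami-GOLD-2019-06", "payments"),
    Instance("i-example-02", "ami-GOLD-2019-05", "payments"),
    Instance("i-example-03", "ami-UNAPPROVED", "payments"),
    Instance("i-example-04", "ami-GOLD-2019-06", "search"),
    Instance("i-example-05", "ami-GOLD-2019-06", "search"),
]


if __name__ == "__main__":
    for row in dashboard_rows(compute_kpis(INSTANCES, GOLDEN_AMIS, AS_OF)):
        print("%-10s instances=%d adherence=%.1f%% current=%.1f%% stale=%d unapproved=%d" % row)
```

Keeping the stale and unapproved instance ids in the result, not just the counts, is what makes the dashboard actionable: the per-unit row says how far a unit is from the process, and the lists say which instances to rebake or retire.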

Web App Security in CI pipeline
Automated integration into sprint cycles
(Diagram: Jenkins CI pipeline running Selenium tests and Qualys WAS scans, with findings filed as Jira issues)
Image source: https://www.smashingmagazine.com/2015/01/basic-test-automation-for-apps-games-and-mobile-web/
26 June 2019, Qualys Inc.
Company Profile: Large payment processing company based out of Europe providing payment gateways for online orders as well as point-of-sale transactions.
INDUSTRY: Electronic Payment Services
REGION: UK
CLOUD: All applications in AWS
QUALYS USAGE: Web Application Scanning, Vulnerability Mgmt., Policy Compliance
Incorporated Qualys-based Web Application Scanning in the Jenkins CI pipeline, covering both the applications and the APIs, as part of testing in the sprint cycle.

Container Image Vulnerability Analysis in CI/CD
Blocking vulnerable images entering repositories
Company Profile: Large US bank
INDUSTRY: Financial
REGION: US
CLOUD: All applications in AWS
QUALYS USAGE: Container Security, Vulnerability Mgmt., Policy Compliance, File Integrity Monitoring
Incorporated Qualys Container Security to scan Docker image builds, covering roughly 50K image pushes per week.

Container Image Vulnerability Analysis in CI/CD
Actionable Information for Developers

Qualys: Security at scale on hybrid clouds
• 19+ products providing a comprehensive suite of security solutions
• 12,000+ customers and active users
• 7 shared cloud platforms across North America, Europe & Asia
• 70+ private cloud platforms deployed globally: on-prem, AWS, Azure, GCP
• 16+ PB storage and 16,000 cores

Qualys Security Apps
Categories on the slide: Asset Management, IT Security, Compliance Monitoring, Web Application Security
• Asset Inventory: discover, normalize, and catalog all global IT assets
• CMDB Sync: synchronize asset information from Qualys into ServiceNow CMDB
• Cloud Inventory: inventory of all your cloud assets across AWS, Azure, GCP and others
• Certificate Inventory: inventory of TLS/SSL digital certificates on a global scale
• Vulnerability Management: continuously detect and protect against attacks, anytime, anywhere
• Threat Protection: pinpoint your most critical threats and prioritize patching
• Continuous Monitoring: alerts you in real time about network irregularities
• Indication of Compromise: continuously monitor endpoints to detect suspicious activity
• Container Security: discover, track, and continuously protect containers
• Cloud Security Assessment: get full visibility and control across all public cloud instances
• Certificate Assessment: assess all your digital certificates for TLS/SSL vulnerabilities
• Patch Management: select, manage, and deploy patches to remediate vulnerabilities
• Policy Compliance: assess security configurations of IT systems throughout your network
• PCI Compliance: automate, simplify and attain PCI compliance quickly
• File Integrity Monitoring: log and track file changes across global IT systems
• Security Assessment Questionnaire: minimize the risk of doing business with vendors and other third parties
• Security Configuration Assessment: automate configuration assessment of global IT assets
• Web Application Scanning: secure web applications with end-to-end protection
• Web Application Firewall: block attacks and virtually patch web application vulnerabilities
Other labels on the slide: “Free Service for External”, “Available on Cloud Agent”

Qualys Sensor Platform: scalable, self-updating & centrally managed
• Physical: legacy data centers, corporate infrastructure; continuous security and compliance scanning
• Virtual: private cloud infrastructure, virtualized infrastructure; continuous security and compliance scanning
• Cloud/Container: commercial IaaS & PaaS clouds; pre-certified in marketplace; fully automated with API orchestration; continuous security and compliance scanning
• Cloud Agents: lightweight, multi-platform; on premise, elastic cloud & endpoints; real-time data collection; continuous evaluation on platform for security and compliance
• Passive: passively sniff on network; real-time device discovery & identification; identification of APT network traffic; extract malware files from network for analysis
• API: integration with threat intel feeds; CMDB integration; log connectors

Resources
“Make it so.” - Captain Picard
GitHub for cloud security: https://github.com/Qualys-Public
Qualys DevOps utilities, CI/CD plugins (Jenkins, Bamboo, ..), REST APIs: https://community.qualys.com/docs/DOC-6814

Thank you!
Hari Srinivasan
hsrinivasan@qualys.com

Build security into your golden AMI pipeline - DEM08 - AWS re:Inforce 2019