© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
DevSecOps: Integrating security into pipelines
Byron Pogson
Solutions Architect
Amazon Web Services
SDD310, AWS re:Inforce 2019
Agenda
What is DevOps?
What about DevSecOps?
Security of the pipeline
Security in the pipeline
Enforcement of the pipeline
Lab
Competing forces
Business
Development: Build it faster
Operations: Keep it stable

Competing forces
Business
DevOps
What is DevOps?
Break down cultural barriers
Work as one team
Support business and IT agility
Collaborate and communicate
Treat infrastructure as code
Automate
Test, measure, and monitor
Culture, process, and tools
Why do organizations adopt DevOps?
Faster time to value
Agility
Quality
Speed
CI vs. CD
Continuous integration: Techniques and tools to implement the continuous process of applying quality control; in general, small pieces of effort, applied frequently, to improve the quality of software, and to reduce the time taken to deliver it.
Continuous deployment: Techniques and tools to improve the process of software delivery, resulting in the ability to rapidly, reliably, and repeatedly push out enhancements and bug fixes to customers at low risk and with minimal manual overhead.
Promotion process in continuous deployment
What is a pipeline?
• Build automation
• Continuous integration
• Deployment automation
• Test automation
• Service orchestration
Competing forces
Business
DevOps
Security: Make it secure
DevSecOps
What is DevSecOps?
DevSecOps is the combination of cultural philosophies, practices, and tools that exploits the advances made in IT automation to achieve a state of production immutability, frequent delivery of business value, and automated enforcement of security policy.
DevSecOps is achieved by integrating and automating the enforcement of preventive, detective, and responsive security controls into the pipeline.
Diagram: Security, Operations, and Development as overlapping circles
Tenets of DevSecOps
Three major components of DevSecOps
Enforcement of the pipeline
Security in the pipeline
Security of the pipeline
A brief word on governance
Security governance is meant to support business objectives by defining policies and controls to manage risk.
Framework → Policies → Business outcomes → Manage risks
Pipeline as a workload
• Securing the application starts with securing the pipeline
• The CI/CD pipeline is a workload
• Its purpose is to integrate and deliver other workloads
• It has users, supporting infrastructure, application, and data components, etc.
• Those components are typically managed as code
The cloud adoption framework
Business
▪ Align business and IT needs
▪ Map IT investments to business results
People
▪ Prioritize cloud-based competencies
▪ Drive organizational readiness
Governance
▪ Manage cloud investments
▪ Measure business outcomes
Platform
▪ Provision cloud applications and infrastructure
▪ Improve cloud services and solutions
Security
▪ Align security and compliance with current requirements
▪ Manage access and authorization
Operations
▪ Monitor and maintain system health and reliability
▪ Observe cloud best practices
Align with the cloud adoption framework
Identity and access management, detective controls, infrastructure controls, data protection, incident response
Some identity and access management risks for pipelines
• Anyone can run build jobs
• Inconsistent user management across build servers
• Pipeline role is too permissive
• Agent (slave) nodes adversely affecting masters
Enforcing least privilege between pipelines
• A pipeline performs one specific job (e.g., a Jenkins/Spinnaker/CodePipeline pipeline that acts as a pipeline factory)
• Pipelines can be limited to blast-radius-based functions:
  • Pipeline factory
  • AMI factory
  • Artifact factory
Exercise: Identity and access management for pipelines wrap-up
• Could you write a user story for the DevOps team managing the pipeline to implement?
• If not, what is missing?
• What are the acceptance criteria for your user story?
• How would you validate your user story?
Detective controls for pipelines
• Who logged in?
• What code was committed and by whom?
• What jobs did they run?
• Did the jobs succeed/fail?
• Was static/dynamic analysis enforced?
• What were the results of the static/dynamic analysis?
Exercise: Detective controls
• What produces logs?
• How are logs produced?
• Where do logs go?
• How do I protect my logs?
• What are the items of interest in my logs?
• At what threshold are those items interesting?
• What should I do when thresholds are exceeded?
Detective controls for pipelines wrap-up
• There are multiple consumers of logs produced by the pipeline
• Fast feedback to the log consumers is critical
• Results of static/dynamic tests are as important as any other audit trail
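The detective questions above become concrete once you write them as rules over the pipeline's audit trail. The following is an added Python example (not code from this deck or from AWS): it answers "what was committed and by whom", flags jobs started by a human rather than an event trigger, flags deployments into a production account by anyone other than the pipeline role, and flags any Deploy stage that ran without a passing static-analysis stage in the same execution. The log records, the role name `PipelineRole`, the account IDs and the execution IDs are all constructed; a real feed would be CloudTrail and CodePipeline events in your log store, mapped to the same fields.

```python
"""Detective controls over a pipeline audit trail.

Added example for the SDD310 deck, not deck or AWS code. The records in
LOG are constructed in a simplified CloudTrail-like shape.
"""
from collections import defaultdict
from dataclasses import dataclass

PIPELINE_ROLE = "PipelineRole"      # constructed name of the pipeline's service role
PROD_ACCOUNTS = {"222222222222"}    # constructed production account ID

ROLE = "arn:aws:sts::111111111111:assumed-role/PipelineRole/codepipeline"

# Constructed audit records; 'actor' is the calling principal's ARN.
LOG = [
    # exec-1: happy path, fully automated, analysis passed before deploy
    {"ts": "2019-06-25T10:00:01Z", "actor": "arn:aws:iam::111111111111:user/alice",
     "action": "GitPush", "execution": "exec-1", "stage": "Source", "result": "SUCCEEDED", "commit": "a1b2c3d"},
    {"ts": "2019-06-25T10:00:05Z", "actor": ROLE,
     "action": "StartPipelineExecution", "execution": "exec-1", "stage": "Source", "result": "SUCCEEDED"},
    {"ts": "2019-06-25T10:02:00Z", "actor": ROLE,
     "action": "StageRun", "execution": "exec-1", "stage": "StaticAnalysis", "result": "SUCCEEDED"},
    {"ts": "2019-06-25T10:05:00Z", "actor": ROLE,
     "action": "StageRun", "execution": "exec-1", "stage": "Deploy", "result": "SUCCEEDED",
     "target_account": "222222222222"},
    # exec-2: a human starts the job, analysis never runs, a human deploys to prod
    {"ts": "2019-06-25T11:00:00Z", "actor": "arn:aws:iam::111111111111:user/bob",
     "action": "StartPipelineExecution", "execution": "exec-2", "stage": "Source", "result": "SUCCEEDED"},
    {"ts": "2019-06-25T11:01:00Z", "actor": ROLE,
     "action": "StageRun", "execution": "exec-2", "stage": "Build", "result": "SUCCEEDED"},
    {"ts": "2019-06-25T11:03:00Z", "actor": "arn:aws:iam::111111111111:user/bob",
     "action": "StageRun", "execution": "exec-2", "stage": "Deploy", "result": "SUCCEEDED",
     "target_account": "222222222222"},
    # exec-3: analysis fails but the deploy stage runs anyway
    {"ts": "2019-06-25T12:00:00Z", "actor": ROLE,
     "action": "StartPipelineExecution", "execution": "exec-3", "stage": "Source", "result": "SUCCEEDED"},
    {"ts": "2019-06-25T12:02:00Z", "actor": ROLE,
     "action": "StageRun", "execution": "exec-3", "stage": "StaticAnalysis", "result": "FAILED"},
    {"ts": "2019-06-25T12:04:00Z", "actor": ROLE,
     "action": "StageRun", "execution": "exec-3", "stage": "Deploy", "result": "SUCCEEDED",
     "target_account": "222222222222"},
]


@dataclass(frozen=True)
class Alert:
    rule: str
    execution: str
    detail: str


def is_human(actor: str) -> bool:
    """IAM users are humans; roles are assumed by services (or by humans,
    which is why production deploys are checked against the exact role)."""
    return ":user/" in actor


def is_pipeline_role(actor: str) -> bool:
    return f":assumed-role/{PIPELINE_ROLE}/" in actor


def committers(log) -> dict:
    """Execution ID -> (actor, commit): what was committed and by whom."""
    return {e["execution"]: (e["actor"], e.get("commit"))
            for e in log if e["action"] == "GitPush"}


def detect(log) -> list:
    """Evaluate the three rules per pipeline execution, in time order."""
    alerts = []
    by_exec = defaultdict(list)
    for e in log:
        by_exec[e["execution"]].append(e)
    for exec_id, events in by_exec.items():
        events.sort(key=lambda e: e["ts"])
        analysis_passed = False            # must be True before any Deploy stage
        for e in events:
            if e["action"] == "StartPipelineExecution" and is_human(e["actor"]):
                alerts.append(Alert("manual_start", exec_id, e["actor"]))
            if e["action"] != "StageRun":
                continue
            if e["stage"] == "StaticAnalysis":
                analysis_passed = e["result"] == "SUCCEEDED"
            elif e["stage"] == "Deploy":
                if e.get("target_account") in PROD_ACCOUNTS and not is_pipeline_role(e["actor"]):
                    alerts.append(Alert("human_prod_deploy", exec_id, e["actor"]))
                if not analysis_passed:
                    alerts.append(Alert("deploy_without_passing_analysis", exec_id,
                                        "StaticAnalysis missing or failed before Deploy"))
    return alerts


if __name__ == "__main__":
    for exec_id, (who, commit) in committers(LOG).items():
        print(f"{exec_id}: commit {commit} pushed by {who}")
    for a in detect(LOG):
        print(f"ALERT {a.rule} {a.execution}: {a.detail}")
```

Each alert names the execution ID, so the consumer can pull the full trail for that run; the "deploy without passing analysis" rule deliberately treats a missing stage the same as a failed one, because an attacker who can edit the pipeline definition will remove the stage rather than fail it.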
Infrastructure security risks to pipelines
• Who has access to underlying infrastructure resources?
• How are pipelines patched and updated?
• How is least privilege between pipelines enforced?
• Are my pipelines deploying into approved AWS accounts?
• Does the pipeline align with organizational responsibility?
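Two of the risks above, a pipeline role that is too permissive and a pipeline that can deploy into an account nobody approved, can be checked mechanically against the role's policy document. The following Python linter is an added example (not code from this deck or from AWS): it flags wildcard actions, `Resource: "*"` combined with mutating actions, and any resource ARN whose account is not in an approved set, then shows a scoped policy that passes. The policy documents, role names and twelve-digit account IDs are constructed; in practice you would fetch the role's attached and inline policies with the IAM API and run them through the same function as a pipeline-factory gate.

```python
"""Lint a pipeline role's IAM policy for over-permission and for
resources (deploy targets) outside the approved account set.

Added example for the SDD310 deck, not AWS or deck code. Policies,
role names and account IDs below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed: the only accounts this pipeline may deploy into.
APPROVED_ACCOUNTS = {"111111111111", "222222222222"}

# Constructed "before": a role that can do anything anywhere and can
# assume a deploy role in an account nobody approved.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::333333333333:role/DeployRole"},
    ],
}

# Constructed "after": one job (move artifacts, assume the deploy role),
# named resources, cross-account only into approved accounts.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-artifacts/*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": ["arn:aws:iam::111111111111:role/DeployRole",
                      "arn:aws:iam::222222222222:role/DeployRole"]},
    ],
}

# Captures the 12-digit account ID from an ARN. Services such as S3
# leave that field empty, so their ARNs simply do not match.
ARN_ACCOUNT = re.compile(r"^arn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:(\d{12}):")


@dataclass(frozen=True)
class Finding:
    statement: int   # index into the policy's Statement list
    issue: str


def _as_list(value):
    """IAM accepts either a single string or a list in Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action: str) -> bool:
    """Rough read-only test on the verb: Get*/List*/Describe*. '*' never is."""
    _, _, verb = action.partition(":")
    return action != "*" and verb.startswith(("Get", "List", "Describe"))


def review_policy(policy: dict, approved_accounts: set) -> list:
    """One Finding per wildcard action, per 'Resource: *' paired with
    mutating actions, and per resource ARN in an unapproved account."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(Finding(i, f"wildcard action {action!r}"))

        # Some Describe*/List* calls genuinely require Resource "*";
        # only complain when "*" is paired with something that mutates.
        mutating = [a for a in actions if not _is_read_only(a)]
        if "*" in resources and mutating:
            findings.append(Finding(i, f"Resource '*' with mutating actions {mutating}"))

        for arn in resources:
            match = ARN_ACCOUNT.match(arn)
            if match and match.group(1) not in approved_accounts:
                findings.append(Finding(i, f"resource in unapproved account {match.group(1)}: {arn}"))
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        found = review_policy(policy, APPROVED_ACCOUNTS)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  Statement[{f.statement}]: {f.issue}")
```

The account check is the one that enforces "approved AWS accounts": a role whose policy only names resources in approved accounts cannot assume a deploy role elsewhere, regardless of what the pipeline definition says.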
Infrastructure as code is a practice where traditional infrastructure management techniques are supplemented and often replaced by using code-based tools and software development techniques.
AWS resources: Amazon Virtual Private Cloud (Amazon VPC), Amazon Elastic Compute Cloud (Amazon EC2), AWS Identity and Access Management (IAM), Amazon Relational Database Service (Amazon RDS), Amazon Simple Storage Service (Amazon S3), AWS CodePipeline. Managed with AWS CloudFormation.
Operating system and host configuration: Windows registry, Linux networking, OpenSSH, LDAP, centralized logging, system metrics, deployment agents, host monitoring. Managed with AWS Systems Manager / AWS Secrets Manager.
Application configuration: application dependencies, application configuration, service registration, management scripts, database credentials. Managed with AWS CodeDeploy.
Infrastructure security for pipelines wrap-up
• The pipeline is a workload and needs to be treated with the same rigor as other critical infrastructure
• Build a pipeline factory that builds pipelines from known-good configurations
• Deploy workloads into known-good environments
Data protection risks for pipelines
• Who can change/commit code?
• How is production data prevented from being introduced into non-prod environments?
• How is artifact integrity maintained?
Top data protection best practices
• Control access and permissions to the code repository
• Trigger builds automatically (time-based or event-based)
• Use tokenization or dummy data in non-production environments
• Categorize data and enforce restrictions through the pipeline
  • For example, a pipeline configured to build the dev environment is not allowed to pull production data from the repo
Data protection for pipelines wrap-up
• Control access and permissions to the source repository: artifacts are critical data for your pipeline
• Build pipelines that are environment-aware (e.g., prod vs. non-prod)
• Build artifact handlers to validate integrity across pipelines and environments
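An artifact handler of the kind the wrap-up asks for, as an added Python example (not code from this deck or from AWS). The build stage records the artifact's SHA-256 and the environment it was built for in a manifest; the deploy stage refuses the artifact if the hash differs, if the manifest was edited, or if it is being promoted into an environment it was not built for. The deck only says "hash verification", so the HMAC over the manifest is an assumption added here: a bare hash travelling next to the artifact can be recomputed by whoever replaced the artifact, while a MAC under a key only the build and deploy roles can use cannot. The key, artifact bytes, environment names and version are constructed; in practice the key would come from AWS Secrets Manager or a KMS key scoped to those two roles.

```python
"""Build-time artifact manifest and deploy-time verification.

Added example for the SDD310 deck, not deck or AWS code. The HMAC over
the manifest is an assumption beyond the deck's 'hash verification'.
"""
import hashlib
import hmac
import json

# Constructed demo key: never hard-code in a real pipeline.
MANIFEST_KEY = b"constructed-demo-key-do-not-use"

ENVIRONMENTS = ("dev", "test", "prod")   # constructed environment names


def _manifest_mac(body: dict) -> str:
    """MAC over a canonical JSON encoding so key order cannot matter."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(MANIFEST_KEY, payload, hashlib.sha256).hexdigest()


def build_manifest(artifact: bytes, name: str, version: str, target_env: str) -> dict:
    """Build stage: hash the artifact, bind it to one target environment,
    and MAC the whole record."""
    if target_env not in ENVIRONMENTS:
        raise ValueError(f"unknown environment {target_env!r}")
    body = {"name": name, "version": version, "target_env": target_env,
            "sha256": hashlib.sha256(artifact).hexdigest()}
    return {**body, "mac": _manifest_mac(body)}


def verify_for_deploy(artifact: bytes, manifest: dict, deploy_env: str) -> tuple:
    """Deploy stage gate. Returns (ok, reason). Order matters: trust the
    manifest first, then the bytes, then the environment binding."""
    body = {k: v for k, v in manifest.items() if k != "mac"}
    if not hmac.compare_digest(manifest.get("mac", ""), _manifest_mac(body)):
        return False, "manifest MAC mismatch"
    actual = hashlib.sha256(artifact).hexdigest()
    if not hmac.compare_digest(actual, body["sha256"]):
        return False, "artifact sha256 mismatch"
    if body["target_env"] != deploy_env:
        return False, f"artifact built for {body['target_env']}, deploy target is {deploy_env}"
    return True, "ok"


# Constructed artifact: a trivial deploy script standing in for a real bundle.
ARTIFACT = b"#!/bin/sh\necho 'web-app 1.4.2'\n"
PROD_MANIFEST = build_manifest(ARTIFACT, "web-app", "1.4.2", "prod")


def demo() -> dict:
    """The cases a handler must catch, each mapped to its gate result."""
    dev_manifest = build_manifest(ARTIFACT, "web-app", "1.4.2", "dev")
    # Attacker edits the environment label but cannot recompute the MAC.
    relabelled = {**dev_manifest, "target_env": "prod"}
    return {
        "clean": verify_for_deploy(ARTIFACT, PROD_MANIFEST, "prod"),
        "tampered_artifact": verify_for_deploy(ARTIFACT + b"echo backdoor\n", PROD_MANIFEST, "prod"),
        "relabelled_manifest": verify_for_deploy(ARTIFACT, relabelled, "prod"),
        "wrong_environment": verify_for_deploy(ARTIFACT, dev_manifest, "prod"),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:20s} {'ALLOW' if ok else 'BLOCK'}: {reason}")
```

The environment binding is what makes the pipeline environment-aware in the sense of the wrap-up: a dev build cannot be promoted into prod by copying it between buckets, it has to be rebuilt (or re-signed) by a pipeline that is allowed to target prod.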
Incident detection
Amazon GuardDuty, Amazon Macie, Amazon Inspector, AWS Security Hub

Incident response
Security in the pipeline
Code: code analysis
Build: dependencies
Test: vulnerability scan
Deploy: hash verification
Monitor: automated
Security in the pipeline
Static analysis
• Infrastructure as code
• Security as code
Dynamic analysis
• Unit tests
• Integration tests
• System tests
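Static analysis of infrastructure as code is where "security as code" is most tangible: the policy is a function over the template, and the Code stage fails when it returns findings. The following is an added Python example (not code from this deck or from AWS, and not a substitute for a full linter such as the ones AWS and the community publish): three rules run over a CloudFormation template in JSON form, one per layer the pipeline depends on. The templates, resource names and the three rules themselves are constructed for illustration; the property names are standard CloudFormation.

```python
"""Security-as-code static check over a CloudFormation template (JSON).

Added example for the SDD310 deck, not deck or AWS code. Both templates
are constructed. Rules: artifact buckets declare encryption explicitly,
build security groups are not open to the world, and the pipeline role
cannot be assumed by an arbitrary principal.
"""
import json

# Constructed template that violates all three rules.
BAD_TEMPLATE = json.loads("""{
  "Resources": {
    "ArtifactBucket": {"Type": "AWS::S3::Bucket",
      "Properties": {"BucketName": "example-artifacts"}},
    "BuildAgentSg": {"Type": "AWS::EC2::SecurityGroup",
      "Properties": {"GroupDescription": "build agents",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "PipelineRole": {"Type": "AWS::IAM::Role",
      "Properties": {"AssumeRolePolicyDocument": {"Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                       "Action": "sts:AssumeRole"}]}}}
  }
}""")

# Constructed template with the same resources, corrected.
GOOD_TEMPLATE = json.loads("""{
  "Resources": {
    "ArtifactBucket": {"Type": "AWS::S3::Bucket",
      "Properties": {"BucketName": "example-artifacts",
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
          {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
    "BuildAgentSg": {"Type": "AWS::EC2::SecurityGroup",
      "Properties": {"GroupDescription": "build agents",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/16"}]}},
    "PipelineRole": {"Type": "AWS::IAM::Role",
      "Properties": {"AssumeRolePolicyDocument": {"Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "codepipeline.amazonaws.com"},
                       "Action": "sts:AssumeRole"}]}}}
  }
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _open_to_world(rule: dict) -> bool:
    return rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"


def _trusts_anyone(trust_policy: dict) -> bool:
    """True if any Allow statement names '*' as principal, in either form."""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])):
            return True
    return False


def check_template(template: dict) -> list:
    """Return (logical_id, rule_id) for every violation in the template."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::S3::Bucket" and "BucketEncryption" not in props:
            findings.append((logical_id, "S3_NO_EXPLICIT_ENCRYPTION"))
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if _open_to_world(rule):
                    findings.append((logical_id, f"SG_INGRESS_WORLD_OPEN_PORT_{rule.get('FromPort')}"))
        elif rtype == "AWS::IAM::Role" and _trusts_anyone(props.get("AssumeRolePolicyDocument", {})):
            findings.append((logical_id, "ROLE_ASSUMABLE_BY_ANY_PRINCIPAL"))
    return findings


if __name__ == "__main__":
    findings = check_template(BAD_TEMPLATE)
    for logical_id, rule_id in findings:
        print(f"{logical_id}: {rule_id}")
    raise SystemExit(1 if findings else 0)   # non-zero exit fails the stage
```

The non-zero exit is the enforcement: the check only counts as "security in the pipeline" if the stage cannot be skipped and the pipeline stops on findings rather than reporting them somewhere nobody reads.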
Separation of duty – Multi-account strategy
AWS Organizations account with member accounts: Sandbox, Dev, Test, Production, Security, Tools

Separation of duty – Multi-account strategy
Tools → Dev → Test → Prod
No more humans in production
Tools → Dev → Test → Prod
Three major components to DevSecOps
Security of the pipeline
Security in the pipeline
Enforcement of the pipeline
DevSecOps benefits
• Confidence that workloads and changes are validated against corporate security
policies
• Consistency and repeatability of security validation
• Match the business’ pace of innovation
• Security at scale!
Lab time!
• Download the lab bundle here: https://tinyurl.com/yx9yuhxg
• Open and follow the Readme.pdf
• Join/create a group of four and come up here for a temp account
• Once you have an account go to https://dashboard.eventengine.run/login and
enter your code
Thank you!
Byron Pogson
bpogson@amazon.com
CI/CD Pipeline Security: Advanced Continuous Delivery Best Practices: Securit...
 
DevOps, CI/CD, cost management, and security on AWS
DevOps, CI/CD, cost management, and security on AWSDevOps, CI/CD, cost management, and security on AWS
DevOps, CI/CD, cost management, and security on AWS
 
Stages of Adoption leading to Complete Migration
Stages of Adoption leading to Complete MigrationStages of Adoption leading to Complete Migration
Stages of Adoption leading to Complete Migration
 
Safeguarding the integrity of your code for fast, secure deployments - SVC301...
Safeguarding the integrity of your code for fast, secure deployments - SVC301...Safeguarding the integrity of your code for fast, secure deployments - SVC301...
Safeguarding the integrity of your code for fast, secure deployments - SVC301...
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

DevSecOps: Integrating security into pipelines - SDD310 - AWS re:Inforce 2019

Slide 1: DevSecOps: Integrating security into pipelines
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Byron Pogson, Solutions Architect, Amazon Web Services
SDD310

Slide 2: Agenda
• What is DevOps?
• What about DevSecOps?
• Security of the pipeline
• Security in the pipeline
• Enforcement of the pipeline
• Lab

Slide 3: Competing forces
• Business
• Development: Build it faster
• Operations: Keep it stable

Slide 4: Competing forces
• Business
• DevOps

Slide 5: What is DevOps?
• Break down cultural barriers
• Work as one team
• Support business and IT agility
• Collaborate and communicate
• Treat infrastructure as code
• Automate
• Test, measure, and monitor
(Three dimensions: culture, process, tools)

Slide 6: Why do organizations adopt DevOps?
• Faster time to value
• Agility
• Quality
• Speed

Slide 7: CI vs. CD
• Continuous integration: Techniques and tools to implement the continuous process of applying quality control; in general, small pieces of effort, applied frequently, to improve the quality of software and to reduce the time taken to deliver it.
• Continuous deployment: Techniques and tools to improve the process of software delivery, resulting in the ability to rapidly, reliably, and repeatedly push out enhancements and bug fixes to customers at low risk and with minimal manual overhead.

Slide 8: Promotion process in continuous deployment (diagram)

Slide 9: What is a pipeline?
• Build automation
• Continuous integration
• Deployment automation
• Test automation
• Service orchestration

Slide 10: (image only)

Slide 11: Competing forces
• Business
• DevOps
• Security: Make it secure
• DevSecOps

Slide 12: What is DevSecOps?
DevSecOps is the combination of cultural philosophies, practices, and tools that exploits the advances made in IT automation to achieve a state of production immutability, frequent delivery of business value, and automated enforcement of security policy. DevSecOps is achieved by integrating and automating the enforcement of preventive, detective, and responsive security controls into the pipeline.
(Diagram: Development, Security, Operations)

Slide 13: Tenets of DevSecOps (diagram)

Slide 14: Three major components of DevSecOps
• Security of the pipeline
• Security in the pipeline
• Enforcement of the pipeline

Slide 15: A brief word on governance
Security governance is meant to support business objectives by defining policies and controls to manage risk.
(Diagram: Framework, Policies, Business outcomes, Manage risks)

Slide 16: (image only)

Slide 17: Pipeline as a workload
• Securing the application starts with securing the pipeline
• The CI/CD pipeline is a workload
• Its purpose is to integrate and deliver other workloads
• It has users, supporting infrastructure, application, and data components, etc.
• Those components are typically managed as code

Slide 18: The cloud adoption framework
1. Business: Align business and IT needs; map IT investments to business results
2. People: Prioritize cloud-based competencies; drive organizational readiness
3. Governance: Manage cloud investments; measure business outcomes
4. Platform: Provision cloud applications and infrastructure; improve cloud services and solutions
5. Security: Align security and compliance with current requirements; manage access and authorization
6. Operations: Monitor and maintain system health and reliability; observe cloud best practices

Slide 19: Align with the cloud adoption framework (diagram)

Slide 20: Align with the cloud adoption framework
• Identity and access management
• Detective controls
• Infrastructure controls
• Data protection
• Incident response

Slide 21: Some identity and access management risks for pipelines
• Anyone can run build jobs
• Consistent user management across build servers
• Pipeline role is too permissive
• Slave node adverse effects on masters

Slide 22: Enforcing least privilege between pipelines
• Pipeline can perform a specific job (e.g., Jenkins/Spinnaker/CodePipeline is a pipeline factory)
• Pipelines can be limited to blast-radius-based functions:
  • Pipeline factory
  • AMI factory
  • Artifact factory

Slide 23: Exercise: Identity and access management for pipelines wrap-up
• Could you write a user story for the DevOps team managing the pipeline to implement?
• If not, what is missing?
• What are the acceptance criteria for your user story?
• How would you validate your user story?

Slide 24: Align with the cloud adoption framework (same list as slide 20)

Slide 25: Detective controls for pipelines
• Who logged in?
• What code was committed, and by whom?
• What jobs did they run?
• Did the jobs succeed/fail?
• Was static/dynamic analysis enforced?
• What were the results of the static/dynamic analysis?

Slide 26: Exercise: Detective controls
• What produces logs?
• How are logs produced?
• Where do logs go?
• How do I protect my logs?
• What are the items of interest in my logs?
• At what threshold are those items interesting?
• What should I do when thresholds are exceeded?

Slide 27: Detective controls for pipelines wrap-up
• There are multiple consumers of logs produced by the pipeline
• Fast feedback to the log consumers is critical
• Results of static/dynamic tests are as important as any other audit trail

Slide 28: Align with the cloud adoption framework (same list as slide 20)

Slide 29: Infrastructure security risks to pipelines
• Who has access to underlying infrastructure resources?
• How are pipelines patched and updated?
• How is least privilege between pipelines enforced?
• Are my pipelines deploying into approved AWS accounts?
• Does the pipeline align with organizational responsibility?

Slide 30: Infrastructure as code
Infrastructure as code is a practice where traditional infrastructure management techniques are supplemented, and often replaced, by code-based tools and software development techniques.

Slide 31: Infrastructure as code layers (table, with the tool shown beneath each column)
• AWS resources (AWS CloudFormation): Amazon Virtual Private Cloud (Amazon VPC), Amazon Elastic Compute Cloud (Amazon EC2), AWS Identity and Access Management (IAM), Amazon Relational Database Service (Amazon RDS), Amazon Simple Storage Service (Amazon S3), AWS CodePipeline
• Operating system and host configuration (AWS Systems Manager / AWS Secrets Manager): Windows registry, Linux networking, OpenSSH, LDAP, centralized logging, system metrics, deployment agents, host monitoring
• Application configuration (AWS CodeDeploy): application dependencies, application configuration, service registration, management scripts, database credentials

Slide 32: Infrastructure security for pipelines wrap-up
• The pipeline is a workload and needs to be treated with the same rigor as other critical infrastructure
• Build a pipeline factory to build pipelines from known good configurations
• Deploy workloads into known good environments

Slide 33: Align with the cloud adoption framework (same list as slide 20)

Slide 34: Data protection risks for pipelines
• Who can change/commit code?
• How is production data prevented from being introduced into non-prod environments?
• How is artifact integrity maintained?

Slide 35: Top data protection best practices
• Control access and permissions to the code repository
• Trigger builds automatically (time-based or event-based)
• Use tokenization or dummy data in non-production environments
• Categorize data and enforce restrictions through the pipeline
  • For example, a pipeline configured to build the dev environment is not allowed to pull production data from the repo

Slide 36: Data protection for pipelines wrap-up
• Control access and permissions to the source repository: artifacts are critical data for your pipeline
• Build pipelines that are environment-aware (e.g., prod vs. non-prod)
• Build artifact handlers to validate integrity across pipelines and environments

Slide 37: Align with the cloud adoption framework (same list as slide 20)

Slide 38: Incident detection
• Amazon GuardDuty
• AWS Security Hub
• Amazon Macie
• Amazon Inspector

Slide 39: Incident response (diagram)

Slide 40: Align with the cloud adoption framework (same list as slide 20)

Slide 41: Security in the pipeline (one control per stage)
• Code: code analysis
• Build: dependencies
• Test: vulnerability scan
• Deploy: hash verification
• Monitor: automated

Slide 42: Security in the pipeline
• Static analysis: infrastructure as code; security as code
• Dynamic analysis: unit tests; integration tests; system tests

Slide 43: (image only)

Slide 44: Separation of duty – Multi-account strategy
AWS Organizations account with separate accounts for Sandbox, Dev, Test, Production, Security, and Tools

Slide 45: Separation of duty – Multi-account strategy
Tools, Dev, Test, Prod

Slide 46: No more humans in production
Tools, Dev, Test, Prod

Slide 47: Three major components of DevSecOps
• Security of the pipeline
• Security in the pipeline
• Enforcement of the pipeline

Slide 48: DevSecOps benefits
• Confidence that workloads and changes are validated against corporate security policies
• Consistency and repeatability of security validation
• Match the business' pace of innovation
• Security at scale!

Slide 49: Lab time!
• Download the lab bundle here: https://tinyurl.com/yx9yuhxg
• Open and follow the Readme.pdf
• Join/create a group of four and come up here for a temp account
• Once you have an account, go to https://dashboard.eventengine.run/login and enter your code

Slide 50: Thank you!
Byron Pogson, bpogson@amazon.com
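Slides 36, 41 and 42 describe three controls without showing one: static analysis of infrastructure as code ("security as code"), hash verification of build artifacts at the deploy stage, and an environment-aware pipeline that refuses to deploy where it is not allowed to. The following is an added example of such a gate, written for this page; it is not code from the deck, the lab bundle, or any AWS tool. It assumes a CloudFormation template already parsed into a Python dict, a manifest of SHA-256 digests that the build stage recorded for each artifact, and a single environment label that the pipeline is permitted to target; the template, artifact bytes and manifest at the bottom are constructed sample input, and the wildcard and public-access thresholds it flags are this gate's own policy, not an AWS rule.

```python
"""Pipeline security gate: lint infrastructure as code, then verify artifact
digests and the target environment before a deploy is allowed.

Added example, not from the re:Inforce deck or any AWS tool. The template,
artifact bytes and manifest below are constructed sample input.
"""
import hashlib
import hmac


def _as_list(value):
    """CloudFormation accepts a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _statements(resource):
    """Yield every policy statement in an IAM Role, Policy or ManagedPolicy."""
    props = resource.get("Properties", {})
    docs = [props.get("PolicyDocument")]
    docs += [p.get("PolicyDocument") for p in props.get("Policies", [])]
    for doc in docs:
        if doc:
            yield from _as_list(doc.get("Statement", []))


def lint_template(template):
    """Return findings for a parsed CloudFormation template (a dict).

    Flags Allow statements with a bare "*" or service-wide "svc:*" Action,
    Allow statements with Resource "*", and S3 buckets that do not set
    PublicAccessBlockConfiguration (thresholds are this gate's assumption).
    """
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        if rtype.startswith("AWS::IAM::"):
            for st in _statements(res):
                if st.get("Effect") != "Allow":
                    continue
                for action in _as_list(st.get("Action", [])):
                    if action == "*" or action.endswith(":*"):
                        findings.append(f"{name}: wildcard action {action!r}")
                if "*" in _as_list(st.get("Resource", [])):
                    findings.append(f"{name}: wildcard resource")
        elif rtype == "AWS::S3::Bucket":
            if "PublicAccessBlockConfiguration" not in res.get("Properties", {}):
                findings.append(f"{name}: no PublicAccessBlockConfiguration")
    return findings


def sha256_hex(data):
    """Hex SHA-256 of an artifact, as the build stage would record it."""
    return hashlib.sha256(data).hexdigest()


def verify_artifact(name, data, manifest):
    """True only if the digest matches the build-stage manifest; an artifact
    missing from the manifest fails rather than being skipped."""
    expected = manifest.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def deploy_gate(template, artifacts, manifest, target_env, pipeline_env):
    """Decide whether a deploy may proceed; returns (ok, reasons).

    pipeline_env is the one environment this pipeline may deploy to. Every
    failing check is reported, not just the first, so log consumers get
    all of the feedback from one run.
    """
    reasons = []
    if target_env != pipeline_env:
        reasons.append(f"pipeline for {pipeline_env!r} may not deploy to {target_env!r}")
    reasons.extend(lint_template(template))
    for name, data in artifacts.items():
        if not verify_artifact(name, data, manifest):
            reasons.append(f"{name}: digest mismatch or not in manifest")
    return (not reasons, reasons)


# Constructed sample input: an over-permissive build role next to a bucket
# that does block public access.
SAMPLE_TEMPLATE = {"Resources": {
    "BuildRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow",
            "Principal": {"Service": "codebuild.amazonaws.com"},
            "Action": "sts:AssumeRole"}]},
        "Policies": [{"PolicyName": "build", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:*"],
             "Resource": "*"}]}}]}},
    "ArtifactBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "BlockPublicPolicy": True,
            "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}},
}}
SAMPLE_ARTIFACT = b"app.zip contents (constructed)"
SAMPLE_MANIFEST = {"app.zip": sha256_hex(SAMPLE_ARTIFACT)}

if __name__ == "__main__":
    ok, reasons = deploy_gate(SAMPLE_TEMPLATE, {"app.zip": SAMPLE_ARTIFACT},
                              SAMPLE_MANIFEST, "prod", "dev")
    print("deploy allowed" if ok else "deploy blocked:", *reasons, sep="\n  ")
```

Run as a script, the sample is blocked for three reasons: the dev pipeline is targeting prod, and the build role carries both a service-wide `s3:*` action and a `*` resource. The artifact itself passes because its digest matches the manifest; flip one byte and it fails too. In a real pipeline the manifest would be written by the build stage and read back by the deploy stage, which is what gives the hash check its value: an artifact altered between those two stages no longer matches.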