Introduction to DevSecOps

© 2016 AWS and affiliates, all rights reserved
Introduction to DevSecOps on AWS

What is DevOps?
Cultural
Philosophy
Practices Tools

Competing Forces
Business
Development Operations
Build it faster Keep it stable
Security
Make it
secure

Who is DevSecOps
DevSecOps is
• Team/Community effort, not a person
• Automated and autonomous security
• Security at scale
DevSecOps role
• Not there to audit code
• Implement the control segments to validate and audit code and artifacts as part of
the CI/CD process
Security
OperationsDevelopment

Terminology
DevSecOps / Security Automation / Security at Scale
Make up your mind…

Why security automation
Reduce risk of human error
- Automation is effective
- Automation is reliable
- Automation is scalable

Reduce risk of human error
- Automation is effective
- Automation is reliable
- Automation is scalable
Don’t worry…we still need humans

High pace of innovation is great

We also want high pace of:
• Detection
• Alerting
• Remediation
• Countermeasures
• Forensics

What is DevSecOps
Three flavors
- Security of the CI/CD Pipeline
- Automated IAM roles, Jenkins server hardening, etc.
- Security in the CI/CD Pipeline
- Automated security tests, code analysis, etc.
- Security Automation
- Automated Incident Response Remediation, forensics, etc.

Security in/of the CI/CD Pipeline

What is DevSecOps
DevOps = Efficiencies that speed up this lifecycle
DevSecOps = Validate building blocks without slowing lifecycle
developers customers
releasetestbuild
plan monitor
delivery pipeline
feedback loop
Software development lifecycle
Security

CI/CD for DevOps
Version
Control
CI Server
Package
Builder
Deploy
Server
Commit to
Git/masterDev
Get /
Pull
Code
AMIs
Send Build Report to Dev
Stop everything if build failed
Distributed Builds
Run Tests in parallel
Staging Env
Test Env
Code
Config
Tests
Prod Env
Push
Config
Install
Create
Repo
CloudFormation
Templates for Environment
Generate

Version
Control
CI Server
Package
Builder
Promote
Process
Validate
Git-SecretsDev
Get /
Pull
Code
AMIs
Log for audit
Staging Env
Test Env
Code
Config
Tests
Prod Env
Audit/Validate
Config
Checksum
Continuous
Scan
CI/CD for DevSecOps
Send Build Report to Security
Stop everything if audit/validation failed
CloudFormation
Templates for Environment

What Does DevSecOps CI/CD Give Us?
• Confidence that our code is validated against corporate security
policies.
• Avoid infrastructure/application failure in a later deployment due to
different security configuration
• Match DevOps pace of innovation
• Audit and alert
• Security at scale!

Security Automation

AWS CloudFormation primer
Infrastructure is code

AWS CloudFormation Primer
Allows you to define a “template”
• Composed of different “resources”
• Provision that template into repeatable, live, “stacks”.
CloudFormation (CFn) provides a single service interface
• Let CFn perform state changes and govern who calls CFn
Treat as Code
• Check in your templates
CFn templates can hook into external configuration management frameworks
• Jenkins/Chef/Puppet/etc.

AWS CloudFormation Stacks
JSON/YAML
Template
Stack Stack Stack
Dev
Test
Staging
Prod
Demos
Regions

Split Ownership Configurations
Who knows your solution best?
• Dev, Infra, Sec…?
• Delegate ownership
• Infra – VPC design, IGW Deployment, Subnets, etc
• DevOps – EC2, Elastic BeanStalk, RDS, DynamoDB, etc
• OS Patching, Security Agent Deployments, IAM Roles, etc
Use Yaml and split file into chunks or functions
• Separate file sources with access control – Use IAM/VPC-E/etc.
• Push files -> Validate -> Merge files -> Validate -> Deploy -> Validate
AWS CodePipeline or Jenkins for deployment
• Promotion flows
• Move from manual to Automation based on validation quality
• Excellent for merging jobs of split configurations

Merging
From single file or multiple files
• Maintain access control using policies
• Use different source stores if needed
Based on function/state
Reusable patterns
Maintain order, especially of validation
• Security validation last to execute
• Security should always win

Validation
Keep track of what section
you are validating
• Stage vs Prod
• Merged vs separated
Validate often and log/alert
• Validate part and end result
• Run-time validation
Tools
• AWS CodeCommit
• AWS CodeBuild
• AWS Lambda
• Config / Config Rules
• CloudWatch Logs / CloudWatch Events
• Etc.

Where else can this be applied?
CloudFormation
Template
Task Definition Application
Specification File
(AppSpec file)
…and more.
AWS CloudFormation AWS CodeDeployAmazon EC2 Container Service

AWS Tooling
Execution
• Lambda
Tracking
• AWS Config Rules
• Amazon CloudWatch Events
• AWS CloudTrail
• AWS Inspector
Track/Log
• Amazon CloudWatch Logs
• Amazon DynamoDB
Alert
• SNS
Third party Open Source

Other resources / Open Source
• Some of the projects out there:
– ThreatResponse.cloud https://threatresponse.cloud
– Cloud Custodian https://github.com/capitalone/cloud-custodian
– Security Monkey https://github.com/Netflix/security_monkey
– FIDO https://github.com/Netflix/Fido
• And many more…

Automatic Incident Response
Remediation

Creating a blueprint
Continuous /
Event based
Config Rules
CloudWatch
Events
Is it region
specific
Will action risk
breaking
something
Yes: Call human
No: Lambda
Will enable add
cost
Yes: Based on
possible cost
limit call
human
No/Minor: Set
rules
Is there a source
of truth
Config Rules:
Check previous
•Caution on
multiple events
CWE: Check
tag/DDB
•Have default
value
Action
Revert change
based on above
Forensic
Is it human (or
unknown
source) or
machine
(CI/CD)
CI/CD: Create
ticket (Jira etc)
Human: Should
we
countermeasur
e/prevent?
Are they using
MFA
•No: Add MFA
(external Lambda)
First occurrence
(check DDB)
•Yes: Disable
account/Keys
Alert
High:
SMS/Page
Low:
Email/tracking
system
Logging
Is it sensitive
Yes: Encrypt
(KMS)
No: Cleartext
Always: Access
control

The anatomy of security automation
Mode
Section Actions
Initiate
React Config Rules / CloudWatch Events / Log Parsing
Trigger Lambda
Learn Lambda / CloudWatch Logs
Execution
Priority Action Restart service, delete user, etc.
Forensics Discover: Who/where/when, allowed to execute?
Countermeasure Disable access keys, isolate instance, etc.
Alert Text/Page, email, ticket system
Logging Database, ticket system, encrypt data?

How do I know what happened - Config

The key to Custom Rules
response = client.put_evaluations(
Evaluations=[
{
'ComplianceResourceType': 'string',
'ComplianceResourceId': 'string',
'ComplianceType': 'COMPLIANT'|'NON_COMPLIANT'|'NOT_APPLICABLE'|'INSUFFICIENT_DATA',
'Annotation': 'string',
'OrderingTimestamp': datetime(2015, 1, 1) },
],
ResultToken='string’
)

How do I know what happened – CloudWatch Events
{
”account”: “111111111111”,
”region”: “us-east-1”,
”detail”: {
”eventVersion”: “1.02”,
”eventID”: “c78ce8de-46ee-4fea-bcf4-0e889d419f2f”,
”eventTime”: “2016-01-18T03:32:18Z”,
”requestParameters”: {
”userName”: “trigger”
},
”eventType”: “AwsApiCall”,
”responseElements”: {
”user”: {
”userName”: “trigger”,
”path”: “/”,
”createDate”: “Jan 18, 2016 3:32:18 AM”,
”userId”: “AIDAIKL7LKTAUFPNJQ3LY”,
”arn”: “arn:aws:iam::111111111111:user/trigger”
}
},
”awsRegion”: “us-east-1”,
”eventName”: “CreateUser”,
”userIdentity”: {
”userName”: “IAM-API-RW”,
”principalId”: “AIDAI5SJPHVGH1WK7HTQS”,
”accessKeyId”: “AKIAIGYEYSX4EVED52YA”,
”type”: “IAMUser”,
”arn”: “arn:aws:iam::111111111111:user/IAM-API-RW”,
”accountId”: “111111111111”
},
”eventSource”: “iam.amazonaws.com”,
”requestID”: “13bb2739-bd94-11e5-9abd-af4e7ff9090f”,
”userAgent”: “aws-cli/1.9.20 Python/2.7.10 Darwin/15.2.0
botocore/1.3.20”,
”sourceIPAddress”: “111.112.113.114”
},
”detail-type”: “AWS API Call via CloudTrail”,
”source”: “aws.iam”,
”version”: “0”,
”time”: “2016-01-18T03:32:18Z”,
”id”: “d818DD19-7b16-4e1d-a491-794a26b51657”,

Different sources have different event
”userIdentity”: {
”userName”: “IAM-API-RW”,
”principalId”: “AIDAI5RTPJGHE43K7GEQS”,
”accessKeyId”: “AKIADSJGHSXRKVDM52DA”,
”type”: “IAMUser”,
”arn”: “arn:aws:iam::111111111111:user
”accountId”: “111111111111”
"userIdentity": {
"principalId": "AROGKTYFTCBFKTESCEVK:henrikj",
"accessKeyId": ”GFSHKUOLZG53JE5DHKRC",
"sessionContext": {
"sessionIssuer": {
"userName": ”AssumeAdministrator",
"type": "Role",
"arn": "arn:aws:iam::111111111111:role/Administrator",
"principalId": "AROSKTRDFTXBUFLSKCEVK",
"accountId": " 111111111111 "
},
"attributes": {
"creationDate": "2016-01-18T16:50:04Z",
"mfaAuthenticated": "false"
}
},
"type": "AssumedRole",
"arn": "arn:aws:sts::111111111111:assumed-
role/Administrator/henrikj",
"accountId": "111111111111"

How can I get the different events?
import json
def lambda_handler(event, context):
eventdump = json.dumps(event, indent=2)
print("Received event: " + json.dumps(event, indent=2))
return eventdump

Risks
• You can now automatically mess up your approved changes
• No proper alerting and follow-up on automatic events
• Over/under complicated scripts
• No info on desired state
• Race the hacker…automation wars!

Best practices
Implement “Compliance Status” for easy overview
• Use pre defined checks
• Create extended custom checks
• Fix the issue while checking
Evaluate/remediate changes/events in your account
• Doesn’t replace log analysis (Machine Learning FTW)
• Protect against changes made by (un)authorized accounts
• Automatic remediation for critical events
• Do forensic on the fly
Always Log and Alert!

Introduction to DevSecOps

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (20)

Similar a Introduction to DevSecOps

Similar a Introduction to DevSecOps (20)

Más de Amazon Web Services

Más de Amazon Web Services (20)

Introduction to DevSecOps