SlideShare una empresa de Scribd logo

Securing Systems at Cloud Scale with DevSecOps

Amazon Web Services
Amazon Web Services

The AWS platform offers a rich set of capabilities that can be leveraged by the customer to better control applications state, configuration, and supporting infrastructure throughout the service lifecycle – all while operating with security best practices such as audit and accountability, access control, change review and governance, and systems integrity. We will showcase and discuss design patterns for using these capabilities in synergy with fast-paced and agile application development methodologies – such as DevOps – to achieve an integrated security operations program.

Tecnología
1 de 42
Descargar para leer sin conexión
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Securing Systems at Cloud Scale Ian Massingham, Technical Evangelist @IanMmmm
DevSecOps Integrating Security with DevOps
What is DevOps? Cultural Philosophy Practices Tools
What is DevOps Breakdown the barriers Work as one team end to end Support business and IT agility Collaboration & Communication Treat Infrastructure as code Automate everything Test, measure & monitor everything Culture Technology
Competing Forces Business Development Operations Build it faster Keep it stable Security Make it secure
What is DevSecOps DevOps = Efficiencies that speed up this lifecycle DevSecOps = Validate building blocks without slowing lifecycle developers customers releasetestbuild plan monitor delivery pipeline feedback loop Software development lifecycle Security
Who is DevSecOps • DevSecOps is • Team/Community, not a person • Automated and autonomous security • Security at scale • DevSecOps role • Not there to audit code • Implement the control segments to validate and audit code and artifacts as part of the CI/CD process Security OperationsDevelopment
Continuous Integration Techniques and tools to improve the process of software delivery, resulting in the ability to rapidly, reliably, and repeatedly push out enhancements and bug fixes to customers at low risk and with minimal manual overhead. Techniques and tools to implement the continuous process of applying quality control; in general, small pieces of effort, applied frequently, to improve the quality of software, and to reduce the time taken to deliver it. Continuous Delivery
CI/CD for DevOps Version Control CI Server Package Builder Deploy Server Commit to Git/masterDev Get / Pull Code AMIs Send Build Report to Dev Stop everything if build failed Distributed Builds Run Tests in parallel Staging Env Test Env Code Config Tests Prod Env Push Config Install Create Repo CloudFormation Templates for Environment Generate
Version Control CI Server Package Builder Promote Process Validate Dev Get / Pull Code AMIs Log for audit Staging Env Test Env Code Config Tests Prod Env Audit/Validate Config Checksum Continuous Scan CI/CD for DevSecOps Send Build Report to Security Stop everything if audit/validation failed CloudFormation Templates for Environment
Promotion Process in Continuous Deployment
What Does DevSecOps CI/CD Give Us? • Confidence that our code is validated against corporate security policies. • Avoid infrastructure/application failure in a later deployment due to different security configuration • Match DevOps pace of innovation • Audit and alert • Security at scale!
Governance First Infrastructure is code
AWS CloudFormation Primer Allows you to define a “template” which is composed of different “resources” and then provision that template into repeatable, live, “stacks”. CloudFormation (CFn) providing a single service interface and abstracts the underlying API semantics and implementation mechanics. CFn templates can hook into external configuration management frameworks such as Jenkins/Chef/Puppet/etc.
AWS CloudFormation Primer
AWS CloudFormation Stacks JSON Template Stack Stack Stack
CFn for Security Practitioners “Infrastructure is code” • We already know how to manage “code” lifecycle • Let CFn perform state changes and govern who calls CFn Split ownership templates • Merge code from Sec, Dev and Ops • Baseline and build/state management Provides inventory and documentation • Resources are the same, just scaled Integrate with Service Catalog • Provides UI • Use constraints (example: tags)
Traditional Structured Deployment Create Skeleton Define Resources Execute
Split Ownership Configurations Who knows your solution best? • Dev, Infra, Sec…? • Delegate ownership Use Yaml and split file into chunks or functions • Separate file sources with access control – Use IAM/VPC-E/etc. • Push files -> Validate -> Merge files -> Validate -> Deploy -> Validate Jenkins for deployment • Promotion flows • Move from manual to Automation based on validation quality • Excellent for merging jobs of split configurations
Merging From single file or multiple files • Maintain access control using policies • Use different source stores if needed Based on function/state Reusable patterns Maintain order, especially of validation • Security validation last to execute • Security should always win
Validation Keep track of what section you are validating • Stage vs Prod • Merged vs separated Validate often and log/alert • Validate part and end result • Run-time validation Use external agents • AWS Simple Work Flow • AWS Lambda • Etc.
Structured deployment using Split ownership Create Skeleton - Infra team Define Resources - DevOps Execute - Security
Applied Governance Building processes to segment and encapsulate application packages
Applied Governance deconstructed Deployment mechanisms for software artifacts Configuration building blocks Managing segmentation and security dependencies …and a real scenario to wrap this all together.
Deployment Mechanisms for Software Artifacts Amazon Machine Images (AMIs) Docker Image OS Packages Amazon EC2 Container Service AWS CloudFormation AWS CodeDeploy
Amazon Machine Images (AMIs) Docker Images OS Packages Amazon EC2 Container Service AWS CloudFormation AWS CodeDeploy Software Artifacts Deployment Services Deployment Mechanisms for Software Artifacts
Configuration building blocks CloudFormation Template Task Definition Application Specification File (AppSpec file) …and more.
Managing segmentation and security dependencies Why use these configuration building blocks to enforce security? • Remove accidental conflicts • Make security processes continuous and automatic • Encapsulate software artifacts and implement controls one level up • Control changes to these mechanisms via IAM
Example - Amazon EC2 Container Service Rate limiting proxy Web Application Container Cluster instance Reverse-Proxy Container Outbound network access
Scaling Trust Decisions Autonomous security
Does this flow feel familiar 1. Deploy Instance (Chef got it so no worries…) 2. Follow checklist #1 for patches (Oops…New patches arrived…time to update Chef) 3. Follow latest security list (Sec team don’t have access to Chef yet…) 4. Put in production 5. SecOps called…they have a new list (oh dear…) 6. Pull from production 7. Rinse and repeat
Design time vs run time decisions Autonomous Security Configuration Resources EC2::LaunchConfiguration EC2::Instance SWF::FlowFramework
Why do we need these trust decisions?
How can we translate that into our W’s? • Who [is that instance]? • What [is it’s configuration]? • Where [is the instance provisioned]? • When [was it launched]? • Why [is this instance alive]? Thought experiment: what is the root of trust for your Amazon EC2 instances?
Scaling trust decisions - Allows Allows Split Ownership Allows intelligent decisions • Inspect – Decide – Apply – Validate – Action - Log Forced • Comply or be destroyed Security inventory for audits at scale • Gather information from multiple sources • Host based • EC2 service • Created artifacts Unique per resource action and information • Keys/Certificates
Scaling trust decisions - Do Use combination of design time and run time decisions Tie to authentication on-demand for secure access of automated processes Combine with Continuous scanning • Code artifacts • Resources (AWS Config) Don’t mistake run time decisions with post deployment • Run-time happen at creation but before being made available
Push pattern – web server certificate DB tier Web tier Secure tier Presentation tier AutoScaling Policy Secure Flow 1. AutoScaling policy triggers • Hook Pending:Wait 2. Flow 1. Create certificate *Unique* 2. Start web service • Certificate in memory only 3. Delete certificate from disk 4. Install AWS CloudWatch Logs 5. Create SSH_RSAkey *Unique* 6. Replace SSH_RSAkey *Unique* 3. Validation 1. Check CW Logs API 2. Run WGET 4. Logging 1. Log information/state in DynamoDB (IAM!) 5. Continue/terminate instance/hook 1. Instance InService/terminated RDS ELB DynamoDB CloudTrail CloudWatch Instances have no knowledge on process or about the secure flow No need for: - Third party software - Expensive licensing - Magical fairy dust All using AWS services
Run-time security flow – best practices Avoid pull patterns • Requires an available source/path from target system • Own/compromise the target and you own the access process Push ensures only outgoing traffic • Instances have no path back to source • Instances have no knowledge of the process/flow Ephemeral/on-demand scripting on target • Store in memory • Create scripts on target on-demand at execution time • Temporary credentials for first run Keep source store on-instance (worker node) or S3 using dedicated VPC with VPC-Endpoint for S3 policy
Tooling - Triggering AutoScaling Group • Use Lifecycle hooks • Automatic repair of non approved instances • SNS for integration with Workers/Lambda • Use least privileges on AutoScaling Groupd instances • Use IAM Instance Roles • Unique credentials per instance
Tooling - Worker Simple WorkFlow • Flow engine for Ruby/Java • Allow synchronous or asynchronous flows • Deciders/Workers • EC2 or Lambda • Can be integrated into Elastic Beanstalk • Use internal or external source for validation tasks/tests • Checksum files before use • Use Lambda/Elastic Beanstalk workers
Real-life trust applications • Agent deployment/validation • Integration with Configuration Management (Chef/Puppet) • Unique per-instance configuration • Cross-instance network authentication • Joining an Active Directory Ask yourself what makes this instance trustworthy for any of the above and how can I scale that trust?
Please let us have your feedback on this event! Don’t forget to leave your badge and collect your $50 AWS Credit Token Thank You

Recomendados

DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptxMohammadSaif904342
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsAmazon Web Services
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOpsDevOps Indonesia
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and OpportunitiesMohammed A. Imran
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOpsAmazon Web Services
 

Recomendados

DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptxMohammadSaif904342
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsAmazon Web Services
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOpsDevOps Indonesia
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and OpportunitiesMohammed A. Imran
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOpsAmazon Web Services
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsSuman Sourav
 
DevSecOps
DevSecOpsDevSecOps
DevSecOpsCheah Eng Soon
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an IntroductionPrashanth B. P.
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOpsArchana Joshi
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOpsFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityAlert Logic
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101Narudom Roongsiriwong, CISSP
 
Microsoft Security Development Lifecycle
Microsoft Security Development LifecycleMicrosoft Security Development Lifecycle
Microsoft Security Development LifecycleRazi Rais
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsabhimanyubhogwan
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018Sonatype
 
Microsoft Defender and Azure Sentinel
Microsoft Defender and Azure SentinelMicrosoft Defender and Azure Sentinel
Microsoft Defender and Azure SentinelDavid J Rosenthal
 
DevSecOps
DevSecOpsDevSecOps
DevSecOpsJoel Divekar
 
CI/CD Pipeline Security: Advanced Continuous Delivery Recommendations
CI/CD Pipeline Security: Advanced Continuous Delivery RecommendationsCI/CD Pipeline Security: Advanced Continuous Delivery Recommendations
CI/CD Pipeline Security: Advanced Continuous Delivery RecommendationsAmazon Web Services
 
SOC Certification Runbook Template
SOC Certification Runbook TemplateSOC Certification Runbook Template
SOC Certification Runbook TemplateMark S. Mahre
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS SecurityAmazon Web Services
 
DevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving SecurityDevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving SecurityFranklin Mosley
 
Microsoft Azure Sentinel
Microsoft Azure SentinelMicrosoft Azure Sentinel
Microsoft Azure SentinelBGA Cyber Security
 
Introduction to DevSecOps on AWS
Introduction to DevSecOps on AWSIntroduction to DevSecOps on AWS
Introduction to DevSecOps on AWSAmazon Web Services
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie
 

Más contenido relacionado

La actualidad más candente

DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsSuman Sourav
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an IntroductionPrashanth B. P.
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOpsArchana Joshi
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityAlert Logic
 
Microsoft Security Development Lifecycle
Microsoft Security Development LifecycleMicrosoft Security Development Lifecycle
Microsoft Security Development LifecycleRazi Rais
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018Sonatype
 
Microsoft Defender and Azure Sentinel
Microsoft Defender and Azure SentinelMicrosoft Defender and Azure Sentinel
Microsoft Defender and Azure SentinelDavid J Rosenthal
 
CI/CD Pipeline Security: Advanced Continuous Delivery Recommendations
CI/CD Pipeline Security: Advanced Continuous Delivery RecommendationsCI/CD Pipeline Security: Advanced Continuous Delivery Recommendations
CI/CD Pipeline Security: Advanced Continuous Delivery RecommendationsAmazon Web Services
 
SOC Certification Runbook Template
SOC Certification Runbook TemplateSOC Certification Runbook Template
SOC Certification Runbook TemplateMark S. Mahre
 
DevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving SecurityDevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving SecurityFranklin Mosley
 

La actualidad más candente (20)

DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
Microsoft Security Development Lifecycle
Microsoft Security Development LifecycleMicrosoft Security Development Lifecycle
Microsoft Security Development Lifecycle
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
 
Microsoft Defender and Azure Sentinel
Microsoft Defender and Azure SentinelMicrosoft Defender and Azure Sentinel
Microsoft Defender and Azure Sentinel
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
CI/CD Pipeline Security: Advanced Continuous Delivery Recommendations
CI/CD Pipeline Security: Advanced Continuous Delivery RecommendationsCI/CD Pipeline Security: Advanced Continuous Delivery Recommendations
CI/CD Pipeline Security: Advanced Continuous Delivery Recommendations
 
SOC Certification Runbook Template
SOC Certification Runbook TemplateSOC Certification Runbook Template
SOC Certification Runbook Template
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
DevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving SecurityDevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving Security
 
Microsoft Azure Sentinel
Microsoft Azure SentinelMicrosoft Azure Sentinel
Microsoft Azure Sentinel
 

Destacado

Introduction to DevSecOps on AWS
Introduction to DevSecOps on AWSIntroduction to DevSecOps on AWS
Introduction to DevSecOps on AWSAmazon Web Services
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
AWS re:Invent 2016: Embracing DevSecOps while Improving Compliance and Securi...
AWS re:Invent 2016: Embracing DevSecOps while Improving Compliance and Securi...AWS re:Invent 2016: Embracing DevSecOps while Improving Compliance and Securi...
AWS re:Invent 2016: Embracing DevSecOps while Improving Compliance and Securi...Amazon Web Services
 
(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0Amazon Web Services
 
Integrating security into Continuous Delivery
Integrating security into Continuous DeliveryIntegrating security into Continuous Delivery
Integrating security into Continuous DeliveryTom Stiehm
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15Ed Bellis
 
Security as Code
Security as CodeSecurity as Code
Security as CodeEd Bellis
 
Leveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web Day
Leveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web DayLeveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web Day
Leveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web DayAWS Germany
 
Securing Serverless Architectures - AWS Serverless Web Day
Securing Serverless Architectures - AWS Serverless Web DaySecuring Serverless Architectures - AWS Serverless Web Day
Securing Serverless Architectures - AWS Serverless Web DayAWS Germany
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesDefconRussia
 
Gartner Top 10 Strategic Technology Trends 2016
Gartner Top 10 Strategic Technology Trends 2016 Gartner Top 10 Strategic Technology Trends 2016
Gartner Top 10 Strategic Technology Trends 2016 Deepak Kamboj
 
Security Boundaries and Functions of Services for Serverless Architectures on...
Security Boundaries and Functions of Services for Serverless Architectures on...Security Boundaries and Functions of Services for Serverless Architectures on...
Security Boundaries and Functions of Services for Serverless Architectures on...AWS Germany
 
Data Storage for the Long Haul: Compliance and Archive
Data Storage for the Long Haul: Compliance and ArchiveData Storage for the Long Haul: Compliance and Archive
Data Storage for the Long Haul: Compliance and ArchiveAmazon Web Services
 
Get the Most Out of Amazon EC2: A Deep Dive on Reserved, On-Demand, and Spot ...
Get the Most Out of Amazon EC2: A Deep Dive on Reserved, On-Demand, and Spot ...Get the Most Out of Amazon EC2: A Deep Dive on Reserved, On-Demand, and Spot ...
Get the Most Out of Amazon EC2: A Deep Dive on Reserved, On-Demand, and Spot ...Amazon Web Services
 
Hybrid Infrastructure Integration
Hybrid Infrastructure IntegrationHybrid Infrastructure Integration
Hybrid Infrastructure IntegrationAmazon Web Services
 
Scaling by Design: AWS Web Services Patterns
Scaling by Design: AWS Web Services PatternsScaling by Design: AWS Web Services Patterns
Scaling by Design: AWS Web Services PatternsAmazon Web Services
 
Encryption and Key Management in AWS
Encryption and Key Management in AWSEncryption and Key Management in AWS
Encryption and Key Management in AWSAmazon Web Services
 

Destacado (20)

Introduction to DevSecOps on AWS
Introduction to DevSecOps on AWSIntroduction to DevSecOps on AWS
Introduction to DevSecOps on AWS
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
 
AWS re:Invent 2016: Embracing DevSecOps while Improving Compliance and Securi...
AWS re:Invent 2016: Embracing DevSecOps while Improving Compliance and Securi...AWS re:Invent 2016: Embracing DevSecOps while Improving Compliance and Securi...
AWS re:Invent 2016: Embracing DevSecOps while Improving Compliance and Securi...
 
(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0
 
Integrating security into Continuous Delivery
Integrating security into Continuous DeliveryIntegrating security into Continuous Delivery
Integrating security into Continuous Delivery
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15
 
Security as Code
Security as CodeSecurity as Code
Security as Code
 
Leveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web Day
Leveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web DayLeveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web Day
Leveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web Day
 
Securing Serverless Architectures - AWS Serverless Web Day
Securing Serverless Architectures - AWS Serverless Web DaySecuring Serverless Architectures - AWS Serverless Web Day
Securing Serverless Architectures - AWS Serverless Web Day
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
 
Gartner Top 10 Strategic Technology Trends 2016
Gartner Top 10 Strategic Technology Trends 2016 Gartner Top 10 Strategic Technology Trends 2016
Gartner Top 10 Strategic Technology Trends 2016
 
Security Boundaries and Functions of Services for Serverless Architectures on...
Security Boundaries and Functions of Services for Serverless Architectures on...Security Boundaries and Functions of Services for Serverless Architectures on...
Security Boundaries and Functions of Services for Serverless Architectures on...
 
Data Storage for the Long Haul: Compliance and Archive
Data Storage for the Long Haul: Compliance and ArchiveData Storage for the Long Haul: Compliance and Archive
Data Storage for the Long Haul: Compliance and Archive
 
Get the Most Out of Amazon EC2: A Deep Dive on Reserved, On-Demand, and Spot ...
Get the Most Out of Amazon EC2: A Deep Dive on Reserved, On-Demand, and Spot ...Get the Most Out of Amazon EC2: A Deep Dive on Reserved, On-Demand, and Spot ...
Get the Most Out of Amazon EC2: A Deep Dive on Reserved, On-Demand, and Spot ...
 
Hybrid Infrastructure Integration
Hybrid Infrastructure IntegrationHybrid Infrastructure Integration
Hybrid Infrastructure Integration
 
Scaling by Design: AWS Web Services Patterns
Scaling by Design: AWS Web Services PatternsScaling by Design: AWS Web Services Patterns
Scaling by Design: AWS Web Services Patterns
 
Encryption and Key Management in AWS
Encryption and Key Management in AWSEncryption and Key Management in AWS
Encryption and Key Management in AWS
 

Similar a Securing Systems at Cloud Scale with DevSecOps

Putting it All Together: Securing Systems at Cloud Scale
Putting it All Together: Securing Systems at Cloud ScalePutting it All Together: Securing Systems at Cloud Scale
Putting it All Together: Securing Systems at Cloud ScaleAmazon Web Services
 
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017Amazon Web Services
 
Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAutomating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAmazon Web Services
 
Application Delivery Patterns for Developers - Technical 401
Application Delivery Patterns for Developers - Technical 401Application Delivery Patterns for Developers - Technical 401
Application Delivery Patterns for Developers - Technical 401Amazon Web Services
 
Integrating-Cloud-Development-Security-And-Operations.pdf
Integrating-Cloud-Development-Security-And-Operations.pdfIntegrating-Cloud-Development-Security-And-Operations.pdf
Integrating-Cloud-Development-Security-And-Operations.pdfAmazon Web Services
 
Wellington MuleSoft Meetup 2021-02-18
Wellington MuleSoft Meetup 2021-02-18Wellington MuleSoft Meetup 2021-02-18
Wellington MuleSoft Meetup 2021-02-18Mary Joy Sabal
 
Introduction to DevSecOps on AWS
Introduction to DevSecOps on AWSIntroduction to DevSecOps on AWS
Introduction to DevSecOps on AWSAmazon Web Services
 
Configuration Management in the Cloud | AWS Public Sector Summit 2017
Configuration Management in the Cloud | AWS Public Sector Summit 2017Configuration Management in the Cloud | AWS Public Sector Summit 2017
Configuration Management in the Cloud | AWS Public Sector Summit 2017Amazon Web Services
 
Improving Security Agility using DevSecOps
Improving Security Agility using DevSecOpsImproving Security Agility using DevSecOps
Improving Security Agility using DevSecOpsAmazon Web Services
 
Getting to Walk with DevOps
Getting to Walk with DevOpsGetting to Walk with DevOps
Getting to Walk with DevOpsEklove Mohan
 
DevOps on Windows: How to Deploy Complex Windows Workloads | AWS Public Secto...
DevOps on Windows: How to Deploy Complex Windows Workloads | AWS Public Secto...DevOps on Windows: How to Deploy Complex Windows Workloads | AWS Public Secto...
DevOps on Windows: How to Deploy Complex Windows Workloads | AWS Public Secto...Amazon Web Services
 
Introduction to DevSecOps on AWS
Introduction to DevSecOps on AWSIntroduction to DevSecOps on AWS
Introduction to DevSecOps on AWSAmazon Web Services
 
ENT401 Deep Dive with Amazon EC2 Systems Manager
ENT401 Deep Dive with Amazon EC2 Systems ManagerENT401 Deep Dive with Amazon EC2 Systems Manager
ENT401 Deep Dive with Amazon EC2 Systems ManagerAmazon Web Services
 
Integrating_Cloud_Development_Security_And_Operations.pdf
Integrating_Cloud_Development_Security_And_Operations.pdfIntegrating_Cloud_Development_Security_And_Operations.pdf
Integrating_Cloud_Development_Security_And_Operations.pdfAmazon Web Services
 
Continuous Integration with Amazon ECS and Docker
Continuous Integration with Amazon ECS and DockerContinuous Integration with Amazon ECS and Docker
Continuous Integration with Amazon ECS and DockerAmazon Web Services
 

Similar a Securing Systems at Cloud Scale with DevSecOps (20)

Putting it All Together: Securing Systems at Cloud Scale
Putting it All Together: Securing Systems at Cloud ScalePutting it All Together: Securing Systems at Cloud Scale
Putting it All Together: Securing Systems at Cloud Scale
 
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
 
Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAutomating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps
 
Past, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps InfrastructurePast, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps Infrastructure
 
Application Delivery Patterns
Application Delivery PatternsApplication Delivery Patterns
Application Delivery Patterns
 
Application Delivery Patterns for Developers - Technical 401
Application Delivery Patterns for Developers - Technical 401Application Delivery Patterns for Developers - Technical 401
Application Delivery Patterns for Developers - Technical 401
 
Integrating-Cloud-Development-Security-And-Operations.pdf
Integrating-Cloud-Development-Security-And-Operations.pdfIntegrating-Cloud-Development-Security-And-Operations.pdf
Integrating-Cloud-Development-Security-And-Operations.pdf
 
Wellington MuleSoft Meetup 2021-02-18
Wellington MuleSoft Meetup 2021-02-18Wellington MuleSoft Meetup 2021-02-18
Wellington MuleSoft Meetup 2021-02-18
 
Introduction to DevSecOps on AWS
Introduction to DevSecOps on AWSIntroduction to DevSecOps on AWS
Introduction to DevSecOps on AWS
 
Configuration Management in the Cloud | AWS Public Sector Summit 2017
Configuration Management in the Cloud | AWS Public Sector Summit 2017Configuration Management in the Cloud | AWS Public Sector Summit 2017
Configuration Management in the Cloud | AWS Public Sector Summit 2017
 
Devops architecture
Devops architectureDevops architecture
Devops architecture
 
Improving Security Agility using DevSecOps
Improving Security Agility using DevSecOpsImproving Security Agility using DevSecOps
Improving Security Agility using DevSecOps
 
Getting to Walk with DevOps
Getting to Walk with DevOpsGetting to Walk with DevOps
Getting to Walk with DevOps
 
Devops on AWS
Devops on AWSDevops on AWS
Devops on AWS
 
DevOps on Windows: How to Deploy Complex Windows Workloads | AWS Public Secto...
DevOps on Windows: How to Deploy Complex Windows Workloads | AWS Public Secto...DevOps on Windows: How to Deploy Complex Windows Workloads | AWS Public Secto...
DevOps on Windows: How to Deploy Complex Windows Workloads | AWS Public Secto...
 
Introduction to DevSecOps on AWS
Introduction to DevSecOps on AWSIntroduction to DevSecOps on AWS
Introduction to DevSecOps on AWS
 
ENT401 Deep Dive with Amazon EC2 Systems Manager
ENT401 Deep Dive with Amazon EC2 Systems ManagerENT401 Deep Dive with Amazon EC2 Systems Manager
ENT401 Deep Dive with Amazon EC2 Systems Manager
 
Towards Full Stack Security
Towards Full Stack SecurityTowards Full Stack Security
Towards Full Stack Security
 
Integrating_Cloud_Development_Security_And_Operations.pdf
Integrating_Cloud_Development_Security_And_Operations.pdfIntegrating_Cloud_Development_Security_And_Operations.pdf
Integrating_Cloud_Development_Security_And_Operations.pdf
 
Continuous Integration with Amazon ECS and Docker
Continuous Integration with Amazon ECS and DockerContinuous Integration with Amazon ECS and Docker
Continuous Integration with Amazon ECS and Docker
 

Más de Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Más de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Último

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 

Último (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 

Securing Systems at Cloud Scale with DevSecOps

  • 1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Securing Systems at Cloud Scale Ian Massingham, Technical Evangelist @IanMmmm
  • 4. What is DevOps Breakdown the barriers Work as one team end to end Support business and IT agility Collaboration & Communication Treat Infrastructure as code Automate everything Test, measure & monitor everything Culture Technology
  • 5. Competing Forces Business Development Operations Build it faster Keep it stable Security Make it secure
  • 6. What is DevSecOps DevOps = Efficiencies that speed up this lifecycle DevSecOps = Validate building blocks without slowing lifecycle developers customers releasetestbuild plan monitor delivery pipeline feedback loop Software development lifecycle Security
  • 7. Who is DevSecOps • DevSecOps is • Team/Community, not a person • Automated and autonomous security • Security at scale • DevSecOps role • Not there to audit code • Implement the control segments to validate and audit code and artifacts as part of the CI/CD process Security OperationsDevelopment
  • 8. Continuous Integration Techniques and tools to improve the process of software delivery, resulting in the ability to rapidly, reliably, and repeatedly push out enhancements and bug fixes to customers at low risk and with minimal manual overhead. Techniques and tools to implement the continuous process of applying quality control; in general, small pieces of effort, applied frequently, to improve the quality of software, and to reduce the time taken to deliver it. Continuous Delivery
  • 9. CI/CD for DevOps Version Control CI Server Package Builder Deploy Server Commit to Git/masterDev Get / Pull Code AMIs Send Build Report to Dev Stop everything if build failed Distributed Builds Run Tests in parallel Staging Env Test Env Code Config Tests Prod Env Push Config Install Create Repo CloudFormation Templates for Environment Generate
  • 10. Version Control CI Server Package Builder Promote Process Validate Dev Get / Pull Code AMIs Log for audit Staging Env Test Env Code Config Tests Prod Env Audit/Validate Config Checksum Continuous Scan CI/CD for DevSecOps Send Build Report to Security Stop everything if audit/validation failed CloudFormation Templates for Environment
  • 11. Promotion Process in Continuous Deployment
  • 12. What Does DevSecOps CI/CD Give Us? • Confidence that our code is validated against corporate security policies. • Avoid infrastructure/application failure in a later deployment due to different security configuration • Match DevOps pace of innovation • Audit and alert • Security at scale!
  • 14. AWS CloudFormation Primer Allows you to define a “template” which is composed of different “resources” and then provision that template into repeatable, live, “stacks”. CloudFormation (CFn) providing a single service interface and abstracts the underlying API semantics and implementation mechanics. CFn templates can hook into external configuration management frameworks such as Jenkins/Chef/Puppet/etc.
  • 17. CFn for Security Practitioners “Infrastructure is code” • We already know how to manage “code” lifecycle • Let CFn perform state changes and govern who calls CFn Split ownership templates • Merge code from Sec, Dev and Ops • Baseline and build/state management Provides inventory and documentation • Resources are the same, just scaled Integrate with Service Catalog • Provides UI • Use constraints (example: tags)
  • 19. Split Ownership Configurations Who knows your solution best? • Dev, Infra, Sec…? • Delegate ownership Use Yaml and split file into chunks or functions • Separate file sources with access control – Use IAM/VPC-E/etc. • Push files -> Validate -> Merge files -> Validate -> Deploy -> Validate Jenkins for deployment • Promotion flows • Move from manual to Automation based on validation quality • Excellent for merging jobs of split configurations
  • 20. Merging From single file or multiple files • Maintain access control using policies • Use different source stores if needed Based on function/state Reusable patterns Maintain order, especially of validation • Security validation last to execute • Security should always win
  • 21. Validation Keep track of what section you are validating • Stage vs Prod • Merged vs separated Validate often and log/alert • Validate part and end result • Run-time validation Use external agents • AWS Simple Work Flow • AWS Lambda • Etc.
  • 22. Structured deployment using Split ownership Create Skeleton - Infra team Define Resources - DevOps Execute - Security
  • 23. Applied Governance Building processes to segment and encapsulate application packages
  • 24. Applied Governance deconstructed Deployment mechanisms for software artifacts Configuration building blocks Managing segmentation and security dependencies …and a real scenario to wrap this all together.
  • 25. Deployment Mechanisms for Software Artifacts Amazon Machine Images (AMIs) Docker Image OS Packages Amazon EC2 Container Service AWS CloudFormation AWS CodeDeploy
  • 26. Amazon Machine Images (AMIs) Docker Images OS Packages Amazon EC2 Container Service AWS CloudFormation AWS CodeDeploy Software Artifacts Deployment Services Deployment Mechanisms for Software Artifacts
  • 27. Configuration building blocks CloudFormation Template Task Definition Application Specification File (AppSpec file) …and more.
  • 28. Managing segmentation and security dependencies Why use these configuration building blocks to enforce security? • Remove accidental conflicts • Make security processes continuous and automatic • Encapsulate software artifacts and implement controls one level up • Control changes to these mechanisms via IAM
  • 29. Example - Amazon EC2 Container Service Rate limiting proxy Web Application Container Cluster instance Reverse-Proxy Container Outbound network access
  • 31. Does this flow feel familiar 1. Deploy Instance (Chef got it so no worries…) 2. Follow checklist #1 for patches (Oops…New patches arrived…time to update Chef) 3. Follow latest security list (Sec team don’t have access to Chef yet…) 4. Put in production 5. SecOps called…they have a new list (oh dear…) 6. Pull from production 7. Rinse and repeat
  • 32. Design time vs run time decisions Autonomous Security Configuration Resources EC2::LaunchConfiguration EC2::Instance SWF::FlowFramework
  • 33. Why do we need these trust decisions?
  • 34. How can we translate that into our W’s? • Who [is that instance]? • What [is it’s configuration]? • Where [is the instance provisioned]? • When [was it launched]? • Why [is this instance alive]? Thought experiment: what is the root of trust for your Amazon EC2 instances?
  • 35. Scaling trust decisions - Allows Allows Split Ownership Allows intelligent decisions • Inspect – Decide – Apply – Validate – Action - Log Forced • Comply or be destroyed Security inventory for audits at scale • Gather information from multiple sources • Host based • EC2 service • Created artifacts Unique per resource action and information • Keys/Certificates
  • 36. Scaling trust decisions - Do Use combination of design time and run time decisions Tie to authentication on-demand for secure access of automated processes Combine with Continuous scanning • Code artifacts • Resources (AWS Config) Don’t mistake run time decisions with post deployment • Run-time happen at creation but before being made available
  • 37. Push pattern – web server certificate DB tier Web tier Secure tier Presentation tier AutoScaling Policy Secure Flow 1. AutoScaling policy triggers • Hook Pending:Wait 2. Flow 1. Create certificate *Unique* 2. Start web service • Certificate in memory only 3. Delete certificate from disk 4. Install AWS CloudWatch Logs 5. Create SSH_RSAkey *Unique* 6. Replace SSH_RSAkey *Unique* 3. Validation 1. Check CW Logs API 2. Run WGET 4. Logging 1. Log information/state in DynamoDB (IAM!) 5. Continue/terminate instance/hook 1. Instance InService/terminated RDS ELB DynamoDB CloudTrail CloudWatch Instances have no knowledge on process or about the secure flow No need for: - Third party software - Expensive licensing - Magical fairy dust All using AWS services
  • 38. Run-time security flow – best practices Avoid pull patterns • Requires an available source/path from target system • Own/compromise the target and you own the access process Push ensures only outgoing traffic • Instances have no path back to source • Instances have no knowledge of the process/flow Ephemeral/on-demand scripting on target • Store in memory • Create scripts on target on-demand at execution time • Temporary credentials for first run Keep source store on-instance (worker node) or S3 using dedicated VPC with VPC-Endpoint for S3 policy
  • 39. Tooling - Triggering AutoScaling Group • Use Lifecycle hooks • Automatic repair of non approved instances • SNS for integration with Workers/Lambda • Use least privileges on AutoScaling Groupd instances • Use IAM Instance Roles • Unique credentials per instance
  • 40. Tooling - Worker Simple WorkFlow • Flow engine for Ruby/Java • Allow synchronous or asynchronous flows • Deciders/Workers • EC2 or Lambda • Can be integrated into Elastic Beanstalk • Use internal or external source for validation tasks/tests • Checksum files before use • Use Lambda/Elastic Beanstalk workers
  • 41. Real-life trust applications • Agent deployment/validation • Integration with Configuration Management (Chef/Puppet) • Unique per-instance configuration • Cross-instance network authentication • Joining an Active Directory Ask yourself what makes this instance trustworthy for any of the above and how can I scale that trust?
  • 42. Please let us have your feedback on this event! Don’t forget to leave your badge and collect your $50 AWS Credit Token Thank You