This document outlines 5 key practices for modern security success in DevSecOps: 1) Cloud & DevSecOps practices, 2) Pre-Commit controls like the "paved road" of secure templates, 3) Commit controls through CI/CD pipelines, 4) Acceptance controls for supply chain security, and 5) Operations controls for continuous security compliance. The presentation provides examples for implementing controls at each stage to integrate security practices into the DevSecOps workflow.

1. 3/27/2019
DevSecOps: Key Controls
For Modern Security
Success
Eastern Iowa Security Conference
© 2019 Puma Security, LLC | All Rights Reserved

2. Puma Security, LLCPuma Security, LLC 2
• Principal Security Engineer, Puma Security
– Coder: static analysis engine, cloud automation, security tools
– Security assessments: DevSecOps, cloud, source code, web apps, mobile
apps
• DevSecOps Curriculum Manager, SANS Institute
– SANS Certified Instructor
– Contributing author of SEC540, DEV544, and DEV531
• Education & Training
– Iowa State M.S. Information Assurance, B.S. Computer Engineering
– AWS Certified Developer, CISSP, GSSP, GWAPT
• Contact information
– Email: eric.johnson@pumascan.com
– Twitter: @emjohn20
$WHOAMI

3. Puma Security, LLCPuma Security, LLC 3
Agenda
• Keys for Modern
Security Success
1. Cloud & DevSecOps Practices
2. Pre-Commit: The Paved Road
3. Commit: CI / CD Security Controls
4. Acceptance: Supply Chain Security
5. Operations: Continuous Security
Compliance

4. Puma Security, LLCPuma Security, LLC 4
What are the goals and principles in
DevSecOps?
• Make security a first-class problem in
DevOps
• Make security a first-class participant in
DevOps
• Increase trust between dev, ops, and sec
• Integrate security practices and ideas into
DevOps culture
• Wire security into DevOps workflows to
incrementally improve security
SecDevOps / DevSecOps / DevOpsSec / Rugged DevOps
https://memegenerator.net/img/instances/81941458/devsecops.jpg

5. Puma Security, LLCPuma Security, LLC 5
• Cloud Security
Top 10
• Serverless
Security Top 10
• DevSecOps
Toolchain
• Building a
DevSecOps
Program
Secure Cloud & DevOps Practices (https://www.sans.org/u/OGx)

6. Puma Security, LLCPuma Security, LLC 6
• Cloud & DevOps Critical Security Controls:
Cloud & DevSecOps Security Controls
IDE SECURITY
PLUGINS
PRE-COMMIT HOOKS
PEER CODE REVIEWS
STATIC CODE
ANALYSIS
SECURITY UNIT TESTS
CONTAINER
SECURITY
INFRASTRUCTURE AS
CODE
SECURITY SMOKE
TESTS
THREAT MODELING
DEPENDENCY
MANAGEMENT
SECURITY
ACCEPTANCE TESTS
BLAMELESS
POSTMORTEMS
CONTINUOUS
MONITORING
PENETRATION
TESTING
THREAT
INTELLIGENCE
PRE-COMMIT COMMIT (CI) ACCEPTANCE PRODUCTION OPERATIONS
CLOUD
INFRASTRUCTURE
DYNAMIC SECURITY
TESTS
SECRETS
MANAGEMENT
SECURITY
CONFIGURATION
SERVER HARDENING

7. Puma Security, LLCPuma Security, LLC
#1 Pre-Commit:
The Paved Road
7

8. Puma Security, LLCPuma Security, LLC 8
Dev, Sec, and Ops teams build secure by
default frameworks, libraries, and services:
• Popularized by Netflix "Gates to
Guardrails"
• Operations: Automated pipelines build,
certify, and publish cloud infrastructure /
machine images
• Development: Secure templates for Web,
APIs, front-end, serverless projects
• Security: Automated security pipeline
scans, unit tests, acceptance tests,
production assertions
Build The Paved Road PRE-COMMIT
http://www.flickr.com/photos/25173673@N03/4785565610/

9. Puma Security, LLCPuma Security, LLC 9
Network, Cloud, Infrastructure as Code templates for quickly
provisioning certified environments for the development team to
use:
• On-premise or cloud hosted virtual machine gold images
• On-premise or cloud hosted container gold images
• Provisioning cloud network infrastructure
• Deploying API gateway appliances for microservices
• Managing Functions as a Service (FaaS)
Operations Paved Road

10. Puma Security, LLC 10Puma Security, LLC 10
AWS CloudFormation infrastructure paved road example:
1
2
3
4
5
6
7
8
9
10
11
12
13
LaunchConfiguration:
Type: AWS::AutoScaling::LaunchConfiguration
Metadata:
Properties:
ImageId: !FindInMap [ AWSRegionToAMI, !Ref "AWS::Region", AMI ]
IamInstanceProfile: !Ref InstanceProfile
KeyName: "devsecops"
SecurityGroups:
- !Ref SecurityGroup
UserData:
"Fn::Base64": !Sub |
#!/bin/bash
yum update -y
Operations Paved Road Example
Gold Image
Least privilege
Admin access
Network configuration
Supply chain security

11. Puma Security, LLCPuma Security, LLC 11
Templates covering approved technology stacks with protection for
common application security issues and misconfigurations:
• Node.js, Django, Spring Boot, .NET Core, Ruby Rails, Functions,
etc.
• Secrets management storage
• Secure transport configuration (HTTPS)
• Enable authentication / authorization
• Configure password management / single sign on
• Include common libraries for data validation, logging, encoding,
etc.
Development Paved Road

12. Puma Security, LLC 12Puma Security, LLC 12
.NET Core paved road example w/ security protections pre-
configured:1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
public void ConfigureServices(IServiceCollection services)
{
services.Configure<IdentityOptions>(options => {
options.Password.RequiredLength = 15;
options.Lockout.MaxFailedAccessAttempts = 5; }
services.AddMvc(options =>
{
options.Filters.Add(new AuthorizeFilter(new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser().Build())); });
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
app.UseRewriter(new RewriteOptions().AddRedirectToHttps());
app.AddSecurityHeaders();
}
Development Paved Road Example
Password Configuration
Authorization
HTTPS

13. Puma Security, LLCPuma Security, LLC
#2 Commit:
CI / CD Security Controls
13

14. Puma Security, LLCPuma Security, LLC
• Integrate tools to automate build, test, acceptance, and
deployment of infrastructure, cloud, and applications into a
repeatable workflow:
Continuous Integration & Delivery Security Controls COMMIT (CI)
14

15. Puma Security, LLCPuma Security, LLC
• Merging new features requires approval from peers and security
team prior to triggering the build pipeline:
CI / CD Security Controls: Version Control
15

16. Puma Security, LLCPuma Security, LLC
• Approved merge request triggers automated unit tests, security
scans, audit reports, and fast feedback:
CI / CD Security Controls: Acceptance Testing
16

17. Puma Security, LLCPuma Security, LLC
• Build pipelines contain artifacts from security scans and
compliance checks:
CI / CD Security Controls: Audit Reports
17

18. Puma Security, LLCPuma Security, LLC
#3 Acceptance:
Supply Chain Security
18

19. Puma Security, LLCPuma Security, LLC 19
Serious vulnerabilities can be inherited from open
source libraries, docker images, infrastructure
templates, and serverless functions:
• Carefully review content before usage
• Run tools to automatically the scan code base /
images
• Identify external dependencies
• Check against public vulnerability database(s)
• Integrate supply chain security scanning into
CI/CD
• WARNING: Some tools may not check
transitive dependencies
Supply Chain Security

20. Puma Security, LLCPuma Security, LLC 20
• OWASP Dependency Check (Java, .NET, Ruby,
Python)
– https://www.owasp.org/index.php/OWASP_Dependency
_Check
• Bundler-Audit (Ruby)
– https://github.com/rubysec/bundler-audit
• NPM Audit / Retire.JS (NodeJS)
– https://retirejs.github.io/retire.js/
– https://docs.npmjs.com/cli/audit
• PHP Security Checker
– https://security.sensiolabs.org/
Supply Chain Security: Application Scanning Tools
DEPENDENCY
MANAGEMENT
ACCEPTANCE

21. Puma Security, LLCPuma Security, LLC 21
• OWASP Dependency Check scan and vulnerability report in a
Jenkins CI pipeline:
Supply Chain Security: Application Scanning Example

22. Puma Security, LLCPuma Security, LLC 22
Open source container image security scanning tools:
• Anchore
— https://anchore.com/opensource/
• Actuary
— https://github.com/diogomonica/actuary
• Clair
— https://github.com/coreos/clair
• Falco
— https://github.com/draios/falco
Supply Chain Security: Container Image Scanning Tools
CONTAINER
SECURITY
ACCEPTANCE

23. Puma Security, LLCPuma Security, LLC 23
• Invoking an Anchore image scan and capturing vulnerability data
in a Jenkins CI pipeline:
Supply Chain Security: Container Image Scanning Example

24. Puma Security, LLCPuma Security, LLC 24
Hardened infrastructure templates can be used as references:
• DevSec Hardening Templates
— Automated hardening framework using Puppet, Chef, Ansible
— Linux, Windows, SSH, Docker, K8S, Apache, Nginx
— https://github.com/dev-sec
• System Integrity Management Platform (SIMP)
— Hardened Puppet infrastructure configuration and testing
— NIST 800-53, DISA STIG, FIPS 140-2 RHEL & CentOS templates
— https://github.com/simp/
Supply Chain Security: Hardened Infrastructure Templates
INFRASTRUCTURE AS
CODE
ACCEPTANCE

25. Puma Security, LLCPuma Security, LLC
Managing function dependencies in AWS Lambda can
be achieved using Layers:
• Build pipelines remove third-party libraries from
deployment packages
• CloudOps manages centralized layers containing
approved third-party libraries
• Third-party vendors are leveraging Layers to
further harden function runtime environments:
— PureSec FunctionShield
— Twistlock Defender
Supply Chain Security: FaaS Dependency Management
Lambda function
Layer
Layer
Execution
Environment
25

26. Puma Security, LLCPuma Security, LLC
#4 Operations:
Continuous Security Compliance
26

27. Puma Security, LLCPuma Security, LLC 27
Leveraging security configuration tools to automate audit
and compliance checks:
• Test the server and infrastructure configuration against
expected baseline and report any deviations
• Tests should include severity, risk level, and description
information
• Match tests against compliance checklist items or
regulatory policies
• Automated testing tools available for Linux, Unix,
Windows, AWS, Azure and VMWare
Continuous Security Compliance
PRODUCTION

28. Puma Security, LLCPuma Security, LLC 28
Security compliance / acceptance testing tools:
• InSpec
– https://github.com/inspec/inspec
• OpenSCAP
– https://github.com/OpenSCAP
• Cloud Custodian (AWS, GCP, Azure)
– https://github.com/cloud-custodian/cloud-custodian
• ScoutSuite (AWS, GCP, Azure)
– https://github.com/nccgroup/ScoutSuite
• AWS Benchmark Scanner
– https://github.com/awslabs/aws-security-benchmark
Continuous Security Compliance: Tools
SECURITY
CONFIGURATION
PRODUCTION

29. Puma Security, LLC 29Puma Security, LLC 29
Running InSpec against a running Docker container:
Example InSpec output results from the Linux baseline profile:
1
2
$ docker run -it --rm -v $(pwd):/share chef/inspec exec baseline -t
docker://container_id
Continuous Security Compliance: InSpec Docker Scan
1
2
3
4
5
6
7
8
9
✅ os-01: Trusted hosts login
✅☑︎ Command find / -name '.rhosts' stdout should be empty
✅ Command find / -name 'hosts.equiv' stdout should be empty
X os-02: Check owner and permissions for /etc/shadow (1 failed)
✅ File /etc/shadow should exist
✅ File /etc/shadow should be file
✅ File /etc/shadow should be owned by "root"
✅ File /etc/shadow should not be executable
X File /etc/shadow group should eq nil

30. Puma Security, LLCPuma Security, LLC 30
• Exporting InSpec results to JUnit format and integrating with
Jenkins CI:
Continuous Security Compliance: Jenkins InSpec Integration

31. Puma Security, LLCPuma Security, LLC 31
• Running the AWS CIS Benchmark scan via AWS Config rules:
Continuous Security Compliance: AWS CIS Benchmark Scan

32. Puma Security, LLCPuma Security, LLC Puma Security, LLC | 2019 32
Thank you for
attending!• Keys for Modern
Security Success
S U M M A R Y
1. Cloud & DevSecOps Practices
2. Pre-Commit: The Paved Road
3. Commit: CI / CD Security Controls
4. Acceptance: Supply Chain Security
5. Operations: Continuous Security
Compliance
Contact Information:
• eric.johnson@pumascan.com
• @emjohn20