Post on 07-Jan-2017
SECURITY AS CODE
A NEW FRONTIER
Christian Price, Cloud Security Architect, Intuit
Shannon Lietz, Sr. Mgr & DevSecOps Leader, Intuit
IN THE BEGINNING
COMPLIANCE
• 375 PAGE DOCUMENT
• MINIMUM BASELINE: 87 RATIONALIZED CONTROLS
• RISK BASED ON IMPACT & LIKELIHOOD
SOFTWARE DEVELOPER
• OK – HOW DOES THAT APPLY TO WHAT I DO?
[Slide image: page 3 of 375 of "Security Configuration Procedures", V 3.6.0.1.1, January 2011, stamped UBERSECRET]
CHOICE
WHO WE ARE
• CLOUD SECURITY ENGINEERING @ INTUIT
• 20+ YEARS OF SECURITY EXPERIENCE
• DIVERSIFIED GROUP OF DEVELOPERS, OPERATIONS & SECURITY
• FOUNDERS OF DEVSECOPS.ORG
• RUGGED BUNCH OF RESEARCHERS & EMERGING TECHNOLOGISTS
-- FOUNDER --
QUICK OVERVIEW
• PROBLEM STATEMENT
• DEVOPS REQUIRES CONTINUOUS DEPLOYMENTS
• FAST DECISION MAKING IS CRITICAL TO DEVOPS SUCCESS
• TRADITIONAL SECURITY JUST DOESN’T SCALE OR MOVE FAST ENOUGH
• WELCOME DEVSECOPS!
• CUSTOMER FOCUSED MINDSET
• SCALE, SCALE, SCALE
• OBJECTIVE CRITERIA
• PROACTIVE HUNTING
• CONTINUOUS DETECTION & RESPONSE
BangHead Here
RUGGED SECURITY
[Diagram: Rugged Security. Quadrants: Compliance Operations, Security Operations, Security Science, Security Engineering. Axis labels: OPS, SEC, DEV, AppSec. Three areas marked NEW.]
• Security as Code
• Self-Service Testing
• Red Team/Blue Team
• Inline Enforcement
• Analytics & Insights
• Detect & Contain
• Incident Response
• Investigations
• Forensics
THE ART OF DEVSECOPS -> SECURITY AS CODE
DevSecOps
Security Engineering
Experiment, Automate, Test
Security Operations
Hunt, Detect, Contain
Compliance Operations
Respond, Manage, Train
Security Science
Learn, Measure, Forecast
EVOLUTION
FULL STACK VULNERABILITIES
• API KEY EXPOSURE -> 8 HRS
• DEFAULT CONFIGS -> 24 HRS
• SECURITY GROUPS -> 24 HRS
• ESCALATION OF PRIVS -> 5 DAYS
• KNOWN VULN -> 8 HRS
SECURITY AS CODE
• INFRASTRUCTURE -> TEMPLATES & RECIPES
• FIREWALLS -> SECURITY GROUPS
• ACCESS CONTROLS -> IAM USERS AND POLICIES
• IDS -> HOST AGENTS & RESOURCE TESTING
• LOGGING -> API & INSTANCE LOGGING
• FORENSICS -> SNAPSHOTS & API PROFILE
• VULNERABILITY SCORES -> GRADES
SOFTWARE DEFINED UPS & DOWNS
PLUS
• FAR MORE DATA THAT SIMPLY NEEDS TO BE HARNESSED
• FASTER DETECTION, CONTAINMENT & REMEDIATION
• ABILITY TO REFRESH STACKS TO AVOID CRITICAL ISSUES
MINUS
• MUCH EASIER TO MAKE CRITICAL MISTAKES
• MOST EVENTS COME FROM DEFAULT IMPLEMENTATIONS
• HUGE DATA MAKES EVERYTHING HARDER
LOW FRICTION TRANSPARENT GOVERNANCE
[Diagram: a Central Account (Trusted) with an Admin identity; each of six member accounts has its own IAM and a SecRole that the central account's IAM principals assume.]
How did we decide which roles would be deployed?
• Human
  • IAM Admin
  • Incident Response
  • Read Only
• Services
  • IAM Grantor
  • Instance Roles required to support security services
  • Read Only
TOOLS
ENVIRONMENT
• SOFTWARE-DEFINED ENVIRONMENT
• BLAST RADIUS CONTAINMENT
• NATIVE MULTI-FACTOR AUTH
• GRANULAR ACCESS CONTROLS
• EXTENSIVE LOGGING
AWS · RUBY, PYTHON, GO · API/MICRO-SERVICES · LOG EVENTS
GITHUB
• BASELINE TEMPLATES (CLOUDFORMATION, SCRIPTS, ETC.)
• PATTERNS & DECISIONS
• RULES, SIGNATURES, SEARCH QUERIES, ALERT DEFINITIONS
• WHITELISTING & SHARING TO EXTEND FOR SCALE
COMPONENTS
MACHINE IMAGES · DOCKER CONTAINERS · BASELINE SCRIPTS · LIBRARIES & TOOLKITS
• BUILD SECURE COMPONENTS FOR INCLUSION
• MAKE RESOURCE LEVEL CHANGES AND DISSEMINATE TO TEAMS
• APPLY LESSONS FROM SECURITY OPERATIONS & INCIDENT RESPONSE TO BASELINE COMPONENTS
• MANAGE FOR DRIFT BY BUILDING OUT DIFF TOOLS
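The "diff tools" bullet above, the FIREWALLS -> SECURITY GROUPS mapping and the later TABLE STAKES advice to scope security groups tightly all describe the same check: compare what the template says a group should allow with what the account actually allows, and grade whatever widened. The script below is an added example and not code from the deck or from Intuit. The baseline and the "live" snapshot are constructed inline (the live side is in the shape of an EC2 describe-security-groups response) so it runs offline; in a pipeline the live side would come from the API.

```python
"""Drift check for AWS security groups: baseline (from the template/recipe)
versus a live snapshot, reporting every rule that differs and how bad it is.

Added example; BASELINE and LIVE are constructed data, not real accounts.
"""
import ipaddress

# Constructed baseline: rules as (protocol, from_port, to_port, cidr).
BASELINE = {
    "sg-web": {
        ("tcp", 443, 443, "0.0.0.0/0"),
        ("tcp", 22, 22, "10.0.0.0/8"),
    },
    "sg-db": {
        ("tcp", 5432, 5432, "10.0.1.0/24"),
    },
}

# Constructed "live" snapshot in describe-security-groups shape, after
# somebody hand-edited the console.
LIVE = [
    {
        "GroupName": "sg-web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},   # drift: SSH opened to the world
        ],
    },
    {
        "GroupName": "sg-db",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
            {"IpProtocol": "-1", "FromPort": None, "ToPort": None,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},  # drift: all traffic from the VPC range
        ],
    },
]


def flatten(live):
    """Turn API-shaped permissions into the same tuple form as the baseline."""
    out = {}
    for g in live:
        rules = set()
        for p in g["IpPermissions"]:
            proto = p["IpProtocol"]
            lo, hi = p.get("FromPort"), p.get("ToPort")
            if proto == "-1":          # "-1" means all protocols; ports are absent
                lo, hi = 0, 65535
            for r in p.get("IpRanges", []):
                rules.add((proto, lo, hi, r["CidrIp"]))
        out[g["GroupName"]] = rules
    return out


def severity(rule):
    """Grade an added rule: world-open beats all-protocol/port-range beats single port."""
    proto, lo, hi, cidr = rule
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "critical"
    if proto == "-1" or (hi - lo) > 0:
        return "high"
    return "medium"


def drift(baseline, live):
    """Return {group: [(kind, severity, rule), ...]} for every rule that differs."""
    report = {}
    live_rules = flatten(live)
    for name in sorted(set(baseline) | set(live_rules)):
        want = baseline.get(name, set())
        have = live_rules.get(name, set())
        findings = [("added", severity(r), r) for r in sorted(have - want)]
        findings += [("removed", "info", r) for r in sorted(want - have)]
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for group, findings in drift(BASELINE, LIVE).items():
        for kind, sev, rule in findings:
            print(f"{group}: {kind} [{sev}] {rule}")
```

Running this against the constructed data flags the world-open SSH rule on sg-web as critical and the all-protocol rule on sg-db as high; the removed 10.0.0.0/8 SSH rule is reported at info level so the change record is complete. Wiring it to a scheduler (the deck's baseline checks) and re-stacking the affected group from the template is the remediation path the deck argues for.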
RESOURCE TESTING & VALIDATION
• RESOURCE AND COMPONENT TESTING IMPROVES RUGGEDNESS OF SOFTWARE DURING INTEGRATION
• TOOLS CAN BE CALLED FROM CONTINUOUS INTEGRATION & CONTINUOUS DEPLOYMENT PIPELINE
• RESPONDERS CAN TRIGGER INLINE TESTING TO IDENTIFY VULNERABILITIES UNDER ATTACK
• ATTACKS ARE DEFINED IN GHERKIN
• API TO REQUEST TESTING BY TYPE
ZAP PROXY · GAUNTLT · NESSUS · NEXPOSE · METASPLOIT · BURP SUITE
LIFECYCLE/AUDITOR
SCHEDULER & QUEUES
• SCHEDULING FOR BASELINE CHECKS
• AD-HOC OPERATIONS REQUIRE QUEUES
• COORDINATION AMONG MICRO-SERVICES
• MULTI-USE DATA SUPPORTS VARYING SECURITY VIEWS
RESQUE · SNS · SQS · KINESIS · KAFKA
RECONNAISSANCE: DATA IS CRITICAL
[Diagram: AWS accounts (S3, Glacier, EC2, CloudTrail) and threat intel feed an ingestion layer; security tools & data flow into security science and insights.]
SELF-SERVICE
RESPONDER, SELFIE & GRAVE ROBBER
• TOOLKIT FOR INCIDENT RESPONDERS TO TRIAGE & QUERY ACCOUNT & INSTANCES AT SAME TIME
• SNAPSHOT INSTANCES FOR REAL-TIME ANALYSIS
• LOTS OF STORAGE, FASTER WHEN BIG DATA IS APPLIED
RUBY · AWS API · DR ACCOUNT · ENCASE
LESSONS
TABLE STAKES
• GO NATIVE, WHEN POSSIBLE
• MFA -> TABLE-STAKES, USE IT.
• PRIVILEGED ACCESS -> USE LEAST PRIVILEGE, ASSUMEROLE WHEN NEEDED
• SECURITY GROUPS -> LIMIT ACCESS AND SCOPE TO SPECIFIC NEEDS
• DEPLOYMENT AUTOMATION -> OVER-PRIVILEGED, UNDER-SECURED
• RE-STACK OFTEN -> CRITICAL VULNERABILITIES OCCUR ON AVERAGE EVERY 10 DAYS.
• USE ENCRYPTION OPTIONS
DON’T BE AN ALL-*
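The TABLE STAKES slide (least privilege, AssumeRole, MFA) and the earlier central-account design (a SecRole in every member account, assumable only from the trusted account) both come down to what the IAM JSON says. The linter below is an added example, not code from the deck or from Intuit. It flags the "all-*" pattern in identity policies and, for a SecRole trust policy, any principal outside the trusted account and any human path without an MFA condition. The policy documents and the account ID 111122223333 are constructed placeholders.

```python
"""Lint IAM policy documents before a pipeline deploys them.

Added example. Checks:
  * identity policies: Action "*", whole-service "svc:*", and Resource "*"
    on anything other than Describe/Get/List/Lookup calls
  * role trust policies: only the trusted account may sts:AssumeRole, and
    sessions must carry aws:MultiFactorAuthPresent
All documents and the account ID below are constructed.
"""

READ_PREFIXES = ("Describe", "Get", "List", "Lookup")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _allow_statements(doc):
    return [(i, s) for i, s in enumerate(_as_list(doc.get("Statement", [])))
            if s.get("Effect") == "Allow"]


def _is_read(action):
    """True for ec2:Describe*, iam:GetUser, s3:ListBucket and similar."""
    return ":" in action and action.split(":", 1)[1].startswith(READ_PREFIXES)


def lint_policy(doc):
    """Findings as (statement index, message) for an identity or resource policy."""
    findings = []
    for i, s in _allow_statements(doc):
        actions = _as_list(s.get("Action", []))
        resources = _as_list(s.get("Resource", []))
        if "*" in actions:
            findings.append((i, "Action is '*'"))
        else:
            whole = [a for a in actions if a.endswith(":*")]
            if whole:
                findings.append((i, "Action grants a whole service: " + ", ".join(whole)))
        # Describe/Get/List calls commonly need Resource "*"; writes should not.
        if "*" in resources and not all(_is_read(a) for a in actions):
            findings.append((i, "Resource is '*' for non-read actions"))
    return findings


def lint_trust_policy(doc, trusted_account):
    """Findings for a role trust policy: who may AssumeRole, and whether MFA is required."""
    findings = []
    for i, s in _allow_statements(doc):
        principal = s.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws:
            acct = p.split(":")[4] if p.startswith("arn:") else p
            if p == "*":
                findings.append((i, "Principal is '*': any AWS account can assume this role"))
            elif acct != trusted_account:
                findings.append((i, f"Principal from untrusted account {acct}"))
        if aws:  # cross-account/human principals: require MFA on the session
            mfa = s.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
            if str(mfa).lower() != "true":
                findings.append((i, "no aws:MultiFactorAuthPresent condition"))
    return findings


# Constructed policy documents.
OVERBROAD = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DEPLOYER = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": ["ec2:*", "s3:PutObject"], "Resource": "*"}]}
READ_ONLY = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow",
                            "Action": ["ec2:Describe*", "iam:Get*", "iam:List*",
                                       "cloudtrail:LookupEvents"],
                            "Resource": "*"}]}
CENTRAL = "111122223333"  # placeholder for the central trusted account
TRUST_OPEN = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                             "Action": "sts:AssumeRole"}]}
TRUST_SECROLE = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow",
                                "Principal": {"AWS": f"arn:aws:iam::{CENTRAL}:root"},
                                "Action": "sts:AssumeRole",
                                "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

if __name__ == "__main__":
    for name, doc in [("OVERBROAD", OVERBROAD), ("DEPLOYER", DEPLOYER), ("READ_ONLY", READ_ONLY)]:
        print(name, lint_policy(doc) or "ok")
    for name, doc in [("TRUST_OPEN", TRUST_OPEN), ("TRUST_SECROLE", TRUST_SECROLE)]:
        print(name, lint_trust_policy(doc, CENTRAL) or "ok")
```

The deployer policy is the case the deck calls out as "over-privileged, under-secured": not an outright `*`, but `ec2:*` plus a write on every resource. The trust policy passes only when the principal is the central account and the MFA condition is present; dropping either produces a finding, which is the gate a "SecRole" template should fail on before it reaches an account.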
DON’T EMBED SECRETS…
…DON’T PUT ANY API KEYS, SSH PRIVATE KEYS, OR SSL PRIVATE KEYS IN:
• CLOUDFORMATION,
• USER-DATA,
• GIT,
• OR ANYWHERE ELSE THAT CAN’T KEEP A SECRET, SECRET
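CloudFormation, user-data and git are all text that a pipeline sees before it is deployed or pushed, so the rule above can be enforced mechanically. The scanner below is an added example, not code from the deck or from Intuit. It looks for the three things the slide names: AWS access key IDs (the 20-character AKIA/ASIA form), an AWS secret key sitting next to its variable name, and PEM private-key headers. The user-data script it scans is constructed; the key values in it are AWS's published documentation examples, not live credentials.

```python
"""Scan text bound for CloudFormation, user-data or git for embedded secrets.

Added example; SAMPLE_USER_DATA is constructed and the key values in it are
AWS's documentation placeholders, not real credentials.
"""
import re

PATTERNS = {
    # Long-term (AKIA) and temporary (ASIA) access key IDs: 4-char prefix + 16 chars.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # 40-char secret next to its usual variable/key name; group 1 is the value.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    # PEM headers for SSH/SSL private keys.
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
}

# Constructed user-data: the kind of script that ends up in a launch configuration.
SAMPLE_USER_DATA = """#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
cat > /root/.ssh/id_rsa <<EOF
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
EOF
aws s3 cp s3://my-bucket/app.tar.gz /opt/app/
"""


def redact(value):
    """Keep enough of a match to recognise the finding without re-leaking it."""
    if value.startswith("-----"):
        return value
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan(text, source="<input>"):
    """Return findings as (source, line_number, kind, redacted_value)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append((source, lineno, kind, redact(value)))
    return findings


def pipeline_gate(sources):
    """sources: {name: text}. Returns (exit_code, findings); non-zero fails the build."""
    findings = []
    for name, text in sources.items():
        findings.extend(scan(text, name))
    return (1 if findings else 0), findings


if __name__ == "__main__":
    code, found = pipeline_gate({"user-data.sh": SAMPLE_USER_DATA})
    for src, line, kind, shown in found:
        print(f"{src}:{line}: {kind}: {shown}")
    print("exit", code)
```

The findings are redacted before they are printed or logged, since the point of the scan is to stop the secret spreading, not to copy it into a CI log or an alert. Pattern matching of this kind catches the well-formed cases (fixed-format key IDs, PEM headers); a base64 blob or a password in a config value needs an entropy check or a known-format list on top.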
DON’T OVER-SHARE…
WE DON’T WANT TO KNOW YOUR SECRETS…
…AND YOU DON’T WANT YOUR SECRETS GETTING OUT.
DON’T BE A ZERO
CHOICE?
EMERGING SECURITY TRENDS
• SHORTAGE OF SECURITY PROFESSIONALS
• BIG COMPANIES ARE ATTEMPTING TO SCALE SECURITY TO MOVE FASTER: FACEBOOK, NETFLIX, LINKEDIN, AWS, INTUIT
• INDUSTRY LEADERS TALKING ABOUT THE INTEGRATION OF DEVOPS & SECURITY: JOE SULLIVAN, JASON CHAN, GENE KIM, JOSH CORMAN
• INTRODUCTION OF DEVSECOPS AT MIRCON IN 2014
• SECDEVOPS AT RSA 2015 WAS A FULL DAY OF DEDICATED CONTENT
• LINKEDIN PEOPLE SEARCH: 36 DEVSECOPS, 13 SECDEVOPS, 11 DEVOPSSEC, 33K+ CLOUD SECURITY
GET INVOLVED
• DEVSECOPS.ORG
• @DEVSECOPS ON TWITTER
• DEVSECOPS ON LINKEDIN
• RUGGEDSOFTWARE.ORG
• JOIN US !!!