Transcript of: Advanced Security Automation in DevOps
Sydney: Level 8, 66 King Street, Sydney NSW 2000
Melbourne: Level 15, 401 Docklands Drive, Docklands VIC 3008
Tel. 1300 922 923 | Intl. +61 2 9290 4444 | www.senseofsecurity.com.au
Sense of Security Pty Ltd, ABN 14 098 237 908
@ITSecurityAU
Security, it’s all we do. Knowledge, Experience & Trust.
Advanced Security Automation in DevOps
Murray Goldschmidt | Chief Operating Officer
Mar-17
The Robot Barista
Source: https://www.wired.com/2017/01/cafe-x-robot-barista/
Mar-17www.senseofsecurity.com.au © 2002-2017 Sense of Security Pty Limited Page 2
Why does Automation matter?
Ransomware Automation
Source: http://www.zdnet.com/article/new-dark-web-scheme-lets-wannabe-cybercriminals-get-in-on-ransomware-for-free/
Guess Who?
Yes, that’s YOU - DevOps DJ
DevOps Coverage: Speed & Timing
Core Infrastructure (Fabric Functions: AWS IAM, EC2, Azure)
Cloud Platform (Amazon RDS, S3, Lambda, etc.)
Network & OS (Linux, Windows, etc.)
Application Framework (Tomcat, Apache, .Net, IIS etc.)
Custom Application (1st party code, 3rd party libraries, etc.)
Introducing StackSec
Core Infrastructure (Fabric Functions: AWS IAM, EC2, Azure, etc.)
Cloud Platform (Amazon RDS, S3, Lambda, etc.)
Network & OS (Linux, Windows, etc.)
Application Framework (Tomcat, Nginx, Apache, etc.)
Custom Application (1st party code, 3rd party libraries, etc.)
Continuous Monitoring
StackSec – Layer by Layer
DevOps Mayhem
Tools, Tools & More Tools
Source: Momentum Partners
Coverage Across Public, Private & Hybrid Clouds
DevSecOps Lab
Pipeline stages shown: IDE, Source Code Repository, CI Build Server, Continuous Deployment, Staging Environment, Production Environment.
Security controls mapped onto the pipeline: Coding Helpers, Code Analysis, App Scanning (OWASP ZAP), Configuration/Vuln Management, Continuous Monitoring, Supply Chain Risk, Advanced Security Automation.
StackSec – Shifting Left
(Same DevSecOps Lab diagram.)
DevSecOps – All Encompassing
DevSecOps
Stack Security
Traditional DevOps
Application Security
Security Automation: Custom Application
Per Developer IDE Integration
Per Developer Sandbox Testing
Combined Project Static Analysis
Dynamic Testing
Continuous Monitoring (Public)
Pipeline stages: Code Commit → Build → Test → Deploy → UAT → Production
App Sec: Defense in Depth
Layer #1 – The developer has an opportunity to avoid introducing a security vulnerability in their IDE.
Layer #2 – Static code analysis triggered by the code commit action identifies the vulnerability – build fails.
Layer #3 – Automated dynamic scanning of the application detects the same vulnerability if it gets this far.
Layer #4 – Continuous Monitoring through the Vulnerability Management Program detects the exposed vulnerability. Add a comprehensive Manual Pen Test.
• Veracode Greenlight
• Eclipse
• Visual Studio
Security Bug Detection at the IDE
And Don’t Forget the O/S & 3rd Party Code + Dependency Chain
https://www.grammatech.com/
"44% of applications contain critical vulnerabilities in an open source component." ~ Veracode
Third Party Components @ IDE
• Advanced binary fingerprinting identifies all open source and proprietary components and dependencies.
• Categories: exact, similar or unknown.
• Configure policy actions to automatically prevent applications from moving forward with unwanted or unapproved components.
• Set up automated notifications when unwanted components are being used in your applications.
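The policy actions and notifications described above, as an added example (not code from the slides or from any vendor's product): a build-time component policy gate. The inventory format (one "name version match licence" line per component), the policy fields and every component name below are constructed for this example; a real fingerprinting tool's report would be mapped into this shape first.

```python
"""Software-composition policy gate: block the build on denied, unapproved or
unidentified components and emit one notification per violation."""

from dataclasses import dataclass, field

# The three match categories named on the slide: exact, similar, unknown.
MATCH_CATEGORIES = {"exact", "similar", "unknown"}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    match: str           # how fingerprinting matched it: exact / similar / unknown
    licence: str = ""    # licence as reported by the inventory, may be empty


@dataclass
class Policy:
    denied: set = field(default_factory=set)           # may never ship, any version
    approved: set = field(default_factory=set)         # explicitly approved components
    denied_licences: set = field(default_factory=set)  # licences not accepted in shipped code
    block_unknown: bool = True                         # unidentified component blocks the build


def parse_inventory(text):
    """Parse the constructed 'name version match [licence]' inventory format."""
    components = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        name, version, match = fields[0], fields[1], fields[2]
        licence = fields[3] if len(fields) > 3 else ""
        if match not in MATCH_CATEGORIES:
            raise ValueError(f"unknown match category {match!r} for {name}")
        components.append(Component(name, version, match, licence))
    return components


def evaluate(components, policy):
    """Return (component, reason) violations; an empty list means the build may proceed."""
    violations = []
    for c in components:
        if c.name in policy.denied:
            violations.append((c, "component is on the deny list"))
        elif c.match == "unknown" and policy.block_unknown:
            violations.append((c, "component could not be identified"))
        elif c.name not in policy.approved:
            violations.append((c, "component has not been approved"))
        if c.licence and c.licence in policy.denied_licences:
            violations.append((c, f"licence {c.licence} is not accepted"))
    return violations


def notifications(violations):
    """One notification line per violation (the automated-notification policy action)."""
    return [f"{c.name} {c.version} ({c.match} match): {reason}" for c, reason in violations]


def gate(inventory_text, policy):
    """Build-step entry point: True when the application may move forward."""
    return not evaluate(parse_inventory(inventory_text), policy)


# Constructed sample inventory; the component names are invented for this example.
SAMPLE_INVENTORY = """
# name             version  match    licence
acme-collections   3.2.1    exact    Apache-2.0
fast-json          2.9.8    exact    Apache-2.0
left-pad-clone     0.1.0    similar  MIT
blob_a9f3          ?        unknown
"""

# Constructed sample policy.
SAMPLE_POLICY = Policy(
    denied={"acme-collections"},
    approved={"fast-json", "left-pad-clone"},
    denied_licences={"AGPL-3.0"},
)

if __name__ == "__main__":
    found = evaluate(parse_inventory(SAMPLE_INVENTORY), SAMPLE_POLICY)
    for line in notifications(found):
        print("NOTIFY:", line)
    print("build may proceed:", gate(SAMPLE_INVENTORY, SAMPLE_POLICY))
```

Run as a CI build step, a `False` verdict is turned into a non-zero exit so the job fails and the artefact never reaches deployment; the same `evaluate` function can back the IDE-side check with a softer policy (for example `block_unknown=False`) so developers see the warning before they commit.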
Software Composition Analysis @ Build
Early Dev, Mid Dev & Build Coverage on Commit
Scan Early, Scan Often
Applications that used sandbox had an average fix rate of 59%, or a 2x improvement in fix rate.
• Veracode
• Static Code Analysis
• Dynamic Code Analysis
Static Binary and Dynamic Application Scanning
• Remember your DevOps tools too!
• Many don’t have out of the box security controls enabled
• E.g. Jenkins default installation:
  • NO access control
  • NO audit of configuration changes.
• #facepalm
StackSec: Configuration Management
Jenkins on the ‘Net in AU
Preventing a deployment if something fails.
Automating Security at the Deploy Layer
Using Scan 1218389
Checks Failed
POST BUILD TASK : FAILURE
END OF POST BUILD TASK: 0
ESCALATE FAILED POST BUILD TASK TO JOB STATUS
Build step ‘Post build task’ changed build result to FAILURE
Finished: FAILURE
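The console output above shows a post-build task escalating a failed scan to the job status. As an added example (not code from the slides or from the Post build task plugin), the following build step does the same from a scanner report: it applies a severity threshold, writes the console lines and returns a non-zero exit code so the job is marked FAILURE and the deployment stops. The report shape (a JSON document with a list of checks) and the checks themselves are constructed; only the scan id is taken from the slide.

```python
"""Deploy-gate build step: map a scan report to a Jenkins-style job result."""

import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def failed_checks(report, fail_at="high"):
    """Checks that failed at or above the threshold severity (assumed policy: fail at 'high')."""
    threshold = SEVERITY_RANK[fail_at]
    return [
        c for c in report["checks"]
        if c["status"] == "FAIL" and SEVERITY_RANK[c["severity"]] >= threshold
    ]


def job_result(report, fail_at="high"):
    """Return (result, console_lines); result is 'SUCCESS' or 'FAILURE'."""
    failing = failed_checks(report, fail_at)
    lines = [f"Using Scan {report['scan_id']}"]
    if failing:
        lines.append(f"Checks Failed: {len(failing)}")
        for c in failing:
            lines.append(f"  [{c['severity'].upper()}] {c['id']}: {c['title']}")
        lines.append("Finished: FAILURE")
        return "FAILURE", lines
    lines.append("All checks passed")
    lines.append("Finished: SUCCESS")
    return "SUCCESS", lines


def exit_code(result):
    """A non-zero exit is what escalates the failed task to the job status."""
    return 0 if result == "SUCCESS" else 1


# Constructed sample report; the scan id is the one shown on the slide, the checks are invented.
SAMPLE_REPORT = json.loads("""
{
  "scan_id": 1218389,
  "checks": [
    {"id": "TLS-001", "title": "certificate expired", "severity": "high", "status": "FAIL"},
    {"id": "OS-017", "title": "ssh password authentication enabled", "severity": "medium", "status": "FAIL"},
    {"id": "APP-004", "title": "framework version supported", "severity": "critical", "status": "PASS"}
  ]
}
""")

if __name__ == "__main__":
    # Usage: python deploy_gate.py [report.json]; without a path the sample report is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    result, console = job_result(report)
    print("\n".join(console))
    sys.exit(exit_code(result))
```

The threshold is what keeps the gate usable: medium findings are still reported for the vulnerability-management queue, while only high and critical ones block the release, so the team does not learn to ignore a gate that fails on every build.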
Security Automation: App Delivery, OS & N/W
• Vulnerability Management
• Patch Management
• Configuration Management
• Hardening of Framework Configurations
• Hardening of OS & Apps
• Policy Compliance Automated Testing
• Continuous Monitoring – External & Internal
• Automation through Deployment Through Code
• Use Immutable Objects
• Update Source Repos
• Use Deployment Mgt to focus on StackSec: (a) access control, (b) integrity of configuration, (c) auditability of changes.
Security for Deployment Automation
• Concerns in this layer:
• Heartbleed
• Expired SSL Certs
• Assessed through external continuous scans
• Unpatched/Vulnerable server apps like Tomcat/Apache
• Configuration Management issues
Use Automation to Solve Common Issues
Network & OS: Continuous Scanning
Network & OS: Continuous Scanning
• Coverage across OS & App configs needed
• Combination of FIM & Policy Compliance, Hardening Checks
• SoD for Development, Staging and Prod Environments
Configuration Management – Infra & OS
Production Environment Policy Scanning
Verification of Hardening via Policy Scanning
• Ensuring that production environments are verifiably hardened before deployment.
• Can be automated to prevent a production deployment.
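The "FIM & Policy Compliance, Hardening Checks" combination from the Network & OS slide and the pre-deployment hardening verification described just above, as one added example (not code from the slides or from any scanning product): a policy scan that compares the current configuration files against an approved baseline, checks a few hardening rules, and returns a verdict a deployment step can act on. The file contents, baseline and rules are constructed for the example; a real benchmark has many more rules.

```python
"""Policy scan for a host: file-integrity check against a baseline plus hardening rules."""

import hashlib
import re
import sys


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """FIM baseline: path -> SHA-256 of the approved content (taken from the golden image)."""
    return {path: sha256_hex(content) for path, content in files.items()}


def fim_changes(baseline, current):
    """Files modified, removed or added relative to the baseline."""
    changes = []
    for path, digest in baseline.items():
        if path not in current:
            changes.append((path, "removed"))
        elif sha256_hex(current[path]) != digest:
            changes.append((path, "modified"))
    for path in current:
        if path not in baseline:
            changes.append((path, "added"))
    return changes


# Hardening rules (constructed): (rule id, file, regex an uncommented line must match, description).
HARDENING_RULES = [
    ("SSH-01", "/etc/ssh/sshd_config", r"^PermitRootLogin\s+no$", "root login over SSH disabled"),
    ("SSH-02", "/etc/ssh/sshd_config", r"^PasswordAuthentication\s+no$", "password authentication disabled"),
    ("TC-01", "/opt/tomcat/conf/server.xml", r'shutdown="(?!SHUTDOWN")', "Tomcat shutdown command is not the default"),
]


def hardening_failures(current):
    """Rules whose required setting is absent from the file's uncommented lines."""
    failures = []
    for rule_id, path, pattern, desc in HARDENING_RULES:
        text = current.get(path, b"").decode()
        lines = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
        if not any(re.search(pattern, ln) for ln in lines):
            failures.append((rule_id, path, desc))
    return failures


def policy_scan(baseline, current):
    """Combined verdict: ('PASS' | 'FAIL', fim_changes, hardening_failures)."""
    changes = fim_changes(baseline, current)
    failures = hardening_failures(current)
    return ("FAIL" if changes or failures else "PASS"), changes, failures


# Constructed approved state (what the hardened image ships with).
APPROVED_FILES = {
    "/etc/ssh/sshd_config": b"# constructed sample\nPermitRootLogin no\nPasswordAuthentication no\n",
    "/opt/tomcat/conf/server.xml": b'<Server port="8005" shutdown="x7Qv93pLmz">\n</Server>\n',
}
BASELINE = build_baseline(APPROVED_FILES)

# Constructed drifted state: sshd_config edited by hand and an unexpected file added.
DRIFTED_FILES = {
    "/etc/ssh/sshd_config": b"# constructed sample\nPermitRootLogin yes\nPasswordAuthentication no\n",
    "/opt/tomcat/conf/server.xml": APPROVED_FILES["/opt/tomcat/conf/server.xml"],
    "/etc/cron.d/unknown-job": b"0 3 * * * root /usr/local/bin/report.sh\n",
}

if __name__ == "__main__":
    verdict, changes, failures = policy_scan(BASELINE, DRIFTED_FILES)
    for path, kind in changes:
        print(f"FIM: {path} {kind}")
    for rule_id, path, desc in failures:
        print(f"HARDENING: {rule_id} failed on {path} ({desc})")
    print("Policy scan:", verdict)
    sys.exit(0 if verdict == "PASS" else 1)  # non-zero blocks the deployment step
```

Separation of duties falls out of the same structure: the baseline is produced from the image build in the repository, not on the production host, so an operator who can change the running configuration cannot also re-bless it without a change that is itself audited.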
Security Automation: Cloud Platform & Core Infra
• Cloud Platform Configuration Scanning
• Best Practice & Policy Compliance Tests
• Access & Network Control Auditing (ACLs)
• Visualisation of Tenancy
• Self Healing of Defined Controls
• AWS IAM Config Checks
• Automation to detect any change as it occurs
• Self Healing for API Bind with R/W Permissions
• Cut Your Own Code (Lambda) or use Commercial Products
• Setting policies for Best Practice and/or PCI/ISM etc. compliance
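The "detect any change as it occurs, then self heal a defined control" loop above, as an added example (not code from the slides, not Dome9 or any other product) for the cut-your-own-code path: one mandatory control evaluated over a security group in the shape the EC2 DescribeSecurityGroups API returns, with a remediation plan and a pluggable apply hook. In a Lambda bound to a credential with write permissions the hook would make the revoke API call; here the hook is an in-memory stand-in so the example runs offline. The control, the sample group and its ids are constructed.

```python
"""Detect and self-heal one mandatory control: admin ports are never open to the internet."""

import copy

# Constructed mandatory control.
ADMIN_PORTS = {22, 3389}
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_covers_port(rule, port):
    """True if an ingress rule (DescribeSecurityGroups shape) admits traffic to `port`."""
    if rule.get("IpProtocol") == "-1":   # all protocols, all ports
        return True
    if rule.get("IpProtocol") not in ("tcp", "udp"):
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def public_ranges(rule):
    """CIDRs on the rule that mean 'the whole internet', v4 and v6."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", []) if r["CidrIp"] in PUBLIC_CIDRS]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r["CidrIpv6"] in PUBLIC_CIDRS]
    return v4 + v6


def find_violations(group):
    """Detect: ingress rules exposing an admin port to a public CIDR."""
    violations = []
    for rule in group.get("IpPermissions", []):
        ranges = public_ranges(rule)
        if not ranges:
            continue
        for port in sorted(ADMIN_PORTS):
            if rule_covers_port(rule, port):
                violations.append({"port": port, "protocol": rule["IpProtocol"], "cidrs": ranges})
    return violations


def remediation_plan(group, violations):
    """Plan: one revoke action per offending CIDR, restoring the defined control."""
    return [
        {"action": "revoke_ingress", "group_id": group["GroupId"],
         "protocol": v["protocol"], "port": v["port"], "cidr": cidr}
        for v in violations for cidr in v["cidrs"]
    ]


def self_heal(group, apply):
    """Detect, plan, apply.  `apply(action)` is the write hook (a revoke API call in a Lambda)."""
    violations = find_violations(group)
    plan = remediation_plan(group, violations)
    for action in plan:
        apply(action)
    return violations, plan


def revoke_in_memory(group, action):
    """Stand-in for the API call: drop the CIDR from the matching rule of an in-memory group."""
    for rule in group["IpPermissions"]:
        if rule["IpProtocol"] != action["protocol"] or not rule_covers_port(rule, action["port"]):
            continue
        rule["IpRanges"] = [r for r in rule.get("IpRanges", []) if r["CidrIp"] != action["cidr"]]
        rule["Ipv6Ranges"] = [r for r in rule.get("Ipv6Ranges", []) if r["CidrIpv6"] != action["cidr"]]


def heal_copy(group):
    """Heal a deep copy with the in-memory hook; returns (healed_group, violations, plan)."""
    healed = copy.deepcopy(group)
    violations, plan = self_heal(healed, lambda action: revoke_in_memory(healed, action))
    return healed, violations, plan


# Constructed sample group in the DescribeSecurityGroups shape (ids are placeholders).
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

if __name__ == "__main__":
    healed, violations, plan = heal_copy(SAMPLE_GROUP)
    for action in plan:
        print("applied:", action)
    print("violations after healing:", find_violations(healed))
```

Two design points matter when this runs from a change event rather than on a schedule: the detection is re-run after the apply step so the function only reports "healed" when the control actually holds, and the plan revokes the offending CIDR only, leaving the internal 10.0.0.0/8 rule and the HTTPS rule untouched, so the self-healing credential never needs more than the revoke permission.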
Core Infrastructure
Cloud Configuration Analysis
• Dome9
• Detecting configuration issues
• Automated Fixes thru “Self Healing” of defined Mandatory Controls
• Extension to API for Deployment Mgt (Jenkins)
Visualise the VPC & View Flow Logs
Visualise Connectivity on Per Instance Basis
Policy Compliance for Cloud Infra
Automated API Amazon Configuration Scan
Full Spectrum (Stack) Security
• Automation can dramatically improve security
• Make the application build success rely on the security state of the entire stack environment.
• Don’t make it too complicated
Achieving Full Spectrum
DevSecOps Lab – App Layer, walked through in four steps: IDE & Build; Build & Deploy; Deploy, Stage, Prod; Continuous Monitoring
Pipeline stages shown: IDE, Source Code Repository, CI Build Server, Continuous Deployment, Staging Environment, Production Environment.
Security controls mapped onto the pipeline: Coding Helpers, Code Analysis, App Scanning (OWASP ZAP), Continuous Monitoring, Supply Chain Risk, Advanced Security Automation.
DevSecOps Lab – Cloud & Server Infrastructure Layer
Pipeline stages shown: Infra as Code Repository, CI Build Server, Machine Image Repository, Continuous Deployment, Cloud Environment, Staging Environment, Production Environment.
Security controls mapped onto the pipeline: Vulnerability Management, Policy Compliance, Configuration Management, Hardening, Continuous Monitoring, Advanced Security Automation.
Yes You Can Achieve StackSec!
Thank You!
© 2002 – 2017 Sense of Security Pty Limited. All rights reserved.
Some images used under license from Shutterstock.com or with permission from respective trademark owners. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher.
Murray Goldschmidt | Chief Operating Officer