#RSAC
SESSION ID: CSV-T11
DevSecOps In The Cloud Is Not Just CI/CD: Embracing Security Automation
Henrik Johansson
Security Specialist Solutions Architect
Amazon Web Services
@henrikjay
Terminology Disclaimer
import re
re.search(r'([Dd]ev[Ss]ec|[Ss]ec[Dd]ev|[Rr]ugged\s[Dd]ev)[Oo]ps', buzzword)  # whatever you call it...
=
Security Automation
At Scale
© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why / Who / Where / When / What
Why
Why - Goals of DevSecOps
• Pace of Innovation ... meet Pace of Security Automation
• Elastic and autonomous security validation of instance deployments
• Risk/rating based actions
• Automatic Incident Response Remediation
• Security at scale
Who
Me?
Purpose
• Security is a service team, not a blocker
• Security is everyone's job
• Allow flexibility and freedom, but control the flow and result.
Meet the new security team
• Operations
• Engineering
• Development
• Application Security
• Compliance
Where
3 (+) places
Where
1. Security of the CI/CD Pipeline
   • Access roles
   • Hardening build servers/nodes
2. Security in the CI/CD Pipeline
   • Artifact validation
   • Static code analysis
CI/CD for DevOps
[Pipeline diagram] Dev commits Code, Config and Tests to Git/master (Version Control) -> CI Server gets/pulls the code -> Package Builder installs, creates images and pushes them to the Artifact Repo (deployment templates for infrastructure generate the config) -> Deploy Server -> Test Env -> Staging Env -> Prod Env
• Distributed Builds
• Run Tests in parallel
• Send Build Report to Dev
• Stop everything if build failed
CI/CD for DevSecOps
[Pipeline diagram, same flow with security steps added] Continuous Scan of the deployment templates for infrastructure -> Dev commits Code, Config and Tests (block creds from git) -> Version Control -> CI Server gets/pulls the code (scan hook) -> Package Builder creates images, with Checksum and Audit/Validate on the images -> Promote Process -> Test Env -> Staging Env -> Prod Env
• Log for audit
• Send Build Report to Security
• Stop everything if audit/validation failed
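The Checksum, Audit/Validate and Promote steps of the DevSecOps pipeline above, as an added example (this is not code from the talk or from AWS). It assumes the build step records a SHA-256 per artifact in a manifest and authenticates the manifest with an HMAC under a key only the CI server holds; the promote step verifies both and stops everything on any mismatch. The key, the artifacts and the function names (build_manifest, audit_validate, promote) are all constructed for this example.

```python
"""Checksum and audit/validate before promotion (added example, not the talk's code)."""
import hashlib
import hmac
import json

# Constructed: key shared by the build step and the promote step only.
MANIFEST_KEY = b"example-ci-manifest-key-not-for-real-use"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts, key=MANIFEST_KEY):
    """Build step: record each artifact's digest and HMAC the manifest body."""
    entries = {name: sha256_hex(data) for name, data in sorted(artifacts.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"artifacts": entries,
            "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(manifest, key=MANIFEST_KEY):
    """True only if the manifest body still matches its HMAC (constant-time compare)."""
    body = json.dumps(manifest["artifacts"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("hmac", ""))


def audit_validate(manifest, artifacts, audit_log, key=MANIFEST_KEY):
    """Return (ok, problems); the outcome is always written to the audit log."""
    problems = []
    if not verify_manifest(manifest, key):
        problems.append("manifest HMAC mismatch")
    expected = manifest["artifacts"]
    # Check both directions: nothing missing, nothing smuggled in, nothing altered.
    for name in sorted(set(expected) | set(artifacts)):
        if name not in artifacts:
            problems.append(f"{name}: listed in manifest but missing")
        elif name not in expected:
            problems.append(f"{name}: present but not in manifest")
        elif sha256_hex(artifacts[name]) != expected[name]:
            problems.append(f"{name}: checksum mismatch")
    ok = not problems
    audit_log.append({"stage": "audit/validate", "ok": ok, "problems": problems})
    return ok, problems


def promote(manifest, artifacts, audit_log, key=MANIFEST_KEY):
    """Promote process: stop everything if audit/validation failed."""
    ok, problems = audit_validate(manifest, artifacts, audit_log, key)
    if not ok:
        audit_log.append({"stage": "promote", "ok": False,
                          "action": "stopped, build report sent to security"})
        return False
    audit_log.append({"stage": "promote", "ok": True, "promoted": sorted(artifacts)})
    return True


# Constructed build output for a stand-alone run.
BUILD_ARTIFACTS = {
    "app.tar.gz": b"application bundle bytes",
    "image.sha": b"sha256:0123456789abcdef",
}

if __name__ == "__main__":
    log = []
    manifest = build_manifest(BUILD_ARTIFACTS)
    print("clean build promoted:", promote(manifest, BUILD_ARTIFACTS, log))
    tampered = dict(BUILD_ARTIFACTS, **{"app.tar.gz": b"something else"})
    print("tampered build promoted:", promote(manifest, tampered, log))
    for entry in log:
        print(entry)
```

The manifest HMAC matters as much as the per-artifact digests: a digest list that anyone on the build node can rewrite protects nothing, so the promote step must trust only a manifest it can authenticate.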
What about my other stuff?
Where
3. Cloud scale Security
   aka all the other stuff people are really talking about
   • Infrastructure as code
   • Runtime security
   • Split ownership
   • Tag based targeting
   • Pre-deploy validation
   • Rip-n-replace
   • Continuous pentesting
   • Elastic security automation
   • API driven
   • Immutable infrastructure
   • Autoscaling groups – hooks
   • Validation and enforcement
   • Execution layer scales with targets
   • Integrate with managed services
   • ...
When
Easy
All the time!
When – Control and Validate
Pre-event - When possible
• Store infrastructure in code repository
• Validate each push (git hooks)
  — Use managed microservices as execution engine
  — Scan cloud infrastructure templates for unwanted/risk valued configurations
  — Validate Container definitions
• Validate system code early on
  — Find unwanted libraries etc.
• Force infrastructure changes through templates
• Block if needed/unsure
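A push-time scan of a cloud infrastructure template for risk-valued configurations, as an added example (not code from the talk, from AWS or from any of the tools listed later). It reads a CloudFormation template in JSON, applies three illustrative checks (world-open security group ingress on anything but 80/443, public S3 bucket ACLs, wildcard IAM allows) and returns findings; a git hook can run it and block the push on any HIGH finding. The sample template, the accepted-port policy and the function names are constructed for this example, and the rule set is deliberately small.

```python
"""Pre-push scan of a CloudFormation template (added example, not the talk's code)."""
import json
import sys

# Constructed sample template with two intentionally risky resources.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "Logs": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
        "DeployPolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "deploy",
                "PolicyDocument": {"Statement": [
                    {"Effect": "Allow", "Action": "s3:PutObject",
                     "Resource": "arn:aws:s3:::example-bucket/*"}]},
            },
        },
    }
})

WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_OK_PORTS = {80, 443}   # policy choice for this example: web ports may face the world


def check_security_group(name, props):
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in WORLD:
            continue
        lo, hi = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
        if 0 <= lo <= hi:
            if not set(range(lo, hi + 1)) - PUBLIC_OK_PORTS:
                continue                      # only accepted web ports are exposed
            span = f"ports {lo}-{hi}"
        else:
            span = "all ports"                # -1 / absent means every port
        yield ("HIGH", name, f"ingress from {cidr} on {span}")


def check_bucket(name, props):
    acl = props.get("AccessControl", "Private")
    if acl.startswith("Public"):
        yield ("HIGH", name, f"bucket ACL {acl}")


def check_policy(name, props):
    for st in props.get("PolicyDocument", {}).get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            yield ("HIGH", name, "Allow * on *")
        elif any(a.endswith(":*") for a in actions):
            yield ("MEDIUM", name, f"service-wide actions {actions}")


CHECKS = {
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::S3::Bucket": check_bucket,
    "AWS::IAM::Policy": check_policy,
    "AWS::IAM::ManagedPolicy": check_policy,
}


def scan_template(text):
    """Return a list of (severity, logical id, detail) findings for a JSON template."""
    template = json.loads(text)
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(logical_id, res.get("Properties", {})))
    return findings


def should_block(findings):
    """Block the push when anything HIGH is present; the hook exits non-zero."""
    return any(sev == "HIGH" for sev, _, _ in findings)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    found = scan_template(text)
    for sev, rid, detail in found:
        print(f"{sev:6} {rid}: {detail}")
    sys.exit(1 if should_block(found) else 0)
```

Wired into a pre-receive or pre-push hook, the non-zero exit is the "block if needed/unsure" step; findings that are not blocked still belong in the build report so they are not silently lost.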
When – Control and Validate
Post-event - Always
• Follow-up on sensitive APIs
  — IAM, Security Groups/Firewall, Encryption keys, Logging, etc.
  — Alert/Inform
• Use source of truth
  — Locked to execution function (Read Only)
• Validate source
  — Human or Machine/CICD
• Decide on remediation
When - Trigger
Trigger:
• Per change
  — API based
  — Event logs
• Per day
• Per framework
  — Overall infrastructure, components and resources
  — One component, multiple frameworks
What
Give me some examples
• Security validation in an elastic infrastructure
  — Implement -> Validate -> Decide
  — Terminate upon failure
• Automatic Incident Response Remediation
  — Auto heal logging
  — Disable offender
  — Integrate host-based and cloud-based
  — Immutable infrastructure - Isolate instance
Example – Auto isolation
• Modify /etc/pam.d/sshd
  — Execute script upon logon:
    session optional pam_exec.so /path/trigger.sh
• Trigger cloud based event as marker
    #!/bin/bash
    # Runs from the pam_exec hook: tag this instance as Tainted with the logon time
    INSTANCE_ID=$(wget -q -O- http://169.254.169.254/latest/meta-data/instance-id)
    # Availability zone minus its last character is the region (e.g. us-east-1a -> us-east-1)
    REGION=$(wget -q -O- http://169.254.169.254/latest/meta-data/placement/availability-zone | sed 's/.\{1\}$//')
    DATE=$(date)
    aws ec2 --region "$REGION" create-tags --resources "$INSTANCE_ID" --tags "Key=Tainted,Value=$DATE"
• Execute cloud function on marker detection
  — Remove from load balancer/scaling groups (will auto-heal)
  — Block in/outgoing traffic using cloud controls
Example – Auto isolation
Don't forget safeguards!
• How many instances can I isolate before...
    if isolated > x:
        wake_human()
• Remember, x could be 0
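The marker-detection side of the auto-isolation example on the two slides above, together with the safeguard, as an added example (not code from the talk or from AWS). The trigger is the CloudTrail record of the ec2:CreateTags call that trigger.sh makes; the function pulls the instance id out of it, removes the instance from the load balancer and scaling group, swaps its security groups for a deny-all quarantine group, and refuses to go further than x automatic isolations without waking a human. The account is modelled by an in-memory fake (FakeCloud) so the logic runs offline; in a real deployment each action would be the corresponding cloud API call. The event record values, the quarantine group id, MAX_AUTO_ISOLATIONS and all function names are constructed for this example.

```python
"""Auto-isolation on a Tainted marker, with a safeguard (added example, not the talk's code)."""
from dataclasses import dataclass, field

# "x" on the slide: how many instances automation may isolate on its own
# before it must wake a human. The slide points out that x could be 0.
MAX_AUTO_ISOLATIONS = 2


@dataclass
class FakeCloud:
    """In-memory stand-in for the account (constructed; not a real API)."""
    lb_members: set
    asg_members: set
    instance_sgs: dict                          # instance id -> security group ids
    quarantine_sg: str = "sg-quarantine-0000"   # constructed deny-all group
    isolated: set = field(default_factory=set)


def sample_create_tags_event(instance_id):
    """Constructed CloudTrail-style record for the ec2:CreateTags call in
    trigger.sh (field names follow CloudTrail; values are invented)."""
    return {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateTags",
        "userIdentity": {"type": "AssumedRole", "userName": "example-instance-role"},
        "requestParameters": {
            "resourcesSet": {"items": [{"resourceId": instance_id}]},
            "tagSet": {"items": [{"key": "Tainted", "value": "Mon Feb 13 09:12:44 UTC 2017"}]},
        },
    }


def tainted_instance_from_event(event):
    """Return the instance id if the record is a CreateTags carrying Key=Tainted."""
    if event.get("eventName") != "CreateTags":
        return None
    params = event.get("requestParameters", {})
    tags = params.get("tagSet", {}).get("items", [])
    if not any(t.get("key") == "Tainted" for t in tags):
        return None
    for item in params.get("resourcesSet", {}).get("items", []):
        rid = item.get("resourceId", "")
        if rid.startswith("i-"):
            return rid
    return None


def isolate(cloud, event, audit_log):
    """Marker detected -> isolate, or wake a human once the threshold is hit.
    Returns what was done so the caller (and the audit trail) can see it."""
    instance = tainted_instance_from_event(event)
    if instance is None:
        return {"status": "ignored", "actions": []}
    if instance in cloud.isolated:
        audit_log.append(f"{instance}: already isolated, no action")
        return {"status": "already-isolated", "actions": []}
    # Safeguard: past x isolations stop automating and page a person.
    if len(cloud.isolated) >= MAX_AUTO_ISOLATIONS:
        audit_log.append(f"{instance}: isolation threshold reached, waking human")
        return {"status": "human-required", "actions": ["wake_human"]}
    actions = []
    # Pull it out of the load balancer and scaling group first; the fleet
    # auto-heals and the instance stays up, untouched, for forensics.
    if instance in cloud.lb_members:
        cloud.lb_members.discard(instance)
        actions.append("deregister_from_lb")
    if instance in cloud.asg_members:
        cloud.asg_members.discard(instance)
        actions.append("detach_from_asg")
    # Block in/outgoing traffic with a cloud control: swap to the deny-all group.
    cloud.instance_sgs[instance] = [cloud.quarantine_sg]
    actions.append("apply_quarantine_sg")
    cloud.isolated.add(instance)
    audit_log.append(f"{instance}: isolated ({', '.join(actions)})")
    return {"status": "isolated", "actions": actions}


if __name__ == "__main__":
    fleet = {"i-0aaa", "i-0bbb", "i-0ccc"}
    cloud = FakeCloud(lb_members=set(fleet), asg_members=set(fleet),
                      instance_sgs={i: ["sg-app"] for i in fleet})
    log = []
    for i in sorted(fleet):
        print(i, isolate(cloud, sample_create_tags_event(i), log))
    print("\n".join(log))
```

The threshold counts instances already isolated rather than events seen, so a burst of markers from one instance does not eat the budget, while a burst across the fleet (which is exactly when a runaway script or a mass compromise looks alike) stops at x and hands over to a person.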
Example logging
• Detect
  — Cloud logging disabled
• Priority
  — Enable logging
• Forensics
  — Has this happened before?
• Countermeasures
    if num_disabled > x:  # x could be zero based on type and user
        disable_user()
  — Alert!
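The logging example above carried through the whole sequence (detect, priority, forensics, countermeasures, alert), and the "validate source: human or machine/CICD" point from the post-event slide, as an added example (not code from the talk or from AWS). A CloudTrail StopLogging record is the detection; if the caller is the CI/CD role (the source of truth for intended changes) the event is only logged, otherwise logging is re-enabled first, the actor's history is consulted, a repeat offender is disabled, and an alert is raised. The account is an in-memory fake so the code runs offline; the role ARN, threshold, event records and function names are constructed for this example.

```python
"""Auto-heal logging with source validation and countermeasures (added example, not the talk's code)."""
from collections import Counter
from dataclasses import dataclass, field

# Source of truth: the only principal expected to change logging on purpose (constructed ARN).
CICD_ROLE_ARN = "arn:aws:iam::123456789012:role/example-cicd-deploy"
# "x" on the slide: how many times a user may do this before being disabled (0 = first offence).
MAX_DISABLES_PER_USER = 1


@dataclass
class FakeCloud:
    """In-memory stand-in for the account (constructed; not a real API)."""
    trails: dict                                   # trail name -> logging enabled?
    disabled_users: set = field(default_factory=set)
    alerts: list = field(default_factory=list)


def new_history():
    """Per-actor count of earlier StopLogging calls (the forensics store)."""
    return Counter()


def sample_stop_logging_event(trail, actor_arn):
    """Constructed CloudTrail-style StopLogging record (field names as in
    CloudTrail, values invented)."""
    return {"eventSource": "cloudtrail.amazonaws.com",
            "eventName": "StopLogging",
            "userIdentity": {"type": "AssumedRole", "arn": actor_arn},
            "requestParameters": {"name": trail}}


def remediate_logging(cloud, event, history, audit_log):
    """Detect -> validate source -> priority action -> forensics -> countermeasures -> alert -> log."""
    if event.get("eventName") != "StopLogging":
        return {"status": "ignored"}
    trail = event["requestParameters"]["name"]
    actor = event["userIdentity"].get("arn", "unknown")
    # Validate source: a change made by the CI/CD role is expected, so inform only.
    if actor == CICD_ROLE_ARN:
        audit_log.append(f"{trail}: StopLogging by CI/CD role, informational")
        return {"status": "expected", "actor": actor}
    # Priority: get logging back before anything else.
    cloud.trails[trail] = True
    # Forensics: has this actor done this before?
    history[actor] += 1
    repeat = history[actor] > MAX_DISABLES_PER_USER
    result = {"status": "remediated", "actor": actor, "re_enabled": trail, "countermeasures": []}
    # Countermeasures: a repeat offender loses the ability to act at all.
    if repeat:
        cloud.disabled_users.add(actor)
        result["countermeasures"].append("disable_user")
    # Alert and log every time, whether or not a countermeasure fired.
    cloud.alerts.append(f"StopLogging on {trail} by {actor} (occurrence {history[actor]})")
    audit_log.append(f"{trail}: re-enabled after StopLogging by {actor}; repeat={repeat}")
    return result


if __name__ == "__main__":
    cloud = FakeCloud(trails={"main-trail": True})
    history, log = new_history(), []
    alice = "arn:aws:iam::123456789012:user/alice"   # constructed
    for _ in range(2):
        cloud.trails["main-trail"] = False
        print(remediate_logging(cloud, sample_stop_logging_event("main-trail", alice), history, log))
    print(remediate_logging(cloud, sample_stop_logging_event("main-trail", CICD_ROLE_ARN), history, log))
    print("disabled:", cloud.disabled_users)
    print("\n".join(log))
```

Re-enabling before counting is deliberate: the one action whose failure would blind every later step runs first, and the execution role for this function needs only the permissions those steps use (start logging, disable a user), nothing broader.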
Cool... so I just fix things??
Well... yes... but...
Risks
• Failure is always an option, now at script speed
• We forgot to tell you...
  — No proper alerting, logging or follow-up on automated events
• You got scripts... they got scripts
• How do you minimize risk of failed remediation functions?
Implement remediation framework
The anatomy of remediation
Know:
• Continuous / Event based
• Execution constraints
• Will action risk breaking something
• Will change affect cost
• Is there a source of truth
Execute:
• Priority
• Action
• Forensic
• Countermeasures
• Alerts
• Log
At the end of the rainbow...
What are we trying to accomplish?
Goals
• Minimize relying on humans
  — Automation doesn't sleep, eat or need coffee in the morning
• Prevent bad configurations before they are implemented
• Auto correct/remediate violations where possible
• Daily/instant benchmark validation of infrastructure
  — Validate against industry frameworks
  — Extend to remediation
Your next step
• Look through your infrastructure security runbook
  — What can you automate?
  — How can you validate?
• Example: OSS validation for CIS AWS Foundation Framework
  https://github.com/awslabs/aws-security-benchmark
OSS Code to learn from
• git-secrets - Prevents you from committing passwords and other sensitive information to a git repository.
• aws-security-benchmark - Benchmark scripts mapped against trusted security frameworks.
• aws-config-rules - [Node, Python, Java] Repository of sample Custom Rules for AWS Config.
• Netflix/security_monkey - Monitors policy changes and alerts on insecure configurations in an AWS account.
• Netflix/edda - Edda is a service to track changes in your cloud deployments.
• ThreatResponse - Open Source Security Suite for hardening and responding in AWS.
• CloudSploit – Capturing things like open security groups, misconfigured VPCs and more.
• Stelligent/Cfn_nag – Looks for patterns in CloudFormation templates that may indicate insecure infrastructure.
• Capitalone/cloud-custodian - Rules engine for AWS fleet management.
Remember
It's actually not who, when, where or what...
It's just how