Continuous Security on AWS
Transcript of Continuous Security on AWS
Continuous Security on AWS
Chuck Dudley, VP of Services, Stelligent
www.stelligent.com
Housekeeping
• This webinar is being recorded and an on-demand version will be available at the same URL at the conclusion of the webinar
• Please submit questions via the button on the bottom left of the viewer
• If we don’t get to your question during the webinar, we will follow up with you via email
• Download PowerPoint slides via the “Attachments” button below the viewing panel
• On Twitter [@HOSTINGdotcom] [@Stelligent] or LinkedIn [HOSTING] [Stelligent] . . . Be sure to follow for news, resources and announcements for future webinars!
Continuous Security
Continuous Security is the application of security in the development process through the practice of Continuous Delivery.
With DevOps comes the opportunity to treat our infrastructure as code and apply the principles of Continuous Delivery to it in concert with our application code.
The principles of continuous security are the same as those of continuous delivery...
Continuous Security Principles
• The process for releasing/deploying software and applying security MUST be repeatable and reliable.
• Automate everything, including security!
• If something in security is difficult or painful, do it more often (and it always is).
• Keep everything in source control, including your security posture and tests.
• Done means released and secured.
• Build quality and security in.
• Everybody has responsibility for the security of the release process.
• Improve security continuously.
What is DevOps?
(diagram labels: Development + Operations; Development Through Operations; QA; Security)
What is Continuous Delivery?
Continuous Delivery is a software development discipline where you build software (and its supporting infrastructure) in such a way that the software can be released to production at any time.
Continuous Delivery Pipeline
• A secure, automated transport mechanism
• Moves resources from point A to point B
The Stelligent Pipeline
Pipeline stages: Commit, Acceptance, Capacity, Pre-Prod, Production
The Commit Stage
Pipeline stages: Commit, Acceptance, Capacity, Pre-Prod, Production
GOAL:
Fast feedback for developers
PIPELINE ACTIONS:
1. Unit Tests
2. Static Code Analysis
SECURITY TESTS:
1. Security static analysis of application code
2. Security static analysis of infrastructure code
Security Static Analysis of CloudFormation
• Security static analysis builds a model of templates in order to verify compliance with best practices and organizational standards.
• This can be a powerful tool to stop bad things before they happen.
• A security organization can define their policy in code and have all development efforts unambiguously verify against that standard without manual intervention.
Static Analysis of CloudFormation with cfn-nag
• The cfn-nag tool inspects the JSON of a CloudFormation template before convergence to find patterns that may indicate:
• Overly permissive IAM policies
• Overly permissive security groups
• Disabled access logs
• Disabled server-side encryption
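As an added example (not part of the webinar and not cfn-nag's own code), the following Python script shows the shape of such a check: it loads a CloudFormation JSON template and reports the four pattern families listed above. The resource types and property names (AWS::IAM::Role Policies, AWS::EC2::SecurityGroup SecurityGroupIngress, AWS::S3::Bucket LoggingConfiguration and BucketEncryption) are the real CloudFormation ones; the sample template, the rule ids and the finding format are constructed for this illustration, and the BucketEncryption check assumes the template targets a CloudFormation version that supports that property.

```python
"""Toy static analyser for CloudFormation JSON templates (added example, not cfn-nag).

Each check receives a resource's logical id and its Properties block and yields
findings; the template is only ever parsed, never deployed."""
import json

# Constructed sample template (not from the webinar): one resource per pattern family.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AdminRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow",
                    "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]},
                "Policies": [{"PolicyName": "admin", "PolicyDocument": {"Statement": [
                    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}],
            },
        },
        "WebSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "web tier",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    },
})

WORLD = {"0.0.0.0/0", "::/0"}  # CIDRs that mean "any address on the internet"


def _as_list(value):
    """CloudFormation allows a scalar or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _wildcard(field):
    return any(v == "*" for v in _as_list(field))


def check_iam(logical_id, props):
    """Flag Allow statements that pair Action:* with Resource:* (inline and standalone policies)."""
    docs = [p.get("PolicyDocument", {}) for p in props.get("Policies", [])]
    if "PolicyDocument" in props:  # AWS::IAM::Policy / AWS::IAM::ManagedPolicy
        docs.append(props["PolicyDocument"])
    for doc in docs:
        for st in _as_list(doc.get("Statement", [])):
            if (st.get("Effect") == "Allow" and _wildcard(st.get("Action", []))
                    and _wildcard(st.get("Resource", []))):
                yield {"id": logical_id, "rule": "iam-wildcard",
                       "msg": "Allow on Action:* with Resource:*"}


def check_security_group(logical_id, props):
    """Flag ingress rules reachable from the whole internet; all-protocol rules are the worst case."""
    rules = props.get("SecurityGroupIngress", [])
    if "CidrIp" in props or "CidrIpv6" in props:  # standalone AWS::EC2::SecurityGroupIngress
        rules = [props]
    for r in rules:
        if r.get("CidrIp") in WORLD or r.get("CidrIpv6") in WORLD:
            if str(r.get("IpProtocol")) == "-1":
                detail = "on all protocols and ports"
            else:
                detail = f"on ports {r.get('FromPort')}-{r.get('ToPort')}"
            yield {"id": logical_id, "rule": "sg-world-open", "msg": f"ingress from anywhere {detail}"}


def check_s3(logical_id, props):
    """Flag buckets with no access logging and no server-side encryption block."""
    if "LoggingConfiguration" not in props:
        yield {"id": logical_id, "rule": "s3-no-access-logs", "msg": "bucket has no LoggingConfiguration"}
    if "BucketEncryption" not in props:
        yield {"id": logical_id, "rule": "s3-no-sse", "msg": "bucket has no BucketEncryption (SSE) block"}


CHECKS = {
    "AWS::IAM::Role": check_iam, "AWS::IAM::User": check_iam, "AWS::IAM::Group": check_iam,
    "AWS::IAM::Policy": check_iam, "AWS::IAM::ManagedPolicy": check_iam,
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::EC2::SecurityGroupIngress": check_security_group,
    "AWS::S3::Bucket": check_s3,
}


def analyze(template_text):
    """Parse a JSON template and return the list of findings, in resource order."""
    template = json.loads(template_text)
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(logical_id, res.get("Properties", {})))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_TEMPLATE):
        print(f"{f['id']:12} {f['rule']:18} {f['msg']}")
```

A pipeline would run this in the Commit stage and fail the build on any finding, which is the "stop bad things before they happen" property of the previous slide: the template is rejected before any resource exists.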
The Acceptance Stage
Pipeline stages: Commit, Acceptance, Capacity, Pre-Prod, Production
GOAL:
Comprehensive testing of the application and its infrastructure
PIPELINE ACTIONS:
1. Integration Tests
2. Acceptance Tests
SECURITY TESTS:
1. Infrastructure Analysis
Testing Infrastructure Changes
Problems to solve:
• Prevent infrastructure changes that violate company security policies.
• Need the ability to codify security rules and get notifications when violations occur.
• Ability to execute on-demand compliance testing.
config-rule-status
ConfigRuleStatus is an open source tool that enables continuous monitoring and on-demand testing of security compliance for infrastructure through the AWS Config service.
How does it solve the problem?
Sets up AWS Config for resource monitoring.
Creates Config Rules and Lambda functions to evaluate security compliance.
Creates a Tester Lambda function that returns aggregated compliance status.
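To make the "Config Rules and Lambda functions" concrete, here is an added Python example (not the config-rule-status project's own code) of a change-triggered custom AWS Config rule that evaluates a security group, together with a tester-style function that rolls the per-rule compliance list up into one answer. The event fields (invokingEvent, ruleParameters, resultToken, configurationItem), the put_evaluations call and the ComplianceByConfigRules shape are the real AWS Config ones; the allowedPorts parameter, the sample event, the PASS/FAIL roll-up format and the assumption that ipRanges may be reported either as strings or as {"cidrIp": ...} objects are this example's own.

```python
"""Custom AWS Config rule for security groups plus a compliance roll-up (added example).

The evaluation is a pure function so it can be unit-tested in the pipeline;
the Lambda entry point only adds event parsing and the put_evaluations call."""
import json

WORLD = {"0.0.0.0/0", "::/0"}


def _cidrs(permission):
    """Collect IPv4/IPv6 ranges from one ipPermissions entry of a security-group item.
    Assumption: ranges may appear as plain strings or as {'cidrIp'/'cidrIpv6': ...} objects."""
    ranges = []
    for entry in list(permission.get("ipRanges", [])) + list(permission.get("ipv4Ranges", [])):
        ranges.append(entry if isinstance(entry, str) else entry.get("cidrIp"))
    for entry in permission.get("ipv6Ranges", []):
        ranges.append(entry if isinstance(entry, str) else entry.get("cidrIpv6"))
    return ranges


def evaluate_security_group(ci, allowed_ports=frozenset()):
    """Return (ComplianceType, annotation) for one configuration item.
    NON_COMPLIANT if any internet-open ingress rule reaches a port outside allowed_ports."""
    if ci.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    for perm in (ci.get("configuration") or {}).get("ipPermissions", []):
        if not any(c in WORLD for c in _cidrs(perm)):
            continue
        if str(perm.get("ipProtocol")) == "-1":
            return "NON_COMPLIANT", "all protocols open to the internet"
        exposed = set(range(perm.get("fromPort", 0), perm.get("toPort", 65535) + 1))
        if not exposed <= set(allowed_ports):
            return "NON_COMPLIANT", f"ports {min(exposed)}-{max(exposed)} open to the internet"
    return "COMPLIANT", "no unexpected internet-facing ingress"


def lambda_handler(event, context=None, config_client=None):
    """Entry point for a change-triggered custom Config rule.
    Reports through put_evaluations when a boto3 'config' client is supplied
    (injected so the function also runs offline); returns the evaluation either way."""
    invoking = json.loads(event["invokingEvent"])
    ci = invoking.get("configurationItem")
    if ci is None:  # scheduled / oversized notifications are out of scope for this example
        return None
    params = json.loads(event.get("ruleParameters") or "{}")
    allowed = {int(p) for p in params.get("allowedPorts", "").split(",") if p.strip()}
    compliance, note = evaluate_security_group(ci, allowed)
    evaluation = {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def aggregate_status(compliance_by_rules):
    """Tester-style roll-up over the ComplianceByConfigRules list that
    describe_compliance_by_config_rule returns: PASS only when no rule is NON_COMPLIANT."""
    failing = [r["ConfigRuleName"] for r in compliance_by_rules
               if r.get("Compliance", {}).get("ComplianceType") == "NON_COMPLIANT"]
    return {"status": "FAIL" if failing else "PASS", "failing_rules": failing}


# Constructed sample event: SSH open to the world while only 443 is allowed.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemCaptureTime": "2016-06-01T12:00:00.000Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}]},
        },
    }),
    "ruleParameters": json.dumps({"allowedPorts": "443"}),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```

Because the rule is triggered by configuration changes, the same function that gates the Acceptance stage keeps running after deployment, so a console edit that opens a port out of band produces a NON_COMPLIANT evaluation rather than going unnoticed.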
The Capacity Stage
Pipeline stages: Commit, Acceptance, Capacity, Pre-Prod, Production
GOAL:
Test the system under real world conditions
PIPELINE ACTIONS:
1. Performance Tests
2. Load Tests
SECURITY TESTS:
1. Penetration Testing
2. Vulnerability Scanning
Penetration Testing
• View of system security posture from the outside.
• Typical tools like OWASP ZAP, Nessus, Metasploit.
• Automated pen testing from within the VPC is OK.
• Automated pen testing from outside the VPC requires approval process.
The Production Stage
Pipeline stages: Commit, Acceptance, Capacity, Pre-Prod, Production
GOAL:
Go / no-go decision for blue/green deployment
PIPELINE ACTIONS:
1. Build Pre-Prod Stack
2. Data Migration
3. Blue/green Deployment
SECURITY ACTIONS:
1. Prevent out-of-band changes
2. Security metrics for feedback loops
Prevent Out-of-band Changes
• Config Rules continues to apply the same rules to the monitoring of environment changes as during the pipeline process.
• This catches out-of-band manual changes that might degrade security posture.
• Important that your testing/validation criteria become the lynchpin of your operational monitoring.
Key Takeaways
• Infrastructure IS code… treat it as such. Applying modern development techniques such as TDD and Continuous Delivery yields immense value.
• Infrastructure is part of the solution in application development now. Its development should be integrated into the application development process, treating the solution as an integrated entity.
Key Takeaways
• From within the development team, CD reduces cycle time for releases and improves confidence in released code (including infrastructure code).
• From outside, it allows security/governance/compliance to inject best practices as automated gates in the delivery process without introducing delays for review and approval.
• This allows for control at scale without grinding to a halt.
For more information on how Stelligent can help you with AWS Automation, go to www.stelligent.com
Q&A