Continuous Security on AWS


Transcript of Continuous Security on AWS

Page 1: Continuous Security on AWS

Continuous Security on AWS

Chuck Dudley, VP of Services, Stelligent

Page 2: Continuous Security on AWS

www.stelligent.com

Housekeeping

• This webinar is being recorded and an on-demand version will be available at the same URL at the conclusion of the webinar

• Please submit questions via the button on the bottom left of the viewer

• If we don’t get to your question during the webinar, we will follow up with you via email

• Download PowerPoint slides via the “Attachments” button below the viewing panel

• On Twitter [@HOSTINGdotcom] [@Stelligent] or LinkedIn [HOSTING] [Stelligent] . . . Be sure to follow for news, resources and announcements for future webinars!

Page 3: Continuous Security on AWS


Continuous Security

Continuous Security is the application of security in the development process through the practice of Continuous Delivery.

With DevOps comes the opportunity to treat our infrastructure as code and apply the principles of Continuous Delivery to it in concert with our application code.

The principles of continuous security are the same as those of continuous delivery...

Page 4: Continuous Security on AWS


Continuous Security Principles

• The process for releasing/deploying software applying security MUST be repeatable and reliable.

• Automate everything, including security!

• If something in security is difficult or painful, do it more often (and it always is).

• Keep everything in source control, including your security posture and tests.

• Done means released secured.

• Build quality security in.

• Everybody has responsibility for the release process security.

• Improve security continuously.

Page 5: Continuous Security on AWS


What is DevOps?

(Slide diagram: Development + Operations; Development through Operations, spanning QA and Security)

Page 6: Continuous Security on AWS


What is Continuous Delivery?

Continuous Delivery is a software development discipline where you build software (and its supporting infrastructure) in such a way that the software can be released to production at any time.

Page 7: Continuous Security on AWS


Continuous Delivery Pipeline

• A secure, automated transport mechanism

• Moves resources from point A to point B

Page 8: Continuous Security on AWS


The Stelligent Pipeline

Stages: Commit → Acceptance → Capacity → Pre-Prod → Production

Page 9: Continuous Security on AWS


The Commit Stage

GOAL:

Fast feedback for developers

PIPELINE ACTIONS:

1. Unit Tests
2. Static Code Analysis

Page 10: Continuous Security on AWS


The Commit Stage

GOAL:

Fast feedback for developers

PIPELINE ACTIONS:

1. Unit Tests
2. Static Code Analysis

SECURITY TESTS:

1. Security static analysis of application code

Page 11: Continuous Security on AWS


The Commit Stage

GOAL:

Fast feedback for developers

PIPELINE ACTIONS:

1. Unit Tests
2. Static Code Analysis

SECURITY TESTS:

1. Security static analysis of application code
2. Security static analysis of infrastructure code

Page 12: Continuous Security on AWS


Security Static Analysis of CloudFormation

• Security static analysis builds a model of templates in order to verify compliance with best practices and organizational standards.

• This can be a powerful tool to stop bad things before they happen.

• A security organization can define their policy in code and have all development efforts unambiguously verify against that standard without manual intervention.

Page 13: Continuous Security on AWS


Static Analysis of CloudFormation with cfn-nag

• The cfn-nag tool inspects the JSON of a CloudFormation template before convergence to find patterns that may indicate:

• Overly permissive IAM policies
• Overly permissive security groups
• Disabled access logs
• Disabled server-side encryption
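The kind of pre-convergence check the two slides above describe, as an added example written in the spirit of cfn-nag (it is not cfn-nag's own code, and the W1-W4 rule ids are this example's labels for the slide's four categories, not cfn-nag's numbering). It walks the Resources of a template and returns findings a commit-stage gate can fail on; the sample template is constructed here with one violation of each kind.

```python
"""Security static analysis of a CloudFormation template (commit stage).
Added example in the spirit of cfn-nag, not cfn-nag's own code; the W1-W4
ids are this example's labels for the slide's four categories."""

def _as_list(value):
    # CloudFormation accepts a scalar or a list for Action, Resource and Statement.
    return value if isinstance(value, list) else [value]

def check_template(template):
    """Return findings as (rule_id, logical_resource_id, message) tuples."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                    findings.append(("W1", name, "ingress open to the world on port %s"
                                     % rule.get("FromPort")))
        elif rtype in ("AWS::IAM::Policy", "AWS::IAM::Role", "AWS::IAM::User"):
            docs = [props["PolicyDocument"]] if "PolicyDocument" in props else []
            docs += [p["PolicyDocument"] for p in props.get("Policies", [])]
            for doc in docs:
                for st in _as_list(doc.get("Statement", [])):
                    if st.get("Effect") == "Allow" and (
                            "*" in _as_list(st.get("Action", []))
                            or "*" in _as_list(st.get("Resource", []))):
                        findings.append(("W2", name, "Allow with wildcard Action or Resource"))
        elif rtype == "AWS::S3::Bucket":
            if "LoggingConfiguration" not in props:
                findings.append(("W3", name, "bucket access logging not configured"))
            if "BucketEncryption" not in props:
                findings.append(("W4", name, "bucket server-side encryption not configured"))
    return findings

def gate_passes(template):
    """Commit-stage gate: True only when the template produces no findings."""
    return not check_template(template)

# Constructed sample template with one violation of each category.
SAMPLE_TEMPLATE = {"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier", "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "AdminRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": []},
        "Policies": [{"PolicyName": "admin", "PolicyDocument": {
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
    "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {}}}}
```

Running `check_template(SAMPLE_TEMPLATE)` returns four findings, one per resource pattern, so `gate_passes` is False and the pipeline stops before the stack ever converges.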

Page 14: Continuous Security on AWS


The Acceptance Stage

GOAL:

Comprehensive testing of the application and its infrastructure

PIPELINE ACTIONS:

1. Integration Tests
2. Acceptance Tests

Page 15: Continuous Security on AWS


The Acceptance Stage

GOAL:

Comprehensive testing of the application and its infrastructure

PIPELINE ACTIONS:

1. Integration Tests
2. Acceptance Tests

SECURITY TESTS:

1. Infrastructure Analysis

Page 16: Continuous Security on AWS


Testing Infrastructure Changes

Problems to solve:

• Prevent infrastructure changes that violate company security policies.

• Need the ability to codify security rules and get notifications when violations occur.

• Ability to execute on-demand compliance testing.

Page 17: Continuous Security on AWS


config-rule-status

ConfigRuleStatus is an open source tool that enables continuous monitoring and on-demand testing of security compliance for infrastructure through the AWS Config service.

How does it solve the problem?

Sets up AWS Config for resource monitoring.

Creates Config Rules and Lambda functions to evaluate security compliance.

Creates a Tester Lambda function that returns aggregated compliance status.

Page 18: Continuous Security on AWS


The Capacity Stage

GOAL:

Test the system under real world conditions

PIPELINE ACTIONS:

1. Performance Tests
2. Load Tests

Page 19: Continuous Security on AWS


The Capacity Stage

GOAL:

Test the system under real world conditions

PIPELINE ACTIONS:

1. Performance Tests
2. Load Tests

SECURITY TESTS:

1. Penetration Testing
2. Vulnerability Scanning

Page 20: Continuous Security on AWS


Penetration Testing

• View of system security posture from the outside.

• Typical tools like OWASP ZAP, Nessus, Metasploit.

• Automated pen testing from within the VPC is OK.

• Automated pen testing from outside the VPC requires approval process.

Page 21: Continuous Security on AWS


The Production Stage

GOAL:

Go / no-go decision for blue/green deployment

PIPELINE ACTIONS:

1. Build Pre-Prod Stack
2. Data Migration
3. Blue/green Deployment

Page 22: Continuous Security on AWS


The Production Stage

GOAL:

Go / no-go decision for blue/green deployment

PIPELINE ACTIONS:

1. Build Pre-Prod Stack
2. Data Migration
3. Blue/green Deployment

SECURITY ACTIONS:

1. Prevent out-of-band changes
2. Security metrics for feedback loops

Page 23: Continuous Security on AWS


Prevent Out-of-band Changes

• Config Rules continue to apply the same rules when monitoring environment changes as they did during the pipeline process.

• This catches out-of-band manual changes that might degrade security posture.

• It is important that your testing/validation criteria become the lynchpin of your operational monitoring.
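The Config Rule and Tester Lambda pattern from the config-rule-status slide (Page 17), and the point above that the same rules keep running against production changes, as one added example. It is modelled on the idea described there, not that project's code; it assumes the standard AWS Config custom-rule event shape (invokingEvent is a JSON string carrying a configurationItem) and the Evaluation dict that config.put_evaluations accepts, and the two Config events are constructed here. The same evaluator answers an on-demand pipeline query and a change-triggered evaluation of a manual security-group edit.

```python
"""AWS Config custom rule evaluator plus a "tester" aggregator.
Added example modelled on the config-rule-status idea above, not that project's
code. Assumes the standard custom-rule event (invokingEvent is a JSON string
holding a configurationItem). A deployed version would pass the returned dict
to boto3 config.put_evaluations; that call is omitted so this runs offline."""
import json

WORLD = ("0.0.0.0/0", "::/0")

def evaluate_security_group(cfg):
    """NON_COMPLIANT when any ingress rule is reachable from the whole internet."""
    for perm in cfg.get("ipPermissions", []):
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
        if any(c in WORLD for c in cidrs):
            return "NON_COMPLIANT", "ingress from anywhere on port %s" % perm.get("fromPort")
    return "COMPLIANT", "no world-open ingress"

def lambda_handler(event, context):
    """Config rule entry point: evaluate the one configuration item in the event."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] == "AWS::EC2::SecurityGroup":
        status, note = evaluate_security_group(item.get("configuration", {}))
    else:
        status, note = "NOT_APPLICABLE", "rule only covers security groups"
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": status, "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def aggregate_status(evaluations):
    """Tester Lambda logic: roll many evaluations up into one go/no-go answer."""
    failing = [e["ComplianceResourceId"] for e in evaluations
               if e["ComplianceType"] == "NON_COMPLIANT"]
    return {"status": "NON_COMPLIANT" if failing else "COMPLIANT",
            "non_compliant": failing, "evaluated": len(evaluations)}

def make_event(resource_id, ip_permissions):
    """Build a constructed Config event for a security group (sample data only)."""
    item = {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": resource_id,
            "configurationItemCaptureTime": "2016-01-01T00:00:00.000Z",
            "configuration": {"ipPermissions": ip_permissions}}
    return {"invokingEvent": json.dumps({"configurationItem": item})}

# Constructed samples: SSH opened to the world by hand vs HTTPS from an internal range only.
OPEN_SSH_EVENT = make_event("sg-open-ssh", [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                             "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}])
INTERNAL_HTTPS_EVENT = make_event("sg-internal", [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                                                   "ipRanges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []}])
```

Feeding both sample events through `lambda_handler` and then `aggregate_status` yields an overall NON_COMPLIANT with `sg-open-ssh` listed, which is the signal a pipeline gate or an operational alert acts on.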

Page 24: Continuous Security on AWS


Key Takeaways

• Infrastructure IS code… treat it as such. Applying modern development techniques such as TDD and Continuous Delivery yields immense value.

• Infrastructure is part of the solution in application development now. Its development should be integrated into the application development process, treating the solution as an integrated entity.

Page 25: Continuous Security on AWS


Key Takeaways

• From within the development team, CD reduces cycle time for releases and improves confidence in released code (including infrastructure code).

• From outside, it allows security/governance/compliance to inject best practices as automated gates in the delivery process without introducing delays for review and approval.

• This allows for control at scale without grinding to a halt.

Page 26: Continuous Security on AWS

For more information on how Stelligent can help you with AWS Automation, go to www.stelligent.com

Q&A