"DevOps practices help push applications faster into production through better collaboration and automated testing. During that process, security is often seen as an inhibitor to speed. The challenge for many organizations is delivering applications at a fast pace while embedding security at the speed of DevOps. In this session, learn how products and customers in the AWS Marketplace help make DevSecOps a well-orchestrated methodology for ensuring the speed, stability, and security of your applications.

1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Ensure the integrity of your code for
fast and secure deployments
Benjamin Andrew
Global Head, Cloud Security & Infrastructure
AWS Marketplace
S D D 3 1 9

2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Quick
Get the software you need in minutes
with just a few clicks or use the 1-Click
deployment option.
Software in AWS Marketplace is ready-
to-run on AWS.
Pay-as-you-go
Pay only for what you use through
various payment options and receive
discounts on longer or custom terms.
All charges from AWS Marketplace are
consolidated into one bill from AWS.
Verified
All software in AWS Marketplace is
continuously scanned to ensure
reliability.
AWS Marketplace
A curateddigitalsoftwarecatalogthathelps
you find,buy,test,anddeploysoftware

3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
A growing digital software catalog
• AWS Marketplace offers 39 software categories
• More than 4,800 software listings
• More than 1,400 ISVs (Independent Software Vendors)
• More than 230,000 active customers
• More than 1 million current subscriptions
• AWS customers use over 650 million hours a month of Amazon
EC2 for AWS Marketplace products
• AWS Marketplace is available in 18 AWS regions
• Flexible consumption and contract models
• Easy and secure deployment, almost instantly
• One consolidated bill
• Always evolving

4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Operating
systems SIEMStorage BIDatabase DevOpsNetworking
Eight popular categories most often provisioned
Security

5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security in the cloud
Identify
Security fundamentally anchors
on having sufficient knowledge
of your world
Protect
The best defense is an offense
but …
Detect
One must “assume breach”
and have a strong defense
Knowing and being able to act
swiftly is key in the cloud
Respond/Recover

6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Speed! Collaboration! Automation!
Waterfall
Agile
DevOps

7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
7
Why DevSecOps?
Business imperatives
Competing forces
Development
Build it faster
Operations
Keep it stable
Security
Make it secure
D e v O p s
Build Test Distribute
Monitor
Developers Users
D e v S e c O p s
Build Test Distribute
Monitor
Developers Users
Security

8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security and compliance of the code in the pipeline
Precommit Commit Acceptance Deploy
 Continuous compliance →
Threat modeling
Initial SAST inside IDE
Code review
“Break the build“
Compile/build checks
SCA
Container security
Additional SAST
Unit test
Secure infra build
Functional testing
SCA DAST
Unit testing
Security attacks
Deep SAST
Fuzzing, pen tests
Provision runtime
environment
Config management
RASP
Security
Compliance
CI/CD

9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security and compliance of the code in the pipeline
Precommit
Threat modeling
Initial SAST inside IDE
Code review
Security
Compliance
CI/CD

10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Static Analysis Security Testing (SAST) in IDE
What it is: Automatically analyzes code for
security early without slowing down
development
Why it’s important: Introduces code
analysis as ‘far left’ as possible
Why it’s critical to security: Catches
vulnerabilities at the first point they can
enter the application pipeline to reduce
significant impacts

11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Vendor highlight: Veracode Greenlight

12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security and compliance of the code IN the pipeline
Commit
“Break the build“
Compile/build checks
SCA
Container security
Unit test
Security
Compliance
CI/CD Precommit Commit Acceptance Deploy

13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Software Composition Analysis (SCA)
What it is: Vulnerability scanning tool for
open source
Why it’s important: Most static analysis
tools aren’t relevant for open source
Why it’s critical to security: Reduces the
threat of vulnerabilities from dependencies
on open-source components

14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Vendor highlight: WhiteSource

15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
WhiteSource SaaS in AWS Marketplace

16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Container Vulnerability Analysis (CVA)
What it is: Vulnerability scanning tools that
specifically target containers
Why it’s important: Security needs to be
tailored to containerized applications
Why it’s critical to security: A vulnerability in
one container can spread to others without
isolation between containers

17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Vendor highlight: Aqua

18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Aqua SaaS in AWS Marketplace

19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security and compliance of the code in the pipeline
Acceptance
Secure infra build
Functional testing
SCA DAST
Unit testing
Security attacks
Deep SAST
Fuzzing, pen tests
Security
Compliance
CI/CD Precommit Commit Acceptance Deploy

20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Dynamic Analysis Security Testing (DAST)
What it is: Tests web applications for exposed
HTTP and HTML interfaces while they are
running
Why it’s important: Dynamic, for running
applications, vulnerability scanning in testing,
staging, and production
Why it’s critical to security: Looks for a broad
range of vulnerabilities, such as input/output
validation issues leading to cross-site scripting
(XSS) or SQL injection

21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Vendor highlight: Qualys Web Application Scanner

22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Qualys WAS SaaS in AWS Marketplace

23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security and compliance of the code in the pipeline
Provision runtime
environment
Config management
RASP
Security
Compliance
CI/CD
Precommit Commit Acceptance Deploy

24. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Runtime Application Self-Protection (RASP)
What it is: Controls execution and prevents
real-time attacks in application runtime
environment
Why it’s important: Targets application code
security at runtime (powerful addition to a
WAF)
Why it’s critical to security: Protects against
OWASP top runtime threats. Can capture zero-
day vulnerabilities

25. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Vendor highlight: Prevoty

26. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Prevoty AMI in AWS Marketplace

27. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security and compliance of the code in the pipeline
 Continuous compliance →
Security
Compliance
CI/CD Precommit Commit Acceptance Deploy

28. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Continuous compliance
What it is: Automate the compliance of your
*infrastructure* code
Why it’s important: Ensure regulatory
compliance
Why it’s critical to security: Secure application
code can run on compliant/
safe infrastructure

29. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Vendor highlight: Dome9

30. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Dome9 in AWS Marketplace

31. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Making DevOps Sec-sy

32. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Customize the way you provision software
Find
Machine learning
Containers
Networking
Security
Storage
DevOps
Database
Operating systems
BI and Big Data
From a breadth
of categories:
Buy
Free trial
Pay-as-you-go
Hourly
Monthly
Annual and multi-year
Bring your own license (BYOL)
Seller private offers
Through flexible
pricing options:
Deploy
Amazon Elastic Container Service (Amazon
ECS)
Amazon Elastic Container Service for
Kubernetes (Amazon EKS)
Amazon Machine Image (AMI)
Application Program Interface (API)
Amazon SageMaker
AWS Fargate
AWS CloudFormation template
SaaS
With multiple
deployment options:

33. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
“The ability to deploy software instantaneously anywhere in the world means we’re able to scale
immediately, and stretch or shrink the environment to accommodate our needs.”
“Integrated billing on AWS Marketplace is very slick, very straightforward. One place, one
dashboard where all my costs appear.”
Why customers buy in AWS Marketplace?
Flexible
consumption and
contract models
Easy and secure
deployment, almost
instantly
Single, consolidated
bill
Speed, simplicity, and scalability
“One benefit of the pay-as-you-go model is the ability to deploy anywhere without having to do a
capital approval process to pay for infrastructure that may or may not be used.”
—Rob Gillan, CTO, SimplePay
—Briley James Yetter, Director of Technology, Goodwill Industries
—Richard Williams, Sr. Engineer, MakerBot

34. Thank you!
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Benjamin Andrew
Global Lead Security, Networking & DevSecOps
AWS Marketplace
benand@amazon.com
www.linkedin.com/in/benandrew