O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.

DevSecOps-The Key of Continuous Security

How to secure your DevOps tech and flow.

  • Seja o primeiro a comentar

DevSecOps-The Key of Continuous Security

  1. 1. DevSecOps The key of continuous security 2019@DevOpsDays
  2. 2. 4ndersonLin Whois I am Anderson MaiCoin Security Engineer AWS Certified All-5 + Sec specialty Too many interests...
  3. 3. Agenda ➔ Sec with DevOps ➔ About continuous security ➔ Monitor and Automation ➔ Conclusions
  4. 4. DevOps + Sec = ?
  5. 5. Make DevOps secure DevOps 帶給我們自動化的機會 Sec 帶給我們安全的機會
  6. 6. Make DevOps secure or die 哪些人需要同時擁抱DevOps和Sec。
  7. 7. Make DevOps secure or die 於是,這些怕死的人就試著把它們合在一起。
  8. 8. DevSecOps
  9. 9. Why DevSecOps? 軟性需求 追求流程安全性 追求產品安全性 減少Sec和DevOps的隔閡 剛性需求(沒有會死) 合規性 資產價值高 資安風險高
  10. 10. Why DevSecOps?
  11. 11. 1. 確保DevOps技術和方法的安全性 2. 資安人員融入和適應DevOps Two faces of DevSecOps Build ReleaseTest Plan Monitor Security Dev Ops Sec 100 10 1
  12. 12. Chance of DevSecOps Build/Test faster 所以... 我們有機會更早/快發現漏洞 Release/deploy faster 所以... 我們有機會更快的修補漏洞 More monitoring details 所以... 我們有機會更快的反應問題
  13. 13. Challenge of DevSecOps 傳統的資安工具不支援... Cloud service : Native solution Container : New tools 難以保護的pipeline... Protect the credentials first 資安人擁抱自動化從何開始... 熟悉的工具開始 : SAST, DAST 自動化監控和回應
  14. 14. Well Known DevSecOps life cycle
  15. 15. lifecycle Build ReleaseTest Plan Monitor Code analysis SAST Code review Common test DAST Compliance check Configuration validation Log information Detect attack Update threat model Analysis incident
  16. 16. Under the Application 在Application之下,關於Infrastrcture的部分, 我們有沒有機會用類似的方法,持續的保持它的安全性呢? Yes, we can.
  17. 17. Before we run 我們需要準備什麼? 1. Everything as Code(IaC, PaC) 2. Secure by default 3. 請使用有提供API的工具和服務 4. 融入追求安全的精神
  18. 18. Continuous security Build ReleaseTest Plans Monitor Build ReleaseTest Plan Monitor Linting Infra uni test Infra integration test Configuration validation Automated detection and responseAnalysis incident Plan for next
  19. 19. Continuous Security Build phase
  20. 20. Life cycle : Build phase Build ReleaseTest Plan Monitor Linting Infra uni test
  21. 21. Pro and Con Pros: - 可以測試到每個resource - 確保產出的Code具備最基本的可靠性 Cons: - 逐一寫出的測試後續難以維運 - 覆蓋面可能不夠廣泛
  22. 22. Continuous Security Test phase
  23. 23. Life cycle : Test phase Build ReleaseTest Plan Monitor Infra integration test
  24. 24. Life of Test phase Infra as Code > Testing - Terratest - Cloudformation validation pipeline
  25. 25. Pro and Con Pro: - 有較完整的測試,和預期結果的偏差較小。 Con: - 還不足以確認完全符合Compliance和Policy的需求
  26. 26. Continuous Security Release phase
  27. 27. Life cycle : Release phase Build ReleaseTest Plans Monitor Configuration validation
  28. 28. Life of Release phase Policy as code - AWS Config - Chef InSpec - Open policy agent
  29. 29. Pro and Con Pro: - 確保了產出的系統設定的符合預定的policy Con: - 每個平台和工具有不同的DSL要學
  30. 30. Take a break Recap
  31. 31. Recap of life cycle Build ReleaseTest Plan Monitor Linting Infra uni test Infra integration test Configuration validation
  32. 32. Monitor and Automation
  33. 33. Life cycle : Monitor phase Build ReleaseTest Plan Monitor Automated detection and response
  34. 34. Why we need to do this 確保持續的一致性和合規性 對抗風險: - 未授權的行為 - 惡意攻擊 - 違反Compliance rule ...
  35. 35. Monitor and Automation 自動化偵測並採取行動
  36. 36. Detection 偵測的內容: - 異常變更 - 異常存取 - 惡意攻擊 - PCI requirement - CIS control ...
  37. 37. 依據嚴重程度不同,自動採取不同行為: - 告警 - 還原變更 - 關閉/隔離/移除異常個體 - 停用/刪除User或API Key - 建立Reputation list(整合內部和外部的情資) Action
  38. 38. Overview VPC WAF Cloudflare Incapsula Firewall GW EC2 EC2 Container Endpoint protect Guardduty VPC Flowlog CW Event CloudTrail KMSIAM Security Group Config Security Hub Reputation
  39. 39. VPC Revoked & Comment 異常變更 EC2 EC2 CW event CloudTrail 發生可能由維運人員手動或是未經審核的變更時... 例如Security Group規則突然被異動 Original Allow 192.168.10.1 : 443 Modified Allow Any : 443 Security Group https://github.com/4ndersonLin/serverless-sg-sentry
  40. 40. 異常存取 Guardduty CloudTrail KMS IAM 發生維運人員或駭客存取時... 例如某個IAM User使用了他平常不用的API 或是KMS裡面的加密金鑰在異常的時間或地點被存取 Disable API Key
  41. 41. 惡意攻擊 VPC WAF Cloudflare Incapsula Firewall GW EC2 EC2 Endpoint protect Guardduty VPC Flowlog Security Group 發生從外部發起的攻擊時... Reputation
  42. 42. 惡意攻擊 VPC Firewall GW EC2 EC2 Container Endpoint protect Guardduty VPC Flowlog Security Group 發現從內部發起的攻擊時... Reputation Move to Deny all Ban IP Hunting Ref: https://aws.amazon.com/tw/blogs/opensource/securing-amazon-eks-lambda-falco/ https://sysdig.com/blog/how-to-identify-malicious-ip-activity-using-falco/
  43. 43. PCI requirement VPC EC2 EC2 KMS Security Group Config 保持系統符合PCI的要求,例如: Load balancer - SSL Cipher policy - Storage encryption TLS 1.2 & Strong cipher KMS encrypted
  44. 44. VPC CIS control EC2 EC2 CW Event KMSIAM Security Group Config Security Hub https://github.com/4ndersonLin/AWS-CIS-alert 保持系統符合CIS的要求, 例如: - IAM User變更警告 - 必須使用MFA - 網路架構變更警告 - KMS變更警告 - 未授權API使用警告
  45. 45. Overview Again VPC/Local network WAF Cloudflare Incapsula Firewall GW EC2 EC2 Container Endpoint protect Guardduty VPC Flowlog CW Event CloudTrail KMSIAM Security Group Config Security Hub Reputation WAF KMS/HSM SIEM/SOC LDAP/AD/ SSO
  46. 46. Conclusions
  47. 47. Conclusions Back to the requirement 我們是否真的需要DevSecOps? 有沒有我們可以立刻開始做的? 我們要做到什麼成熟度? CI/CD with Security Testing, IaC PaC, Automation response 軟性需求、剛性需求
  48. 48. Conclusions 最痛苦的地方是... 開源工具不夠成熟 較為成熟的工具又有限定語言或是限定vendor的問題
  49. 49. thanks! Any questions? You can find me at security@maicoin.com
  50. 50. We are Hiring Software Engineer in Test Software Engineer https://github.com/MaiAmis/Careers

×