Sydney: Level 8, 66 King Street, Sydney NSW 2000
Melbourne: Level 15, 401 Docklands Drive, Docklands VIC 3008
Tel. 1300 922 923 | Intl. +61 2 9290 4444 | www.senseofsecurity.com.au
Sense of Security Pty Ltd, ABN 14 098 237 908
@ITSecurityAU
Security, it’s all we do. Knowledge, Experience & Trust.
Advanced Security Automation in DevOps
Murray Goldschmidt | Chief Operating Officer
March 2017
The Robot Barista
Source: https://www.wired.com/2017/01/cafe-x-robot-barista/
Mar-17 | www.senseofsecurity.com.au | © 2002-2017 Sense of Security Pty Limited
Why does Automation matter?
Ransomware Automation
Source: http://www.zdnet.com/article/new-dark-web-scheme-lets-wannabe-cybercriminals-get-in-on-ransomware-for-free/
Guess Who?
Yes, that’s YOU - DevOps DJ
DevOps Coverage: Speed & Timing
Core Infrastructure (Fabric Functions: AWS IAM, EC2, Azure)
Cloud Platform (Amazon RDS, S3, Lambda, etc.)
Network & OS (Linux, Windows, etc.)
Application Framework (Tomcat, Apache, .Net, IIS etc.)
Custom Application (1st-party code, 3rd-party libraries, etc.)
Introducing StackSec
Core Infrastructure (Fabric Functions: AWS IAM, EC2, Azure, etc.)
Cloud Platform (Amazon RDS, S3, Lambda, etc.)
Network & OS (Linux, Windows, etc.)
Application Framework (Tomcat, Nginx, Apache, etc.)
Custom Application (1st-party code, 3rd-party libraries, etc.)
Continuous Monitoring
StackSec – Layer by Layer
DevOps Mayhem
Tools, Tools & More Tools
Source: Momentum Partners
Coverage Across Public, Private & Hybrid Clouds
DevSecOps Lab
Pipeline stages: IDE, Source Code Repository, CI Build Server, Continuous Deployment, Staging Environment, Production Environment
Security tooling across the pipeline: Coding Helpers, Code Analysis, Supply Chain Risk, App Scanning, OWASP ZAP, Configuration/Vuln Management, Continuous Monitoring, Advanced Security Automation
StackSec – Shifting Left
DevSecOps – All Encompassing
DevSecOps
Stack Security
Traditional DevOps
Application Security
Security Automation: Custom Application
Per Developer IDE Integration
Per Developer Sandbox Testing
Combined Project Static Analysis
Dynamic Testing
Continuous Monitoring (Public)
Pipeline stages: Code, Commit, Build, Test, Deploy, UAT, Production
App Sec: Defense in Depth
Layer #1 – The developer has an opportunity to avoid introducing a security vulnerability in their IDE.
Layer #2 – Static code analysis triggered by the code commit action identifies the vulnerability – build fails.
Layer #3 – Automated dynamic scanning of the application detects the same vulnerability if it gets this far.
Layer #4 – Continuous Monitoring through a Vulnerability Management Program detects the exposed vulnerability. Add a comprehensive Manual Pen Test.
• Veracode Greenlight
• Eclipse
• Visual Studio
Security Bug Detection at the IDE
And Don’t Forget the O/S & 3rd Party Code + Dependency Chain
https://www.grammatech.com/
“44% of applications contain critical vulnerabilities in an open source component.” ~ Veracode
Third Party Components @ IDE
• Advanced binary fingerprinting identifies all open source and proprietary components and dependencies.
• Categories: exact, similar or unknown.
• Configure policy actions to automatically prevent applications from moving forward with unwanted or unapproved components.
• Set up automated notifications when unwanted components are being used in your applications.
Software Composition Analysis @ Build
Early Dev, Mid Dev & Build Coverage on Commit
Scan Early, Scan Often
Applications that used sandbox had an average fix rate of 59%, or a 2x improvement in fix rate.
• Veracode
• Static Code Analysis
• Dynamic Code Analysis
Static Binary and Dynamic Application Scanning
StackSec: Configuration Management
• Remember your DevOps tools too!
• Many don’t have out of the box security controls enabled
• E.g. Jenkins default installation:
  • NO access control
  • NO audit of configuration changes
• #facepalm
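The Jenkins point above, as an added example that is not from the original deck: a check over the settings in `$JENKINS_HOME/config.xml` that leave an instance without authentication or authorisation. The two sample configurations are constructed; the element and class names are the ones Jenkins itself writes. Jenkins 2 locks down a fresh install through its setup wizard, but an install that disables the wizard, or an older 1.x instance, can still sit in the state the slide describes, which is why the check belongs in the pipeline rather than in a one-off review.

```python
"""Added example: audit a Jenkins config.xml for missing access control.

Flags security switched off, the Unsecured authorisation strategy, no
security realm, anonymous read access and open self-signup. Sample
configurations are constructed; names match what Jenkins writes.
"""
import xml.etree.ElementTree as ET

UNSECURED_CONFIG = """<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>"""

HARDENED_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
</hudson>"""


def _not_set(elem, child, expected="true"):
    """True when elem/<child> is absent or differs from expected (case-insensitive)."""
    return elem.findtext(child, default="").strip().lower() != expected


def audit_jenkins_config(xml_text):
    """Return a list of findings; an empty list means the checks passed."""
    root = ET.fromstring(xml_text)
    findings = []
    if _not_set(root, "useSecurity"):
        findings.append("useSecurity is not true: all access control disabled")

    authz = root.find("authorizationStrategy")
    authz_cls = authz.get("class", "") if authz is not None else ""
    if authz is None or authz_cls.endswith("AuthorizationStrategy$Unsecured"):
        findings.append("authorization strategy Unsecured: anyone has full control")
    elif authz_cls.endswith("FullControlOnceLoggedInAuthorizationStrategy"):
        if _not_set(authz, "denyAnonymousReadAccess"):
            findings.append("anonymous users can read jobs, builds and console output")

    realm = root.find("securityRealm")
    realm_cls = realm.get("class", "") if realm is not None else ""
    if realm is None or realm_cls.endswith("SecurityRealm$None"):
        findings.append("no security realm: nobody has to authenticate")
    elif realm_cls.endswith("HudsonPrivateSecurityRealm"):
        if _not_set(realm, "disableSignup"):
            findings.append("self-signup enabled: anyone can create an account")
    return findings


if __name__ == "__main__":
    for label, cfg in (("unsecured", UNSECURED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_jenkins_config(cfg) or ["OK"])
```

For the second half of the slide, the missing audit of configuration changes, the Audit Trail and Job Configuration History plugins record who changed what; the same function can also run over the config.xml a configuration-as-code job checks into source control, which turns the audit into a diff on every commit.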
Jenkins on the ‘Net in AU
Automating Security at the Deploy Layer
Preventing a deployment if something fails. Console output from the slide:
Using Scan 1218389
Checks Failed
POST BUILD TASK : FAILURE
END OF POST BUILD TASK : 0
ESCALATE FAILED POST BUILD TASK TO JOB STATUS
Build step ‘Post build task’ changed build result to FAILURE
Finished: FAILURE
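The decision behind that console output, as an added example rather than the deck's own tooling: a post-build step reads the scan result for the build, applies a severity policy with time-boxed risk acceptances, and exits non-zero so the Jenkins post-build task escalates to FAILURE. It also fails closed when no usable result exists, because a scan that never ran must not look like a clean one. The JSON shape, policy and waivers are constructed; only the scan id is taken from the slide.

```python
"""Added example: deployment gate driven by scan results (constructed data)."""
import json
import sys
from datetime import date

# Maximum number of open findings per severity before the gate fails.
POLICY = {"critical": 0, "high": 0, "medium": 5}

# Accepted risks: finding id -> expiry date (ISO). Expired waivers count again.
WAIVERS = {"F-2": "2017-06-30"}

# Constructed scan result; the scan id is the one shown on the slide.
SAMPLE_RESULT = {
    "scan_id": "1218389",
    "status": "complete",
    "findings": [
        {"id": "F-1", "severity": "high", "title": "TLS 1.0 enabled"},
        {"id": "F-2", "severity": "medium", "title": "Missing HSTS header"},
        {"id": "F-3", "severity": "low", "title": "Server banner disclosed"},
    ],
}


def evaluate(result, policy=POLICY, waivers=WAIVERS, today=None):
    """Return counts per severity, the policy keys that failed, the findings
    behind those failures, and passed (bool). today may be a date or ISO string."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    if result is None or result.get("status") != "complete":
        # Fail closed: a missing or unfinished scan is not a pass.
        return {"counts": {}, "failed": ["no-result"], "blocking": [], "passed": False}
    counts, candidates = {}, []
    for f in result.get("findings", []):
        expiry = waivers.get(f["id"])
        if expiry and date.fromisoformat(expiry) >= today:
            continue  # accepted risk, still in force
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
        candidates.append(f)
    failed = [sev for sev, limit in policy.items() if counts.get(sev, 0) > limit]
    blocking = [f for f in candidates if f["severity"] in failed]
    return {"counts": counts, "failed": failed, "blocking": blocking, "passed": not failed}


def load_result(path):
    """Read the result file the scan step left behind; None on any error."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return None


def main(argv):
    result = load_result(argv[1]) if len(argv) > 1 else SAMPLE_RESULT
    report = evaluate(result)
    print("Using Scan", result.get("scan_id", "?") if result else "?")
    if report["passed"]:
        print("Checks Passed")
        return 0
    print("Checks Failed:", ", ".join(report["failed"]))
    for f in report["blocking"]:
        print(f"  {f['id']} {f['severity']}: {f['title']}")
    return 1  # non-zero exit is what the post-build task escalates to FAILURE


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the last shell step of the job against the result file the scanner wrote; the exit status is the only contract with Jenkins. Waivers with an expiry date keep accepted risk from silently becoming permanent, which is the usual way a gate like this gets hollowed out.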
Security Automation: App Delivery, OS & N/W
• Vulnerability Management
• Patch Management
• Configuration Management
• Hardening of Framework Configurations
• Hardening of OS & Apps
• Policy Compliance Automated Testing
• Continuous Monitoring – External & Internal
Security for Deployment Automation
• Automation through Deployment Through Code
• Use Immutable Objects
• Update Source Repos
• Use Deployment Mgt to focus on StackSec: (a) access control, (b) integrity of configuration, (c) auditability of changes.
Use Automation to Solve Common Issues
• Concerns in this layer:
  • Heartbleed
  • Expired SSL Certs
    • Assessed through external continuous scans
  • Unpatched/Vulnerable server apps like Tomcat/Apache
  • Configuration Management issues
Network & OS: Continuous Scanning
Configuration Management – Infra & OS
• Coverage across OS & App configs needed
• Combination of FIM & Policy Compliance, Hardening Checks
• Separation of Duties (SoD) for Development, Staging and Prod Environments
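The FIM and hardening-check combination from the bullets above, as an added example that is not from the original deck: a baseline of hashes and permission bits for every file under a root, a comparison that reports added, removed, modified and re-permissioned files, and two hardening checks applied to the current state. demo() builds a constructed tree in a temporary directory so the whole thing runs offline; the paths and file contents are invented.

```python
"""Added example: file-integrity baseline plus hardening checks."""
import hashlib
import json
import os
import stat
import tempfile


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """relative path -> {'sha256', 'mode'} for regular files (symlinks skipped)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"sha256": hash_file(full), "mode": stat.S_IMODE(st.st_mode)}
    return snap


def compare(baseline, current):
    """Drift between a stored baseline and a fresh snapshot."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p]["sha256"] != current[p]["sha256"]),
        "mode_changed": sorted(p for p in both if baseline[p]["mode"] != current[p]["mode"]),
    }


def hardening_findings(current, sensitive=("etc/shadow",)):
    """Policy: no world-writable files; sensitive files unreadable by group/other."""
    out = []
    for rel, meta in sorted(current.items()):
        if meta["mode"] & stat.S_IWOTH:
            out.append((rel, "world-writable"))
        if rel in sensitive and meta["mode"] & (stat.S_IRGRP | stat.S_IROTH):
            out.append((rel, "sensitive file readable by group/other"))
    return out


def _write(path, text, mode):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def demo():
    """Baseline a constructed tree, introduce drift, return (diff, findings)."""
    with tempfile.TemporaryDirectory() as root:
        sshd = os.path.join(root, "etc", "sshd_config")
        shadow = os.path.join(root, "etc", "shadow")
        _write(sshd, "PermitRootLogin no\n", 0o644)
        _write(shadow, "root:*:0:0:::\n", 0o600)
        baseline = snapshot(root)
        # Drift: config weakened, permissions loosened, unexpected file dropped in.
        _write(sshd, "PermitRootLogin yes\n", 0o644)
        os.chmod(shadow, 0o644)
        _write(os.path.join(root, "etc", "cron.d", "job"), "* * * * * root /tmp/x\n", 0o666)
        current = snapshot(root)
        return compare(baseline, current), hardening_findings(current)


if __name__ == "__main__":
    diff, findings = demo()
    print(json.dumps(diff, indent=2))
    for rel, why in findings:
        print(f"{rel}: {why}")
```

In a real deployment the baseline is taken from the machine image at build time and stored outside the host (a JSON dump of snapshot() in the artifact repository is enough), so a compromised host cannot rewrite its own reference. That is also where the separation of duties bullet bites: the account that takes the baseline should not be the one that can log into production.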
Production Environment Policy Scanning
Verification of Hardening via Policy Scanning
• Ensuring that production environments are verifiably hardened before deployment.
• Can be automated to prevent a production deployment.
Security Automation: Cloud Platform & Core Infra
• Cloud Platform Configuration Scanning
• Best Practice & Policy Compliance Tests
• Access & Network Control Auditing (ACLs)
• Visualisation of Tenancy
• Self Healing of Defined Controls
• AWS IAM Config Checks
Core Infrastructure
• Automation to detect any change as it occurs
• Self Healing for API Bind with R/W Permissions
• Cut Your Own Code (Lambda) or use Commercial Products
• Setting policies for Best Practice and/or PCI/ISM etc. compliance
Cloud Configuration Analysis
• Dome9
• Detecting configuration issues
• Automated fixes through “Self Healing” of defined Mandatory Controls
• Extension to API for Deployment Mgt (Jenkins)
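The detect-and-self-heal loop from the Core Infrastructure and Cloud Configuration Analysis slides, as an added example that is neither the deck's code nor Dome9's: it works on the response shape of EC2 `describe_security_groups` (boto3) and plans the matching `revoke_security_group_ingress` calls for any rule that lets the whole internet reach a non-public port. The mandatory control, the sample groups and the CloudTrail event shape read in `lambda_handler` are assumptions for the example.

```python
"""Added example: self-healing of world-open security group rules."""
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"

# Mandatory control (hypothetical): only these TCP ports may be world-reachable.
PUBLIC_TCP_PORTS = {80, 443}


def _ports(perm):
    """Inclusive port range a permission covers; protocol -1 means everything."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def violations(group, public_ports=PUBLIC_TCP_PORTS):
    """IpPermissions entries, narrowed to their world-open CIDRs, that let
    0.0.0.0/0 or ::/0 reach anything beyond public_ports over TCP."""
    bad = []
    for perm in group.get("IpPermissions", []):
        world4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_IPV4]
        world6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_IPV6]
        if not (world4 or world6):
            continue  # not world-open; other CIDRs are a separate policy question
        lo, hi = _ports(perm)
        allowed = sum(1 for p in public_ports if lo <= p <= hi)
        if perm["IpProtocol"] == "tcp" and hi - lo + 1 == allowed:
            continue  # the range holds nothing but public ports
        # Revoke must name the rule exactly, so keep protocol/ports as given.
        entry = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
        if world4:
            entry["IpRanges"] = world4
        if world6:
            entry["Ipv6Ranges"] = world6
        bad.append(entry)
    return bad


def plan_remediation(describe_response):
    """One revoke_security_group_ingress argument set per offending group."""
    plan = []
    for group in describe_response["SecurityGroups"]:
        bad = violations(group)
        if bad:
            plan.append({"GroupId": group["GroupId"], "IpPermissions": bad})
    return plan


def self_heal(describe_response, ec2=None):
    """Revoke offending rules; without a boto3 EC2 client this is a dry run."""
    plan = plan_remediation(describe_response)
    for call in plan:
        if ec2 is None:
            print("DRY RUN revoke_security_group_ingress", call)
        else:
            ec2.revoke_security_group_ingress(**call)
    return plan


def lambda_handler(event, context):
    """Wire-up for a CloudWatch Events rule on AuthorizeSecurityGroupIngress
    (assumed CloudTrail event shape: detail.requestParameters.groupId)."""
    import boto3
    ec2 = boto3.client("ec2")
    group_id = event["detail"]["requestParameters"]["groupId"]
    return self_heal(ec2.describe_security_groups(GroupIds=[group_id]), ec2)


# Constructed describe_security_groups response for the dry run.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0d4e5f6a", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]},
    ]},
]}

if __name__ == "__main__":
    self_heal(SAMPLE)
```

Two caveats before wiring this to a real account. The function's role should carry only `ec2:DescribeSecurityGroups` and `ec2:RevokeSecurityGroupIngress`, since a self-healing hook with broad write access is itself a target. And because infrastructure is deployed from code, a revoke alone just gets re-applied on the next run; the fix has to land in the source repo as well, which is what the "Update Source Repos" bullet on the deployment slide is about.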
Visualise the VPC & View Flow Logs
Visualise Connectivity on a Per Instance Basis
Policy Compliance for Cloud Infra
Automated API Amazon Configuration Scan
Full Spectrum (Stack) Security
Achieving Full Spectrum
• Automation can dramatically improve security
• Make the application build success rely on the security state of the entire stack environment.
• Don’t make it too complicated
DevSecOps Lab – App Layer (the lab diagram above, stepped through in four parts)
• DevSecOps Lab – App Layer – IDE & Build
• DevSecOps Lab – App Layer – Build & Deploy
• DevSecOps Lab – App Layer – Deploy, Stage, Prod
• DevSecOps Lab – App Layer – Continuous Monitoring
DevSecOps Lab – Cloud & Server Infrastructure Layer
Pipeline stages: Infra as Code Repository, CI Build Server, Machine Image Repository, Continuous Deployment, Cloud Environment (Staging Environment, Production Environment)
Security tooling across the pipeline: Vulnerability Management, Policy Compliance, Configuration Management, Hardening, Continuous Monitoring, Advanced Security Automation
Yes You Can Achieve StackSec!
Core Infrastructure (Fabric Functions: AWS IAM, EC2, Azure, etc.)
Cloud Platform (Amazon RDS, S3, Lambda, etc.)
Network & OS (Linux, Windows, etc.)
Application Framework (Tomcat, Nginx, Apache, etc.)
Custom Application (1st-party code, 3rd-party libraries, etc.)
Thank You!
Murray Goldschmidt | Chief Operating Officer
© 2002 – 2017 Sense of Security Pty Limited. All rights reserved.
Some images used under license from Shutterstock.com or with permission from respective trademark owners. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher.