security as code owasp

SECURITY AS CODE A NEW FRONTIER Christian Price Cloud Security Architect, Intuit Shannon Lietz Sr. Mgr & DevSecOps Leader, Intuit

Upload: shannon-lietz

Post on 07-Jan-2017


TRANSCRIPT

Page 1: Security as Code owasp

SECURITY AS CODE

A NEW FRONTIER

Christian Price, Cloud Security Architect, Intuit

Shannon Lietz, Sr. Mgr & DevSecOps Leader, Intuit

Page 2: Security as Code owasp

IN THE BEGINNING

COMPLIANCE
• 375 PAGE DOCUMENT
• MINIMUM BASELINE: 87 RATIONALIZED CONTROLS
• RISK BASED ON IMPACT & LIKELIHOOD

SOFTWARE DEVELOPER
• OK – HOW DOES THAT APPLY TO WHAT I DO?

[Slide image: mock document cover "Security Configuration Procedures V 3.6.0.1.1, January 2011", Page 3 of 375, stamped UBERSECRET]

Page 3: Security as Code owasp

CHOICE

Page 4: Security as Code owasp

WHO WE ARE

• CLOUD SECURITY ENGINEERING @ INTUIT
• 20+ YEARS OF SECURITY EXPERIENCE
• DIVERSIFIED GROUP OF DEVELOPERS, OPERATIONS & SECURITY
• FOUNDERS OF DEVSECOPS.ORG
• RUGGED BUNCH OF RESEARCHERS & EMERGING TECHNOLOGISTS

-- FOUNDER --

Page 5: Security as Code owasp

QUICK OVERVIEW

• PROBLEM STATEMENT
• DEVOPS REQUIRES CONTINUOUS DEPLOYMENTS
• FAST DECISION MAKING IS CRITICAL TO DEVOPS SUCCESS
• TRADITIONAL SECURITY JUST DOESN’T SCALE OR MOVE FAST ENOUGH

• WELCOME DEVSECOPS!
• CUSTOMER FOCUSED MINDSET
• SCALE, SCALE, SCALE
• OBJECTIVE CRITERIA
• PROACTIVE HUNTING
• CONTINUOUS DETECTION & RESPONSE

BangHead Here

Page 6: Security as Code owasp

RUGGED SECURITY

[Diagram: Compliance Operations, Security Operations, Security Science and Security Engineering, with OPS / SEC / DEV / AppSec; three areas marked NEW]

• Security as Code
• Self-Service Testing
• Red Team/Blue Team
• Inline Enforcement
• Analytics & Insights
• Detect & Contain
• Incident Response
• Investigations
• Forensics

Page 7: Security as Code owasp

THE ART OF DEVSECOPS -> SECURITY AS CODE

DevSecOps

Security Engineering: Experiment, Automate, Test

Security Operations: Hunt, Detect, Contain

Compliance Operations: Respond, Manage, Train

Security Science: Learn, Measure, Forecast

Page 8: Security as Code owasp

EVOLUTION

Page 9: Security as Code owasp

FULL STACK VULNERABILITIES

• API KEY EXPOSURE -> 8 HRS
• DEFAULT CONFIGS -> 24 HRS
• SECURITY GROUPS -> 24 HRS
• ESCALATION OF PRIVS -> 5 DAYS
• KNOWN VULN -> 8 HRS

Page 10: Security as Code owasp

SECURITY AS CODE

• INFRASTRUCTURE -> TEMPLATES & RECIPES
• FIREWALLS -> SECURITY GROUPS
• ACCESS CONTROLS -> IAM USERS AND POLICIES
• IDS -> HOST AGENTS & RESOURCE TESTING
• LOGGING -> API & INSTANCE LOGGING
• FORENSICS -> SNAPSHOTS & API PROFILE
• VULNERABILITY SCORES -> GRADES

Page 11: Security as Code owasp

SOFTWARE DEFINED UPS & DOWNS

PLUS
• FAR MORE DATA THAT SIMPLY NEEDS TO BE HARNESSED
• FASTER DETECTION, CONTAINMENT & REMEDIATION
• ABILITY TO REFRESH STACKS TO AVOID CRITICAL ISSUES

MINUS
• MUCH EASIER TO MAKE CRITICAL MISTAKES
• MOST EVENTS COME FROM DEFAULT IMPLEMENTATIONS
• HUGE DATA MAKES EVERYTHING HARDER

Page 12: Security as Code owasp

LOW FRICTION TRANSPARENT GOVERNANCE

[Diagram: Central Account (Trusted) with an Admin IAM identity linked to a SecRole in each of six accounts' IAM]

How did we decide which roles would be deployed?

• Human
  • IAM Admin
  • Incident Response
  • Read Only

• Services
  • IAM Grantor
  • Instance Roles required to support security services
  • Read Only

Page 13: Security as Code owasp

TOOLS

Page 14: Security as Code owasp

ENVIRONMENT

• SOFTWARE-DEFINED ENVIRONMENT
• BLAST RADIUS CONTAINMENT
• NATIVE MULTI-FACTOR AUTH
• GRANULAR ACCESS CONTROLS
• EXTENSIVE LOGGING

AWS
RUBY, PYTHON, GO
API/MICRO-SERVICES
LOG EVENTS

Page 15: Security as Code owasp

GITHUB

• BASELINE TEMPLATES (CLOUDFORMATION, SCRIPTS, ETC.)
• PATTERNS & DECISIONS
• RULES, SIGNATURES, SEARCH QUERIES, ALERT DEFINITIONS
• WHITELISTING & SHARING TO EXTEND FOR SCALE

Page 16: Security as Code owasp

COMPONENTS

MACHINE IMAGES
DOCKER CONTAINERS
BASELINE SCRIPTS
LIBRARIES & TOOLKITS

• BUILD SECURE COMPONENTS FOR INCLUSION
• MAKE RESOURCE LEVEL CHANGES AND DISSEMINATE TO TEAMS
• APPLY LESSONS FROM SECURITY OPERATIONS & INCIDENT RESPONSE TO BASELINE COMPONENTS
• MANAGE FOR DRIFT BY BUILDING OUT DIFF TOOLS
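The drift diff tool of page 16 applied to page 10's "firewalls -> security groups" (and page 23's rule to scope security groups to specific needs), as an added example that is not code from the deck: it compares a group's baseline rules with its live rules and flags sensitive ports open to the world. The rule dictionaries follow the EC2 IpPermissions shape but are constructed here so it runs offline.

```python
# Added example (not from the deck): diff a security group's baseline rules
# against its live rules and flag world-open sensitive ports. Rule dicts follow
# the EC2 IpPermissions shape but are constructed here so it runs offline.
from typing import Dict, FrozenSet, List, Tuple

Rule = Tuple[str, int, int, str]  # (protocol, from_port, to_port, cidr)
# Ports that should never be open to 0.0.0.0/0 (assumed list for this example).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}


def flatten(permissions: List[Dict]) -> FrozenSet[Rule]:
    """Turn EC2-style IpPermissions into a set of (proto, from, to, cidr) tuples."""
    rules = set()
    for perm in permissions:
        for rng in perm.get("IpRanges", []):
            # IpProtocol "-1" means all traffic and carries no port range.
            rules.add((perm["IpProtocol"], perm.get("FromPort", -1),
                       perm.get("ToPort", -1), rng["CidrIp"]))
    return frozenset(rules)


def diff_rules(baseline: List[Dict], live: List[Dict]) -> Dict[str, List[Rule]]:
    """Drift report: rules present live but not in the baseline, and vice versa."""
    base, cur = flatten(baseline), flatten(live)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def world_exposed(live: List[Dict]) -> List[Rule]:
    """Rules that expose a sensitive port, or all traffic, to 0.0.0.0/0."""
    hits = []
    for proto, lo, hi, cidr in sorted(flatten(live)):
        if cidr != "0.0.0.0/0":
            continue
        if proto == "-1" or any(lo <= p <= hi for p in SENSITIVE_PORTS):
            hits.append((proto, lo, hi, cidr))
    return hits


# Constructed baseline: HTTPS from anywhere, SSH only from a bastion subnet.
BASELINE = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
]
# Constructed live state: SSH was opened to the world and the bastion rule dropped.
LIVE = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
```

Against real accounts the two lists would come from an EC2 DescribeSecurityGroups call and from the template under version control; the diff is what a scheduled baseline check (page 18) would publish.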

Page 17: Security as Code owasp

RESOURCE TESTING & VALIDATION

• RESOURCE AND COMPONENT TESTING IMPROVES RUGGEDNESS OF SOFTWARE DURING INTEGRATION
• TOOLS CAN BE CALLED FROM CONTINUOUS INTEGRATION & CONTINUOUS DEPLOYMENT PIPELINE
• RESPONDERS CAN TRIGGER INLINE TESTING TO IDENTIFY VULNERABILITIES UNDER ATTACK
• ATTACKS ARE DEFINED IN GHERKIN
• API TO REQUEST TESTING BY TYPE

ZAP PROXY
GAUNTLT
NESSUS
NEXPOSE
METASPLOIT
BURP SUITE
LIFECYCLE/AUDITOR

Page 18: Security as Code owasp

SCHEDULER & QUEUES

• SCHEDULING FOR BASELINE CHECKS
• AD-HOC OPERATIONS REQUIRE QUEUES
• COORDINATION AMONG MICRO-SERVICES
• MULTI-USE DATA SUPPORTS VARYING SECURITY VIEWS

RESQUE
SNS
SQS
KINESIS
KAFKA

Page 19: Security as Code owasp

RECONNAISSANCE: DATA IS CRITICAL

[Diagram labels: insights, security science, security tools & data, AWS accounts, S3, Glacier, EC2, CloudTrail, ingestion, threat intel]

Page 20: Security as Code owasp

SELF-SERVICE

Page 21: Security as Code owasp

RESPONDER, SELFIE & GRAVE ROBBER

• TOOLKIT FOR INCIDENT RESPONDERS TO TRIAGE & QUERY ACCOUNT & INSTANCES AT SAME TIME
• SNAPSHOT INSTANCES FOR REAL-TIME ANALYSIS
• LOTS OF STORAGE, FASTER WHEN BIG DATA IS APPLIED

RUBY
AWS API
DR ACCOUNT
ENCASE

Page 22: Security as Code owasp

LESSONS

Page 23: Security as Code owasp

TABLE STAKES

• GO NATIVE, WHEN POSSIBLE
• MFA -> TABLE-STAKES, USE IT.
• PRIVILEGED ACCESS -> USE LEAST PRIVILEGE, ASSUMEROLE WHEN NEEDED
• SECURITY GROUPS -> LIMIT ACCESS AND SCOPE TO SPECIFIC NEEDS
• DEPLOYMENT AUTOMATION -> OVER-PRIVILEGED, UNDER-SECURED
• RE-STACK OFTEN -> CRITICAL VULNERABILITIES OCCUR ON AVERAGE EVERY 10 DAYS.
• USE ENCRYPTION OPTIONS

Page 24: Security as Code owasp

DON’T BE AN ALL-*
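The page 12 role pattern and page 23's least-privilege, AssumeRole and MFA points, together with this slide's warning against all-* grants, as one added example that is not the presenters' code: a SecRole trust policy that only the central account can assume (MFA required for human roles, not for service roles) and a linter that flags wildcard actions and wildcard resources in IAM policy documents. The account ID and both sample policies are constructed.

```python
# Added example (not from the deck): the page 12 role pattern as code. A central
# trusted account assumes a SecRole in each member account; human roles require
# MFA, service roles do not. lint_policy then flags the "all-*" grants page 24
# warns against. The account ID and both sample policies are constructed.
from typing import Dict, List

CENTRAL_ACCOUNT = "111111111111"  # constructed placeholder, not a real account


def trust_policy(role_kind: str) -> Dict:
    """Trust policy for a SecRole: who may sts:AssumeRole into it, and on what condition."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{CENTRAL_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }
    if role_kind == "human":
        # MFA is table stakes: people may only assume the role with MFA present.
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    elif role_kind != "service":
        raise ValueError(f"unknown role kind: {role_kind}")
    return {"Version": "2012-10-17", "Statement": [statement]}


def _read_only(action: str) -> bool:
    """Describe/Get/List actions legitimately need Resource '*'; others should not."""
    return action.split(":", 1)[-1].startswith(("Describe", "Get", "List"))


def lint_policy(policy: Dict) -> List[str]:
    """Flag all-* grants: wildcard actions, or Resource '*' on non-read actions."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else list(resources)
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in resources and not all(_read_only(a) for a in actions):
            findings.append(f"statement {i}: wildcard resource for {actions}")
    return findings


# Constructed: the over-privileged deployment automation page 23 warns about.
DEPLOY_POLICY = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Constructed: a read-only responder policy; Describe calls need Resource "*".
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                    "Action": ["ec2:DescribeInstances", "ec2:DescribeSecurityGroups"],
                    "Resource": "*"}]}
```

The same linter can run in the pipeline over every policy document kept in GitHub (page 15) before it is deployed.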

Page 25: Security as Code owasp

DON’T EMBED SECRETS…

…DON’T PUT ANY API KEYS, SSH PRIVATE KEYS, OR SSL PRIVATE KEYS IN:
• CLOUDFORMATION,
• USER-DATA,
• GIT,
• OR ANYWHERE ELSE THAT CAN’T KEEP A SECRET, SECRET
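The check this slide implies, as an added example that is not from the deck: a scanner that walks a parsed CloudFormation template, concatenates Fn::Join parts, base64-decodes user-data that is passed already encoded, and reports embedded AWS access keys, AWS secret keys and PEM private keys. The template and the key-like strings are constructed, not real credentials.

```python
# Added example (not from the deck): scan a parsed CloudFormation template for the AWS keys
# and PEM private keys page 25 says never to embed, decoding user-data first. Values are constructed.
import base64
import re
from typing import Any, List, Tuple

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def _maybe_b64(text: str) -> str:
    """Decode base64 user-data; return the input unchanged if it is not valid base64."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return text


def _strings(node: Any, path: str) -> List[Tuple[str, str]]:
    """Every string leaf with its path; Fn::Join parts are concatenated, Refs skipped."""
    if isinstance(node, str):
        return [(path, node)]
    if isinstance(node, dict):
        if "Fn::Join" in node:
            sep, parts = node["Fn::Join"]
            return [(path, sep.join(p for p in parts if isinstance(p, str)))]
        return [s for k, v in node.items() for s in _strings(v, f"{path}/{k}")]
    if isinstance(node, list):
        return [s for i, v in enumerate(node) for s in _strings(v, f"{path}[{i}]")]
    return []


def find_secrets(template: dict) -> List[Tuple[str, str]]:
    """Return (path, kind) for each template string that looks like an embedded secret."""
    hits = []
    for path, text in _strings(template, ""):
        text = _maybe_b64(text) if "UserData" in path else text  # user-data may arrive pre-encoded
        hits += [(path, kind) for kind, pat in PATTERNS.items() if pat.search(text)]
    return hits


# Constructed template: plaintext user-data exporting a key, and a pre-encoded blob holding a private key.
ENCODED = base64.b64encode(b"#!/bin/bash\n-----BEGIN RSA PRIVATE KEY-----\nconstructed\n").decode()
SAMPLE = {"Resources": {
    "Web": {"Type": "AWS::EC2::Instance", "Properties": {"UserData": {"Fn::Base64": {"Fn::Join": [
        "", ["#!/bin/bash\n", "export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n",
             "export AWS_SECRET_ACCESS_KEY=", {"Ref": "SecretParam"}, "\n"]]}}}},
    "Batch": {"Type": "AWS::EC2::Instance", "Properties": {"UserData": ENCODED}},
}}
```

Run it over `json.load`-ed templates as a pre-commit or pipeline step so the material never reaches git or a stack; the Ref in the sample is the pattern to prefer, pulling the secret from a parameter at deploy time.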

Page 26: Security as Code owasp

DON’T OVER-SHARE…

WE DON’T WANT TO KNOW YOUR SECRETS…

…AND YOU DON’T WANT YOUR SECRETS GETTING OUT.

Page 27: Security as Code owasp

DON’T BE A ZERO

Page 28: Security as Code owasp

CHOICE?

Page 29: Security as Code owasp

EMERGING SECURITY TRENDS

• SHORTAGE OF SECURITY PROFESSIONALS
• BIG COMPANIES ARE ATTEMPTING TO SCALE SECURITY TO MOVE FASTER: FACEBOOK, NETFLIX, LINKEDIN, AWS, INTUIT
• INDUSTRY LEADERS TALKING ABOUT THE INTEGRATION OF DEVOPS & SECURITY: JOE SULLIVAN, JASON CHAN, GENE KIM, JOSH CORMAN
• INTRODUCTION OF DEVSECOPS AT MIRCON IN 2014
• SECDEVOPS AT RSA 2015 WAS FULL DAY OF DEDICATED CONTENT
• LINKEDIN PEOPLE SEARCH: 36 DEVSECOPS, 13 SECDEVOPS, 11 DEVOPSSEC, 33K+ CLOUD SECURITY

Page 30: Security as Code owasp

GET INVOLVED

• DEVSECOPS.ORG
• @DEVSECOPS ON TWITTER
• DEVSECOPS ON LINKEDIN
• RUGGEDSOFTWARE.ORG
• JOIN US !!!