SlideShare a Scribd company logo

DevSecOps: Key Controls for Modern Security Success

Puma Security, LLC
Puma Security, LLC

In this updated slideshare, Principal Security Engineer, Eric Johnson shows engineers, developers and application security professionals how to start conversations on implementing security into the DevOps workflow. You’ll learn about: 1) Cloud and DevSecOps Practices 2) Pre-Commit: The Paved Road 3) Commit: CI / CD Security Controls 4) Acceptance: Supply Chain Security 5) Operations: Continuous Security Compliance For questions, please contact our team at sales [at] pumascan [dot] com. Thanks for taking time to further your understanding of DevSecOps!

Technology
1 of 32
Download to read offline
© 2019 Puma Security, LLC | All Rights Reserved DEVOPS DAYS DES MOINES DevSecOps Key Controls For Modern Security Success 05/02/2019
© 2019 Puma Security, LLC | All Rights Reserved Principal Security Engineer, Puma Security Coder Static analysis engine, cloud automation, security tools Security Assessments DevSecOps, cloud, source code, web apps, mobile apps Principal Instructor DevSecOps Curriculum Manager SANS Principal Instructor Contributing author of SEC540, DEV544, and DEV531 Education and Training Iowa State M.S. Information Assurance, B.S. Computer Engineering AWS Certified Developer CISSP, GSSP, GWAPT Contact Information Email: eric.johnson@pumascan.com Twitter: @emjohn20 LinkedIn: linkedin.com/in/ eric-m-johnson @ $WHOAMI
© 2019 Puma Security, LLC | All Rights Reserved KEYS FOR MODERN SECURITY SUCCESS Cloud & DevSecOps Practices Pre-Commit: The Paved Road Commit: CI / CD Security Controls Acceptance: Supply Chain Security Operations: Continuous Security Compliance Agenda
© 2019 Puma Security, LLC | All Rights Reserved WHAT ARE THE GOALS AND PRINCIPLES IN DEVSECOPS? Make security a first- class problem in DevOps Make security a first-class participant in DevOps Increase trust between dev, ops, and sec Integrate security practices and ideas into DevOps culture Wire security into DevOps workflows to incrementally improve security 01 02 04 03 05 SecDevOps / DevSecOps / DevOpsSec / Rugged DevOps
© 2019 Puma Security, LLC | All Rights Reserved Secure Cloud & DevOps Practices | sans.org/u/OGx Cloud Security Top 10 Serverless Security Top 10 DevSecOps Toolchain Building a DevSecOps Program
© 2019 Puma Security, LLC | All Rights Reserved PRE-COMMIT Threat Modeling IDE Security Plugins Pre-Commit Hooks Peer Code Reviews COMMIT (CI) ACCEPTANCE PRODUCTION OPERATIONS Static Code Analysis Security Unit Tests Container Security Dependency Management Infrastructure as Code Cloud Infrastructure Dynamic Security Tests Security Acceptance Tests Security Smoke Tests Secrets Management Security Configuration Server Hardening Blameless Postmortems Continuous Monitoring Penetration Testing Threat Intelligence Cloud & DevSecOps Security Controls
© 2019 Puma Security, LLC | All Rights Reserved Pre-Commit: The Paved Road
© 2019 Puma Security, LLC | All Rights Reserved Dev, Sec, and Ops teams build secure by default frameworks, libraries, and services Popularized by Netflix "Gates to Guardrails" Operations: Automated pipelines build, certify, and publish cloud infrastructure / machine images Development: Secure templates for Web, APIs, front-end, serverless projects Security: Automated security pipeline scans, unit tests, acceptance tests, production assertions Build The Paved Road PRE-COMMIT
© 2019 Puma Security, LLC | All Rights Reserved Network, Cloud, Infrastructure as Code templates for quickly provisioning certified environments for the development team to use: Cloud network infrastructure Virtual machine gold images Container gold base images Managing Functions as a Service (FaaS) Network hardware devices Opera&ons Paved Road API gateway appliances for microservices
© 2019 Puma Security, LLC | All Rights Reserved AWS CloudFormation infrastructure paved road example: 1 2 3 4 5 6 7 8 9 10 11 12 13 { } LaunchConfiguration: Type: AWS::AutoScaling::LaunchConfiguration Metadata: Properties: ImageId: !FindInMap [ AWSRegionToAMI, !Ref "AWS::Region", AMI ] IamInstanceProfile: !Ref InstanceProfile KeyName: "devsecops" SecurityGroups: - !Ref SecurityGroup UserData: "Fn::Base64": !Sub | #!/bin/bash yum update -y { Gold Image } { Least privilege } { Admin Access } { Network configuration } { Supply chain security } Operations Paved Road Example
© 2019 Puma Security, LLC | All Rights Reserved Templates covering approved technology stacks with protection for common application security issues and misconfigurations: Include common libraries for data validaHon, logging, encoding, etc. Node.js, Django, Spring Boot, .NET Core, Ruby Rails, Functions, etc. Secrets management storage Secure transport configuration (HTTPS) Enable authentication / authorization Configure password management / single sign on Development Paved Road
© 2019 Puma Security, LLC | All Rights Reserved .NET Core paved road example w/ security protecGons pre-configured: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 { } public void ConfigureServices(IServiceCollection services) { services.Configure<IdentityOptions>(options => { options.Password.RequiredLength = 15; options.Lockout.MaxFailedAccessAttempts = 5; } services.AddMvc(options => { options.Filters.Add(new AuthorizeFilter(new AuthorizationPolicyBuilder() .RequireAuthenticatedUser().Build())); }); } public void Configure(IApplicationBuilder app, IHostingEnvironment env) { app.UseRewriter(new RewriteOptions().AddRedirectToHttps()); app.AddSecurityHeaders(); { Password Configuration } { Authorization} { HTTPS } { Security Headers} Development Paved Road Example
© 2019 Puma Security, LLC | All Rights Reserved CI / CD Security Controls Commit:
© 2019 Puma Security, LLC | All Rights Reserved Integrate tools to automate build, test, acceptance, and deployment of infrastructure, cloud, and applications into a repeatable workflow Continuous Integration & Delivery Security Controls COMMIT (CI)
© 2019 Puma Security, LLC | All Rights Reserved Merging new features requires approval from peers and security team prior to triggering the build pipeline: 116 117 118 119 120 121 122 123 { } LoadBalanceArn: !Ref Load Balancer Port: !Ref HttpsPort Protocol: HTTPS SslPolicy: ELBSecurityPolicy-TLS-1-0-2015-04 SslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01 Certificates: - CertificateArn !Ref CertificateArn DefaultActions: CI / CD Security Controls: Version Control
© 2019 Puma Security, LLC | All Rights Reserved Approved merge request triggers automated unit tests, security scans, audit reports, and fast feedback CI / CD Security Controls: Acceptance Tes7ng
© 2019 Puma Security, LLC | All Rights Reserved Build pipelines contain artifacts from security scans and compliance checks CI / CD Security Controls: Audit Reports
© 2019 Puma Security, LLC | All Rights Reserved Supply Chain Security Acceptance:
© 2019 Puma Security, LLC | All Rights Reserved Serious vulnerabilities can be inherited from open source libraries, docker images, infrastructure templates, and serverless functions: WARNING: Some tools may not check transitive dependencies Carefully review content before usage Run tools to automatically the scan code base / images Identify external dependencies Check against public vulnerability database(s) Integrate supply chain security scanning into CI/CD Supply Chain Security
© 2019 Puma Security, LLC | All Rights Reserved OWASP Dependency Check (Java, .NET, Ruby, Python) - h?ps://www.owasp.org/index.php/OWASP_Dependency_Check NPM Audit / Retire.JS (NodeJS) - https://retirejs.github.io/retire.js/ - https://docs.npmjs.com/cli/audit Bundler-Audit (Ruby) - https://github.com/rubysec/bundler-audit PHP Security Checker - https://security.sensiolabs.org/ DEPENDENCY MANAGEMENT Supply Chain Security: Application Scanning Tools ACCEPTANCE
© 2019 Puma Security, LLC | All Rights Reserved OWASP Dependency Check scan and vulnerability report in a Jenkins CI pipeline Supply Chain Security: Application Scanning Example
© 2019 Puma Security, LLC | All Rights Reserved Anchore - https://anchore.com/opensource/ Clair - https://github.com/coreos/clair Actuary - https://github.com/diogomonica/actuary Falco - https://github.com/draios/falco Supply Chain Security: Container Image Scanning Tools CONTAINER SECURITY ACCEPTANCE
© 2019 Puma Security, LLC | All Rights Reserved Invoking an Anchore image scan and capturing vulnerability data in a Jenkins CI pipeline Supply Chain Security: Container Image Scanning Example
© 2019 Puma Security, LLC | All Rights Reserved DevSec Hardening Templates - Automated hardening framework using Puppet, Chef, Ansible - Linux, Windows, SSH, Docker, K8S, Apache, Nginx - https://github.com/dev-sec Hardened infrastructure templates can be used as references Supply Chain Security: Hardened Infrastructure Templates INFRASTRUCTURE AS CODE System Integrity Management Platform(SIMP) - Hardened Puppet infrastructure configuration and testing - NIST 800-53, DISA STIG, FIPS 140-2 RHEL & CentOS templates - https://github.com/simp/ { } ACCEPTANCE
© 2019 Puma Security, LLC | All Rights Reserved Managing function dependencies in AWS Lambda can be achieved using Layers: Buildpipelines removethird-party librariesfrom deployment packages CloudOpsmanages centralizedlayers containingapproved third-partylibraries Third-partyvendorsare leveragingLayerstofurther hardenfunctionruntime environments: PureSecFunctionShield TwistlockDefender Supply Chain Security: FaaS Dependency Management
© 2019 Puma Security, LLC | All Rights Reserved Opera&ons: Continuous Security Compliance
© 2019 Puma Security, LLC | All Rights Reserved Leveraging security configuration tools to automate audit and compliance checks: Test the server and infrastructure configuration against expected baseline and report any deviations Tests should include severity, risk level, and description information Match tests against compliance checklist items or regulatory policies Automated testing tools available for Linux, Unix, Windows, AWS, Azure and VMWare Con9nuous Security Compliance PRODUCTION
© 2019 Puma Security, LLC | All Rights Reserved SECURITY CONFIGURATION InSpec - https://github.com/inspec/inspec Cloud Custodian (AWS, GCP, Azure) - https://github.com/cloud-custodian/cloud-custodian OpenSCAP - https://github.com/OpenSCAP Security compliance / acceptance testing tools: Scout Suite (AWS, GCP, Azure) - https://github.com/nccgroup/ScoutSuite AWS Benchmark Scanner https://github.com/awslabs/aws-security-benchmark Supply Chain Security: Application Scanning Tools PRODUCTION
© 2019 Puma Security, LLC | All Rights Reserved Running InSpec against a running Docker container: 1 2 { } $ docker run -it --rm -v $(pwd):/share chef/inspec exec baseline -t docker://container_id Example InSpec output results from the Linux baseline profile:{ } 1 2 3 4 5 6 7 8 9 ✅ os-01: Trusted hosts login ✅‍ Command find / -name '.rhosts' stdout should be empty ✅ Command find / -name 'hosts.equiv' stdout should be empty X os-02: Check owner and permissions for /etc/shadow (1 failed) ✅ File /etc/shadow should exist ✅ File /etc/shadow should be file ✅ File /etc/shadow should be owned by "root" ✅ File /etc/shadow should not be executable X File /etc/shadow group should eq nil Continuous Security Compliance: InSpec Docker Scan
© 2019 Puma Security, LLC | All Rights Reserved Exporting InSpec results to JUnit format and integrating with Jenkins CI Continuous Security Compliance: Jenkins InSpec Integration
© 2019 Puma Security, LLC | All Rights Reserved Running the AWS CIS Benchmark scan via AWS Config rules Continuous Security Compliance: AWS CIS Benchmark Scan
© 2019 Puma Security, LLC | All Rights Reserved Thank you for attending! Keys for Modern Security Success Contact Information: E | eric.johnson@pumascan.com ü Cloud & DevSecOps Practices ü Pre-Commit: The Paved Road ü Commit: CI / CD Security Controls ü Acceptance: Supply Chain Security ü Operations: Continuous Security Compliance SUMMARY @emjohn20

Recommended

The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
DevOps Indonesia
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
MohammadSaif904342
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Amazon Web Services
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
Amazon Web Services
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
Archana Joshi
 
Slide DevSecOps Microservices
Slide DevSecOps Microservices Slide DevSecOps Microservices
Slide DevSecOps Microservices
Hendri Karisma
 

Recommended

The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
DevOps Indonesia
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
MohammadSaif904342
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Amazon Web Services
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
Amazon Web Services
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
Archana Joshi
 
Slide DevSecOps Microservices
Slide DevSecOps Microservices Slide DevSecOps Microservices
Slide DevSecOps Microservices
Hendri Karisma
 
DevOps on AWS
DevOps on AWSDevOps on AWS
DevOps on AWS
Amazon Web Services
 
AWS ECS vs EKS
AWS ECS vs EKSAWS ECS vs EKS
AWS ECS vs EKS
Norberto Enomoto
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
DevOps Indonesia
 
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptxDevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
Turja Narayan Chaudhuri
 
How to build your containerization strategy
How to build your containerization strategyHow to build your containerization strategy
How to build your containerization strategy
Docker, Inc.
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Cheah Eng Soon
 
Cloud native principles
Cloud native principlesCloud native principles
Cloud native principles
Diego Pacheco
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Setu Parimi
 
Scaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for EnterpriseScaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for Enterprise
Opsta
 
Introduction to DevSecOps on AWS
Introduction to DevSecOps on AWSIntroduction to DevSecOps on AWS
Introduction to DevSecOps on AWS
Amazon Web Services
 
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConShifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Tom Stiehm
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
Derek E. Weeks
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
Priyanka Aash
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
Sonatype
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Joel Divekar
 
CI/CD on AWS
CI/CD on AWSCI/CD on AWS
CI/CD on AWS
Amazon Web Services
 
App Modernization with Microsoft Azure
App Modernization with Microsoft AzureApp Modernization with Microsoft Azure
App Modernization with Microsoft Azure
Microsoft Tech Community
 
What is Cloud Native Explained?
What is Cloud Native Explained?What is Cloud Native Explained?
What is Cloud Native Explained?
jeetendra mandal
 
How to implement DevOps in your Organization
How to implement DevOps in your OrganizationHow to implement DevOps in your Organization
How to implement DevOps in your Organization
Dalibor Blazevic
 
Zero-Trust SASE DevSecOps
Zero-Trust SASE DevSecOpsZero-Trust SASE DevSecOps
Zero-Trust SASE DevSecOps
Araf Karsh Hamid
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security Success
Puma Security, LLC
 
Delivering infrastructure, security, and operations as code - DEM06 - Santa C...
Delivering infrastructure, security, and operations as code - DEM06 - Santa C...Delivering infrastructure, security, and operations as code - DEM06 - Santa C...
Delivering infrastructure, security, and operations as code - DEM06 - Santa C...
Amazon Web Services
 

More Related Content

What's hot

How to build your containerization strategy
How to build your containerization strategyHow to build your containerization strategy
How to build your containerization strategy
Docker, Inc.
 
CI/CD on AWS
CI/CD on AWSCI/CD on AWS
CI/CD on AWS
Amazon Web Services
 

What's hot (20)

DevOps on AWS
DevOps on AWSDevOps on AWS
DevOps on AWS
 
AWS ECS vs EKS
AWS ECS vs EKSAWS ECS vs EKS
AWS ECS vs EKS
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
 
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptxDevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
 
How to build your containerization strategy
How to build your containerization strategyHow to build your containerization strategy
How to build your containerization strategy
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
Cloud native principles
Cloud native principlesCloud native principles
Cloud native principles
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Scaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for EnterpriseScaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for Enterprise
 
Introduction to DevSecOps on AWS
Introduction to DevSecOps on AWSIntroduction to DevSecOps on AWS
Introduction to DevSecOps on AWS
 
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConShifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
CI/CD on AWS
CI/CD on AWSCI/CD on AWS
CI/CD on AWS
 
App Modernization with Microsoft Azure
App Modernization with Microsoft AzureApp Modernization with Microsoft Azure
App Modernization with Microsoft Azure
 
What is Cloud Native Explained?
What is Cloud Native Explained?What is Cloud Native Explained?
What is Cloud Native Explained?
 
How to implement DevOps in your Organization
How to implement DevOps in your OrganizationHow to implement DevOps in your Organization
How to implement DevOps in your Organization
 
Zero-Trust SASE DevSecOps
Zero-Trust SASE DevSecOpsZero-Trust SASE DevSecOps
Zero-Trust SASE DevSecOps
 

Similar to DevSecOps: Key Controls for Modern Security Success

Delivering infrastructure, security, and operations as code with AWS - DEM10-...
Delivering infrastructure, security, and operations as code with AWS - DEM10-...Delivering infrastructure, security, and operations as code with AWS - DEM10-...
Delivering infrastructure, security, and operations as code with AWS - DEM10-...
Amazon Web Services
 
Carry security with you to the cloud - DEM14-SR - New York AWS Summit
Carry security with you to the cloud - DEM14-SR - New York AWS SummitCarry security with you to the cloud - DEM14-SR - New York AWS Summit
Carry security with you to the cloud - DEM14-SR - New York AWS Summit
Amazon Web Services
 
Architecting security and governance through policy guardrails in Amazon EKS ...
Architecting security and governance through policy guardrails in Amazon EKS ...Architecting security and governance through policy guardrails in Amazon EKS ...
Architecting security and governance through policy guardrails in Amazon EKS ...
Amazon Web Services
 
CICDforModernApplications_Stockholm.pdf
CICDforModernApplications_Stockholm.pdfCICDforModernApplications_Stockholm.pdf
CICDforModernApplications_Stockholm.pdf
Amazon Web Services
 
CICDforModernApplications-Oslo.pdf
CICDforModernApplications-Oslo.pdfCICDforModernApplications-Oslo.pdf
CICDforModernApplications-Oslo.pdf
Amazon Web Services
 
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019 Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Amazon Web Services
 
Cloud Security: Attacking The Metadata Service v2
Cloud Security: Attacking The Metadata Service v2Cloud Security: Attacking The Metadata Service v2
Cloud Security: Attacking The Metadata Service v2
Puma Security, LLC
 
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...
Amazon Web Services
 

Similar to DevSecOps: Key Controls for Modern Security Success (20)

DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security Success
 
Delivering infrastructure, security, and operations as code - DEM06 - Santa C...
Delivering infrastructure, security, and operations as code - DEM06 - Santa C...Delivering infrastructure, security, and operations as code - DEM06 - Santa C...
Delivering infrastructure, security, and operations as code - DEM06 - Santa C...
 
Delivering infrastructure, security, and operations as code with AWS - DEM10-...
Delivering infrastructure, security, and operations as code with AWS - DEM10-...Delivering infrastructure, security, and operations as code with AWS - DEM10-...
Delivering infrastructure, security, and operations as code with AWS - DEM10-...
 
Carry security with you to the cloud - DEM14-SR - New York AWS Summit
Carry security with you to the cloud - DEM14-SR - New York AWS SummitCarry security with you to the cloud - DEM14-SR - New York AWS Summit
Carry security with you to the cloud - DEM14-SR - New York AWS Summit
 
Build security into CI/CD pipelines for effective security automation on AWS ...
Build security into CI/CD pipelines for effective security automation on AWS ...Build security into CI/CD pipelines for effective security automation on AWS ...
Build security into CI/CD pipelines for effective security automation on AWS ...
 
Architecting security and governance through policy guardrails in Amazon EKS ...
Architecting security and governance through policy guardrails in Amazon EKS ...Architecting security and governance through policy guardrails in Amazon EKS ...
Architecting security and governance through policy guardrails in Amazon EKS ...
 
CICDforModernApplications_Stockholm.pdf
CICDforModernApplications_Stockholm.pdfCICDforModernApplications_Stockholm.pdf
CICDforModernApplications_Stockholm.pdf
 
Integrating network and API security into your application lifecycle - DEM07 ...
Integrating network and API security into your application lifecycle - DEM07 ...Integrating network and API security into your application lifecycle - DEM07 ...
Integrating network and API security into your application lifecycle - DEM07 ...
 
CICDforModernApplications-Oslo.pdf
CICDforModernApplications-Oslo.pdfCICDforModernApplications-Oslo.pdf
CICDforModernApplications-Oslo.pdf
 
Infrastructure, security, and operations as code - DEM05-S - Mexico City AWS ...
Infrastructure, security, and operations as code - DEM05-S - Mexico City AWS ...Infrastructure, security, and operations as code - DEM05-S - Mexico City AWS ...
Infrastructure, security, and operations as code - DEM05-S - Mexico City AWS ...
 
Security hardening of core AWS services
Security hardening of core AWS servicesSecurity hardening of core AWS services
Security hardening of core AWS services
 
DevSecOps: Integrating security into pipelines - SDD310 - AWS re:Inforce 2019
DevSecOps: Integrating security into pipelines - SDD310 - AWS re:Inforce 2019 DevSecOps: Integrating security into pipelines - SDD310 - AWS re:Inforce 2019
DevSecOps: Integrating security into pipelines - SDD310 - AWS re:Inforce 2019
 
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
 
AWS DevDay Cologne - CI/CD for modern applications
AWS DevDay Cologne - CI/CD for modern applicationsAWS DevDay Cologne - CI/CD for modern applications
AWS DevDay Cologne - CI/CD for modern applications
 
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019 Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
 
Elevate_your_security_with_the_cloud
Elevate_your_security_with_the_cloudElevate_your_security_with_the_cloud
Elevate_your_security_with_the_cloud
 
Cloud Security: Attacking The Metadata Service v2
Cloud Security: Attacking The Metadata Service v2Cloud Security: Attacking The Metadata Service v2
Cloud Security: Attacking The Metadata Service v2
 
Cloud Security: Attacking The Metadata Service
Cloud Security: Attacking The Metadata ServiceCloud Security: Attacking The Metadata Service
Cloud Security: Attacking The Metadata Service
 
Safeguarding the integrity of your code for fast, secure deployments - SVC301...
Safeguarding the integrity of your code for fast, secure deployments - SVC301...Safeguarding the integrity of your code for fast, secure deployments - SVC301...
Safeguarding the integrity of your code for fast, secure deployments - SVC301...
 
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...
 

More from Puma Security, LLC

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
Winning in the Dark: Defending Serverless Infrastructure
Winning in the Dark: Defending Serverless InfrastructureWinning in the Dark: Defending Serverless Infrastructure
Winning in the Dark: Defending Serverless Infrastructure
Puma Security, LLC
 
Weaponizing Your DevOps Pipeline
Weaponizing Your DevOps PipelineWeaponizing Your DevOps Pipeline
Weaponizing Your DevOps Pipeline
Puma Security, LLC
 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's Tail
Puma Security, LLC
 

More from Puma Security, LLC (9)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Breaking The Cloud Kill Chain
Breaking The Cloud Kill ChainBreaking The Cloud Kill Chain
Breaking The Cloud Kill Chain
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit Tests
 
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated EnvironmentsLessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
 
Winning in the Dark: Defending Serverless Infrastructure
Winning in the Dark: Defending Serverless InfrastructureWinning in the Dark: Defending Serverless Infrastructure
Winning in the Dark: Defending Serverless Infrastructure
 
Defending Serverless Infrastructure in the Cloud RSAC 2020
Defending Serverless Infrastructure in the Cloud RSAC 2020Defending Serverless Infrastructure in the Cloud RSAC 2020
Defending Serverless Infrastructure in the Cloud RSAC 2020
 
Weaponizing Your DevOps Pipeline
Weaponizing Your DevOps PipelineWeaponizing Your DevOps Pipeline
Weaponizing Your DevOps Pipeline
 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's Tail
 
Continuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma ScanContinuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma Scan
 

Recently uploaded

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 

Recently uploaded (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

DevSecOps: Key Controls for Modern Security Success

  • 1. © 2019 Puma Security, LLC | All Rights Reserved DEVOPS DAYS DES MOINES DevSecOps Key Controls For Modern Security Success 05/02/2019
  • 2. © 2019 Puma Security, LLC | All Rights Reserved Principal Security Engineer, Puma Security Coder Static analysis engine, cloud automation, security tools Security Assessments DevSecOps, cloud, source code, web apps, mobile apps Principal Instructor DevSecOps Curriculum Manager SANS Principal Instructor Contributing author of SEC540, DEV544, and DEV531 Education and Training Iowa State M.S. Information Assurance, B.S. Computer Engineering AWS Certified Developer CISSP, GSSP, GWAPT Contact Information Email: eric.johnson@pumascan.com Twitter: @emjohn20 LinkedIn: linkedin.com/in/ eric-m-johnson @ $WHOAMI
  • 3. © 2019 Puma Security, LLC | All Rights Reserved KEYS FOR MODERN SECURITY SUCCESS Cloud & DevSecOps Practices Pre-Commit: The Paved Road Commit: CI / CD Security Controls Acceptance: Supply Chain Security Operations: Continuous Security Compliance Agenda
  • 4. © 2019 Puma Security, LLC | All Rights Reserved WHAT ARE THE GOALS AND PRINCIPLES IN DEVSECOPS? Make security a first- class problem in DevOps Make security a first-class participant in DevOps Increase trust between dev, ops, and sec Integrate security practices and ideas into DevOps culture Wire security into DevOps workflows to incrementally improve security 01 02 04 03 05 SecDevOps / DevSecOps / DevOpsSec / Rugged DevOps
  • 5. © 2019 Puma Security, LLC | All Rights Reserved Secure Cloud & DevOps Practices | sans.org/u/OGx Cloud Security Top 10 Serverless Security Top 10 DevSecOps Toolchain Building a DevSecOps Program
  • 6. © 2019 Puma Security, LLC | All Rights Reserved PRE-COMMIT Threat Modeling IDE Security Plugins Pre-Commit Hooks Peer Code Reviews COMMIT (CI) ACCEPTANCE PRODUCTION OPERATIONS Static Code Analysis Security Unit Tests Container Security Dependency Management Infrastructure as Code Cloud Infrastructure Dynamic Security Tests Security Acceptance Tests Security Smoke Tests Secrets Management Security Configuration Server Hardening Blameless Postmortems Continuous Monitoring Penetration Testing Threat Intelligence Cloud & DevSecOps Security Controls
  • 7. © 2019 Puma Security, LLC | All Rights Reserved Pre-Commit: The Paved Road
  • 8. © 2019 Puma Security, LLC | All Rights Reserved Dev, Sec, and Ops teams build secure by default frameworks, libraries, and services Popularized by Netflix "Gates to Guardrails" Operations: Automated pipelines build, certify, and publish cloud infrastructure / machine images Development: Secure templates for Web, APIs, front-end, serverless projects Security: Automated security pipeline scans, unit tests, acceptance tests, production assertions Build The Paved Road PRE-COMMIT
  • 9. © 2019 Puma Security, LLC | All Rights Reserved Network, Cloud, Infrastructure as Code templates for quickly provisioning certified environments for the development team to use: Cloud network infrastructure Virtual machine gold images Container gold base images Managing Functions as a Service (FaaS) Network hardware devices Opera&ons Paved Road API gateway appliances for microservices
  • 10. © 2019 Puma Security, LLC | All Rights Reserved AWS CloudFormation infrastructure paved road example: 1 2 3 4 5 6 7 8 9 10 11 12 13 { } LaunchConfiguration: Type: AWS::AutoScaling::LaunchConfiguration Metadata: Properties: ImageId: !FindInMap [ AWSRegionToAMI, !Ref "AWS::Region", AMI ] IamInstanceProfile: !Ref InstanceProfile KeyName: "devsecops" SecurityGroups: - !Ref SecurityGroup UserData: "Fn::Base64": !Sub | #!/bin/bash yum update -y { Gold Image } { Least privilege } { Admin Access } { Network configuration } { Supply chain security } Operations Paved Road Example
  • 11. © 2019 Puma Security, LLC | All Rights Reserved Templates covering approved technology stacks with protection for common application security issues and misconfigurations: Include common libraries for data validaHon, logging, encoding, etc. Node.js, Django, Spring Boot, .NET Core, Ruby Rails, Functions, etc. Secrets management storage Secure transport configuration (HTTPS) Enable authentication / authorization Configure password management / single sign on Development Paved Road
  • 12. © 2019 Puma Security, LLC | All Rights Reserved .NET Core paved road example w/ security protecGons pre-configured: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 { } public void ConfigureServices(IServiceCollection services) { services.Configure<IdentityOptions>(options => { options.Password.RequiredLength = 15; options.Lockout.MaxFailedAccessAttempts = 5; } services.AddMvc(options => { options.Filters.Add(new AuthorizeFilter(new AuthorizationPolicyBuilder() .RequireAuthenticatedUser().Build())); }); } public void Configure(IApplicationBuilder app, IHostingEnvironment env) { app.UseRewriter(new RewriteOptions().AddRedirectToHttps()); app.AddSecurityHeaders(); { Password Configuration } { Authorization} { HTTPS } { Security Headers} Development Paved Road Example
  • 13. © 2019 Puma Security, LLC | All Rights Reserved CI / CD Security Controls Commit:
  • 14. © 2019 Puma Security, LLC | All Rights Reserved Integrate tools to automate build, test, acceptance, and deployment of infrastructure, cloud, and applications into a repeatable workflow Continuous Integration & Delivery Security Controls COMMIT (CI)
  • 15. © 2019 Puma Security, LLC | All Rights Reserved Merging new features requires approval from peers and security team prior to triggering the build pipeline: 116 117 118 119 120 121 122 123 { } LoadBalanceArn: !Ref Load Balancer Port: !Ref HttpsPort Protocol: HTTPS SslPolicy: ELBSecurityPolicy-TLS-1-0-2015-04 SslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01 Certificates: - CertificateArn !Ref CertificateArn DefaultActions: CI / CD Security Controls: Version Control
  • 16. © 2019 Puma Security, LLC | All Rights Reserved Approved merge request triggers automated unit tests, security scans, audit reports, and fast feedback CI / CD Security Controls: Acceptance Tes7ng
  • 17. © 2019 Puma Security, LLC | All Rights Reserved Build pipelines contain artifacts from security scans and compliance checks CI / CD Security Controls: Audit Reports
  • 18. © 2019 Puma Security, LLC | All Rights Reserved Supply Chain Security Acceptance:
  • 19. © 2019 Puma Security, LLC | All Rights Reserved Serious vulnerabilities can be inherited from open source libraries, docker images, infrastructure templates, and serverless functions: WARNING: Some tools may not check transitive dependencies Carefully review content before usage Run tools to automatically the scan code base / images Identify external dependencies Check against public vulnerability database(s) Integrate supply chain security scanning into CI/CD Supply Chain Security
  • 20. © 2019 Puma Security, LLC | All Rights Reserved OWASP Dependency Check (Java, .NET, Ruby, Python) - h?ps://www.owasp.org/index.php/OWASP_Dependency_Check NPM Audit / Retire.JS (NodeJS) - https://retirejs.github.io/retire.js/ - https://docs.npmjs.com/cli/audit Bundler-Audit (Ruby) - https://github.com/rubysec/bundler-audit PHP Security Checker - https://security.sensiolabs.org/ DEPENDENCY MANAGEMENT Supply Chain Security: Application Scanning Tools ACCEPTANCE
  • 21. © 2019 Puma Security, LLC | All Rights Reserved OWASP Dependency Check scan and vulnerability report in a Jenkins CI pipeline Supply Chain Security: Application Scanning Example
  • 22. © 2019 Puma Security, LLC | All Rights Reserved Anchore - https://anchore.com/opensource/ Clair - https://github.com/coreos/clair Actuary - https://github.com/diogomonica/actuary Falco - https://github.com/draios/falco Supply Chain Security: Container Image Scanning Tools CONTAINER SECURITY ACCEPTANCE
  • 23. © 2019 Puma Security, LLC | All Rights Reserved Invoking an Anchore image scan and capturing vulnerability data in a Jenkins CI pipeline Supply Chain Security: Container Image Scanning Example
  • 24. © 2019 Puma Security, LLC | All Rights Reserved DevSec Hardening Templates - Automated hardening framework using Puppet, Chef, Ansible - Linux, Windows, SSH, Docker, K8S, Apache, Nginx - https://github.com/dev-sec Hardened infrastructure templates can be used as references Supply Chain Security: Hardened Infrastructure Templates INFRASTRUCTURE AS CODE System Integrity Management Platform(SIMP) - Hardened Puppet infrastructure configuration and testing - NIST 800-53, DISA STIG, FIPS 140-2 RHEL & CentOS templates - https://github.com/simp/ { } ACCEPTANCE
  • 25. © 2019 Puma Security, LLC | All Rights Reserved Managing function dependencies in AWS Lambda can be achieved using Layers: Buildpipelines removethird-party librariesfrom deployment packages CloudOpsmanages centralizedlayers containingapproved third-partylibraries Third-partyvendorsare leveragingLayerstofurther hardenfunctionruntime environments: PureSecFunctionShield TwistlockDefender Supply Chain Security: FaaS Dependency Management
  • 26. © 2019 Puma Security, LLC | All Rights Reserved Opera&ons: Continuous Security Compliance
  • 27. © 2019 Puma Security, LLC | All Rights Reserved Leveraging security configuration tools to automate audit and compliance checks: Test the server and infrastructure configuration against expected baseline and report any deviations Tests should include severity, risk level, and description information Match tests against compliance checklist items or regulatory policies Automated testing tools available for Linux, Unix, Windows, AWS, Azure and VMWare Con9nuous Security Compliance PRODUCTION
  • 28. © 2019 Puma Security, LLC | All Rights Reserved SECURITY CONFIGURATION InSpec - https://github.com/inspec/inspec Cloud Custodian (AWS, GCP, Azure) - https://github.com/cloud-custodian/cloud-custodian OpenSCAP - https://github.com/OpenSCAP Security compliance / acceptance testing tools: Scout Suite (AWS, GCP, Azure) - https://github.com/nccgroup/ScoutSuite AWS Benchmark Scanner https://github.com/awslabs/aws-security-benchmark Supply Chain Security: Application Scanning Tools PRODUCTION
  • 29. © 2019 Puma Security, LLC | All Rights Reserved Running InSpec against a running Docker container: 1 2 { } $ docker run -it --rm -v $(pwd):/share chef/inspec exec baseline -t docker://container_id Example InSpec output results from the Linux baseline profile:{ } 1 2 3 4 5 6 7 8 9 ✅ os-01: Trusted hosts login ✅‍ Command find / -name '.rhosts' stdout should be empty ✅ Command find / -name 'hosts.equiv' stdout should be empty X os-02: Check owner and permissions for /etc/shadow (1 failed) ✅ File /etc/shadow should exist ✅ File /etc/shadow should be file ✅ File /etc/shadow should be owned by "root" ✅ File /etc/shadow should not be executable X File /etc/shadow group should eq nil Continuous Security Compliance: InSpec Docker Scan
  • 30. © 2019 Puma Security, LLC | All Rights Reserved Exporting InSpec results to JUnit format and integrating with Jenkins CI Continuous Security Compliance: Jenkins InSpec Integration
  • 31. © 2019 Puma Security, LLC | All Rights Reserved Running the AWS CIS Benchmark scan via AWS Config rules Continuous Security Compliance: AWS CIS Benchmark Scan
  • 32. © 2019 Puma Security, LLC | All Rights Reserved Thank you for attending! Keys for Modern Security Success Contact Information: E | eric.johnson@pumascan.com ü Cloud & DevSecOps Practices ü Pre-Commit: The Paved Road ü Commit: CI / CD Security Controls ü Acceptance: Supply Chain Security ü Operations: Continuous Security Compliance SUMMARY @emjohn20