
DevOpsDays - DevOps: What Does Security Have to Do with Me?

Security issues span far too many layers, from production systems all the way to office door access control. The CAMS spirit of DevOps happens to fit together with security very well: Configuration Management, Infrastructure as Code, and the currently popular ChatOps can all be used to strengthen security. This talk shares hard-won lessons, learned by stumbling along in both large enterprises and startups, and how they were put into practice.



  1. DevOps: What Does Security Have to Do with Me?
  2. HELLO! I am smalltown: AMIS Site Reliability Engineer, Taipei HashiCorp User Group Organizer, AWS User Group Taiwan Staff
  3. HUG http://bit.ly/taipei-hug
  4. Workshop: Infrastructure as Code, Terraform ❤ AWS EKS
  5. “Do You Think Security Is Important in Software Development?”
  6. “Everything Goes Well With the Waterfall Model”
  7. “The Agile Model Made Software Delivery Faster and Faster”
  8. “It’s Impossible to Test Only After Development Is Done”
  9. DevOps Powered By Testing (Ref)
  10. “Security Also Encounters the Same Problem”
  11. DevOps Powered By Security. Security: “Thanks for Coming Today”
  12. Three Elements of DevSecOps: Developer, Operation, Information Security ⊡ Security factored into the release pipeline ⊡ Unite developers, security and operations ⊡ Increase visibility
  13. Outline ⊡ Security Gene in Development ⊡ Secret Management ⊡ Infrastructure As Must Be Code ⊡ System Management ⊡ C.A.S. C.A.M.S.
  14. Security Gene in Development (1)
  15. “Penetration Testing Needs to Be Fast and Seamless with the Development Process”
  16. Penetration Test the Traditional Way ⊡ When a new service goes online, penetration testing is performed by... □ Information Security Department □ Third-Party Penetration Service ⊡ But… agile development teams focus on producing code, not on enhancing security
  17. Penetration Testing in Development ⊡ Static application security testing (SAST) ⊡ Runtime application self-protection (RASP) (Ref)
  18. Penetration Testing in Development ⊡ Dynamic application security testing (DAST) ⊡ Interactive application security testing (IAST) (Ref)
  19. “A Chain Is Only as Strong as Its Weakest Link”
  20. “Penetration Tests Need to Include Both Humans and Systems”
  21. Penetration Test for Humans ⊡ Written tests and oral briefings cannot be avoided ⊡ But exercises make things well imprinted on people’s brains ⊡ After all, practice makes perfect
  22. Penetration Test for Humans ⊡ Doesn’t need strong knowledge/skill ⊡ All you need to do is… □ Leverage human greed/fear □ Get the organization members’ contact info □ An automatic mail/SMS sending mechanism □ Host a fake website to collect feedback (e.g. CredSniper, SET)
  23. “Trust Me, the Result Will Make Your Jaw Drop”
  24. Secret Management (2)
  25. “Have You Rotated the Production Database Account/Password Recently?”
  26. Rotate Credentials ⊡ The database credentials get rotated when… □ Database migration □ External auditing ⊡ Only if the rotation mechanism is implemented from the start does it truly happen
  27. HashiCorp Vault ⊡ Secures, stores, and tightly controls access to tokens, passwords, certificates, API keys ⊡ Handles leasing, key revocation, key rolling, and auditing
  28. Authentication ⊡ Vault provides various auth methods □ Tokens, AppRole □ AWS, Azure, Google Cloud □ LDAP, GitHub □ ...etc
  29. Authorization ⊡ Vault stores credentials like a key/value database, e.g. □ /secret/stag/database/admin □ /secret/prod/database/admin ⊡ Hence a predefined policy grants the appropriate permission, e.g. path "secret/stag/database/admin" { capabilities = ["read"] }
  30. Dynamic Credentials ⊡ Vault supports many secret backends □ AWS, Azure, GCP, Database...etc ⊡ Take database for example: you can generate dynamic database credentials with $ vault read database/creds/my-role, which returns lease_duration 1h, password 8cab931c-d62e-a73d-60d3-5ee85139cd66, username v-root-e2978cd0-
  31. Infrastructure As Must Be Code (3)
  32. “Network Misconfigurations Are a Major Source of Reliability and Security Issues.” In a report summarizing the findings of 124 penetration tests, security firm Rapid7 found that more than two-thirds of sites were vulnerable because of a misconfiguration (Ref)
  33. “Why Can So Many Important Internal Servers Be Accessed Publicly?!”
  34. Keep Servers Private ⊡ Private Network: Kubernetes, Database, NAT Gateway, ... ⊡ Public Network: Load Balancer, Linux Gateway, ... ⊡ Non-Employees: only access the product service through the load balancer ⊡ Employees: access servers through VPN/Bastion ⊡ Don’t forget to enable WAF
  35. “In Fact, Not Only Network-Related Configuration: Every Program Misconfiguration Causes Issues”
  36. Infrastructure As Code ⊡ There are many benefits to adopting IaC □ Save time & avoid human error □ Code review & easy knowledge transfer □ Testing (kitchen, terratest...etc)
  37. Infrastructure As Code ⊡ There are many tools that can achieve IaC ⊡ Servers: □ Ansible, Chef, Puppet, SaltStack...etc ⊡ Cloud Providers: □ Terraform, AWS CloudFormation, Azure Resource Manager, GCP Deployment Manager...etc
  38. System Management (4)
  39. 9 Key Points ⊡ Authentication (later) ⊡ Authorization (later) ⊡ Secret Management (HashiCorp Vault) ⊡ Don’t Share Accounts ⊡ Least Privilege Policy ⊡ Log Everything ⊡ Manage and Record Privileged Activity (later) ⊡ Alert and Notify of Suspicious Activity (later) ⊡ Centralize and Unify Identity
  40. Authentication for Humans ⊡ Adopt a password manager to avoid credential stuffing attacks ⊡ Must enable 2FA: what-you-know, what-you-have and what-you-are (2 out of the 3 types)
  41. “A: I Need Sudo Permission for the Production Deployment Tomorrow”
  42. Manage and Record Privileged Activity ⊡ The traditional way may be… □ File a ticket □ Wait for the ticket to be assigned □ Information collection □ Approval by someone □ Wait for an operator to change the permission □ Confirm you really got the permission □ Start the task □ Permission removed by the operator
  43. “How About Achieving This Efficiently Through a ChatBot!”
  44. Using ChatBot
  45. Using ChatBot
  46. “Get All Security Information and Auditing Functions Ready, No Matter Whether From a Cloud Provider or a Third-Party Solution”
  47. Alert and Notify of Suspicious Activity ⊡ Only with enough data can security checks and monitoring happen ⊡ Set up a basic rule set to monitor abnormal behavior ⊡ Use AI to train the rule set
  48. “How Do You Patch Vulnerabilities?”
  49. Patch Vulnerabilities Actively
  50. “More Secure CI/CD Flow - GitOps”
  51. GitOps (diagram: a WebHook/Push flow beside an agent-pulling flow; labels “Like Agent Pulling” and “More Network Settings, Credentials”)
  52. C.A.S. C.A.M.S. (5)
  53. DevOps Core Value
  54. Culture ⊡ Not only the information security department: everyone should have security knowledge
  55. Automate ⊡ Penetration tests integrated with the release pipeline ⊡ IaC avoids misconfiguration ⊡ Secret management rotates credentials ⊡ Chatbot ⊡ ...
  56. Measure ⊡ Continuous security testing measures how healthy your service is ⊡ Rich system logs measure how safe your system is
  57. Share ⊡ Internal sharing lets vulnerabilities be eliminated ⊡ External sharing gets new patches implemented quickly, and incidents decrease
  58. THANKS! Any questions? You can find me at facebook.com/smalltown0110
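The Vault policy of slide 29 and the dynamic database credentials of slide 30, written out as one Terraform configuration for the Vault provider. This is an added example, not code from the talk; it assumes VAULT_ADDR and VAULT_TOKEN are set in the environment, and the PostgreSQL host db.internal.example, the bootstrap user vault-admin and the role name my-role (taken from slide 30) are placeholders.

```hcl
# Added example (not from the talk): slide 29's policy and slide 30's dynamic
# database credentials as Terraform for the Vault provider.
# Assumptions: VAULT_ADDR/VAULT_TOKEN are set in the environment; the host
# "db.internal.example", the bootstrap user "vault-admin" and the role name
# "my-role" (from slide 30) are placeholders.
terraform {
  required_providers {
    vault = { source = "hashicorp/vault" }
  }
}

provider "vault" {}

variable "vault_db_bootstrap_password" {
  type      = string
  sensitive = true
}

# Authorization (slide 29): least privilege per environment. The explicit deny on
# secret/prod/* wins over any allow another attached policy might grant, so a
# token meant for staging can never read the production admin secret by mistake.
resource "vault_policy" "stag_db_reader" {
  name   = "stag-db-reader"
  policy = <<-EOT
    path "secret/stag/database/admin" {
      capabilities = ["read"]
    }
    path "secret/prod/*" {
      capabilities = ["deny"]
    }
    # Let the holder request a short-lived dynamic credential (slide 30)
    path "database/creds/my-role" {
      capabilities = ["read"]
    }
  EOT
}

# Dynamic credentials (slide 30): mount the database secrets engine ...
resource "vault_mount" "db" {
  path = "database"
  type = "database"
}

# ... connect it to PostgreSQL with a bootstrap account that only Vault itself
# uses to create and drop the per-lease roles ...
resource "vault_database_secret_backend_connection" "postgres" {
  backend       = vault_mount.db.path
  name          = "app-postgres"
  allowed_roles = ["my-role"]

  postgresql {
    connection_url = "postgresql://{{username}}:{{password}}@db.internal.example:5432/app?sslmode=require"
    username       = "vault-admin"
    password       = var.vault_db_bootstrap_password
  }
}

# ... and define the role whose creds are read on slide 30. Every read creates a
# fresh PostgreSQL role that Vault drops when the 1h lease expires, so rotation
# stops being an audit-time chore (slide 26) and becomes the default.
resource "vault_database_secret_backend_role" "my_role" {
  backend     = vault_mount.db.path
  name        = "my-role"
  db_name     = vault_database_secret_backend_connection.postgres.name
  default_ttl = 3600  # seconds; matches lease_duration 1h on slide 30
  max_ttl     = 86400 # a renewed lease can never outlive one day
  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
  ]
}
```

After terraform apply, a token holding the stag-db-reader policy can run vault read database/creds/my-role and gets output shaped like slide 30 (a v-root-... username and a lease_duration of 1h), while vault read secret/prod/database/admin is refused. vault lease revoke -prefix database/creds/my-role drops every outstanding credential at once, which is the rotation story for an incident.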
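The private/public split of slide 34, written as Terraform security groups for AWS. This is an added example, not code from the talk; it assumes the VPC id, the load balancer ARN and a WAF web ACL ARN already exist and are passed in as variables, the region comes from the AWS_REGION environment variable, and the NodePort range and the VPN address 203.0.113.10/32 are placeholders.

```hcl
# Added example (not from the talk): slide 34's private/public network split as
# Terraform security groups for AWS. Assumptions: vpc_id, lb_arn and web_acl_arn
# already exist; region comes from AWS_REGION; the NodePort range and the VPN
# address 203.0.113.10/32 (TEST-NET-3) are placeholders.
variable "vpc_id"      { type = string }
variable "lb_arn"      { type = string }
variable "web_acl_arn" { type = string }
variable "vpn_egress_cidr" {
  type    = string
  default = "203.0.113.10/32" # placeholder; the VPN's public egress address
}

# Public network: the load balancer is the only thing non-employees can reach,
# and only over HTTPS.
resource "aws_security_group" "lb" {
  name   = "public-lb"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Public network: the bastion / Linux gateway accepts SSH only from the VPN.
resource "aws_security_group" "bastion" {
  name   = "bastion"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.vpn_egress_cidr]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Private network: Kubernetes nodes accept traffic from the load balancer's
# security group and SSH from the bastion's. There is no CIDR-based ingress at
# all, so a node that accidentally gets a public IP is still unreachable.
resource "aws_security_group" "k8s_nodes" {
  name   = "k8s-nodes"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 30000 # NodePort range the load balancer targets (assumption)
    to_port         = 32767
    protocol        = "tcp"
    security_groups = [aws_security_group.lb.id]
  }
  ingress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Private network: the database answers only to the Kubernetes nodes. No egress
# rule is declared, so the instance cannot initiate connections outward.
resource "aws_security_group" "database" {
  name   = "database"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.k8s_nodes.id]
  }
}

# "Don't forget to enable WAF": attach the web ACL to the public load balancer.
resource "aws_wafv2_web_acl_association" "lb" {
  resource_arn = var.lb_arn
  web_acl_arn  = var.web_acl_arn
}
```

The point of referencing security groups instead of CIDRs for the private tier is that the rule follows the workload: a node replaced by autoscaling keeps the same access, and nobody has to widen a CIDR "temporarily" and forget to narrow it again, which is exactly the misconfiguration class slide 32 counts. Running terraform plan in review shows any attempt to add a 0.0.0.0/0 ingress to the database group as a diff before it reaches production.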
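"Log Everything" (slide 39) and "Alert and Notify of Suspicious Activity" (slide 47) using the cloud provider's own auditing functions (slide 46), written as Terraform for AWS. This is an added example, not code from the talk; it assumes an S3 bucket that already carries the CloudTrail bucket policy and an on-call e-mail address are passed in as variables, and the region and resource names are placeholders.

```hcl
# Added example (not from the talk): slides 39, 46 and 47 with AWS-native
# auditing. Assumptions: trail_bucket_name points at a bucket that already has
# the CloudTrail bucket policy; alert_email is the on-call address; the region
# and resource names are placeholders.
provider "aws" {
  region = "ap-northeast-1"
}

variable "trail_bucket_name" { type = string }
variable "alert_email"       { type = string }

# Log everything: one multi-region trail that also covers global services
# (IAM, STS), with digest files so tampering with delivered logs is detectable.
resource "aws_cloudtrail" "all_regions" {
  name                          = "all-regions-trail"
  s3_bucket_name                = var.trail_bucket_name
  is_multi_region_trail         = true
  include_global_service_events = true
  enable_log_file_validation    = true
}

# The "basic rule set" for abnormal behaviour: GuardDuty evaluates CloudTrail
# events, VPC flow logs and DNS logs against managed threat intelligence and
# anomaly detection, so the first alerts exist before any custom rule is written.
resource "aws_guardduty_detector" "main" {
  enable = true
}

resource "aws_sns_topic" "security_alerts" {
  name = "security-alerts"
}

resource "aws_sns_topic_subscription" "oncall_email" {
  topic_arn = aws_sns_topic.security_alerts.arn
  protocol  = "email"
  endpoint  = var.alert_email
}

# EventBridge must be allowed to publish to the topic.
resource "aws_sns_topic_policy" "allow_eventbridge" {
  arn = aws_sns_topic.security_alerts.arn
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "events.amazonaws.com" }
      Action    = "sns:Publish"
      Resource  = aws_sns_topic.security_alerts.arn
    }]
  })
}

# Notify: only findings of severity 7 (High) or above page someone; lower
# severities stay in the GuardDuty console for periodic review, which keeps the
# channel from being muted for noise.
resource "aws_cloudwatch_event_rule" "guardduty_high" {
  name = "guardduty-high-severity"
  event_pattern = jsonencode({
    source        = ["aws.guardduty"]
    "detail-type" = ["GuardDuty Finding"]
    detail = {
      severity = [{ numeric = [">=", 7] }]
    }
  })
}

resource "aws_cloudwatch_event_target" "to_sns" {
  rule = aws_cloudwatch_event_rule.guardduty_high.name
  arn  = aws_sns_topic.security_alerts.arn
}
```

The trail is what makes "only with enough data can security checks happen" concrete: without it there is nothing for later rules to match against, and the log-file validation digests are what let an investigator trust the logs after an incident. The severity threshold in the event pattern is the tunable rule from slide 47; lowering it is a one-line change that shows up in code review rather than a console click nobody records.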
