TRANSCRIPT
Seattle | September 16-17, 2019
Overcoming the old ways of working with DevSecOps
Erkang Zheng
Security is an organizational challenge.
What is DevSecOps? How does security keep up with DevOps?

DevOps | DevSecOps
Culture | Culture
Continuous Integration / Continuous Delivery (Deployment): CI / CD | Continuous Assurance / Continuous Compliance: CA / CC
Move fast and automate everything you can, with confidence.
Manifesto for Modern Cybersecurity
https://securitymanifesto.net
Assume compromise, but expose no single point of compromise.
Track everything since you cannot protect what you can’t see.
Engage everyone for there is power in the crowd; two is stronger than one.
Automation is key because people don't scale and changes are constant.
Build products that are secure by design and secure by default.
Favor transparency over obscurity, practicality over process, and usability over complexity.
We must keep security simple, open, collaborative, enabling and rewarding.
ZERO TRUST
ASSET CMDB
DEV + BUG BOUNTY
SECURITY AS CODE
THREAT MODEL
OPEN & SIMPLE
What enables DevSecOps?
The two aspects of DevSecOps
Security as an enabler for DevOps
• Automate security checks, gates and approvals in the DevOps CI/CD pipeline
Check out “Fully automated production deployments with HIPAA / HITRUST compliance” by Matt Lavin tomorrow at 1:45pm
Development as an enabler for SecOps
• Aggregate data from source to gain visibility and insight
• Automate security operations and manage artifacts with code
• Achieve provable security with CA/CC
VISIBILITY
GOVERNANCE
ASSURANCE
Security Program

START → Pick assessor → Perform gap assessment → Implement remediation → Collect evidences → Assess and certify → REPEAT (Monitor, Manage, Optimize)

Along the way:
• Documented data flows
• Conducted risk analysis
• Wrote policies and procedures
• Created infrastructure and security architecture diagrams
• Implemented 100+ controls: endpoint malware protection; server vulnerability scanning; production change management; SSO + MFA; application code scanning + pen testing; user training; configuration audit; endpoint compliance agents; vendor risk management; firewalls and security groups; data encryption; WAF + DDoS protection; asset inventory and tagging; activity and log monitoring

Actors: YOU (implement, collect evidences) and the AUDITOR (assess and certify)
Security Program, revisited: the same cycle (Pick assessor → Perform gap assessment → Implement remediation → Monitor, Manage, Optimize → Collect evidences → Assess and certify, then REPEAT), the same activities and the same 100+ controls, but now backed by DATA + GRAPH + QUERY. The YOU / AUDITOR hand-off becomes CA / CC: VISIBILITY, GOVERNANCE, ASSURANCE.
Security is a data challenge.
Overcome SecOps complexity with DATA, GRAPH, and QUERY.
Attackers think in graphs; Defenders operate with lists.
That’s why attackers win.
Derive meaningful context from relationships, not lists.
Stop thinking in lists and tables. Start thinking in entities and relationships.
AWS Cloud Security
Which EC2 instances are exposed to the Internet?

    Find aws_subnet with public=true
      that HAS aws_instance
      that PROTECTS aws_security_group
      that ALLOWS Internet
    return tree
AWS Cloud Security
Are there Internet-facing EC2 instances that are allowed access to non-public S3 buckets?

    find Internet
      that ALLOWS aws_security_group
      that PROTECTS aws_instance
        with active=true
      that USES aws_iam_role
      that ASSIGNED AccessPolicy
      that ALLOWS (aws_s3|aws_s3_bucket)
        with classification!='public'
    return tree
Cross-Account Trust
What are the cross-account IAM trust relationships in my AWS environment?

    Find aws_iam_role as a
      that TRUSTS (Account|AccessRole) as b
    where
      a.tag.AccountName != b.tag.AccountName
    return tree
S3 Bucket Access
Is access to any non-public S3 bucket granted to anybody outside of its account?

    Find aws_s3_bucket with
        classification!='public' as bucket
      that ALLOWS * as grantee
    where
      bucket.tag.AccountName !=
      grantee.tag.AccountName
    return tree
SSO Access
Which Okta user is assigned what AWS IAM role?

    find okta_user
      that ASSIGNED aws_iam_role
    return tree
App Components and Data Flow
Show the connections and flow diagram from:
• CloudFront to API Gateway
• CloudFront to S3
• API GW to Lambda Functions
• Lambda to other resources
Vulnerability Management
Which systems or apps are vulnerable to what CVEs?

    Find CVE that RELATES TO (Host|HostAgent|Application)
    return tree
Development Insight
Which PRs did Adam open this past week?

    'Adam' that OPENED PR with createdOn > date.now-7days
    return tree
Vulnerability in Code
Which PRs / developers introduced new vulnerability findings this past week?

    Find User that OPENED PR with createdOn > date.now-7days
      that RELATES TO CodeRepo that HAS (Vulnerability|Finding)
        with _createdOn > date.now-7days
    return tree
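The graph questions above are all the same operation: start at an entity class and walk typed relationships, filtering on properties at each hop. The following added example (not code from the slides or from JupiterOne) builds a small constructed AWS inventory as entities plus relationships and evaluates the "Internet-facing instance with access to a non-public S3 bucket" question with a generic step matcher; all entity keys and the `find_paths` helper are assumptions made for the example.

```python
# Added example: a tiny entity/relationship graph and a generic path matcher that
# answers the "Internet -> security group -> instance -> role -> policy -> bucket"
# question from the slides. All entities and relationships are constructed.
from typing import Callable, Dict, List, Tuple

# Entities: key -> (entity class, properties). Constructed sample inventory.
ENTITIES: Dict[str, Tuple[str, dict]] = {
    "internet":   ("Internet", {}),
    "sg-web":     ("aws_security_group", {"name": "web"}),
    "sg-batch":   ("aws_security_group", {"name": "batch"}),
    "i-web1":     ("aws_instance", {"active": True}),
    "i-old":      ("aws_instance", {"active": False}),   # terminated, must be skipped
    "i-batch1":   ("aws_instance", {"active": True}),    # not Internet-facing
    "role-web":   ("aws_iam_role", {}),
    "role-batch": ("aws_iam_role", {}),
    "pol-s3rw":   ("AccessPolicy", {}),
    "b-public":   ("aws_s3_bucket", {"classification": "public"}),
    "b-phi":      ("aws_s3_bucket", {"classification": "restricted"}),
}
# Relationships: (from, verb, to). Constructed.
RELS = [
    ("internet", "ALLOWS", "sg-web"),
    ("sg-web", "PROTECTS", "i-web1"), ("sg-web", "PROTECTS", "i-old"),
    ("sg-batch", "PROTECTS", "i-batch1"),
    ("i-web1", "USES", "role-web"), ("i-old", "USES", "role-web"),
    ("i-batch1", "USES", "role-batch"),
    ("role-web", "ASSIGNED", "pol-s3rw"), ("role-batch", "ASSIGNED", "pol-s3rw"),
    ("pol-s3rw", "ALLOWS", "b-public"), ("pol-s3rw", "ALLOWS", "b-phi"),
]

Step = Tuple[str, str, Callable[[dict], bool]]  # (verb, target class, property filter)

def find_paths(start_class: str, steps: List[Step]) -> List[List[str]]:
    """Return every path whose hops match the (verb, class, filter) pattern in order."""
    paths = [[k] for k, (cls, _) in ENTITIES.items() if cls == start_class]
    for verb, cls, ok in steps:
        paths = [p + [dst] for p in paths
                 for src, v, dst in RELS
                 if src == p[-1] and v == verb
                 and ENTITIES[dst][0] == cls and ok(ENTITIES[dst][1])]
    return paths

def internet_facing_instances_with_private_bucket_access() -> List[List[str]]:
    """The slide's query: Internet -> SG -> active instance -> role -> policy -> non-public bucket."""
    any_ = lambda _: True
    return find_paths("Internet", [
        ("ALLOWS", "aws_security_group", any_),
        ("PROTECTS", "aws_instance", lambda p: p.get("active") is True),
        ("USES", "aws_iam_role", any_),
        ("ASSIGNED", "AccessPolicy", any_),
        ("ALLOWS", "aws_s3_bucket", lambda p: p.get("classification") != "public"),
    ])

if __name__ == "__main__":
    for path in internet_facing_instances_with_private_bucket_access():
        print(" -> ".join(path))   # the returned "tree" is the evidence for the finding
```

Only one path survives: the terminated instance is dropped by the `active` filter and the public bucket by the classification filter, which is exactly the context a list of instances or a list of buckets cannot give on its own.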
Use query to create alerts and trigger remediation
Alert rules from query with actions:
• Send Email
• Send Slack message
• Create Jira issue
• Capture Trend
Future remediation automation:
• Trigger Webhook
• Invoke Lambda Function
• etc.
Security Artifacts as Code
Security Policy and Procedure Documents
github.com/jupiterone/security-policy-templates
• Written in Markdown
• Small, individual files: “micro-docs” like micro-services
• Linked together via config.json
• Document reviews and approvals via PRs
• Templatized and published in HTML
Security Policy and Procedure Documents (published)
https://security.lifeomic.com/psp
Manual Assessments and Findings
• Covers a variety of testing
  • Manual penetration testing
  • Risk assessment
  • Privacy impact assessment
  • Threat modeling
• Assessment objects and findings written in JSON or YAML
• Publish to graph for report and analysis
Follows the same code deploy process when PR is merged to `master` branch
github.com/jupiterone/secops-automation-examples

    - entityKey: assessment:prodsec:2019q1
      entityType: prodsec_assessment
      entityClass: Assessment
      properties:
        name: internal-pen-test-2019q1
        displayName: LifeOmic Internal Penetration Test 2019Q1
        summary: LifeOmic Internal Penetration Test conducted between Mar 18th - Mar 29th
        description: >
          Performed a thorough security assessment of the LifeOmic product line.
          Scope includes PHC, Life 2.0 ios/Android, Connect and LifeExtend ios/Android.
        category: penetration-testing
        status: complete
        assessors:
          - [email protected]
        ...: false
        classification: confidential
        completedOn: 2019-04-05
        reportURL: https://bitbucket.org/lifeomic/prodsec-assessments/src......

    - entityKey: finding:prodsec:2019q1:app-api-1
      entityType: pentest_finding
      entityClass: Finding
      properties:
        name: Some made up issue
        displayName: '[Medium] What it says'
        summary: Summary of the made up issue
        targets:
          - Service API
        description: >
          Within the application API, ....
        stepsToReproduce:
          - '1 - Add ...'
          - '2 - Use ...'
          - '3 - Verify ...'
        impact: ...
        severity: medium
        ...
Vendors and External Organizations
• Maintain list of vendors as code
• Leverage product management and dev leads to help maintain
• Trigger third party security review and approval via PR
• Publish to graph for report and analysis
Follows the same code deploy process when PR is merged to `master` branch
github.com/jupiterone/secops-automation-examples

    - entityKey: vendor:apple
      entityType: apple
      entityClass: Vendor
      properties:
        name: Apple
        displayName: Apple
        category:
          - software
          - mobile
          - development
        description: >
          Provides Developer account and App Store Connect account for mobile apps...
        validated: true
        approved: true
        approvalPRLink: https://bitbucket.org/lifeomic/security-artifacts/pull-requests/2
        approvalPRName: security-artifacts/2
        website: https://www.apple.com
        owners:
          - [email protected]
          - [email protected]
        mainContactName:
        mainContactEmail:
        mainContactPhone:
        mainContactAddress:
        breachResponseDays:
        linkToNDA: https://developer.apple.com/terms/apple-developer-agreement/Apple-Developer-Agreement-English.pdf
        linkToMSA: https://developer.apple.com/programs/whats-included/
        linkToSLA:
        criticality: 10
        risk: 5
        tag.PHI: false
        tag.PII: true
        tag.PCI: false
        statusPage:
        notes: ...
Security and Privacy Considerations in Product Design RFC
• Engineering team writes product design RFC documents and checks them into code
• RFC template includes mandatory sections for
  • Security Considerations
  • Privacy Considerations
• Bot to detect new RFC PR and alert security team via Slack message
bitbucket-pr-detector
github.com/jupiterone/bitbucket-pr-detector

    ...
    ## Security considerations

    ### Data Flow

    Does this feature collect or process additional data? Does it impact the current
    data flow of the system/application?

    If so, create new or update the existing data flow diagram and document the
    data flow.

    ### Secrets

    Does this feature involve usage of additional secrets (API keys, tokens, etc.),
    either external (i.e. storing and using secrets from a provider) or internal
    (i.e. generating and using secrets as an internal component)?

    If so, document the secret management process.

    ### Attack Scenarios

    How could an attacker abuse this design? What risks does this approach present
    and what mitigations can be pursued? What security requirements need to be
    included in the implementation?

    An example of how to document this:

    - **Abuse case name**
      - _Risk_ -- a description of the abuse case and the risks identified
      - _Mitigation_ -- what is being put in place as mitigation controls

    This is a practice to ensure that some level of security considerations is
    always included in the design of a new feature, component or process.

    ## Privacy Considerations
    ...
Compliance Evidence Collection
• Compliance framework and control requirements defined in JSON
• Map policy procedures to each control requirement
• Map query questions to each control requirement
• Write positive case queries and negative case queries for automated gap analysis
• Include evidence associated with manual processes

    {
      "standard": "SOC 2",
      "version": "2019",
      "sections": [
        {
          "title": "Access Controls",
          "requirements": [
            {
              "ref": "SOC2-01",
              "title": "Single Sign On",
              "summary": "SSO for all users ..."
            },
            ...
          ]
        }
      ],
      "domains": [
        {
          "title": "Control Domain A",
          "controls": [
            {
              "ref": "A-01",
              "title": "A technical control",
              "summary": "control description ..."
            },
            ...
          ]
        }
      ]
    }

    {
      "title": "Which user accounts do not have multi-factor authentication enabled?",
      "description": "...",
      "queries": [
        {
          "name": "bad",
          "query": "Find User with mfaEnabled != true that !(ASSIGNED|USES|HAS) mfa_device"
        },
        {
          "name": "good",
          "query": "Find User with mfaEnabled = true"
        },
        {
          "name": "goodToo",
          "query": "Find User that (ASSIGNED|USES|HAS) mfa_device"
        }
      ],
      "compliance": [
        { "standard": "CIS Controls", "requirements": ["4.5", "12.11", "16.3"] },
        { "standard": "HITRUST CSF", "controls": ["01.b", "01.j", "01.q"] },
        { "standard": "PCI DSS", "requirements": ["8.2", "8.3"] }
      ]
    }
github.com/jupiterone/security-policy-templates/tree/master/templates/standards
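To show how a question with negative ("bad") and positive ("good") case queries turns into a gap analysis and evidence, here is an added example (not code from the slides or from JupiterOne) that evaluates the MFA question above against a constructed user inventory and rolls the result up to every framework requirement the question is mapped to. The J1QL strings are replaced by Python predicates over the constructed data; that substitution, the inventory and the `evaluate` function are assumptions of the example.

```python
# Added example: automated gap analysis for one control question. The three
# predicates mirror the "bad", "good" and "goodToo" queries of the slide; the
# user inventory and mfa_device relationships below are constructed.
from typing import Callable, Dict, List

USERS: Dict[str, dict] = {
    "alice": {"mfaEnabled": True},
    "bob":   {"mfaEnabled": False},
    "carol": {"mfaEnabled": None},    # flag unset, but she has a device (see below)
    "dave":  {"mfaEnabled": False},
}
HAS_MFA_DEVICE = {"alice", "carol"}   # User -(ASSIGNED|USES|HAS)-> mfa_device

def query_bad() -> List[str]:
    """Find User with mfaEnabled != true that !(ASSIGNED|USES|HAS) mfa_device"""
    return sorted(u for u, p in USERS.items()
                  if p.get("mfaEnabled") is not True and u not in HAS_MFA_DEVICE)

def query_good() -> List[str]:
    """Find User with mfaEnabled = true"""
    return sorted(u for u, p in USERS.items() if p.get("mfaEnabled") is True)

def query_good_too() -> List[str]:
    """Find User that (ASSIGNED|USES|HAS) mfa_device"""
    return sorted(u for u in USERS if u in HAS_MFA_DEVICE)

# Same shape as the JSON question on the slide, with callables instead of query strings.
CONTROL_QUESTION = {
    "title": "Which user accounts do not have multi-factor authentication enabled?",
    "queries": {"bad": query_bad, "good": query_good, "goodToo": query_good_too},
    "compliance": [
        {"standard": "CIS Controls", "requirements": ["4.5", "12.11", "16.3"]},
        {"standard": "HITRUST CSF", "controls": ["01.b", "01.j", "01.q"]},
        {"standard": "PCI DSS", "requirements": ["8.2", "8.3"]},
    ],
}

def evaluate(question: dict) -> dict:
    """A gap exists when the negative case returns anything; positive cases are the evidence."""
    bad = question["queries"]["bad"]()
    evidence = {name: q() for name, q in question["queries"].items() if name != "bad"}
    status = "gap" if bad else "pass"
    rollup = {}   # every mapped requirement inherits the question's status
    for mapping in question["compliance"]:
        for ref in mapping.get("requirements", []) + mapping.get("controls", []):
            rollup[f"{mapping['standard']} {ref}"] = status
    return {"status": status, "gaps": bad, "evidence": evidence, "requirements": rollup}

if __name__ == "__main__":
    print(evaluate(CONTROL_QUESTION))
```

Running the same evaluation on every question gives the continuous gap analysis the slide describes: the "bad" results are the remediation list, and the "good" results are the evidence attached to CIS, HITRUST and PCI requirements at once.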
In Summary, our approach to DevSecOps...
• Keep a simple, open, collaborative, enabling and rewarding security culture
• Use data, code and graph (not lists) to build a digital knowledgebase of your environment
• Use query to gain insights, provide assurance and collect compliance evidence continuously
• Automate security gates and approvals in code deployment pipeline (check out tomorrow’s session)
Continuous Assurance | Provable Security | Continuous Compliance

Questions? Demo?
jupiterone.com