© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Building Security into CI/CD Pipelines for Effective Security Automation on AWS
SDD351-S
Ram Boreda, Director, Product Management, Palo Alto Networks
Kevin Paige, CISO, Flexport
Agenda
• The need for security early in the development cycle
• The approach taken by Flexport
• Security during the build phase
• Security during the deployment phase
• Security during the production phase
• Q&A
About Your Speakers
Ram Boreda: Driving product strategy and roadmap of public cloud security products at Palo Alto Networks. At Amazon AWS, was responsible for AWS Transit Gateway and VPN services. Led product management of security products at Verisign iDefense and CipherCloud.
Kevin Paige: Chief Information Security Officer (CISO) at Flexport. CISO at MuleSoft. Technical leadership roles at Salesforce, xMatters, the U.S. Army and U.S. Air Force.
The Security Analyst Dilemma
• 174,000 alerts/week
• 7% reviewed
• Mean Time To Identify: 197 days
• Mean Time To Contain: 69 days
Sources: State of SOAR Report 2018, Demisto; Cost of a Data Breach Study 2018, Ponemon Institute
Security Issues Start Early in the Build Phase
• 1 in 2 developers don't security test images
• Top 10 Docker images: ~30 known vulnerabilities
• 4 in 10 Docker images can fix known vulnerabilities with a base image tag update
Source: State of Open Source Security Report 2019, Snyk
Perils of Automation During Deployment Phase
• Easy to deploy misconfigured resources at scale
• Increased risk when governance/compliance checks are not met
Source: 2018 Cloud Security Report (https://www.paloaltonetworks.com/resources/research/2018-cloud-security-report-palo-alto-networks)
Security Built-In vs. Security Bolted On
Our Cloud Security Challenge
• Hypergrowth
• Business wants more features faster
• Lack of alignment and ownership between teams
Shifting Left – Our Approach
• Align and influence
• Get and give visibility
• Hold people accountable
• Get identity and access control right
Dashboard Example
Shifting Left – Key Outcomes
• Culture shift
• Accountability drove behavior changes
• Increase in velocity
Start Security From The Build Phase… (Build, Deploy, Run)
And Cover the Entire Development Lifecycle
BUILD
• Vulnerability scanning of packages
• Analyze code
DEPLOY
• Scan images prior to registry upload
• Scan configurations prior to deployment: IaC, k8s app manifest YAML
RUN
• Image scanning in registry
• Configuration scanning
• Detect drifts from templates
• Continuous monitoring
• Detect & respond to attacks
Start Left To Drive Consistent And Secure Releases
Phases: BUILD, DEPLOY, RUN
Scenario 1: Development starts without security, siloed security
• Build fails with vuln & config issues; dev questions the need to fix
• Vuln scan & runtime issues without context frustrate dev & security
Scenario 2: Give simple security tools to development
• Development identifies vulnerable packages and fixes them
• Builds pass and images get pushed to registry
• Vulnerability scanning and runtime issues with context facilitate remediation
Integrating Security into Dev & CI/CD
AWS Cloud components: Prisma Public Cloud Scanning Service, AWS CodePipeline, Container Registry, Amazon S3, Amazon RDS, Amazon ECS, AWS Lambda, Amazon EKS, Amazon EC2
1. Vuln scan OS packages in Docker files in the developer environment before check-in to Git
2. Vuln scan OS packages in Docker images in CI/CD before push to registry
3. Config scan CFT / Terraform before deployment to runtime
Vulnerability Scan: For OS Packages In CI/CD
How: Configure CI/CD projects to vuln scan Docker images, triggered by Pull Request (PR) in Git / build in CI/CD
Why: Verify that Docker images do not have vulnerabilities that violate policies
Benefit
• Eliminate vulnerabilities in Docker images
• Reduce attack surface of images before check-in to Git / push to registry
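To make the "How" and "Why" above concrete, here is an added example (not code from the talk, from Prisma, or from any scanner) of the two pieces a pipeline gate needs: extracting the base images a Dockerfile depends on so that they can be scanned, and applying a severity / fix-available policy to scan output so the build fails only on findings a developer can act on. The findings format, the placeholder CVE ids and the Dockerfile are constructed.

```python
"""CI gate for container image vulnerability findings, plus the Dockerfile
parsing a pre-check-in scan needs to know which base images to scan.
Hypothetical example: the findings format below is constructed and is not
the output of Prisma or any particular scanner."""
import sys
from typing import Dict, List, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def base_images(dockerfile: str) -> List[str]:
    """Return the external images a Dockerfile builds on, skipping
    references to earlier build stages and the empty 'scratch' image."""
    stages, images = set(), []
    for line in dockerfile.splitlines():
        parts = line.strip().split()
        if len(parts) < 2 or parts[0].upper() != "FROM":
            continue
        args = [p for p in parts[1:] if not p.startswith("--")]  # drop --platform=...
        if not args:
            continue
        image = args[0]
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2])  # later "FROM <stage>" lines are not external images
        if image not in stages and image.lower() != "scratch":
            images.append(image)
    return images


def evaluate(findings: List[dict], fail_severity: str = "high",
             require_fix: bool = True) -> Tuple[List[dict], List[dict]]:
    """Split findings into those that fail the build and those only reported.
    A finding blocks when it is at least `fail_severity` and, if
    `require_fix` is set, a fixed package version exists."""
    threshold = SEVERITY_RANK[fail_severity]
    blocking, advisory = [], []
    for f in findings:
        severe = SEVERITY_RANK[f["severity"]] >= threshold
        actionable = f["fixed"] is not None or not require_fix
        (blocking if severe and actionable else advisory).append(f)
    return blocking, advisory


def remediation_plan(blocking: List[dict]) -> Dict[str, dict]:
    """Collapse blocking findings into one upgrade per package: the context a
    developer needs to fix the build without reading every CVE.
    Assumes the scanner reports a single fixed version per package."""
    plan: Dict[str, dict] = {}
    for f in blocking:
        entry = plan.setdefault(
            f["package"], {"from": f["installed"], "to": f["fixed"], "cves": []})
        entry["cves"].append(f["cve"])
    return plan


# Constructed sample inputs; the CVE ids are placeholders, not real identifiers.
SAMPLE_DOCKERFILE = """\
FROM golang:1.12 AS build
COPY . /src
RUN go build -o /app ./...
FROM alpine:3.9
COPY --from=build /app /app
ENTRYPOINT ["/app"]
"""
SAMPLE_FINDINGS = [
    {"package": "openssl", "installed": "1.1.1c-1", "fixed": "1.1.1d-1",
     "cve": "CVE-XXXX-0001", "severity": "high"},
    {"package": "openssl", "installed": "1.1.1c-1", "fixed": "1.1.1d-1",
     "cve": "CVE-XXXX-0002", "severity": "medium"},
    {"package": "libc6", "installed": "2.28-10", "fixed": None,
     "cve": "CVE-XXXX-0003", "severity": "high"},
    {"package": "curl", "installed": "7.64.0-4", "fixed": "7.64.0-4+deb10u1",
     "cve": "CVE-XXXX-0004", "severity": "critical"},
]

if __name__ == "__main__":
    print("images to scan:", base_images(SAMPLE_DOCKERFILE))
    blocking, advisory = evaluate(SAMPLE_FINDINGS)
    for pkg, p in remediation_plan(blocking).items():
        print(f"BLOCK {pkg} {p['from']} -> {p['to']}  ({', '.join(p['cves'])})")
    for f in advisory:
        print(f"WARN  {f['package']} {f['cve']} {f['severity']} (no fix or below threshold)")
    sys.exit(1 if blocking else 0)  # a non-zero exit fails the PR / build step
```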
Demo Time
Vulnerability Scanning During CI/CD
IaC Scan: For CFT / Terraform in CI/CD
How: Configure CI/CD project to scan IaC templates, triggered by PR in Git
Why: Verify that IaC templates do not violate security policies
Benefit
• Eliminate insecure config in IaC before check-in to Git / deployment to runtime
• Reduce attack surface of infrastructure when deployed to runtime
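An added example of such a pre-deployment template check, written here rather than taken from the talk or from Prisma: it scans a CloudFormation JSON template for world-open security group ingress, public or unencrypted S3 buckets and exposed or unencrypted RDS instances, and returns the pass/fail decision a PR check needs. The rule ids, the allowed-port policy and the sample template are constructed.

```python
"""Minimal IaC policy gate for a CloudFormation (JSON) template, of the kind
run on a pull request before deployment. Hypothetical example, not the
Prisma scanning service; rule ids and thresholds are constructed."""
import json
import sys
from typing import List

ALLOWED_PUBLIC_PORTS = {80, 443}          # assumption: only the web tier may be public
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _port_range(rule: dict):
    """Return (from, to) for an ingress rule; protocol -1 means every port."""
    if str(rule.get("IpProtocol")) == "-1":
        return 0, 65535
    lo = int(rule.get("FromPort", 0))
    hi = int(rule.get("ToPort", lo))
    return lo, hi


def check_security_group(name: str, props: dict) -> List[dict]:
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in WORLD_CIDRS:
            continue
        lo, hi = _port_range(rule)
        # A world-open rule is acceptable only for a single allowed port
        if not (lo == hi and lo in ALLOWED_PUBLIC_PORTS):
            findings.append(dict(resource=name, rule="SG-001", severity="HIGH",
                                 message=f"ingress from {cidr} on ports {lo}-{hi}"))
    return findings


def check_s3_bucket(name: str, props: dict) -> List[dict]:
    findings = []
    pab = props.get("PublicAccessBlockConfiguration", {})
    keys = ("BlockPublicAcls", "BlockPublicPolicy",
            "IgnorePublicAcls", "RestrictPublicBuckets")
    if not all(pab.get(k) is True for k in keys):
        findings.append(dict(resource=name, rule="S3-001", severity="HIGH",
                             message="public access block is not fully enabled"))
    if str(props.get("AccessControl", "Private")).startswith("Public"):
        findings.append(dict(resource=name, rule="S3-002", severity="HIGH",
                             message=f"bucket ACL is {props['AccessControl']}"))
    if "BucketEncryption" not in props:
        findings.append(dict(resource=name, rule="S3-003", severity="MEDIUM",
                             message="no default encryption configured"))
    return findings


def check_rds_instance(name: str, props: dict) -> List[dict]:
    findings = []
    if props.get("PubliclyAccessible") is True:
        findings.append(dict(resource=name, rule="RDS-001", severity="HIGH",
                             message="database instance is publicly accessible"))
    if props.get("StorageEncrypted") is not True:
        findings.append(dict(resource=name, rule="RDS-002", severity="MEDIUM",
                             message="storage encryption is not enabled"))
    return findings


CHECKS = {
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::S3::Bucket": check_s3_bucket,
    "AWS::RDS::DBInstance": check_rds_instance,
}


def scan_template(template_text: str) -> List[dict]:
    """Run every registered check over each resource in the template."""
    template = json.loads(template_text)
    findings = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings


def gate(findings: List[dict], fail_on=("HIGH",)) -> bool:
    """Return True when the template may proceed to deployment."""
    return not any(f["severity"] in fail_on for f in findings)


# Constructed sample template: SSH open to the world, a public bucket, a sane DB.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web", "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
    "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "Engine": "postgres", "PubliclyAccessible": False, "StorageEncrypted": True}},
}})

if __name__ == "__main__":
    results = scan_template(SAMPLE_TEMPLATE)
    for f in results:
        print(f"{f['severity']:6} {f['rule']}  {f['resource']}: {f['message']}")
    sys.exit(0 if gate(results) else 1)  # non-zero exit fails the PR check
```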
Demo Time
IaC Config Scanning During CI/CD
Continuous Security During Run Phase
AWS Cloud components: Container Registry, Amazon S3, Amazon RDS, Amazon ECS, AWS Lambda, Amazon EKS, Amazon EC2
Continuous monitoring (Prisma Public Cloud) raises critical alerts; response is handled by Demisto
Demo Time
Continuous Security During Run Phase
Start Left: Achieve Better Security Outcomes with Security Built-In
developers.paloaltonetworks.com/prisma
Thank you!
Stop by Palo Alto Networks booth #707
Sign up for a free trial: http://go.paloaltonetworks.com/awsmarketplace
Ram Boreda
rboreda@paloaltonetworks.com

Build security into CI/CD pipelines for effective security automation on AWS - SDD351-S - AWS re:Inforce 2019

  • 1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Building Security into CI/CD Pipelines for Effective Security Automation on AWS (SDD351-S). Ram Boreda, Director, Product Management, Palo Alto Networks. Kevin Paige, CISO, Flexport.
  • 2. Agenda
    • The need for security, early in the development cycle
    • The approach taken by Flexport
    • Security during the build phase
    • Security during the deployment phase
    • Security during the production phase
    • Q&A
  • 3. About Your Speakers
    • Ram Boreda: driving product strategy and roadmap of public cloud security products at Palo Alto Networks. At Amazon AWS, was responsible for AWS Transit Gateway and VPN services. Led product management of security products at Verisign iDefense and CipherCloud.
    • Kevin Paige: Chief Information Security Officer (CISO) at Flexport. CISO at MuleSoft. Technical leadership roles at Salesforce, xMatters, the U.S. Army and U.S. Air Force.
  • 4. The Security Analyst Dilemma
    • 174,000 alerts/week; 7% reviewed
    • Mean Time To Identify: 197 days; Mean Time To Contain: 69 days
    • Sources: State of SOAR Report 2018, Demisto; Cost of a Data Breach Study, 2018, Ponemon Institute
  • 5. Security Issues Start Early in the Build Phase (State of Open Source Security Report, 2019, Snyk)
    • 1 in 2 developers don't security test images
    • Top 10 Docker images: ~30 known vulnerabilities
    • 4 in 10 Docker images can fix known vulnerabilities with a base image tag update
  • 6. Perils of Automation During Deployment Phase
    • Easy to deploy misconfigured resources at scale
    • Increased risk when governance/compliance checks are not met
    • Source: 2018 Cloud Security Report (https://www.paloaltonetworks.com/resources/research/2018-cloud-security-report-palo-alto-networks)
  • 7. Security built-in vs. security bolted on (Palo Alto Networks Proprietary and Confidential)
  • 8. Our Cloud Security Challenge
    • Hypergrowth
    • Business wants more features faster
    • Lack of alignment and ownership between teams
  • 9. Shifting Left – Our Approach
    • Align and influence
    • Get and give visibility
    • Hold people accountable
    • Get identity and access control right
  • 10. Dashboard Example
  • 11. Shifting Left – Key Outcomes
    • Culture shift
    • Accountability drove behavior changes
    • Increase in velocity
  • 12. Start Security From The Build Phase…. BUILD → DEPLOY → RUN
  • 13. And Cover the Entire Development Lifecycle
    • BUILD: vulnerability scanning of packages; analyze code; scan images prior to registry upload; scan configurations prior to deployment (IaC, k8s app manifest YAML)
    • DEPLOY: image scanning in registry; configuration scanning; detect drifts from templates
    • RUN: continuous monitoring; detect & respond to attacks
  • 14. Start Left To Drive Consistent And Secure Releases (BUILD → DEPLOY → RUN)
    • Scenario 1: development starts without security, siloed security → build fails with vuln & config issues, dev questions the need to fix → vuln scan & runtime issues without context frustrate dev & security
    • Scenario 2: give simple security tools to development → development identifies vulnerable packages and fixes them → builds pass and images get pushed to registry → vulnerability scanning and runtime issues with context facilitate remediation
  • 15. Integrating Security into Dev & CI/CD
    • AWS Cloud: AWS CodePipeline, Container Registry, Amazon S3, Amazon RDS, Amazon ECS, AWS Lambda, Amazon EKS, Amazon EC2; Prisma Public Cloud Scanning Service
    • 1. Vuln scan OS packages in Docker files in the developer environment before check-in to Git
    • 2. Vuln scan OS packages in Docker images in CI/CD before push to registry
    • 3. Config scan CFT / Terraform before deployment to runtime
  • 16. Integrating Security into CI/CD (same architecture diagram and steps 1–3 as slide 15)
  • 17. Vulnerability Scan: For OS Packages In CI/CD
    • How: configure CI/CD projects to vuln scan Docker images, triggered by Pull Request (PR) in Git / build in CI/CD
    • Why: verify that Docker images do not have vulnerabilities that violate policies
    • Benefit: eliminate vulnerabilities in Docker images; reduce attack surface of images before check-in to Git / push to registry
  • 18. Demo Time: Vulnerability Scanning During CI/CD
  • 19. Integrating Security into CI/CD (same architecture diagram and steps 1–3 as slide 15)
  • 20. IaC Scan: For CFT / Terraform in CI/CD
    • How: configure CI/CD project to scan IaC templates, triggered by PR in Git
    • Why: verify that IaC templates do not violate security policies
    • Benefit: eliminate insecure config in IaC before check-in to Git / deployment to runtime; reduce attack surface of infrastructure when deployed to runtime
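The two pipeline gates described on slides 17 and 20 (fail the build when an image scan reports vulnerabilities that violate policy; fail the build when an IaC template violates policy), as an added example that is not part of the deck and not the API or output format of Prisma Public Cloud or any other scanner. The vulnerability report shape, the policy thresholds, the CloudFormation template and the rule names are all constructed for illustration; in a real pipeline the report would come from the scanning service and the template from the PR under review.

```python
"""Policy gates for two CI/CD stages: a container image vulnerability
report and a CloudFormation (IaC) template. Exits non-zero so the
pipeline stage (PR check or build step) fails when policy is violated.

Everything here is constructed for illustration: the report shape,
the policy thresholds, the template and the rule names are assumptions,
not the output or API of any particular scanning product."""
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample image scan report (vendor-neutral shape, an assumption).
IMAGE_REPORT = {
    "image": "example.registry/app:1.2.3",
    "findings": [
        {"id": "VULN-0001", "package": "openssl", "version": "1.1.1a",
         "severity": "critical", "fixed_in": "1.1.1d"},
        {"id": "VULN-0002", "package": "curl", "version": "7.64.0",
         "severity": "medium", "fixed_in": "7.66.0"},
        {"id": "VULN-0003", "package": "libxml2", "version": "2.9.4",
         "severity": "high", "fixed_in": None},
    ],
}

# Constructed CloudFormation template (JSON form): one security group open
# to the world on an admin port, one unhardened bucket, one bucket that passes.
CFN_TEMPLATE = json.loads("""{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "ssh from anywhere",
      "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
      "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": true, "BlockPublicPolicy": true,
        "IgnorePublicAcls": true, "RestrictPublicBuckets": true}}}
  }
}""")

PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
            "IgnorePublicAcls", "RestrictPublicBuckets")


def image_violations(report, fail_at="high", require_fix=True):
    """Findings that block the build: severity at or above `fail_at` and,
    when require_fix is set, only those with a fixed version available, so
    unfixable findings are still reported by the scanner but do not block."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = []
    for f in report["findings"]:
        if SEVERITY_RANK[f["severity"].lower()] < threshold:
            continue
        if require_fix and not f.get("fixed_in"):
            continue
        blocking.append(f)
    return blocking


def cfn_violations(template, admin_ports=(22, 3389)):
    """Return (logical_id, rule, detail) for each IaC policy violation."""
    out = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                if cidr not in ("0.0.0.0/0", "::/0"):
                    continue
                lo, hi = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
                all_traffic = str(rule.get("IpProtocol")) == "-1"
                if all_traffic or any(lo <= p <= hi for p in admin_ports):
                    out.append((name, "SG_ADMIN_PORT_OPEN_TO_WORLD",
                                f"{cidr} -> {lo}-{hi}"))
        elif rtype == "AWS::S3::Bucket":
            if "BucketEncryption" not in props:
                out.append((name, "S3_NO_DEFAULT_ENCRYPTION", ""))
            pab = props.get("PublicAccessBlockConfiguration", {})
            if not all(pab.get(k) is True for k in PAB_KEYS):
                out.append((name, "S3_PUBLIC_ACCESS_NOT_BLOCKED", ""))
    return out


def gate(report, template):
    """Evaluate both policies; return (passed, human-readable messages)."""
    msgs = [f"image {report['image']}: {f['id']} {f['package']} {f['version']}"
            f" ({f['severity']}, fixed in {f['fixed_in']})"
            for f in image_violations(report)]
    msgs += [f"template {name}: {rule} {detail}".rstrip()
             for name, rule, detail in cfn_violations(template)]
    return (not msgs), msgs


if __name__ == "__main__":
    passed, messages = gate(IMAGE_REPORT, CFN_TEMPLATE)
    for m in messages:
        print("POLICY VIOLATION:", m)
    print("gate:", "PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)
```

The `require_fix` switch is the design point worth copying: blocking only on findings that have a fix keeps the gate actionable for developers (scenario 2 on slide 14), while unfixable findings still surface in the report for tracking rather than failing every build. For the IaC gate, run it on the PR before merge so the misconfiguration never reaches a runtime account; the same checks applied after deployment become the "detect drifts from templates" step on slide 13.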
  • 21. Demo Time: IaC Config Scanning During CI/CD
  • 22. Continuous Security During Run Phase
    • AWS Cloud: Container Registry, Amazon S3, Amazon RDS, Amazon ECS, AWS Lambda, Amazon EKS, Amazon EC2
    • Prisma Public Cloud: continuous monitoring → critical alerts → response via Demisto
  • 23. Demo Time: Continuous Security During Run Phase
  • 24. Start Left: Achieve Better Security Outcomes with Security Built-In. developers.paloaltonetworks.com/prisma
  • 25. Thank you! Stop by the Palo Alto Networks booth #707. Sign up for a free trial: http://go.paloaltonetworks.com/awsmarketplace. Ram Boreda, rboreda@paloaltonetworks.com