Towards Verifiable Infrastructure Security

Transcript

1. Infrastructure as Code Towards Verifiable Infrastructure Security Abhisek Datta Head

   of Technology, Appsecco

2. About Me – Abhisek Datta • Head of Technology (appsecco.com)

   • A boutique security consulting company • TechWing @ null0x00 (null.co.in) • An Open Security Community • Security Researcher • Discovered vulnerabilities in MS Office, Internet Explorer, HP SiteScope etc. • Open Source Contributor • Wireplay, RbWinDBG etc. github.com/abhisek

3. Attackers Attack What They See • Real world examples? •

   Equifax • Accenture • LinkedIN • Verizon Name any major company and its probably breached once!

4. What is the root cause? In spite of so much

   investment in security, why does low hanging fruits still exist for an attacker to exploit?

5. • We react to security issues • Complexity • Lack

   of visibility • Lack for formal security testing methodology especially for infrastructure What is the root cause? (In my opinion) We REACT to Security Issues

6. How to be Proactively Secure? By establishing TRUST

7. Verification and Validation How to Establish Trust

8. How does trust looks like? A DFD representing the Transaction

   Flow in an Online Banking Application Re-auth Anti- fraud Confirm with sender for high value transactions

9. How do we Proactively Secure Infrastructure?

10. The Challenge of Security at Scale This is the Amazon

    Microservices Graph The Challenge of Security at Scale is really – The SCALE

11. How do we solve this? (My Opinion) • Instead of

    responding to vulnerabilities, we must proactively prevent them .. Continuously • We do this by applying the principles of Secure Software Development Life-cycle while building Infrastructure

12. Infrastructure as Code (IaC)

13. What is it? • The process of provisioning and managing

    infrastructure through machine readable code & configuration • It is an alternative approach compared to managing physical hardware and provisioning them with interactive setup and configuration tools

14. The Tooling with an Example 1. Setup 3 EC2 instances

    in AWS 2. Setup an EFS for shared state 3. Deploy workload 4. Get output 5. Destroy https://github.com/abhisek/afl-in-the-cloud Image Source: https://docs.microsoft.com/en-us/azure/devops/learn/what-is-infrastructure-as-code

15. Options for Adoption - Infrastructure IaaS Platform Tools Vendor GCP,

    AWS, Azure Terraform, Ansible, SaltStack - AWS Cloud Formations AWS Azure Azure Resource Manager Microsoft Google Cloud Deployment Manager Google

16. What can be done with it? • Codify infrastructure •

    Version control • Test & Verify • Bug Fix • Automated & Continuous Deployment

17. Verifiable Infrastructure What is it really?

18. Enterprise Security Requirements Can we agree, that the most important

    requirement is To not get breached?

19. How to be secure? By establishing TRUST

20. Secure Software Development Lifecycle Security Requirements Secure Architecture Secure Development

    Security Testing Release Management

21. Mapping SSDLC to Infrastructure as Code SSDLC Secure Infrastructure Security

    Requirements Security Requirements Secure Architecture Secure Architecture Secure Development Infrastructure as Code Security Testing Static Analysis and Verification Release Management Release Management

22. An Example of Verifying Infrastructure A journey towards adopting infrastructure

    as code

23. An example network architecture

24. Codify the Infrastructure (Example for AWS)

25. The Graph

26. The Threat Model

27. Now what? • Add security controls (mitigations) in architecture •

    Edit code to include the required resources and configuration • Push to repository • This triggers CI/CD • CI/CD runs test cases on code (if any) • CI/CD update the live infrastructure

28. Build Test Deploy Audit Update How does it all look

    like? Threat Model

29. Questions? [email protected] That’s all for now.. https://appsecco.com @abh1sek github.com/abhisek