Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Towards Verifiable Infrastructure Security

Towards Verifiable Infrastructure Security

Slides from my talk on Infrastructure as Code: Towards Verifiable Infrastructure Security delivered at StepIN Summit 2019 (Bangalore)

Abhisek Datta

August 23, 2019
Tweet

More Decks by Abhisek Datta

Other Decks in Technology

Transcript

  1. About Me – Abhisek Datta • Head of Technology (appsecco.com)

    • A boutique security consulting company • TechWing @ null0x00 (null.co.in) • An Open Security Community • Security Researcher • Discovered vulnerabilities in MS Office, Internet Explorer, HP SiteScope etc. • Open Source Contributor • Wireplay, RbWinDBG etc. github.com/abhisek
  2. Attackers Attack What They See • Real world examples? •

    Equifax • Accenture • LinkedIN • Verizon Name any major company and its probably breached once!
  3. What is the root cause? In spite of so much

    investment in security, why does low hanging fruits still exist for an attacker to exploit?
  4. • We react to security issues • Complexity • Lack

    of visibility • Lack for formal security testing methodology especially for infrastructure What is the root cause? (In my opinion) We REACT to Security Issues
  5. How does trust looks like? A DFD representing the Transaction

    Flow in an Online Banking Application Re-auth Anti- fraud Confirm with sender for high value transactions
  6. The Challenge of Security at Scale This is the Amazon

    Microservices Graph The Challenge of Security at Scale is really – The SCALE
  7. How do we solve this? (My Opinion) • Instead of

    responding to vulnerabilities, we must proactively prevent them .. Continuously • We do this by applying the principles of Secure Software Development Life-cycle while building Infrastructure
  8. What is it? • The process of provisioning and managing

    infrastructure through machine readable code & configuration • It is an alternative approach compared to managing physical hardware and provisioning them with interactive setup and configuration tools
  9. The Tooling with an Example 1. Setup 3 EC2 instances

    in AWS 2. Setup an EFS for shared state 3. Deploy workload 4. Get output 5. Destroy https://github.com/abhisek/afl-in-the-cloud Image Source: https://docs.microsoft.com/en-us/azure/devops/learn/what-is-infrastructure-as-code
  10. Options for Adoption - Infrastructure IaaS Platform Tools Vendor GCP,

    AWS, Azure Terraform, Ansible, SaltStack - AWS Cloud Formations AWS Azure Azure Resource Manager Microsoft Google Cloud Deployment Manager Google
  11. What can be done with it? • Codify infrastructure •

    Version control • Test & Verify • Bug Fix • Automated & Continuous Deployment
  12. Mapping SSDLC to Infrastructure as Code SSDLC Secure Infrastructure Security

    Requirements Security Requirements Secure Architecture Secure Architecture Secure Development Infrastructure as Code Security Testing Static Analysis and Verification Release Management Release Management
  13. Now what? • Add security controls (mitigations) in architecture •

    Edit code to include the required resources and configuration • Push to repository • This triggers CI/CD • CI/CD runs test cases on code (if any) • CI/CD update the live infrastructure