We Can (Not) Secure

Introduction to SecDevOps!

This talk is dedicated to

Segment-your-network Woman
and Patch-your-shit Man!

Infracode loves Security

This talk is heavily focused on the buzzy wuzzy cloudy wowdy AWS CloudFormation kind of environments, but similar patterns can be used in similar "Cloud Orchestrator" tools*.

My loose interpretation of "DevOps" is the idea of source control, testing, deployment and code reuse ;)

Infracode is quicker and easier than maintaining different technical silos... e.g. pulling in an infracode PR from a developer to open a port on the firewall.

*HashiCorp Terraform, OpenStack Heat, Atlas and others.

  • CloudFormation: IaaS templates
  • Elastic Compute Cloud (EC2): Xen-based virtual machines
  • Elastic Block Store (EBS): Block-level storage

  • Simple Storage Service (S3): Networked storage
  • Route 53: DNS (public and private zones)
  • Virtual Private Cloud (VPC): Isolated networks
  • Elastic Load Balancing (ELB): TCP frontend
  • Relational Database Service (RDS): MySQL

  • CloudWatch: Monitoring log streams
  • CloudTrail: Monitoring the AWS API
  • Identity and Access Management (IAM): Least privilege
  • Simple Queue Service (SQS): One-way messaging

Good Buzzwords

  • Defense in depth
  • Isolation/Separation/Segmentation
  • Principle of least privilege (ACL)
  • Cattle, not pets

1) Source Control

Maintain a solid git repository for as much as possible: application source, infracode, Jenkins config and environmental data.

For the following examples, assume these repos exist:

  • SOE-RHEL72 Repo
  • Shared Infracode Repo (Cloudformation & Jenkins)
  • Environment Non-Production Repo
  • Environment Production Repo
  • Microservice (Java) Repo

Each of these repos is accessible from inside the VPN to people in the correct LDAP security groups.

+ Read-only access is given as required.

2) One SOE to build them all

The "Hardened" SOE is the sidekick of "patch your shit man".

All of my AWS environment servers are based on a single AMI.

1) Harden a single RHEL 7.2 gold release and utilise it in Dev, Test, Pre-Prod and Production.

2) Build AWS launch configuration userdata scripts to maintain your free-range bespoke machines, but always build them on the SOE.

Build pipeline: AWS RHEL -> Packer -> Serverspec -> SOE

  • Bastion
  • Frontend
  • Backend
  • Build

Tools: Packer by Hashicorp

Tweaking /etc/sysctl.conf, confirming the timezone, installing bastion keys (revoking older keys), running openscap-scanner.

Tools: ServerSpec

Test suites meant to be run against the built machines.

3) AWS Account isolation

Separate the business functions into different accounts inside AWS.

  • CloudOPS-Build for AMI/SOE
  • CloudOPS for Management (Jenkins)
  • Digital for Deployment

Separate roles in each account to protect against stolen sessions!

Restrict functionality as required.

@dagrz loves popping AWS

4) VPC/Network Isolation

CloudFormation allows for the easy creation of new VPCs and subnets inside those VPCs.

Public subnets can be reached from internet-facing addresses.

Private subnets can be reached from devices in the public subnets.

Restricted subnets can ONLY be accessed by private services with the correct security groups!

Diagram: Preprod / Production

5) Immutable infrastructure

CloudFormation is my home boy

6) Jenkins: Low Hanging Fruit

I love Jenkins, but it's a perfect place to get persistence.

Using Jenkins Job Builder, I've moved all Jenkins code into the infracode repository.

Jenkins is read-only and all modifications must be made through the git repo.

Pull Requests preferred! :D

7) Untrusted Data and Docker

ImageTragick is an easy example of untrusted code running on production environments leading to RCE.

8) Secrets and AWS KMS Roles

KEEP YOUR PASSWORDS OUT OF THE SOURCE CONTROL FOR THE LOVE OF CHRIST! YOU GOD DAMN SAVAGES!


Tools: Credstash/Unicreds

KMS and credstore DynamoDB: limit write access to passwords.

KMS and credstore DynamoDB: limit read access to passwords.
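As an added example (not from the talk), the read/write split above can be expressed as two IAM policies attached to two different roles: the writer can wrap new data keys and put items, the reader can fetch items and unwrap them, and neither side gets both. The table name credential-store is the credstash default; REGION, ACCOUNT_ID and KEY_ID are placeholders.

```json
{
  "CredstashWriterPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "WriteCredentialsToStore",
        "Effect": "Allow",
        "Action": ["dynamodb:PutItem", "dynamodb:Query"],
        "Resource": "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/credential-store"
      },
      {
        "Sid": "WrapNewDataKeys",
        "Effect": "Allow",
        "Action": "kms:GenerateDataKey",
        "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID"
      }
    ]
  },
  "CredstashReaderPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ReadCredentialsFromStore",
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:Query"],
        "Resource": "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/credential-store"
      },
      {
        "Sid": "UnwrapDataKeys",
        "Effect": "Allow",
        "Action": "kms:Decrypt",
        "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID"
      }
    ]
  }
}
```

Attach the reader policy to the instance role of the service that needs the secret and the writer policy to the deployment (Jenkins) role, so a stolen instance session can read its own secrets but cannot overwrite or rotate them.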

9) AWS Cloudwatch

PUT IT ALL IN THE LOGS! 

10) CICD - Security scans

Tools: Gauntlt, mittn


Upright and proud

Thank you!

SecDevOps

By Shlee Paradiso
