Securing Devops Security in the Cloud

Securing Devops Security in the Cloud

Security in the cloud Julien Vehent MANNING www.allitebooks.com www.allitebooks.com Securing DevOps Security in the Cloud JULIEN VEHENT MANNING SHELTER ISLAND www.allitebooks.com For online information and ordering of this and other Manning books, please visit www.manning.com. The publisher offers discounts on this book when ordered in quantity. For more information, please contact Special Sales Department Manning Publications Co. 20 Baldwin Road PO Box 761 Shelter Island, NY 11964 Email: [email protected] ©2018 by Manning Publications Co. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by means electronic, mechanical, photocopying, or otherwise, without prior written permission of the publisher. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in the book, and Manning Publications was aware of a trademark claim, the designations have been printed in initial caps or all caps. ∞ Recognizing the importance of preserving what has been written, it is Manning’s policy to have the books we publish printed on acid- free paper, and we exert our best efforts to that end. Recognizing also our responsibility to conserve the resources of our planet, Manning books are printed on paper that is at least 15 percent recycled and processed without the use of elemental chlorine. Manning Publications Co. Development editors: Dan Maharry and Toni Arritola 20 Baldwin Road Technical development editor: Luis Atencio PO Box 761 Project manager: Janet Vail Shelter Island, NY 11964 Proofreader: Katie Tennant Technical proofreader: Andrew Bovill Typesetter: Happenstance Type-o-Rama Cover designer: Marija Tudor ISBN 9781617294136 Printed in the United States of America 1 2 3 4 5 6 7 8 9 10 – DP – 23 22 21 20 19 18 www.allitebooks.com To my wife, Bogdana To all the folks at Mozilla who keep the web secure and open www.allitebooks.com brief contents 1 ■ Securing DevOps 1 Part 1 Case study: applying layers of security to a simple DevOps pipeline ...................................19 2 ■ Building a barebones DevOps pipeline 21 3 ■ Security layer 1: protecting web applications 45 4 ■ Security layer 2: protecting cloud infrastructures 78 5 ■ Security layer 3: securing communications 119 6 ■ Security layer 4: securing the delivery pipeline 148 Part 2 Watching for anomalies and protecting services against attacks ......................................177 7 ■ Collecting and storing logs 179 8 ■ Analyzing logs for fraud and attacks 208 9 ■ Detecting intrusions 240 10 ■ The Caribbean breach: a case study in incident response 275 Part 3 Maturing DevOps security ..................................299 11 ■ Assessing risks 301 12 ■ Testing security 329 13 ■ Continuous security 354 v contents preface xiii acknowledgments xvi about this book xviii about the author xxi about the cover illustration xxii Securing DevOps 1 1 1.1 The DevOps approach 2 Continuous integration 4 ■ Continuous delivery 4 Infrastructure as a service 5 ■ Culture and trust 6 1.2 Security in DevOps 7 1.3 Continuous security 8 Test-driven security 10 ■ Monitoring and responding to attacks 12 ■ Assessing risks and maturing security 16 Part 1 Case study: applying layers of security to a simple DevOps pipeline ... 19 Building a barebones DevOps pipeline 21 2 2.1 Implementation roadmap 22 2.2 The code repository: GitHub 24 2.3 The CI platform: CircleCI 24 vii viiiviii CONTENTS 2.4 The container repository: Docker Hub 28 2.5 The production infrastructure: Amazon Web Services 30 Three-tier architecture 31 ■ Configuring access to AWS 32 ■ Virtual Private Cloud 33 ■ Creating the database tier 34 ■ Creating the first two tiers with Elastic Beanstalk 36 ■ Deploying the container onto your systems 40 2.6 A rapid security audit 43 Security layer 1: protecting web applications 45 3 3.1 Securing and testing web apps 46 3.2 Website attacks and content security 50 Cross-site scripting and Content-Security Policy 51 ■ Cross-site request forgery 57 ■ Clickjacking and IFrames protection 62 3.3 Methods for authenticating users 63 HTTP basic authentication 63 ■ Password management 65 Identity providers 67 ■ Sessions and cookie security 71 ■ Testing authentication 72 3.4 Managing dependencies 72 Golang vendoring 73 ■ Node.js package management 74 ■ Python requirements 76 Security layer 2: protecting cloud infrastructures 78 4 4.1 Securing and testing cloud infrastructure: the deployer app 79 Setting up the deployer 80 ■ Configuration notifications between Docker Hub and the deployer 81 ■ Running tests against the infrastructure 81 ■ Updating the invoicer environment 82 4.2 Restricting network access 83 Testing security groups 84 ■ Opening access between security groups 86 4.3 Building a secure entry point 88 Generating SSH keys 89 ■ Creating a bastion host in EC2 91 ■ Enabling two-factor authentication with SSH 92 ■ Sending notifications on accesses 98 ■ General security considerations 100 ■ Opening access between security groups 106 CONTENTS ix 4.4 Controlling access to the database 108 Analyzing the database structure 108 ■ Roles and permissions in PostgreSQL 110 ■ Defining fine-grained permissions for the invoicer application 111 ■ Asserting permissions in the deployer 116 Security layer 3: securing communications 119 5 5.1 What does it mean to secure communications? 120 Early symmetric cryptography 121 ■ Diffie-Hellman and RSA 122 Public-key infrastructures 125 ■ SSL and TLS 126 5.2 Understanding SSL/TLS 127 The certificate chain 128 ■ The TLS handshake 129 Perfect forward secrecy 131 5.3 Getting applications to use HTTPS 131 Obtaining certificates from AWS 132 ■ Obtaining certificates from Let’s Encrypt 133 ■ Enabling HTTPS on AWS ELB 135 5.4 Modernizing HTTPS 138 Testing TLS 139 ■ Implementing Mozilla’s Modern guidelines 141 ■ HSTS: Strict Transport Security 143 HPKP: Public Key Pinning 144 Security layer 4: securing the delivery pipeline 148 6 6.1 Access control to code-management infrastructure 151 Managing permissions in a GitHub organization 152 Managing permissions between GitHub and CircleCI 154 Signing commits and tags with Git 157 6.2 Access control for container storage 160 Managing permissions between Docker Hub and CircleCI 160 ■ Signing containers with Docker Content Trust 163 6.3 Access control for infrastructure management 164 Managing permissions using AWS roles and policies 164 ■ Distributing secrets to production systems 168 x CONTENTS Part 2 Watching for anomalies and protecting services against attacks ...................... 177 Collecting and storing logs 179 7 7.1 Collecting logs from systems and applications 182 Collecting logs from systems 183 ■ Collecting application logs 187 ■ Infrastructure logging 191 ■ Collecting logs from GitHub 194 7.2 Streaming log events through message brokers 196 7.3 Processing events in log consumers 198 7.4 Storing and archiving logs 202 7.5 Accessing logs 204 Analyzing logs for fraud and attacks 208 8 8.1 Architecture of a log-analysis layer 209 8.2 Detecting attacks using string signatures 216 8.3 Statistical models for fraud detection 220 Sliding windows and circular buffers 221 ■ Moving averages 223 8.4 Using geographic data to find abuses 227 Geo-profiling users 228 ■ Calculating distances 230 ■ Finding a user’s normal connection area 231 8.5 Detecting anomalies in known patterns 232 User-agent signature 232 ■ Anomalous browser 233 ■ Interaction patterns 233 8.6 Raising alerts to operators and end users 233 Escalating security events to operators 234 ■ How and when to notify end users 237 Detecting intrusions 240 9 9.1 The seven phases of an intrusion: the kill chain 241 9.2 What are indicators of compromise? 243 9.3 Scanning endpoints for IOCs 250 9.4 Inspecting network traffic with Suricata 262 Setting up Suricata 263 ■ Monitoring the network 264 Writing rules 266 ■ Using predefined rule-sets 267 CONTENTS xi 9.5 Finding intrusions in system-call audit logs 267 The execution vulnerability 268 ■ Catching fraudulent executions 269 ■ Monitoring the filesystem 271 ■ Monitoring the impossible 272 9.6 Trusting humans to detect anomalies 273 The Caribbean breach: a case study in incident response 275 10 10.1 The Caribbean breach 277 10.2 Identification 278 10.3 Containment 281 10.4 Eradication 283 Capturing digital forensics artifacts in AWS 284 ■ Outbound IDS filtering 286 ■ Hunting IOCs with MIG 290 10.5 Recovery 293 10.6 Lessons learned and the benefits of preparation 295 Part 3 Maturing DevOps security ..................... 299 Assessing risks 301 11 11.1 What is risk management? 302 11.2 The CIA triad 304 Confidentiality 305 ■ Integrity 306 ■ Availability 307 11.3 Establishing the top threats to an organization 309 11.4 Quantifying the impact of risks 311 Finances 311 ■ Reputation 311 ■ Productivity 312 11.5 Identifying threats and measuring vulnerability 313 The STRIDE threat-modeling framework 313 ■ The DREAD threat-modeling framework 315 11.6 Rapid risk assessment 316 Gathering information 318 ■ Establishing a data dictionary 319 ■ Identifying and measuring risks 321 ■ Making recommendations 324 11.7 Recording and tracking risks 325 Accepting, rejecting, and delegating risks 327 ■ Revisiting risks regularly 327 xii CONTENTS Testing security 329 12 12.1 Maintaining security visibility 330 12.2 Auditing internal applications and services 332 Web-application scanners 333 ■ Fuzzing 336 ■ Static code analysis 338 ■ Auditing Cloud Infrastructure 341 12.3 Red teams and external pen testing 345 12.4 Bug bounty programs 350 Continuous security 354 13 13.1 Practice and repetition: 10,000 hours of security 355 13.2 Year 1: integrating security into DevOps 356 Don’t judge too early 358 ■ Test everything and make dashboards 358 13.3 Year 2: preparing for the worst 359 Avoid duplicating infrastructure 360 ■ Build versus buy 361 ■ Getting breached 362 13.4 Year 3: driving the change 362 Revisit security priorities 363 ■ Progressing iteratively 364 index 365 preface I’m scavenging through shelves of discarded hardware in the basement of the old gov- ernment building, when a pair of sturdy-looking hard drives catch my attention.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    401 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us