20241009 JAX 2024 Putting Sec in DevSecOps for an AWS Lambda Based System

CraegStrong 25 views 20 slides Oct 14, 2024

About This Presentation

In this talk, I’ll dive into the development journey of Seatbelt, a transformative software plugin for Atlassian Jira that empowers teams by enhancing their reporting accuracy and reliability. Seatbelt helps identify incomplete or incorrect data within Jira workflows, making it easier for users to...


Slide Content

TRACK: DEVSECOPS
October 09, 2024
Craeg Strong, Ariel Partners
Putting the Sec in DevSecOps for an AWS Lambda Based System

Craeg Strong
▪ Software Development since 1988
▪ Large Commercial & Government Projects
▪ Kanban Coach / DevOps Engineer
▪ Kanban Trainer / SpecFlow Trainer
▪ Performance & Scalability Architect
▪ Certified Ethical Hacker
▪ New York & Washington DC Area
CTO, Ariel Partners
FLC, AKC, AKT, KCP, KMP, CSM, CSP, CSPO, ITILv3, PMI-ACP, PMP, CLP, SPC, ICP-ACC, ICP-ATF, PSM-II, PSK
www.arielpartners.com
[email protected]
@ckstrong1

Agenda
• About Me
• Background and Context
• Serverless Version
  • Architecture
  • Getting to Zero Trust
  • CI/CD Pipeline
  • Vulnerability Scanning
• Kubernetes Version
  • Architecture
  • Zero Trust
• Summary and Takeaways

Context
Cause:
• Modern Project/Task Management Tools are Complex & Flexible
• Agile Teams Don’t Have a Dedicated PM Resource
• Team Members Are not Tool Experts
• Agile teams place more value in delivering beautiful software rather than beautiful reports
• Many teams receive inadequate training for tools
Effect:
• Agile Management Tools are full of missing, incomplete, or incorrect data
• Reports are somewhat misleading, totally wrong, or won’t run at all
• Senior management cannot get the aggregated reports they need to make decisions

Manual Verification Checks: Agency 1

Manual Verification Checks: Agency 2

Seatbelt for Jira
• Jira Plugin
• Helps Teams Keep Jira Clean by reducing “Tool Debt”
• Uses Gamification
• Helps Enforce Jira Usage Policies

Seatbelt for Jira

Zero Trust for Serverless

Securing Our Architecture
Zero Trust
1. Ensure the organization is observing good cyber hygiene
2. Secure all the software components
3. Track and manage all third-party dependencies
4. Secure the build/release process
5. Secure the deployment infrastructure
6. Secure data at rest and in motion
7. Don't trust any network, including your own. Enforce authentication and authorization everywhere. Assume the network is hostile.

[Serverless architecture diagram, AWS: a JIRA Webhook Event enters through AWS API Gateway to the Seatbelt API (Lambda), which invokes Seatbelt Actions (AWS Step Functions); actions query Project Data and Metadata via Glue and Athena over S3 (Project Data, Results, Jobs) and DynamoDB (Project Metadata); a second AWS API Gateway serves ReST API Calls authenticated by Cognito.]

What makes this zero trust?
• All services are locked down. Nothing can connect to anything by default
• At runtime, Lambdas are given temporary limited credentials just to connect to the services they need
• Lambdas typically run for less than one minute and then the credentials are destroyed
[Diagram: the Seatbelt API obtains IAM Credentials from the Identity & Access Manager and uses them for Authenticated Access to S3.]

[CI/CD pipeline diagram]
Frontend (NextJS TS): compile → Static analysis → CVE analysis → Unit test → SAM deploy → E2e test
Backend (Go Lang): compile → Static analysis → CVE analysis → Unit test → SAM deploy → E2e test
Both pipelines feed into: Cyber Tests → Vulnerability Scan

Remediation Actions for ZAP Seatbelt
1. Return HTTP 400 for bad requests
2. Tune zap.tsv for false positives
3. Always return Content-Type header
4. Set Strict-Transport-Security
5. CORS fixes
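As an added example (not the deck's or Seatbelt's own code), a Go `net/http` middleware that applies remediation items 1, 3, 4 and 5 on a Go backend like the one in the pipeline slide: explicit Content-Type, HSTS, an allow-listed CORS origin rather than `*`, and a 400 for malformed bodies instead of a 500. The `/jobs` endpoint, the `projectKey` field and the allowed origin are assumptions.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed allow-list: the deck does not name Seatbelt's real frontend origin.
var allowedOrigins = map[string]bool{"https://seatbelt.example.com": true}

// secureHeaders applies remediation items 3, 4 and 5 to every response.
func secureHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		// Item 4: browsers will refuse plain HTTP for this host for a year.
		h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		// Item 3: set the type explicitly so Go never content-sniffs the body.
		h.Set("Content-Type", "application/json; charset=utf-8")
		// Item 5: echo only an allow-listed Origin; unknown origins get no CORS header.
		if origin := r.Header.Get("Origin"); allowedOrigins[origin] {
			h.Set("Access-Control-Allow-Origin", origin)
			h.Set("Vary", "Origin")
		}
		next.ServeHTTP(w, r)
	})
}

// jobsHandler is a hypothetical endpoint: malformed input gets 400 (item 1).
func jobsHandler(w http.ResponseWriter, r *http.Request) {
	var req struct{ ProjectKey string `json:"projectKey"` }
	dec := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<16)) // cap body size
	dec.DisallowUnknownFields()
	if err := dec.Decode(&req); err != nil || strings.TrimSpace(req.ProjectKey) == "" {
		w.WriteHeader(http.StatusBadRequest)
		w.Write([]byte(`{"error":"invalid request"}`))
		return
	}
	w.Write([]byte(`{"status":"queued"}`))
}

// probe drives the wrapped handler in-process so status and headers can be inspected.
func probe(method, body, origin string) *httptest.ResponseRecorder {
	req := httptest.NewRequest(method, "/jobs", strings.NewReader(body))
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	mux := http.NewServeMux()
	mux.HandleFunc("/jobs", jobsHandler)
	secureHeaders(mux).ServeHTTP(rec, req)
	return rec
}
```

Re-running ZAP against a handler wrapped this way clears the missing-header and unexpected-500 findings; what remains should be triaged into zap.tsv (item 2).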


Cyber Security for Kubernetes

IL4/IL6 or On Prem
[Kubernetes architecture diagram: a Kubernetes Control Plane with Envoy Control; containers for a Web App Firewall, the Go Lambda Function, MongoDB, PrestoDB, and Authentication.]

What makes this zero-trust?
• All services are locked down. Nothing can connect to anything by default
• East-west traffic does not pass through the aggregation point, so it’s protected via mesh

Summary
• Good Cyber Hygiene Involves many factors
• Zero trust means we don't trust any network, including our own. We enforce authentication and authorization everywhere. We assume the network is hostile
• Serverless technology significantly reduces attack surface
• Long-running services could increase attack surface
• Service Mesh provides a control plane that can be configured to enforce zero trust

[email protected]
https://linkedin.com/in/cstrong
@arielpartners
https://youtube.com/@Ariel.Partners
https://arielpartners.com
THANK YOU