DevOps Security

These are some really rough notes that I took while watching some of the talks found in the Resources section below.

Security as Code

  • If an instance goes up that we did not want to be launched, terminate immediately

  • Have known good state of your instances

  • Make sure that any given new instance conforms to the proper standards, e.g. using the right security group

  • Build code securely

  • Unit tests for your code from an attacker's perspective

  • Build security tests into CI

  • Automate detection and response
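An added example of the "unit tests from an attacker's perspective" idea (this is my own illustration, not code from the notes or the linked talks): a function that resolves a user-supplied filename inside a fixed export directory, and a CI-style test table of inputs an attacker would try (traversal, absolute paths, null bytes, empty names) that must all be rejected. The export root, file names and helper names are assumptions for illustration.

```python
"""Attacker's-perspective unit test for a path-resolution helper.

Added example, not from the notes. The helper resolves a filename under
EXPORT_ROOT using pure POSIX string semantics so the test runs on any OS;
a real implementation would additionally resolve symlinks (os.path.realpath)
before the containment check, and percent-decoding must happen *before*
this function is called, since it treats its input literally.
"""
import posixpath

EXPORT_ROOT = "/srv/exports"  # assumed base directory


def safe_export_path(user_name):
    """Return an absolute path strictly below EXPORT_ROOT, or raise ValueError."""
    if not isinstance(user_name, str) or not user_name:
        raise ValueError("empty name")
    if "\x00" in user_name:
        raise ValueError("null byte in name")
    if "\\" in user_name:
        # Reject Windows-style separators outright rather than guessing.
        raise ValueError("backslash in name")
    # posixpath.join discards EXPORT_ROOT if user_name is absolute, and
    # normpath collapses any ".." segments; the containment check below
    # therefore sees the path the OS would actually open.
    candidate = posixpath.normpath(posixpath.join(EXPORT_ROOT, user_name))
    if candidate == EXPORT_ROOT or not candidate.startswith(EXPORT_ROOT + "/"):
        raise ValueError("path escapes export root")
    return candidate


# Constructed attacker-style inputs: every one of these must be rejected.
ATTACKER_INPUTS = [
    "../../etc/passwd",           # plain traversal
    "/etc/passwd",                # absolute path replaces the root
    "reports/../../etc/shadow",   # traversal after a legitimate prefix
    "..\\..\\etc\\hosts",         # Windows separators
    "ok\x00.txt",                 # null byte truncation trick
    "",                           # empty name
    "..",                         # parent of the root
    "./",                         # resolves to the root itself, not a file
]


def check_rejected(names):
    """Map each name to True if safe_export_path rejected it, else False."""
    outcome = {}
    for name in names:
        try:
            safe_export_path(name)
            outcome[name] = False
        except ValueError:
            outcome[name] = True
    return outcome


# pytest-style tests as they would sit in the CI pipeline.
def test_attacker_inputs_are_rejected():
    results = check_rejected(ATTACKER_INPUTS)
    assert all(results.values()), [n for n, ok in results.items() if not ok]


def test_benign_input_is_accepted():
    assert safe_export_path("q1/report.csv") == "/srv/exports/q1/report.csv"


if __name__ == "__main__":
    test_attacker_inputs_are_rejected()
    test_benign_input_is_accepted()
    print("all attacker inputs rejected; benign input accepted")
```

The point of the table is that it is a living list: whenever a new bypass class turns up, it is added as a row and the build fails until the helper handles it.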

Automate Compliance Audits

Automated Defense (forcibly correct and quarantine):
https://github.com/Securosis/SecuritySquirrel
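An added example tying together the "security as code" bullets above (known good state, conformance of new instances, terminate what should never have launched) with the automated-defense idea of forcibly correcting or quarantining. This is my own illustration, not code from the notes, the talks or SecuritySquirrel. It evaluates an instance inventory against a known-good baseline and decides per instance whether to leave it, quarantine it, or terminate it. The baseline values, field names and the inventory are constructed assumptions shaped loosely like EC2 instance metadata; no cloud API is contacted.

```python
"""Security-as-code policy check over an instance inventory.

Added example, not from the notes. Policy:
  - launched by an unapproved principal  -> terminate (should never exist)
  - drifted from the known-good baseline -> quarantine (fix in place)
  - otherwise                            -> ok
"""
from dataclasses import dataclass, field

# Known-good baseline: assumed values for illustration only.
BASELINE = {
    "approved_amis": {"ami-hardened-2024"},
    "approved_sgs": {"sg-web-tier", "sg-app-tier", "sg-bastion"},
    "required_tags": {"Owner", "Service"},
    # Principals allowed to launch instances (pipeline identities only).
    "launch_allowlist": {"ci-pipeline", "terraform"},
}


@dataclass
class Instance:
    instance_id: str
    ami: str
    security_groups: list
    tags: dict
    launched_by: str


@dataclass
class Verdict:
    instance_id: str
    action: str  # "ok", "quarantine" or "terminate"
    reasons: list = field(default_factory=list)


def evaluate(inst, baseline=BASELINE):
    """Classify one instance against the baseline."""
    # An instance launched outside the approved pipeline is the
    # "instance we did not want launched" case: terminate immediately.
    if inst.launched_by not in baseline["launch_allowlist"]:
        return Verdict(inst.instance_id, "terminate",
                       [f"launched by unapproved principal {inst.launched_by}"])
    reasons = []
    if inst.ami not in baseline["approved_amis"]:
        reasons.append(f"ami {inst.ami} not in known-good set")
    bad_sgs = sorted(sg for sg in inst.security_groups
                     if sg not in baseline["approved_sgs"])
    if bad_sgs:
        reasons.append(f"unapproved security groups: {bad_sgs}")
    missing = sorted(baseline["required_tags"] - set(inst.tags))
    if missing:
        reasons.append(f"missing required tags: {missing}")
    # Drift from the baseline is corrected or quarantined, not destroyed.
    return Verdict(inst.instance_id, "quarantine" if reasons else "ok", reasons)


def audit(instances, baseline=BASELINE):
    """Return {instance_id: Verdict} for the whole inventory."""
    return {v.instance_id: v for v in (evaluate(i, baseline) for i in instances)}


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    Instance("i-0001", "ami-hardened-2024", ["sg-web-tier"],
             {"Owner": "team-a", "Service": "web"}, "terraform"),
    Instance("i-0002", "ami-hardened-2024", ["sg-web-tier", "sg-open-any"],
             {"Owner": "team-a"}, "ci-pipeline"),
    Instance("i-0003", "ami-unknown", ["sg-app-tier"],
             {"Owner": "x", "Service": "y"}, "console-user"),
]

if __name__ == "__main__":
    for v in audit(SAMPLE_INVENTORY).values():
        print(v.instance_id, v.action, "; ".join(v.reasons) or "-")
```

In a real deployment the `terminate` and `quarantine` verdicts would feed an automated responder (for example by swapping the instance into an isolation security group), and every verdict would be logged so the decisions can be audited later.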

Getting people to address issues:

  • JIRA service desk for security alerts

  • Find tickets assigned to people and past due, escalate automatically

  • Inspect ticket metadata, carry out duties

  • Find sketchy internal actors and mistakes, such as creating a new user
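An added example of the ticket-queue automation described above (my own illustration, not code from the notes or the talks): a sweep over security-alert tickets that escalates open tickets past their due date one step up an escalation chain, and flags tickets whose metadata records a sensitive action such as user creation performed by someone other than the approved provisioning automation. The ticket records, field names, escalation chain and action names are constructed assumptions, not JIRA's actual schema or API.

```python
"""Automated escalation and metadata inspection for security-alert tickets.

Added example, not from the notes. Works on plain dicts so it runs offline;
a real version would read and update tickets through the service-desk API.
"""
from datetime import datetime, timezone

# Assumed escalation chain: assignee -> next person up. Unassigned or
# unknown assignees escalate straight to the security lead.
ESCALATION_CHAIN = {"alice": "bob", "bob": "sec-lead", "carol": "bob"}
DEFAULT_ESCALATION = "sec-lead"
OPEN_STATUSES = {"Open", "In Progress"}

# Sensitive actions that only the approved automation should perform.
SENSITIVE_ACTIONS = {"iam.create_user", "iam.attach_admin_policy"}
APPROVED_PROVISIONERS = {"iam-provisioner-bot"}

# Constructed sample tickets.
SAMPLE_TICKETS = [
    {"key": "SEC-101", "assignee": "alice", "status": "Open",
     "due": "2024-05-01T00:00:00+00:00",
     "metadata": {"action": "sg.ingress_added", "actor": "terraform"}},
    {"key": "SEC-102", "assignee": "bob", "status": "Done",
     "due": "2024-05-01T00:00:00+00:00",
     "metadata": {"action": "iam.create_user", "actor": "iam-provisioner-bot"}},
    {"key": "SEC-103", "assignee": "carol", "status": "In Progress",
     "due": "2024-06-01T00:00:00+00:00",
     "metadata": {"action": "iam.create_user", "actor": "dave"}},
    {"key": "SEC-104", "assignee": None, "status": "Open",
     "due": "2024-04-20T00:00:00+00:00",
     "metadata": {"action": "iam.attach_admin_policy", "actor": "erin"}},
]

# Fixed "now" so the sweep is reproducible.
SWEEP_TIME = datetime(2024, 5, 15, tzinfo=timezone.utc)


def is_overdue(ticket, now):
    """Open and past its due date."""
    return (ticket["status"] in OPEN_STATUSES
            and datetime.fromisoformat(ticket["due"]) < now)


def escalate(ticket):
    """Return a copy reassigned one step up the chain, with an audit note."""
    current = ticket["assignee"]
    target = ESCALATION_CHAIN.get(current, DEFAULT_ESCALATION)
    updated = dict(ticket, assignee=target)
    updated["history"] = ticket.get("history", []) + [
        f"auto-escalated from {current} to {target}"]
    return updated


def is_suspicious(ticket):
    """Sensitive action carried out by someone outside the approved automation."""
    md = ticket["metadata"]
    return (md["action"] in SENSITIVE_ACTIONS
            and md["actor"] not in APPROVED_PROVISIONERS)


def sweep(tickets, now):
    """One pass over the queue: who got escalated, and what needs a human look."""
    escalated = [escalate(t) for t in tickets if is_overdue(t, now)]
    flagged = [t["key"] for t in tickets if is_suspicious(t)]
    return {"escalated": {t["key"]: t["assignee"] for t in escalated},
            "flagged": flagged}


if __name__ == "__main__":
    result = sweep(SAMPLE_TICKETS, SWEEP_TIME)
    print("escalated:", result["escalated"])
    print("flagged for review:", result["flagged"])
```

Run on the sample data, SEC-101 moves from alice to bob and the unassigned SEC-104 goes straight to the security lead, while SEC-103 and SEC-104 are flagged because a human, not the provisioning bot, created a user or attached an admin policy. SEC-102 is the same action done by the approved bot, so it stays quiet.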

Chef hardening resources

https://github.com/dev-sec/chef-os-hardening
https://github.com/chef-cookbooks/aws
https://supermarket.chef.io/cookbooks/cis_benchmark

Puppet hardening resources

https://forge.puppet.com/netmanagers/fail2ban
https://forge.puppet.com/arusso/iptables

Resources

https://www.youtube.com/watch?v=mSWsgJzzJn0
https://www.youtube.com/watch?v=0HQIiT39baQ