Continuous Security – Securing Clouds in a DevOps World
Vinay Bansal
Security Architect, Cisco Systems
Oct. 2016
Outline
• Cloud and DevOps
• Why traditional security does not help
• Automation Demo
• Building Security with DevOps
  • Security is visible
  • Security is Automated
  • Security Individuals Embedded
• Key Takeaways
DevOps: Security Preconception
• Security Slows down
• Security always says “No”
• Infosec not embracing new norms
  • Cloud
  • Agile
  • Virtualization
Top Reasons for Security Incidents
1. Insecure Configs and Setups
2. Stack (Open Source) Vulnerabilities
3. Credential Management
4. Appcode (homegrown) Vulnerabilities
5. Lack of Active Log Analysis and Monitoring
MULTIPLE DEPLOYMENT MODELS
NORAD CLOUD (SECaaS)
• Plug and Play for users
NORAD HYBRID
• Users leverage a Norad Relay machine to perform scans of private assets
• Results still stored in Norad Cloud
ENTERPRISE
• On-site deployment of all Norad infrastructure
NORAD Capabilities - Current and Planned
Platform Features
• Blackbox and Whitebox testing
• Cloud, hybrid, and on-prem operational models
• Web UI for defining assets, launching tests, and viewing results
• Full API support for automation
• Cross-platform agent
• Cisco SSO integration
• Email notifications
• Community-based model for adding and developing security test content
• Security containers for security tests
Security Tests Included
• Qualys vulnerability scanning
• Qualys WAS testing (OWASP Top 10 testing)
• Qualys Compliance Check Scanning
• CIS Server Benchmarks
• CIS Docker Host hardening validation
• Docker Image vuln scanning
• OpenStack hardening validation
• Nmap/sslyze crypto tests
• Credentials brute-force testing
• CSDL PSB Validation (12): SEC-OPS-PUBCRYP-2, SEC-OPS-STRENGTH, SEC-DEF-CRED-2, SEC-INT-CRED-2, SEC-CRY-PRM, SEC-AUT-ACCDEF, SEC-CRY-STDCODE, SEC-509-CERTEXT, SEC-509-CHAIN, SEC-509-FQDN, SEC-509-LIFETIME, SEC-509-REVOKE