Logging, Monitoring, And Alerting - Owasp

Transcription

Logging, Monitoring, and Alerting
§ Logs are a part of daily life in the DevOps world
§ In security, we focus on particular logs to detect security anomalies and for forensic capabilities
§ A basic logging pipeline can be shared between Developers, Operations, and Security teams:
– Log Aggregation: Used to ingest logs from systems, applications, network components, etc.
– Long Term Storage: Filesystem which retains logs for an extended period of time. Good for forensics or breach investigation.
– Short Term Storage: Filesystem or DB which stores logs to be queried quickly and easily.
– Alerting: Anomaly detection system which is responsible for sending alerts to teams when a deviation occurs
COPYRIGHT 2019 MANICODE SECURITY

Logging and Monitoring Pipeline (diagram; components: IaaS, Log Aggregation, Long Term Storage, Short Term Storage, Query Interface, Anomaly Alerting System, DevSecOps)

Infrastructure as Code

Building Infrastructure
§ Is your infrastructure:
– Self documenting?
– Version controlled?
– Capable of continuous delivery?
– Integration tested?
– Immutable?
Remember: “It’s all software”

Immutable Infrastructure
“Immutable infrastructure is comprised of components which are replaced during deployment rather than being updated in place”

Security and Immutable Infrastructure
§ An immutable infrastructure starts with a “Golden Image” in a version catalog
§ Security teams have a central location to validate images as compliant and enforce OS hardening policies
§ No more guesswork about what is installed
§ Automation can flag security anomalies vs. human intervention
§ Tags help teams wrangle infrastructure
“Push Security to the Left”

Simple Immutable Infrastructure (diagram: a Version Catalog holds Base Image 0.2, made of Base OS, Packages and Base Container; Instance 1, Instance 2 ... Instance n each run Base Image 0.2 plus Latest Code)

Proving Immutability (diagram: the same fleet, with SHA1(Base Image) = 96c5 07e4bb shown on Instance 1, Instance 2 ... Instance n, matching the Base Image 0.2 entry in the Version Catalog)

Shellshock? (diagram: the fleet still running Base Image 0.2 plus Latest Code from the Version Catalog)

Shellshock? Emergency Patch! (diagram: the Version Catalog now holds Base Image 0.3, made of Base OS, Packages and Base Container; Instance 1, Instance 2 ... Instance n are replaced with Base Image 0.3 plus Latest Code)
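The "Proving Immutability" and Shellshock slides above show the check a security team can automate: every instance's base-image hash must match the version catalog, and after the catalog bumps to 0.3, anything still on 0.2 is replaced, never patched on the box. The following is an added example, not code from the deck; the image bytes, catalog and fleet are constructed samples, and the SHA-1 values are computed from them rather than taken from the slides.

```python
import hashlib
from dataclasses import dataclass

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

# Constructed sample images (not the deck's real images): the version catalog
# records the SHA-1 of every published base image, 0.3 being the emergency patch.
BASE_IMAGE_0_2 = b"base-os + packages, v0.2 (constructed sample bytes)"
BASE_IMAGE_0_3 = b"base-os + packages, v0.3 emergency patch (constructed sample bytes)"
VERSION_CATALOG = {"0.2": sha1_hex(BASE_IMAGE_0_2), "0.3": sha1_hex(BASE_IMAGE_0_3)}

@dataclass
class Instance:
    name: str
    image_version: str   # catalog version the instance claims to run
    observed_sha1: str   # SHA-1 of the base image actually on the instance

def check_fleet(instances, catalog, current_version):
    """Return {instance name: verdict} for a fleet.

    ok      - hash matches the catalog entry for the current version
    stale   - untouched, but built from an older catalog version; replace it
    mutated - hash matches no catalog entry for its version: changed in place
    """
    verdicts = {}
    for inst in instances:
        expected = catalog.get(inst.image_version)
        if expected is None or inst.observed_sha1 != expected:
            verdicts[inst.name] = "mutated"
        elif inst.image_version != current_version:
            verdicts[inst.name] = "stale"
        else:
            verdicts[inst.name] = "ok"
    return verdicts

# Constructed fleet: one redeployed from 0.3, one still on 0.2, and one that
# somebody "fixed" by hand on the box instead of redeploying from the catalog.
SAMPLE_FLEET = [
    Instance("instance-1", "0.3", sha1_hex(BASE_IMAGE_0_3)),
    Instance("instance-2", "0.2", sha1_hex(BASE_IMAGE_0_2)),
    Instance("instance-3", "0.2", sha1_hex(BASE_IMAGE_0_2 + b" + manual bash update")),
]

if __name__ == "__main__":
    for name, verdict in check_fleet(SAMPLE_FLEET, VERSION_CATALOG, "0.3").items():
        print(f"{name}: {verdict}")
```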

Cattle, not pets.

Security Wins
§ Security team now has insight into the entire system
§ Infrastructure is auditable and version controlled, just like source code
§ Patching can be applied programmatically with a high level of certainty
§ Alerting can be built for changes to specific areas of the infrastructure
– A new firewall rule is created or deleted
– Administrative user is created
– New VPC rolled out
§ Testing can occur much earlier in the pipeline
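The three infrastructure changes listed above are what the Alerting stage of the logging pipeline from the earlier slide would watch for. This added example (not code from the deck) runs that detection over constructed log lines modelled on AWS CloudTrail field names; it treats a security-group rule change as the firewall event, CreateVpc as the new VPC, and attaching the AdministratorAccess policy as the moment a user becomes administrative.

```python
import json

# Constructed sample log lines modelled on AWS CloudTrail field names; they are
# not real events and exist only so the block runs offline.
SAMPLE_LOG = """
{"eventTime":"2019-05-01T10:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"AuthorizeSecurityGroupIngress","userIdentity":{"userName":"alice"},"requestParameters":{"groupId":"sg-0123"}}
{"eventTime":"2019-05-01T10:01:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"userName":"alice"},"requestParameters":{}}
{"eventTime":"2019-05-01T10:02:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser","userIdentity":{"userName":"bob"},"requestParameters":{"userName":"deploy-svc"}}
{"eventTime":"2019-05-01T10:02:30Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","userIdentity":{"userName":"bob"},"requestParameters":{"userName":"deploy-svc","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventTime":"2019-05-01T10:03:00Z","eventSource":"ec2.amazonaws.com","eventName":"CreateVpc","userIdentity":{"userName":"carol"},"requestParameters":{"cidrBlock":"10.9.0.0/16"}}
{"eventTime":"2019-05-01T10:04:00Z","eventSource":"ec2.amazonaws.com","eventName":"RevokeSecurityGroupIngress","userIdentity":{"userName":"alice"},"requestParameters":{"groupId":"sg-0123"}}
"""

# Security-group changes are the cloud equivalent of "a firewall rule is created or deleted".
FIREWALL_EVENTS = {"AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
                   "AuthorizeSecurityGroupEgress", "RevokeSecurityGroupEgress"}

def classify(event):
    """Map one parsed event to an alert label, or None when it is routine activity."""
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    if name in FIREWALL_EVENTS:
        return "firewall-rule-change"
    if name == "CreateVpc":
        return "new-vpc"
    # A user becomes administrative when the AdministratorAccess policy is attached.
    if name == "AttachUserPolicy" and params.get("policyArn", "").endswith("/AdministratorAccess"):
        return "admin-user-created"
    return None

def alerts_for(log_text):
    """Parse newline-delimited JSON events; return (time, label, actor, eventName) tuples."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line must not take the alerting stage down
        label = classify(event)
        if label:
            actor = (event.get("userIdentity") or {}).get("userName", "unknown")
            alerts.append((event.get("eventTime"), label, actor, event.get("eventName")))
    return alerts

if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_LOG):
        print("ALERT", *alert)
```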

Infrastructure as Code – Terraform

Infrastructure as Code – K8s

“Chaos” Testing

Brief Introduction to Containers

Containers, Containers, Containers, Containers

Software Deployment is Changing
§ Massive shift toward cloud computing
§ Increased demand for application and infrastructure portability across environments
§ Avoid vendor “lock in” when possible
§ Increase in microservices, AKA loosely coupled services
(sidebar diagram: Process Security, Process Isolation)

Modern Applications
§ Breaking monolithic applications into smaller services offers several advantages:
– Scale independently
– Stateless
– High Availability
– API-Driven
– Faster iteration times
(sidebar diagram: Process Security, Process Isolation)

Issues with Modern Applications
§ Organizations often operate in an Ops vs. Dev vs. Sec world
§ Applications and microservices are written in a variety of languages and frameworks
§ Applications need to run on different technology stacks:
– Virtual Machines
– Windows Server
– Bare Metal Servers
– Cloud Environments
– On-Prem Environments
– Developer Laptops
(sidebar diagram: Process Security, Process Isolation)

Physical Host (diagram: Application on top of Operating System on top of Physical Server)

Physical Host (same diagram)
§ One application per server
§ Slow deployment times
§ Low resource utilization
§ Scaling challenges
§ Migration challenges
§ Difficult to replicate locally

VM (diagram: Virtual Machines on top of a Physical or Host Operating System)

VM (same diagram)
§ One physical server and multiple applications
§ Each application runs in a Virtual Machine
§ Better resource utilization
§ Easier to scale
§ VMs live in the Cloud
§ Still requires complete guest Operating Systems
§ Application portability not guaranteed

Container (diagram: Physical Server, Host Operating System, Docker (CRI), and three Containers each holding App 1 / App 2 / App 3 with their own Bins and Libs)

Container (same diagram, with Docker labelled as the Container Runtime)
§ Containers are an application layer construct
§ VMs allow us to convert one physical machine into many servers
§ No Operating System to boot (fast!)
§ Most portable out of all options
§ Less OS overhead using shared kernel model

Containers and VMs are Happy Together (diagram: Physical Server, Host Operating System, Hypervisor, VM 1 / VM 2 / VM 3, each VM running a Container with App 1 / App 2 / App 3)

It's been a pleasure.
Jimmy Mesta, Secure Coding Instructor
jmesta@manicode.com
www.manicode.com
