Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Hands-On Security in DevOps

You're reading from   Hands-On Security in DevOps Ensure continuous security, deployment, and delivery with DevSecOps

Arrow left icon
Product type Paperback
Published in Jul 2018
Publisher
ISBN-13 9781788995504
Length 356 pages
Edition 1st Edition
Concepts
Arrow right icon
Author (1):
Arrow left icon
Tony Hsiang-Chih Hsu Tony Hsiang-Chih Hsu
Author Profile Icon Tony Hsiang-Chih Hsu
Tony Hsiang-Chih Hsu
Arrow right icon
View More author details
Toc

Table of Contents (23) Chapters Close

Preface 1. DevSecOps Drivers and Challenges FREE CHAPTER 2. Security Goals and Metrics 3. Security Assurance Program and Organization 4. Security Requirements and Compliance 5. Case Study - Security Assurance Program 6. Security Architecture and Design Principles 7. Threat Modeling Practices and Secure Design 8. Secure Coding Best Practices 9. Case Study - Security and Privacy by Design 10. Security-Testing Plan and Practices 11. Whitebox Testing Tips 12. Security Testing Toolkits 13. Security Automation with the CI Pipeline 14. Incident Response 15. Security Monitoring 16. Security Assessment for New Releases 17. Threat Inspection and Intelligence 18. Business Fraud and Service Abuses 19. GDPR Compliance Case Study 20. DevSecOps - Challenges, Tips, and FAQs 21. Assessments 22. Other Books You May Enjoy

Security compliance

For cloud services, it's very important to have security compliance-ready. Security compliance not only shows how the security controls of the cloud service meet security standards but also demonstrates security trustworthiness for customers and partners. Security compliance provides an overview of a security assurance program, but it won't specifically tell us which security technical approach it should apply. For frequent cloud service releases, constantly monitoring and auditing to meet security compliance can be a big challenge.

Although most cloud service providers are security compliance ready (ISO, PCI, FedRAMP, SOC, and so on), it's still the cloud service customer's responsibility to secure data and manage their own application compliance assessment. Both cloud service customers and providers need to maintain system or application audit logs, configuration lists, and change histories for compliance assessment. The compliance assessment should be considered a continuous activity—not a one-time audit check.

In this chapter, we will introduce key cloud services security compliance as a reference to building a security assurance program, and how these security compliance standards relate to DevSecOps.

ISO 27001

ISO 27001 is an information security management system (ISMS). It provides an overview of organization-level security assurance programs. ISO 27001 won't specify a technical security approach, but it provides a complete set of a security management programs. As the diagram shows, the segments in the upper parts may be more directly related to DevOps security practices, such as compliance, business continuity, operation security, access control, software development, cryptography, incident management, and communication. This will serve as a guideline to further developing our own DevOps security program:

We won't introduce ISO 27001 details, but the following table summarizes how ISO 27001 relates to each role and the DevOps team:

Role

Company/organization security policy

Operation or DevOps team

Development team

ISO 27001 chapters

5 Information security policies

6 Organization of information security

7 Human resource security

8 Assess management

15 Supplier relationships

11 Physical and environmental security

9 Access Control

10 Cryptography

12 Operation security

13 Communication security

17 Information security aspects of business continuity management

16 Information security incident management

18 Compliance; with internal requirements, such as policies, and external requirements, such as laws

19 Cloud services control

14 System development

10 Cryptography

9 Access control

ISO 27017 and ISO 27018

ISO 27018 is mainly for the protection of personally identifiable information (PII) in the cloud. It's an extended security compliance based on ISO 27001 and ISO 27002. On top of ISO 27001/27002, ISO 27018 additionally defines PII protection security requirements

ISO 27017 provides both service providers and cloud service consumers with the ability to implement security controls for cloud services. ISO 27017 is an extension to ISO 27002 to address cloud-specific security issues.

Cloud Security Alliance (CSA)

As there are many cloud security compliance methods out there, we may get frustrated trying to follow each of them. The CSA (Cloud Security Alliance) Cloud Controls Matrix (CCM) consolidated most security compliance methods into one matrix called CCM. Take application and interface application security as an example—CCM includes all security compliance controls such as ISO, FedRAMP, and NIST 800-53 related to this area, and defines the control ID. The key benefit of referring to CCM is that we can simply focus on CCM and know all other security compliance regulations will be met as well.

In addition, CSA provides a Consensus Assessments Initiative Questionnaire (CAIQ). It's a yes/no questionnaire for cloud consumers or cloud provides to do security self-assessment and to understand the requirements of security controls. Google Vendor Security Assessment Questionnaires (VSAQ) also provide a security assessment questionnaire in terms of Web Application Security, Security and Privacy Program, Infrastructure Security and Physical and Datacenter Security.

Furthermore, if you are looking for the top cloud threats and security control mitigations, Cloud Security Alliance (CSA) cloud top threats provide guidelines. At the time of writing, it defines the top 12 cloud threats, mappings to threat analysis, CCM/Control ID, and the domains of CSA Security Guidance reference. The following table shows related CSA security guides and how to apply security practices in your organization:

CSA security guides

What it is?

When to apply?

CSA Security Guidance reference

Cloud security white paper

If your organization needs a cloud service security guideline or white paper, this can be a good reference.

Cloud top threats

Top 12 cloud threats and mappings to threat analysis, CCM/Control ID, and domains of CSA Security Guidance reference

It can be the basis for cloud threat modeling.

CAIQ

Yes/no questionnaire

A list of yes/no questions for self-assessment to understand existing security control requirements.

CSA CCM

One consolidated worldwide security standard mapping

It's a great consolidated reference and includes most security compliance standards (ISO 27001, PCI, NIST, and so on). It's the only matrix you need to review security standards compliance.

Federal Information Processing Standards (FIPS)

The FIPS mainly defines minimum security requirements for the use of cryptographic modules. Every organization that is not going to get a FIPS certificate should also refer to it. It's highly recommended that you refer to Security Requirements for Cryptographic Modules to understand what cryptographic modules may be considered safe, legacy, or weak.

For developers who would like to learn how to implement cryptographic modules correctly, the following resources are recommended.

  • OWASP Cryptographic Storage Cheat Sheet.
  • OWASP Guide to Cryptography
  • OWASP Key Management Cheat Sheet

Here is a summary of the minimum security requirements for each cryptography algorithm and its usage:

Usage scenario

Unsafe cryptography algorithm

(key length)

Legacy Systems Only

Recommended cryptography algorithm

Symmetric encryption

Blowfish, DES, Skipjack, RC4

3 DES only when

(key 1 != key 2 != key 3)

AES > 128 bits

Asymmetric encryption

RSA (< 1024 bits)

RSA (1024 bits)

RSA (> 1024 bits)

Hash

MD5

SHA1 (1024 bits)

SHA256

Digital signature

RSA (< 1024 bits)

DSA (< 1024 bits)

ECDSA (<= 160 bits)

DSA (1024 bits)

RSA (1024 bits)

RSA (>=2048 bits)

DSA (>=2048 bits)

ECDSA (>=256 bits)

Hellman key exchange (DH)

DH ( < 1024 bits)

DH (1024-2047 bits)

DH (>=2048 bits)

ECDH(>-256 bits)

Center for Internet Security (CIS) and OpenSCAP – securing your infrastructure

The CIS defines security benchmarks and the National Checklist Program (NCP), defined by the NIST SP 800-70, provides guidance on the security configurations of the operating system, database, virtualization, framework, and applications.

The IT and operation team are primarily responsible for ensuring the security of the infrastructure. However, the development team may also share some responsibilities for securing the infrastructure. For example, the development team may decide to deliver the application package in the form of a container or to apply Infrastructure as Code frameworks, such as Puppet or Chef. These technologies allow development teams to define a secure configuration, even in the development stage, and the operation team just needs to apply the secure configuration definition during application deployment.

In addition, it's also the development team's job to provide a list of configuration changes for every release's deployment. This will allow the operation team to review if the configuration changes are secure and appropriate. Due to the complexity and the amount of configuration that needs to be reviewed, the adoption of scanning tools to check if all the configurations are secure and comply with industry best practices is necessary. Cloud service providers may provide such scanning services or tools. Here, we recommend open source tools such as CIS-CAT Lite provided by CIS and OpenSCAP.

The journey to secure the infrastructure and platform can be completed in three stages. The first stage is to define a secure configuration baseline by referring to industry practices such as CIS or NIST NCP. Then, we may apply tools such as Chef or Puppet to ensure every deployment includes a secure configuration as well. The final stage is to do constant monitoring of frequent configuration changes and security compliance assessment.

Typical infrastructure components are listed in the following table. CIS provides secure configuration suggestions to each system component and also tools to do the scanning against the security best practice baseline.

CIS provides the CIS Benchmark, which defines the secure configuration of operating systems, server software, cloud services, networking devices, and so on. It helps operation teams to understand how to secure and configure an infrastructure and platform.

Infrastructure layers

System

Web services

Apache, Nginx, IIS

Database

MS SQL, MySQL, Oracle, MongoDB

Virtualization/container

VMware, Docker, Kubernetes

Networking

Cisco devices

Operating systems

Windows, Linux, Ubuntu, CentOS, SUSE

In addition to CIS Benchmark documents, CIS also provides tools to infrastructure or operation teams for secure configuration scanning. The CIS Security website provides related security configuration scanning tools to download.

Source: https://www.cisecurity.org/cybersecurity-tools/

National Checklist Program (NCP) repository

The NCP repository provides secure configuration for specific software components. For example, if you are looking for Apache security configuration or the CIS of Apache, you may use the NCP to do the search. The screenshot is from the NIST NCP (National Checklist Program).

Source: https://nvd.nist.gov/ncp/repository

OpenSCAP tools

OpenSCAP is similar to CIS security benchmarks; it also provides a secure configuration baseline. In addition, OpenSCAP also provides different kinds of tool for operation or infrastructure teams to do secure configuration evaluation and scanning. Depending on the requirements, there are four kinds of tool provided, as shown in the following screenshot:

Source: https://www.open-scap.org/tools/
You have been reading a chapter from
Hands-On Security in DevOps
Published in: Jul 2018
Publisher:
ISBN-13: 9781788995504
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at €18.99/month. Cancel anytime