In this post we share details from How To Integrate Security into the DevOps Pipeline in AWS 2022, an official document from AWS. Thank you, AWS, for sharing such useful documents; we have learned a lot from you. The document helped us improve the security of almost all of our deployment pipelines, and we have applied it to many of our projects. Integrating static analysis (SAST), dynamic analysis (DAST) and runtime application self-protection (RASP) into the DevOps pipeline brings many benefits.
Contents
- 1 Introduction: AppSec Best Practices for the Cloud
- 1.1 Integrating Security into Development and DevOps
- 1.2 Integrating Security into Development and DevOps
- 1.3 Integrating Security into Development and DevOps
- 1.4 Static Application Security Testing
- 1.5 Benefits of SAST
- 1.6 More on SAST
- 1.7 Implementing SAST
- 1.8 Dynamic Application Security Testing (DAST)
- 1.9 DAST Benefits and Drawbacks
- 1.10 DAST Best Practices
- 1.11 Runtime Application Security
- 1.12 RASP Advantages
- 1.13 RASP Considerations
- 2 How to integrate security into the DevOps pipeline in AWS
- 3 Are you interested in taking the AWS exam?
Introduction: AppSec Best Practices for the Cloud
- Applications are more dynamic and robust than we’ve seen in the past.
- The pace of development in the cloud era is faster than ever.
- With this change in pace and style of development, though, comes a need to more rapidly implement security best practices in all facets of application development.
- It’s imperative that any control options be as integrated and automated as possible, too.
Integrating Security into Development and DevOps
The functions and teams that should be involved in day-to-day cloud engineering, oversight, and administration (including change management) include:
- Image management.
- Information security.
- Central DevOps and cloud engineering.
- Identity and access management (IAM).
Integrating Security into Development and DevOps
- To help shift the culture toward one that is more collaborative, security teams need to integrate with the developers promoting code.
- To ensure cohesion across teams, there should be a cloud governance committee.
- In addition, security teams need to determine which tools they have in operations that can be integrated into a DevSecOps environment.
- Standards should also be defined and published for numerous areas of development and deployment.
Integrating Security into Development and DevOps
Risk assessment and analysis practices should be updated to continually review the following:
- Security tools and controls, both in-house and in the cloud.
- Internal development and orchestration tools and platforms.
- Cloud provider security controls, capabilities, and compliance status.
- Operations management and monitoring tools.
Static Application Security Testing
- Static Application Security Testing (SAST) consists of security testing that analyzes application source code for software vulnerabilities and gaps against best practices.
Common SAST assessment models:
- Configuration assessment.
- Code structure assessment.
- Contextual analysis.
- Code control/flow assessment.
- Data flow analysis.
Benefits of SAST
Known benefits to using SAST approaches in secure application development:
- Efficient vulnerable code discovery.
- Shifting left.
- Automation capabilities.
- Pre-execution security analysis.
- Minimal planning requirements.
More on SAST
Many SAST tools are expanding their capabilities and coverage to include infrastructure-as-code (IaC) templates.
Depending on the size of the code base and files assessed, SAST tools can take significant time to complete scans.
Implementing SAST
- As a key application security-focused element of today's DevOps pipelines, SAST should be implemented as broadly as possible to analyze both source code and IaC templates for vulnerabilities.
- AWS CodeCommit is a fully managed source control service that hosts secure Git-based repositories and encrypts all files both in transit and at rest.
- Amazon CodeGuru is a cloud-native code review and assessment service.
- CodeGuru Reviewer Security Detectors flag insecure patterns in code and can improve code security and resilience.
- CodeGuru Profiler monitors the runtime behavior of applications to detect anomalies.
Dynamic Application Security Testing (DAST)
- DAST is a scanning approach that finds security vulnerabilities and weaknesses in running applications.
- DAST also exposes runtime security problems that cannot be identified by static analysis techniques, such as flaws that only appear once the application is deployed with its configuration and dependencies.
- Most DAST tools employ fault injection techniques: they deliberately send malformed or malicious data to input elements (parameters, headers, form fields) in an effort to identify common security vulnerabilities from the application's responses.
DAST Benefits and Drawbacks
DAST platforms provide several benefits:
- Fewer false positives.
- Rapid retesting of remediated vulnerabilities.
- Language agnostic.
DAST tools have some disadvantages, however:
- They may be limited in some testing approaches.
- They may run slowly.
- They don't cover all aspects of an application.
DAST Best Practices
A wide variety of DAST solutions available today can work in both on-premises and cloud-based pipeline environments.
To get the most out of DAST tools and testing, consider these best practices:
- Incorporate regression testing.
- Plan test cases and scenarios.
- Build automation sequences.
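Fault injection of the kind the DAST bullets describe, as an added example that is not code from the AWS document or from this page: a scanner that only sees HTTP requests and responses sends probe payloads to each input parameter of a running application and looks for two signals, a database error leaking into a 5xx response and the probe reflected unencoded into HTML. The target application, its endpoints, parameter names and the sqlite table are all constructed for the example; the app is driven in-process through the WSGI interface so the script runs offline, but the scanner would work unchanged over a real HTTP client.

```python
"""DAST-style fault injection against a running web application (stdlib only)."""
import html
import sqlite3
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlencode
from wsgiref.util import setup_testing_defaults

Response = Tuple[int, str]                              # (HTTP status code, body)
Transport = Callable[[str, Dict[str, str]], Response]   # send(path, params) -> Response

# --- Constructed target: two weak endpoints and one hardened one ---------------
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users (name TEXT)")
_db.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])


def target_app(environ, start_response):
    """Minimal WSGI app standing in for the application under test."""
    path = environ.get("PATH_INFO", "")
    params = parse_qs(environ.get("QUERY_STRING", ""))
    arg = params.get("q", params.get("name", [""]))[0]
    status = "200 OK"
    try:
        if path == "/search":      # weak: user input concatenated into SQL
            rows = _db.execute(
                "SELECT name FROM users WHERE name = '" + arg + "'").fetchall()
            body = "results: %s" % [r[0] for r in rows]
        elif path == "/hello":     # weak: input reflected into HTML unescaped
            body = "<h1>Hello " + arg + "</h1>"
        elif path == "/safe":      # hardened: output encoding applied
            body = "<h1>Hello " + html.escape(arg) + "</h1>"
        else:
            status, body = "404 Not Found", "not found"
    except sqlite3.Error as exc:   # weak: database error text leaks to the client
        status, body = "500 Internal Server Error", "internal error: %s" % exc
    start_response(status, [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode("utf-8")]


def wsgi_transport(app) -> Transport:
    """Drive a WSGI app in-process; a real run would use an HTTP client instead."""
    def send(path: str, params: Dict[str, str]) -> Response:
        environ: Dict[str, str] = {}
        setup_testing_defaults(environ)
        environ["PATH_INFO"] = path
        environ["QUERY_STRING"] = urlencode(params)
        captured = {}

        def start_response(status, headers, exc_info=None):
            captured["status"] = int(status.split()[0])

        body = b"".join(app(environ, start_response)).decode("utf-8")
        return captured["status"], body
    return send


# --- Scanner: black-box probes per input parameter -------------------------------
SQL_ERROR_SIGNS = ("syntax error", "unrecognized token", "unterminated", 'near "')
REFLECT_MARKER = "<zz-dast-probe>"   # unlikely to occur in a normal page


def scan(send: Transport, endpoints: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Send probe payloads to each (path, parameter) and report what the responses reveal."""
    findings: List[Dict[str, str]] = []
    for path, param in endpoints:
        base_status, _ = send(path, {param: "probe"})
        # Probe 1: a lone quote. A new 5xx carrying database error text means the
        # input reaches a query unparameterised and errors are not masked.
        status, body = send(path, {param: "'"})
        if status >= 500 and base_status < 500 and any(s in body.lower() for s in SQL_ERROR_SIGNS):
            findings.append({"path": path, "param": param, "type": "sql_error_leak",
                             "evidence": body[:80]})
        # Probe 2: a marker with angle brackets. If it comes back verbatim the
        # parameter is reflected without output encoding (XSS candidate).
        status, body = send(path, {param: REFLECT_MARKER})
        if REFLECT_MARKER in body:
            findings.append({"path": path, "param": param, "type": "reflected_input",
                             "evidence": body[:80]})
    return findings


if __name__ == "__main__":
    transport = wsgi_transport(target_app)
    for finding in scan(transport, [("/search", "q"), ("/hello", "name"), ("/safe", "name")]):
        print(finding)
```

The scan reports the SQL error leak on /search and the reflection on /hello, and nothing on /safe; in a pipeline the same probes would be replayed against the deployed test environment after each build, which is the rapid retesting the benefits list refers to.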
Runtime Application Security
- Another control gaining a lot of traction is Runtime Application Self-Protection (RASP).
- RASP watches a company's application at runtime, analyzing its behavior as well as the context in which the behavior occurs.
- If RASP detects a security event, such as an attempt to launch a shell, access a file, or query a database, that action can be terminated.
RASP Advantages
Integrating RASP into cloud application stacks requires a fair amount of testing and tuning, but may offer some distinct advantages in DevOps:
- Modern RASP solutions can also be deployed for container-based and serverless applications through IaC templates and add-in components.
- RASP solutions offer significant context about an application’s behavior.
RASP Considerations
There are numerous RASP key considerations and best practices when planning to deploy this technology into cloud application workloads:
- Evaluate integration opportunities for any RASP technologies you’re considering.
- Incorporate performance testing and tuning into deployment strategies.
- Look for leading third-party solutions that are available in the cloud provider marketplace.
- Develop testing plans for prevention and alerting policies that include development and security operations teams.
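What a RASP control does, reduced to code, as an added example that is not part of the AWS document or this page: a Python audit hook watches the running process for two of the behaviours named above, a shell being launched and a protected file being opened for writing, and either terminates the action before it executes (enforce) or only records it (alert), which is the prevention-versus-alerting policy split the last consideration asks you to test. Python's sys.addaudithook and the subprocess.Popen and open audit events are the real mechanism; the policy class, the shell name list, the protected path prefix and the helper names are this example's own choices.

```python
"""RASP-style runtime self-protection with Python audit hooks (stdlib only)."""
import os
import subprocess
import sys
from typing import Any, Dict, List, Tuple

# Policy inputs chosen for this example (a real deployment would tune them).
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "cmd.exe", "powershell.exe"}
PROTECTED_PREFIXES = ("/etc/",)           # the application must never write here
WRITE_FLAGS = os.O_WRONLY | os.O_RDWR | os.O_APPEND | os.O_CREAT


class RaspBlocked(RuntimeError):
    """Raised from inside the intercepted call when the policy is in enforce mode."""


class RaspPolicy:
    """Audit-hook callable: evaluates runtime events and enforces or alerts."""

    def __init__(self, mode: str = "enforce") -> None:
        if mode not in ("enforce", "alert"):
            raise ValueError("mode must be 'enforce' or 'alert'")
        self.mode = mode
        self.events: List[Dict[str, str]] = []

    def decide(self, event: str, args: Tuple[Any, ...]) -> Tuple[bool, str]:
        """Return (violates_policy, reason) for one audit event. Pure, no side effects."""
        if event == "subprocess.Popen" and len(args) >= 2:   # executable, argv, cwd, env
            executable, argv = args[0], args[1]
            if isinstance(argv, (str, bytes)):
                argv = [argv]
            candidate = executable or (argv[0] if argv else "")
            if os.path.basename(os.fsdecode(candidate)).lower() in SHELL_NAMES:
                return True, "shell launch: %r" % (list(argv),)
        elif event == "open" and len(args) >= 3:              # path, mode, flags
            path, mode, flags = args[0], args[1], args[2]
            if isinstance(path, (str, bytes)):
                if isinstance(mode, str):                       # io.open style
                    writing = any(c in mode for c in "wax+")
                else:                                           # os.open style
                    writing = isinstance(flags, int) and bool(flags & WRITE_FLAGS)
                path_s = os.fsdecode(path)
                if writing and path_s.startswith(PROTECTED_PREFIXES):
                    return True, "write to protected path: %s" % path_s
        return False, ""

    def __call__(self, event: str, args: Tuple[Any, ...]) -> None:
        violates, reason = self.decide(event, args)
        if not violates:
            return
        # Record in memory only: touching files or sockets here would re-enter the hook.
        self.events.append({"event": event, "reason": reason, "action": self.mode})
        if self.mode == "enforce":
            raise RaspBlocked(reason)


def install_rasp(mode: str = "enforce") -> RaspPolicy:
    """Attach the policy to the interpreter. Audit hooks cannot be removed later."""
    policy = RaspPolicy(mode)
    sys.addaudithook(policy)
    return policy


def try_shell(command: str) -> str:
    """Attempt a shell launch the way an injected command would; report the outcome."""
    try:
        subprocess.run(command, shell=True, check=False,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return "ran"
    except RaspBlocked as exc:
        return "blocked: %s" % exc


if __name__ == "__main__":
    rasp = install_rasp("enforce")
    print(try_shell("id"))        # terminated inside Popen, before /bin/sh starts
    print(rasp.events)
```

The cost this shows is the one the advantages section warns about: the hook runs on every audited call in the process, so the decision logic has to be cheap and its allow-list tuned against the application's normal behaviour before enforce mode is switched on.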
How to integrate security into the DevOps pipeline in AWS
Old school CI/CD pipeline
Modern CI/CD pipeline with integrated security
AWS CodeBuild buildspec.yml: Pre_build Phase SCA
The pre_build phase below runs a CxFlow (Checkmarx) scan of the checked-out source before the build. CODEBUILD_* variables are provided by CodeBuild; CX_FLOW_EXE, CX_TEAM, CX_FLOW_ENABLED_VULNERABILITY_SCANNERS and PARAMS are expected to be set as environment variables on the CodeBuild project.

version: 0.2
phases:
  pre_build:
    commands:
      # Derive the repository name and branch from what CodeBuild exposes.
      - export CX_REPO_NAME=$(basename "$CODEBUILD_SOURCE_REPO_URL" .git)
      - export CX_REPO_BRANCH=$(basename "$CODEBUILD_WEBHOOK_HEAD_REF")
      # Name the Checkmarx project after the build project, suffixed with the branch when one is known.
      - |
        if [ -n "${CX_REPO_BRANCH}" ]; then
          export CX_PROJECT=$(echo "$CODEBUILD_BUILD_ID" | cut -f1 -d:)-${CX_REPO_BRANCH}
        else
          export CX_PROJECT=$(echo "$CODEBUILD_BUILD_ID" | cut -f1 -d:)
        fi
      # Scan the working directory (-f=.) with the scanners enabled through the Spring profile;
      # CodeBuild exposes the clone URL as CODEBUILD_SOURCE_REPO_URL.
      - |
        ${CX_FLOW_EXE} \
          --scan \
          --app="${CX_REPO_NAME}" \
          --namespace="${CX_REPO_NAME}" \
          --repo-name="${CX_REPO_NAME}" \
          --repo-url="${CODEBUILD_SOURCE_REPO_URL}" \
          --cx-team="${CX_TEAM}" \
          --cx-project="${CX_PROJECT}" \
          --branch="${CX_REPO_BRANCH}" \
          --spring.profiles.active="${CX_FLOW_ENABLED_VULNERABILITY_SCANNERS}" \
          --f=. \
          ${PARAMS}
Security code review best practices
The CloudFormation fragment below is the kind of change a security code review (or an IaC-aware SAST rule set) must catch before it is deployed: an IAM user carrying the AdministratorAccess managed policy, a long-lived access key minted for that user, and AWS credentials hard-coded into a Secrets Manager SecretString, which commits them to source control along with the template. The resource names and placeholder values are the page's own; the comments mark each finding.

AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  AWS CloudFormation template creates an APP instance
Resources:
  PDIAMUser:
    Type: 'AWS::IAM::User'
    Properties:
      ManagedPolicyArns:
        # Finding 1: full administrator rights on a user that only needs application permissions.
        - arn:aws:iam::aws:policy/AdministratorAccess
  CPDIAMUserAccessKey:
    Type: 'AWS::IAM::AccessKey'
    Properties:
      # Finding 2: static, non-expiring credentials; a role assumed by the workload avoids them.
      UserName: !Ref PDIAMUser
  WSCredentialSecret:
    Type: 'AWS::SecretsManager::Secret'
    Properties:
      # Finding 3: credentials pasted into the template land in the repository and in every copy of the stack.
      SecretString: !Sub '{"aws_secret_access_key":"UULKJLKUELGW", "aws_access_key_id":"LKJLKJAIOUPELKAJKLDJF"}'
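A SAST check for infrastructure-as-code that would catch the three problems in the template above, as an added example that is not code from the AWS document or this page. It walks a CloudFormation template and reports AdministratorAccess attached to an IAM principal, an IAM access key resource, and a Secrets Manager SecretString written as a literal instead of being generated or resolved from a dynamic reference; it also scans every string in the template for the documented AWS access key ID format (AKIA followed by 16 characters). Templates are handled in CloudFormation's JSON form as Python dicts so that only the standard library is needed. The insecure sample mirrors the template above; the hardened sample (a role with a scoped inline policy and GenerateSecretString) and the rule names are constructed for this example.

```python
"""IaC-aware SAST check for CloudFormation templates (standard library only)."""
import re
from typing import Any, Dict, Iterator, List, Optional

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
PRINCIPAL_TYPES = {"AWS::IAM::User", "AWS::IAM::Role", "AWS::IAM::Group"}
ACCESS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")    # AWS long-term access key ID
CREDENTIAL_FIELDS = ("aws_secret_access_key", "aws_access_key_id", "password")


def literal_string(value: Any) -> Optional[str]:
    """Text a property resolves to when it is a literal or Fn::Sub over a literal;
    None for Ref, GetAtt and other intrinsics that resolve only at deploy time."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and "Fn::Sub" in value:
        body = value["Fn::Sub"]
        if isinstance(body, str):
            return body
        if isinstance(body, list) and body and isinstance(body[0], str):
            return body[0]
    return None


def string_leaves(node: Any) -> Iterator[str]:
    """Yield every string anywhere inside a nested template structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for child in node.values():
            yield from string_leaves(child)
    elif isinstance(node, list):
        for child in node:
            yield from string_leaves(child)


def scan_template(template: Dict[str, Any]) -> List[Dict[str, str]]:
    """Apply the rules to each resource and return findings as plain dicts."""
    findings: List[Dict[str, str]] = []

    def add(resource: str, rule: str, severity: str, detail: str) -> None:
        findings.append({"resource": resource, "rule": rule,
                         "severity": severity, "detail": detail})

    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        props = res.get("Properties") or {}
        if rtype in PRINCIPAL_TYPES and ADMIN_POLICY_ARN in (props.get("ManagedPolicyArns") or []):
            add(name, "ADMIN_POLICY", "HIGH",
                "AdministratorAccess attached; grant only the actions the workload needs")
        if rtype == "AWS::IAM::AccessKey":
            add(name, "LONG_LIVED_ACCESS_KEY", "MEDIUM",
                "static credentials for an IAM user; prefer a role the workload assumes")
        if rtype == "AWS::SecretsManager::Secret":
            secret = literal_string(props.get("SecretString"))
            if secret is not None and not secret.startswith("{{resolve:"):
                leaked = ", ".join(f for f in CREDENTIAL_FIELDS if f in secret)
                add(name, "HARDCODED_SECRET", "HIGH",
                    "SecretString is a template literal%s; use GenerateSecretString "
                    "or a dynamic reference" % (" holding " + leaked if leaked else ""))
        for text in string_leaves(res):
            for key_id in ACCESS_KEY_ID_RE.findall(text):
                add(name, "AWS_ACCESS_KEY_ID", "HIGH",
                    "access key ID %s... embedded in the template" % key_id[:8])
    return findings


# Constructed samples. INSECURE_TEMPLATE mirrors the fragment above in JSON form.
INSECURE_TEMPLATE: Dict[str, Any] = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "PDIAMUser": {"Type": "AWS::IAM::User",
                      "Properties": {"ManagedPolicyArns": [ADMIN_POLICY_ARN]}},
        "CPDIAMUserAccessKey": {"Type": "AWS::IAM::AccessKey",
                                "Properties": {"UserName": {"Ref": "PDIAMUser"}}},
        "WSCredentialSecret": {"Type": "AWS::SecretsManager::Secret",
                               "Properties": {"SecretString": {"Fn::Sub":
                                   '{"aws_secret_access_key":"UULKJLKUELGW", '
                                   '"aws_access_key_id":"LKJLKJAIOUPELKAJKLDJF"}'}}},
    },
}

# What the review should push the template towards: a role with a scoped inline
# policy instead of an admin user with keys, and a secret generated by the service.
HARDENED_TEMPLATE: Dict[str, Any] = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AppRole": {"Type": "AWS::IAM::Role", "Properties": {
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                "Action": "sts:AssumeRole"}]},
            "Policies": [{"PolicyName": "read-app-config", "PolicyDocument": {
                "Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::app-config-bucket/*"}]}}]}},
        "AppSecret": {"Type": "AWS::SecretsManager::Secret", "Properties": {
            "GenerateSecretString": {"PasswordLength": 32,
                                     "ExcludeCharacters": "\"@/\\"}}},
    },
}

if __name__ == "__main__":
    for finding in scan_template(INSECURE_TEMPLATE):
        print(finding)
    print("hardened template findings:", scan_template(HARDENED_TEMPLATE))
```

Wired into the pre_build phase next to the CxFlow scan, a non-empty findings list with a HIGH entry is what should fail the build; the hardened template produces no findings, which is the regression check to keep once the review comments have been applied.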
Are you interested in taking the AWS exam?
We share practice exams and an actual exam version with real questions to help you pass the exam as easily as possible, plus videos so you can practice anytime and anywhere.
Practice Exam Version:
https://www.awslagi.com/course/aws-certified-security-specialty-scs-c01-practice-exam/
Source:
- AWS Official Document
- awslagi.com