Introduction to Security in DevOps

Software and Data Integrity

Introduction

This category, new for 2023, focuses on assumptions made about critical data, software updates, and Continuous Integration / Continuous Deployment (CI/CD) pipelines that are trusted without integrity verification.

Software and data integrity failures arise when code and infrastructure do not protect against integrity violations.

How to prevent it?

  • Use digital signatures or a similar mechanism to verify the integrity of software and data.
  • Ensure that libraries and other dependencies, such as NPM or Maven packages, are pulled from trusted repositories.
  • Ensure a review process is always completed for code and configuration changes.
  • Ensure the CI/CD pipeline has proper configuration, segregation, and access control.
  • Ensure that unencrypted or unsigned serialized data is only sent to untrusted clients after an integrity check has been completed.

Example scenarios

Update without signing: Devices such as home routers and set-top boxes that accept unsigned firmware updates are an increasingly common target for attackers, and the problem is expected to get worse.

Insecure Deserialization: Deserializing unknown or untrusted data can be abused to cause denial-of-service (DoS) or distributed denial-of-service (DDoS) conditions.
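As an added illustration of the first preventive measure above (signing updates and checking integrity before use), not code from the original post: the Go program below signs an update manifest with Ed25519 and shows the verification a device or a CI/CD deploy step runs before applying an image. The key pair, the manifest layout and the firmware bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Manifest is the small document the vendor signs; it pins the SHA-256 of the
// update image, so the (possibly large) image itself is covered by the signature.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// ImageDigest returns the hex SHA-256 of an update image.
func ImageDigest(image []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(image))
}

// VerifyUpdate is the check a device (or a CI/CD deploy step) runs before applying
// an update: the manifest signature must verify under the trusted public key, and
// the image must hash to the pinned value. Any failure rejects the whole update.
func VerifyUpdate(pub ed25519.PublicKey, body, sig, image []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, body, sig) {
		return m, fmt.Errorf("manifest signature invalid")
	}
	if err := json.Unmarshal(body, &m); err != nil {
		return m, fmt.Errorf("manifest malformed: %w", err)
	}
	if got := ImageDigest(image); got != m.SHA256 {
		return m, fmt.Errorf("image digest %s does not match pinned %s", got, m.SHA256)
	}
	return m, nil
}

func main() {
	// Constructed demo: a vendor key pair and a fake firmware image.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image v1.2")
	body, _ := json.Marshal(Manifest{Version: "1.2", SHA256: ImageDigest(image)})
	sig := ed25519.Sign(priv, body) // done once, in the vendor's build pipeline
	_, err := VerifyUpdate(pub, body, sig, image)
	fmt.Println("genuine image accepted:", err == nil)
	_, err = VerifyUpdate(pub, body, sig, []byte("tampered image"))
	fmt.Println("tampered image rejected:", err != nil)
}
```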

Infrastructure as Code

  • Allows infrastructure to be configured and deployed as code.
  • Components are created faster and more consistently because they are defined as code.
  • Enables repeatable deployments across environments.

Security Best Practices for IaC:

Deployment

  • Version control – Version control is the practice of tracking and managing changes to software code. Ensure all changes to the IaC are tracked with enough information to support a revert when needed.
  • Principle of least privilege – Define access management policies so that each identity is granted only the permissions it needs.
  • Open-source dependency check – Analyze open-source dependencies, such as OS packages and libraries, to identify potential risks.
  • Managing secrets – Secrets are confidential data such as application tokens required for authentication, passwords, and SSH (Secure Shell) keys.
  • Threat modeling – Build the threat model early in the development cycle.
  • IDE plug-ins – Use standard security plug-ins in the integrated development environment (IDE).
  • Commissioning – Whenever a resource is deployed, ensure it is labeled, tracked, and logged as part of inventory management.
  • Decommissioning – Ensure the underlying configuration is erased, data is securely deleted, and the resource is completely removed from the runtime and from inventory management.
  • Tagging – During IaC operations, untagged assets are likely to become ghost resources that are hard to detect, visualize, and observe.
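An added example (not from the original post) of the secrets and tagging practices above applied as a pre-apply gate: it scans a plan in a simplified, hypothetical JSON format and reports hard-coded credentials and resources missing required tags. The plan format, the tag policy and the credential-name pattern are assumptions for the demo.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

type Resource struct { // one entry of a simplified, hypothetical plan format (loosely modelled on a Terraform plan)
	Address string            `json:"address"`
	Values  map[string]string `json:"values"`
	Tags    map[string]string `json:"tags"`
}

// Tags every resource must carry so it can be inventoried, tracked and later decommissioned
// (untagged resources become ghost assets), and attribute names that usually hold credentials.
var (
	RequiredTags = []string{"owner", "environment", "cost-center"}
	secretKey    = regexp.MustCompile(`(?i)(password|secret|token|api_?key|private_?key)`)
)

// CheckPlan returns one finding per violation; an empty result lets the plan proceed.
// Secret-named attributes may only hold a "${...}" reference to a secrets manager, never a literal.
func CheckPlan(plan []byte) ([]string, error) {
	var resources []Resource
	if err := json.Unmarshal(plan, &resources); err != nil {
		return nil, fmt.Errorf("plan is not valid JSON: %w", err)
	}
	var findings []string
	for _, r := range resources {
		for _, tag := range RequiredTags {
			if strings.TrimSpace(r.Tags[tag]) == "" {
				findings = append(findings, fmt.Sprintf("%s: missing required tag %q", r.Address, tag))
			}
		}
		for k, v := range r.Values {
			if secretKey.MatchString(k) && v != "" && !strings.HasPrefix(v, "${") {
				findings = append(findings, fmt.Sprintf("%s: hard-coded value in %q", r.Address, k))
			}
		}
	}
	return findings, nil
}

func main() {
	plan := []byte(`[{"address":"aws_db_instance.app","values":{"password":"${db_secret}"},"tags":{"owner":"platform","environment":"prod","cost-center":"1234"}},
	 {"address":"aws_instance.batch","values":{"api_key":"CONSTRUCTED-LITERAL"},"tags":{"owner":"batch"}}]`)
	fmt.Println(CheckPlan(plan)) // constructed plan: a compliant database and a batch host with three violations
}
```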

Runtime

  • Immutability of infrastructure – Immutable infrastructure is built to an exact set of specifications; once deployed, a component is replaced rather than modified in place.
  • Logging – Collect both security logs and audit logs while provisioning infrastructure; they help assess the security risks to sensitive assets.
  • Monitoring – Continuous monitoring watches for security and compliance violations, helps identify attacks, and raises alerts when such incidents occur.


Security Logging and Monitoring Failures 

Introduction

Without logging and monitoring, breaches cannot be detected. This failure category covers insufficient logging, detection, monitoring, and active response, and it can occur at any time.

Warnings and errors generate inadequate or unclear log messages.

The applications cannot detect, alert, or escalate active attacks in real-time or near real-time.

How to prevent it?

Ensure logs are generated in a format that log management solutions can easily consume.

Ensure log data is properly encoded to prevent injection or other attacks against the logging and monitoring systems.

DevSecOps teams should ensure effective alerting and monitoring such that suspicious activities are identified and responded to quickly.

Example Scenarios

An Indian airline suffered a data breach involving more than ten years' worth of personal data of millions of passengers, including passport and credit card data. The breach occurred at a third-party cloud hosting provider, which notified the airline only some time later.

A major European airline suffered a GDPR-reportable breach. The breach was reportedly caused by security vulnerabilities in a payment application, which attackers exploited to harvest more than 400,000 customers' payment records. The privacy regulator fined the airline 20 million pounds.

Implementation of Security Logging and Monitoring

Most developers use logging for debugging and diagnostics. Security logging, by contrast, records security-relevant information while an application is running.

Benefits of Security Logging

Security logging may be used:

  • For forensic analysis and applications.
  • For regulatory compliance requirements.

Best Practices

Follow a single logging format within and across systems; for example, the Apache logging framework helps provide consistent logging across C++, Java, .NET, and PHP.

Log neither too much nor too little information.

Logging for Intrusion Detection and Response

Logging must be used to identify activity that indicates a user is behaving maliciously. Some of the malicious activity scenarios include:

  • The submitted data may be outside some numeric range.
  • Some requests violate the server-side access rules.

In such cases the application must log the activity and mark it as a severe issue. At the same time, it must respond to an identifiable attack by locking the account or invalidating the user's session.

Design Approach for Secure Logging

Secure Logging can be implemented in the following ways.

  • Validate and encode any dangerous characters before logging to prevent log injection attacks.
  • Prevent logging of sensitive information, such as passwords, social security numbers, and credit card numbers.
  • Protect log integrity – An intruder may tamper with logs, so permissions for accessing log files must be restricted.
  • Migrate logs from distributed systems to a central, secure logging service, so that log data is not lost if one node is compromised.
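The points above on encoding log data, keeping sensitive values out of logs, and (from the intrusion-detection section) logging out-of-range input as a severe event, shown together in one added Go example that is not part of the original post; the redaction patterns, the allowed quantity range and the JSON field names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Patterns Redact masks because they must never reach a log (assumed for the demo): card-number-sized digit runs and password values.
var (
	cardNumber = regexp.MustCompile(`\b\d{13,16}\b`)
	password   = regexp.MustCompile(`(?i)(password|passwd|pwd)=[^&\s]+`)
)

// Sanitize neutralises log injection: CR, LF and other control characters in untrusted input become visible \xNN escapes.
func Sanitize(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r < 0x20 || r == 0x7f {
			fmt.Fprintf(&b, `\x%02x`, r)
		} else {
			b.WriteRune(r)
		}
	}
	return b.String()
}

func Redact(s string) string {
	s = cardNumber.ReplaceAllString(s, "[CARD-REDACTED]")
	return password.ReplaceAllString(s, "${1}=[REDACTED]")
}

// LogLine emits one JSON object per event (what log management systems ingest); user and detail are untrusted, so redacted then sanitised.
func LogLine(severity, event, user, detail string) string {
	out, _ := json.Marshal(map[string]string{"severity": severity, "event": event,
		"user": Sanitize(Redact(user)), "detail": Sanitize(Redact(detail))})
	return string(out)
}

// CheckQuantity is the intrusion-detection hook from the text: a quantity outside the
// allowed range (assumed 1..100) is logged as severe and the caller drops the session.
func CheckQuantity(user string, qty int) (line string, invalidate bool) {
	if qty < 1 || qty > 100 {
		return LogLine("SEVERE", "input_out_of_range", user, fmt.Sprintf("quantity=%d", qty)), true
	}
	return "", false
}

func main() { fmt.Println(CheckQuantity("constructed-user\r\n", 9999)) }
```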



WRITTEN BY Veeranna Gatate
