Splitting the Check on Compliance and Security (presentation)


Slide 1: Splitting the Check on Compliance and Security
Jason Chan
Engineering Director – Cloud Security
@chanjbs



Slide 2: 2015 for Developers


Slide 3: 2015 for Auditors and Security Teams


Slide 4: The Problem


Slide 5: Incentives and Perspectives
Developers:
Incentives: speed, features
Want: freedom to innovate, new technology
Auditors:
Incentives: compliance with regulatory obligations, verifiable processes
Want: well-known technology, predictability and stability

Slide 6: The Resolution


Slide 7: “You build it, you run it.”
– Werner Vogels, Amazon CTO (June 2006)


Slide 8: Who Cares About These Answers?
When did that code change?
Who made the change?
Who logged in to that host?
What did they do?
Who pushed that code?
When was this dependency introduced?
Was that build tested before deployment?
What were the test results?


Slide 9: Developers and Auditors: Before and After


Slide 10: How Do We Get There?


Slide 11: Two Approaches to Compliance


Slide 12: Pillars for Effective, Efficient, and Flexible Compliance


Slide 13: The Pillars
Traceability in development
Continuous security visibility
Compartmentalization


Slide 14: Discussion Format


Slide 15: Traceability in Development


Slide 16: Common Audit Requirements for Software Development
Review changes.
Track changes.
Test changes.
Deploy only approved code.
For all actions: who did it, and when?


Slide 17: Spinnaker for Continuous Deployment
Customizable deployment pipelines (workflows), based on team requirements.
Single interface to the entire deployment process.
Answers who, what, when, and why, for developers and auditors alike.

Slide 18: Spinnaker: Compliance-Relevant Features
Integrated access to development artifacts: pull requests, test results, build artifacts, etc.
Push authorization.
Restricted deployment windows (time, region).
Deployment notifications.

Slide 19: Spinnaker: App-Centric View and Multistage Pipeline


Slide 20: Automated Canary Analysis


Slide 21: Manual Approval (Optional)


Slide 22: Restricted Deployment Window (Optional)


Slide 23: Restricted Deployment Window (Optional)


Slide 24: Deployment Notification (Optional)


Slide 25: Spinnaker vs. Manual Deployments
Deployment is independent of languages and other underlying technology: Java, Python, Linux, Windows, and so on.
Multiple stages of automated testing: integration, security, functional, production canary.
Fully traceable pipeline: changes and change drivers are fully visible, and all artifacts and test results are available.
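The slides list the pipeline controls an auditor wants (authorized pushers, reviewed and tested changes, a restricted deployment window by time and region, an optional manual judgment) and the questions they answer (who, what, when, why). The Python below is an added example of such a policy gate, not Spinnaker's or Netflix's code: it evaluates a constructed deployment record against a constructed policy and returns an audit record that either allows the deployment or lists every control that failed. The record and policy field names, the sample people and regions are assumptions made for this illustration.

```python
"""Deployment policy gate: an added example, not Spinnaker's or Netflix's code.

Models the compliance-relevant pipeline features listed above: push
authorization, reviewed and tested changes, a restricted deployment window
(time and region), optional manual approval, and an audit record answering
who, what, when and why. All field names are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import datetime, time, timezone
from typing import Dict, List, Set


@dataclass
class Deployment:
    app: str
    commit: str
    pusher: str                     # who pushed the code
    reason: str                     # why: the change driver
    region: str                     # where it is being deployed
    requested_at: datetime          # when; timezone-aware
    pr_approvers: List[str]         # who reviewed the pull request
    stage_results: Dict[str, bool]  # test stage -> passed
    canary_score: float             # 0..100 from automated canary analysis
    manual_approver: str = ""       # empty when no manual judgment was given


@dataclass
class Policy:
    authorized_pushers: Set[str]
    required_stages: Set[str]
    allowed_regions: Set[str]
    window_start: time              # UTC, inclusive
    window_end: time                # UTC, inclusive; may be before start
    min_canary_score: float
    require_manual_approval: bool = False


def in_window(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end]; handles windows that cross midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def evaluate(dep: Deployment, policy: Policy) -> dict:
    """Check every control and return an audit record with the decision."""
    failures: List[str] = []
    if dep.pusher not in policy.authorized_pushers:
        failures.append(f"push authorization: {dep.pusher} may not deploy {dep.app}")
    # The review must come from someone other than the person pushing.
    if not [r for r in dep.pr_approvers if r != dep.pusher]:
        failures.append("review: no approval from a reviewer other than the pusher")
    passed = {name for name, ok in dep.stage_results.items() if ok}
    missing = sorted(policy.required_stages - passed)
    if missing:
        failures.append("testing: stages not passed: " + ", ".join(missing))
    if dep.canary_score < policy.min_canary_score:
        failures.append(f"canary: score {dep.canary_score:.1f} below "
                        f"{policy.min_canary_score:.1f}")
    t = dep.requested_at.astimezone(timezone.utc).time()
    if not in_window(t, policy.window_start, policy.window_end):
        failures.append(f"window: {t:%H:%M} UTC is outside "
                        f"{policy.window_start:%H:%M}-{policy.window_end:%H:%M}")
    if dep.region not in policy.allowed_regions:
        failures.append(f"window: region {dep.region} is not permitted")
    if policy.require_manual_approval and not dep.manual_approver:
        failures.append("approval: manual judgment stage not completed")
    return {
        "who": dep.pusher, "what": f"{dep.app}@{dep.commit}",
        "when": dep.requested_at.isoformat(), "where": dep.region,
        "why": dep.reason, "reviewed_by": sorted(dep.pr_approvers),
        "approved_by": dep.manual_approver or None,
        "allowed": not failures, "failures": failures,
    }


# Constructed sample policy and deployments (not real Netflix data).
POLICY = Policy(
    authorized_pushers={"alice", "bob"},
    required_stages={"unit", "integration", "security"},
    allowed_regions={"us-east-1", "us-west-2"},
    window_start=time(14, 0), window_end=time(22, 0),   # 14:00-22:00 UTC
    min_canary_score=90.0, require_manual_approval=True,
)

GOOD = Deployment(
    app="billing", commit="a1b2c3d", pusher="alice",
    reason="rollout of build 42 after merge of a reviewed change",
    region="us-east-1",
    requested_at=datetime(2015, 10, 7, 16, 30, tzinfo=timezone.utc),
    pr_approvers=["bob"],
    stage_results={"unit": True, "integration": True, "security": True},
    canary_score=97.5, manual_approver="carol",
)

BAD = Deployment(
    app="billing", commit="d4e5f6a", pusher="mallory", reason="hotfix",
    region="eu-west-1",
    requested_at=datetime(2015, 10, 7, 3, 15, tzinfo=timezone.utc),
    pr_approvers=["mallory"],
    stage_results={"unit": True, "integration": False},
    canary_score=71.0,
)
```

Two design points worth noting: the review check rejects self-approval rather than merely requiring a non-empty approver list, and the window check is written so that a window spanning midnight (for example 22:00 to 02:00 UTC) works, which a naive `start <= t <= end` would silently get wrong. The returned record is the same object for both audiences: a developer reads the failure list to fix the pipeline run, an auditor reads who/what/when/why as evidence.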


Slide 26: Control Mapping


Slide 27: Continuous Security Visibility


Slide 28: Issues with Application Security Risk Management
Spreadsheets and surveys!
Human driven.
Presuppose managed intake.
One-time vs. continuous.

Slide 30: Penguin Shortbread – Automated Risk Analysis for Microservice Architectures
Analyze microservice connectivity.
Passively monitor app and cloud configuration.
Develop risk scoring based on observations.

Slide 31: Application Risk Metric


Slide 32: Application Risk Rollup
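Slides 30 to 32 describe a risk score derived from observed connectivity and configuration, and a rollup of that score for an organization-level view. The Python below is an added example of that idea, not Penguin Shortbread's code or Netflix's scoring model: from a constructed set of observations (which services are internet-facing, what data they hold, which ports are open to the world, and who calls whom) it computes each service's distance from the internet by breadth-first search, combines that exposure with data sensitivity and configuration findings into a per-application score, and rolls the scores up per team. The observation fields, weights and formula are assumptions chosen for the illustration.

```python
"""Connectivity-based application risk scoring and rollup: an added example in
the spirit of slides 30-32, not Penguin Shortbread's code or Netflix's model.
The observation fields, weights and formula are assumptions for this example.
"""
from collections import deque
from typing import Dict, List

# Constructed observations of the kind a passive monitor could collect: which
# services are internet-facing, what data they handle, which ports their cloud
# security groups expose to 0.0.0.0/0, and which services they call.
OBSERVATIONS = {
    "edge-proxy":  {"team": "edge",     "internet_facing": True,  "data": set(),
                    "world_open_ports": {443}, "calls": ["api-gateway"]},
    "api-gateway": {"team": "edge",     "internet_facing": False, "data": set(),
                    "world_open_ports": set(), "calls": ["profile", "billing"]},
    "profile":     {"team": "member",   "internet_facing": False, "data": {"pii"},
                    "world_open_ports": set(), "calls": []},
    "billing":     {"team": "payments", "internet_facing": False, "data": {"pii", "payment"},
                    "world_open_ports": {22},  "calls": ["token-vault"]},
    "token-vault": {"team": "payments", "internet_facing": False, "data": {"payment"},
                    "world_open_ports": set(), "calls": []},
}
DATA_WEIGHT = {"pii": 3, "payment": 5}   # sensitivity per data class (assumed)
MAX_EXPOSURE = 4                         # exposure of an internet-facing service
PORT_PENALTY = 4                         # per port open to the world without reason


def reachability_depth(obs: Dict[str, dict]) -> Dict[str, int]:
    """Breadth-first search from internet-facing services along call edges.

    Depth 0 = internet-facing; services not reachable from the edge are absent.
    """
    depth = {name: 0 for name, o in obs.items() if o["internet_facing"]}
    queue = deque(depth)
    while queue:
        svc = queue.popleft()
        for callee in obs[svc]["calls"]:
            if callee not in depth:
                depth[callee] = depth[svc] + 1
                queue.append(callee)
    return depth


def score_service(name: str, obs: Dict[str, dict], depth: Dict[str, int]) -> dict:
    o = obs[name]
    exposure = max(0, MAX_EXPOSURE - depth[name]) if name in depth else 0
    sensitivity = sum(DATA_WEIGHT[d] for d in o["data"])
    # HTTPS on an internet-facing service is expected; anything else open to
    # the world (e.g. SSH on a payment service) is a finding.
    bad_ports = sorted(p for p in o["world_open_ports"]
                       if not (p == 443 and o["internet_facing"]))
    findings: List[str] = [f"port {p} open to 0.0.0.0/2" .replace("/2", "/0") for p in bad_ports]
    if sensitivity and exposure >= MAX_EXPOSURE - 1:
        findings.append("sensitive data within one hop of the internet")
    risk = 2 * exposure + sensitivity * (1 + exposure) + PORT_PENALTY * len(bad_ports)
    return {"service": name, "team": o["team"], "exposure": exposure,
            "sensitivity": sensitivity, "risk": risk, "findings": findings}


def score_all(obs: Dict[str, dict]) -> Dict[str, dict]:
    """Per-application risk metric for every observed service."""
    depth = reachability_depth(obs)
    return {name: score_service(name, obs, depth) for name in obs}


def rollup(scores: Dict[str, dict]) -> Dict[str, dict]:
    """Aggregate per team: worst service (max) and total risk, for the org view."""
    teams: Dict[str, dict] = {}
    for s in scores.values():
        t = teams.setdefault(s["team"], {"max": 0, "total": 0, "services": []})
        t["max"] = max(t["max"], s["risk"])
        t["total"] += s["risk"]
        t["services"].append(s["service"])
    return teams
```

Because the inputs are observations rather than survey answers, re-running `score_all` on a fresh snapshot gives the continuous view the slide contrasts with one-time spreadsheets: a newly opened port or a new call edge that shortens a sensitive service's path to the internet changes the score without anyone filling in a form.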


Slide 33: Control Mapping


Slide 34: Compartmentalization


Slide 35: Compartmentalization
Resilience: limit blast radius.
Confidentiality: need to know.


Slide 36: Monolithic Card Processing in the Data Center



Slide 37: Microservices and Tokenization in AWS
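The contrast between slides 36 and 37 is that tokenization lets card data live in one small compartment while every other service handles only a substitute value. The Python below is an added example of such a token vault, not Netflix's design or code: the vault is the only component that sees the card number, hands out a token that keeps the last four digits for display, and exchanges tokens back only for callers holding a processor role. The role name, method names and the flow in `demo()` are assumptions for this illustration; the card number is a constructed, Luhn-valid test value.

```python
"""Tokenization service as a compartment: an added example, not Netflix's design.

The vault is the only component that ever holds card numbers; every other
service works with tokens that preserve the last four digits and can be
exchanged for the PAN only by a caller with the payment-processor role.
Roles and method names are assumptions for this illustration.
"""
import secrets
from typing import Dict, List


def luhn_valid(number: str) -> bool:
    """Standard Luhn check-digit test used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    def __init__(self, detokenize_roles=("payment-processor",)):
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}
        self._roles = set(detokenize_roles)
        self.audit: List[str] = []      # who touched which card, for the auditor

    def tokenize(self, pan: str, caller: str) -> str:
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a card number")
        if pan in self._token_by_pan:           # same PAN -> same token
            return self._token_by_pan[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # A token must not collide with another token, must not equal the
            # PAN, and must fail Luhn so it can never be mistaken for a real card.
            if token not in self._pan_by_token and token != pan and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        self.audit.append(f"{caller} tokenized ****{pan[-4:]}")
        return token

    def detokenize(self, token: str, caller: str, role: str) -> str:
        """Need to know: only the processor role may recover the PAN."""
        if role not in self._roles:
            self.audit.append(f"DENIED {caller} ({role}) detokenize {token}")
            raise PermissionError(f"role {role} may not detokenize")
        pan = self._pan_by_token[token]
        self.audit.append(f"{caller} ({role}) detokenized ****{pan[-4:]}")
        return pan


def demo() -> dict:
    """Constructed flow: checkout tokenizes, a ledger service is refused the
    PAN, and only the processor adapter may exchange the token back."""
    vault = TokenVault()
    pan = "4111 1111 1111 1111"           # constructed, Luhn-valid test number
    token = vault.tokenize(pan, caller="checkout")
    try:
        vault.detokenize(token, caller="billing", role="ledger")
        blocked = False
    except PermissionError:
        blocked = True
    recovered = vault.detokenize(token, caller="psp-adapter", role="payment-processor")
    return {"token": token, "blocked_for_ledger": blocked,
            "recovered": recovered, "audit": list(vault.audit)}
```

Making tokens fail the Luhn check is a small but useful property: a token that leaks from a downstream service is recognisable as not a card number, and a misrouted value can be rejected by the same validation that accepts real PANs. In a real deployment the mapping would be held in encrypted storage inside the vault's own network and IAM boundary; the in-memory dictionaries here only stand in for that compartment.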




Slide 38: Control Mapping


Slide 39: Wrapping Up!
Limit investments in approaches that meet narrow regulatory needs.
Embrace core security design and operational principles.
Focus on tools and techniques that serve multiple audiences.

Slide 40: @chanjbs – chan@netflix.com

