Implementing security operations management in AWS

Developers put security second in the software development process. SecOps rolls in continuous threat testing and monitoring and makes it a priority.

Security has traditionally been an afterthought in the software development process. But publicity around the recent Heartbleed vulnerability and the associated patching difficulties has moved security to the forefront. A secure software development lifecycle approach using security operations management, or SecOps, can help improve security for AWS applications.

A SecOps approach mirrors DevOps principles of better communication between developers and operations in the security realm, said Todd Vernon, CEO of VictorOps, a DevOps tool provider. DevOps allows IT teams to make quick changes to cloud applications prior to deploying them into production. But this can also introduce significant security problems.

"In the past, you would get a security audit once in a while. But how can that help now?" Vernon asked. Security operations management is the process of continuously developing, testing and monitoring systems for threats. It also provides checks and balances to DevOps.

Put security into the design

"It's critical to design-in security from the start," said David Eads, CEO of Mobile Strategy Partners, a security consultancy. "If security is an afterthought, there's no hope to be secure." This is amplified for cloud-based environments, he added.

In the cloud, new vulnerabilities can be patched quickly. Cloud configuration scripts can ensure fixes are propagated quickly to all other affected environments so vulnerabilities don't return. The cloud also makes it possible to look for similar issues, patch those scripts, and then secure environments that might have related but different issues.

"There's no way IT staff could do this in a traditional environment," said Eads. If the organization has a reactive software development culture, it likely will take a near disaster before they take security seriously -- and that's sometimes just too late.

"Code Spaces is a good example of this," said Sirish Raghuram, CEO of Platform9, a private cloud infrastructure provider. "They were missing some fairly basic security precautions to their Amazon [Web Services] account, and they never got a second chance. You need to have someone influential within the organization who will not wait until it’s too late to instill change."

Stay ahead of new vulnerabilities

Organizations that weave secure coding practices throughout their process are more likely to think about security correctly, said Zulfikar Ramzan, CTO of Elastica, a cloud-based SecOps provider. While security testing after the fact has value, it will never uncover underlying issues.

The Heartbleed bug, for example, was alarmingly severe. Yet, it was hiding in plain sight for years. Part of the challenge is that various development processes are interlinked in a fairly complex patchwork. Making one change -- even if that change seems innocuous -- can wreak havoc on downstream processes. In addition, customers demand evidence of secure coding practices from cloud services, said Ramzan. Enterprises that entrust vendors with processing their data must increase levels of assurance that the vendor is doing so in a reasonably safe and sane fashion. The Cyber Supply Chain Management and Transparency Act of 2014 mandates that cloud service providers, such as AWS, disclose known vulnerabilities to government clients. 

Improving security engineering

There is no substitute for engineering vulnerabilities out of the design first. Handling security issues while they're still in code is better for preventing cross-site scripting attacks, SQL injections, and other known vulnerabilities, said Mark Patton, vice president of engineering at Malwarebytes, an anti-malware vendor. And knowing best practices for cloud-based systems versus on-premises systems is often a challenge.  

Organizations that adopt secure coding practices after design should follow these tips to ensure the environment is better protected from vulnerabilities:

  • Treat securing the API surface as being as important as securing Web pages
  • Look at cloud platform security, AWS Virtual Private Cloud layout and use AWS security groups
  • Discuss the techniques for authentication (username and password, tokens, two-factor authentication, etc.)
  • Do not embed credentials into code – this could leak them out to users
  • Architect access to cloud resources on a role-based "need-to-know" or "need-to-access" basis

A successful and secure organization will provide incentives for teams around security, as well as features and schedules. Businesses should define success to include security as a first-class citizen that is everyone's project from day one.

Identify tactical hurdles to secure development

Making the transition to a secure development lifecycle is not trivial. According to security provider Veracode, companies must overcome a number of tactical hurdles to create a security-conscious culture.

  • Create testing methods that scale. As organizations move to Agile and continuous deployment, they need testing methods that are automated and that can be integrated with existing processes.
  • Provide results that are useful to developers. One drawback of manual testing (and some automated testing results) is that it's difficult to make information accessible so developers can fix the issues. Line-of-code reports are more useful than vulnerability type reports that don't include diagnostic information about what went wrong.
  • Hire enough talent. It takes specialized skills to apply security to software development and to bring developers along in the process. For most organizations, there aren’t enough people with the right skills in the market to make a program work at scale.
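
As an added illustration (not code from the article or from any vendor quoted in it), the following Python check combines two points made above: it looks for AWS credentials embedded in source and reports each one by file and line so a developer can fix it. The rule names and the path `app/config.py` are hypothetical, and the two patterns cover only the common key formats.

```python
import re

# Access key IDs: "AKIA" (long-term) or "ASIA" (temporary) plus 16 characters.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-character value assigned to any name containing "secret".
SECRET_ASSIGN = re.compile(
    r"(?i)\b[\w.]*secret[\w.]*\s*[:=]\s*['\"]([A-Za-z0-9/+=]{40})['\"]"
)
RULES = (("aws-access-key-id", ACCESS_KEY_ID), ("aws-secret-key", SECRET_ASSIGN))


def scan_source(path, text):
    """Return (path, line_no, rule, redacted_line) for each credential found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            secret = match.group(match.lastindex or 0)
            # Keep a 4-character prefix so the report itself does not leak the key.
            masked = secret[:4] + "*" * (len(secret) - 4)
            findings.append((path, line_no, rule, line.replace(secret, masked).strip()))
    return findings


def format_report(findings):
    """Render findings as file:line entries a developer can jump to."""
    return [f"{p}:{n}: [{rule}] {text}" for p, n, rule, text in findings]


# Constructed sample file; the two key values are AWS's published documentation examples.
SAMPLE = '''\
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
region = "us-east-1"
client = boto3.client("s3")  # no keys in code: resolved from the role at run time
'''

if __name__ == "__main__":
    report = format_report(scan_source("app/config.py", SAMPLE))
    print("\n".join(report))
    raise SystemExit(1 if report else 0)  # non-zero exit fails the build step
```

Run as a commit hook or build step, the non-zero exit status blocks the change until the keys are removed from the file.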

Plan for a secure architecture

Organizations need to incorporate security architecture, design reviews, code reviews and security testing, along with vulnerability management and environment hardening, said Sachin Agarwal, vice president of product marketing and strategy at SOA Software. There are several tools in the market that enforce Agile governance to ensure best practices across design, development and operation of applications and services.

Relying on tools alone is not enough; tools can give IT teams a false sense of security, said Patton. Using tools to analyze and audit code on a consistent and regular basis is an important part of secure coding. But using tools such as AWS VPC and AWS security groups has no effect on vulnerabilities that can be exploited over ports that must be open for the application to function, Patton added. Coders also need to keep in mind that they write software that runs on a customer's computer, which can be targeted directly.

How do you design security into your AWS environment?
There's such a great deal of opinion and advice being offered about how to secure cloud applications and architectures, it's difficult for anyone implementing security to find clear, definitive answers on how to go about it. Contributing to that difficulty, security tool vendors are publishing white papers and advisories almost daily that offer insights and recommendations more slanted towards their commercial products and services than providing actionable, objective information. 

The recent, dramatic increase in security incidents reported by the OMB for Federal IT systems, despite costly implementation of FISMA and other security regulations adds to the perception and suspicions that security remains a losing battle against a rising tide of sophisticated threats.   
In recent times, especially following the increased use of cloud computing, security has become a key concern. Since my enterprise uses AWS extensively, DevOps has proven to be a very valuable tool. Cloud computing and DevOps have proven to be directly linked, especially when it comes to security issues. We have realized that we have improved security significantly. We have incorporated security as part of the development process rather than at the end.
There are a number of commercial application security solutions available on the market. That said, there are also many free application security offerings available from OWASP -- most of which offer free point-in-time assessments of an application, code, or infrastructure. Some companies offer free point-in-time assessments of application security as well (full disclosure, I work for Sonatype and we offer a free application health check for open source components used in Java apps).

There are then additional tools from commercial vendors that offer ongoing assessments and analysis that continually track for new vulnerabilities. For those with critical systems, these ongoing and continuous checks should be considered. The tools offering continuous analysis across the software development lifecycle should be highly valued by those pursuing continuous development efforts. Security that is built in to these tools and processes will be much more valuable than those bolting on security to the end of a process or approaching security as a policing or taxing approach.
Other options include using some of the excellent SaaS-based services that provide security for AWS environments - such as
I think a risk-based approach to security is really important. As you build out an application consider the security implications and act accordingly. Build in extra validation and verification for cloud systems that touch on critical systems and information. Make sure those sensitive systems can't be manipulated by less-secure systems. Rock solid transaction logging can also help with forensics to better discover, discourage, and disarm attackers.
After seeing enough issues come out of development, it’s good to see that someone is taking security seriously before the products hit production.
The full lifecycle of product and infrastructure requires security consistency. The challenge in AWS is operating a continuous, infrastructure-focused security practice. Application security has solutions that port to AWS with no issue, but the traditional IDS/IPS, Host-based agent, and network-scanning technologies all fall apart in AWS environments for various reasons.

You have to move to a DevSecOps style practice to be successful, otherwise security impedes agility and the whole team stumbles (and points fingers, and argues). This puts us in the situation where security-minded folk are on the sidelines while the business runs forward, and when a security incident occurs… well they usually just say “told ya so”. That’s not good for anyone involved.

On the flip-side, organizations using security automation technologies for AWS infrastructure are seeing the rewards of Engineering and Operations (DevOps) teams managing secure infrastructure, while security operations tracks and intervenes only as a support role. This gets both things accomplished — compliance/governance is achieved, agility is maintained, and competitive advantage is earned. It’s hard to argue with the results.

Tim @