9 hours 29 minutes
in this video, we'll continue our discussion on secure deployment.
We'll see how vulnerability assessment fits into that penetration. Testing the deployment pipeline security considerations and review infrastructure as code in immutable there. Few major patterns for incorporating and vulnerability assessment into your deployment process.
Pipeline based testing is good for immutable images and containers
you integrated into your C I C D pipeline. From there, you assess images and containers in a mocked out testbed area or in a copy of the real production environment
and images that have no known vulnerabilities. Get approved and move along down the pipeline.
Another approach for vulnerability assessment is installing an agent to run on the host virtual machines while that machine is running in production. The agent performed scans on the workstations and servers, and it reports any system conformance to the manager based on security standards that you've defined.
So I let you know when the configuration of the machine has drifted from the security standards that you have defined.
Let's take a moment and clarify differences between vulnerability assessments and penetration testing. Keep in mind a vulnerability assessment is where you identify the vulnerabilities, whereas penetration testing, you're not only identifying vulnerabilities, but you're gonna full on exploit the vulnerabilities to prove what was a hypothesis
actually allows you to do what you wanted to do.
In both circumstances, you want to be sure you have provider permission, and they're aware of the activities is they may not be able distinguish you from doing your own assessments and security testing from somebody that's trying to mount an attack. The bottom have two pictures which I will leave summarized the difference.
Vulnerability assessment is more of, ah, observe and report kind of a situation.
We're on the right. I have a picture of the iconic Rambo who's going in guns blazing penetration testing is a lot more aggressive in its method. Of course, you're hiring a penetration test of the goal is not to destroy your system. However, it's not unreasonable to expect. They may cause some damage when performing the penetration test themselves.
Specifically, when you're doing penetration in the cloud, you're gonna want to make sure to use a firm that has experience with the particular cloud provider
that the penetration tests is going to be conducted against the nuances and back doors at this level of detail, are gonna vary from one cloud provider to another. Moreover, they're gonna have a better feel for what? Of the cloud providers, regulations and expectations to give them notice and to only go so far in your penetration testing
to that point where the cloud providers going to get upset and perceived the person as actually performing a real world attack.
You want to include developers and administrators in the scope of the tests. This would be taking into account social engineering. Many of these individuals will have access to the management plane. And if they're vulnerable to this kind of social engineering, and somehow they give up their password or something like that,
and the penetration testers there through that means able to get access to the management plane.
It's a very successful test, and it also lets you know where you need to focus some of your non technical oriented training.
And finally, if you're in a multi tenant environment, give the firm access and ability to test that multi tenant isolation. This allows you to assess how well the cloud provider has done in ensuring multi tenant isolation unless, you know, if you're vulnerable from, not necessarily an external attack, but from an attack by a malicious co tenant.
Here's an image of the deployment pipeline.
This is something we really want to look at securing from an end end perspective. The first step requires we ensure that there's limited access is who can do what. On the far left, we have source code for applications. We have infrastructure templates. We have various server configuration files and automation scripts.
These all go into a version control repository. This is very important piece because it tracks and logs every code, infrastructure and configuration change, and each change is able to trace back to who is the individual that made this.
From that point, The information is pulled from the version control repository and used by a continuous integration server. It's gonna perform a variety of actions, including assembling the application or deploying the infrastructure to certain environments, and also initiate running different kinds of tests that we've discussed previously. This will all be done and targeted towards it
test environment at first.
Then, if anything is successful, it will be pushed and promoted into the production environment.
A key piece to this kind of traceability comes from infrastructure as code and immutable images. Both of these tactics Congrats, Lee. Improve your security and you will likely be tested on this. You're gonna use templates to define the infrastructure of virtual machines, images and the containers that are deployed into your environment.
Then you put those templates in the version control.
You may recall this was the far left of the previous diagram. The pipeline then detects changes to these files, performs a variety of operations and runs the testing Once the test passed, the build environment is in promoted and the old is replaced with the new.
This allows an entire environment to be consistently rebuilt. Disabling remote log in on the servers greatly increases your security posture. And this overall picture provides a consistency of control and integrated ought ability, making it a lot easier to adhere to a variety of compliance without the overhead of manual paperwork and stamping.
To summarize this video, we talked about vulnerabilities testing specifically in a cloud environment and integrating it into your security employment pipeline.
We reviewed penetration, testing and how that could be used,
talked about the deployment, pipeline security and the importance of securing the different access to that pipeline and then the benefits of infrastructures code and immutable servers. And finally, the security benefits that infrastructure is code and immutable servers bring to your world.
This course prepares you to take the CCSK certification by covering material included in the exam. It explains how the exam can be taken and how CCSK certification process works.