12

Best practices for proactive security testing

  • Upload
    others

  • View
    2

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Best practices for proactive security testing
Page 2: Best practices for proactive security testing

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Best practices for proactive security testing

S E C 2 1 5 - R

Kevin Higgins

Senior Cloud Infrastructure Architect

Amazon Web Services

Page 3: Best practices for proactive security testing

Agenda

Introduction to threat modeling

Exercise—threat modeling AWS architectures

Demo

Page 4: Best practices for proactive security testing

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Page 5: Best practices for proactive security testing

Threat modeling

What is threat modeling?

Process and methodologies

Components of a threat modelAssets and information flows (Amazon EC2, Amazon S3, Amazon RDS, data)

System edges and entry points

External dependencies and assumptions

Classes of actors and action/trust (app users, admin, services)

Threat model outputRisks and mitigations

Page 6: Best practices for proactive security testing

Simple 3-tier applicationAWS account

VPC

Amazon EC2

Elastic Load Balancing

Amazon RDS

Bucket with

objects

Amazon

CloudFront

Amazon Route 53

Application

users

Cloud

architects

Developers,

DBAs, testers

Objectives:

1. Security group not

open to 0.0.0.0/0

2. S3 bucket not publicly

readable/writable

3. Amazon EBS and

Amazon RDS are

encrypted

4. All admins access AWS

account via SAML-

based federation

Page 7: Best practices for proactive security testing

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Page 8: Best practices for proactive security testing

AWS components

Amazon EC2 and Amazon S3

Let’s enumerate threats to these components in isolation

List out AWS constructs that represent trust boundaries

For each threat, let us enumerate a directive by policy, preventive, detective, and responsive countermeasures to reduce the risk

Let us develop a test case/acceptance criteria along the lines of BDD

Page 9: Best practices for proactive security testing

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Page 10: Best practices for proactive security testing

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

30+ free digital courses cover topics related to cloud security, including Introduction to Amazon GuardDuty and Deep Dive on Container Security

Learn security with AWS Training and Certification

Visit aws.amazon.com/training/paths-specialty/

Classroom offerings, like AWS Security Engineering on AWS, feature AWS expert instructors and hands-on activities

Validate expertise with the AWS Certified Security - Specialty exam

Resources created by the experts at AWS to help you build and validate cloud security skills

Page 11: Best practices for proactive security testing

Thank you!

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Kevin Higgins

[email protected]

Page 12: Best practices for proactive security testing

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.


Proactive Best Practices for Payables and Payments Oracle E-Business Suite R12 Andrew Lumpe & Stephen Horgan Oracle Proactive Support Services October

Proactive Best Practices for Payables and Payments Oracle E-Business Suite R12 Andrew Lumpe & Stephen Horgan Oracle Proactive Support Services October

Documents
Micronaut Testing Best Practices

Micronaut Testing Best Practices

Documents
Webinar Presentation: Proactive vs Reactive Glass Delamination Testing for Pharmaceuticals

Webinar Presentation: Proactive vs Reactive Glass Delamination Testing for Pharmaceuticals

Science
Proactive WiFi Testing and Monitoring · WiFi Scanner Manager (WFSM): Proactive Testing and Monitoring • Ready to deploy software for all major OSes: Mac, Windows, Android, iOS

Proactive WiFi Testing and Monitoring · WiFi Scanner Manager (WFSM): Proactive Testing and Monitoring • Ready to deploy software for all major OSes: Mac, Windows, Android, iOS

Documents
Disciplined Software Testing Practices

Disciplined Software Testing Practices

Documents
Well Testing Recommended Practices

Well Testing Recommended Practices

Documents
OWASP Top 10 Proactive Controls Project · Take advantage of agile practices like Test Driven Development, Continuous Integration and relentless testing. These practices make developers

OWASP Top 10 Proactive Controls Project · Take advantage of agile practices like Test Driven Development, Continuous Integration and relentless testing. These practices make developers

Documents
Email Testing - Best Practices

Email Testing - Best Practices

Technology
S-CUBE LP: Online Testing for Proactive Adaptation

S-CUBE LP: Online Testing for Proactive Adaptation

Technology
AB Testing : 8 Best Practices

AB Testing : 8 Best Practices

Technology
Mobile testing practices

Mobile testing practices

Mobile
User Interface Testing | Best Practices

User Interface Testing | Best Practices

Technology
Best Practices in Developing Proactive Supply · PDF fileDeveloping Proactive Supply Strategies for ... ing and Supply Chain Management: ... iv Best Practices in Developing Proactive

Best Practices in Developing Proactive Supply · PDF fileDeveloping Proactive Supply Strategies for ... ing and Supply Chain Management: ... iv Best Practices in Developing Proactive

Documents
Agile Testing Practices

Agile Testing Practices

Documents
Gwt Testing Best Practices

Gwt Testing Best Practices

Documents
From Passive to Proactive: Best Practices for Citizen

From Passive to Proactive: Best Practices for Citizen

Documents
Proactive Security Testing-Protecting Against Tomorrow's Threats Today

Proactive Security Testing-Protecting Against Tomorrow's Threats Today

Documents
Copper Testing Best Practices

Copper Testing Best Practices

Documents
Load Testing Best Practices

Load Testing Best Practices

Technology
Software Testing Practices 1

Software Testing Practices 1

Documents
Proactive IVR Contact: Strategies & Best Practices

Proactive IVR Contact: Strategies & Best Practices

Technology
Proactive vs Reactive Glass Delamination Testing in Pharmaceuticals

Proactive vs Reactive Glass Delamination Testing in Pharmaceuticals

Science
Agile Testing Best Practices

Agile Testing Best Practices

Documents
Proactive well control practices avert dangers

Proactive well control practices avert dangers

Documents
DOCSIS® Best Practices and Guidelines Proactive Network

DOCSIS® Best Practices and Guidelines Proactive Network

Documents
B4 Enhancing the Classroom: Proactive Practices

B4 Enhancing the Classroom: Proactive Practices

Documents
Webinar Presentation: Proactive vs Reactive Glass Delamination Testing in Pharmaceuticals

Webinar Presentation: Proactive vs Reactive Glass Delamination Testing in Pharmaceuticals

Science
Leadership : Best Practices in the Use of Proactive Influence Tactics by Leaders

Leadership : Best Practices in the Use of Proactive Influence Tactics by Leaders

Leadership & Management
Gates Advocates for Proactive Tax Planning for Medical Practices

Gates Advocates for Proactive Tax Planning for Medical Practices

Health & Medicine
Proactive and Preventive Best Practices In the Wake of

Proactive and Preventive Best Practices In the Wake of

Documents