DeepSec 2018 Talk: Orchestrating Security Tools with AWS Step Functions – Jules Denardou & Justin Massey
Increasingly frequent deployments make it impossible for security teams to manually review all of the code before it is released. Jules Denardou and Justin Massey wrote a Terraform-deployed application to solve this problem by tightly integrating into the developer workflow. The plugin-based application has three core components, each represented by at least one Lambda function: a trigger, processing and analysis, and output. The plugins, such as static analysis, dependency checking, github integrations, container security scanning, or secret leak detection can be written in any language supported by AWS Lambda.
The underlying technology for this tool is a serverless system utilizing several AWS Services, such as API Gateways, Step Functions and Lambdas.
In this talk you’ll not only learn about our tool and how to implement it in your CI/CD pipeline, but also how to easily deploy complex serverless systems and step functions for your own automated tooling.
We asked Jules and Justin a few more questions about their topic of expertise.
Please tell us the top 5 facts about your talk.
- AWS Step Functions are amazing!
- This project will be open-sourced after our talk.
- We first attempted to recreate the wheel because we were not aware of AWS Step Functions. Don’t make the same mistake as us!
- We will show you how you can integrate an entire workflow: from opening a pull request, to scanning the source code with “github.com/securego/gosec”, then commenting on a pull request.
- Justin has never been to Austria (or even Europe) before. Make sure to buy him an Austrian beer!
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
We were in the process of designing and creating multiple tools to support application security efforts and quickly realized that they shared many similar features. We needed a middle layer that contained a framework necessary for communicating with our CI/CD pipeline and a modular framework that would allow us to iterate more quickly and future-proof our security testing as the company scales up.
Why do you think this is an important topic?
Integrating security fluidly into the developers’ workflows is imperative to run a successful application security program. Finding vulnerabilities is only the only the first step in the process to secure an application. Everybody in the development workflow must work together and this should involve developers as early as possible. Developer and security departments working together as a team is the key to success. The tooling discussed during this talk will bridge the gap between development and security teams.
Is there something you want everybody to know – some good advice for our readers maybe?
Want to bridge the gap between developers and security? Security needs to start giving immediate feedback to the developers. To make this scalable, security tooling that provides actionable results during the development process is necessary.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
As more companies embrace modern development practices, we think the need for security testing and tooling that provides actionable feedback early in the development process will continue to grow. Security teams will never scale the same as engineering teams and cannot manually review all code before it is deployed to production – automation and enabling developers is the key to growth in this area.
Jules Denardou is a Security Engineer at Datadog. He got his MS Degree in Computer Science at Ecole Centrale Paris in France, before joining the company in New York City. He especially focuses on integrating security into the developers workflow rather than blocking it. Blue teaming during the week, he is also a CTF Player on weekends.
Justin Massey is a Security Engineer at Datadog. His background in managing the technical operations of an MSP led him to discovering weaknesses in many businesses’ networks and applications. After leaving the MSP, he transitioned into the role of penetration tester to identify the weaknesses before the attackers. Justin’s current focus is to discover new ways to ensure product security, while maintaining developers efficiency and happiness.