Juanjo: Welcome to this second episode of our videocast series about DevOps for Financial Services. My name is Juan José Rodríguez and I am VP of Engineering here at ClickIT Smart Technologies.
Alfonso: And I am Alfonso Valdés, the CEO and founder here at ClickIT Smart Technologies.
Juanjo: How is everything going, Alfonso?
Alfonso: I'm very good. I'm very excited to have this DevOps talk about Financial Services and security. So, yeah, let's start.
Juanjo: So, guys, in the first episode we talked a little about the main benefits and the business value that FinTech companies can get from DevOps. In this video we will focus on one of the main concerns these FinTech companies have, which is security. We will also talk about the tools those FinTech companies can use in their internal processes, and, most importantly, we will discuss the most important requirements that FinTech companies must implement in their processes in order to have security just like a bank.
Alfonso: So, yeah, let's start with the first requirement, which is DevSecOps.
Juanjo: That's good.
Alfonso: So what is DevSecOps? Well, let's start by thinking about what DevOps is. As you may know, DevOps is an alignment between development and operations, where operations needs to understand development and development needs to understand IT operations. Now, we left security behind; security needs to be injected between those two worlds, as DevSecOps. It is also known that DevSecOps needs to be included on the left side of your continuous delivery pipeline. And, as well, the developer needs to think in a secure way. What I mean is coding with security from the repository and from your IDE, your development tool, in this case.
Juanjo: Okay, that's clear.
Alfonso: Also, what practices are covered in DevSecOps? Well, initially, the first practice is security testing, which includes SQL injection, cross-site scripting attacks, file inclusion, cross-site request forgery and also broken authentication, which is very common, where your passwords or your user can get lost or stolen. Something very prominent is that in this security testing, or this automated testing, you need to include the OWASP methodology. So, those aspects that I have mentioned, SQL injection and so on, are based on the OWASP methodology, where you can use the ZAP tool, use OWASP and also cover those aspects.
Alfonso: Now, a second practice is static analysis, which is white-box testing, and it analyzes, or this practice has the ability to scan, the repositories.
Juanjo: That's interesting...
Alfonso: Yeah, to search for vulnerabilities, to search for errors, bugs or any serious vulnerability as well. Another practice to consider is dynamic analysis testing, which consists of running an automated vulnerability assessment. Also, this practice lives in the testing phase: you can scan a live testing website, compared to static analysis, which lives in the development phase. In the case of dynamic code analysis, which lives in the testing phase, you can use POST requests, you can test input fields and forms, and you can use the Burp Suite and ZAP tools as well. Now, there's another practice which is called interactive application security testing, which is an old practice but with more elaborate scenario patterns; it's a complex test case, you need to elaborate complex test cases, but it can be automated as well. And the last practice is that you have to analyze and review your operating system, your containers, your frameworks and libraries. You need to find vulnerabilities in those spaces. As you may know, in order to speed up your development you get along, or you work, with open source tools, where those open-source tools come from the community. So, they need to be tested very, very well in order not to get any vulnerability. So, analyzing containers and operating systems can help you with this practice. To conclude this requirement, what DevSecOps tools are recommended by ClickIT? Well, from my point of view, I would recommend Checkmarx, Veracode, SonarQube, or now SonarCloud, and also Snyk.
Juanjo: Now, guys, we will go on to the second requirement that every FinTech company must have in order to comply with security, and that's having a Threat Intelligence System. It is a very common term in the technology environment, but let's define a threat intelligence system as having, first of all, a list of all the risks and the threats that your system can face for being on the Internet. It can be hackers, it can be brute-force attacks, it can be viruses, etc.
Juanjo: Secondly, you already have the plan, but now you need to count on the necessary tools to keep constant monitoring over your applications and systems, and here we can find, for example, an application-level monitoring tool; we can also have, in this case, some IDS, Intrusion Detection Systems, on the server, so that we can detect if anyone can harm us, or wants to harm us, or wants to damage our system. And the third factor that defines a Threat Intelligence System is to have a list, or a database, if you want to call it that way, with all the risks and the threats that you have faced in your experience during the operation of your application, and of course you need to have all the paths and all the solutions that you used to get away from those risks and from those threats. So that would be, in summary, the definition of having a Threat Intelligence System. So perhaps you will ask yourself, well, what benefit can I get from having a Threat Intelligence System over my applications and systems? Well, just imagine this: if you have a Threat Intelligence System you will have a full and constant vision of what's going on in your system; you will have a full vision of all those possible attacks that you may suffer on the Internet. And, of course, you will be able to take corrective action in order to avoid this in the immediate future. So, you can see that if you are prepared to face these risks and you are prepared to face these threats, then your application will suffer less downtime, will suffer less damage, and of course you will have happier customers. That will make more business for you.
Alfonso: I agree with you, totally.
Juanjo: So, that's the main business value that you can get from having a Threat Intelligence System. And now, if we want to know what tools can be useful for having a basic Threat Intelligence System over our applications and systems, that would be, number one, an application-level monitoring tool such as New Relic, which is the choice, the tool that we use the most here at ClickIT. Then, if you want to have intrusion detection systems, we have OSSEC, which is a very good option for us, and then we have some other, more complex tools such as Twistlock and Threat Stack, which give us more vision over all the server processes that are going on, all the file changes that you can have on the servers; they inform you about all the activity of the users that are interacting with your systems. So they are pretty complete and they're pretty, how can we say? They are pretty exact in the reports that they give you. And our best recommendation to implement the Threat Intelligence System is to start by implementing an application-level monitoring tool such as New Relic, and having complex tools such as Twistlock and Threat Stack from the start. That's a basic understanding and a basic implementation of a Threat Intelligence System on your application, but of course you can extend that according to your requirements, okay?
Alfonso: So, the third requirement is cloud security and automation. First, we need to dissect it into four significant aspects. The first one is security automation, which is defined as the engineering process to handle repetitive tasks related to security without human intervention or manual interaction. That's the core thing that you need to do. Now, that includes vulnerability assessment, scanning, server hardening and security testing [Okay] in that aspect. So, how can you perform security automation? Well, you need a configuration management system similar to Ansible, Terraform or even AWS CloudFormation.
So, what is a CMS? What's a Configuration Management System? Well, it's a platform to automate sysadmin and DevOps tasks. Now, something important about the CMS is that you have ready templates, ready pre-built configurations, where you can secure your environment. Imagine that you're a financial company and you are required to include a new application, an API application for example, and that application needs to be PCI compliant. If you bring up those templates coming from security automation, whether you're using Ansible, AWS CloudFormation or even Terraform, you can build it very fast. Another example that I usually try to explain to our clients is that if you adopt security automation you can recover from a data breach faster.
Juanjo: Oh that's cool!
Alfonso: Yeah, because if you get hacked or you suffer a data breach you can apply that patch in a few seconds with just one command, compared to not having security automation, where you would have to patch the entire farm of servers.
Juanjo: That's pretty optimal, eh?
Alfonso: Yeah, definitely. Something important that I have here is that you need to secure, as well, your continuous delivery pipeline: permissions, deployment, access management, keys and more. Now, the second aspect is encryption, which is a very important topic. It can be said that it's segmented into different aspects or elements, but we added it here, in this section, where financial services need to encrypt everything: all communications, all the storage and anything that can be connecting or communicating between them. The first encryption that I will suggest using is encrypted disks, EBS, or S3.
Juanjo: That's for start.
Alfonso: Also, you need to encrypt, or you need to have, a private network using a VPN alongside a VPC. As you may know, we need best practices for Amazon, which include a VPC; you need to design, or also segment, a public and a private network, adding the databases or private servers, obviously, in the private network, and also the load balancer, or any public API, including the public cloud, on the public network.
Alfonso: Something important to mention is that you need to encrypt your web server using TLS or SSL, the product rules, the APIs, and also the communication between the containers and services. That's a very important item.
Alfonso: And also, finally, the database encryption: the database needs to be encrypted. Whenever you need, or are required, to pull over some data, it is recommended that sensitive information be encrypted. And the third aspect is access management, so we should start with: What is a KMS? What is a Key Management System? Well, definitely, it is just a tool to save passwords, secrets, and tokens for APIs. Whenever you need to save any critical information you should add a KMS. So, what are the tools recommended for this aspect, or this first kind of service? Well, I will recommend HashiCorp Vault. I'll recommend AWS KMS as well, and also Google Cloud KMS.
Alfonso: Another practice that is important is to add user policies, where you need to organize your access to servers, applications and the AWS organization, because, you know, you have developers, you have operations, you might have a sysadmin, or even a project manager, who would like to have access to the resources. So, it's very important that organizations have a user policy on this aspect.
Alfonso: Now, the fourth aspect: benchmarks and checklists. So, what does that mean? Well, it's important that any corporation or financial service runs a checklist after any implementation [Okay]. Even if you have been working on a DevOps implementation or on security automation, you can get misconfigurations, you can forget things; perhaps you launched an application and you forgot to secure it, you forgot to use, or to leverage, the best practices. So it's important to use a checklist. In this case, I would recommend using the NIST framework, which is a cybersecurity framework. And the last framework that I would recommend is the CIS framework, which is the Center for Information Security, and that last framework is more focused by technology and service. For example, Nginx: you could harden, or you can run that checklist based on Nginx, compared to the NIST framework, where you have a checklist by industry or regulation.
Juanjo: Okay. The fourth specific requirement for security that every FinTech company must have is security compliance. And what do we mean by security compliance? Well, we mean getting the FinTech business, or the FinTech IT processes, compliant with international standards such as PCI and SOC 2. PCI is more focused on the security of customers' credit card information, and SOC 2 is more focused on getting security at the infrastructure level of the FinTech applications. So, we could say that they both complement each other, but nowadays PCI is more widely used across the FinTech and IT market, and that's actually one thing that we recommend at ClickIT: that you first focus on getting compliant with PCI instead of SOC 2, but you can do both if you want. Now, the interesting part here, or perhaps one of the questions that you may have, is: what are the main items that could help me, as a FinTech, to get compliant with PCI or SOC 2? Well, they share many of the standards of the regulations, but one of them is to perform continuous penetration tests, either internally by your own system administrators or, the most recommended thing here, by implementing ethical hacking by third parties and letting them make those penetration tests for you, so that they can explore all your vulnerabilities, okay? So, the second item to get compliant is to run continuous vulnerability assessments over the systems and applications; you can either do it manually or you can use tools such as, perhaps, Nessus or something like that, and that will give you another of the items that will help you to get compliant: continuous vulnerability assessment. Okay, the third item that PCI and SOC 2 consider in their process is database replication, failover and encryption. You mentioned the topic of encryption, which is a very important one. So, here we find it again: PCI and SOC 2 put special attention on data encryption. Why?
Because, as we said, they primarily focus on securing the credit card information and the infrastructure world, so that's another important part. A fourth item that will help you to get compliant is to implement a Threat Monitoring System or a Threat Intelligence System, which was point number two of the requirements that we have just mentioned, right? And the last item that will help you to get compliant is the first item that we mentioned in this video, which is DevSecOps. So, you can see that it is not really hard to get compliant with PCI or SOC 2, or to comply with some of the most important of the other items. But, of course, you should always do it assessed by an expert, and of course you need to know what to do in those cases. Now, if you ask us, we strongly recommend that you prefer to get compliant with PCI, and to always make sure that you have your database encrypted, that you have replication for that database, so that in case one of the databases crashes you have a backup for that, and that you have failover for that database. So that in case you have emergencies, perhaps the database crashed, the database got messed up, if you have failover and if you have replication you can always have a copy of that database and restore it. So, we really encourage FinTech companies to get compliant with PCI or SOC 2, because your customers will ask that of you, and your users will be more confident that the service they are using is reliable and will be available at all times.
Alfonso: So, now, guys, let's conclude with the security DevOps toolchain. The first element is DevSecOps. So, what are the best recommendations for DevSecOps? In my opinion, it would be Sonatype, which is a cost-effective solution for startups and for small and medium businesses. But if you are an enterprise and you have a good budget I would recommend Checkmarx, because it's very robust and it's literally in the Gartner Magic Quadrant.
Juanjo: Now, for Threat Intelligence, I mentioned it before and I'll mention it again. The tools that we recommend for you to have a Threat Intelligence System are, number one, an application-level monitoring tool: New Relic, that's the one we recommend; and secondly, a complex Threat Intelligence System such as Twistlock or Threat Stack.
Alfonso: Nice. Now, for cloud security, well, the most well known is AWS; I would recommend adopting AWS.
Alfonso: And use the toolchain [All the way] of that cloud. What does that include? I would say AWS CloudFormation for your security automation, CloudTrail, also WAF, VPC. Enable the encryption, and also use and leverage AWS
Juanjo: Correct. So, guys, this is the end of this episode. We hope that this is useful for you, and we hope that you have learned a lot about the most important requirements that every FinTech company must have regarding security, and how DevOps can help them to comply with those requirements. So we're really happy that you have watched this video, and, well, we will see you in the third episode of this videocast series.
Alfonso: Yeah, see you later.