AWS Security Users Group Malaysia’s Inaugural Meetup MY (Malaysia)
We are thrilled to announce the inaugural session of the AWS Security Users Group Malaysia, slated for May 9th at the AWS offices located in the heart of Kuala Lumpur. It’s not just about presentations and deep dives into crucial topics, but also an excellent opportunity to network with peers over delightful refreshments.
The inaugural AWS Security Users Group Malaysia Meetup wouldn’t have been as enriching without the invaluable contributions from our esteemed speakers. I would like to take a moment to acknowledge and appreciate them.
- Leo da Silva is an AWS Security Specialist Solutions Architect. He opened the event with insightful notes and later returned to demonstrate the setup of mTLS authentication on EKS with short-lived certificates and AWS Private CA. His expertise in AWS security solutions and hands-on approach made complex concepts accessible to all attendees.
- Liang Yang Loi is an AWS Senior Security Specialist in Enterprise Support. His session on protecting Internet-facing workloads in AWS was an eye-opener. He adeptly navigated us through the ways to shield our cloud assets from Internet-based threats, leveraging the robust security measures provided by AWS.
- I, Varun Kumar Manik, DevSecOps Manager at Deloitte Malaysia, had the privilege of guiding you through the integration of security into the DevOps process, with a live demonstration of a DevSecOps pipeline using Jenkins and the manik-calculator project.
Each session was designed to impart practical knowledge and foster discussions around the pivotal role of security in today’s cloud computing landscape.
For those interested in future meetups and events, you can stay updated by joining the AWS Security Users Group Malaysia on Meetup.
I want to extend my gratitude to all the speakers and attendees who made this event a success. A special thanks to Cheong Hoon Sin, AWS Security Solutions Architect, ASEAN, for his impeccable organization of the event.
Session 2:
As the speaker for the Second session, I would like to share a brief overview of what we will be discussing.
DevOps is much more than a buzzword. It’s a paradigm shift in software development, emphasizing collaboration, automation, and a seamless blend of development and operations tasks. While it promises speed and efficiency, it brings its share of security challenges. Balancing speed with security, mitigating human errors, and promoting secure coding practices become paramount.
This is where DevSecOps enters the picture, integrating security into every stage of the development process. But how do we go about it? We need to instill a culture of security, implement security testing throughout the Software Development Life Cycle (SDLC), automate security processes, and ensure cross-team collaboration.
Embracing DevSecOps can significantly enhance an organization’s security posture, reduce risks and vulnerabilities, and foster a more efficient development process. However, it’s not an overnight transformation but a journey that requires consistent effort and learning.
In the upcoming meetup, we will delve deeper into these topics and explore the best practices in DevSecOps. If you’re as excited as we are, do join us for this enriching session. Let’s collectively strive for a more secure and efficient development environment.
During my session on DevSecOps at the AWS Security Users Group meetup, I was delighted to demonstrate a real-world example of a DevSecOps pipeline using Jenkins. The pipeline was built around a simple project called “manik-calculator”, which is a basic calculator application.
Here’s a high-level overview of the pipeline and the various stages involved:
- Checkout: The pipeline begins with a checkout stage, where the code is fetched from the ‘main’ branch of the manik-calculator repository.
- Maven Clean: The next stage involves running ‘mvn clean’, a command that cleans the project and removes all files generated by the previous build.
- Maven Build: In this stage, ‘mvn compile’ is run to compile the source code of the project.
- Unit Test: The unit test stage involves running ‘mvn test’, which executes the unit tests of the application to ensure all components are functioning as expected.
- SonarQube Analysis: In this critical stage, the SonarQube tool is used to perform a static analysis of the code to detect bugs, code smells, and security vulnerabilities. The pipeline uses credentials to connect to the SonarQube server and performs the analysis.
- Maven Package: Once the code analysis is complete, ‘mvn package’ is run. This command takes the compiled code and packages it into its distributable format, such as a JAR.
- Deploy On Server: Finally, the application is deployed on a server using the deploy command. In this case, it’s being deployed on a Tomcat server at the specified URL.
The post block of the pipeline defines actions to take place based on the result of the pipeline. It always publishes the test results to JUnit. Upon successful completion of the pipeline, it prints the application URL.
This DevSecOps pipeline is a shining example of how security can be seamlessly integrated into the DevOps process. Not only does it automate the build, test, and deployment stages, but it also includes a security analysis stage using SonarQube, ensuring that the application is secure from the get-go.
The manik-calculator project serves as a simple yet powerful demonstration of how DevSecOps principles can be applied in real-world scenarios. By integrating security checks into the development pipeline, we can ensure that our applications are not just functionally robust, but also secure against potential threats. It’s this blend of speed, efficiency, and security that makes DevSecOps a crucial practice in today’s software development landscape.
For more details, you can visit my DevSecOps Presentation on GitHub and feel free to connect with me on LinkedIn.
Session 1: Setting up mTLS Authentication on EKS with Short-lived Certificates and AWS Private CA
Leo da Silva will round up the event with an exciting session on setting up mutual TLS (mTLS) authentication on Amazon Elastic Kubernetes Service (EKS) using short-lived certificates and AWS Private Certificate Authority (CA).
The session will provide a deep dive into how mTLS adds an extra layer of security by requiring both the client and the server to verify each other’s identities before any communication takes place. It’s a significant upgrade from the standard TLS protocol, which only requires the server to prove its identity to the client.
Leo will guide you through the steps of setting up mTLS on EKS, a service that makes it easy to deploy, manage, and scale containerized applications using Kubernetes. He will discuss the advantages of using short-lived certificates, such as reducing the window of opportunity for attackers if a certificate gets compromised.
The session promises a practical demonstration that could be an invaluable learning experience for anyone interested in enhancing the security posture of their Kubernetes applications.
Join us on May 9th for this insightful event, and let’s together stride towards a more secure and efficient future in cloud computing!
Session 3: Protecting Internet-facing Workloads in AWS
Liang Yang Loi, an AWS Senior Security Specialist, will be exploring the protection of Internet-facing workloads in AWS. In the age of cloud computing, organizations are increasingly moving their workloads to the cloud. While this transition offers countless benefits, it also exposes workloads to a myriad of Internet-based threats.
Liang will discuss the importance of implementing robust security measures to shield these workloads. He’ll highlight various AWS services and features that help protect your assets, touching on the concept of a ‘defense in depth’ approach. This approach involves multiple layers of security measures, creating a comprehensive security strategy that is much harder for attackers to penetrate.
Expect an in-depth discussion on AWS security best practices, including but not limited to, the use of security groups, network access control lists (ACLs), and AWS WAF for application-level protection.
Conclusion:
In conclusion, the AWS Security Users Group Malaysia Meetup was a resounding success, reflecting the collective enthusiasm of a community deeply invested in exploring the nuances of cloud security. Each speaker brought a unique perspective, contributing to a comprehensive understanding of DevSecOps and AWS security practices.
The interactive sessions underscored the importance of integrating security into every stage of the development process, protecting internet-facing workloads, and leveraging AWS’s robust security features. These discussions served as a reminder of how proactive and continuous learning is crucial in the ever-evolving landscape of cloud computing and security.
As a speaker and participant, I am gratified by the knowledge exchange that transpired during the meetup. The questions, discussions, and insights shared have not only enriched my understanding but have also reaffirmed my commitment to promoting secure DevOps practices.
The future of DevSecOps is promising, and events like these play a pivotal role in shaping that future. Here’s to many more such insightful sessions, stimulating discussions, and shared learning experiences in our journey towards a more secure and efficient cloud computing ecosystem.
Remember, the quest for knowledge never ends. Keep exploring, keep learning, and most importantly, keep securing!
