We cannot protect what we don’t know exists. A key part of building security into our products is to make key security decisions based on data and not intuition or tribal knowledge alone. In Razorpay, we have hundreds of microservices deployed across multiple EKS clusters, some of which deploy multiple times each day. Any manually built inventory will be out of date within a few hours. In this talk, we will talk about how we built an automated software asset inventory that solves this problem by answering questions such as:
- What AWS services does a given application use?
- Which applications run on a given subdomain?
- Which applications have write access to a given AWS service (e.g.: S3 bucket)?
- For a given business unit, how many “high” risk defects are still open and for how long have they been open?
- Which applications use a particular programming language (useful when incidents such as Log4J strike)?
- List “High” risk applications which have not gone through a security review for over 12 months
We will demonstrate how the application collects data from various AWS services (100+ S3 buckets, 3000+ subdomains from Route 53, IAM, KMS and so on) and other sources ( Github, Jira, Harbor, app manifests etc.) to help answer key security questions and present them in Looker dashboards for on-demand consumption.