@DanielDeogun @DanielSawano #DevoxxPL Platinum Sponsor: Creating Secure Software Benefits from Cloud Thinking Daniel Deogun & Daniel Sawano
A presentation at Devoxx Poland 2018 in June 2018 in Kraków, Poland by Daniel Sawano
Daniel Deogun & Daniel Sawano

Security benefits from cloud thinking?
Cloud concepts

Twelve-factor app (https://12factor.net):
• Codebase: One codebase tracked in revision control, many deploys
• Dependencies: Explicitly declare and isolate dependencies
• Config: Store configuration in the environment
• Backing services: Treat backing services as attached resources
• Build, release, run: Strictly separate build and run stages
• Processes: Execute the app as one or more stateless processes
• Port binding: Export services via port binding
• Concurrency: Scale out via the process model
• Disposability: Maximize robustness with fast startup and graceful shutdown
• Dev/prod parity: Keep development, staging, and production as similar as possible
• Logs: Treat logs as event streams
• Admin processes: Run admin/management tasks as one-off processes

Cloud-native: "A cloud-native application is an application that has been designed and implemented to run on a Platform-as-a-Service installation and to embrace horizontal elastic scaling." (Kevin Hoffman, Beyond the Twelve-Factor App)
What we'll cover today
• Configuration
• Separate processes
• Logging
• The three R's of enterprise security

Configuration: "Store configuration in the environment"
Configuration: configuration in code

    import java.time.Duration;

    public class ServiceConfiguration {
        // field names follow the resource-file slide (port, connection-timeout);
        // the values are the ones shown on this slide
        private final int port = 1023;
        private final Duration connectionTimeout = Duration.ofSeconds(5);
        // ...
    }
Configuration: configuration in code

    import java.time.Duration;

    public class ServiceConfiguration {
        private final int port = 1023;
        private final Duration connectionTimeout = Duration.ofSeconds(5);
        private final String username = "client-app";
        private final String password = "yC6@SX5O";   // secret hard-coded in source
        // ...
    }
Configuration: configuration in code - challenges
• Anyone with access to the code can read the secrets
• No audit trail
Configuration: configuration in resource files

    environments:
      dev:
        service:
          port: 2864
          connection-timeout: 5000
          username: dev-client-app
          password: spring2019
      prod:
        service:
          port: 1023
          connection-timeout: 1000
          username: client-app
          password: yC6@SX5O
Configuration: configuration in resource files - challenges
• Anyone with access to the conf can read the secrets
• No, or very limited, audit trail
• Encrypting values creates new problems

Configuration: configuration in the environment
Environment (injected by the platform):
  port=1023
  username=client-app
  password=yC6@SX5O
→ Application
Configuration: configuration in the environment - solved security challenges
• Audit trail: responsibility put on the platform. Some aspects can be solved with IAM.
• Sharing secrets: minimized. Only managed by platform admins.
• Encryption: not completely solved. Can be solved with ephemeral secrets.
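As an added example (not code from the talk): the ServiceConfiguration class from the slides, populated from the process environment instead of from constants in source or a resource file. It fails fast when a value is missing, validates the values it reads, keeps the password in a wipeable char[] and redacts it from toString so that logging the configuration object never leaks the secret. The variable names SERVICE_PORT, SERVICE_CONNECTION_TIMEOUT_MS, SERVICE_USERNAME and SERVICE_PASSWORD are assumptions for this example; the talk does not prescribe any naming.

```java
import java.time.Duration;
import java.util.Arrays;
import java.util.Map;

// Added example, not from the talk: the slides' ServiceConfiguration read from the environment.
// The environment variable names below are assumptions made for this example.
public final class ServiceConfiguration {

    private final int port;
    private final Duration connectionTimeout;
    private final String username;
    private final char[] password;   // char[] so the value can be wiped once it has been used

    private ServiceConfiguration(int port, Duration connectionTimeout, String username, char[] password) {
        this.port = port;
        this.connectionTimeout = connectionTimeout;
        this.username = username;
        this.password = password;
    }

    // In production call fromEnvironment(System.getenv()); the map parameter keeps it testable.
    public static ServiceConfiguration fromEnvironment(Map<String, String> env) {
        int port = Integer.parseInt(require(env, "SERVICE_PORT"));
        if (port < 1 || port > 65535) {
            throw new IllegalArgumentException("SERVICE_PORT must be between 1 and 65535");
        }
        Duration timeout = Duration.ofMillis(Long.parseLong(require(env, "SERVICE_CONNECTION_TIMEOUT_MS")));
        if (timeout.isNegative() || timeout.isZero()) {
            throw new IllegalArgumentException("SERVICE_CONNECTION_TIMEOUT_MS must be positive");
        }
        String username = require(env, "SERVICE_USERNAME");
        char[] password = require(env, "SERVICE_PASSWORD").toCharArray();
        return new ServiceConfiguration(port, timeout, username, password);
    }

    // Fail fast at startup: a missing value is a deployment error, never a reason to fall
    // back to a default credential baked into the code.
    private static String require(Map<String, String> env, String key) {
        String value = env.get(key);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("missing required environment variable " + key);
        }
        return value;
    }

    public int port() { return port; }
    public Duration connectionTimeout() { return connectionTimeout; }
    public String username() { return username; }
    public char[] password() { return password.clone(); }

    // Wipe the secret after the client has been built; the platform re-injects it on restart.
    public void clearPassword() { Arrays.fill(password, '\0'); }

    // toString never includes the secret, so logging the configuration object is harmless.
    @Override
    public String toString() {
        return "ServiceConfiguration{port=" + port + ", connectionTimeout=" + connectionTimeout
                + ", username=" + username + ", password=<redacted>}";
    }

    public static void main(String[] args) {
        // Constructed sample environment: port, timeout and username match the prod values on
        // the slides; the password is a placeholder.
        Map<String, String> sample = Map.of(
                "SERVICE_PORT", "1023",
                "SERVICE_CONNECTION_TIMEOUT_MS", "1000",
                "SERVICE_USERNAME", "client-app",
                "SERVICE_PASSWORD", "example-only-not-a-real-secret");
        ServiceConfiguration config = ServiceConfiguration.fromEnvironment(sample);
        System.out.println(config);
        config.clearPassword();
    }
}
```

Taking the environment as a Map rather than calling System.getenv() inside the class is what makes the fail-fast and validation paths unit-testable without setting real variables; the platform remains the only place the secret lives between restarts.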
What we'll cover today
✓ Configuration
• Separate processes
• Logging
• The three R's of enterprise security

Separate processes: run apps as separate stateless processes

Separate processes
• Run the app as multiple stateless processes
• Separate the deployment and running of the application
• Only communicate via backing services
Separate processes: run the app as multiple stateless processes
• Security benefit: increased availability and integrity

CIA
• Confidentiality: data must only be disclosed to authorized users
• Integrity: data modification is only allowed in an authorized manner
• Availability: data must be available when needed

Separate processes: separate the deployment and running of the application
• Security benefit: principle of least privilege

Separate processes: only communicate via backing services
• Security benefit: improves availability and integrity by allowing apps to be stateless
What we'll cover today
✓ Configuration
✓ Separate processes
• Logging
• The three R's of enterprise security

Logging: use logging as a service
Logging: logging to disk - challenges
• Confidentiality
  • May contain sensitive information
  • Hard to control access
  • Hard to get a good audit trail
  • Hard to prevent illegal access
Logging: logging to disk - challenges
• Integrity
  • Maintaining integrity often overlooked
  • Write access to log files usually not restricted or audited

Logging: logging to disk - challenges
• Availability
  • Log files are lost when servers are replaced
  • Disk space runs out
Logging: logging as a service
Application → Log service

Logging: logging as a service - solved security challenges
• Confidentiality: easy to restrict access and prevent illegal access. Audit trail.
• Integrity: mutating operations not exposed/implemented. Can even digitally sign log events.
• Availability: log storage is handled explicitly so no log files can go missing. Storage is a primary concern so no accidental shortage of disk space.
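The integrity bullet above mentions digitally signing log events. As an added example (not code from the talk or from any particular log service), here is one way an application can emit a tamper-evident event stream: each event carries an ECDSA signature over its sequence number, message and the hash of the previous event, and the receiving log service (or a later auditor) verifies the whole chain with only the public key. Class and method names, the GENESIS marker and the sample log lines are all constructed for this example; it needs Java 16 or later for the record syntax.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

// Added example, not from the talk: a hash-chained, signed log event stream.
public final class SignedLogStream {

    // One log event as sent to the log service. prevHash links it to its predecessor.
    public record Event(long seq, String message, String prevHash, String signature) {}

    private static final String GENESIS = "GENESIS";   // constructed start-of-chain marker

    private final PrivateKey signingKey;
    private final List<Event> events = new ArrayList<>();
    private String lastHash = GENESIS;

    public SignedLogStream(PrivateKey signingKey) { this.signingKey = signingKey; }

    // Producer side: sign seq + message + previous hash, then advance the chain.
    public Event append(String message) throws GeneralSecurityException {
        long seq = events.size();
        String payload = payload(seq, message, lastHash);
        String signature = sign(payload);
        Event e = new Event(seq, message, lastHash, signature);
        events.add(e);
        lastHash = sha256(payload + signature);
        return e;
    }

    public List<Event> events() { return List.copyOf(events); }

    // Verifier side (log service or auditor): detects modified, removed or reordered events.
    public static boolean verify(List<Event> events, PublicKey key) throws GeneralSecurityException {
        String expectedPrev = GENESIS;
        for (int i = 0; i < events.size(); i++) {
            Event e = events.get(i);
            if (e.seq() != i || !e.prevHash().equals(expectedPrev)) return false;   // gap or reorder
            String payload = payload(e.seq(), e.message(), e.prevHash());
            Signature sig = Signature.getInstance("SHA256withECDSA");
            sig.initVerify(key);
            sig.update(payload.getBytes(StandardCharsets.UTF_8));
            if (!sig.verify(Base64.getDecoder().decode(e.signature()))) return false;   // modified
            expectedPrev = sha256(payload + e.signature());
        }
        return true;
    }

    private static String payload(long seq, String message, String prevHash) {
        return seq + "\n" + message + "\n" + prevHash;
    }

    private String sign(String data) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign(signingKey);
        sig.update(data.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sig.sign());
    }

    private static String sha256(String s) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair kp = gen.generateKeyPair();   // in practice the private key stays with the app

        SignedLogStream log = new SignedLogStream(kp.getPrivate());
        log.append("user=alice action=login result=ok");          // constructed sample events
        log.append("user=alice action=view-invoice id=42");
        System.out.println("intact stream verifies: " + verify(log.events(), kp.getPublic()));

        // Simulate someone editing the stored copy of the second event.
        List<Event> tampered = new ArrayList<>(log.events());
        Event e = tampered.get(1);
        tampered.set(1, new Event(e.seq(), "user=alice action=view-invoice id=43", e.prevHash(), e.signature()));
        System.out.println("tampered stream verifies: " + verify(tampered, kp.getPublic()));
    }
}
```

The chain hash is what turns per-event signatures into stream integrity: a single forged or dropped event breaks every prevHash that follows it, so the log service does not need write-protected files to notice the change, which is the gap the "logging to disk" slides describe.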
What we'll cover today
✓ Configuration
✓ Separate processes
✓ Logging
• The three R's of enterprise security

The three R's of enterprise security (Justin Smith, 2016)

The three R's of enterprise security
• Rotate: rotate secrets every few minutes or hours
• Repave: repave servers and applications every few hours
• Repair: repair vulnerable software a few hours after a patch is available

The three R's: increase change to reduce risk
The three R's: rotate secrets every few minutes or hours
Environment (ephemeral secrets, injected by the platform):
  password=yC6@SX5O
  certificate=xyz
→ Application

The three R's: rotate secrets every few minutes or hours
Application → "password?" → Secret Service → password=yC6@SX5O

The three R's: rotate secrets every few minutes or hours
• Passwords
• Certificates
• Access tokens
• …
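The rotate slides show the application asking a secret service for its password rather than holding it permanently. As an added example (not code from the talk, and not any real secret manager's API), here is a toy in-memory secret service that hands out short-lived leases, together with an application-side client that re-leases whenever its lease expires. It also shows the practical caveat that makes rotation every few minutes workable: the service keeps the previous value valid for one lease lifetime after rotating, so an application that is mid-lease does not start failing. Class and method names, the fake clock and the secret name db-password are constructed for this example; it needs Java 16 or later for the record syntax.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;

// Added example, not from the talk: ephemeral secrets with lease-based rotation.
public final class EphemeralSecrets {

    // A lease pairs a secret value with the instant after which it must no longer be used.
    public record Lease(String name, String value, Instant expiresAt) {}

    // Toy secret service (constructed for this example; not a real product's API).
    public static final class SecretService {
        private final Map<String, String> current = new ConcurrentHashMap<>();
        // Previous value per secret, accepted only until every outstanding lease on it has expired.
        private final Map<String, Lease> retiring = new ConcurrentHashMap<>();
        private final Duration leaseTtl;

        public SecretService(Duration leaseTtl) { this.leaseTtl = leaseTtl; }

        // Rotation: issue a fresh value and keep the old one valid for one lease TTL.
        // A real service would also push the new value to the consumer (database, broker).
        public void rotate(String name, Instant now) {
            String old = current.get(name);
            if (old != null) retiring.put(name, new Lease(name, old, now.plus(leaseTtl)));
            current.put(name, name + "-" + UUID.randomUUID());
        }

        public Lease lease(String name, Instant now) {
            String value = current.get(name);
            if (value == null) throw new IllegalArgumentException("unknown secret: " + name);
            return new Lease(name, value, now.plus(leaseTtl));
        }

        // Consumer-side check: what the database or broker would do with a presented credential.
        public boolean isValid(String name, String presented, Instant now) {
            if (presented.equals(current.get(name))) return true;
            Lease old = retiring.get(name);
            return old != null && presented.equals(old.value()) && now.isBefore(old.expiresAt());
        }
    }

    // Application side: never keeps the secret beyond its lease; re-leases transparently.
    public static final class RotatingSecretClient {
        private final SecretService service;
        private final String name;
        private final Supplier<Instant> clock;
        private Lease cached;

        public RotatingSecretClient(SecretService service, String name, Supplier<Instant> clock) {
            this.service = service;
            this.name = name;
            this.clock = clock;
        }

        public synchronized String currentValue() {
            Instant now = clock.get();
            if (cached == null || !now.isBefore(cached.expiresAt())) {
                cached = service.lease(name, now);   // first use or lease expired: fetch again
            }
            return cached.value();
        }
    }

    public static void main(String[] args) {
        SecretService service = new SecretService(Duration.ofMinutes(5));
        Instant[] now = { Instant.parse("2018-06-20T10:00:00Z") };   // constructed fake clock
        service.rotate("db-password", now[0]);

        RotatingSecretClient client = new RotatingSecretClient(service, "db-password", () -> now[0]);
        String first = client.currentValue();

        now[0] = now[0].plus(Duration.ofMinutes(2));
        service.rotate("db-password", now[0]);   // platform rotates while the app keeps running
        System.out.println("old value still accepted during overlap: "
                + service.isValid("db-password", first, now[0]));

        now[0] = now[0].plus(Duration.ofMinutes(6));   // the app's lease has expired by now
        String second = client.currentValue();
        System.out.println("new value picked up without restart: " + !second.equals(first));
        System.out.println("old value rejected after overlap: "
                + !service.isValid("db-password", first, now[0]));
    }
}
```

The overlap window is the design choice to get right: rotation without it causes outages whenever a rotation lands mid-lease, and an overlap longer than the lease TTL keeps a leaked credential usable for longer than necessary. Matching the two, as here, bounds the lifetime of any stolen value to at most two lease periods.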
The three R's: repave servers and applications every few hours
• Recreate servers and apps from a known good state
• Use rolling deployments to eliminate downtime
• Burn old instances to the ground
• If running containers, consider also repaving the host
The three R's: repair vulnerable software a few hours after a patch is available
• Applies to both operating systems and applications
• No incremental updates, repave instead

The three R's: repair vulnerable software a few hours after a patch is available
Patch available → New known good state → Repave

The three R's: repair vulnerable software a few hours after a patch is available
• Applies to both operating systems and your own applications
• No incremental updates, repave instead
• CI/CD enables you to repair your own applications
• Don't forget 3rd party dependencies

The three R's: ever-changing software is the nemesis of persistent threats

Summary
✓ Configuration
✓ Separate processes
✓ Logging
✓ The three R's of enterprise security
Manning Publication: bit.ly/secure-by-design (40% discount code: ctwdevoxxpl18)

Q&A

Thanks!