A presentation at GeeCON Kraków 2018 in in Kraków, Poland by Daniel Sawano
Creating Secure Software Daniel Sawano Kraków, 9-11 May 2018 Benefits from Cloud Thinking
Daniel Sawano
@DanielSawano #SecureByDesign #GeeCON Security benefits from cloud thinking?
@DanielSawano #SecureByDesign #GeeCON Cloud concepts • Codebase One codebase tracked in revision control, many deploys
• Dependencies Explicitly declare and isolate dependencies
• Config Store configuration in the environment
• Backing services Treat backing services as attached resources
• Build, release, run Strictly separate build and run stages
• Processes Execute the app as one or more stateless processes
• Port binding Export services via port binding
• Concurrency Scale out via the process model
• Disposability Maximize robustness with fast startup and graceful shutdown
• Dev/prod parity Keep development, staging, and production as similar as possible
• Logs Treat logs as event streams
• Admin processes Run admin/management tasks as one-off processes Twelve-factor app https://12factor.net A cloud-native application is an application that has been designed and implemented to run on a Platform-as-a-Service
installation and to embrace horizontal elastic scaling . Cloud-native Kevin Hoffman, Beyond the Twelve-Factor App
@DanielSawano #SecureByDesign #GeeCON What we’ll cover today • Configuration • Separate processes • Logging • The three R’s of enterprise security
@DanielSawano #SecureByDesign #GeeCON Configuration “Store configuration in the environment”
@DanielSawano #SecureByDesign #GeeCON Configuration Configuration in code
@DanielSawano #SecureByDesign #GeeCON Configuration public class DatabaseConnection {
1521 ;
ofSeconds ( 5 );
// ... } Configuration in code
@DanielSawano #SecureByDesign #GeeCON Configuration public class DatabaseConnection {
1521 ;
ofSeconds ( 5 );
"service-A" ;
"yC6@SX5O" ;
// ... } Configuration in code
@DanielSawano #SecureByDesign #GeeCON Configuration Configuration in code — challenges
• Anyone with access to the code can read the secrets • No audit trail
@DanielSawano #SecureByDesign #GeeCON Configuration environments: dev: database: port: 1521
connection-timeout: 5000
username: dev-service-A
password: spring2019
prod: database: port: 1521
connection-timeout: 1000
username: service-A
password: yC6@SX5O Configuration in resource files
@DanielSawano #SecureByDesign #GeeCON Configuration Configuration in resource files — challenges
• Anyone with access to the conf can read the secrets • No, or very limited, audit trail • Encrypting values creates new problems
@DanielSawano #SecureByDesign #GeeCON Configuration environment db_port=1521 username=service-A password=yC6@SX5O Application injected by platform Configuration in the environment
@DanielSawano #SecureByDesign #GeeCON Configuration Configuration in the environment - solved security challenges
• Audit trail Responsibility put on the platform. Some aspects can be solved with IAM .
• Sharing secrets Minimized. Only managed by platform admins.
• Encryption Not completely solved. Can be solved with ephemeral secrets.
@DanielSawano #SecureByDesign #GeeCON What we’ll cover today ✓ Configuration • Separate processes • Logging • The three R’s of enterprise security
@DanielSawano #SecureByDesign #GeeCON Separate processes Run apps as separate stateless processes
@DanielSawano #SecureByDesign #GeeCON Separate processes • Run the app as multiple stateless processes
• Separate the deployment and running of the application • Only communicate via backing services
@DanielSawano #SecureByDesign #GeeCON Separate processes Run the app as multiple stateless processes • Security benefit: increased availability and integrity
@DanielSawano #SecureByDesign #GeeCON CIA • Confidentiality — data must only be disclosed to authorized users
• Integrity — data modification is only allowed in an authorized manner
• Availability — data must be available when needed
@DanielSawano #SecureByDesign #GeeCON Separate processes Run the app as multiple stateless processes • Security benefit: increased availability and integrity
@DanielSawano #SecureByDesign #GeeCON Separate processes Separate the deployment and running of the application • Security benefit: principle of least privilege
@DanielSawano #SecureByDesign #GeeCON Separate processes Only communicate via backing services • Security benefit: improves availability and integrity by allowing apps to be stateless
@DanielSawano #SecureByDesign #GeeCON What we’ll cover today ✓ Configuration ✓ Separate processes • Logging • The three R’s of enterprise security
@DanielSawano #SecureByDesign #GeeCON Logging Use logging as a service
@DanielSawano #SecureByDesign #GeeCON Logging Logging to disk - challenges
• Confidentiality • May contain sensitive information • Hard to control access • Hard to get a good audit trail • Hard prevent illegal access
@DanielSawano #SecureByDesign #GeeCON Logging Logging to disk - challenges
• Integrity • Maintaining integrity often overlooked • Write access to log files usually not restricted or audited
@DanielSawano #SecureByDesign #GeeCON Logging Logging to disk - challenges
• Availability • Log files are lost when servers are replaced • Disk space runs out
@DanielSawano #SecureByDesign #GeeCON Logging Logging as a service Application Log service
@DanielSawano #SecureByDesign #GeeCON Logging Logging as a service Application Log service
@DanielSawano #SecureByDesign #GeeCON Logging Logging as a service - solved security challenges
• Confidentiality Easy to restrict access and prevent illegal access. Audit trail.
• Integrity Mutating operations not exposed/implemented. Can even digitally sign log events
• Availability Log storage is handled explicitly so no log files can go missing Storage is a primary concern so no accidental shortage of disk space.
@DanielSawano #SecureByDesign #GeeCON What we’ll cover today ✓ Configuration ✓ Separate processes ✓ Logging • The three R’s of enterprise security
@DanielSawano #SecureByDesign #GeeCON The three R’s The three R’s of enterprise security Justin Smith, 2016
@DanielSawano #SecureByDesign #GeeCON The three R’s The three R’s of enterprise security • Rotate Rotate secrets every few minutes or hours
• Repave Repave servers and applications every few hours
• Repair Repair vulnerable software a few hours after patch is available
@DanielSawano #SecureByDesign #GeeCON The three R’s Increase change to reduce risk
@DanielSawano #SecureByDesign #GeeCON
The three R’s
Rotate
secrets every few minutes or hours
environment
password=yC6@SX5O
certificate=xyz
Application
ephemeral
secrets
injected by platform
@DanielSawano #SecureByDesign #GeeCON The three R’s Rotate secrets every few minutes or hours password=yC6@SX5O Application password? Secret Service
@DanielSawano #SecureByDesign #GeeCON The three R’s • Passwords • Certificates • Access tokens • … Rotate secrets every few minutes or hours
@DanielSawano #SecureByDesign #GeeCON The three R’s Repave servers and applications every few hours • Recreate servers and apps from a know good state • Use rolling deployments to eliminate downtime • Burn old instances to the ground • If running containers, consider also repaving the host
@DanielSawano #SecureByDesign #GeeCON The three R’s • Applies to both operating systems and applications • No incremental updates, repave instead Repair vulnerable software a few hours after patch is available
@DanielSawano #SecureByDesign #GeeCON The three R’s Repair vulnerable software a few hours after patch is available
@DanielSawano #SecureByDesign #GeeCON The three R’s Repair vulnerable software a few hours after patch is available Patch available New known good state Repave
@DanielSawano #SecureByDesign #GeeCON The three R’s • Applies to both operating systems and yo ur o w n applications • No incremental updates, repave instead • CI/CD enables you to repair your own applications • Don’t forget 3rd party dependencies Repair vulnerable software a few hours after patch is available
@DanielSawano #SecureByDesign #GeeCON The three R’s Ever-changing software is the nemesis of persistent threats
@DanielSawano #SecureByDesign #GeeCON Summary ✓ Configuration ✓ Separate processes ✓ Logging ✓ The three R’s of enterprise security
bit.ly/secure-by-design Manning Publication
@DanielSawano #SecureByDesign #GeeCON Q&A [2]
Daniel Sawano Kraków, 9-11 May 2018 Thanks!
Security is a tricky field – as developers, it doesn’t seem to matter how the software is designed. There’s always someone able to hack it. But as it turns out, software design can bring security benefits. Often when we hear the word ‘cloud’ we think it’s insecure, but in this talk you’ll learn how design patterns based on concepts such as 12-factor and cloud native apps not only yield great software, but also bring security benefits as an implicit side effect. These design patterns are applicable to legacy as well as green-field development, and regardless if you are running in the cloud or on-premise, you still get the same security benefits. And on top of this, you’ll see how it all comes together to create the foundation of modern software security – software that is secure by design.
for free. You
can too.