ANSHUMAN BHARTIYA | PRINCIPAL SECURITY ENGINEER | ATLASSIAN | @ANSHUMAN_BH | GITHUB.COM/ANSHUMANBH

Building Secure Apps in the Cloud
Agenda
Problem Statement
Security Fundamentals
Building A Secure App In The Cloud
Atlassian Connect - Special Case Of Cloud APIs
Some Examples Of Security Vulnerabilities
Conclusion
How do we build secure apps in the cloud?

Security Fundamentals

Secure By Design
  Data Security: Where do we store it? How do we secure it?
  Authentication & Authorization: Who are you? What do you have access to?
  SDLC Activities / OWASP Top 10: Identifying bugs at an early stage

Secure The Code
  Ingress & Egress: How do we prevent malicious input & access to internal services?
  Secrets Management: How do we store secrets? How do we provide secrets during runtime?

Secure The Operations
  Monitor, Alert & Log: How do we alert on anomalies & misconfigs? What data do we log?
Secure By Design / AuthN & AuthZ

Atlassian Connect: Framework to integrate your third party apps
Scopes: App level permissions, principle of least privileged access
Authorization: Checks on each API call
OAuth2: Getting the OAuth2 dance right
Secure By Design / Data Security

Encryption at rest: Encrypt and store in S3, database layer encryption, allowing only certain users access to the DB
Encryption in transit: All requests must have SSL enabled
Tokenization: Abstract the data sensitivity via tokens
Secure By Design / SDLC Activities / OWASP Top 10

Threat Modeling: Focus on high impact components, keep iterating
Static Analysis: Language dependent - Brakeman (Ruby), Bandit (Python), GoSec (Golang)
Dynamic Analysis: Burpsuite, OWASP ZAP
Dependency Checks: Snyk, Sourceclear
Secure by Default frameworks: Prevents application wide vulnerabilities
Bug Bounty Programs: Work with us in order to start a bug bounty program - security@atlassian.com
Secure The Code / Secrets Management

Do not hardcode sensitive data: Use environment variables to substitute
Providing short lived keys during runtime: Use Cloud APIs such as KMS or secret management tools like Vault
Do not upload sensitive data to code repos: Implement checks pre push and post push
Secure The Code / Ingress & Egress

Validate all input: All input must be validated and sanitized to prevent injection based attacks
Encode all output: Browsers interpret data and code in different contexts
Egress Traffic: Whitelist domains, redirect via proxy, restrict access to internal domains
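The egress rule on this slide (whitelist domains, keep internal services unreachable), as an added example that is not part of the deck: a pre-flight check an app runs before any outbound fetch. The allowlist, the DNS answers and the host names are constructed so the code runs offline; the `is_global` property of the standard `ipaddress` module is what rejects loopback, private and link-local destinations.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist of the only external hosts this app may call.
EGRESS_ALLOWLIST = {"api.example.com", "hooks.example.net"}

# Constructed DNS answers so the example runs offline; hooks.example.net
# deliberately points into a private range to exercise that branch.
CONSTRUCTED_DNS = {
    "api.example.com": {"93.184.216.34"},
    "hooks.example.net": {"10.0.0.5"},
}


def resolve_all(host):
    """Live resolver: every address (A and AAAA) the name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def fake_resolve(host):
    """Offline resolver backed by CONSTRUCTED_DNS; unknown names fail like NXDOMAIN."""
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise OSError(f"no such host: {host}")


def check_egress(url, allowlist=EGRESS_ALLOWLIST, resolve=resolve_all):
    """Return (True, None) if url may be fetched, else (False, reason).

    Order of checks: https only; no userinfo (so "allowed@other" cannot pass
    off the allowed name as the host); host on the allowlist; every address
    the host resolves to is public, which excludes loopback, private,
    link-local (where cloud metadata endpoints live) and reserved ranges.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    host = host.rstrip(".").lower()
    if host not in allowlist:
        return False, f"host {host!r} not on allowlist"
    try:
        addrs = resolve(host)
    except OSError:
        return False, "resolution failed"
    if not addrs:
        return False, "no addresses"
    for addr in addrs:
        try:
            public = ipaddress.ip_address(addr).is_global
        except ValueError:  # resolver returned something that is not an address
            return False, f"unparseable address {addr!r}"
        if not public:
            return False, f"{host} resolves to non-public address {addr}"
    return True, None


def check_redirect_chain(urls, **kwargs):
    """Re-check every hop of a redirect chain. The HTTP client must follow
    redirects manually so an allowed host cannot bounce the request inward."""
    for url in urls:
        ok, reason = check_egress(url, **kwargs)
        if not ok:
            return False, f"{url}: {reason}"
    return True, None
```

Resolution is checked once here; in production the check and the fetch should use the same resolved address, so a name cannot change between the two (the "redirect via proxy" approach on the slide handles that by doing both in one place).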
Secure The Code / Securing APIs

Unit Testing: POSTMAN, beware of hidden or undocumented API endpoints
Prevent information disclosures: Error messages, un-documented/obsolete API endpoints
Open source tools for API testing: Parameth, Astra
Secure The Operations / Monitoring & Alerting

Constant monitoring and alerting: Open S3 buckets, lax security groups, dangling subdomains, expired SSL certs
Alerting on misconfigurations: MFA disabled, inbound/outbound port changes
Alerting on anomalies: Check for unexpected events in logs
Secure The Operations / Logging

Targeted Logging: Log activities and metadata but not sensitive information
Don't just log, set up alerts on them: Filters, Dashboards
Centralized Logging: Try to avoid log spread as much as possible
Log in queryable format: JSON logs with standard headers
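The two logging rules above (standard headers in JSON, no sensitive values) in one formatter, as an added example that is not from the deck: every line carries the same header fields, and any event field whose key looks like a credential is replaced before serialization, recursively, so a dumped request header block cannot leak a token. The service name, key list and sample event are constructed.

```python
import json
import logging
import time

# Constructed list of key names whose values must never reach the log.
SENSITIVE_KEYS = {"password", "authorization", "cookie", "api_key", "client_secret"}


def is_sensitive(key):
    """Exact-name match plus the usual substrings, case-insensitive."""
    k = key.lower()
    return k in SENSITIVE_KEYS or any(s in k for s in ("secret", "token", "passw"))


def redact(value):
    """Return a copy of value with every sensitive key's value replaced.

    Walks nested dicts and lists, so headers or a security context that was
    logged whole still comes out without its shared secret.
    """
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if is_sensitive(str(k)) else redact(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


class JsonFormatter(logging.Formatter):
    """One JSON object per line: fixed header fields plus the redacted event."""

    def format(self, record):
        line = {
            "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(record.created)),
            "level": record.levelname,
            "logger": record.name,
            "service": "example-connect-app",  # constructed service name
            "msg": record.getMessage(),
        }
        event = getattr(record, "event", None)  # structured fields go here, not in msg
        if isinstance(event, dict):
            line.update(redact(event))
        if record.exc_info:
            line["exc"] = self.formatException(record.exc_info)
        return json.dumps(line, separators=(",", ":"), sort_keys=True)


def format_event(msg, event, level=logging.INFO):
    """Render one event line without touching global logging configuration."""
    record = logging.LogRecord("app.audit", level, __file__, 0, msg, None, None)
    record.event = event
    return JsonFormatter().format(record)


if __name__ == "__main__":
    # Constructed sample: an install event that a careless handler might log whole.
    print(format_event("install", {
        "client_key": "jira:example-client-key",
        "shared_secret": "constructed-secret",
        "headers": {"Authorization": "JWT constructed", "X-Request-Id": "r-123"},
    }))
```

Redaction by key name is a safety net, not a substitute for choosing what to log: the slide's "activities and metadata" is the allowlist, and the formatter only catches what slips past it.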
Atlassian Connect - Special Case Of Cloud APIs

ATLASSIAN CONNECT APPS

Descriptor Files: Key, baseUrl, authentication, scopes
Security Context: Exchanged with the app. Used to create and validate JWTs. Has a shared secret and the client key. Stored by the app.
JWT (JSON Web Token): Used for API calls. No Authorization header in the first install but all subsequent installs contain the shared secret.
ATLASSIAN CONNECT APPS

Verify incoming requests: Decode and verify the JWT
* Extract JWT
* Decode without verification
* Extract ISS from decoded blob - client key
* Look up the shared secret from security context
* Verify signature w/shared secret & also verify the query hash
ATLASSIAN CONNECT APPS

JWT Gotchas
* "Alg" being none
* Unrecognized issuers
* Unrecognized client key
* Expiration time to prevent replay attacks
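The verification steps from the previous slide and the four gotchas on this one, carried through in one verifier as an added example; this is not the deck's code nor an Atlassian library. It uses only the standard library (HS256 via `hmac`), a constructed security-context store, and a simplified rendering of the Connect canonical-request rules for the query string hash (sorted, percent-encoded parameters, `jwt` excluded); `mint_token` plays the host side so the verifier can be exercised offline.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import quote

# Constructed security-context store: client key -> shared secret, as the app
# would persist it at install time. Both values are made up for this example.
INSTALLS = {"jira:example-client-key": "constructed-shared-secret-not-a-real-one"}


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def canonical_qsh(method, path, query):
    """Query string hash: SHA-256 of METHOD&path&canonical-query.

    Simplified canonical-request rules (assumption): params sorted by name,
    'jwt' left out, names and values percent-encoded, multiple values sorted
    and comma-joined, trailing slash dropped from the path except for '/'.
    """
    path = path if path == "/" else path.rstrip("/")
    params = []
    for name in sorted(k for k in query if k != "jwt"):
        values = query[name] if isinstance(query[name], list) else [query[name]]
        encoded = ",".join(sorted(quote(str(v), safe="~") for v in values))
        params.append(f"{quote(name, safe='~')}={encoded}")
    canonical = "&".join([method.upper(), path, "&".join(params)])
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_connect_request(method, path, query, authorization, installs=INSTALLS, now=None):
    """Return (claims, None) for an authentic request, else (None, reason)."""
    now = int(time.time()) if now is None else now
    if not authorization or not authorization.startswith("JWT "):
        return None, "missing JWT Authorization header"
    try:
        h_b64, p_b64, s_b64 = authorization[4:].strip().split(".")
        header = json.loads(b64url_decode(h_b64))  # decoded, but NOT yet trusted
        claims = json.loads(b64url_decode(p_b64))
        signature = b64url_decode(s_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed token"
    # Gotcha: "alg": "none" (or any alg we did not choose) must never be honoured.
    if header.get("alg") != "HS256":
        return None, f"unsupported alg {header.get('alg')!r}"
    # iss is the client key; an unknown one has no stored security context.
    secret = installs.get(claims.get("iss"))
    if secret is None:
        return None, "unrecognized issuer / client key"
    expected = hmac.new(secret.encode("utf-8"), f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    # A short lifetime bounds how long a captured token can be replayed.
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None, "token expired or missing exp"
    # qsh ties the token to exactly this method, path and query string.
    qsh = canonical_qsh(method, path, query).encode("ascii")
    if not hmac.compare_digest(str(claims.get("qsh", "")).encode("utf-8"), qsh):
        return None, "qsh mismatch"
    return claims, None


def mint_token(client_key, secret, method, path, query, lifetime=180, now=None):
    """What the host side sends; used here only to exercise the verifier offline."""
    now = int(time.time()) if now is None else now
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {"iss": client_key, "iat": now, "exp": now + lifetime,
              "qsh": canonical_qsh(method, path, query)}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    sig = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"
```

The order matters: the signature is checked before any claim is acted on, so `exp` and `qsh` are only ever read from a token the shared secret vouches for.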
ATLASSIAN CONNECT APPS

User Impersonation Authorization Grants (2LOi)

Some Examples Of Security Vulnerabilities
36% - IMPROPER ACCESS CONTROLS / AUTHORIZATION FLAWS
25% - SSRF (SERVER SIDE REQUEST FORGERY) ATTACKS
11% - INFORMATION DISCLOSURE

EXAMPLES - AUTHORIZATION FLAWS
EXAMPLES - INFORMATION DISCLOSURE
EXAMPLES - SSRF AKA SERVER SIDE REQUEST FORGERY
CONCLUSION

Authenticate and authorize all calls
Sanitize all input and output
Encrypt all data in transit and at rest
Continually test your APIs
Monitor and alert on anomalies
Continue investing more in SDLC activities
Don't leak sensitive information via API endpoints or in error messages
Don't hardcode sensitive keys in code
Don't log sensitive information
References:
• https://www.youtube.com/watch?time_continue=518&v=uEOqKcZa9o0
• https://www.youtube.com/watch?v=N0AW2-O06L0
• https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Links:
• https://www.getpostman.com/
• https://github.com/maK-/parameth
• https://github.com/flipkart-incubator/Astra
• https://www.youtube.com/watch?v=KGy_KCRUGd4
• https://brakemanscanner.org/
• https://pypi.org/project/bandit/
• https://github.com/securego/gosec
• https://portswigger.net/burp
• https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• https://snyk.io/
• https://www.sourceclear.com/
• https://www.youtube.com/watch?v=66ni2BTIjS8
• https://developer.atlassian.com/cloud/jira/platform/oauth-2-authorization-code-grants-3lo-for-apps/
Thank you!

08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 

Recently uploaded (20)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 

Building Secure Apps in the Cloud

  • 1. ANSHUMAN BHARTIYA | PRINCIPAL SECURITY ENGINEER | ATLASSIAN | @ANSHUMAN_BH | GITHUB.COM/ANSHUMANBH. Building Secure Apps in the Cloud
  • 2. Agenda
    * Problem Statement
    * Security Fundamentals
    * Building A Secure App In The Cloud
    * Atlassian Connect - Special Case Of Cloud APIs
    * Some Examples Of Security Vulnerabilities
    * Conclusion
  • 3. How do we build secure apps in the cloud?
  • 4. Security Fundamentals: Secure By Design
    * Data Security: Where do we store it? How do we secure it?
    * SDLC Activities / OWASP Top 10: Identifying bugs at an early stage
    * Authentication & Authorization: Who are you? What do you have access to?
  • 5. Security Fundamentals: Secure The Code / Secure The Operations
    * Ingress & Egress: How do we prevent malicious input & access to internal services?
    * Monitor, Alert & Log: How do we alert on anomalies & misconfigs? What data do we log?
    * Secrets Management: How do we store secrets? How do we provide secrets during runtime?
  • 6. Secure By Design: AuthN & AuthZ
    * Atlassian Connect: Framework to integrate your third party apps
    * Scopes: App level permissions, principle of least privileged access
    * Authorization: Checks on each API call
    * OAuth2: Getting the OAuth2 dance right
  • 7. Secure By Design: Data Security
    * Encryption at rest: Encrypt and store in S3, database layer encryption, allowing only certain users access to the DB
    * Encryption in transit: All requests must have SSL enabled
    * Tokenization: Abstract the data sensitivity via tokens
  • 8. Secure By Design: SDLC Activities
    * Threat Modeling: Focus on high impact components, keep iterating
    * Static Analysis: Language dependent - Brakeman (Ruby), Bandit (Python), GoSec (Golang)
    * Dynamic Analysis: Burpsuite, OWASP ZAP
    * Dependency Checks: Snyk, Sourceclear
    * Secure by Default frameworks: Prevent application-wide vulnerabilities
    * Bug Bounty Programs: Work with us in order to start a bug bounty program - security@atlassian.com
  • 10. Secure The Code: Secrets Management
    * Do not hardcode sensitive data: Use environment variables to substitute
    * Provide short-lived keys during runtime: Use Cloud APIs such as KMS or secret management tools like Vault
    * Do not upload sensitive data to code repos: Implement checks pre-push and post-push
  • 11. Secure The Code: Ingress & Egress
    * Validate all input: All input must be validated and sanitized to prevent injection based attacks
    * Encode all output: Browsers interpret data and code in different contexts
    * Egress Traffic: Whitelist domains, redirect via proxy, restrict access to internal domains
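An added example of the egress control described on this slide (it is not code from the talk or from Atlassian): an outbound-request gate that combines a domain allowlist with a check that the resolved address is not an internal one. The allowlist, the DNS table and the addresses are constructed so the example runs offline; the hypothetical `resolve` parameter stands in for a real resolver.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed egress allowlist: the only external hosts this app may call out to.
ALLOWED_HOSTS = {"api.example.com"}

# Constructed stand-in for DNS so the example runs offline (the address is made up).
SAMPLE_DNS = {"api.example.com": "93.184.216.34"}

def is_internal(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local (cloud metadata), multicast, reserved."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def check_egress(url: str, resolve=SAMPLE_DNS.get, allowed=ALLOWED_HOSTS):
    """Return (host, ip) when an outbound request may proceed, else raise ValueError.
    The caller should connect to the returned ip rather than resolving a second time."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname            # lowercased; userinfo and port already stripped
    if not host or host not in allowed:
        raise ValueError(f"host not allowlisted: {host!r}")   # also blocks raw IP literals
    ip = resolve(host)
    if ip is None:
        raise ValueError(f"cannot resolve {host}")
    if is_internal(ip):              # an allowlisted name pointing into the private network
        raise ValueError(f"{host} resolves to internal address {ip}")
    return host, ip
```

In production the same check belongs in the proxy the slide mentions, so that no code path can reach the network without passing through it.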
  • 12. Secure The Code: Securing APIs
    * Unit Testing: POSTMAN, beware of hidden or undocumented API endpoints
    * Prevent information disclosures: Error messages, undocumented/obsolete API endpoints
    * Open source tools for API testing: Parameth, Astra
  • 13. Secure The Operations: Monitoring & Alerting
    * Constant monitoring and alerting: Open S3 buckets, lax security groups, dangling subdomains, expired SSL certs
    * Alerting on misconfigurations: MFA disabled, inbound/outbound port changes
    * Alerting on anomalies: Check for unexpected events in logs
  • 14. Secure The Operations: Logging
    * Targeted Logging: Log activities and metadata, but not sensitive information
    * Don't just log, set up alerts on the logs: Filters, Dashboards
    * Centralized Logging: Try to avoid log spread as much as possible
    * Log in a queryable format: JSON logs with standard headers
  • 15. Atlassian Connect - Special Case Of Cloud APIs
  • 16. ATLASSIAN CONNECT APPS
    * Descriptor Files: Key, baseUrl, authentication, scopes
    * Security Context: Exchanged with the app. Used to create and validate JWTs. Has a shared secret and the client key. Stored by the app
    * JWT (JSON Web Token): Used for API calls. No Authorization header in the first install, but all subsequent installs contain the shared secret
  • 17. ATLASSIAN CONNECT APPS: Verify incoming requests - decode and verify the JWT
    * Extract the JWT
    * Decode it without verification
    * Extract ISS from the decoded blob - this is the client key
    * Look up the shared secret from the security context
    * Verify the signature with the shared secret
    * Verify the query hash
  • 18. ATLASSIAN CONNECT APPS: JWT Gotchas
    * "Alg" being none
    * Unrecognized issuers
    * Unrecognized client key
    * Expiration time to prevent replay attacks
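As an added example (not code from the talk or from Atlassian's own Connect libraries), the verification steps of slide 17 and the gotchas of slide 18 carried through in a stdlib-only Python verifier: decode, look up the shared secret by `iss`, check the HS256 signature, the expiry and the query string hash, and refuse `alg` none. The client key, shared secret and request values are constructed, and the canonical form used for the `qsh` claim (path without trailing slash, parameters minus `jwt` sorted by name and RFC 3986 encoded) is my reading of the Connect documentation, so treat it as an assumption.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import quote

# Constructed sample: shared secrets as an app would store them from the
# install security context, keyed by client key (values are made up).
SECRETS = {"client-key-constructed-1": "shared-secret-constructed-1"}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def query_string_hash(method: str, path: str, params: dict) -> str:
    """qsh claim: SHA-256 of METHOD&canonical-path&canonical-query (assumed
    canonical form: no trailing slash, params minus 'jwt' sorted, RFC 3986 encoded)."""
    canonical_path = path.rstrip("/") or "/"
    parts = []
    for name in sorted(k for k in params if k != "jwt"):
        values = params[name] if isinstance(params[name], list) else [params[name]]
        encoded = ",".join(quote(v, safe="") for v in sorted(values))
        parts.append(f"{quote(name, safe='')}={encoded}")
    canonical = f"{method.upper()}&{canonical_path}&{'&'.join(parts)}"
    return hashlib.sha256(canonical.encode()).hexdigest()

def mint_jwt(client_key: str, method: str, path: str, params: dict, ttl: int = 180) -> str:
    """Build the HS256 token the host product would send (demo helper only)."""
    now = int(time.time())
    claims = {"iss": client_key, "iat": now, "exp": now + ttl,
              "qsh": query_string_hash(method, path, params)}
    signing_input = (b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
                     + "." + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(SECRETS[client_key].encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_request(token: str, method: str, path: str, params: dict,
                   secrets: dict = SECRETS, now=None) -> dict:
    """Return the claims of a valid Connect request, else raise ValueError."""
    header_b64, claims_b64, sig_b64 = token.split(".")   # ValueError if malformed
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(claims_b64))      # decoded but NOT yet trusted
    if header.get("alg") != "HS256":                    # rejects alg=none outright
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    secret = secrets.get(claims.get("iss"))             # iss carries the client key
    if secret is None:
        raise ValueError("unrecognized issuer / client key")
    expected = hmac.new(secret.encode(), f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if (int(time.time()) if now is None else now) >= claims.get("exp", 0):
        raise ValueError("token expired")               # bounds the replay window
    if claims.get("qsh") != query_string_hash(method, path, params):
        raise ValueError("query hash mismatch")         # token was bound to another URL
    return claims
```

The order matters: the algorithm is pinned and the secret is looked up before the signature is checked, and nothing in the claims is acted on until the signature, expiry and query hash have all passed.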
  • 19. ATLASSIAN CONNECT APPS User Impersonation Authorization Grants (2LOi)
  • 20. 36% - IMPROPER ACCESS CONTROLS / AUTHORIZATION FLAWS
    25% - SSRF (SERVER SIDE REQUEST FORGERY) ATTACKS
    11% - INFORMATION DISCLOSURE
  • 25. EXAMPLES - SSRF AKA SERVER SIDE REQUEST FORGERY
  • 26. EXAMPLES - SSRF AKA SERVER SIDE REQUEST FORGERY
  • 27. CONCLUSION
    * Authenticate and authorize all calls
    * Sanitize all input and output
    * Encrypt all data in transit and at rest
    * Continually test your APIs
    * Monitor and alert on anomalies
    * Continue investing more in SDLC activities
  • 28. CONCLUSION
    * Don't leak sensitive information via API endpoints in error messages
    * Don't hardcode sensitive keys in code
    * Don't log sensitive information
  • 29. References:
    * https://www.youtube.com/watch?time_continue=518&v=uEOqKcZa9o0
    * https://www.youtube.com/watch?v=N0AW2-O06L0
    * https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
    Links:
    * https://www.getpostman.com/
    * https://github.com/maK-/parameth
    * https://github.com/flipkart-incubator/Astra
    * https://www.youtube.com/watch?v=KGy_KCRUGd4
    * https://brakemanscanner.org/
    * https://pypi.org/project/bandit/
    * https://github.com/securego/gosec
    * https://portswigger.net/burp
    * https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
    * https://snyk.io/
    * https://www.sourceclear.com/
    * https://www.youtube.com/watch?v=66ni2BTIjS8
    * https://developer.atlassian.com/cloud/jira/platform/oauth-2-authorization-code-grants-3lo-for-apps/
  • 30. ANSHUMAN BHARTIYA | PRINCIPAL SECURITY ENGINEER | ATLASSIAN | @ANSHUMAN_BH | GITHUB.COM/ANSHUMANBH Thank you!