As companies move towards offering SaaS products in the cloud, it becomes increasingly important that these products are secure by default: customers no longer control where their data lives, since it now resides with a third-party cloud provider.
Security is everyone's responsibility, and it is now imperative that cloud products be built with security in mind from the beginning.
In this session, Anshuman Bhartiya will discuss ways to build secure applications in the cloud.
4. Security Fundamentals (Secure By Design)
Data Security: Where do we store it? How do we secure it?
SDLC Activities / OWASP Top 10: Identifying bugs at an early stage
Authentication & Authorization: Who are you? What do you have access to?
5. Security Fundamentals (Secure The Code / Secure The Operations)
Ingress & Egress (Secure The Code): How do we prevent malicious input & access to internal services?
Monitor, Alert & Log (Secure The Operations): How do we alert on anomalies & misconfigs? What data do we log?
Secrets Management (Secure The Code): How do we store secrets? How do we provide secrets during runtime?
6. Secure By Design: AuthN & AuthZ
Atlassian Connect: Framework to integrate your third party apps
Scopes: App level permissions, principle of least privilege
Authorization: Checks on each API call, not just at login
OAuth2: Getting the OAuth2 dance right
7. Secure By Design: Data Security
Encryption at rest: Encrypt and store in S3, database layer encryption, and restrict DB access to the specific users and roles that need it
Encryption in transit: All requests must use TLS (SSL)
Tokenization: Abstract the data sensitivity via tokens, so most services only ever handle a token rather than the sensitive value
8. Secure By Design: SDLC Activities
Threat Modeling: Focus on high impact components, keep iterating
Static Analysis: Language dependent - Brakeman (Ruby), Bandit (Python), gosec (Golang)
Dynamic Analysis: Burp Suite, OWASP ZAP
Dependency Checks: Snyk, SourceClear
Secure by Default frameworks: Prevent whole classes of application-wide vulnerabilities
Bug Bounty Programs: Work with us in order to start a bug bounty program - security@atlassian.com
10. Secure The Code: Secrets Management
Do not hardcode sensitive data: Use environment variables to substitute secrets at deploy time
Providing short-lived keys during runtime: Use cloud APIs such as KMS, or secret management tools like Vault
Do not upload sensitive data to code repos: Implement checks pre-push (block the push) and post-push (scan the repository history)
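The pre-push check mentioned above can be a scanner over the diff a push would introduce. The following is an added example written for this page, not a tool from the deck or from Atlassian: it scans only the added lines of a unified diff (what `git diff origin/main...HEAD` gives a pre-push hook), tracks file and new-file line numbers from the hunk headers, and applies a few credential patterns. The provider-specific patterns follow publicly documented key formats; the generic assignment rule, the placeholder list and the entropy floor are heuristics (assumptions) to tune per code base. `SAMPLE_DIFF` is constructed for the example.

```python
import math
import re
from collections import Counter

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Credential formats worth refusing at push time. Provider-specific entries follow
# publicly documented formats; the generic rule is a heuristic (assumption) that
# relies on the placeholder and entropy filters below to stay quiet on ordinary code.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
# Values that are substitutions, not secrets: "${VAR}", "<fill-me-in>", "****", "xxxx".
PLACEHOLDER_RE = re.compile(r"^(\$\{[^}]*\}|<[^>]*>|\*+|x{4,})$", re.IGNORECASE)
ENTROPY_FLOOR = 3.0  # bits per char; below this a value is a default like "changeme" (assumption)


def shannon_entropy(text: str) -> float:
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def match_rules(line: str) -> list:
    """Names of the SECRET_PATTERNS that fire on one line of source."""
    hits = []
    for name, pattern in SECRET_PATTERNS.items():
        found = pattern.search(line)
        if not found:
            continue
        if name == "generic_assignment":
            value = found.group(1)
            # "${DB_PASSWORD}" is the env-var substitution the slide recommends, not a leak.
            if PLACEHOLDER_RE.match(value) or shannon_entropy(value) < ENTROPY_FLOOR:
                continue
        hits.append(name)
    return hits


def scan_diff(diff_text: str) -> list:
    """Scan the added lines of a unified diff. Returns (path, new-file line, rule).
    Deleted lines are skipped on purpose: removing a key from the tip does not
    scrub it from history, which is the job of the post-push scan of the whole repo."""
    findings = []
    path, line_no = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            target = raw[4:]
            path = target[2:] if target.startswith("b/") else target
            continue
        if raw.startswith("--- "):
            continue
        hunk = HUNK_RE.match(raw)
        if hunk:
            line_no = int(hunk.group(1))
            continue
        if raw.startswith("-"):
            continue
        if raw.startswith("+"):
            findings.extend((path, line_no, rule) for rule in match_rules(raw[1:]))
        line_no += 1  # context and added lines both advance new-file numbering
    return findings


def push_allowed(diff_text: str) -> bool:
    return not scan_diff(diff_text)


# Constructed sample diff: the developer moved an AWS key into the environment
# (good), but also pasted a database password, a Slack bot token and a private key.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,6 @@
 import os
-AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+DB_PASSWORD = "Tr0ub4dor&3-Pr0duction!"
+SLACK_BOT = "xoxb-123456789012-abcdefghijklmnop"
+SMTP_PASSWORD = "${SMTP_PASSWORD}"
+API_KEY = os.getenv("API_KEY", "")
diff --git a/deploy/id_rsa b/deploy/id_rsa
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAsample0base64body0notarealkey
+-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for path, line, rule in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{line}: {rule}")
```

Wire it as `.git/hooks/pre-push` (or a server-side receive hook) that runs `git diff <remote-sha>...HEAD | python scan.py` and exits non-zero on any finding. The removed `AKIA...` key in the sample is not reported, which is exactly why the slide also asks for a post-push scan: it is still in history and must be rotated.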
11. Secure The Code: Ingress & Egress
Validate all input: All input must be validated and sanitized to prevent injection based attacks
Encode all output: Browsers interpret data and code in different contexts, so encode output for the context (HTML, attribute, JavaScript, URL) it will land in
Egress Traffic: Whitelist domains, redirect via proxy, restrict access to internal domains
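The egress rule above (allow-listed domains, everything routed through a proxy, no access to internal addresses) can be expressed as one policy function. The following is an added example, not code from the deck: the allow list, ports and scheme are constructed assumptions, and `resolved_ips` stands in for whatever the proxy's resolver returned, since the example runs offline and does no DNS itself.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow list: exact hostnames, or a leading dot for "any subdomain of".
ALLOWED_HOSTS = ("api.github.com", "hooks.slack.com", ".atlassian.net")
ALLOWED_SCHEMES = ("https",)
ALLOWED_PORTS = (None, 443)


def host_allowed(host: str) -> bool:
    for entry in ALLOWED_HOSTS:
        if entry.startswith("."):
            # The leading dot keeps the match on a label boundary, so
            # "atlassian.net.evil.example" and "evilatlassian.net" do not pass.
            if host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def is_internal_ip(addr: str) -> bool:
    """Addresses egress must never reach: RFC 1918, loopback, link-local (which
    includes the 169.254.169.254 cloud metadata endpoint), multicast, reserved,
    and the IPv4-mapped IPv6 spellings of the same."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def egress_decision(url: str, resolved_ips=()) -> tuple:
    """(allowed, reason) for one outbound request. Checks run cheapest-first and
    each one closes a specific trick: downgrade to http, userinfo host confusion,
    literal IPs that bypass the name allow list, and names that resolve inward."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL (host-confusion trick)"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        ipaddress.ip_address(host)
        return False, "literal IP address; use an allow-listed hostname"
    except ValueError:
        pass  # a hostname, as expected
    if not host_allowed(host):
        return False, f"host {host!r} not on allow list"
    for addr in resolved_ips:
        if is_internal_ip(addr):
            return False, f"{host} resolves to internal address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for url in ("https://api.github.com/repos/acme/app",
                "https://169.254.169.254/latest/meta-data/",
                "https://api.github.com@evil.example/"):
        print(url, egress_decision(url))
```

Run the decision in the egress proxy rather than in each service, and have the proxy connect to the very addresses it checked rather than resolving the name a second time; otherwise a name that answers with a public address once and a private one a moment later (DNS rebinding) slips past the resolved-address check.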
12. Secure The Code: Securing APIs
Unit Testing: Postman; beware of hidden or undocumented API endpoints, which attackers will find even if your tests do not
Prevent information disclosures: Error messages, undocumented/obsolete API endpoints
Open source tools for API testing: Parameth, Astra
13. Secure The Operations: Monitoring & Alerting
Constant monitoring and alerting: Open S3 buckets, lax security groups, dangling subdomains, expired TLS certificates
Alerting on misconfigurations: MFA disabled, inbound/outbound port changes
Alerting on anomalies: Check for unexpected events in logs
14. Secure The Operations: Logging
Targeted Logging: Log activities and metadata, but not sensitive information. Don't just log; set up alerts on the logs (filters, dashboards)
Centralized Logging: Try to avoid log spread as much as possible
Log in a queryable format: JSON logs with standard headers
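Slides 13 and 14 fit together: the alert rules are only as good as the log lines they run over. The following is an added example, not code from the deck, showing both halves: a JSON log emitter whose records start with a fixed set of standard headers and which redacts sensitive keys before anything is written, and the three alert rules from slide 13 (MFA disabled, a port opened to the world, repeated failed logins from one source) evaluated over parsed records. The header names, the sensitive-key list, the event names and the threshold are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Field order every record starts with, so one query shape works across services (assumption).
STANDARD_HEADERS = ("ts", "service", "env", "event", "actor", "request_id")
# Keys whose values never reach the log, whatever a caller passes (assumption: extend per app).
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "authorization",
                  "cookie", "api_key", "card_number"}
FAILED_LOGIN_THRESHOLD = 5  # failures from one source IP before an anomaly alert (assumption)


def redact(value):
    """Recursively blank out sensitive keys; nested dicts and lists are handled."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def log_line(service, event, actor, request_id, ts=None, env="prod", **fields) -> str:
    """One JSON record: standard headers first, then the event's own fields, redacted.
    What gets logged is who did what, to what, from where; never the credential itself."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    record = dict(zip(STANDARD_HEADERS, (ts, service, env, event, actor, request_id)))
    record.update(redact(fields))
    return json.dumps(record)


def parse_lines(lines):
    return [json.loads(line) for line in lines]


def evaluate_alerts(records):
    """Two misconfiguration rules and one anomaly rule over parsed records.
    Returns (kind, message) tuples in event order."""
    alerts = []
    failures = defaultdict(int)
    for r in records:
        event = r.get("event")
        if event == "iam.mfa_disabled":
            alerts.append(("misconfig", f"MFA disabled on {r.get('target')} by {r['actor']}"))
        elif event == "sg.ingress_changed" and r.get("cidr") in ("0.0.0.0/0", "::/0"):
            alerts.append(("misconfig",
                           f"{r.get('group')} port {r.get('port')} opened to the internet by {r['actor']}"))
        elif event == "auth.login_failed":
            src = r.get("src_ip")
            failures[src] += 1
            if failures[src] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("anomaly", f"{FAILED_LOGIN_THRESHOLD} failed logins from {src}"))
    return alerts


def build_sample_lines():
    """Constructed sample events, not real data. The login failures carry a
    password field to show that it never reaches the emitted line."""
    ts = "2024-03-01T12:00:00+00:00"
    lines = [
        log_line("iam", "iam.mfa_disabled", "alice", "req-1", ts, target="svc-deploy"),
        log_line("infra", "sg.ingress_changed", "ci-bot", "req-2", ts,
                 group="sg-0abc", port=22, cidr="0.0.0.0/0"),
        log_line("infra", "sg.ingress_changed", "ci-bot", "req-3", ts,
                 group="sg-0abc", port=443, cidr="10.0.0.0/8"),
    ]
    for i, user in enumerate(["root", "admin", "alice", "bob", "deploy"]):
        lines.append(log_line("auth", "auth.login_failed", user, f"req-{10 + i}", ts,
                              src_ip="203.0.113.9", password="hunter2"))
    lines.append(log_line("auth", "auth.login_failed", "carol", "req-20", ts,
                          src_ip="198.51.100.7", password="hunter2"))
    return lines


if __name__ == "__main__":
    sample = build_sample_lines()
    print(sample[3])
    for kind, message in evaluate_alerts(parse_lines(sample)):
        print(kind, message)
```

The internal-only security group change (10.0.0.0/8) and the single failure from the second address produce nothing, which is the point of alerting on specific conditions rather than on every event: the dashboard still shows them, the pager does not.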
16. ATLASSIAN CONNECT APPS
Descriptor Files: Key, baseUrl, authentication, scopes
Security Context: Exchanged with the app at install time. Used to create and validate JWTs. Has a shared secret and the client key. Stored by the app
JWT (JSON Web Token): Used for API calls. There is no Authorization header on the first install, but every subsequent install callback carries a JWT signed with the previously shared secret, so the app can tell a re-install from an impostor
17. ATLASSIAN CONNECT APPS
Verify incoming requests: decode and verify the JWT
* Extract the JWT from the request
* Decode it without verification, only to read the claims; trust nothing yet
* Extract iss from the decoded claims: this is the client key
* Look up the shared secret for that client key in the stored security context
* Verify the signature with the shared secret, and also
* Verify the query string hash (qsh), which binds the token to this exact request
18. ATLASSIAN CONNECT APPS
JWT Gotchas
* "alg" being none: reject any token whose algorithm is not the one you expect, before looking at the signature
* Unrecognized issuers
* Unrecognized client key
* Missing or unchecked expiration time: enforce exp to limit replay attacks
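Slides 17 and 18 describe one verification procedure, so here it is as a single worked example, added for this page and not code from the deck or from Atlassian's atlassian-jwt libraries (which a production app should use; this is standard-library Python so every check is visible). The security context store, client key and shared secret are constructed; the qsh canonicalisation follows the Connect documentation as understood here and assumes the app is served at the root of its baseUrl; `LEEWAY` is an assumption. `mint_jwt` plays the host product so the verifier can be exercised, including with an `alg: none` token and with a valid token replayed against a different endpoint.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample of the security contexts an app stores from the "installed"
# hook: clientKey -> sharedSecret. Both values are made up for this example.
SECURITY_CONTEXTS = {
    "jira:c0ffee-1234": "3b1e9f0c-installed-shared-secret-example",
}
LEEWAY = 30  # seconds of clock skew tolerated on exp (assumption)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _enc(value: str) -> str:
    return quote(value, safe="")  # RFC 3986 percent-encoding, nothing left unescaped


def canonical_request(method: str, path: str, query: dict) -> str:
    """METHOD & canonical URI & canonical query string, as understood from the
    Connect docs (assumption; check against the official atlassian-jwt library):
    upper-case method, path with trailing slash dropped, parameters sorted by
    encoded key, multiple values sorted and comma-joined, 'jwt' itself excluded."""
    uri = path or "/"
    if len(uri) > 1 and uri.endswith("/"):
        uri = uri[:-1]
    pairs = []
    for key in sorted((k for k in query if k != "jwt"), key=_enc):
        values = ",".join(_enc(v) for v in sorted(query[key]))
        pairs.append(f"{_enc(key)}={values}")
    return "&".join([method.upper(), uri, "&".join(pairs)])


def query_string_hash(method: str, path: str, query: dict) -> str:
    return hashlib.sha256(canonical_request(method, path, query).encode()).hexdigest()


def mint_jwt(client_key, secret, method, path, query, now, ttl=180, alg="HS256"):
    """Issue a Connect-style token (what the host does before calling the app).
    alg="none" exists only so the example can show that such a token is refused."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": alg}).encode())
    claims = _b64url_encode(json.dumps({
        "iss": client_key, "iat": now, "exp": now + ttl,
        "qsh": query_string_hash(method, path, query)}).encode())
    signing_input = f"{header}.{claims}"
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_connect_request(method: str, url: str, headers: dict, now=None) -> dict:
    """Run the checks from slides 17 and 18 in order. Returns the verified claims
    or raises ValueError naming the first check that failed."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)

    # 1. Extract the JWT: "Authorization: JWT <token>" header or ?jwt= parameter.
    auth = headers.get("Authorization", "")
    if auth.startswith("JWT "):
        token = auth[4:].strip()
    elif "jwt" in query:
        token = query["jwt"][0]
    else:
        raise ValueError("no JWT on request")

    # 2. Decode header, claims and signature WITHOUT trusting any of them yet.
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
        sig = _b64url_decode(s64)
    except ValueError:  # wrong part count, bad base64 and bad JSON all land here
        raise ValueError("malformed JWT")

    # 3. Pin the algorithm: "none" (or any non-HS256 value) is rejected outright,
    #    so the sender never gets to choose how the signature is checked.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")

    # 4. iss is the host's clientKey; an issuer we never installed for has no
    #    shared secret, so its requests cannot be authenticated at all.
    secret = SECURITY_CONTEXTS.get(claims.get("iss"))
    if secret is None:
        raise ValueError("unrecognised issuer / client key")

    # 5. Recompute the HMAC with that secret and compare in constant time.
    expected = hmac.new(secret.encode(), f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")

    # 6. exp bounds how long a captured token stays usable.
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + LEEWAY:
        raise ValueError("token expired")

    # 7. qsh binds the token to this method, path and query: a valid token captured
    #    from one call cannot be replayed against a different endpoint.
    if claims.get("qsh") != query_string_hash(method, parts.path, query):
        raise ValueError("qsh mismatch: token was issued for a different request")
    return claims


def rejection_reason(method, url, headers, now=None):
    """None when the request verifies, otherwise the reason it was refused."""
    try:
        verify_connect_request(method, url, headers, now)
        return None
    except ValueError as exc:
        return str(exc)
```

The order matters: the algorithm is pinned and the issuer resolved before any cryptography runs, so an attacker-controlled header can never steer the verifier into a mode (none, or a public key treated as an HMAC secret) that it did not intend to support.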
27. CONCLUSION
Authenticate and Authorize all calls
Sanitize all input and output
Encrypt all data in transit and at rest
Continually test your APIs
Monitor and Alert on anomalies
Continue investing more in SDLC activities
28. CONCLUSION
Don’t leak sensitive information via API endpoints in error messages
Don’t hardcode sensitive keys in code
Don't log sensitive information