It comes to no surprise, that any micro-services, any security controls you use to build applications – will eventually be broken (or fail). Under certain pressure, some components will fail together.
The question is – how do we build our systems in a way that security incidents won't happen even if some components fail. And the data leaks won't occur even if penetration tests are successful. "Defense in depth is a security engineering pattern, that suggests building an independent set of security controls aimed at mitigating more risks even if the attacker crosses the outer perimeter. During the talk, we will model threats and risks for the modern web application, and improve it by building multiple lines of defense. We will overview high-level patterns and exact tools from the security engineering world and explain them to the modern web devs ;)
5. Plan for next 45 mins:
1. Intro (OWASP, leaks, GDPR)
@vixentael
2. Threats in common web architectures
3. Defence in Depth for data: why, when, how
4. Acra as example of DiD approach
5. Existing tools and solutions
6. Outro and links
7. users (upset, angry)
regulations (fines, GDPR, HIPPA, PCI DSS, DPB)
@vixentael
Why care anyway?
business continuity (fines, competitors, legal)
Google, Apple
8. GDPR
@vixentael
Article 32/35: responsibly store and process
data according to risks
Article 33/34: detecting data leakage and
alert users & controller
https://gdpr-info.eu/
11. OWASP Top-10 web risks
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project @vixentael
• Injection
• Broken Authentication and
Session Management
• Sensitive Data Exposure
• XML External Entity
• Broken Access Control
• Security Misconfiguration
• Cross-Site Scripting
• Insecure deserialization
• Using Components With
Known Vulnerabilities
• Insufficient Logging and
Monitoring
12. @vixentael
Data & risks
PII
User data Service data
likes, preferences
purchase history
logs
keys, accesses, API tokens
backups
configurationslocations
28. Defense in Depth –
independent, yet interconnected,
set of security controls
aimed at mitigating multiple risks
during the whole application flow
29. @vixentael
1. Security controls protect data globally
(during the whole data flow / app lifecycle).
2. Whatever is the attack vector, there is a defense
layer.
Defense in Depth
3. For most popular attack vectors, we want as
many independent defenses as possible.
32. @vixentael
Predictable data flow
2. Write encrypted data to the database.
3. Read data from the database via decryption
proxy.
1. Separated encryption and decryption.
39. @vixentael
1. DB doesn’t know the nature of data.
2. App doesn’t have a way to decrypt data.
3. Data is being watched: key management, SQL
firewall, monitoring, access control, audit logs.
System compromise
41. @vixentael
System compromise
Or:
- compromise the backend app
& compromise SQL firewall
& compromise Acra and key store
& get around logs, SIEM, honey pots
The only way to attain plaintext from DB –
to request it through Acra.
46. @vixentael
How to build?
1. Build on your own (start from design).
2. Use boxed solutions (Oracle).
3. Build using existing tools:
DB + Acra + SIEM + WAF
DB + GreenSQL + libsodium + own decryption proxy + IDS +
SIEM + WAF
DB + Acra + AWS + SIEM
52. https://medium.com/@cossacklabs/12-and-1-ideas-how-to-enhance-backend-data-
security-4b8ceb5ccb88
12 and 1 ideas how to enhance backend data security
https://medium.freecodecamp.org/preventing-leaks-and-injections-in-your-database-
be3743af7614
How to prevent database leaks and injections
https://www.cossacklabs.com/blog/defense-in-depth-with-acra.html
Building Defence in Depth for your data using Acra
https://samnewman.io/talks/insecure-transit-microservice-security/
Insecure Transit - Microservice Security