A lot of focus has been placed on securing the cloud, but the cloud can also be used to help secure applications. Find out how the same principles that apply to building cloud scale applications can also be used to deploy test environments in the cloud that support application security testing. Never again fear that your automated security testing, penetration testing, and customer A/B testing will collide. This talk will cover how applications that abide by the 12 Factors (https://12factor.net/) are easier to test. It will also discuss how the extreme flexibility of cloud resources allows easy separation of different types of application testing, ensuring that security tests can be run without interfering with business objectives.
Using Cloud to Improve AppSec
1. Using the Cloud to Improve AppSec
Phillip Marlow
SANS CloudSecNext Summit 2021
Approved for Public Release; Distribution Unlimited. Case Number 21-1574
3. Too Long; Didn’t Listen
• Designing applications and services for the cloud helps achieve security improvements – even if the application is never deployed to the cloud
• This makes applications more resilient against technical and environmental failures as well as attacks
• It also improves the business’ ability to deliver on their mission
4. > iam list-roles
• Developer
• Systems Engineer
• DevOps Engineer
• Cloud Engineer
• Security Engineer
• Advisor
• Manager
• Architect
• Hacker
• Builder of Things
5. Why AppSec?
• Everything is an application
• Applications are core to the business, so their security should be too
• Bad application security beats good add-on defenses
7. Application Development Process
Development: Application v1.0-katherine, Application v1.0-jenny, Application v1.1
Test: Application v1.0-katherine, Application v1.0-jenny, Application v1.1
Production: Application v1.1
8. Mature Application Deployment Process
Development: Application v1.0-katherine, Application v1.0-jenny, Application v1.1, App2 v2.1
Test (Application): Application v1.0-katherine, Application v1.0-jenny, Application v1.1
Test (App2): App2 v2.1
Production: Application v1.1 – instance 1 … Application v1.1 – instance N; App2 v2.1
9. The Big Problem
• Can multiple versions of an application be hosted in each environment?
• This design creates choke points on work at each environment
10. Designing for the Cloud is Better
• The Twelve-Factor App, developed by Adam Wiggins & Heroku
• https://12factor.net/
Apps that:
• Use declarative formats for setup automation, to minimize time and cost for new developers joining the project;
• Have a clean contract with the underlying operating system, offering maximum portability between execution environments;
• Are suitable for deployment on modern cloud platforms, obviating the need for servers and systems administration;
• Minimize divergence between development and production, enabling continuous deployment for maximum agility;
• And can scale up without significant changes to tooling, architecture, or development practices.
11. Twelve-Factor Alternatives
• Microservices Reference Architecture from NGINX
• https://www.nginx.com/blog/introducing-the-nginx-microservices-reference-architecture/
• Beyond the Twelve-Factor App by Kevin Hoffman
• https://www.oreilly.com/library/view/beyond-the-twelve-factor/9781492042631/
12. I. Codebase
• Partially solves the big problem of multiple deploys in an environment
One codebase tracked in revision control, many deploys
13. II. Dependencies
• Known dependencies are a start to supply chain risk management
• No reliance on dependencies installed in the deployment environment makes it possible to scale the number of deployments and environments as needed
Explicitly declare and isolate dependencies
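The two properties this factor asks for can be checked mechanically before a build. The script below is an added example (not from the talk, and not tooling from Heroku or 12factor.net): it audits a pip-style requirements manifest and reports every dependency that is not pinned to an exact version, carries no --hash, or is pulled straight from a VCS checkout. The sample manifest, package names and hash value are constructed placeholders.

```python
"""Audit a pip requirements manifest for explicitly declared, isolated dependencies.

Added example, not the talk's code. Two things are checked: every requirement is
pinned to an exact version (==), and every requirement carries a --hash so the
installer refuses any artifact other than the one that was reviewed.
"""
import re

# Constructed sample manifest; names and the hash value are placeholders.
SAMPLE_REQUIREMENTS = """\
# application dependencies
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
flask>=2.0
pyyaml==6.0.1
-e git+https://example.invalid/internal/lib.git#egg=internal-lib
"""

# name, then an optional version specifier such as ==1.2.3 or >=2.0
REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?P<spec>[=<>!~]=?[^\s;]*)?")


def _logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines.

    pip only treats '#' as a comment when it starts the line or follows
    whitespace, so a '#egg=' fragment inside a URL is left alone."""
    buf = []
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)#", raw, 1)[0].rstrip()
        if not line:
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        yield " ".join(buf)
        buf = []
    if buf:
        yield " ".join(buf)


def audit_requirements(text):
    """Return a list of (requirement, problem) findings; an empty list means clean."""
    findings = []
    for line in _logical_lines(text):
        if line.startswith("-e ") or line.startswith("--editable"):
            findings.append((line, "editable/VCS install: not a reviewed, hashed artifact"))
            continue
        if line.startswith("-"):
            continue  # other pip options (e.g. --index-url) are out of scope here
        m = REQ_RE.match(line)
        if not m:
            findings.append((line, "unparseable requirement"))
            continue
        name, spec = m.group("name"), m.group("spec") or ""
        if not spec.startswith("=="):
            findings.append((name, f"not pinned to an exact version (spec {spec!r})"))
        if "--hash=" not in line:
            findings.append((name, "no --hash: a substituted artifact would install silently"))
    return findings


if __name__ == "__main__":
    for req, problem in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{req}: {problem}")
```

Running it against the sample manifest flags flask (range specifier, no hash), pyyaml (no hash) and the editable VCS line, while the fully pinned and hashed requests entry passes. Wiring a check like this into CI is what turns "known dependencies" into something the pipeline enforces rather than something a reviewer has to remember.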
14. X. Dev/Prod Parity
• Independent test results are applicable to the final deployment
Keep development, staging, and production as similar as possible
15. XI. Logs
• Integrate with cloud logging (e.g., CloudWatch) and SIEMs
Treat logs as event streams
16. XII. Admin Processes
• Reduced attack surface
• Easier to monitor these risky events
Run admin/management tasks as one-off processes
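The log and admin-process factors fit together: the app writes one structured event per line to stdout and never touches log files, the platform's collector (a CloudWatch agent, a SIEM forwarder) picks the stream up, and a one-off admin task is just another process writing into that same stream. The block below is an added example covering both slides; it is not code from the talk, from Heroku or from any SIEM vendor. The event names, the sample log lines and the IAM role ARN are constructed placeholders, and the only platform assumption is that stdout is collected.

```python
"""Logs as an event stream, with admin work run as logged one-off processes.

Added example, not the talk's code. Emits JSON events to stdout (Factor XI),
wraps an admin task so its start and finish are part of the stream (Factor XII),
and shows the consumer side: a rule a SIEM would run over the collected lines.
"""
import io
import json
import sys
import time
from collections import Counter


def emit(kind, out=None, **fields):
    """Write one JSON event per line; no files, no rotation, no log handlers."""
    event = {"ts": round(time.time(), 3), "event": kind, **fields}
    (out or sys.stdout).write(json.dumps(event, sort_keys=True) + "\n")
    return event


def run_admin_task(name, actor, task, out=None):
    """Run an admin task as a one-off process that emits its own audit trail.

    'actor' is whoever invoked it (assumed to come from the platform's identity,
    e.g. the IAM principal the job runs as); the start/finish pair is what a
    monitoring rule keys on, and a failure is recorded rather than lost."""
    emit("admin.task.start", out, task=name, actor=actor)
    try:
        result = task()
        emit("admin.task.finish", out, task=name, actor=actor, ok=True)
        return result
    except Exception as exc:
        emit("admin.task.finish", out, task=name, actor=actor, ok=False,
             error=type(exc).__name__)
        raise


def summarize(lines, failure_threshold=3):
    """Consumer side: count failed logins per source address and list every
    admin task that ran. Non-JSON lines from other processes sharing the
    stream are skipped rather than treated as errors."""
    failures = Counter()
    admin_runs = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event") == "auth.login" and ev.get("ok") is False:
            failures[ev.get("src_ip", "unknown")] += 1
        elif ev.get("event") == "admin.task.finish":
            admin_runs.append((ev.get("task"), ev.get("actor"), ev.get("ok")))
    suspicious = {ip: n for ip, n in failures.items() if n >= failure_threshold}
    return {"suspicious_sources": suspicious, "admin_runs": admin_runs}


# Constructed sample stream: three failed logins from one documentation-range
# address, one success, and a non-JSON line from a sidecar.
SAMPLE_STREAM = [
    '{"event": "auth.login", "ok": false, "src_ip": "203.0.113.5", "user": "alice"}',
    '{"event": "auth.login", "ok": false, "src_ip": "203.0.113.5", "user": "bob"}',
    '{"event": "auth.login", "ok": true, "src_ip": "198.51.100.7", "user": "carol"}',
    '{"event": "auth.login", "ok": false, "src_ip": "203.0.113.5", "user": "dave"}',
    "plain text line from a sidecar that is not JSON",
]


def demo():
    """Run a one-off admin task into an in-memory stream, then analyse that
    stream together with the constructed sample lines."""
    buf = io.StringIO()
    # Placeholder principal; a real deployment would read it from the job's identity.
    run_admin_task("rotate-api-keys", "arn:aws:iam::123456789012:role/ops-oncall",
                   lambda: "rotated 3 keys", out=buf)
    return summarize(SAMPLE_STREAM + buf.getvalue().splitlines())


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because every instance of the app (and every one-off admin process) writes the same shape of event to the same kind of stream, the same detection rule works unchanged whether there is one instance in a test environment or N in production; that is the "easier to monitor" claim made concrete.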
17. Wins
• Tests can be run simultaneously AND independently
• It’s easy to add another instance of an app or a whole environment
• Applications are designed for easy integration with other tools, including cloud security platforms
• Common operational patterns can be used to make the application more resilient against a variety of failures and attacks