SlideShare ist ein Scribd-Unternehmen logo

Using Cloud to Improve AppSec

Phillip Marlow
Phillip Marlow

A lot of focus has been placed on securing the cloud, but the cloud can also be used to help secure applications. Find out how the same principles that apply to building cloud scale applications can also be used to deploy test environments in the cloud that support application security testing. Never again fear that your automated security testing, penetration testing, and customer A/B testing will collide. This talk will cover how applications that abide by the 12 Factors (https://12factor.net/) are easier to test. It will also discuss how the extreme flexibility of cloud resources allows easy separation of different types of application testing, ensuring that security tests can be run without interfering with business objectives.

Technologie
1 von 18
Using the Cloud to Improve AppSec Phillip Marlow SANS CloudSecNext Summit 2021 Approved for Public Release; Distribution Unlimited. Case Number 21-1574
Disclaimers Approved for Public Release; Distribution Unlimited. Case Number 21-1574 ©2021 The MITRE Corporation. ALL RIGHTS RESERVED. The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author.
Too Long; Didn’t Listen • Designing applications and services for the cloud helps achieve security improvements – even if the application is never deployed to the cloud • This makes applications more resilient against technical and environmental failures as well as attacks • It also improves the business’ ability to deliver on their mission
> iam list-roles • Developer • Systems Engineer • DevOps Engineer • Cloud Engineer • Security Engineer • Advisor • Manager • Architect • Hacker • Builder of Things
Why AppSec? • Everything is an application • Applications are core to the business, so their security should be too • Bad application security beats good add-on defenses
Typical Application Promotion Process Development.env Test.env Production.env Application v1.0 Application v1.0 Application v1.0
Application Development Process Development Test Production Application v1.0-katherine Application v1.0-jenny Application v1.1 Application v1.0-katherine Application v1.0-jenny Application v1.1 Application v1.1
Mature Application Deployment Process Development Test Production Application v1.0-katherine Application v1.0-jenny Application v1.1 Application v1.0-katherine Application v1.0-jenny Application v1.1 – instance 1 Application v1.1 Application v1.1 – instance N Test App2 v2.1 App2 v2.1 App2 v2.1
The Big Problem • Can multiple versions of an application be hosted in each environment? • This design creates choke points on work at each environment
Designing for the Cloud is Better • The Twelve-Factor App, developed by Adam Wiggins & Heroku • https://12factor.net/ Apps that: • Use declarative formats for setup automation, to minimize time and cost for new developers joining the project; • Have a clean contract with the underlying operating system, offering maximum portability between execution environments; • Are suitable for deployment on modern cloud platforms, obviating the need for servers and systems administration; • Minimize divergence between development and production, enabling continuous deployment for maximum agility; • And can scale up without significant changes to tooling, architecture, or development practices.
Twelve-Factor Alternatives • Microservices Reference Architecture from NGINX • https://www.nginx.com/blog/introducing-the-nginx- microservices-reference-architecture/ • Beyond the Twelve-Factor App by Kevin Hoffman • https://www.oreilly.com/library/view/beyond-the-twelve- factor/9781492042631/
I. Codebase • Partially solves the big problem of multiple deploys in an environment One codebase tracked in revision control, many deploys
II. Dependencies • Known dependencies are a start to supply chain risk management • No reliance on dependencies installed in the deployment environment makes it possible to scale the number of deployments and environments as needed Explicitly declare and isolate dependencies
X. Dev/Prod Parity • Independent tests results are applicable to the final deployment Keep development, staging, and production as similar as possible
XI. Logs • Integrate with cloud logging (e.g., CloudWatch) and SIEMs Treat logs as event streams
XII. Admin Processes • Reduced attack surface • Easier to monitor these risky events Run admin/management tasks as one-off processes
Wins • Tests can be run simultaneously AND independently • It’s easy to add another instance of an app or a whole environment • Applications are designed for easy integration with other tools, including cloud security platforms • Common operational patterns can be used to make the application more resilient against a variety of failures and attacks
Thank You! Phillip Marlow @wolramp

Empfohlen

Testing 12-Factor Apps
Testing 12-Factor AppsTesting 12-Factor Apps
Testing 12-Factor AppsPhillip Marlow
 
Application Darwinism - Why Most Enterprise Apps Will Evolve to the Cloud
Application Darwinism - Why Most Enterprise Apps Will Evolve to the CloudApplication Darwinism - Why Most Enterprise Apps Will Evolve to the Cloud
Application Darwinism - Why Most Enterprise Apps Will Evolve to the CloudSkytap Cloud
 
InterConnect 2015: 3045 Hybrid Cloud - How to get a return from an investment...
InterConnect 2015: 3045 Hybrid Cloud - How to get a return from an investment...InterConnect 2015: 3045 Hybrid Cloud - How to get a return from an investment...
InterConnect 2015: 3045 Hybrid Cloud - How to get a return from an investment...Daniel Berg
 
Hybrid Cloud: How to Get a Return from an Investment Made Three Decades Ago (...
Hybrid Cloud: How to Get a Return from an Investment Made Three Decades Ago (...Hybrid Cloud: How to Get a Return from an Investment Made Three Decades Ago (...
Hybrid Cloud: How to Get a Return from an Investment Made Three Decades Ago (...Michael Elder
 
Accelarting Hybrid Cloud Adoption through Use Cases in vCloud Air
Accelarting Hybrid Cloud Adoption through Use Cases in vCloud AirAccelarting Hybrid Cloud Adoption through Use Cases in vCloud Air
Accelarting Hybrid Cloud Adoption through Use Cases in vCloud AirNitin Saxena
 
ThatConference 2016 - Highly Available Node.js
ThatConference 2016 - Highly Available Node.jsThatConference 2016 - Highly Available Node.js
ThatConference 2016 - Highly Available Node.jsBrad Williams
 
End to-End Monitoring for ITSM and DevOps
End to-End Monitoring for ITSM and DevOpsEnd to-End Monitoring for ITSM and DevOps
End to-End Monitoring for ITSM and DevOpseG Innovations
 
Combining Cloud Native & PaaS: Building a Fully Managed Application Platform ...
Combining Cloud Native & PaaS: Building a Fully Managed Application Platform ...Combining Cloud Native & PaaS: Building a Fully Managed Application Platform ...
Combining Cloud Native & PaaS: Building a Fully Managed Application Platform ...DigitalOcean
 

Empfohlen

Testing 12-Factor Apps
Testing 12-Factor AppsTesting 12-Factor Apps
Testing 12-Factor AppsPhillip Marlow
 
Application Darwinism - Why Most Enterprise Apps Will Evolve to the Cloud
Application Darwinism - Why Most Enterprise Apps Will Evolve to the CloudApplication Darwinism - Why Most Enterprise Apps Will Evolve to the Cloud
Application Darwinism - Why Most Enterprise Apps Will Evolve to the CloudSkytap Cloud
 
InterConnect 2015: 3045 Hybrid Cloud - How to get a return from an investment...
InterConnect 2015: 3045 Hybrid Cloud - How to get a return from an investment...InterConnect 2015: 3045 Hybrid Cloud - How to get a return from an investment...
InterConnect 2015: 3045 Hybrid Cloud - How to get a return from an investment...Daniel Berg
 
Hybrid Cloud: How to Get a Return from an Investment Made Three Decades Ago (...
Hybrid Cloud: How to Get a Return from an Investment Made Three Decades Ago (...Hybrid Cloud: How to Get a Return from an Investment Made Three Decades Ago (...
Hybrid Cloud: How to Get a Return from an Investment Made Three Decades Ago (...Michael Elder
 
Accelarting Hybrid Cloud Adoption through Use Cases in vCloud Air
Accelarting Hybrid Cloud Adoption through Use Cases in vCloud AirAccelarting Hybrid Cloud Adoption through Use Cases in vCloud Air
Accelarting Hybrid Cloud Adoption through Use Cases in vCloud AirNitin Saxena
 
ThatConference 2016 - Highly Available Node.js
ThatConference 2016 - Highly Available Node.jsThatConference 2016 - Highly Available Node.js
ThatConference 2016 - Highly Available Node.jsBrad Williams
 
End to-End Monitoring for ITSM and DevOps
End to-End Monitoring for ITSM and DevOpsEnd to-End Monitoring for ITSM and DevOps
End to-End Monitoring for ITSM and DevOpseG Innovations
 
Combining Cloud Native & PaaS: Building a Fully Managed Application Platform ...
Combining Cloud Native & PaaS: Building a Fully Managed Application Platform ...Combining Cloud Native & PaaS: Building a Fully Managed Application Platform ...
Combining Cloud Native & PaaS: Building a Fully Managed Application Platform ...DigitalOcean
 
Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto NetworksSecurity Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto NetworksDevOps.com
 
Application Darwinism: Why Most Enterprise Apps Will Move to the Cloud (SVC20...
Application Darwinism: Why Most Enterprise Apps Will Move to the Cloud (SVC20...Application Darwinism: Why Most Enterprise Apps Will Move to the Cloud (SVC20...
Application Darwinism: Why Most Enterprise Apps Will Move to the Cloud (SVC20...Amazon Web Services
 
How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks Ulf Mattsson
 
Microservices
MicroservicesMicroservices
MicroservicesAxEdge Consulting
 
2022: 6 Cloud-Native App Development Trends to Transform Your Business
2022: 6 Cloud-Native App Development Trends to Transform Your Business2022: 6 Cloud-Native App Development Trends to Transform Your Business
2022: 6 Cloud-Native App Development Trends to Transform Your BusinessWeCode Inc
 
Diving Into Docker
Diving Into Docker Diving Into Docker
Diving Into Docker XebiaLabs
 
Infrastructure as Code in Large Scale Organizations
Infrastructure as Code in Large Scale OrganizationsInfrastructure as Code in Large Scale Organizations
Infrastructure as Code in Large Scale OrganizationsXebiaLabs
 
Shift Left for More Secure Apps with F5 NGINX
Shift Left for More Secure Apps with F5 NGINXShift Left for More Secure Apps with F5 NGINX
Shift Left for More Secure Apps with F5 NGINXNGINX, Inc.
 
Cloud Infrastructure Modernisation Guide
Cloud Infrastructure Modernisation GuideCloud Infrastructure Modernisation Guide
Cloud Infrastructure Modernisation GuideMontel Intergalactic
 
Mendix Platform
Mendix PlatformMendix Platform
Mendix PlatformSAKTHIVEL PERIYASAMY
 
VMworld 2015: No App is An Island
VMworld 2015: No App is An IslandVMworld 2015: No App is An Island
VMworld 2015: No App is An IslandVMworld
 
Enabling multicloud in the enterprise with DevSecOps
Enabling multicloud in the enterprise with DevSecOpsEnabling multicloud in the enterprise with DevSecOps
Enabling multicloud in the enterprise with DevSecOpsJosh Boyd
 
Continuous Delivery for cloud - scenarios and scope
Continuous Delivery for cloud - scenarios and scopeContinuous Delivery for cloud - scenarios and scope
Continuous Delivery for cloud - scenarios and scopeSanjeev Sharma
 
What is Cloud Native Explained?
What is Cloud Native Explained?What is Cloud Native Explained?
What is Cloud Native Explained?jeetendra mandal
 
Azure Application Modernization
Azure Application ModernizationAzure Application Modernization
Azure Application ModernizationKarina Matos
 
Secured APIM-as-a-Service
Secured APIM-as-a-ServiceSecured APIM-as-a-Service
Secured APIM-as-a-ServiceNGINX, Inc.
 
The Advent of Serverless Technologies
The Advent of Serverless TechnologiesThe Advent of Serverless Technologies
The Advent of Serverless TechnologiesCloudflare
 
Dev ops for mainframe innovate session 2402
Dev ops for mainframe innovate session 2402Dev ops for mainframe innovate session 2402
Dev ops for mainframe innovate session 2402Rosalind Radcliffe
 
Cloud Native Ninja - kickoff.pdf
Cloud Native Ninja - kickoff.pdfCloud Native Ninja - kickoff.pdf
Cloud Native Ninja - kickoff.pdfNilesh Gule
 
Ms.azure in detail
Ms.azure in detailMs.azure in detail
Ms.azure in detailNeethu Kuruvilla
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 

Weitere ähnliche Inhalte

Ähnlich wie Using Cloud to Improve AppSec

Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto NetworksSecurity Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto NetworksDevOps.com
 
Application Darwinism: Why Most Enterprise Apps Will Move to the Cloud (SVC20...
Application Darwinism: Why Most Enterprise Apps Will Move to the Cloud (SVC20...Application Darwinism: Why Most Enterprise Apps Will Move to the Cloud (SVC20...
Application Darwinism: Why Most Enterprise Apps Will Move to the Cloud (SVC20...Amazon Web Services
 
How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks Ulf Mattsson
 
2022: 6 Cloud-Native App Development Trends to Transform Your Business
2022: 6 Cloud-Native App Development Trends to Transform Your Business2022: 6 Cloud-Native App Development Trends to Transform Your Business
2022: 6 Cloud-Native App Development Trends to Transform Your BusinessWeCode Inc
 
Diving Into Docker
Diving Into Docker Diving Into Docker
Diving Into Docker XebiaLabs
 
Infrastructure as Code in Large Scale Organizations
Infrastructure as Code in Large Scale OrganizationsInfrastructure as Code in Large Scale Organizations
Infrastructure as Code in Large Scale OrganizationsXebiaLabs
 
Shift Left for More Secure Apps with F5 NGINX
Shift Left for More Secure Apps with F5 NGINXShift Left for More Secure Apps with F5 NGINX
Shift Left for More Secure Apps with F5 NGINXNGINX, Inc.
 
Cloud Infrastructure Modernisation Guide
Cloud Infrastructure Modernisation GuideCloud Infrastructure Modernisation Guide
Cloud Infrastructure Modernisation GuideMontel Intergalactic
 
VMworld 2015: No App is An Island
VMworld 2015: No App is An IslandVMworld 2015: No App is An Island
VMworld 2015: No App is An IslandVMworld
 
Enabling multicloud in the enterprise with DevSecOps
Enabling multicloud in the enterprise with DevSecOpsEnabling multicloud in the enterprise with DevSecOps
Enabling multicloud in the enterprise with DevSecOpsJosh Boyd
 
Continuous Delivery for cloud - scenarios and scope
Continuous Delivery for cloud - scenarios and scopeContinuous Delivery for cloud - scenarios and scope
Continuous Delivery for cloud - scenarios and scopeSanjeev Sharma
 
What is Cloud Native Explained?
What is Cloud Native Explained?What is Cloud Native Explained?
What is Cloud Native Explained?jeetendra mandal
 
Azure Application Modernization
Azure Application ModernizationAzure Application Modernization
Azure Application ModernizationKarina Matos
 
Secured APIM-as-a-Service
Secured APIM-as-a-ServiceSecured APIM-as-a-Service
Secured APIM-as-a-ServiceNGINX, Inc.
 
The Advent of Serverless Technologies
The Advent of Serverless TechnologiesThe Advent of Serverless Technologies
The Advent of Serverless TechnologiesCloudflare
 
Dev ops for mainframe innovate session 2402
Dev ops for mainframe innovate session 2402Dev ops for mainframe innovate session 2402
Dev ops for mainframe innovate session 2402Rosalind Radcliffe
 
Cloud Native Ninja - kickoff.pdf
Cloud Native Ninja - kickoff.pdfCloud Native Ninja - kickoff.pdf
Cloud Native Ninja - kickoff.pdfNilesh Gule
 

Ähnlich wie Using Cloud to Improve AppSec (20)

Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto NetworksSecurity Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
 
Application Darwinism: Why Most Enterprise Apps Will Move to the Cloud (SVC20...
Application Darwinism: Why Most Enterprise Apps Will Move to the Cloud (SVC20...Application Darwinism: Why Most Enterprise Apps Will Move to the Cloud (SVC20...
Application Darwinism: Why Most Enterprise Apps Will Move to the Cloud (SVC20...
 
How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks
 
Microservices
MicroservicesMicroservices
Microservices
 
2022: 6 Cloud-Native App Development Trends to Transform Your Business
2022: 6 Cloud-Native App Development Trends to Transform Your Business2022: 6 Cloud-Native App Development Trends to Transform Your Business
2022: 6 Cloud-Native App Development Trends to Transform Your Business
 
Diving Into Docker
Diving Into Docker Diving Into Docker
Diving Into Docker
 
Infrastructure as Code in Large Scale Organizations
Infrastructure as Code in Large Scale OrganizationsInfrastructure as Code in Large Scale Organizations
Infrastructure as Code in Large Scale Organizations
 
Shift Left for More Secure Apps with F5 NGINX
Shift Left for More Secure Apps with F5 NGINXShift Left for More Secure Apps with F5 NGINX
Shift Left for More Secure Apps with F5 NGINX
 
Cloud Infrastructure Modernisation Guide
Cloud Infrastructure Modernisation GuideCloud Infrastructure Modernisation Guide
Cloud Infrastructure Modernisation Guide
 
Mendix Platform
Mendix PlatformMendix Platform
Mendix Platform
 
VMworld 2015: No App is An Island
VMworld 2015: No App is An IslandVMworld 2015: No App is An Island
VMworld 2015: No App is An Island
 
Enabling multicloud in the enterprise with DevSecOps
Enabling multicloud in the enterprise with DevSecOpsEnabling multicloud in the enterprise with DevSecOps
Enabling multicloud in the enterprise with DevSecOps
 
Continuous Delivery for cloud - scenarios and scope
Continuous Delivery for cloud - scenarios and scopeContinuous Delivery for cloud - scenarios and scope
Continuous Delivery for cloud - scenarios and scope
 
What is Cloud Native Explained?
What is Cloud Native Explained?What is Cloud Native Explained?
What is Cloud Native Explained?
 
Azure Application Modernization
Azure Application ModernizationAzure Application Modernization
Azure Application Modernization
 
Secured APIM-as-a-Service
Secured APIM-as-a-ServiceSecured APIM-as-a-Service
Secured APIM-as-a-Service
 
The Advent of Serverless Technologies
The Advent of Serverless TechnologiesThe Advent of Serverless Technologies
The Advent of Serverless Technologies
 
Dev ops for mainframe innovate session 2402
Dev ops for mainframe innovate session 2402Dev ops for mainframe innovate session 2402
Dev ops for mainframe innovate session 2402
 
Cloud Native Ninja - kickoff.pdf
Cloud Native Ninja - kickoff.pdfCloud Native Ninja - kickoff.pdf
Cloud Native Ninja - kickoff.pdf
 
Ms.azure in detail
Ms.azure in detailMs.azure in detail
Ms.azure in detail
 

Kürzlich hochgeladen

Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Kürzlich hochgeladen (20)

Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

Using Cloud to Improve AppSec

  • 1. Using the Cloud to Improve AppSec Phillip Marlow SANS CloudSecNext Summit 2021 Approved for Public Release; Distribution Unlimited. Case Number 21-1574
  • 2. Disclaimers Approved for Public Release; Distribution Unlimited. Case Number 21-1574 ©2021 The MITRE Corporation. ALL RIGHTS RESERVED. The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author.
  • 3. Too Long; Didn’t Listen • Designing applications and services for the cloud helps achieve security improvements – even if the application is never deployed to the cloud • This makes applications more resilient against technical and environmental failures as well as attacks • It also improves the business’ ability to deliver on their mission
  • 4. > iam list-roles • Developer • Systems Engineer • DevOps Engineer • Cloud Engineer • Security Engineer • Advisor • Manager • Architect • Hacker • Builder of Things
  • 5. Why AppSec? • Everything is an application • Applications are core to the business, so their security should be too • Bad application security beats good add-on defenses
  • 6. Typical Application Promotion Process Development.env Test.env Production.env Application v1.0 Application v1.0 Application v1.0
  • 7. Application Development Process Development Test Production Application v1.0-katherine Application v1.0-jenny Application v1.1 Application v1.0-katherine Application v1.0-jenny Application v1.1 Application v1.1
  • 8. Mature Application Deployment Process Development Test Production Application v1.0-katherine Application v1.0-jenny Application v1.1 Application v1.0-katherine Application v1.0-jenny Application v1.1 – instance 1 Application v1.1 Application v1.1 – instance N Test App2 v2.1 App2 v2.1 App2 v2.1
  • 9. The Big Problem • Can multiple versions of an application be hosted in each environment? • This design creates choke points on work at each environment
  • 10. Designing for the Cloud is Better • The Twelve-Factor App, developed by Adam Wiggins & Heroku • https://12factor.net/ Apps that: • Use declarative formats for setup automation, to minimize time and cost for new developers joining the project; • Have a clean contract with the underlying operating system, offering maximum portability between execution environments; • Are suitable for deployment on modern cloud platforms, obviating the need for servers and systems administration; • Minimize divergence between development and production, enabling continuous deployment for maximum agility; • And can scale up without significant changes to tooling, architecture, or development practices.
  • 11. Twelve-Factor Alternatives • Microservices Reference Architecture from NGINX • https://www.nginx.com/blog/introducing-the-nginx- microservices-reference-architecture/ • Beyond the Twelve-Factor App by Kevin Hoffman • https://www.oreilly.com/library/view/beyond-the-twelve- factor/9781492042631/
  • 12. I. Codebase • Partially solves the big problem of multiple deploys in an environment One codebase tracked in revision control, many deploys
  • 13. II. Dependencies • Known dependencies are a start to supply chain risk management • No reliance on dependencies installed in the deployment environment makes it possible to scale the number of deployments and environments as needed Explicitly declare and isolate dependencies
  • 14. X. Dev/Prod Parity • Independent tests results are applicable to the final deployment Keep development, staging, and production as similar as possible
  • 15. XI. Logs • Integrate with cloud logging (e.g., CloudWatch) and SIEMs Treat logs as event streams
  • 16. XII. Admin Processes • Reduced attack surface • Easier to monitor these risky events Run admin/management tasks as one-off processes
  • 17. Wins • Tests can be run simultaneously AND independently • It’s easy to add another instance of an app or a whole environment • Applications are designed for easy integration with other tools, including cloud security platforms • Common operational patterns can be used to make the application more resilient against a variety of failures and attacks