Strategies on How to Overcome Security Challenges Unique to Cloud-Native Apps
2 likes422 views
The document discusses strategies to tackle security challenges associated with cloud-native applications, emphasizing the need for faster, integrated security measures that coincide with development and deployment processes. It highlights the importance of visibility and feedback as key components in modern security practices, advocating for a blend of bug bounty programs and penetration tests to enhance vulnerability detection. Ultimately, the text reiterates that security must evolve to keep pace with rapid software development while ensuring robust protection against potential attacks.
![Visibility + Feedback success story:
“I discovered the vulnerability late Friday afternoon and
wasn't quite ready to email it to them … [Etsy] had
detected my requests and pushed a patch Saturday
morning before I could email them. This was by far the
fastest response time by any company I've reported to.”
- Source: https://www.reddit.com/r/netsec/comments/vbrzg/
etsy_has_been_one_of_the_best_companies_ive](https://image.slidesharecdn.com/strategiesonhowtoovercomesecuritychallengesuniquetocloud-nativeapps-170518014129/85/Strategies-on-How-to-Overcome-Security-Challenges-Unique-to-Cloud-Native-Apps-46-320.jpg)
Strategies on How to Overcome Security Challenges Unique to Cloud-Native Apps
- 1. Strategies on How to Overcome Security Challenges Unique to Cloud- Native Apps Zane Lackey @ZaneLackey Kamala Dasika @DasikaKN
- 2. © Copyright 2017 Pivotal Software, Inc. All rights reserved. Transform how the world builds software. Modern Software Methodology | Modern Cloud-Native Platform About Pivotal
- 4. © Copyright 2017 Pivotal Software, Inc. All rights reserved. 76% 35% 100- 150 * April 2017 Internet Security Threat Report + Web Applications Security Statistics Report 2016 Websites with Vulnerabilities* Increase in Ransomeware* Days to Patch/Fix in Enterprises+ Security Matters to All of Us
- 5. © Copyright 2017 Pivotal Software, Inc. All rights reserved. Bespoke Application Process Drives Complex, Manual Deploys & Waterfall Release Cycles
- 6. © Copyright 2017 Pivotal Software, Inc. All rights reserved. The brittle stack. The long accreditation cycle. The culture of no. The unpatched server. The un-versioned application. The inconsistent configuration The leaked credential. Security Tradition
- 7. © Copyright 2017 Pivotal Software, Inc. All rights reserved. Security Tradition Reduce risk by slowing down.
- 8. © Copyright 2017 Pivotal Software, Inc. All rights reserved. Reduce risk by going faster.Cloud Native Security
- 9. © Copyright 2017 Pivotal Software, Inc. All rights reserved. CORE PILLARS Turn-key Compliance Repair Repave Rotate Starve Resources Needed for Attacks Time/Delays, Misconfigured/Unpatched Software, Leaked Credentials Address vlnerabilities caused by
- 10. © Copyright 2017 Pivotal Software, Inc. All rights reserved. Immutable consistent infrastructure 2-layer scheduler Hardened container boundary Constant, full-stack patching Ephemeral servers Fully encrypted network Ubiquitous policy enforcement Control of software supply chain Monitoring and scanning integration Turn-key compliance Platform Security Concepts
- 11. © Copyright 2017 Pivotal Software, Inc. All rights reserved. Everything to Deploy and Manage the App 4. Health management 2. Metrics 3. Log Aggregation 1. Roles and Policy 5. Security and Isolation 7. Scaling 6. Blue- Green deploymentü Consistent Contracts ü Fully Automated, Repeatable platform managed DevOps processes ü Developer + Ops + Security Friendly Constructs ü Infrastructure Failure Agnostic Structured Automation
- 12. © Copyright 2017 Pivotal Software, Inc. All rights reserved. 12 Deployment & Buildpacks cf push cf push –b <buildpack> Deployed Artifact Detect (Buildpack) Compile (Dependencies) Release (Execution config & command) Community Buildpacks Custom Buildpacks Partner Buildpacks Built-In Code Artifacts
- 13. © Copyright 2017 Pivotal Software, Inc. All rights reserved. 13 Deployment & Buildpacks cf push cf push –b <buildpack> Deployed Artifact Detect (Buildpack) Compile (Dependencies) Release (Execution config & command) Community Buildpacks Custom Buildpacks Partner Buildpacks Built-In Code Artifacts Detect Compile Release
- 14. © Copyright 2017 Pivotal Software, Inc. All rights reserved. Stemcell Hardening • Stemcell = Bare minimal OS + PCF specific utilities and configuration files • Hardening guidance from commercial and govt. sources • BOSH Add Ons – Ensure certain software runs on all VMs managed by the Director. – E.g. security agents like Tripwire, IPsec, etc., anti- viruses like McAfee, health monitoring agents l and logging agents BOSH/ Ops Manager Stemcell VM VMVM VM VM VM Release Manifest (simplified to illustrate the point)
- 15. © Copyright 2017 Pivotal Software, Inc. All rights reserved. Stemcell Hardening • Stemcell = Bare minimal OS + PCF specific utilities and configuration files • Hardening guidance from commercial and govt. sources • BOSH Add Ons – Ensure certain software runs on all VMs managed by the Director. – E.g. security agents like Tripwire, IPsec, etc., anti- viruses like McAfee, health monitoring agents l and logging agents BOSH/ Ops Manager Stemcell VM VMVM VM VM VM Release Manifest (simplified to illustrate the point)
- 16. © Copyright 2017 Pivotal Software, Inc. All rights reserved. Each Layer Upgradable with No Downtime App Runtime* File system mapping Application Linux host & kernel Blue-Green deploy Canary style deploy * e.g. Embedded webserver, app configurations, JRE, agents for services packaged as buildpacks C o n t a i n e r
- 17. © Copyright 2017 Pivotal Software, Inc. All rights reserved. Upgrade and patch with rolling “canary” deploys X YM NA B Update introduced. If the tests pass, keep going X YM NA B X YM NA B Apps redeployed to clear VMs A,B,M,N,X,Y - Application instances - VM prior to update
- 18. © Copyright 2017 Pivotal Software, Inc. All rights reserved. Upgrade and patch with rolling “canary” deploys X YM NA B X YM NA B X YM N X YM NA B X YM NA B Automated, No downtime Atomic rolling update X YM NA B A B
- 19. 19 “The first time ever we fully upgraded Cloud Infrastructure with Zero Impact. In Production. During Business Hours. During Peak Business Hours.” Source: Internal Feedback Shown by Greg Otto, Executive Director@Comcast at Cloud Foundry Summit 2016
- 20. © Copyright 2017 Pivotal Software, Inc. All rights reserved. Guest Speaker: Zane Lackey • Started out in offense – iSEC Partners / NCC Group • Moved to defense – First head of security at Etsy, built and lead the four security groups • Now scaling defense for many orgs – Co-founder / CSO at Signal Sciences, delivering a product that defends web applications in the DevOps/Cloud world
- 21. Lessons learned being at the forefront of the shift to DevOps/Cloud
- 22. Spoiler: Security shifts from being a gatekeeper to enabling teams to be secure by default
- 24. The new realities in a DevSecOps world: 1. Changes happen multiple orders of magnitude faster than previously 2. Security only becomes successful if it can bake in to the Development/DevOps process 3. For many apps, cost of attack is so low you will be attacked even if you’re not a brand name
- 25. The new realities in a DevSecOps world: 1. Changes happen multiple orders of magnitude faster than previously 2. Security only becomes successful if it can bake in to the Development/DevOps process 3. For many apps, cost of attack is so low you will be attacked even if you’re not a brand name
- 26. The new realities in a DevSecOps world: 1. Changes happen multiple orders of magnitude faster than previously 2. Security only becomes successful if it can bake in to the Development/DevOps process 3. For many apps, cost of attack is so low you will be attacked even if you’re not a brand name
- 28. What new concepts should security focus on?
- 29. What new concepts should security focus on? Visibility + Feedback
- 30. Except… These aren’t new concepts!
- 31. Performance monitoring, data analytics, A/B testing are all about visibility + feedback
- 32. The same hard lessons are slowly shifting to security
- 33. First, a story from the old days…
- 36. How can we improve?
- 37. Ex: Which of these is a quicker way to spot an attack?
- 40. Surface security visibility for everyone, not just the security team (if the security team even exists)
- 43. Three keys to modern feedback loops: 1. Combination of bug bounty + pentests 2. Bounty is not a replacement for pentest, it augments pentest 3. Bounty gives general but more real time feedback, pentest shifts to giving more directed but less frequent feedback
- 44. Three keys to modern feedback loops: 1. Combination of bug bounty + pentests 2. Bounty is not a replacement for pentest, it augments pentest 3. Bounty gives general but more real time feedback, pentest shifts to giving more directed but less frequent feedback
- 45. Three keys to modern feedback loops: 1. Combination of bug bounty + pentests 2. Bounty is not a replacement for pentest, it augments pentest 3. Bounty gives general but more real time feedback, pentest shifts to giving more directed but less frequent feedback
- 46. Visibility + Feedback success story: “I discovered the vulnerability late Friday afternoon and wasn't quite ready to email it to them … [Etsy] had detected my requests and pushed a patch Saturday morning before I could email them. This was by far the fastest response time by any company I've reported to.” - Source: https://www.reddit.com/r/netsec/comments/vbrzg/ etsy_has_been_one_of_the_best_companies_ive
- 47. Embrace DevOps, Cloud, and other means of increasing velocity. But do safely by obtaining: Visibility + Feedback
- 48. Thanks!
- 49. Strategies on How to Overcome Security Challenges Unique to Cloud- Native Apps Zane Lackey @ZaneLackey Kamala Dasika @DasikaKN