Using the Cloud to Improve AppSec
Phillip Marlow
SANS CloudSecNext Summit 2021
Approved for Public Release; Distribution Unlimited. Case Number 21-1574
Disclaimers
©2021 The MITRE Corporation. ALL RIGHTS RESERVED. The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author.
Too Long; Didn’t Listen
• Designing applications and services for the cloud helps achieve security improvements, even if the application is never deployed to the cloud
• This makes applications more resilient against technical and environmental failures as well as attacks
• It also improves the business’ ability to deliver on their mission
> iam list-roles
• Developer
• Systems Engineer
• DevOps Engineer
• Cloud Engineer
• Security Engineer
• Advisor
• Manager
• Architect
• Hacker
• Builder of Things
Why AppSec?
• Everything is an application
• Applications are core to the business, so their security should be too
• Bad application security defeats even good add-on defenses
Typical Application Promotion Process
(Diagram: Development.env, Test.env and Production.env in sequence, with a single Application v1.0 promoted through each environment in turn.)
Application Development Process
(Diagram: Development and Test each host Application v1.0-katherine, Application v1.0-jenny and Application v1.1 side by side; Production hosts Application v1.1 only.)
Mature Application Deployment Process
(Diagram: Development and Test host Application v1.0-katherine, Application v1.0-jenny and Application v1.1; Production runs Application v1.1 as instance 1 through instance N; a second application, App2 v2.1, appears in each environment with its own Test stage.)
The Big Problem
• Can multiple versions of an application be hosted in each environment?
• This design creates choke points on work at each environment
Designing for the Cloud is Better
• The Twelve-Factor App, developed by Adam Wiggins & Heroku
• https://12factor.net/
Apps that:
• Use declarative formats for setup automation, to minimize time and cost for new developers joining the project;
• Have a clean contract with the underlying operating system, offering maximum portability between execution environments;
• Are suitable for deployment on modern cloud platforms, obviating the need for servers and systems administration;
• Minimize divergence between development and production, enabling continuous deployment for maximum agility;
• And can scale up without significant changes to tooling, architecture, or development practices.
Twelve-Factor Alternatives
• Microservices Reference Architecture from NGINX
• https://www.nginx.com/blog/introducing-the-nginx-microservices-reference-architecture/
• Beyond the Twelve-Factor App by Kevin Hoffman
• https://www.oreilly.com/library/view/beyond-the-twelve-factor/9781492042631/
I. Codebase: One codebase tracked in revision control, many deploys
• Partially solves the big problem of multiple deploys in an environment
II. Dependencies: Explicitly declare and isolate dependencies
• Known dependencies are a start to supply chain risk management
• No reliance on dependencies installed in the deployment environment makes it possible to scale the number of deployments and environments as needed
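As an added example (not code from the talk), the Python script below treats a pip requirements file as the application's declared dependency inventory and flags the entries that undermine factor II: a version range means the deployed artefact depends on whatever the index serves at install time, and a pin without a hash means the artefact is not bound to a reviewed distribution. The sample requirements text and its hash value are constructed for the illustration; parse_requirements, audit and audit_text are names chosen here.

```python
"""Audit a pip requirements file for explicitly declared, isolated dependencies.

Added example, not part of the talk. The requirements file is read as the
dependency inventory; entries that are not pinned with '==' or that carry no
--hash are reported so they can be fixed before the build is promoted.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample (not from the talk): line 1 is pinned and hashed, line 2
# is pinned but unhashed, line 3 is a version range.
SAMPLE_REQUIREMENTS = """\
# application dependencies
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
pyyaml==6.0.1
flask>=2.0
"""

_NAME_SPEC = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;]*)"
)
_HASH = re.compile(r"--hash=(\S+)")


@dataclass
class Requirement:
    name: str
    operator: str | None
    version: str
    hashes: list[str] = field(default_factory=list)

    @property
    def pinned(self) -> bool:
        return self.operator == "=="


def _logical_lines(text: str):
    """Join backslash-continued lines, drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def parse_requirements(text: str) -> list[Requirement]:
    """Parse package lines; option lines such as --index-url are skipped."""
    reqs: list[Requirement] = []
    for line in _logical_lines(text):
        if line.startswith("-"):
            continue
        match = _NAME_SPEC.match(line)
        if not match:
            continue
        name, operator, version = match.group(1).lower(), match.group(2), match.group(3)
        reqs.append(Requirement(name, operator, version, _HASH.findall(line)))
    return reqs


def audit(reqs: list[Requirement]) -> dict[str, list[str]]:
    """Return the inventory plus the entries that weaken supply chain control."""
    return {
        "inventory": sorted(r.name for r in reqs),
        "unpinned": [r.name for r in reqs if not r.pinned],
        "unhashed": [r.name for r in reqs if r.pinned and not r.hashes],
    }


def audit_text(text: str) -> dict[str, list[str]]:
    return audit(parse_requirements(text))


if __name__ == "__main__":
    for key, names in audit_text(SAMPLE_REQUIREMENTS).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

The "inventory" list is the known-dependency set the slide refers to; a build gate that fails on any "unpinned" or "unhashed" entry is what makes the same declared set install identically in every deployment and environment.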
X. Dev/Prod Parity: Keep development, staging, and production as similar as possible
• Independent test results are applicable to the final deployment
XI. Logs: Treat logs as event streams
• Integrate with cloud logging (e.g., CloudWatch) and SIEMs
XII. Admin Processes: Run admin/management tasks as one-off processes
• Reduced attack surface
• Easier to monitor these risky events
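The following Python block is an added example, not code from the talk, and shows factors XI and XII together: the application writes every event as one JSON line to stdout for the execution environment (container runtime, CloudWatch agent, SIEM forwarder) to collect, and an admin task runs as a one-off process bracketed by start and finish audit events on that same stream, so the risky action is visible next to ordinary application events. emit, run_admin_task, parse_stream and admin_activity are names chosen here; the task names, operators and sample lines in demo() are constructed.

```python
"""Logs as an event stream, with admin tasks as audited one-off processes.

Added example, not part of the talk. Nothing here opens a log file: events
go to a stream (stdout by default) and the consumer side, parse_stream() and
admin_activity(), reconstructs admin runs the way a SIEM rule would.
"""
from __future__ import annotations

import io
import json
import os
import sys
import time
import uuid
from typing import Any, Callable, TextIO


def emit(event: str, stream: TextIO = sys.stdout, **fields: Any) -> dict[str, Any]:
    """Write one event as a single JSON line and return the record."""
    record = {"ts": time.time(), "event": event, "pid": os.getpid(), **fields}
    stream.write(json.dumps(record, sort_keys=True) + "\n")
    stream.flush()
    return record


def run_admin_task(name: str, task: Callable[[], Any], *, operator: str,
                   stream: TextIO = sys.stdout) -> dict[str, Any]:
    """Run `task` once in this process, bracketed by audit events.

    A failure is logged with its exception type and then re-raised, so the
    one-off process exits non-zero and the stream still records the outcome.
    """
    task_id = uuid.uuid4().hex
    emit("admin.start", stream, task=name, task_id=task_id, operator=operator)
    started = time.monotonic()
    try:
        task()
    except Exception as exc:
        emit("admin.finish", stream, task=name, task_id=task_id, operator=operator,
             status="error", error=type(exc).__name__,
             duration_s=round(time.monotonic() - started, 3))
        raise
    return emit("admin.finish", stream, task=name, task_id=task_id, operator=operator,
                status="ok", duration_s=round(time.monotonic() - started, 3))


def parse_stream(text: str) -> list[dict[str, Any]]:
    """Consumer side: one JSON object per line; anything else is kept as 'unparsed'."""
    events: list[dict[str, Any]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            events.append({"event": "unparsed", "raw": line})
    return events


def admin_activity(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Detection-style view: every admin run, with its outcome or 'running' if unfinished."""
    runs: dict[str, dict[str, Any]] = {}
    for ev in events:
        if ev.get("event") == "admin.start":
            runs[ev["task_id"]] = {"task": ev["task"], "operator": ev["operator"],
                                   "status": "running"}
        elif ev.get("event") == "admin.finish" and ev.get("task_id") in runs:
            runs[ev["task_id"]]["status"] = ev["status"]
    return list(runs.values())


def demo() -> list[dict[str, Any]]:
    """Produce a constructed stream in memory and analyse it."""
    buf = io.StringIO()
    emit("request", buf, path="/health", status=200)
    run_admin_task("rotate-api-keys", lambda: None, operator="alice", stream=buf)
    try:
        run_admin_task("migrate-db", lambda: 1 / 0, operator="bob", stream=buf)
    except ZeroDivisionError:
        pass  # the one-off process would exit here; the finish event is already logged
    buf.write("plain text line that is not JSON\n")
    return admin_activity(parse_stream(buf.getvalue()))


if __name__ == "__main__":
    for run in demo():
        print(run)
```

Because the admin task is an ordinary process that shares the application's stream, monitoring it needs no extra agent or file path: a rule on event == "admin.start" with no matching "admin.finish" is enough to surface an abandoned or hung task.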
Wins
• Tests can be run simultaneously AND independently
• It’s easy to add another instance of an app or a whole environment
• Applications are designed for easy integration with other tools, including cloud security platforms
• Common operational patterns can be used to make the application more resilient against a variety of failures and attacks
Thank You!
Phillip Marlow
@wolramp
