
Application Security in a Container World - Akash Mahajan - BCC 2017


Docker containers have taken the developer world by storm and are poised to transform how the majority of applications are built, deployed and operated. This presentation from Akash talks about how to deal with application security in a container world.

Published in: Software

  1. APPSEC IN A CONTAINER WORLD. AKASH MAHAJAN - DIRECTOR, APPSECCO
  2. WE NOW LIVE IN A CONTAINER WORLD. # Container(Camp|Conf|World)
  3. IT/OPS AND DEVS ARE COMING TOGETHER. # devops
  4. THERE IS A MAJOR SHIFT IN SECURITY. #SHIFTLEFT - Shannon Lietz (Keynote at DevSecCon Asia 2017)
  5. APPSEC TESTING HAS TO BECOME PART OF THE DEVOPS OR BE LEFT BEHIND. The reality is, Microsoft Security Dev Lifecycle is about 17 years old!
  6. CONTAINERS ENABLE SELF-SERVICE, AN IMPORTANT ASPECT OF DEVOPS
  7. CONTINUOUS * PIPELINE MODE ON. CONTAINERS ENABLE INTEGRATION AND DEPLOYMENT ON TAP
  8. (Pipeline diagram, from http://stackoverflow.com/questions/28608015/continuous-integration-vs-continuous-delivery-vs-continuous-deployment) CHECK FOR SECURITY at stages 1, 2, 3, 4
  9. CONTAINERS, APP SEC & OWASP
  10. RELEVANT APPSEC RISKS FROM THE POINT OF VIEW OF CONTAINERS
     OWASP Top 10 Issue -> What is that?
     A1 Injection -> Stuff that harms the server
     A2 Broken AuthN / A4 Insecure Direct Object Reference -> Stuff that lets attackers access parts of the application, which allows them to upload stuff that harms the server
     A5 Security Misconfiguration -> Stuff that makes the infra supporting the app insecure
     A9 Using Components with Known Vulnerabilities -> Stuff that possibly enables any or all of the above, due to using 3rd party stuff
  11. A5 IS A SOLVED PROBLEM, MAYBE!! OWASP A5 - SECURITY MISCONFIGURATION
  12. PATCHED vs. UN-PATCHED
  13. IMMUTABLE INFRASTRUCTURE FTW!!! "THERE IS NO REASON TO HARDEN EVERY TIME, WE JUST START FROM SCRATCH AND TAKE THE LATEST PATCHED VERSION EVERY SINGLE TIME" - Akash Mahajan
  14. A9 CAN BE SOLVED WITH PRIVATE REPOS & REGISTRIES, MAYBE. OWASP A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES
  15. SO WHAT IS YOUR SECURITY NIGHTMARE, KEEPING YOU AWAKE?
  16. WHAT ABOUT APPLICATION'S SECURITY?
  17. WHAT IS THIS THAT IS GOING TO BURST OUR BUBBLE?
     15,000,000 RECORDS FOUND BECAUSE MANAGEMENT HAD WEAK PASSWORD ON APPLICATION
     3000 PASSPORTS AND DRIVER'S LICENSES LEAKED BECAUSE THE CONTRACTOR DIDN'T RESET THE CEO'S WEAK PASSWORD
     ROOT ON RETAIL E-COMMERCE SERVER BECAUSE OUTSOURCED VENDOR ALWAYS USES COMPANY NAME AS CMS ADMIN PASSWORD
  18. TYPICALLY AT THIS POINT PEOPLE TRY TO SOLVE SECURITY BY
  19. MONITORING IS NOT SECURITY. MONITORING IS NOT SECURITY. MONITORING IS NOT SECURITY.
  20. WHILE AUTHN AND AUTHZ GO A LONG WAY IN ENSURING SECURITY OF ACCESS
  21. NO AMOUNT OF AUTOMATION CAN SOLVE BIZ LOGIC ISSUES
  22. IF ALL YOUR PROCESS ALLOWS FOR IS A FINAL SECURITY REVIEW, THEN
  23. (Pipeline diagram, from http://stackoverflow.com/questions/28608015/continuous-integration-vs-continuous-delivery-vs-continuous-deployment) CHECK FOR SECURITY: 1 AUTOMATED, 2 AUTOMATED, 3 AUTOMATED, 4 NOT-AUTOMATED
  24. WHAT CAN THIS NON-AUTOMATED APPROACH LOOK LIKE? IS THERE A CHECKLIST WE CAN FOLLOW?
  25. TAKEAWAY
     Issues -> OWASP Top 10
     Input based -> A1, A3, A4, A8, A10
     Logic & Design based -> A2, A5, A6, A7
     Access Control -> A2, A5, A6, A7
     Any other -> A9
     API Testing -> Can span multiple
  26. THAT APPLICATION SECURITY GUY
  27. QUESTIONS? @makash | https://linkd.in/webappsecguy | akash@appsecco.com
