Successfully reported this slideshow.
Your SlideShare is downloading. ×

Using Cloud to Improve AppSec

Dec. 06, 2022
0 likes 3 views
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Upcoming SlideShare
Testing 12-Factor Apps
Testing 12-Factor Apps
Loading in …3
×

Check these out next

Container Patching: Cloud Native Security Con 2023
Greg Castle
SDNImpactonMPLS_AdrianFarrel_MPLS2012.ppt
MuhammadWaqasArshad10
Advance Website Helpdesk In odoo
Aagam infotech
GROUP 6 - MI.pptx
ReynanZamora2
DNS and BIND, 5th Edition.pdf
viditsir
CEPAR Conference _20230204.pdf
Nanda Mohan Shenoy
IOT In Home Automation.pptx
dtdsfg
ISV Email content.pptx
Ankur829275
1 of 18 Ad

Using Cloud to Improve AppSec

Dec. 06, 2022
0 likes 3 views
Technology

A lot of focus has been placed on securing the cloud, but the cloud can also be used to help secure applications. Find out how the same principles that apply to building cloud scale applications can also be used to deploy test environments in the cloud that support application security testing. Never again fear that your automated security testing, penetration testing, and customer A/B testing will collide. This talk will cover how applications that abide by the 12 Factors (https://12factor.net/) are easier to test. It will also discuss how the extreme flexibility of cloud resources allows easy separation of different types of application testing, ensuring that security tests can be run without interfering with business objectives.

A lot of focus has been placed on securing the cloud, but the cloud can also be used to help secure applications. Find out how the same principles that apply to building cloud scale applications can also be used to deploy test environments in the cloud that support application security testing. Never again fear that your automated security testing, penetration testing, and customer A/B testing will collide. This talk will cover how applications that abide by the 12 Factors (https://12factor.net/) are easier to test. It will also discuss how the extreme flexibility of cloud resources allows easy separation of different types of application testing, ensuring that security tests can be run without interfering with business objectives.

Technology
Advertisement

Recommended

Testing 12-Factor Apps
Phillip Marlow
3 views
17 slides
Hacking DevOps
Phillip Marlow
27 views
16 slides
Can't Touch This: Detecting Lateral Movement In Zero Touch Environments
Phillip Marlow
2 views
17 slides
Can't Touch This: Detecting Lateral Movement In Zero Touch Environments
Phillip Marlow
2 views
18 slides
Can't Touch This: Detecting Lateral Movement In Zero Touch Environments
Phillip Marlow
2 views
16 slides
Finding Secrets in Source Code the DevOps Way
Phillip Marlow
63 views
14 slides
Does your motivation need a kick start?
University of Southern Queensland
19k views
29 slides
Better than a New Year's Resolution: A New Mindset
Deepak Chopra MD (official)
307k views
7 slides
Advertisement

More Related Content

Recently uploaded (20)

Container Patching: Cloud Native Security Con 2023
Greg Castle
0 views
SDNImpactonMPLS_AdrianFarrel_MPLS2012.ppt
MuhammadWaqasArshad10
0 views
Advance Website Helpdesk In odoo
Aagam infotech
0 views
GROUP 6 - MI.pptx
ReynanZamora2
0 views
DNS and BIND, 5th Edition.pdf
viditsir
0 views
CEPAR Conference _20230204.pdf
Nanda Mohan Shenoy
0 views
IOT In Home Automation.pptx
dtdsfg
0 views
ISV Email content.pptx
Ankur829275
0 views
Chamber furnace Borel Swiss 1400°C
Borel Swiss
0 views
Best wrist watches for Men.pdf
samiaamin9
0 views
Industrial oven Borel Swiss 150°C
Borel Swiss
0 views
Rice Space Frontiers Talk-Rader-2.2.23.pdf
Steve Rader
0 views
Spesifikasi dan harga ASUS VivoBook Pro 14X OLED (N7401).pdf
Dot Semarang
0 views
cryptocurrency-security-standard-auditor-ccssa-guide.pdf
ssuser66b5d61
0 views
Chamber Furnaces Borel Swiss 1600°C
Borel Swiss
0 views
Thermoconvect Furnace 600°C
Borel Swiss
0 views
Cracked ammonia generator 950°C
Borel Swiss
0 views
S/4 HANA Hand Written Notes
Soumya De
0 views
New Company Slides.pptx
Ankur829275
0 views
Python Programming1.ppt
Rehnawilson1
0 views
Container Patching: Cloud Native Security Con 2023
Greg Castle
0 views
51 slides
SDNImpactonMPLS_AdrianFarrel_MPLS2012.ppt
MuhammadWaqasArshad10
0 views
20 slides
Advance Website Helpdesk In odoo
Aagam infotech
0 views
29 slides
GROUP 6 - MI.pptx
ReynanZamora2
0 views
47 slides
DNS and BIND, 5th Edition.pdf
viditsir
0 views
642 slides
CEPAR Conference _20230204.pdf
Nanda Mohan Shenoy
0 views
14 slides

Featured (20)

How to Plan and Set Financial Goals
Experian_US
23.6k views
Choose Your Own (Career) Adventure
Lauren Galanter
27.5k views
chatgpt dalle.pptx
Ellen Edmands
2.8k views
25 Mission Statements From the World's Most Valuable Brands
Palo Alto Software
2.1M views
Trying To Change A Habit? Beware These 5 Traps.
Gretchen Rubin
9.7k views
Statistics On The Importance Of Employee Feedback
Officevibe
32.4k views
25 Time Management Hacks to Kickstart the New Year
Étienne Garbugli
219.7k views
The 3 Secrets of Highly Successful Graduates
Reid Hoffman
828.4k views
12 Days of Productivity
Redbooth
92.3k views
Data Design: Where Math and Art Collide
Trina Chiasson
89.2k views
How a Smart Leader Sets SMART Goals
Weekdone.com
86.7k views
Getting Started With OKRs (Objective Key Results)
The Moonshot Planner
3k views
A Guide to the Holiday Job Search
Noelle Gross, Career Strategy Coach
5k views
How to Have Difficult Conversations
Mattan Griffel
485.5k views
How to pretend you know soccer
Devesh Khanal
19.4k views
10 Productivity Hacks Backed By Science
When I Work
52k views
5 Ways to Give Feedback that Elicits Real Change
BambooHR
380.7k views
The Best Study Tips Revealed
LinkedIn
47.6k views
Understanding Artificial Intelligence - Major concepts for enterprise applica...
APPANION
30.2k views
Four Public Speaking Tips From Standup Comedians
Ross Simmonds
100.7k views
How to Plan and Set Financial Goals
Experian_US
23.6k views
39 slides
Choose Your Own (Career) Adventure
Lauren Galanter
27.5k views
19 slides
chatgpt dalle.pptx
Ellen Edmands
2.8k views
20 slides
25 Mission Statements From the World's Most Valuable Brands
Palo Alto Software
2.1M views
32 slides
Trying To Change A Habit? Beware These 5 Traps.
Gretchen Rubin
9.7k views
7 slides
Statistics On The Importance Of Employee Feedback
Officevibe
32.4k views
17 slides
Advertisement

Using Cloud to Improve AppSec

  1. 1. Using the Cloud to Improve AppSec Phillip Marlow SANS CloudSecNext Summit 2021 Approved for Public Release; Distribution Unlimited. Case Number 21-1574
  2. 2. Disclaimers Approved for Public Release; Distribution Unlimited. Case Number 21-1574 ©2021 The MITRE Corporation. ALL RIGHTS RESERVED. The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author.
  3. 3. Too Long; Didn’t Listen • Designing applications and services for the cloud helps achieve security improvements – even if the application is never deployed to the cloud • This makes applications more resilient against technical and environmental failures as well as attacks • It also improves the business’ ability to deliver on their mission
  4. 4. > iam list-roles • Developer • Systems Engineer • DevOps Engineer • Cloud Engineer • Security Engineer • Advisor • Manager • Architect • Hacker • Builder of Things
  5. 5. Why AppSec? • Everything is an application • Applications are core to the business, so their security should be too • Bad application security beats good add-on defenses
  6. 6. Typical Application Promotion Process Development.env Test.env Production.env Application v1.0 Application v1.0 Application v1.0
  7. 7. Application Development Process Development Test Production Application v1.0-katherine Application v1.0-jenny Application v1.1 Application v1.0-katherine Application v1.0-jenny Application v1.1 Application v1.1
  8. 8. Mature Application Deployment Process Development Test Production Application v1.0-katherine Application v1.0-jenny Application v1.1 Application v1.0-katherine Application v1.0-jenny Application v1.1 – instance 1 Application v1.1 Application v1.1 – instance N Test App2 v2.1 App2 v2.1 App2 v2.1
  9. 9. The Big Problem • Can multiple versions of an application be hosted in each environment? • This design creates choke points on work at each environment
  10. 10. Designing for the Cloud is Better • The Twelve-Factor App, developed by Adam Wiggins & Heroku • https://12factor.net/ Apps that: • Use declarative formats for setup automation, to minimize time and cost for new developers joining the project; • Have a clean contract with the underlying operating system, offering maximum portability between execution environments; • Are suitable for deployment on modern cloud platforms, obviating the need for servers and systems administration; • Minimize divergence between development and production, enabling continuous deployment for maximum agility; • And can scale up without significant changes to tooling, architecture, or development practices.
  11. 11. Twelve-Factor Alternatives • Microservices Reference Architecture from NGINX • https://www.nginx.com/blog/introducing-the-nginx- microservices-reference-architecture/ • Beyond the Twelve-Factor App by Kevin Hoffman • https://www.oreilly.com/library/view/beyond-the-twelve- factor/9781492042631/
  12. 12. I. Codebase • Partially solves the big problem of multiple deploys in an environment One codebase tracked in revision control, many deploys
  13. 13. II. Dependencies • Known dependencies are a start to supply chain risk management • No reliance on dependencies installed in the deployment environment makes it possible to scale the number of deployments and environments as needed Explicitly declare and isolate dependencies
  14. 14. X. Dev/Prod Parity • Independent tests results are applicable to the final deployment Keep development, staging, and production as similar as possible
  15. 15. XI. Logs • Integrate with cloud logging (e.g., CloudWatch) and SIEMs Treat logs as event streams
  16. 16. XII. Admin Processes • Reduced attack surface • Easier to monitor these risky events Run admin/management tasks as one-off processes
  17. 17. Wins • Tests can be run simultaneously AND independently • It’s easy to add another instance of an app or a whole environment • Applications are designed for easy integration with other tools, including cloud security platforms • Common operational patterns can be used to make the application more resilient against a variety of failures and attacks
  18. 18. Thank You! Phillip Marlow @wolramp

×