Successfully reported this slideshow.
Your SlideShare is downloading. ×

Using Cloud to Improve AppSec

Dec. 06, 2022
0 likes 3 views
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Upcoming SlideShare
Testing 12-Factor Apps
Testing 12-Factor Apps
Loading in …3
×

Check these out next

Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
DevOps.com
Application Darwinism: Why Most Enterprise Apps Will Move to the Cloud (SVC20...
Amazon Web Services
How to go from waterfall app dev to secure agile development in 2 weeks
Ulf Mattsson
Microservices
AxEdge Consulting
2022: 6 Cloud-Native App Development Trends to Transform Your Business
WeCode Inc
Diving Into Docker
XebiaLabs
Infrastructure as Code in Large Scale Organizations
XebiaLabs
Shift Left for More Secure Apps with F5 NGINX
NGINX, Inc.
1 of 18 Ad

Using Cloud to Improve AppSec

Dec. 06, 2022
0 likes 3 views
Technology

A lot of focus has been placed on securing the cloud, but the cloud can also be used to help secure applications. Find out how the same principles that apply to building cloud scale applications can also be used to deploy test environments in the cloud that support application security testing. Never again fear that your automated security testing, penetration testing, and customer A/B testing will collide. This talk will cover how applications that abide by the 12 Factors (https://12factor.net/) are easier to test. It will also discuss how the extreme flexibility of cloud resources allows easy separation of different types of application testing, ensuring that security tests can be run without interfering with business objectives.

A lot of focus has been placed on securing the cloud, but the cloud can also be used to help secure applications. Find out how the same principles that apply to building cloud scale applications can also be used to deploy test environments in the cloud that support application security testing. Never again fear that your automated security testing, penetration testing, and customer A/B testing will collide. This talk will cover how applications that abide by the 12 Factors (https://12factor.net/) are easier to test. It will also discuss how the extreme flexibility of cloud resources allows easy separation of different types of application testing, ensuring that security tests can be run without interfering with business objectives.

Technology
Advertisement

Recommended

Testing 12-Factor Apps
Phillip Marlow
5 views
17 slides
Application Darwinism - Why Most Enterprise Apps Will Evolve to the Cloud
Skytap Cloud
497 views
28 slides
InterConnect 2015: 3045 Hybrid Cloud - How to get a return from an investment...
Daniel Berg
733 views
32 slides
Hybrid Cloud: How to Get a Return from an Investment Made Three Decades Ago (...
Michael Elder
1.2k views
32 slides
Accelarting Hybrid Cloud Adoption through Use Cases in vCloud Air
Nitin Saxena
505 views
43 slides
ThatConference 2016 - Highly Available Node.js
Brad Williams
226 views
27 slides
End to-End Monitoring for ITSM and DevOps
eG Innovations
766 views
45 slides
Combining Cloud Native & PaaS: Building a Fully Managed Application Platform ...
DigitalOcean
21 views
42 slides
Advertisement

More Related Content

Similar to Using Cloud to Improve AppSec (20)

Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
DevOps.com
415 views
Application Darwinism: Why Most Enterprise Apps Will Move to the Cloud (SVC20...
Amazon Web Services
1.4k views
How to go from waterfall app dev to secure agile development in 2 weeks
Ulf Mattsson
44 views
Microservices
AxEdge Consulting
50 views
2022: 6 Cloud-Native App Development Trends to Transform Your Business
WeCode Inc
7 views
Diving Into Docker
XebiaLabs
817 views
Infrastructure as Code in Large Scale Organizations
XebiaLabs
224 views
Shift Left for More Secure Apps with F5 NGINX
NGINX, Inc.
97 views
Cloud Infrastructure Modernisation Guide
Montel Intergalactic
84 views
Mendix Platform
SAKTHIVEL PERIYASAMY
631 views
VMworld 2015: No App is An Island
VMworld
257 views
Enabling multicloud in the enterprise with DevSecOps
Josh Boyd
441 views
Continuous Delivery for cloud - scenarios and scope
Sanjeev Sharma
2.4k views
What is Cloud Native Explained?
jeetendra mandal
10 views
Azure Application Modernization
Karina Matos
504 views
Secured APIM-as-a-Service
NGINX, Inc.
130 views
The Advent of Serverless Technologies
Cloudflare
1.5k views
Dev ops for mainframe innovate session 2402
Rosalind Radcliffe
1.4k views
Cloud Native Ninja - kickoff.pdf
Nilesh Gule
12 views
Ms.azure in detail
Neethu Kuruvilla
206 views
Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
DevOps.com
415 views
37 slides
Application Darwinism: Why Most Enterprise Apps Will Move to the Cloud (SVC20...
Amazon Web Services
1.4k views
32 slides
How to go from waterfall app dev to secure agile development in 2 weeks
Ulf Mattsson
44 views
61 slides
Microservices
AxEdge Consulting
50 views
16 slides
2022: 6 Cloud-Native App Development Trends to Transform Your Business
WeCode Inc
7 views
17 slides
Diving Into Docker
XebiaLabs
817 views
38 slides

Recently uploaded (20)

How to assess value add of blockchain technology?
Koen Vingerhoets
0 views
Comparison Chat of PTFE By Rohit Damodaran
Rohit Damodaran
0 views
Operation Technology.docx
MuhammadKhalil502533
0 views
GDG Cloud Southlake #20:Stefano Doni: Kubernetes performance tuning dilemma: ...
James Anderson
0 views
Best Web Development Languages To Learn in 2023
Infowind Technologies (IT) Pvt Ltd
0 views
Presentation on Email phishing.pptx
AbdulHaseebKhan34
0 views
BA and data visualization.pdf
ssuser6aa125
0 views
Learn How to Turbocharge Your AI/ML Data Workflows with Data Enrichment
Precisely
0 views
Pervasive Computing Technology.docx
MuhammadKhalil502533
0 views
EOSC Association priorities and activities
Sarah Jones
0 views
shortcircuittemperature rating By Rohit Damodaran
Rohit Damodaran
0 views
Dell APEX Private Cloud can provide faster application response times in a VD...
Principled Technologies
0 views
Transcript: New from BookNet Canada for 2022: Loan Stars - Tech Forum 2023
BookNet Canada
0 views
Best Web Development Languages To Learn in 2023
Infowind Technologies (IT) Pvt Ltd
0 views
PTZOptics - 2023 Presentation.pdf
Paul Richards
0 views
Capacitance Calculation By Rohit Damodaran
Rohit Damodaran
0 views
Q2.pdf
Diego Armando Guzmán
0 views
Medical Oxygen Plant.pdf
MedicalOxygenPlant
0 views
TADIOSG_DMZ.pptx
GodwinTadios
0 views
TM Forum Open APIs: Enabling A Zero Intergration API economy.pdf
JuanLungA
0 views
How to assess value add of blockchain technology?
Koen Vingerhoets
0 views
20 slides
Comparison Chat of PTFE By Rohit Damodaran
Rohit Damodaran
0 views
2 slides
Operation Technology.docx
MuhammadKhalil502533
0 views
3 slides
GDG Cloud Southlake #20:Stefano Doni: Kubernetes performance tuning dilemma: ...
James Anderson
0 views
31 slides
Best Web Development Languages To Learn in 2023
Infowind Technologies (IT) Pvt Ltd
0 views
9 slides
Presentation on Email phishing.pptx
AbdulHaseebKhan34
0 views
31 slides
Advertisement

Using Cloud to Improve AppSec

  1. 1. Using the Cloud to Improve AppSec Phillip Marlow SANS CloudSecNext Summit 2021 Approved for Public Release; Distribution Unlimited. Case Number 21-1574
  2. 2. Disclaimers Approved for Public Release; Distribution Unlimited. Case Number 21-1574 ©2021 The MITRE Corporation. ALL RIGHTS RESERVED. The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author.
  3. 3. Too Long; Didn’t Listen • Designing applications and services for the cloud helps achieve security improvements – even if the application is never deployed to the cloud • This makes applications more resilient against technical and environmental failures as well as attacks • It also improves the business’ ability to deliver on their mission
  4. 4. > iam list-roles • Developer • Systems Engineer • DevOps Engineer • Cloud Engineer • Security Engineer • Advisor • Manager • Architect • Hacker • Builder of Things
  5. 5. Why AppSec? • Everything is an application • Applications are core to the business, so their security should be too • Bad application security beats good add-on defenses
  6. 6. Typical Application Promotion Process Development.env Test.env Production.env Application v1.0 Application v1.0 Application v1.0
  7. 7. Application Development Process Development Test Production Application v1.0-katherine Application v1.0-jenny Application v1.1 Application v1.0-katherine Application v1.0-jenny Application v1.1 Application v1.1
  8. 8. Mature Application Deployment Process Development Test Production Application v1.0-katherine Application v1.0-jenny Application v1.1 Application v1.0-katherine Application v1.0-jenny Application v1.1 – instance 1 Application v1.1 Application v1.1 – instance N Test App2 v2.1 App2 v2.1 App2 v2.1
  9. 9. The Big Problem • Can multiple versions of an application be hosted in each environment? • This design creates choke points on work at each environment
  10. 10. Designing for the Cloud is Better • The Twelve-Factor App, developed by Adam Wiggins & Heroku • https://12factor.net/ Apps that: • Use declarative formats for setup automation, to minimize time and cost for new developers joining the project; • Have a clean contract with the underlying operating system, offering maximum portability between execution environments; • Are suitable for deployment on modern cloud platforms, obviating the need for servers and systems administration; • Minimize divergence between development and production, enabling continuous deployment for maximum agility; • And can scale up without significant changes to tooling, architecture, or development practices.
  11. 11. Twelve-Factor Alternatives • Microservices Reference Architecture from NGINX • https://www.nginx.com/blog/introducing-the-nginx- microservices-reference-architecture/ • Beyond the Twelve-Factor App by Kevin Hoffman • https://www.oreilly.com/library/view/beyond-the-twelve- factor/9781492042631/
  12. 12. I. Codebase • Partially solves the big problem of multiple deploys in an environment One codebase tracked in revision control, many deploys
  13. 13. II. Dependencies • Known dependencies are a start to supply chain risk management • No reliance on dependencies installed in the deployment environment makes it possible to scale the number of deployments and environments as needed Explicitly declare and isolate dependencies
  14. 14. X. Dev/Prod Parity • Independent tests results are applicable to the final deployment Keep development, staging, and production as similar as possible
  15. 15. XI. Logs • Integrate with cloud logging (e.g., CloudWatch) and SIEMs Treat logs as event streams
  16. 16. XII. Admin Processes • Reduced attack surface • Easier to monitor these risky events Run admin/management tasks as one-off processes
  17. 17. Wins • Tests can be run simultaneously AND independently • It’s easy to add another instance of an app or a whole environment • Applications are designed for easy integration with other tools, including cloud security platforms • Common operational patterns can be used to make the application more resilient against a variety of failures and attacks
  18. 18. Thank You! Phillip Marlow @wolramp

×