Security is a tricky field – as developers, it doesn’t seem to matter how the software is designed. There’s always someone able to hack it. But as it turns out, software design can bring security benefits. Often when we hear the word ‘cloud’ we think it’s insecure, but in this talk you’ll learn how design patterns based on concepts such as 12-factor and cloud native apps not only yield great software, but also bring security benefits as an implicit side effect. These design patterns are applicable to legacy as well as green-field development, and regardless if you are running in the cloud or on-premise, you still get the same security benefits. And on top of this, you’ll see how it all comes together to create the foundation of modern software security – software that is secure by design. -------------- This presentation was presented by Daniel Deogun and Daniel Sawano

1. @DanielDeogun @DanielSawano#DevoxxPL
Platinum Sponsor:
Creating Secure Software
Benefits from Cloud Thinking
Daniel Deogun & Daniel Sawano

2. @DanielDeogun @DanielSawano#DevoxxPL
Daniel Deogun Daniel Sawano

3. @DanielDeogun @DanielSawano#DevoxxPL
Security benefits from cloud thinking?

4. @DanielDeogun @DanielSawano#DevoxxPL
Cloud concepts
• Codebase
One codebase tracked in revision control, many deploys
• Dependencies
Explicitly declare and isolate dependencies
• Config
Store configuration in the environment
• Backing services
Treat backing services as attached resources
• Build, release, run
Strictly separate build and run stages
• Processes
Execute the app as one or more stateless processes
• Port binding
Export services via port binding
• Concurrency
Scale out via the process model
• Disposability
Maximize robustness with fast startup and graceful shutdown
• Dev/prod parity
Keep development, staging, and production as similar as possible
• Logs
Treat logs as event streams
• Admin processes
Run admin/management tasks as one-off processes
Twelve-factor app
https://12factor.net
A cloud-native application is an application that has been
designed and implemented to run on a Platform-as-a-Service
installation and to embrace horizontal elastic scaling.
Cloud-native
Kevin Hoffman, Beyond the Twelve-Factor App

5. @DanielDeogun @DanielSawano#DevoxxPL
What we’ll cover today
• Configuration
• Separate processes
• Logging
• The three R’s of enterprise security

6. @DanielDeogun @DanielSawano#DevoxxPL
Configuration
“Store configuration in the environment”

7. @DanielDeogun @DanielSawano#DevoxxPL
Configuration
public class ServiceConfiguration {
private static final int PORT_NUMBER = 1023;
private static final Duration CONNECTION_TIMEOUT = ofSeconds(5);
// ...
}
Configuration in code

8. @DanielDeogun @DanielSawano#DevoxxPL
Configuration
public class ServiceConfiguration {
private static final int PORT_NUMBER = 1023;
private static final Duration CONNECTION_TIMEOUT = ofSeconds(5);
private static final String USERNAME = “client-app”;
private static final String PASSWORD = "yC6@SX5O";
// ...
}
Configuration in code

9. @DanielDeogun @DanielSawano#DevoxxPL
Configuration
Configuration in code — challenges
• Anyone with access to the code can read the secrets
• No audit trail

10. @DanielDeogun @DanielSawano#DevoxxPL
Configuration
environments:
dev:
service:
port: 2864
connection-timeout: 5000
username: dev-client-app
password: spring2019
prod:
service:
port: 1023
connection-timeout: 1000
username: client-app
password: yC6@SX5O
Configuration in
resource files

11. @DanielDeogun @DanielSawano#DevoxxPL
Configuration
Configuration in resource files — challenges
• Anyone with access to the conf can read the secrets
• No, or very limited, audit trail
• Encrypting values creates new problems

12. @DanielDeogun @DanielSawano#DevoxxPL
Configuration
environment
port=1023
username=client-app
password=yC6@SX5O
Application
injected by
platform
Configuration in
the environment

13. @DanielDeogun @DanielSawano#DevoxxPL
Configuration
Configuration in the environment - solved security challenges
• Audit trail
Responsibility put on the platform. Some aspects can be solved with IAM.
• Sharing secrets
Minimized. Only managed by platform admins.
• Encryption
Not completely solved. Can be solved with ephemeral secrets.

14. @DanielDeogun @DanielSawano#DevoxxPL
What we’ll cover today
✓ Configuration
• Separate processes
• Logging
• The three R’s of enterprise security

15. @DanielDeogun @DanielSawano#DevoxxPL
Separate processes
Run apps as separate stateless processes

16. @DanielDeogun @DanielSawano#DevoxxPL
Separate processes
• Run the app as multiple stateless processes
• Separate the deployment and running of the application
• Only communicate via backing services

17. @DanielDeogun @DanielSawano#DevoxxPL
Separate processes
Run the app as multiple stateless processes
• Security benefit: increased availability and integrity

18. @DanielDeogun @DanielSawano#DevoxxPL
CIA
• Confidentiality — data must only be disclosed to authorized users
• Integrity — data modification is only allowed in an authorized manner
• Availability — data must be available when needed

19. @DanielDeogun @DanielSawano#DevoxxPL
Separate processes
Run the app as multiple stateless processes
• Security benefit: increased availability and integrity

20. @DanielDeogun @DanielSawano#DevoxxPL
Separate processes
Separate the deployment and running of the application
• Security benefit: principle of least privilege

21. @DanielDeogun @DanielSawano#DevoxxPL
Separate processes
Only communicate via backing services
• Security benefit: improves availability and integrity by allowing
apps to be stateless

22. @DanielDeogun @DanielSawano#DevoxxPL
What we’ll cover today
✓ Configuration
✓ Separate processes
• Logging
• The three R’s of enterprise security

23. @DanielDeogun @DanielSawano#DevoxxPL
Logging
Use logging as a service

24. @DanielDeogun @DanielSawano#DevoxxPL
Logging
Logging to disk - challenges
• Confidentiality
• May contain sensitive information
• Hard to control access
• Hard to get a good audit trail
• Hard prevent illegal access

25. @DanielDeogun @DanielSawano#DevoxxPL
Logging
Logging to disk - challenges
• Integrity
• Maintaining integrity often overlooked
• Write access to log files usually not restricted or audited

26. @DanielDeogun @DanielSawano#DevoxxPL
Logging
Logging to disk - challenges
• Availability
• Log files are lost when servers are replaced
• Disk space runs out

27. @DanielDeogun @DanielSawano#DevoxxPL
Logging
Logging as a service
Application
Log service

28. @DanielDeogun @DanielSawano#DevoxxPL
Logging
Logging as a service - solved security challenges
• Confidentiality
Easy to restrict access and prevent illegal access.
Audit trail.
• Integrity
Mutating operations not exposed/implemented.
Can even digitally sign log events
• Availability
Log storage is handled explicitly so no log files can go missing
Storage is a primary concern so no accidental shortage of disk space.

29. @DanielDeogun @DanielSawano#DevoxxPL
What we’ll cover today
✓ Configuration
✓ Separate processes
✓ Logging
• The three R’s of enterprise security

30. @DanielDeogun @DanielSawano#DevoxxPL
The three R’s
The three R’s of enterprise security
Justin Smith, 2016

31. @DanielDeogun @DanielSawano#DevoxxPL
The three R’s
The three R’s of enterprise security
• Rotate
Rotate secrets every few minutes or hours
• Repave
Repave servers and applications every few hours
• Repair
Repair vulnerable software a few hours after patch is available

32. @DanielDeogun @DanielSawano#DevoxxPL
The three R’s
Increase change to reduce risk

33. @DanielDeogun @DanielSawano#DevoxxPL
The three R’s
Rotate secrets every few minutes or hours
environment
password=yC6@SX5O
certificate=xyz
Applicationephemeral secrets
injected by platform

34. @DanielDeogun @DanielSawano#DevoxxPL
The three R’s
Rotate secrets every few minutes or hours
password=yC6@SX5O
Application
password?
Secret
Service

35. @DanielDeogun @DanielSawano#DevoxxPL
The three R’s
• Passwords
• Certificates
• Access tokens
• …
Rotate secrets every few minutes or hours

36. @DanielDeogun @DanielSawano#DevoxxPL
The three R’s
Repave servers and applications every few hours
• Recreate servers and apps from a know good state
• Use rolling deployments to eliminate downtime
• Burn old instances to the ground
• If running containers, consider also repaving the host

37. @DanielDeogun @DanielSawano#DevoxxPL
The three R’s
• Applies to both operating systems and applications
• No incremental updates, repave instead
Repair vulnerable software a few hours after patch is available

38. @DanielDeogun @DanielSawano#DevoxxPL
The three R’s
Repair vulnerable software a few hours after patch is available
Patch
available
New known
good state
Repave

39. @DanielDeogun @DanielSawano#DevoxxPL
The three R’s
• Applies to both operating systems and your own applications
• No incremental updates, repave instead
• CI/CD enables you to repair your own applications
• Don’t forget 3rd party dependencies
Repair vulnerable software a few hours after patch is available

40. @DanielDeogun @DanielSawano#DevoxxPL
The three R’s
Ever-changing software is the nemesis
of persistent threats

41. @DanielDeogun @DanielSawano#DevoxxPL
Summary
✓ Configuration
✓ Separate processes
✓ Logging
✓ The three R’s of enterprise security

42. @DanielDeogun @DanielSawano#DevoxxPL
bit.ly/secure-by-design
Manning Publication
40% discount
ctwdevoxxpl18

43. @DanielDeogun @DanielSawano#DevoxxPL
Q&A
[2]
40% discount
ctwdevoxxpl18
bit.ly/secure-by-design

44. @DanielDeogun @DanielSawano#DevoxxPL
Thanks!