Julie Tsai, profile picture
Uploaded byJulie Tsai
PPTX, PDF121 views

API Security: Assume Possible Interference

The document discusses security best practices for APIs and containers. It recommends establishing guardrails for authentication, data lifecycle, integration, deployment, changes, and testing. Guidelines should allow flexibility in tools and methods while ensuring consistency. Security must be integrated throughout the development process, and anomalies should be monitored to detect issues. While new technologies enable agility, responsibility is needed to ensure security is not compromised.

Embed presentation

Download to read offline
#RSAC SESSION ID: API Security: Assume Possible Interference ______ASD-R11___ Cybersecurity Leader & Advisor Julie Tsai
#RSAC A Protocol? 2 A FRAMEWORK FOR INTERACTION, EXCHANGING DATA AND SERVICES APIs - Application Programming Interfaces: How the 2019 World Wide Web Communicates
#RSAC Like Hilde 3 WHO WHAT WHERE WHEN WHY HOW Be a Journalist to Secure APIs
#RSAC 4 WHO WHAT WHERE WHEN WHY HOW Specifically… => aka AuthN (Authentication) via AuthID => aka AuthZ (Authorization) via OAuth => Are Sessions, Keys, Tokens Stored? => Does Access and Data Expire? => Our Purpose for Accessing This Data Least-Privilege, Explicit Trust, Implicit Deny
#RSAC 360-View on Exploitability 5 Do the services interact in a way that creates the least astonishment? Is the lifecycle and travel path of the data known? Is the data forgotten after use? Can this be proven? What if authorization models for different services get mixed? To different users, with different privileges?
#RSAC 6 PHOTO TITLE Wait, didn’t containers and service isolation solve this?
#RSAC B U T A P I I S J U S T T H E B E G I N N I N G … 7 There’s still some stuff beneath the hood
#RSAC 8 L 1 . P H Y S I C A L L 2 . D A T A L I N K L 3 . N E T W O R K L 4 . T R A N S P O R T L 5 . S E S S I O N L 6 . P R E S E N T A T I O N L 7 . A P P L I C A T I O N 8 ? E C O N O M I C 9 ? P O L I T I C A L 1 0 ? R E L I G I O U S Defense-in-Depth Matters S E C U R I T Y I S F U L L - S T A C K O S I P R O B L E M - L A Y E R S 1 - 7 , 8 , 9 … 1 0
#RSAC 9 Defense-in-Depth Matters What could happen?! L 1 . P H Y S I C A L - I N T R U D E R P L U G S I N C O N S O L E I R L L 2 . D A T A L I N K - P I N E A P P L E W I F I L 3 . N E T W O R K - C O M P R O M I S E D T R U S T E D I P L 4 . T R A N S P O R T - U D P D N S R E F L E C T I O N L 5 . S E S S I O N - C L E A R T E X T C O M M S C O M P R O M I S E D L 6 . P R E S E N T A T I O N - S S L W E A K C I P H E R / M I T M L 7 . A P P - C O D E A L L O W S W R O N G A C C E S S L 8 . E C O N O M I C - U N D E R R E S O U R C E D L 9 . P O L I T I C A L - M I S A L I G N M E N T S L 1 0 . R E L I G I O U S - L E A P S O F F A I T H + F U D
S H I F T L E F T & S H I F T R I G H T Upstream Secure Containers & End-State Monitoring
#RSAC Containers and Chroot Jails: Classic Tune, New Words 11 Dedicated namespaces and resources. Process isolation. Ephemerality. But shared kernel. Example threat model - https://www.twistlock.com/2016/12/06/protecting- containerized-apps/: Malicious container attacks underlying OS or other containers
#RSAC 12 (Skipping the pets - you know why you shouldn’t make pets) Container SRC as Workhorses, Not Just Cattle
#RSAC 13 Workhorse & Cattle Lifecycle 1. Born Instance created 2. Eat/Sleep Powered but no new changes to instance, or updates to image 3. Expire When deprecated or compromised/vuln erable, instance terminated with no feedback Container Lifecycle: Cattle v. Workhorse 1. Born Instance created 2. Trained Secured configs/images 3. Updated Config & Repos continuously updated 4. Corral Use cgroups to authorize. System calls whitelists. 5. Maintain or Expire Maintain by chef/puppet/cfeng ine/ansible/salt etc. Or expire.
#RSAC Container SRC as Workhorses, not Just Cattle (Skipping the pets - you know why you shouldn’t make pets) 14 Container images must be maintained, not just fire and forget or expiraton. Expiring the compromised container or service (i.e. shooting the cattle) only solves once. But the herd needs to be inoculated – to evolve – beyond issues to prevent recurrence. Or, think of baking a cake vs. stir-frying*. * C R E D I T ~ D A L V E S . —> So what? Well, upstream learned remediation drives down Rate of Defect Recurrence! In practical terms, you note and track the vuln, and incorporate the fix in the Dockerfile (or source code or secure patch repo) in source-controlled, change-managed config. So it scales beyond that one image. Example https://engineering.salesforce.com/open-sourcing-dockerfile-image-update- 6400121c1a75
#RSAC Workhorse Communication: Service Mesh 15 From https://dotnetvibes.com/2018/07/23/sidecar-design-pattern-in-your-microservices-ecosystem/
#RSAC Less Is More in Containers W H A T ’ S A H A R D E N E D C O N T A I N E R ? 16 L E T ’ S W A L K T H R O U G H T H I S : 1. strip down packages, especially easily exploitable ones useful to hackers (telnet, ftp, make, gdb, nmap, strace, legacy daemons) 2. minimize host/network services and daemons 3. ssh and account enforcement 4. logs 5. key file/config alerting 6. vulns + patching scanning 7. and… scrap anything in there you don’t need.
#RSAC Monitoring the End-State Abuse, Anomalies, and Access 17 What’s Normal? Anomalies in conjunction tell the story. We don’t know - and can’t comprehensively predict - what we don’t know. Root cause and security incidents don’t present themselves as such upfront. What to do? Flag + Correlate for simple indicators of what shouldn’t be happening. i.e. Resources volume or ways that shouldn’t be used. Things that shouldn’t be accessed. Non-cyclical transaction trends.
#RSAC Post-Flight Gut-Check DevSecOps A K A A R E W E S E C - I N G A N D O P S - I N G W I T H O U R D E V - I N G ? 18 1. Security, Compliance, Privacy When are your S-C-P pros leveraged in the process for the product? Customer development, inception or design, dev or testing, alpha – or when an “event” happens? 2. Uptime and Performance Do we truly know it better than our end-users? 3. Scale Complexity and Change Is there the necessary speed in deployments/change across all of your teams? Can you accommodate (or tolerate) diverse deployment & build methods across teams? Do you get the same level of visibility, health, and security from each of them?
T H E R I G H T A M O U N T O F S T R U C T U R E Guidelines & Guardrails
#RSAC 20 The Right Amount of Structure The Right Amount of Structure - a Score
#RSAC Where To Use Guardrails 1 21 1. AuthN/AuthZ (AutheNtication/AuthoriZation)
#RSAC Where To Use Guardrails 2 22 1. AuthN/AuthZ 2. Lifecycle of the Data
#RSAC Where To Use Guardrails 3 23 1. AuthN/AuthZ 2. Lifecycle of the Data 3. Build Integration
#RSAC Where To Use Guardrails 4 24 1. AuthN/AuthZ 2. Lifecycle of the Data 3. Build Integration 4. Production Deployment
#RSAC Where To Use Guardrails 5 25 1. AuthN/AuthZ 2. Lifecycle of the Data 3. Build Integration 4. Production Deployment 5. Change - Code, Configs, Dependencies
#RSAC Where To Use Guardrails 6 26 1. AuthN/AuthZ 2. Lifecycle of the Data 3. Build Integration 4. Production Deployment 5. Change - Code, Configs, Dependencies 6. Regression Test - Catch the Ripple
#RSAC Where To Use Guardrails 7 27 1. AuthN/AuthZ 2. Lifecycle of the Data 3. Build Integration 4. Production Deployment 5. Change - Code, Configs, Dependencies 6. Regression Test - Catch the Ripple 7. Security & Compliance Requirements
#RSAC Where To Use Guidelines 1 … W I T H I N T E R N A L C O N S I S T E N C Y I N R E L E V A N T S C O P E 28 1. Develop/Build in the OS/Language You Will
#RSAC Where To Use Guidelines 2 … W I T H I N T E R N A L C O N S I S T E N C Y I N R E L E V A N T S C O P E 29 1. Develop/Build in the OS/Language You Will 2. Use the Tools That Work for You, without Significantly Hampering Others
#RSAC Where To Use Guidelines 3 … W I T H I N T E R N A L C O N S I S T E N C Y I N R E L E V A N T S C O P E 30 1. Develop/Build in the OS/Language You Will 2. Use the Tools That Work for You, without Significantly Hampering Others 3. Deployment Methods. CI/CD Innovation. Private or Public Cloud. Bare Metal. Multi-cloud or Single.
#RSAC Where To Use Guidelines 4 … W I T H I N T E R N A L C O N S I S T E N C Y I N R E L E V A N T S C O P E 31 1. Develop/Build in the OS/Language You Will 2. Use the Tools That Work for You, without Significantly Hampering Others 3. Deployment Methods. CI/CD Innovation. Private or Public Cloud. Bare Metal. Multi-cloud or Single. 4. How DevSecOps Manifests in Your Org
#RSAC Where To Use Guidelines 5 … W I T H I N T E R N A L C O N S I S T E N C Y I N R E L E V A N T S C O P E 32 1. Develop/Build in the OS/Language You Will 2. Use the Tools That Work for You, without Significantly Hampering Others 3. Deployment Methods. CI/CD Innovation. Private or Public Cloud. Bare Metal. Multi-cloud or Single. 4. How DevSecOps Manifests in Your Org 5. Culture — Congruence of the Walk with the Talk
#RSAC Are We There Yet? 33 From monolith to microservices… Decoupling dependencies… Agile, independent teams… Continuous Deployment of epheremal containers… Open, networked world…
#RSAC Are We There Yet? 34 …with Great Power Comes Great Responsibility.
#RSAC References & Image Credits 35

More Related Content

PDF
Fighting malware - keeping your Intellectual Property safe
byPrayukth K V
 
ODP
Super Effective Denial of Service Attacks
byJan Seidl
 
PDF
Make it Fixable (CppCon 2018)
byPatricia Aas
 
PDF
How nation-states and criminal syndicates use exploits to bypass security
byPriyanka Aash
 
PDF
Aspirin as a Service: Using the Cloud to Cure Security Headaches
byPriyanka Aash
 
PDF
Red team-view-gaps-in-the-serverless-application-attack-surface
byPriyanka Aash
 
PDF
Dos and Don'ts of DevSecOps
byPriyanka Aash
 
PPTX
Cloud Security Essentials 2.0 at RSA
byShannon Lietz
 
Fighting malware - keeping your Intellectual Property safe
byPrayukth K V
 
Super Effective Denial of Service Attacks
byJan Seidl
 
Make it Fixable (CppCon 2018)
byPatricia Aas
 
How nation-states and criminal syndicates use exploits to bypass security
byPriyanka Aash
 
Aspirin as a Service: Using the Cloud to Cure Security Headaches
byPriyanka Aash
 
Red team-view-gaps-in-the-serverless-application-attack-surface
byPriyanka Aash
 
Dos and Don'ts of DevSecOps
byPriyanka Aash
 
Cloud Security Essentials 2.0 at RSA
byShannon Lietz
 

Similar to API Security: Assume Possible Interference

PDF
Cloud security : Automate or die
byPriyanka Aash
 
PDF
Building and Adopting a Cloud-Native Security Program
byPriyanka Aash
 
PDF
RSA 2015 Realities of Private Cloud Security
byScott Carlson
 
PDF
Practical appsec lessons learned in the age of agile and DevOps
byPriyanka Aash
 
PDF
Humans and Data Don’t Mix: Best Practices to Secure Your Cloud
byPriyanka Aash
 
PDF
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
byPriyanka Aash
 
PDF
Secure Cloud Development Resources with DevOps
byCloudPassage
 
PDF
The Future of DevSecOps
byStefan Streichsbier
 
PDF
DevSecOps in Baby Steps
byPriyanka Aash
 
PDF
DevSecOps in Baby Steps
byPriyanka Aash
 
PPTX
Building an Enterprise-scale DevSecOps Infrastructure: Lessons Learned
byPrateek Mishra
 
PDF
Open Source in Security-Critical Environments
byPriyanka Aash
 
PDF
Open source-in-security-critical-environments
byDESMOND YUEN
 
PDF
A Pragmatic Union: Security and SRE
byJames Wickett
 
PDF
Introducing a Security Program to Large Scale Legacy Products
byPriyanka Aash
 
PDF
Pragmatic Security Automation for Cloud
byPriyanka Aash
 
PPTX
Cybersecurity model and top cloud security controls for product development e...
byJames DeLuccia IV
 
PPTX
Practical Approaches to Cloud Native Security
byKarthik Gaekwad
 
PDF
Collaborative security : Securing open source software
byPriyanka Aash
 
PDF
2024_USA24_CLS-W08_01_Breaking-the-Cloud-to-Rebuild-it-A-Tale-of-3-☁️-Breache...
byArvind Yadav
 
Cloud security : Automate or die
byPriyanka Aash
 
Building and Adopting a Cloud-Native Security Program
byPriyanka Aash
 
RSA 2015 Realities of Private Cloud Security
byScott Carlson
 
Practical appsec lessons learned in the age of agile and DevOps
byPriyanka Aash
 
Humans and Data Don’t Mix: Best Practices to Secure Your Cloud
byPriyanka Aash
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
byPriyanka Aash
 
Secure Cloud Development Resources with DevOps
byCloudPassage
 
The Future of DevSecOps
byStefan Streichsbier
 
DevSecOps in Baby Steps
byPriyanka Aash
 
DevSecOps in Baby Steps
byPriyanka Aash
 
Building an Enterprise-scale DevSecOps Infrastructure: Lessons Learned
byPrateek Mishra
 
Open Source in Security-Critical Environments
byPriyanka Aash
 
Open source-in-security-critical-environments
byDESMOND YUEN
 
A Pragmatic Union: Security and SRE
byJames Wickett
 
Introducing a Security Program to Large Scale Legacy Products
byPriyanka Aash
 
Pragmatic Security Automation for Cloud
byPriyanka Aash
 
Cybersecurity model and top cloud security controls for product development e...
byJames DeLuccia IV
 
Practical Approaches to Cloud Native Security
byKarthik Gaekwad
 
Collaborative security : Securing open source software
byPriyanka Aash
 
2024_USA24_CLS-W08_01_Breaking-the-Cloud-to-Rebuild-it-A-Tale-of-3-☁️-Breache...
byArvind Yadav
 

More from Julie Tsai

PPTX
pbc_devsecops_eastereggs.2022oct06.jt.pptx
byJulie Tsai
 
PPTX
Building Towards the New Security & Privacy Landscape: Where Do We Go From Here?
byJulie Tsai
 
PPTX
Everything you know is wrong: How Computer-Ing While Leading People Will Be Y...
byJulie Tsai
 
PPTX
Carrot hammer olivebranch.devopseast.20.2019nov08
byJulie Tsai
 
PPTX
Build It and They Will Come-Pliant
byJulie Tsai
 
PPTX
Why the org_matters_shorter.jzt.2018sept25
byJulie Tsai
 
PPTX
Dev ops and_infrastructure_immunology_v0.4
byJulie Tsai
 
PDF
Puppet HackDay/BarCamp New Delhi Exercises
byJulie Tsai
 
PPT
Automate your systems with puppet, and change your life
byJulie Tsai
 
pbc_devsecops_eastereggs.2022oct06.jt.pptx
byJulie Tsai
 
Building Towards the New Security & Privacy Landscape: Where Do We Go From Here?
byJulie Tsai
 
Everything you know is wrong: How Computer-Ing While Leading People Will Be Y...
byJulie Tsai
 
Carrot hammer olivebranch.devopseast.20.2019nov08
byJulie Tsai
 
Build It and They Will Come-Pliant
byJulie Tsai
 
Why the org_matters_shorter.jzt.2018sept25
byJulie Tsai
 
Dev ops and_infrastructure_immunology_v0.4
byJulie Tsai
 
Puppet HackDay/BarCamp New Delhi Exercises
byJulie Tsai
 
Automate your systems with puppet, and change your life
byJulie Tsai
 

Recently uploaded

PPTX
Cyber security chapter 1 for learning and educating to the students who want ...
byGulMohammadi
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PDF
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
PDF
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PDF
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
PDF
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PDF
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
PPTX
Career-Opportunities in Industrial Arts Grade 8 PPT Lesson 2
byFSBTLEDNathanVince
 
PDF
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
PDF
Agentic AI with Google ADK GDG On Campus Netaji Subhash Engineering College
bydscnsecorg
 
PDF
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
 
PDF
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
PPTX
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
PDF
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
PDF
January 2026 OpenMetadata Community Spotlight - OpenMetadata @ Wix.pdf
byOpenMetadata
 
Cyber security chapter 1 for learning and educating to the students who want ...
byGulMohammadi
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
Career-Opportunities in Industrial Arts Grade 8 PPT Lesson 2
byFSBTLEDNathanVince
 
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
Agentic AI with Google ADK GDG On Campus Netaji Subhash Engineering College
bydscnsecorg
 
CI CD Observability, Metrics and DORA - Shifting Left and Cleaning Up! - Febr...
byPeter Souter
 
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
January 2026 OpenMetadata Community Spotlight - OpenMetadata @ Wix.pdf
byOpenMetadata
 

API Security: Assume Possible Interference

  • 1.
    #RSAC SESSION ID: API Security: AssumePossible Interference ______ASD-R11___ Cybersecurity Leader & Advisor Julie Tsai
  • 2.
    #RSAC A Protocol? 2 A FRAMEWORKFOR INTERACTION, EXCHANGING DATA AND SERVICES APIs - Application Programming Interfaces: How the 2019 World Wide Web Communicates
  • 3.
  • 4.
    #RSAC 4 WHO WHAT WHERE WHEN WHY HOW Specifically… => aka AuthN(Authentication) via AuthID => aka AuthZ (Authorization) via OAuth => Are Sessions, Keys, Tokens Stored? => Does Access and Data Expire? => Our Purpose for Accessing This Data Least-Privilege, Explicit Trust, Implicit Deny
  • 5.
    #RSAC 360-View on Exploitability 5 Dothe services interact in a way that creates the least astonishment? Is the lifecycle and travel path of the data known? Is the data forgotten after use? Can this be proven? What if authorization models for different services get mixed? To different users, with different privileges?
  • 6.
    #RSAC 6 PHOTO TITLE Wait, didn’tcontainers and service isolation solve this?
  • 7.
    #RSAC B U TA P I I S J U S T T H E B E G I N N I N G … 7 There’s still some stuff beneath the hood
  • 8.
    #RSAC 8 L 1 .P H Y S I C A L L 2 . D A T A L I N K L 3 . N E T W O R K L 4 . T R A N S P O R T L 5 . S E S S I O N L 6 . P R E S E N T A T I O N L 7 . A P P L I C A T I O N 8 ? E C O N O M I C 9 ? P O L I T I C A L 1 0 ? R E L I G I O U S Defense-in-Depth Matters S E C U R I T Y I S F U L L - S T A C K O S I P R O B L E M - L A Y E R S 1 - 7 , 8 , 9 … 1 0
  • 9.
    #RSAC 9 Defense-in-Depth Matters What couldhappen?! L 1 . P H Y S I C A L - I N T R U D E R P L U G S I N C O N S O L E I R L L 2 . D A T A L I N K - P I N E A P P L E W I F I L 3 . N E T W O R K - C O M P R O M I S E D T R U S T E D I P L 4 . T R A N S P O R T - U D P D N S R E F L E C T I O N L 5 . S E S S I O N - C L E A R T E X T C O M M S C O M P R O M I S E D L 6 . P R E S E N T A T I O N - S S L W E A K C I P H E R / M I T M L 7 . A P P - C O D E A L L O W S W R O N G A C C E S S L 8 . E C O N O M I C - U N D E R R E S O U R C E D L 9 . P O L I T I C A L - M I S A L I G N M E N T S L 1 0 . R E L I G I O U S - L E A P S O F F A I T H + F U D
  • 10.
    S H IF T L E F T & S H I F T R I G H T Upstream Secure Containers & End-State Monitoring
  • 11.
    #RSAC Containers and ChrootJails: Classic Tune, New Words 11 Dedicated namespaces and resources. Process isolation. Ephemerality. But shared kernel. Example threat model - https://www.twistlock.com/2016/12/06/protecting- containerized-apps/: Malicious container attacks underlying OS or other containers
  • 12.
    #RSAC 12 (Skipping the pets- you know why you shouldn’t make pets) Container SRC as Workhorses, Not Just Cattle
  • 13.
    #RSAC 13 Workhorse & CattleLifecycle 1. Born Instance created 2. Eat/Sleep Powered but no new changes to instance, or updates to image 3. Expire When deprecated or compromised/vuln erable, instance terminated with no feedback Container Lifecycle: Cattle v. Workhorse 1. Born Instance created 2. Trained Secured configs/images 3. Updated Config & Repos continuously updated 4. Corral Use cgroups to authorize. System calls whitelists. 5. Maintain or Expire Maintain by chef/puppet/cfeng ine/ansible/salt etc. Or expire.
  • 14.
    #RSAC Container SRC asWorkhorses, not Just Cattle (Skipping the pets - you know why you shouldn’t make pets) 14 Container images must be maintained, not just fire and forget or expiraton. Expiring the compromised container or service (i.e. shooting the cattle) only solves once. But the herd needs to be inoculated – to evolve – beyond issues to prevent recurrence. Or, think of baking a cake vs. stir-frying*. * C R E D I T ~ D A L V E S . —> So what? Well, upstream learned remediation drives down Rate of Defect Recurrence! In practical terms, you note and track the vuln, and incorporate the fix in the Dockerfile (or source code or secure patch repo) in source-controlled, change-managed config. So it scales beyond that one image. Example https://engineering.salesforce.com/open-sourcing-dockerfile-image-update- 6400121c1a75
  • 15.
    #RSAC Workhorse Communication: ServiceMesh 15 From https://dotnetvibes.com/2018/07/23/sidecar-design-pattern-in-your-microservices-ecosystem/
  • 16.
    #RSAC Less Is Morein Containers W H A T ’ S A H A R D E N E D C O N T A I N E R ? 16 L E T ’ S W A L K T H R O U G H T H I S : 1. strip down packages, especially easily exploitable ones useful to hackers (telnet, ftp, make, gdb, nmap, strace, legacy daemons) 2. minimize host/network services and daemons 3. ssh and account enforcement 4. logs 5. key file/config alerting 6. vulns + patching scanning 7. and… scrap anything in there you don’t need.
  • 17.
    #RSAC Monitoring the End-State Abuse,Anomalies, and Access 17 What’s Normal? Anomalies in conjunction tell the story. We don’t know - and can’t comprehensively predict - what we don’t know. Root cause and security incidents don’t present themselves as such upfront. What to do? Flag + Correlate for simple indicators of what shouldn’t be happening. i.e. Resources volume or ways that shouldn’t be used. Things that shouldn’t be accessed. Non-cyclical transaction trends.
  • 18.
    #RSAC Post-Flight Gut-Check DevSecOps AK A A R E W E S E C - I N G A N D O P S - I N G W I T H O U R D E V - I N G ? 18 1. Security, Compliance, Privacy When are your S-C-P pros leveraged in the process for the product? Customer development, inception or design, dev or testing, alpha – or when an “event” happens? 2. Uptime and Performance Do we truly know it better than our end-users? 3. Scale Complexity and Change Is there the necessary speed in deployments/change across all of your teams? Can you accommodate (or tolerate) diverse deployment & build methods across teams? Do you get the same level of visibility, health, and security from each of them?
  • 19.
    T H ER I G H T A M O U N T O F S T R U C T U R E Guidelines & Guardrails
  • 20.
    #RSAC 20 The Right Amountof Structure The Right Amount of Structure - a Score
  • 21.
    #RSAC Where To UseGuardrails 1 21 1. AuthN/AuthZ (AutheNtication/AuthoriZation)
  • 22.
    #RSAC Where To UseGuardrails 2 22 1. AuthN/AuthZ 2. Lifecycle of the Data
  • 23.
    #RSAC Where To UseGuardrails 3 23 1. AuthN/AuthZ 2. Lifecycle of the Data 3. Build Integration
  • 24.
    #RSAC Where To UseGuardrails 4 24 1. AuthN/AuthZ 2. Lifecycle of the Data 3. Build Integration 4. Production Deployment
  • 25.
    #RSAC Where To UseGuardrails 5 25 1. AuthN/AuthZ 2. Lifecycle of the Data 3. Build Integration 4. Production Deployment 5. Change - Code, Configs, Dependencies
  • 26.
    #RSAC Where To UseGuardrails 6 26 1. AuthN/AuthZ 2. Lifecycle of the Data 3. Build Integration 4. Production Deployment 5. Change - Code, Configs, Dependencies 6. Regression Test - Catch the Ripple
  • 27.
    #RSAC Where To UseGuardrails 7 27 1. AuthN/AuthZ 2. Lifecycle of the Data 3. Build Integration 4. Production Deployment 5. Change - Code, Configs, Dependencies 6. Regression Test - Catch the Ripple 7. Security & Compliance Requirements
  • 28.
    #RSAC Where To UseGuidelines 1 … W I T H I N T E R N A L C O N S I S T E N C Y I N R E L E V A N T S C O P E 28 1. Develop/Build in the OS/Language You Will
  • 29.
    #RSAC Where To UseGuidelines 2 … W I T H I N T E R N A L C O N S I S T E N C Y I N R E L E V A N T S C O P E 29 1. Develop/Build in the OS/Language You Will 2. Use the Tools That Work for You, without Significantly Hampering Others
  • 30.
    #RSAC Where To UseGuidelines 3 … W I T H I N T E R N A L C O N S I S T E N C Y I N R E L E V A N T S C O P E 30 1. Develop/Build in the OS/Language You Will 2. Use the Tools That Work for You, without Significantly Hampering Others 3. Deployment Methods. CI/CD Innovation. Private or Public Cloud. Bare Metal. Multi-cloud or Single.
  • 31.
    #RSAC Where To UseGuidelines 4 … W I T H I N T E R N A L C O N S I S T E N C Y I N R E L E V A N T S C O P E 31 1. Develop/Build in the OS/Language You Will 2. Use the Tools That Work for You, without Significantly Hampering Others 3. Deployment Methods. CI/CD Innovation. Private or Public Cloud. Bare Metal. Multi-cloud or Single. 4. How DevSecOps Manifests in Your Org
  • 32.
    #RSAC Where To UseGuidelines 5 … W I T H I N T E R N A L C O N S I S T E N C Y I N R E L E V A N T S C O P E 32 1. Develop/Build in the OS/Language You Will 2. Use the Tools That Work for You, without Significantly Hampering Others 3. Deployment Methods. CI/CD Innovation. Private or Public Cloud. Bare Metal. Multi-cloud or Single. 4. How DevSecOps Manifests in Your Org 5. Culture — Congruence of the Walk with the Talk
  • 33.
    #RSAC Are We ThereYet? 33 From monolith to microservices… Decoupling dependencies… Agile, independent teams… Continuous Deployment of epheremal containers… Open, networked world…
  • 34.
    #RSAC Are We ThereYet? 34 …with Great Power Comes Great Responsibility.
  • 35.