How do you protect a hybrid PaaS-IaaS solution, built entirely in the cloud?

•Download as PPTX, PDF•

0 likes•133 views

Lorenzo Barbieri

Slides from the presentation I made during Global Azure Bootcamp 2018 in Zurich, about Azure Security

EVERYTHING STARTS WITH A “GOOD”
ARCHITECTURE
Web UI
Users
Photos URLs
RAW Photos
Thumbnails
Watermarking
Photo resize
RG for
- Dev-Test
- Production

1ST STRIKE
The case of
disappearing
resourcesAttack
one!
Destro
y ‘em
all!
Web UI
Users
Photos URLs
RAW Photos
Thumbnails
Watermarking
Photo resize
RG for
- Dev-Test
- Production

MITIGATION
Infrastructure as
Code:
• Script everything
• Backup everything
DevOps
Web UI
Users
Photos URLs
RAW Photos
Thumbnails
Watermarking
Photo resize
RG for
- Dev-Test
- Production

REMEDIATION
Subscription role
protection
o RBAC
Azure AD could be
protected with MFA
Web UI
Users
Photos URLs
RAW Photos
Thumbnails
Watermarking
Photo resize
RG for
- Dev-Test
- Production

2ND STRIKE
The case of
unexpected
load
Web UI
Users
Photos URLs
RAW Photos
Thumbnails
Watermarking
Photo resize
Attack
two…o…o…
oooo!
$$$
$RG for
- Dev-Test
- Production

MITIGATION
o Alert rules and
monitoring
o web.config based
IP restriction
o Functions in App
Service Plan
Web UI
Users
Photos URLs
RAW Photos
Thumbnails
Watermarking
Photo resize
+web.config
RG for
- Dev-Test
- Production

REMEDIATION
o Web App Firewall
o API Management
o <NEW> Azure
DDOS Protections
for VNET
Web UI
Users
Photos URLs
RAW Photos
Thumbnails
Watermarking
Photo resize
+web.config
RG for
- Dev-Test
- Production

3RD STRIKE
The case of
data and
storage loss
Web UI
Users
Photos URLs
RAW Photos
Thumbnails
Watermarking
Attack
three!
I know
your
secrets!
Photo resize
+web.config
RG for
- Dev-Test
- Production

MITIGATION
o Key rotation
o Least user
privilege (DB)
o Alert
Web UI
Users
Photos URLs
RAW Photos
Thumbnails
Watermarking
Photo resize
+web.config
RG for
- Dev-Test
- Production

REMEDIATION
o SQL DB Firewall
o VNET Storage
Web UI
Users
Photos URLs
+SQL DB Firewall
RAW Photos
Thumbnails
Watermarking
Photo resize
+web.config
o Handle Disconnect
RG for
- Dev-Test
- Production

4TH STRIKE
The case of
being Gitted
Web UI
Users
Photos URLs
+SQL DB Firewall
RAW Photos
Thumbnails
Watermarking
Fourth
Attack!
Keys
from the
octocat!
Photo resize
+web.config
RG for
- Dev-Test
- Production

REMEDIATION
o Move all the keys to
a secure path
o Use Team Build to set
them before
deployment
o Azure Key Vault
o Managed Service
Identity (preview)
Web UI
Users
Photos URLs
+SQL DB Firewall
RAW Photos
Thumbnails
Watermarking
Photo resize
+web.config
?
RG for
- Dev-Test
- Production

>_
SSH
5TH STRIKE
The case of
remote
connections
Web UI
Users
Photos URLs
+SQL DB Firewall
RAW Photos
Thumbnails
Watermarking
Remote
Attack!
Photo resize
+web.config
>_
SSH
RG for
- Dev-Test
- Production

REMEDIATION
o Network Security
Groups
Web UI
Users
Photos URLs
+SQL DB Firewall
RAW Photos
Thumbnails
Watermarking
Photo resize
+web.config
>_
SSH
RG for
- Dev-Test
- Production

A BETTER ARCHITECTURE
Web UI
Users
Photos URLs
+SQL DB Firewall
RAW Photos
Thumbnails
Watermarking
Photo resize
+web.config
RG for
- Dev-Test
- Production

RECAP – THE 7 GOLDEN RULES
• Script everything
• Backup everything
• Least user privilege
• Trust no one
• Monitor everything
• Assume cloud failure
• Protect your secrets

RESOURCES
• “Parts Unlimited” sample site with telemetry and fault injection:
– https://microsoft.github.io/PartsUnlimited/
• The “bible of Chaos Engineering”: http://principlesofchaos.org/
• Only for the “Brave”, Netflix Chaos Monkey integrated with Spinnaker:
https://github.com/Netflix/chaosmonkey
• Cloud Bedlam: https://github.com/GitTorre/CloudBedlamLinux/tree/dotnet-core

THANK YOU VERY MUCH!
• Feedbacks are important!
• Tweet: @_geniodelmale #GlobalAzure #AzureZurich
or send me an email 
lorenzo.barbieri@microsoft.com
@_geniodelmale

This document summarizes Microsoft Silverlight 2, a web application framework for building rich interactive applications. Key points include: - Silverlight 2 provides enhanced graphics, interactivity, and media capabilities compared to Silverlight 1. - It supports cross-platform delivery across browsers, operating systems, and devices. - Silverlight 2 allows for high-quality, low-cost media delivery with standards like VC-1 HD video and digital rights management. - It features a .NET runtime environment with support for multiple programming languages and rich frameworks for UI, data binding, networking, and more.

Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020

Matt Raible

Matt Raible compares the Java web frameworks Micronaut, Quarkus, and Spring Boot for building REST APIs. He demonstrates how to quickly get started with each framework, secure APIs with OAuth 2.1 and JWTs, build Docker images, and go native with GraalVM. Performance tests show Quarkus has the fastest startup time while Spring Boot has the largest community support in areas like Stack Overflow questions, GitHub stars, and jobs on Indeed.

Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...

Matt Raible

In this session, you'll learn about recommended patterns for securing your backend APIs, the infrastructure they run on, and your SPAs and mobile apps. The world is no longer a place where you just need to secure your apps’ UI. You need to pay attention to your dependency pipeline and open-source frameworks, too. Once you have the app built, with secure-by-design code, what about the cloud it runs on? Are the servers secure? What about the accounts you use to access them? If you lock all that sh*t down, how do you codify your solution so you can transport it cloud-to-cloud, or back to on-premises? This session will explore these concepts and many more! Delivered at JokerConf on October 28, 2021 at 11am MDT: https://jokerconf.com/en/talks/lock-that-sh*t-down-auth-security-patterns-for-apps-apis-and-infra/

Building Rich Applications with Appcelerator

Matt Raible

A First Look at Windows Presentation Foundation Everywhere (WPF/E): a Cross …

goodfriday

WPF/E is a cross platform runtime enabling a subset of Windows Presentation Foundation (WPF) XAML to reach beyond the latest Windows PC platforms. With WPF/E you'll be able to build rich, interactive experiences that run in major Web browsers on major platforms as well as on mobile devices. The combination of WPF/E and WPF will enable designers and developers to have a consistent development experience across smart clients, Web-based applications, and mobile devices. Join us to discuss the WPF/E feature set, targeted platforms and browsers, the developer experience, and to see a preview of the technology.

Seven Simple Reasons to Use AppFuse

Matt Raible

AppFuse is an open source project/application that uses best-of-breed Java open source tools to help you develop web applications quickly and efficiently. Not only does it provide documentation on how to develop light-weight POJO-based applications, it includes features that many applications need out-of-the-box: authentication and authorization, remember me, password hint, skinnability, file upload, Ajax libraries, signup and SSL switching. This is one of the main features in AppFuse that separates it from the other "CRUD Generation" frameworks like Ruby on Rails, Trails and Grails. AppFuse is already an application when you start using it, which means code examples are already in your project. Furthermore, because features already exist, the amount of boiler-plate code that most projects need will be eliminated. In this session, you will learn Seven Simple Reasons to Use AppFuse. If you don't use it to start your own projects, hopefully you will see that it provides much of the boiler-plate code that can be used in Java-based web applications. Since it's Apache Licensed, you're more than welcome to copy/paste any code from it into your own applications. Also see article published at: http://www.ibm.com/developerworks/java/library/j-appfuse/index.html

GROOVY ON GRAILS

ziyaaskerov

This document summarizes a presentation about the Grails framework. It discusses how Grails allows building modern Java web applications quickly using Groovy and conventions over configuration. Key features highlighted include GORM for object-relational mapping, GSP for views, and integration with Spring and other Java technologies. The document also provides overviews of Grails tags, plugins including Spring Security, and configuration options.

Microservices for the Masses with Spring Boot, JHipster, and JWT - J-Spring 2017

Matt Raible

Microservices are all the rage and being deployed by many Java Hipsters. If you’re working on a large team that needs different release cycles for product components, microservices can be a blessing. If you’re working at your VW Restoration Shop and running its online store with your own software, having five services to manage and deploy can be a real pain. Share your knowledge and experience about microservices in this informative and code-heavy talk. We’ll use JHipster (a Yeoman generator) to create Angular + Spring Boot apps on separate instances with a unified front-end. I’ll also show you options for securing your API gateway and individual applications using JWT. Docker, ELK, Spring Cloud, Okta; there will be plenty of interesting demos to see!

This document outlines Jenkins best practices, including using plugins to simplify the UI, manage configuration history, mask passwords, use folders to organize jobs, implement jobs with DSL for easier maintenance, run parallel tests with the multijob plugin, integrate branches with pretested integration, and implement pipelines for continuous integration with Jenkins 2.0. Advanced techniques include using Packer, Vagrant, Docker and load balancing for build slaves.

Playframework + Twitter Bootstrap

Kevingo Tsai

This document discusses Playframework, a Java web framework. It provides an overview of Playframework's features including being a full Java stack, RESTful and SEO friendly design, stateless architecture, and easy scalability. It also covers Playframework's project structure including the model, controller, and view layers. The document mentions Playframework works with common application servers and cloud hosting platforms. It also discusses using Twitter Bootstrap, a popular front-end framework for responsive design and UI components.

Microservices for the Masses with Spring Boot, JHipster, and JWT - Devoxx UK...

Matt Raible

Microservices are all the rage and being deployed by many Java Hipsters. If you’re working on a large team that needs different release cycles for product components, microservices can be a blessing. If you’re working at your VW Restoration Shop and running its online store with your own software, having five services to manage and deploy can be a real pain. Share your knowledge and experience about microservices in this informative and code-heavy talk. You'll see how to use JHipster (a Yeoman generator) to create Angular + Spring Boot apps on separate instances with a unified front-end. I’ll also show you options for securing your API gateway and individual applications using JWT. Heroku, Kubernetes, Docker, ELK, Spring Cloud, Okta; there will be plenty of interesting demos to see!

Jenkins Best Practices

Gergely Brautigam

This document discusses Jenkins best practices, including using plugins to simplify the UI, manage configuration history, rebuild jobs, and mask passwords. It also covers using folders to organize jobs by branch, the job DSL plugin to define jobs programmatically, and artifact repositories to share artifacts between Jenkins instances. More advanced topics include using the multijob plugin for parallel test runs, the pretested integration plugin for branch setup, and integrating pipelines in Jenkins 2.0. The document concludes with bonus techniques like provisioning build slaves with Packer/Vagrant/Docker and load balancing Jenkins slaves.

Choosing a Java Web Framework

Will Iverson

Mobile Development with Ionic, React Native, and JHipster - AllTheTalks 2020

Matt Raible

Mobile development offers a lot of options. To develop native apps, you can use Java or Kotlin on Android. On iOS, you can use Objective C or Swift. There are other options, too. You can build hybrid mobile apps and Progressive Web Apps (PWAs). Hybrid mobile apps are those created with web technologies (HTML, JavaScript, and CSS) that look like native apps. PWAs have the ability to work offline and act like mobile apps. In this talk, we'll explore a few different mobile technologies: Ionic 4 (with Angular), React Native, and PWAs. You'll walk away with knowledge of how to build mobile + Spring Boot apps in minutes with JHipster. * GitHub repo: https://github.com/mraible/mobile-jhipster * Demo script: https://github.com/mraible/mobile-jhipster/blob/master/demo.adoc

Frameworks in java

Darshan Patel

The document provides an overview of the Hibernate framework. It discusses some of the drawbacks of using JDBC for database access, such as needing to manually open and close connections. Hibernate aims to address these issues by providing object-relational mapping and allowing data to flow through an application as objects rather than being converted to text for storage. Some key advantages of Hibernate mentioned are that it supports inheritance, associations and collections, and allows saving derived class objects while also persisting base class data.

Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...

Matt Raible

Mobile development offers a lot of options. To develop native apps, you can use Java or Kotlin on Android. On iOS, you can use Objective C or Swift. There are other options, too. You can build hybrid mobile apps and Progressive Web Apps (PWAs). Hybrid mobile apps are those created with web technologies (HTML, JavaScript, and CSS) that look like native apps. PWAs have the ability to work offline and act like mobile apps. In this talk, we'll explore a few different mobile technologies: PWAs, React Native, and Ionic (with Angular). You'll walk away with knowledge of how to build mobile + Spring Boot apps in minutes with JHipster. * GitHub repo: https://github.com/mraible/mobile-jhipster * Demo script: https://github.com/mraible/mobile-jhipster/blob/main/demo.adoc

4Developers 2015: Do you think you're doing microservice architecture? - Marc...

PROIDEA

This document discusses deploying and managing microservices. It covers topics like using Jenkins to standardize continuous delivery pipelines across services, service discovery with tools like Zookeeper and Consul, implementing consumer-driven contracts for testing service interactions, configuring environments with tools like Puppet and Ansible, and monitoring services through centralized logging and metrics collection. Potential pitfalls discussed include issues with code reuse, using too many technology stacks, and additional management overhead compared to monolithic applications.

Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...

Matt Raible

In this session, you'll learn about recommended patterns for securing your backend APIs, the infrastructure they run on, and your SPAs and mobile apps. The world is no longer a place where you just need to secure your apps’ UI. You need to pay attention to your dependency pipeline and open source frameworks, too. Once you have the app built, with secure-by-design code, what about the cloud it runs on? Are the servers secure? What about the accounts you use to access them? If you lock all that sh*t down, how do you codify your solution so you can transport it cloud-to-cloud, or back to on-premises? This session will explore these concepts and many more!

Comparing JVM Web Frameworks - Rich Web Experience 2010

Matt Raible

What's New in JHipsterLand - Devoxx Poland 2017

Matt Raible

JHipster is an application generator that allows you to create monoliths or microservices, based on Spring Boot and Angular. It leverages Spring Cloud for microservices and contains best-of-breed JavaScript and CSS libraries for creating your UI. In this session, you’ll learn about what’s new in JHipster. Topics include Angular 4, Progressive Web Apps, HTTP/2, JUnit 5 and Spring 5. Monolith Demo: https://github.com/mraible/jhipster4-demo/blob/master/README.adoc Microservices Demo: https://developer.okta.com/blog/2017/06/20/develop-microservices-with-jhipster

Clojure Web Development

Hong Jiang

This document discusses Clojure web development and describes a web-based project management system called Trakr that was created using Clojure. Trakr uses a MongoDB database and has a modern friendly UI. The architecture involves a Clojure HTTP server with a Ring middleware pipeline and Compojure routing to map requests to handlers. Testing is done with clojure.test and clojure.contrib.mock. Performance is around 70ms average latency.

How to Win at UI Development in the World of Microservices - THAT Conference ...

Matt Raible

You've figured out how to split up your backend services into microservices and scale your teams to the moon! But what about the front-end? Are you still building monoliths for your UI? This session will talk about the history of web frameworks, the microservices explosion, and techniques + frameworks for complementing your microservices with micro frontends. It'll include developer stories from folks implementing micro frontends and recommendations for learning more about them.

Come Sail Away With Me (you guys): Node.js MVC Web API's Using Sails.js

Eric Nograles

5 best Java Frameworks

Aegis Softtech

Beginner's Guide to Angular 2.0

All Things Open

Front End Development for Back End Developers - Devoxx UK 2017

Matt Raible

Are you a backend developer that’s being pushed into front end development? Are you frustrated with all JavaScript frameworks and build tools you have to learn to be a good UI developer? If so, this session is for you! We’ll explore the tools of the trade for fronted development (npm, yarn, Gulp, Webpack, Yeoman) and learn the basics of HTML, CSS, and JavaScript. We’ll dive into the intricacies of Bootstrap, Material Design, ES6, and TypeScript. Finally, after getting you up to speed with all this new tech, we’ll show how it can all be found and integrated through the fine and dandy JHipster project.

From GitHub Source to GitHub Release: Free CICD Pipelines For JavaFX Apps

Bruno Borges

Streamline the building, testing, packaging, and release of your desktop JavaFX applications for all major platforms with simple to use CI/CD Pipelines and GitHub. This session will cover the details of combining GitHub for hosting source code and binaries for Mac OS, Windows and Linux of your application, and how to take advantage of Azure Pipelines plan for Open Source projects. We will learn about using a Maven archetype and a Gradle starter project for JavaFX apps, both ready for CI/CD and how they are configured. Join this talk and get ready to streamline your desktop apps just like your microservices.