Erik Costlow
Why is Erik talking
Java 8. From frequent exploits to a two-year shut-out of 0-days.
Managed Java root certificate program, breaking 7-year deadlock.
Contrast Security. Continuous self-defending software. Works inside of
applications and has actual context.
Turbonomic. Product management, IT performance assurance & cloud
migration. Crossed $100M revenue.
Developer course author. Graph analysis with Java, Hands-on
Cryptography, Basic Data analysis, etc. Packt Publishing.
Agenda
1. Cloud migration strategies
2. How applications are at risk
3. How to defend applications
I expect that WHY people go to the cloud is clear.
We will jump straight to doing it securely.
AWS Cloud Migration Whitepaper
https://d0.awsstatic.com/whitepapers/the-path-to-the-cloud-dec2015.pdf
The 2015 layout is cleaner than the 2018 version.
The layout in words:
The 6 Rs of Migration
1. Re-Host
2. Re-Platform
3. Re-factor / Re-architect
4. Re-Purchase
5. Retire
6. Retain
Bringing security along
1. Explode (no perimeter)
2. Offload (virtualize)
3. Reload (with things that work)
Arrrrrrrr, there be six Rs in a cloud migration.
https://www.lightreading.com/security/security-strategies/new-security-mantra-explode-offload-reload/d/d-id/736076
Lift & Shift
https://d0.awsstatic.com/whitepapers/the-path-to-the-cloud-dec2015.pdf
Move the application:
• Elastic Beanstalk
• Elastic Container
• Fargate
• EC2 instance
Move the infrastructure:
• Lightsail
• Elastic Container
• Fargate
Refactor for cloud or Rearchitect
https://d0.awsstatic.com/whitepapers/the-path-to-the-cloud-dec2015.pdf
Rewrite on cloud APIs
Leverage provider services
Etc.
A couple of difficulties with both
• Which cloud provider?
• PCF, AWS, Azure?
• Cost difference can be significant.
• Lift and Shift: what does it talk to? Must migrate dependencies.
• Refactoring binds architecture to services, therefore provider.
• Crazy long bills
• Security still needs to be built in.
https://www.cnbc.com/2019/01/08/california-bill-would-curb-use-of-paper-receipts-push-digital-option.html
Does cloud provide security?
• No.
• If the application is vulnerable, it is just vulnerable in the cloud.
What will still harm a cloud app?
How do people find my app to attack?
https://www.infoq.com/news/2019/02/eu-bug-bounty-tomcat-kafka
Similar to bug bounties, attackers learn to find
specific flaws.
They then hunt for these flaws.
Over time, they change what they look for.
Over time, apps rarely update defenses.
Where should I logically defend both on-prem and in cloud?
“Perimeter” disappears.
Cloud uses the same runtimes:
Java is Java
Node is Node
Python is Python
All code and dependencies need to run.
Therefore the logical place to apply security is the runtime.
Focus on what’s NOT changing
Here's Bezos:
I very frequently get the question: "What's going to change in the
next 10 years?" And that is a very interesting question; it's a very
common one. I almost never get the question: "What's not
going to change in the next 10 years?" And I submit to you that
that second question is actually the more important of the two --
because you can build a business strategy around the things that
are stable in time. ...
https://www.inc.com/jeff-haden/20-years-ago-jeff-bezos-said-this-1-thing-separates-people-who-achieve-lasting-success-from-those-who-dont.html
Secure applications, top to bottom
Cloud-Native Platform and Infrastructure Security
Cloud-Native Continuous Application Security
How can I effectively secure myself anywhere?
Runtime Application Security Protection: on-premise, cloud, etc.
Who else suggests this embedded security model?
David Zendzian, Pivotal’s Information Security and
Compliance CTO (and also Jeff Williams, Contrast CTO)
What does the non-embedded model look like?
Pivotal’s Cloud Native Security Vision
Repair: repair vulnerable software as soon as updates are available.
Repave: repave servers and applications from a known good state. Do this often.
Rotate: rotate user credentials frequently, so they are only useful for short periods of time.
Continuous Compliance: apps inherit controls from the platform, simplifying audits. Automating compliance.
Reduce Your MTTR | Resist Advanced Persistent Threats | Reduce the Threat of Leaked Credentials
Source: “Cloud Native Security Understanding the Why and How” by Pivotal & Contrast Security
What does “continuous” look like?
The DevOps circle of test
Embedded security with everything
Tools you can use for free: which, where, and why
• SAP’s “vulnerability assessment tool,” during CI
• Dependabot, during CI
• Contrast Community Edition, during Test and Ops
SAP Vulnerability Assessment Tool
• For Java and Python apps.
• Detects dependencies with known
CVEs.
• Guards against deploying these CVEs.
• Scan during CI, before deployment.
https://github.com/SAP/vulnerability-assessment-tool
Dependabot
• For a number of build systems.
• Detects dependencies with known CVEs
and automatically updates them.
• Guards against deploying these CVEs.
• Simplifies updates through automation.
• Runs periodically, creating pull requests
that feed CI.
https://dependabot.com/
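An added example, not code from the SAP tool, Dependabot or this deck, of the CI gate both tools above implement: each dependency is matched against known-vulnerable version ranges and the build is blocked before deployment. The advisory feed, artifact coordinates and VULN-* ids are constructed placeholders, and versions are assumed to be plain dotted numbers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """One known-vulnerable version range for a Maven-style coordinate."""
    artifact: str    # "groupId:artifactId"
    vuln_id: str     # constructed placeholder, not a real CVE number
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive); "" if no fix exists


def parse_version(version: str) -> tuple:
    """Assumption: plain dotted-numeric versions (no -SNAPSHOT or qualifiers)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    below_fix = not adv.fixed or v < parse_version(adv.fixed)
    return v >= parse_version(adv.introduced) and below_fix


def find_vulnerable(dependencies, advisories):
    """Return (coordinate, version, vuln_id, fixed) for every matching dependency."""
    hits = []
    for coord, version in dependencies:
        for adv in advisories:
            if adv.artifact == coord and is_affected(version, adv):
                hits.append((coord, version, adv.vuln_id, adv.fixed))
    return hits


def gate(dependencies, advisories) -> int:
    """CI exit code: 0 lets the deploy proceed, 1 blocks it."""
    hits = find_vulnerable(dependencies, advisories)
    for coord, version, vuln_id, fixed in hits:
        fix = f"upgrade to {fixed}" if fixed else "no fixed version yet"
        print(f"BLOCK {coord}:{version} matches {vuln_id} ({fix})")
    return 1 if hits else 0


# Constructed sample data: placeholder advisory ids and artifact names.
ADVISORIES = [
    Advisory("com.example:parser", "VULN-0001", "1.0.0", "1.4.2"),
    Advisory("com.example:parser", "VULN-0002", "2.0.0", ""),
    Advisory("org.example:web", "VULN-0003", "3.1.0", "3.1.5"),
]
DEPENDENCIES = [
    ("com.example:parser", "1.3.9"),    # inside [1.0.0, 1.4.2) -> blocked
    ("org.example:web", "3.1.5"),       # exactly the fixed version -> allowed
    ("org.example:logging", "2.17.1"),  # no advisory -> allowed
]
EXIT_CODE = gate(DEPENDENCIES, ADVISORIES)  # 1: the parser dependency is blocked
```

In a pipeline the exit code is what stops the deploy step; a dependency sitting exactly on the fixed version passes, which is the boundary scanners most often get wrong.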
Contrast Community Edition
• For Java applications (more coming).
• Finds, reports, and defends
vulnerabilities in custom code.
• Does not require known CVE or list.
• Runs continuously alongside code.
• Everyone becomes a security tester.
• Application becomes self-defending.
https://www.contrastsecurity.com/contrast-community-edition
End Goal: Continuous Automated Security
Development: IAST/RASP | CI/CD/QA: IAST/RASP | Operations: IAST/RASP
Questions?
1. Cloud migration strategies
2. How applications are at risk
3. How to defend applications
Erik Costlow | @costlow | Contrast Security

Securing a Cloud Migration
