Strategies on How to Overcome
Security Challenges Unique to Cloud-
Native Apps
Zane Lackey
@ZaneLackey
Kamala Dasika
@DasikaKN
© Copyright 2017 Pivotal Software, Inc. All rights reserved.
About Pivotal
Transform how the world builds software.
Modern Software Methodology | Modern Cloud-Native Platform
Security Matters to All of Us
76% of websites have vulnerabilities*
35% increase in ransomware*
100-150 days to patch/fix in enterprises+
* April 2017 Internet Security Threat Report
+ Web Applications Security Statistics Report 2016
Bespoke Application Process Drives Complex,
Manual Deploys & Waterfall Release Cycles
Security Tradition
The brittle stack.
The long accreditation cycle.
The culture of no.
The unpatched server.
The un-versioned application.
The inconsistent configuration.
The leaked credential.
Security Tradition: Reduce risk by slowing down.
Cloud Native Security: Reduce risk by going faster.
Core Pillars
Repair, Repave, Rotate
Turn-key Compliance
Starve the resources needed for attacks: address vulnerabilities caused by time/delays, misconfigured/unpatched software, and leaked credentials.
Platform Security Concepts
Immutable, consistent infrastructure
2-layer scheduler
Hardened container boundary
Constant, full-stack patching
Ephemeral servers
Fully encrypted network
Ubiquitous policy enforcement
Control of software supply chain
Monitoring and scanning integration
Turn-key compliance
Structured Automation
Everything to Deploy and Manage the App:
1. Roles and Policy
2. Metrics
3. Log Aggregation
4. Health Management
5. Security and Isolation
6. Blue-Green Deployment
7. Scaling
✓ Consistent Contracts
✓ Fully Automated, Repeatable, platform-managed DevOps processes
✓ Developer + Ops + Security Friendly Constructs
✓ Infrastructure Failure Agnostic
Deployment & Buildpacks
cf push
cf push -b <buildpack>
Code Artifacts -> Detect (Buildpack) -> Compile (Dependencies) -> Release (Execution config & command) -> Deployed Artifact
Buildpack sources: Built-In, Community, Custom, Partner
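A small model of the detect / compile / release lifecycle the slide sketches, added here as an illustration; it is not Cloud Foundry's implementation. A buildpack is modelled as a detect predicate over the pushed files plus the runtime dependencies and start command it would supply, and the ordered list of installed buildpacks stands in for whatever built-in, community, custom and partner buildpacks an operator has chosen to install. The buildpack names, detect rules and dependency labels are constructed for the example; the point it shows is that the platform, not the developer, decides which runtimes can be attached to pushed code, and that `-b` only picks among installed buildpacks.

```python
"""Model of the cf push lifecycle on the slide: detect -> compile -> release.

Added illustration, not Cloud Foundry's implementation.  A buildpack is a
detect predicate over the pushed files plus the dependencies and start
command it supplies; INSTALLED stands in for the operator's approved set.
Names, detect rules and dependency labels are constructed.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional


@dataclass(frozen=True)
class Buildpack:
    name: str
    detect: Callable[[FrozenSet[str]], bool]   # does this buildpack apply to these files?
    dependencies: List[str]                    # runtime pieces compile would add
    start_command: str                         # what release hands to the scheduler


@dataclass
class Droplet:
    """The deployed artifact: app code + buildpack-supplied runtime + start command."""
    buildpack: str
    app_files: List[str]
    dependencies: List[str]
    start_command: str


class PushError(Exception):
    pass


def detect(files: FrozenSet[str], installed: List[Buildpack], forced: Optional[str] = None) -> Buildpack:
    """cf push: first installed buildpack whose detect passes.
    cf push -b <buildpack>: that buildpack, but only if the operator installed it."""
    if forced is not None:
        for bp in installed:
            if bp.name == forced:
                return bp
        raise PushError(f"buildpack {forced!r} is not installed on this platform")
    for bp in installed:                 # order matters: the first match wins
        if bp.detect(files):
            return bp
    raise PushError("no installed buildpack detected this app; pick one with -b")


def compile_app(bp: Buildpack, files: FrozenSet[str]) -> Droplet:
    """Compile: the platform supplies the runtime dependencies; app code is packaged as pushed."""
    return Droplet(bp.name, sorted(files), sorted(bp.dependencies), start_command="")


def release(bp: Buildpack, droplet: Droplet) -> Droplet:
    """Release: attach the execution config/command the buildpack defines."""
    droplet.start_command = bp.start_command
    return droplet


def push(files: FrozenSet[str], installed: List[Buildpack], forced: Optional[str] = None) -> Droplet:
    bp = detect(files, installed, forced)
    return release(bp, compile_app(bp, files))


# Constructed catalogue in platform order; dependency labels are placeholders for
# the platform-pinned versions a real buildpack would carry.
INSTALLED: List[Buildpack] = [
    Buildpack("java_buildpack", lambda f: any(n.endswith(".jar") for n in f),
              ["jre (platform-pinned)"], "java -jar app.jar"),
    Buildpack("python_buildpack", lambda f: "requirements.txt" in f,
              ["python (platform-pinned)"], "python app.py"),
    Buildpack("staticfile_buildpack", lambda f: "Staticfile" in f,
              ["nginx (platform-pinned)"], "nginx -c nginx.conf"),
]


if __name__ == "__main__":
    d = push(frozenset({"app.py", "requirements.txt"}), INSTALLED)
    print(d.buildpack, d.dependencies, d.start_command)
```

Because the runtime pieces come from the installed buildpack rather than from the pushed artifact, patching the buildpack and re-staging is enough to move every app onto a fixed runtime, which is what the "constant, full-stack patching" and "control of software supply chain" concepts rely on.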
Stemcell Hardening
•  Stemcell = Bare minimal OS + PCF-specific utilities and configuration files
•  Hardening guidance from commercial and govt. sources
•  BOSH Add-Ons
–  Ensure certain software runs on all VMs managed by the Director.
–  E.g. security agents like Tripwire, IPsec, etc., anti-viruses like McAfee, health monitoring agents and logging agents
(Diagram: BOSH/Ops Manager applies a Stemcell and a Release Manifest to the managed VMs; simplified to illustrate the point)
Each Layer Upgradable with No Downtime
Container layers, top to bottom: Application | App Runtime* | File system mapping | Linux host & kernel
Blue-Green deploy / Canary style deploy
* e.g. Embedded webserver, app configurations, JRE, agents for services packaged as buildpacks
Upgrade and patch with rolling “canary” deploys
(Diagram: application instances A, B, M, N, X, Y spread across VMs; a VM prior to update is shown shaded)
Apps redeployed to clear VMs
Update introduced. If the tests pass, keep going
Automated, no downtime
Atomic rolling update
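The canary sequence on the two slides, as an added simulation rather than BOSH or Pivotal code: instances are redeployed off a VM, the VM is repaved onto the new stemcell version, a health test runs, and only then does the rollout move to the next VM. The slide says only "if the tests pass, keep going"; the rollback of a failed canary and the check that every instance stays running throughout are this example's assumptions. VM names, versions and the health test are constructed.

```python
"""Rolling "canary" repave of a VM fleet, following the slide sequence.

Added simulation, not BOSH or Pivotal code.  Assumptions: each VM runs one
stemcell version and hosts application instances; instances are redeployed to
other VMs before their VM is repaved; a caller-supplied health test stands in
for the platform's post-update checks.  Names and versions are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class VM:
    name: str
    version: str                    # stemcell version this VM was built from
    apps: List[str] = field(default_factory=list)


class Fleet:
    def __init__(self, vms: List[VM]):
        self.vms = vms
        self.expected: Set[str] = {a for vm in vms for a in vm.apps}
        self.min_copies_seen = float("inf")   # lowest instance count of any app, over all checks
        self.log: List[str] = []

    def running(self) -> Dict[str, int]:
        counts: Dict[str, int] = {a: 0 for a in self.expected}
        for vm in self.vms:
            for a in vm.apps:
                counts[a] += 1
        return counts

    def _check_no_downtime(self) -> None:
        low = min(self.running().values())
        self.min_copies_seen = min(self.min_copies_seen, low)
        if low < 1:
            raise RuntimeError("an application lost its last running instance")

    def _drain(self, vm: VM) -> Dict[str, str]:
        """Redeploy this VM's instances onto the other VMs ("apps redeployed to clear VMs")."""
        others = [o for o in self.vms if o is not vm]
        if not others:
            raise RuntimeError("a rolling update needs at least two VMs")
        moved: Dict[str, str] = {}
        for i, app in enumerate(vm.apps):
            target = others[i % len(others)]
            target.apps.append(app)
            moved[app] = target.name
        vm.apps = []
        return moved

    def _return(self, vm: VM, moved: Dict[str, str]) -> None:
        """Bring the drained instances back onto the (re)built VM."""
        by_name = {o.name: o for o in self.vms}
        for app, host in moved.items():
            by_name[host].apps.remove(app)
            vm.apps.append(app)

    def rolling_update(self, new_version: str, healthy: Callable[[VM], bool]) -> bool:
        """Repave one VM at a time; stop and roll back at the first failing canary."""
        for vm in self.vms:
            moved = self._drain(vm)
            self._check_no_downtime()
            old = vm.version
            vm.version = new_version        # repave: a fresh VM from the new stemcell, not an in-place patch
            if not healthy(vm):
                vm.version = old            # canary failed: rebuild from the old stemcell, halt the rollout
                self._return(vm, moved)
                self.log.append(f"{vm.name}: health check failed on {new_version}; kept {old}, rollout halted")
                return False
            self._return(vm, moved)
            self._check_no_downtime()
            self.log.append(f"{vm.name}: {old} -> {new_version}")
        return True


def demo_fleet() -> Fleet:
    """Constructed fleet: six instances A, B, M, N, X, Y on three VMs, as on the slide."""
    return Fleet([VM("vm-1", "v1", ["A", "B"]),
                  VM("vm-2", "v1", ["M", "N"]),
                  VM("vm-3", "v1", ["X", "Y"])])


if __name__ == "__main__":
    fleet = demo_fleet()
    fleet.rolling_update("v2", lambda vm: True)
    print("\n".join(fleet.log))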
“The first time ever we fully upgraded Cloud
Infrastructure with Zero Impact.
In Production.
During Business Hours.
During Peak Business Hours.”
Source: Internal Feedback Shown by Greg Otto, Executive Director @ Comcast, at Cloud Foundry Summit 2016
Guest Speaker: Zane Lackey
•  Started out in offense
–  iSEC Partners / NCC Group
•  Moved to defense
–  First head of security at Etsy, built and
led the four security groups
•  Now scaling defense for many orgs
–  Co-founder / CSO at Signal Sciences,
delivering a product that defends web
applications in the DevOps/Cloud world
Lessons learned being at the forefront of the shift
to DevOps/Cloud
Spoiler: Security shifts from being a gatekeeper
to enabling teams to be secure by default
What has changed?
The new realities in a DevSecOps world:
1.  Changes happen multiple orders of magnitude faster than previously
2.  Security only becomes successful if it can bake into the Development/DevOps process
3.  For many apps, the cost of attack is so low that you will be attacked even if you’re not a brand name
Let’s change our approach
What new concepts should security focus on?
Visibility + Feedback
Except… These aren’t new concepts!
Performance monitoring, data analytics,
A/B testing are all about visibility + feedback
The same hard lessons are slowly shifting to
security
First, a story from the old days…
How can we improve?
Ex: Which of these is a quicker way to spot an
attack?
Surface security visibility for everyone, not just
the security team
(if the security team even exists)
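One concrete form of that shared visibility, added here as an illustration and not taken from the talk: the same per-minute metric that performance monitoring already produces for latency, computed from web access logs for error responses instead. A graph of this series spiking is something an on-call developer recognizes without a security team, whereas the same signal spread across raw log lines is not. The log lines, their format (ISO timestamp, client IP, request line, status) and the thresholds are all constructed for the example; the client addresses are documentation ranges.

```python
"""Turn raw access logs into a per-minute security signal anyone on the team can
watch, in the spirit of "which of these is a quicker way to spot an attack?".

Added illustration, not code from the talk.  SAMPLE_LOG is constructed; its
format and the spike thresholds are assumptions chosen for the example.
"""
import re
from collections import Counter
from statistics import median
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed line format: "<ISO timestamp>Z <client ip> \"<method> <path> HTTP/x\" <status>"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}):\d{2}Z (?P<ip>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)


def parse(line: str) -> Optional[Tuple[str, str, str, int]]:
    """Return (minute, client_ip, path, status) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["ts"], m["ip"], m["path"], int(m["status"])


def error_series(lines: Iterable[str], statuses: Tuple[int, ...] = (403, 404)) -> Dict[str, int]:
    """Per-minute count of 'probing' responses: the metric a dashboard would graph."""
    series: Dict[str, int] = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        minute, _ip, _path, status = rec
        series.setdefault(minute, 0)            # minutes with traffic but no errors still count as 0
        if status in statuses:
            series[minute] += 1
    return series


def spikes(series: Dict[str, int], factor: float = 3.0, min_events: int = 5) -> List[str]:
    """Minutes whose error count is >= min_events and > factor x the median of earlier minutes."""
    flagged: List[str] = []
    history: List[int] = []
    for minute in sorted(series):
        n = series[minute]
        if history and n >= min_events and n > factor * median(history):
            flagged.append(minute)
        history.append(n)
    return flagged


def top_clients(lines: Iterable[str], statuses: Tuple[int, ...] = (403, 404), k: int = 3) -> List[Tuple[str, int]]:
    """Clients producing the most error responses; the first thing to look at when a minute is flagged."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse(line)
        if rec is not None and rec[3] in statuses:
            counts[rec[1]] += 1
    return counts.most_common(k)


# Constructed sample: five quiet minutes with one stale link each, then one minute in
# which a single client (a documentation-range address) produces eight 404s.
SAMPLE_LOG: List[str] = []
for _m in range(5):
    SAMPLE_LOG += [
        f'2017-06-01T10:0{_m}:05Z 198.51.100.{_m + 1} "GET /home HTTP/1.1" 200',
        f'2017-06-01T10:0{_m}:20Z 198.51.100.{_m + 2} "GET /cart HTTP/1.1" 200',
        f'2017-06-01T10:0{_m}:41Z 198.51.100.{_m + 3} "GET /old-link HTTP/1.1" 404',
    ]
SAMPLE_LOG += [f'2017-06-01T10:05:{_s:02d}Z 203.0.113.7 "GET /p/{_s} HTTP/1.1" 404' for _s in range(8)]
SAMPLE_LOG += ['2017-06-01T10:05:30Z 198.51.100.9 "GET /home HTTP/1.1" 200']


if __name__ == "__main__":
    series = error_series(SAMPLE_LOG)
    for minute, n in sorted(series.items()):
        print(minute, "#" * n)
    print("flagged:", spikes(series), "top clients:", top_clients(SAMPLE_LOG))
```

The series itself is the deliverable: shipped to the same metrics system that already holds request latency, it is visible to every team, not only to a security team that may not exist.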
Obtaining better feedback
Three keys to modern feedback loops:
1.  Combination of bug bounty + pentests
2.  Bounty is not a replacement for pentest; it augments pentest
3.  Bounty gives general but more real-time feedback; pentest shifts to giving more directed but less frequent feedback
Visibility + Feedback success story:
“I discovered the vulnerability late Friday afternoon and
wasn't quite ready to email it to them … [Etsy] had
detected my requests and pushed a patch Saturday
morning before I could email them. This was by far the
fastest response time by any company I've reported to.”
- Source: https://www.reddit.com/r/netsec/comments/vbrzg/etsy_has_been_one_of_the_best_companies_ive
Embrace DevOps, Cloud, and other means of increasing velocity. But do so safely by obtaining:
Visibility + Feedback
Thanks!