Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Policy-as-Code: Across the Stack - OWASP AppSec...

Abhay Bhargav
November 06, 2023
Technology
0
610

Policy-as-Code: Across the Stack - OWASP AppSec DC 2023 | Abhay Bhargav

In today's world of rapidly evolving technology and the increasing complexity of software systems, ensuring the security and compliance of applications across the stack has become paramount. This talk will provide an in-depth exploration of Policy-as-Code (PaC) and how it can be employed to implement decoupled security practices across the stack. PaC serves as a unified framework that enables organizations to define, manage, and enforce policies in a consistent, transparent, and automated manner. This approach facilitates better security, compliance, and risk management, while also reducing the need for manual intervention.

The talk will focus on the use of Open-Source Policy-as-Code Frameworks to do policy composition, management and enforcement across the stack

Abhay Bhargav

November 06, 2023
Tweet

More Decks by Abhay Bhargav

See All by Abhay Bhargav
Secure by Design - Across the Stack
abhaybhargav
0
140
Flaming Hot SLSA!
abhaybhargav
1
620
SecAppDev - Fantastic API Security Vulnerabilities and where to find them
abhaybhargav
1
100
SecAppDev 2022 - Everything as code
abhaybhargav
0
130
Hook, Line and Sinker - Pillaging API Webhooks
abhaybhargav
0
810
DevSecOops - Stories of DevSecOps Failures and Success
abhaybhargav
0
1.6k
Practical DevSecOps Pipelines
abhaybhargav
1
350
A Hitchhikers Guide to Secrets Management in the Cloud - OWASP Seattle
abhaybhargav
0
300
Agile Threat Modeling-as-Code
abhaybhargav
2
730

Other Decks in Technology

See All in Technology
サイバーセキュリティと認知バイアス:対策の隙を埋める心理学的アプローチ
shumei_ito
0
390
Lambdaと地方とコミュニティ
miu_crescent
2
370
オープンソースAIとは何か? --「オープンソースAIの定義 v1.0」詳細解説
shujisado
9
1.1k
OTelCol_TailSampling_and_SpanMetrics
gumamon
1
190
いざ、BSC討伐の旅
nikinusu
2
780
10XにおけるData Contractの導入について: Data Contract事例共有会
10xinc
6
660
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
540
Terraform Stacks入門 #HashiTalks
msato
0
360
Introduction to Works of ML Engineer in LY Corporation
lycorp_recruit_jp
0
140
飲食店データの分析事例とそれを支えるデータ基盤
kimujun
0
150
心が動くエンジニアリング ── 私が夢中になる理由
16bitidol
0
100
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
1
230

Featured

See All Featured
Embracing the Ebb and Flow
colly
84
4.5k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
Six Lessons from altMBA
skipperchong
27
3.5k
Thoughts on Productivity
jonyablonski
67
4.3k
Docker and Python
trallard
40
3.1k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
506
140k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Automating Front-end Workflow
addyosmani
1366
200k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
Designing Experiences People Love
moore
138
23k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
Teambox: Starting and Learning
jrom
133
8.8k

Transcript

  1. abhaybhargav Policy-as-Code: Across the Stack Abhay Bhargav

  2. abhaybhargav Yours Truly • Founder @ we45 • Founder @

    AppSecEngineer • AppSec Automation Junkie • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc world-wide • Co-author of Secure Java For Web Application Development • Author of PCI Compliance: A De fi nitive Guide

  3. abhaybhargav My talk…

  4. abhaybhargav My talk…

  5. abhaybhargav Agenda

  6. abhaybhargav Agenda • Success Factors and Problems on the road

    to DevSecOps

  7. abhaybhargav Agenda • Success Factors and Problems on the road

    to DevSecOps • The need for “Policy-as-Code”

  8. abhaybhargav Agenda • Success Factors and Problems on the road

    to DevSecOps • The need for “Policy-as-Code” • PaC across the StaCk

  9. abhaybhargav Agenda • Success Factors and Problems on the road

    to DevSecOps • The need for “Policy-as-Code” • PaC across the StaCk • Application and API Gateway: Policy-as-Code

  10. abhaybhargav Agenda • Success Factors and Problems on the road

    to DevSecOps • The need for “Policy-as-Code” • PaC across the StaCk • Application and API Gateway: Policy-as-Code • Cloud-Native Control Planes - Policy-as-Code

  11. abhaybhargav Agenda • Success Factors and Problems on the road

    to DevSecOps • The need for “Policy-as-Code” • PaC across the StaCk • Application and API Gateway: Policy-as-Code • Cloud-Native Control Planes - Policy-as-Code • Conclusions

  12. abhaybhargav The Promise of DevSecOps

  13. abhaybhargav The Promise of DevSecOps

  14. abhaybhargav The Promise of DevSecOps

  15. abhaybhargav The Promise of DevSecOps

  16. abhaybhargav The Reality

  17. abhaybhargav The Reality

  18. abhaybhargav The Paved Road

  19. abhaybhargav Why? • 88% troubled by problems due to API

    Authentication - Palo Alto API Security Report 2023 • Broken Object Level (and Property) Authorization - OWASP API Security Top 10 2023 • 40% - API Miscon fi gurations like Excessive Data Exposure, etc - Palo Alto API Security Report 2023

  20. abhaybhargav The “As-Code” Movement

  21. abhaybhargav The “As-Code” Movement • Version Control and Single source

    of truth

  22. abhaybhargav The “As-Code” Movement • Version Control and Single source

    of truth • Scalability and Automation

  23. abhaybhargav The “As-Code” Movement • Version Control and Single source

    of truth • Scalability and Automation • Consistency and Reproducibility

  24. abhaybhargav The “As-Code” Movement • Version Control and Single source

    of truth • Scalability and Automation • Consistency and Reproducibility • Continuous Improvement

  25. abhaybhargav The “As-Code” Movement • Version Control and Single source

    of truth • Scalability and Automation • Consistency and Reproducibility • Continuous Improvement • High Fidelity

  26. abhaybhargav The “As-Code” Movement • Version Control and Single source

    of truth • Scalability and Automation • Consistency and Reproducibility • Continuous Improvement • High Fidelity • Testable ??

  27. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam

  28. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam

  29. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam

  30. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code

  31. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code

  32. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code DAST/Regression as Code

  33. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code DAST/Regression as Code

  34. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code DAST/Regression as Code Decoupled Security Controls /Policy-As-Code

  35. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code DAST/Regression as Code Decoupled Security Controls /Policy-As-Code Threat Models as Code

  36. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code DAST/Regression as Code Decoupled Security Controls /Policy-As-Code Threat Models as Code

  37. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code DAST/Regression as Code Decoupled Security Controls /Policy-As-Code Threat Models as Code Detection Engineering

  38. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code DAST/Regression as Code Decoupled Security Controls /Policy-As-Code Threat Models as Code Detection Engineering

  39. abhaybhargav “PaC ‘cross the stack”

  40. abhaybhargav Policy as Code

  41. abhaybhargav Need and Motivation

  42. abhaybhargav Need and Motivation • The idea is to NOT

    hardcode security rules in app that have rapidly evolving and changing requirements

  43. abhaybhargav Need and Motivation • The idea is to NOT

    hardcode security rules in app that have rapidly evolving and changing requirements • Customisable and Purpose-Built

  44. abhaybhargav Need and Motivation • The idea is to NOT

    hardcode security rules in app that have rapidly evolving and changing requirements • Customisable and Purpose-Built • Testable

  45. abhaybhargav Need and Motivation • The idea is to NOT

    hardcode security rules in app that have rapidly evolving and changing requirements • Customisable and Purpose-Built • Testable • Scalable

  46. abhaybhargav Need and Motivation • The idea is to NOT

    hardcode security rules in app that have rapidly evolving and changing requirements • Customisable and Purpose-Built • Testable • Scalable • Create a “Paved Road” for Product Engineering Teams

  47. abhaybhargav Typical Use-Cases • Syscall Pro fi ling, Seccomp, AppArmor

    and eBPF for Runtime Security enforcement • Authorization, CORS, Rate-Limiting, mTLS and others on the API Gateway • Input Validation, Access Control with Policy-as-Code Frameworks

  48. abhaybhargav Across the Stack

  49. abhaybhargav Security Model - An Example

  50. abhaybhargav Dynamic PaC Stack at the Gateway

  51. abhaybhargav Imagine…

  52. abhaybhargav Imagine…

  53. abhaybhargav Imagine…

  54. abhaybhargav Imagine…

  55. abhaybhargav Imagine…

  56. abhaybhargav Imagine…

  57. abhaybhargav Imagine…

  58. abhaybhargav Imagine… Your Service Business Logic

  59. abhaybhargav Imagine… Your Service Business Logic JWT Authorization

  60. abhaybhargav Imagine… Your Service Business Logic JWT Authorization Input Validation

  61. abhaybhargav Imagine… Your Service Business Logic JWT Authorization Input Validation

    Object Access Control

  62. abhaybhargav Imagine… Your Service Business Logic JWT Authorization Input Validation

    Object Access Control Authentication

  63. abhaybhargav Imagine… Your Service Business Logic JWT Authorization Input Validation

    Object Access Control Authentication Logging

  64. abhaybhargav The Proposed Solution

  65. abhaybhargav PaC - Applicability

  66. abhaybhargav PaC - Applicability • Input Validation at Gateway

  67. abhaybhargav PaC - Applicability • Input Validation at Gateway •

    JWT Validation at Gateway + Claims

  68. abhaybhargav PaC - Applicability • Input Validation at Gateway •

    JWT Validation at Gateway + Claims • Function Level AuthZ at App + Gateway

  69. abhaybhargav PaC - Applicability • Input Validation at Gateway •

    JWT Validation at Gateway + Claims • Function Level AuthZ at App + Gateway • Object Level AuthZ at App + Gateway

  70. abhaybhargav Frameworks we’ll use • Open Policy Agent and Rego

    • Casbin/Oso, etc

  71. abhaybhargav Open-Policy-Agent • Policy Management Framework for “any” environment •

    Allows you to de fi ne policies that can be enforced based on generic json input and output parameters • Uses a DSL (domain speci fi c language) called “rego” that is used to de fi ne policies

  72. abhaybhargav Open Policy Agent - Operation

  73. abhaybhargav Rego Rule Syntax

  74. abhaybhargav Rego Rule Syntax

  75. abhaybhargav Rego Rule Syntax

  76. abhaybhargav Rego Rule Syntax

  77. abhaybhargav Rego Rule Syntax

  78. abhaybhargav Rego Rule Syntax

  79. abhaybhargav Rego Rule Syntax

  80. abhaybhargav Rego Rule Syntax

  81. abhaybhargav Rego Rule Syntax

  82. abhaybhargav Rego Rule Syntax

  83. abhaybhargav Rego Rule Syntax

  84. abhaybhargav Rego Rule Syntax

  85. abhaybhargav Rego Rule Syntax

  86. abhaybhargav Rego Rule Syntax

  87. abhaybhargav Rego Rule Syntax

  88. abhaybhargav OPA Use-Cases • Kubernetes Policy Management • API AuthZ

    and Policy Management • OS Policy Management - SSH and Access Control • Kafka Topic Authorization • Many more…

  89. Copyright © we45 2020 abhaybhargav AuthZ-as-Code

  90. abhaybhargav Let’s look at most AuthZ flaws • Inconsistent implementation

    of Object Level Authorization • Access Control code strewn across multiple services • Lack of standardization and expressive capability for AuthZ frameworks • Heavily design dependent - which gets complex at scale

  91. abhaybhargav AuthZ-as-Code Frameworks

  92. abhaybhargav Object Level AuthZ has access to to perform

  93. abhaybhargav Functional AuthZ has access to to perform

  94. abhaybhargav RBAC - Role Based Access Control

  95. abhaybhargav ABAC - Attribute Based Access Control

  96. abhaybhargav Google Zanzibar approach

  97. abhaybhargav Approach

  98. abhaybhargav Approach

  99. abhaybhargav Approach

  100. abhaybhargav Approach

  101. abhaybhargav Approach

  102. abhaybhargav Casbin

  103. abhaybhargav Casbin

  104. abhaybhargav Casbin

  105. abhaybhargav Casbin

  106. abhaybhargav Casbin

  107. abhaybhargav

  108. abhaybhargav PERM

  109. abhaybhargav PERM Policy, Effect, Request, Matchers

  110. abhaybhargav What is PERM?

  111. abhaybhargav What is PERM? Request Attributes must MATCH Policy Attributes

  112. abhaybhargav Lab: OPA, Traefik and Decentralized security Controls

  113. abhaybhargav PaC on Cloud Control-Planes

  114. abhaybhargav PaC Applicability • PaC is already important for enforcing

    policies across Cloud and Cloud-Native Control-Planes • Can be leveraged for Access Control, Admission Control • Common Use-Cases: Network Policy, Service Policies, Admission Control Policies

  115. abhaybhargav PaC - Cloud Control-Planes

  116. abhaybhargav PaC - Cloud Control-Planes

  117. abhaybhargav PaC - Cloud Control-Planes

  118. abhaybhargav PaC - Cloud Control-Planes

  119. abhaybhargav PaC - Cloud Control-Planes

  120. abhaybhargav PaC - Cloud Control-Planes

  121. abhaybhargav PaC - Cloud Control-Planes

  122. abhaybhargav PaC - Cloud Control-Planes

  123. abhaybhargav PaC - Cloud Control-Planes

  124. Policy Management with Kyverno

  125. What is Kyverno? • Policy-Engine speci fi cally designed for

    Kubernetes • Policies are created and managed as native Kubernetes resources and authored in YAML • Validating and Mutating Policies and Webhooks are Supported by Kyverno

  126. Kyverno Concepts • Install Kyverno CRDs, Webhooks, Service Accounts and

    Namespaces • Policies => Validating or Mutating Policy De fi nitions • Selectors => Matches Resources in Request based on Policy

  127. Kyverno Policy Structure

  128. Basic Kyverno Validate Policy

  129. Kyverno Mutate Policy

  130. Kyverno Generate Policy

  131. Kyverno Benefits • No additional DSL required. • Mutate, Validate

    AND Generate • Background Capabilities • Audit/Enforce • Reporting - Out of the box

  132. Lab: Kyverno

  133. abhaybhargav Conclusions • Policy-as-Code is a powerful way to create

    and enforce consistent Secure Defaults and Paved Roads for your AppSec use-cases • Policy-as-code helps bring in order to a complex world of distrubuted systems • Policy-as-code can be applied across the stack