Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Policy-as-Code: Across the Stack - OWASP AppSec...

Abhay Bhargav
November 06, 2023

Policy-as-Code: Across the Stack - OWASP AppSec DC 2023 | Abhay Bhargav

In today's world of rapidly evolving technology and the increasing complexity of software systems, ensuring the security and compliance of applications across the stack has become paramount. This talk will provide an in-depth exploration of Policy-as-Code (PaC) and how it can be employed to implement decoupled security practices across the stack. PaC serves as a unified framework that enables organizations to define, manage, and enforce policies in a consistent, transparent, and automated manner. This approach facilitates better security, compliance, and risk management, while also reducing the need for manual intervention.

The talk will focus on the use of Open-Source Policy-as-Code Frameworks to do policy composition, management and enforcement across the stack

Abhay Bhargav

November 06, 2023
Tweet

More Decks by Abhay Bhargav

Other Decks in Technology

Transcript

  1. abhaybhargav Yours Truly • Founder @ we45 • Founder @

    AppSecEngineer • AppSec Automation Junkie • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc world-wide • Co-author of Secure Java For Web Application Development • Author of PCI Compliance: A De fi nitive Guide
  2. abhaybhargav Agenda • Success Factors and Problems on the road

    to DevSecOps • The need for “Policy-as-Code”
  3. abhaybhargav Agenda • Success Factors and Problems on the road

    to DevSecOps • The need for “Policy-as-Code” • PaC across the StaCk
  4. abhaybhargav Agenda • Success Factors and Problems on the road

    to DevSecOps • The need for “Policy-as-Code” • PaC across the StaCk • Application and API Gateway: Policy-as-Code
  5. abhaybhargav Agenda • Success Factors and Problems on the road

    to DevSecOps • The need for “Policy-as-Code” • PaC across the StaCk • Application and API Gateway: Policy-as-Code • Cloud-Native Control Planes - Policy-as-Code
  6. abhaybhargav Agenda • Success Factors and Problems on the road

    to DevSecOps • The need for “Policy-as-Code” • PaC across the StaCk • Application and API Gateway: Policy-as-Code • Cloud-Native Control Planes - Policy-as-Code • Conclusions
  7. abhaybhargav Why? • 88% troubled by problems due to API

    Authentication - Palo Alto API Security Report 2023 • Broken Object Level (and Property) Authorization - OWASP API Security Top 10 2023 • 40% - API Miscon fi gurations like Excessive Data Exposure, etc - Palo Alto API Security Report 2023
  8. abhaybhargav The “As-Code” Movement • Version Control and Single source

    of truth • Scalability and Automation • Consistency and Reproducibility
  9. abhaybhargav The “As-Code” Movement • Version Control and Single source

    of truth • Scalability and Automation • Consistency and Reproducibility • Continuous Improvement
  10. abhaybhargav The “As-Code” Movement • Version Control and Single source

    of truth • Scalability and Automation • Consistency and Reproducibility • Continuous Improvement • High Fidelity
  11. abhaybhargav The “As-Code” Movement • Version Control and Single source

    of truth • Scalability and Automation • Consistency and Reproducibility • Continuous Improvement • High Fidelity • Testable ??
  12. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam
  13. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam
  14. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam
  15. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code
  16. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code
  17. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code DAST/Regression as Code
  18. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code DAST/Regression as Code
  19. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code DAST/Regression as Code Decoupled Security Controls /Policy-As-Code
  20. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code DAST/Regression as Code Decoupled Security Controls /Policy-As-Code Threat Models as Code
  21. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code DAST/Regression as Code Decoupled Security Controls /Policy-As-Code Threat Models as Code
  22. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code DAST/Regression as Code Decoupled Security Controls /Policy-As-Code Threat Models as Code Detection Engineering
  23. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code DAST/Regression as Code Decoupled Security Controls /Policy-As-Code Threat Models as Code Detection Engineering
  24. abhaybhargav Need and Motivation • The idea is to NOT

    hardcode security rules in app that have rapidly evolving and changing requirements
  25. abhaybhargav Need and Motivation • The idea is to NOT

    hardcode security rules in app that have rapidly evolving and changing requirements • Customisable and Purpose-Built
  26. abhaybhargav Need and Motivation • The idea is to NOT

    hardcode security rules in app that have rapidly evolving and changing requirements • Customisable and Purpose-Built • Testable
  27. abhaybhargav Need and Motivation • The idea is to NOT

    hardcode security rules in app that have rapidly evolving and changing requirements • Customisable and Purpose-Built • Testable • Scalable
  28. abhaybhargav Need and Motivation • The idea is to NOT

    hardcode security rules in app that have rapidly evolving and changing requirements • Customisable and Purpose-Built • Testable • Scalable • Create a “Paved Road” for Product Engineering Teams
  29. abhaybhargav Typical Use-Cases • Syscall Pro fi ling, Seccomp, AppArmor

    and eBPF for Runtime Security enforcement • Authorization, CORS, Rate-Limiting, mTLS and others on the API Gateway • Input Validation, Access Control with Policy-as-Code Frameworks
  30. abhaybhargav PaC - Applicability • Input Validation at Gateway •

    JWT Validation at Gateway + Claims • Function Level AuthZ at App + Gateway
  31. abhaybhargav PaC - Applicability • Input Validation at Gateway •

    JWT Validation at Gateway + Claims • Function Level AuthZ at App + Gateway • Object Level AuthZ at App + Gateway
  32. abhaybhargav Open-Policy-Agent • Policy Management Framework for “any” environment •

    Allows you to de fi ne policies that can be enforced based on generic json input and output parameters • Uses a DSL (domain speci fi c language) called “rego” that is used to de fi ne policies
  33. abhaybhargav OPA Use-Cases • Kubernetes Policy Management • API AuthZ

    and Policy Management • OS Policy Management - SSH and Access Control • Kafka Topic Authorization • Many more…
  34. abhaybhargav Let’s look at most AuthZ flaws • Inconsistent implementation

    of Object Level Authorization • Access Control code strewn across multiple services • Lack of standardization and expressive capability for AuthZ frameworks • Heavily design dependent - which gets complex at scale
  35. abhaybhargav PaC Applicability • PaC is already important for enforcing

    policies across Cloud and Cloud-Native Control-Planes • Can be leveraged for Access Control, Admission Control • Common Use-Cases: Network Policy, Service Policies, Admission Control Policies
  36. What is Kyverno? • Policy-Engine speci fi cally designed for

    Kubernetes • Policies are created and managed as native Kubernetes resources and authored in YAML • Validating and Mutating Policies and Webhooks are Supported by Kyverno
  37. Kyverno Concepts • Install Kyverno CRDs, Webhooks, Service Accounts and

    Namespaces • Policies => Validating or Mutating Policy De fi nitions • Selectors => Matches Resources in Request based on Policy
  38. Kyverno Benefits • No additional DSL required. • Mutate, Validate

    AND Generate • Background Capabilities • Audit/Enforce • Reporting - Out of the box
  39. abhaybhargav Conclusions • Policy-as-Code is a powerful way to create

    and enforce consistent Secure Defaults and Paved Roads for your AppSec use-cases • Policy-as-code helps bring in order to a complex world of distrubuted systems • Policy-as-code can be applied across the stack