Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Application Security in the time of Containers

Akash Mahajan
April 10, 2017
Technology
0
71

Application Security in the time of Containers

OWASP, Application Security and other security considerations in a world of containers, CI/CD and DevOps

Akash Mahajan

April 10, 2017
Tweet

More Decks by Akash Mahajan

See All by Akash Mahajan
Getting Started with Cloud Native Security for Security Pros
makash
0
100
Secure Software Development For Cloud (AWS) Teams
makash
1
390
On Writing Well
makash
0
160
Minimum Viable Security for Startups
makash
1
79
Reliable Automated Cloud Native Security Operations
makash
0
180
Doing SecOps for the Cloud using CloudNative
makash
1
320
OSINT Techniques for Pwning FinTech
makash
1
320
Secrets In Our Clouds
makash
0
180
It's The Threat Model Silly
makash
0
260

Other Decks in Technology

See All in Technology
DynamoDB でスロットリングが発生したとき_大盛りver/when_throttling_occurs_in_dynamodb_long
emiki
1
420
生成AIが変えるデータ分析の全体像
ishikawa_satoru
0
160
プロダクト活用度で見えた真実 ホリゾンタルSaaSでの顧客解像度の高め方
tadaken3
0
140
AWS Lambdaと歩んだ“サーバーレス”と今後 #lambda_10years
yoshidashingo
1
180
これまでの計測・開発・デプロイ方法全部見せます! / Findy ISUCON 2024-11-14
tohutohu
3
370
Introduction to Works of ML Engineer in LY Corporation
lycorp_recruit_jp
0
130
CysharpのOSS群から見るModern C#の現在地
neuecc
2
3.4k
100 名超が参加した日経グループ横断の競技型 AWS 学習イベント「Nikkei Group AWS GameDay」の紹介/mediajaws202411
nikkei_engineer_recruiting
1
170
VideoMamba: State Space Model for Efficient Video Understanding
chou500
0
190
社内で最大の技術的負債のリファクタリングに取り組んだお話し
kidooonn
1
550
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
5
760
エンジニア人生の拡張性を高める 「探索型キャリア設計」の提案
tenshoku_draft
1
130

Featured

See All Featured
What's in a price? How to price your products and services
michaelherold
243
12k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
0
97
Fashionably flexible responsive web design (full day workshop)
malarkey
405
65k
RailsConf 2023
tenderlove
29
900
Building Applications with DynamoDB
mza
90
6.1k
Designing the Hi-DPI Web
ddemaree
280
34k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
38
1.8k
What's new in Ruby 2.0
geeforr
343
31k
The Invisible Side of Design
smashingmag
298
50k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k

Transcript

  1. APPSEC IN A CONTAINER WORLD AKASH MAHAJAN - DIRECTOR APPSECCO

  2. WE NOW LIVE IN A CONTAINER WORLD # Container(Camp|Conf|World)

  3. IT/OPS AND DEVS ARE COMING TOGETHER # devops

  4. THERE IS A MAJOR SHIFT IN SECURITY #SHIFTLEFT Shannon Lietz

    (Keynote at DevSecCon Asia 2017)

  5. APPSEC TESTING HAS TO BECOME PART OF THE DEVOPS OR

    BE LEFT BEHIND The reality is, Microsoft Security Dev Lifecycle is about 17 Years Old!

  6. CONTAINERS ENABLE SELF-SERVICE AN IMPORTANT ASPECT OF DEVOPS

  7. CONTINUOUS * PIPELINE MODE ON CONTAINERS ENABLE INTEGRATION AND DEPLOYMENT

    ON TAP

  8. From http://stackoverflow.com/questions/28608015/continuous-integration-vs-continuous-delivery-vs-continuous-deployment CHECK FOR SECURITY 1 2 3 4

  9. CONTAINERS, APP SEC & OWASP

  10. RELEVANT APPSEC RISKS FROM THE POINT OF VIEW OF CONTAINERS

    OWASP Top 10 Issue What is that? A1 Injection Stuff that harms the server A2 Broken AuthN Stuff that lets attackers access parts of the application, which allows them to upload stuff that harms the server A4 Insecure Direct Object Reference A5 Security Misconfiguration Stuff that makes the infra supporting the app insecure A9 Using components with Known Vulnerabilities Stuff that possibly enables any or all of the above, due to using 3rd party stuff

  11. A5 IS A SOLVED PROBLEM, MAYBE!! OWASP A5 - SECURITY

    MISCONFIGURATION

  12. PATCHED UN-PATCHED

  13. IMMUTABLE INFRASTRUCTURE FTW!!! Akash Mahajan THERE IS NO REASON TO

    HARDEN EVERY TIME, WE JUST START FROM SCRATCH AND TAKE THE LATEST PATCHED VERSION EVERY SINGLE TIME

  14. A9 CAN BE SOLVED WITH PRIVATE REPOS & REGISTRIES MAYBE

    OWASP A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES

  15. SO WHAT IS YOUR SECURITY NIGHTMARE, KEEPING YOU AWAKE?

  16. WHAT ABOUT APPLICATION’S SECURITY?

  17. WHAT IS THIS THAT IS GOING TO BURST OUR BUBBLE?

    15,000,000 RECORDS FOUND BECAUSE MANAGEMENT HAD WEAK PASSWORD ON APPLICATION 3000 PASSPORTS AND DRIVER’S LICENSES LEAKED BECAUSE THE CONTRACTOR DIDN’T RESET THE CEO’S WEAK PASSWORD ROOT ON RETAIL E-COMMERCE SERVER BECAUSE OUTSOURCED VENDOR ALWAYS USES COMPANY NAME AS CMS ADMIN PASSWORD

  18. TYPICALLY AT THIS POINT PEOPLE TRY TO SOLVE SECURITY BY

  19. MONITORING IS NOT SECURITY MONITORING IS NOT SECURITY MONITORING IS

    NOT SECURITY

  20. WHILE AUTHN AND AUTHZ GO A LONG WAY IN ENSURING

    SECURITY OF ACCESS

  21. NO AMOUNT OF AUTOMATION CAN SOLVE BIZ LOGIC ISSUES

  22. IF ALL YOUR PROCESS ALLOWS FOR IS A FINAL SECURITY

    REVIEW, THEN

  23. From http://stackoverflow.com/questions/28608015/continuous-integration-vs-continuous-delivery-vs-continuous-deployment CHECK FOR SECURITY 1 2 3 4 AUTOMATED

    AUTOMATED AUTOMATED NOT-AUTOMATED

  24. WHAT CAN THIS NON-AUTOMATED APPROACH LOOK LIKE? IS THERE A

    CHECKLIST WE CAN FOLLOW?

  25. Issues OWASP Top 10 Input based A1, A3, A4, A8,

    A10 Logic & Design based A2, A5, A6, A7 Access Control A2, A5, A6, A7 Any other A9 API Testing Can span multiple TAKEAWAY

  26. THAT APPLICATION SECURITY GUY

  27. None

  28. QUESTIONS @makash | https://linkd.in/webappsecguy | [email protected]