
Discovery of the Cloud Native applications from an application security perspective.

Slides of my talk to the conference RENCONTRES DE LA SECURITE at Luxemburg in 2023.

https://rencontres-securite.lu/

Dominique RIGHETTO

June 15, 2023

Transcript

  1. CYBERSECURITY YOU CAN TRUST

    Discovery of the Cloud Native applications from an application security perspective. Dominique Righetto, Intrusion & Application Security team, Excellium Luxembourg entity.
  2. Copyright © 2023 - Excellium Services SA. All rights reserved.

    📝 Convention: Cloud Native Application will be called CNA.
  3. 🤔 Question

    Which aspects of the security of an application change when that application is intended to be a Cloud Native one?
  4. 📋 Properties of a CNA?

    • Leverage a maximum of services provided by a Cloud provider, to focus on the added-value aspect of the application.
    • It is a distributed system by design.
    • It is stateless, to facilitate easy horizontal scaling in and out.
  5. 📋 Properties of a CNA?

    • It is composed of several dedicated parts:
      • Each one leveraging the most effective Cloud feature according to its business/technical objective.
      • A part can be a serverless function or a collection of microservices hosted in containers managed by a container orchestrator.
  6. 📋 Properties of a CNA?

    • Its design and implementation anticipate the kinds of issues that can occur in a Cloud-based environment.
    💡 Example: short network disruptions, so the parts have built-in “retry” mechanisms.
  7. 📋 Properties of a CNA?

    [Diagram: a CNA split into Part 1, Part 2, Part 3 and Part 4]
  8. 📍 Challenges brought by a CNA?

    • The global security posture of the CNA is defined by the sum of the security postures of each part.
    • Each part must have the same security level.
    • Security cannot be handled anymore by a single application layer (e.g. the service layer).
  9. 📍 Challenges brought by a CNA?

    • Logging must be unified across all parts, in terms of both the information recorded and its format.
    • User-triggered events need to be correlated across all parts.
  10. 📍 Challenges brought by a CNA?

    • Each part will be developed and operated by a separate DevOps team.
    • Each DevOps team has its own:
      • Maturity and knowledge in terms of application security.
      • Development velocity and timeline.
      • Development methodology and process.
      • Technology stack.
  11. 🧭 Cartography in a CNA?

    • Each part will evolve on a different timeline or at a different velocity.
    • It requires managing different versions of a part to ensure the whole CNA keeps running correctly.
  12. 🏡 CNA & the common layer

    • A common property of all parts of a CNA is the following:
      • Almost all microservices will run in a container managed by a container orchestrator.
      • Almost all serverless functions will run in a context in which processing can be applied to the in/out flow.
  13. 🏡 CNA & the common layer

    • 💡 Idea n°1: Leverage the execution environment, when it is possible.
    • 💡 Idea n°2: Add security aspects at the execution environment level instead of asking a DevOps team to add them at the level of the part itself.
    • 💡 Idea n°3: Leverage a maximum of the built-in security features provided by the web framework used.
  14. 🏡 CNA & the common layer

    • The DevOps team can continue to focus on the business purpose of its part of the CNA.
    • The DevOps team is not (or as minimally as possible) disturbed by additional security-related work and tasks.
  15. 🏡 CNA & the common layer

    Legend:
    🏭 Container orchestrator level.
    📦 Service mesh level.
    💻 Application level (code or CI/CD pipeline).
    📍 Source for the areas: OWASP Top 10 Proactive Controls.
    💭 The case of containerized microservices managed by an orchestrator was taken here because it is available in both “on-prem” and “cloud-service” modes.
    🏭📦 For the serverless case: the security-related processing can be added via the “extensions” and “configuration” features.
  16. 👩‍💻 POC to validate my proposal

    • 🎯 Achieve the following security aspects using only the Kubernetes or Istio security features:
      • Authentication via a JWT (JSON Web Token).
      • Authorization via the claims of the JWT.
    • 🚨 Nothing implemented at application level!
  17. 👩‍💻 POC to validate my proposal

    Authentication rules
    • For both apps, the JWT token provided must:
      ✓ Be issued by the “excellium-ias” issuer.
      ✓ Be signed with the RSA private key associated with this public key.
  18. 👩‍💻 POC to validate my proposal

    Authorization rules
    • For App1:
      ✓ A valid JWT token must be provided.
      ✓ The audience claim of the token must be intended for app1.
    • For App2:
      ✓ A valid JWT token must be provided.
      ✓ The audience claim of the token must be intended for app2.
      ✓ The custom claim named ispartner must be set to Yes.
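The authentication and authorization rules of slides 17 and 18 can be written as Istio resources, as an added example that is not part of the deck: one namespace-wide RequestAuthentication carries the authentication rules (issuer and RSA public key, here a labelled placeholder JWKS), and one AuthorizationPolicy per app carries the authorization rules (valid token required, audience, and the ispartner claim for app2). The namespace cna-poc and the workload labels app=app1 / app=app2 are assumptions.

```yaml
# Added example, not the deck's own manifests. Assumed: namespace cna-poc, labels app=app1 / app=app2.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-excellium-ias
  namespace: cna-poc            # no selector: applies to every workload in the namespace
spec:
  jwtRules:
  - issuer: "excellium-ias"     # authentication rule 1: issuer must match
    jwks: |                     # authentication rule 2: signature verified with this RSA key (PLACEHOLDER JWKS)
      {"keys":[{"kty":"RSA","kid":"PLACEHOLDER-KID","use":"sig","alg":"RS256",
                "n":"PLACEHOLDER-MODULUS","e":"AQAB"}]}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: app1-authz
  namespace: cna-poc
spec:
  selector:
    matchLabels:
      app: app1
  action: ALLOW                 # with ALLOW rules present, any request matching no rule is denied
  rules:
  - from:
    - source:
        requestPrincipals: ["excellium-ias/*"]   # a valid JWT from this issuer (any subject) is required
    when:
    - key: request.auth.audiences                 # "aud" claim must name app1
      values: ["app1"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: app2-authz
  namespace: cna-poc
spec:
  selector:
    matchLabels:
      app: app2
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["excellium-ias/*"]
    when:
    - key: request.auth.audiences                 # "aud" claim must name app2
      values: ["app2"]
    - key: request.auth.claims[ispartner]         # custom claim must equal "Yes"
      values: ["Yes"]
```

A RequestAuthentication alone only rejects requests that carry an invalid token; requests with no token at all still pass, so the requestPrincipals condition in each AuthorizationPolicy is what makes a valid JWT mandatory.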
  19. 👩‍💻 POC to validate my proposal

    ❌ At this stage, both instances of the apps are deployed, but without any authentication and authorization rules…
  20. 👩‍💻 POC to validate my proposal

    🤔 At this stage, the authentication and authorization rules have been applied and seem effective… 🔬 I need to validate that they are really effective!
  21. 👩‍💻 POC to validate my proposal

    ✅ Authentication and authorization rules are effective for app1.
  22. 👩‍💻 POC to validate my proposal

    ✅ Authentication and authorization rules are effective for app2 too.
  23. 👀 Conclusion

    • Cloud Native Applications change the core structure of what an “application” is by exploding it into several parts.
    • Each of them has its own lifecycle, technology stack, team, and security maturity.
  24. 👀 Conclusion

    • It is important to leverage the new security features provided by the common layer.
    • Make the security level consistent across all parts, and do it in the most transparent way for Dev and Ops teams.
  25. Questions & answers

    We are open to any suggestions. Don’t hesitate if you have some questions. 🌎 All sources used are mentioned on additional slides.
  26. 📚 Sources & references

    https://www.amazon.fr/Cloud-Native-Containers-Next-generation-Applications/dp/1492053821/ref=sr_1_1
  27. 📚 Sources & references

    https://www.amazon.fr/Understanding-Kubernetes-visual-way-sketchnotes/dp/B0BB619188/
    https://twitter.com/aurelievache
  28. 📚 Sources & references

    https://twitter.com/abhaybhargav
    💡 https://twitter.com/abhaybhargav/status/1662146295962673153
  29. 📚 Sources & references

    https://www.we45.com/ - https://www.appsecengineer.com/
  30. 📖 Extra

    • Why Kubernetes native instead of cloud native?
    • Serverless Containers in Kubernetes environments
  31. Excellium Services S.A., 5 rue Goell, L-5326 Contern

    www.excellium-services.com
    https://ccp.excellium-services.com
    Excellium Services Belgium N.V., Orion Bldg, Belgicastraat 13, B-1930 Zaventem, Belgium