@DanielDeogun @DanielSawano #DevoxxPL Platinum Sponsor: Creating Secure Software Benefits from Cloud Thinking Daniel Deogun & Daniel Sawano


Security benefits from cloud thinking?

Cloud concepts

• Codebase
 One codebase tracked in revision control, many deploys

• Dependencies 
 Explicitly declare and isolate dependencies

• Config 
 Store configuration in the environment

• Backing services 
 Treat backing services as attached resources

• Build, release, run 
 Strictly separate build and run stages

• Processes 
 Execute the app as one or more stateless processes

• Port binding 
 Export services via port binding

• Concurrency 
 Scale out via the process model

• Disposability 
 Maximize robustness with fast startup and graceful shutdown

• Dev/prod parity 
 Keep development, staging, and production as similar as possible

• Logs 
 Treat logs as event streams

• Admin processes 
 Run admin/management tasks as one-off processes

Source: The Twelve-factor app, https://12factor.net

Cloud-native
"A cloud-native application is an application that has been designed and implemented to run on a Platform-as-a-Service installation and to embrace horizontal elastic scaling."
Kevin Hoffman, Beyond the Twelve-Factor App

What we'll cover today
• Configuration
• Separate processes
• Logging
• The three R's of enterprise security

Configuration
"Store configuration in the environment"

Configuration in code

    import java.time.Duration;

    public class ServiceConfiguration {

        private static final int PORT_NUMBER = 1023;

        private static final Duration CONNECTION_TIMEOUT = Duration.ofSeconds(5);

        // ...
    }

Configuration in code, now with credentials hardcoded alongside the other settings

    import java.time.Duration;

    public class ServiceConfiguration {

        private static final int PORT_NUMBER = 1023;

        private static final Duration CONNECTION_TIMEOUT = Duration.ofSeconds(5);

        private static final String USERNAME = "client-app";

        private static final String PASSWORD = "yC6@SX5O";

        // ...
    }

Configuration in code — challenges

• Anyone with access to the code can read the secrets
• No audit trail

Configuration in resource files

    environments:
      dev:
        service:
          port: 2864
          connection-timeout: 5000
          username: dev-client-app
          password: spring2019
      prod:
        service:
          port: 1023
          connection-timeout: 1000
          username: client-app
          password: yC6@SX5O

Configuration in resource files — challenges

• Anyone with access to the configuration can read the secrets
• No, or very limited, audit trail
• Encrypting values creates new problems

Configuration in the environment

The platform injects the environment into the application at runtime; the values never live in the code or in a resource file:

    environment (injected by platform)
      port=1023
      username=client-app
      password=yC6@SX5O
        |
        v
    Application

Configuration in the environment — solved security challenges

• Audit trail
  Responsibility is put on the platform. Some aspects can be solved with IAM.

• Sharing secrets
  Minimized. Only managed by platform admins.

• Encryption
  Not completely solved. Can be solved with ephemeral secrets.
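As an added example (not code from the talk), this is how the slide's ServiceConfiguration can take the same settings from the environment instead of hardcoding them; the variable names SERVICE_PORT, SERVICE_CONNECTION_TIMEOUT_MS, SERVICE_USERNAME and SERVICE_PASSWORD are assumptions.

```java
import java.time.Duration;
import java.util.Map;

// Hypothetical replacement for the slide's ServiceConfiguration: every value,
// secrets included, comes from the environment the platform injects.
public final class ServiceConfiguration {
    private final int portNumber;
    private final Duration connectionTimeout;
    private final String username;
    private final char[] password; // char[] so callers can wipe it after use

    private ServiceConfiguration(int port, Duration timeout, String user, char[] pw) {
        this.portNumber = port;
        this.connectionTimeout = timeout;
        this.username = user;
        this.password = pw;
    }

    // Takes a Map so production passes System.getenv() and tests pass a constructed map.
    public static ServiceConfiguration fromEnvironment(Map<String, String> env) {
        int port = Integer.parseInt(require(env, "SERVICE_PORT"));
        if (port < 1 || port > 65535) {
            throw new IllegalArgumentException("SERVICE_PORT out of range: " + port);
        }
        Duration timeout = Duration.ofMillis(
                Long.parseLong(require(env, "SERVICE_CONNECTION_TIMEOUT_MS")));
        return new ServiceConfiguration(port, timeout, require(env, "SERVICE_USERNAME"),
                require(env, "SERVICE_PASSWORD").toCharArray());
    }
    // Fail fast at startup: a missing variable is a deployment error, not something
    // to paper over with a hardcoded default that drifts between environments.
    private static String require(Map<String, String> env, String name) {
        String value = env.get(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("Missing required environment variable: " + name);
        }
        return value;
    }
    public int portNumber() { return portNumber; }
    public Duration connectionTimeout() { return connectionTimeout; }
    public String username() { return username; }
    public char[] password() { return password.clone(); }
    // Never leak the secret through logging or debugging output.
    @Override
    public String toString() {
        return "ServiceConfiguration{port=" + portNumber + ", timeout=" + connectionTimeout
                + ", username=" + username + ", password=[REDACTED]}";
    }
}
```

Because the values are read once at startup, a missing or malformed variable stops the deployment immediately instead of surfacing later as a failed connection.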

What we'll cover today
✓ Configuration
• Separate processes
• Logging
• The three R's of enterprise security

Separate processes
Run apps as separate stateless processes

Separate processes

• Run the app as multiple stateless processes
• Separate the deployment and running of the application
• Only communicate via backing services

Run the app as multiple stateless processes
• Security benefit: increased availability and integrity

CIA

• Confidentiality — data must only be disclosed to authorized users

• Integrity — data modification is only allowed in an authorized manner

• Availability — data must be available when needed


Separate the deployment and running of the application
• Security benefit: principle of least privilege

Only communicate via backing services
• Security benefit: improves availability and integrity by allowing apps to be stateless

What we'll cover today
✓ Configuration
✓ Separate processes
• Logging
• The three R's of enterprise security

Logging
Use logging as a service

Logging to disk — challenges

• Confidentiality
  • May contain sensitive information
  • Hard to control access
  • Hard to get a good audit trail
  • Hard to prevent illegal access

• Integrity
  • Maintaining integrity is often overlooked
  • Write access to log files is usually not restricted or audited

• Availability
  • Log files are lost when servers are replaced
  • Disk space runs out

Logging as a service

    Application  --->  Log service

Logging as a service — solved security challenges

• Confidentiality
  Easy to restrict access and prevent illegal access.
  Audit trail.

• Integrity
  Mutating operations are not exposed/implemented.
  Can even digitally sign log events.

• Availability
  Log storage is handled explicitly, so no log files can go missing.
  Storage is a primary concern, so no accidental shortage of disk space.
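As an added example (not code from the talk) of the integrity point above, here is a hypothetical log-service store that exposes append only and tags each event with an HMAC chained to the previous one; the class and method names, and the use of HMAC-SHA256 as the signature, are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.HexFormat;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical log-service side of "logging as a service": the only reachable
// operation is append, and each event carries an HMAC over its sequence number,
// the previous tag and its message, so editing, deleting or reordering events
// breaks the chain. The signing key stays inside the log service.
public final class SignedLogService {
    public record Event(long sequence, String message, String tag) {}

    private final SecretKeySpec key;
    private final ArrayList<Event> events = new ArrayList<>();
    private String previousTag = "";

    public SignedLogService(byte[] signingKey) {
        this.key = new SecretKeySpec(signingKey, "HmacSHA256");
    }

    // Append-only: there is deliberately no update or delete.
    public synchronized Event append(String message) {
        long seq = events.size();
        Event e = new Event(seq, message, tag(seq, message, previousTag));
        events.add(e);
        previousTag = e.tag();
        return e;
    }

    // Recomputes the chain; false if any event was altered, removed or reordered.
    public synchronized boolean verify() {
        String prev = "";
        for (int i = 0; i < events.size(); i++) {
            Event e = events.get(i);
            if (e.sequence() != i || !e.tag().equals(tag(i, e.message(), prev))) {
                return false;
            }
            prev = e.tag();
        }
        return true;
    }

    // The message goes last so a "|" inside it cannot be confused with a separator.
    private String tag(long seq, String message, String prev) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(key);
            mac.update((seq + "|" + prev + "|").getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(mac.doFinal(message.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException ex) {
            throw new IllegalStateException(ex);
        }
    }
}
```

Anyone holding the key can run verify() over the stored events; an application host that only calls append never sees the key and so cannot forge a consistent chain.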

What we'll cover today
✓ Configuration
✓ Separate processes
✓ Logging
• The three R's of enterprise security

The three R's of enterprise security
Justin Smith, 2016

The three R's of enterprise security

• Rotate
 Rotate secrets every few minutes or hours

• Repave 
 Repave servers and applications every few hours

• Repair 
 Repair vulnerable software a few hours after patch is available

Increase change to reduce risk

Rotate secrets every few minutes or hours

Ephemeral secrets are injected into the application's environment by the platform:

    environment (ephemeral, injected by platform)
      password=yC6@SX5O
      certificate=xyz
        |
        v
    Application

Rotate secrets every few minutes or hours

Alternatively, the application asks a secret service for the current secret instead of holding it:

    Application  --- password? --->  Secret Service
    Application  <-- password=yC6@SX5O ---  Secret Service

Rotate secrets every few minutes or hours

• Passwords
• Certificates
• Access tokens
• …
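As an added example (not code from the talk), this hypothetical client models the "password?" exchange with the secret service above: the application holds only a short-lived lease and renews it before expiry. The SecretService interface, the Lease record and the role string are assumptions about what such a service would expose.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;

// Hypothetical client for the slide's "Secret Service": the application never holds a
// long-lived password, it leases a short-lived one and renews before it expires.
public final class RotatingCredential {

    // A secret together with the expiry the secret service attached to it.
    public record Lease(char[] secret, Instant expiresAt) {}

    // What the secret service exposes; in practice an authenticated HTTP or gRPC call.
    public interface SecretService {
        Lease lease(String role);
    }

    private final SecretService service;
    private final String role;
    private final Clock clock;
    private final Duration renewBefore; // renew this long before the lease expires
    private Lease current;

    public RotatingCredential(SecretService service, String role,
                              Clock clock, Duration renewBefore) {
        this.service = service;
        this.role = role;
        this.clock = clock;
        this.renewBefore = renewBefore;
    }

    // Returns a copy of a usable secret, leasing a fresh one when none is held or the
    // current one is about to expire, and wiping the old value from memory.
    public synchronized char[] secret() {
        Instant now = clock.instant();
        if (current == null || !now.plus(renewBefore).isBefore(current.expiresAt())) {
            Lease fresh = service.lease(role);
            if (!fresh.expiresAt().isAfter(now)) {
                throw new IllegalStateException("secret service returned an expired lease");
            }
            if (current != null) {
                Arrays.fill(current.secret(), '\0');
            }
            current = fresh;
        }
        return current.secret().clone();
    }
}
```

Passing a Clock rather than calling Instant.now() directly lets a test advance time and assert that the credential is renewed ahead of expiry.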

Repave servers and applications every few hours

• Recreate servers and apps from a known good state
• Use rolling deployments to eliminate downtime
• Burn old instances to the ground
• If running containers, consider also repaving the host

Repair vulnerable software a few hours after a patch is available

• Applies to both operating systems and applications
• No incremental updates, repave instead

Repair vulnerable software a few hours after a patch is available

    Patch available  --->  New known good state  --->  Repave

Repair vulnerable software a few hours after a patch is available

• Applies to both operating systems and your own applications
• No incremental updates, repave instead
• CI/CD enables you to repair your own applications
• Don't forget 3rd party dependencies

Ever-changing software is the nemesis of persistent threats

Summary
✓ Configuration
✓ Separate processes
✓ Logging
✓ The three R's of enterprise security

bit.ly/secure-by-design (Manning Publications), 40% discount code: ctwdevoxxpl18

Q&A

Thanks!