Operations seeking to make their apps and APIs both performant and available to their users must bake effective application security tooling into their processes and infrastructure configurations. How can development and operations teams release at increasing velocity with app protection built into their CI/CD pipeline?
A true next-generation, holistic web application and API protection platform does just that: operations teams can integrate security into their workflows and ensure that new infrastructure and application code released to production is both effective and secure in any environment, from cloud deployments using containers to datacenters to a hybrid of the two.
Join application security expert Aneel Dadani from Signal Sciences to learn how your team can automate and deploy at scale safely while gaining layer 7 visibility in production environments.
Attendees will learn:
● What constitutes effective application security within the context of cloud adoption and an ever-expanding threat landscape
● How development teams can gain visibility into how their apps and APIs are being used in production, and what vulnerabilities they may have overlooked
● How DevOps teams can scale their application footprint to meet demand while securing their codebase in production
● How to inspect request traffic at the API gateway or the ingress
4. Signal Sciences Architecture
Real-time web app protection that scales without impacting performance
● Load Balancer
● Web Servers
● Application
● Containers
● PaaS
● Service Mesh
● API Gateway
● Hosted Cloud WAF
● Reverse Proxy
6. Web Usage Trend
Business conducted on the web:
● Online Shopping
● Online Gaming
● On-Demand Services
● Financial Services
● Media Streaming
● Video Conferencing
11. Examples of Application Layer Attacks
● Remote Code Execution (RCE)
○ CVE-2017-5638 - Apache Struts Vulnerability
● Server Side Request Forgery (SSRF)
○ SSRF used to retrieve AWS credentials
12. Defense In Depth
6 - Public Cloud
5 - Cluster
4 - Node
3 - Network
2 - Pod
1 - Container
0 - Kernel
Defense in Depth
13. Layer 0 - Kernel
● Ensure kernel versions are patched and contain no existing vulnerabilities
● Review allowed system calls and remove unnecessary / unwanted calls
● Consider utilizing further container sandboxing such as gVisor or Kata Containers to restrict system calls
14. Layer 1 - Container (Build)
● Remove unnecessary components, packages, and network utilities
● Minimal base images
● Scan images for vulnerabilities and misconfigurations
● Pull images from known-good sources
● Check for integrity of images throughout the CI/CD pipeline and build process
15. Layer 1 - Container (Runtime)
● Ephemeral containers for live debugging
● Watch for anomalies and suspicious events
○ Unexpected child processes
○ Shell run inside a container
○ Sensitive file is unexpectedly read
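As an added example (not code from the deck or from Signal Sciences), the three anomalies above written as detection rules over a stream of constructed container runtime events; the event fields, the per-image process baseline and the sensitive-file list are assumptions, not any real tool's format.

```python
# Added example, not from the Signal Sciences deck: flag the three runtime
# anomalies the slide lists from a stream of constructed exec/open events.
# Event shape, per-image baseline and sensitive-file list are all assumptions.
from dataclasses import dataclass

SHELLS = {"sh", "bash", "dash", "ash", "zsh"}
SENSITIVE_FILES = {"/etc/shadow", "/var/run/secrets/kubernetes.io/serviceaccount/token"}
# Expected processes per image, and which of them may read sensitive files.
BASELINE = {
    "web:1.0": {"procs": {"nginx", "nginx-worker"}, "readers": set()},
    "api:2.3": {"procs": {"gunicorn", "python3"}, "readers": {"python3"}},
}
@dataclass
class Event:
    kind: str         # "exec" (process start) or "open" (file read)
    container: str    # container id
    image: str        # image the container was started from
    comm: str         # process name
    parent: str = ""  # parent process name, exec events only
    path: str = ""    # file path, open events only

def detect(events):
    findings = []  # one dict per anomalous event, in event order
    for e in events:
        base = BASELINE.get(e.image, {"procs": set(), "readers": set()})
        rule = None
        if e.kind == "exec" and e.comm in SHELLS:
            rule = "shell_in_container"          # any shell is worth a look
        elif e.kind == "exec" and e.comm not in base["procs"]:
            rule = "unexpected_child_process"    # not in this image's baseline
        elif e.kind == "open" and e.path in SENSITIVE_FILES and e.comm not in base["readers"]:
            rule = "sensitive_file_read"         # reader not allowed for this image
        if rule:
            findings.append({"container": e.container, "rule": rule,
                             "process": e.comm, "parent": e.parent, "path": e.path})
    return findings

# Constructed sample: one normal exec in the web container, then three anomalies; the api read is expected.
SAMPLE_EVENTS = [
    Event("exec", "web-7d9f", "web:1.0", "nginx-worker", parent="nginx"),
    Event("exec", "web-7d9f", "web:1.0", "sh", parent="nginx-worker"),
    Event("exec", "web-7d9f", "web:1.0", "curl", parent="sh"),
    Event("open", "web-7d9f", "web:1.0", "sh", path="/etc/shadow"),
    Event("open", "api-42ab", "api:2.3", "python3",
          path="/var/run/secrets/kubernetes.io/serviceaccount/token"),
]

def run_sample():
    return detect(SAMPLE_EVENTS)
```

The baseline is what makes the second and third rules useful: the same token read is noise for the api image and a finding for any other.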
16. Layer 2 - Pod
● Pod Security Context
○ Privileged containers
○ Group and User IDs for processes and volumes
○ Granular Linux capabilities (drop or add)
○ Sandboxing and Mandatory Access Controls (seccomp, AppArmor, SELinux)
○ Filesystem permissions
○ Whether a process may gain more privileges than its parent (privilege escalation)
● Pod Security Policy
○ Principle of Least Privilege
17. Layer 3 - Network
● By default, all pods can talk to other pods
● Network Policies to segment communication
● The Kubernetes API is accessible from the inside
● Egress traffic to malicious IPs
● Service mesh to control traffic between workloads and ingress / egress
18. Layer 4 - Node
● Check open ports and services
● Limit external administrative access to nodes and control plane
● Minimal base OS and harden according to CIS Benchmarks
● Scan and patch like any other asset
20. Layer 6 - Public Cloud
● Cloud networking
● Build systems
● Access control
● Logging and monitoring
● Encryption
● The list goes on and on...
21. Security in Layers
The Mega Security Checklist
● Can containers run as root?
● Can containers mount sensitive volumes / directories? Read or Read / Write?
● Can Pods run in “Privileged” mode?
● What policies (PSP, custom, OPA) are in place and for whom?
● Is RBAC enforcing the principle of least privilege?
● How are secrets being stored and retrieved? Rotated? Revoked?
● Where do container images come from? Are images being validated?
These are just a few questions to consider when building out a Kubernetes AppSec strategy. Get the full checklist at: signalsciences.com/resources
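As an added example, not from the deck or from Signal Sciences: a small audit of a Pod manifest (in dict form) against the checklist questions above and the Pod Security Context settings from Layer 2, run over a constructed weak Pod and a constructed hardened Pod. The standard Kubernetes field names are used; the trusted-registry allow-list and both Pods are assumptions.

```python
# Added example, not from the Signal Sciences deck: audit a Pod manifest (as a
# dict) against the checklist. Field names are standard Kubernetes; the registry
# allow-list and both sample Pods are constructed for illustration.
TRUSTED_REGISTRIES = ("registry.example.internal/",)  # constructed allow-list

def audit_pod(pod):
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []  # empty list means the Pod passes every question
    for c in spec.get("containers", []):
        n = c["name"]
        sc = {**pod_sc, **c.get("securityContext", {})}  # container level overrides pod level
        if sc.get("privileged"):
            findings.append(f"{n}: runs in privileged mode")
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            findings.append(f"{n}: can run as root (runAsNonRoot unset, runAsUser 0 or unset)")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{n}: allowPrivilegeEscalation not set to false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{n}: Linux capabilities not dropped (no drop: [ALL])")
        if "seccompProfile" not in sc:
            findings.append(f"{n}: no seccomp profile")
        for m in c.get("volumeMounts", []):
            if m["name"] in host_paths:
                mode = "read-only" if m.get("readOnly") else "read-write"
                findings.append(f"{n}: mounts host path {host_paths[m['name']]} {mode}")
        img = c["image"]
        if not img.startswith(TRUSTED_REGISTRIES):
            findings.append(f"{n}: image {img} not from a trusted registry")
        if "@sha256:" not in img:
            findings.append(f"{n}: image {img} not pinned by digest")
    return findings

# Constructed: a Pod that fails every question, then the same workload with the checklist applied.
WEAK_POD = {"spec": {
    "volumes": [{"name": "etc", "hostPath": {"path": "/etc"}}],
    "containers": [{"name": "app", "image": "nginx:latest",
                    "securityContext": {"privileged": True},
                    "volumeMounts": [{"name": "etc", "mountPath": "/host-etc"}]}]}}

HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app",
                    "image": "registry.example.internal/app@sha256:" + "0" * 64,
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"]}}}]}}
```

The same function can be pointed at every Pod returned by the API server to turn the checklist into a recurring report rather than a one-time review.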
22. Kubernetes Security Tooling
Protect Any App: cloud containers, PaaS & serverless
Against Any Attack:
● OWASP Injection Attacks
● Business Logic Attacks
● Brute Force Attacks
● Application Abuse & Misuse
● Request Rate Limiting
● Account Takeover
● Bad Bots
● Virtual Patching
Any DevOps Toolchain: generic webhooks & any custom tools via a full RESTful/JSON API
Layer 7 Visibility, Flexible Deployment, Scalable Protection
Web Servers & Languages
Gateways & Proxies