Using the Cloud to Improve
AppSec
Phillip Marlow
SANS CloudSecNext Summit 2021
Approved for Public Release; Distribution Unlimited. Case Number 21-1574
Disclaimers
©2021 The MITRE Corporation. ALL RIGHTS RESERVED. The author's affiliation
with The MITRE Corporation is provided for identification purposes only, and
is not intended to convey or imply MITRE's concurrence with, or support for,
the positions, opinions, or viewpoints expressed by the author.
Too Long; Didn’t Listen
• Designing applications and services for the cloud helps achieve security improvements – even if the application is never deployed to the cloud
• This makes applications more resilient against technical and environmental failures as well as attacks
• It also improves the business’ ability to deliver on their mission
> iam list-roles
• Developer
• Systems Engineer
• DevOps Engineer
• Cloud Engineer
• Security Engineer
• Advisor
• Manager
• Architect
• Hacker
• Builder of Things
Why AppSec?
• Everything is an application
• Applications are core to the business, so their security should be too
• Bad application security beats good add-on defenses
Typical Application Promotion Process
(Diagram: Development.env, Test.env and Production.env, each hosting Application v1.0 as it is promoted from one environment to the next.)
Application Development Process
(Diagram: Development and Test each host Application v1.0-katherine, Application v1.0-jenny and Application v1.1; Production hosts Application v1.1.)
Mature Application Deployment Process
(Diagram: Development and Test each host Application v1.0-katherine, Application v1.0-jenny and Application v1.1; Production runs Application v1.1 as instance 1 through instance N; App2 v2.1 is shown alongside with its own Test environment and deployments.)
The Big Problem
• Can multiple versions of an application be hosted in each environment?
• This design creates choke points on work at each environment
Designing for the Cloud is Better
• The Twelve-Factor App, developed by Adam Wiggins & Heroku
• https://12factor.net/
Apps that:
• Use declarative formats for setup automation, to minimize time and cost for new developers joining the project;
• Have a clean contract with the underlying operating system, offering maximum portability between execution environments;
• Are suitable for deployment on modern cloud platforms, obviating the need for servers and systems administration;
• Minimize divergence between development and production, enabling continuous deployment for maximum agility;
• And can scale up without significant changes to tooling, architecture, or development practices.
Twelve-Factor Alternatives
• Microservices Reference Architecture from NGINX
• https://www.nginx.com/blog/introducing-the-nginx-microservices-reference-architecture/
• Beyond the Twelve-Factor App by Kevin Hoffman
• https://www.oreilly.com/library/view/beyond-the-twelve-factor/9781492042631/
I. Codebase
• Partially solves the big problem of multiple deploys in an environment
One codebase tracked in revision control, many deploys
II. Dependencies
• Known dependencies are a start to supply chain risk management
• No reliance on dependencies installed in the deployment environment makes it possible to scale the number of deployments and environments as needed
Explicitly declare and isolate dependencies
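As an added example (not from the slides), here is how "known dependencies" can be enforced at build time: a pinned manifest in pip's --hash syntax is parsed, every downloaded artifact is checked against its declared digest, and anything unpinned or mismatched is reported rather than installed. The package names, manifest and artifact bytes are constructed for illustration.

```python
import hashlib
import re

# One exact pin per line in pip's --hash syntax: name==version --hash=sha256:<hex>
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)

def parse_manifest(text):
    """Return {name: (version, {sha256 hex, ...})}; lines that are not exact pins map to None."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            hashes = set(re.findall(r"sha256:([0-9a-f]{64})", m.group("hashes")))
            pins[m.group("name")] = (m.group("version"), hashes)
        else:  # e.g. 'flask>=2.0': a range, not a declaration of a known dependency
            pins[re.split(r"[<>=!~ ]", line, maxsplit=1)[0]] = None
    return pins

def verify_artifacts(manifest_text, artifacts):
    """artifacts: {name: bytes}. Fails closed: anything not pinned to a hash is reported."""
    result = {}
    for name, pin in parse_manifest(manifest_text).items():
        if pin is None:
            result[name] = "unpinned"
        elif not pin[1]:
            result[name] = "no-hash"
        elif name not in artifacts:
            result[name] = "missing"
        elif hashlib.sha256(artifacts[name]).hexdigest() in pin[1]:
            result[name] = "ok"
        else:
            result[name] = "hash-mismatch"
    return result

# Constructed sample data: fake sdist contents and a manifest pinned to the good copies.
GOOD = {"requests": b"constructed requests 2.31.0 sdist", "urllib3": b"constructed urllib3 2.0.7 sdist"}
MANIFEST = (
    f"requests==2.31.0 --hash=sha256:{hashlib.sha256(GOOD['requests']).hexdigest()}\n"
    f"urllib3==2.0.7 --hash=sha256:{hashlib.sha256(GOOD['urllib3']).hexdigest()}\n"
    "flask>=2.0  # not an exact pin\n"
)
# The same build, but urllib3 was replaced by a different artifact.
TAMPERED = dict(GOOD, urllib3=b"constructed urllib3 2.0.7 sdist (modified)")
```

Running `verify_artifacts(MANIFEST, TAMPERED)` reports urllib3 as a hash mismatch and flask as unpinned, which is the check a build pipeline should fail on.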
X. Dev/Prod Parity
• Independent test results are applicable to the final deployment
Keep development, staging, and production as similar as possible
XI. Logs
• Integrate with cloud logging (e.g., CloudWatch) and SIEMs
Treat logs as event streams
XII. Admin Processes
• Reduced attack surface
• Easier to monitor these risky events
Run admin/management tasks as one-off processes
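An added example (not part of the deck) covering both factors XI and XII: the application writes each event as one JSON line to stdout, and a small consumer of that stream, of the kind a SIEM rule would implement, flags one-off admin tasks run by an unexpected actor or ending in failure. The event names, actor names and sample lines are constructed.

```python
import json
import sys
from collections import Counter
from datetime import datetime, timezone

ADMIN_EVENTS = {"admin.migrate", "admin.console", "admin.script"}  # constructed event names

def emit(event, stream=sys.stdout, **fields):
    """Write one JSON event per line to the stream (stdout by default) and return the
    line; routing, aggregation and retention are left to the platform (e.g. a SIEM)."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields}
    line = json.dumps(record, sort_keys=True) + "\n"
    stream.write(line)
    return line

def flag_admin_activity(lines, allowed_actors):
    """Consume a JSON-lines stream; return ([(reason, record), ...], Counter of admin
    events per actor). Malformed lines are reported, not silently dropped."""
    findings, per_actor = [], Counter()
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append(("malformed", {"line": n, "raw": line.rstrip()}))
            continue
        if not isinstance(rec, dict) or rec.get("event") not in ADMIN_EVENTS:
            continue  # ordinary traffic; only one-off admin tasks are reviewed here
        actor = rec.get("actor", "<none>")
        per_actor[actor] += 1
        if actor not in allowed_actors:
            findings.append(("unexpected-actor", rec))
        elif rec.get("exit_code", 0) != 0:
            findings.append(("failed-admin-task", rec))
    return findings, per_actor

# Constructed sample stream: ordinary requests plus a few one-off admin tasks.
SAMPLE = [
    '{"ts": "2021-06-01T10:00:00+00:00", "event": "http.request", "path": "/login", "status": 200}',
    '{"ts": "2021-06-01T10:05:00+00:00", "event": "admin.migrate", "actor": "deploy-bot", "exit_code": 0}',
    '{"ts": "2021-06-01T10:07:00+00:00", "event": "admin.console", "actor": "jenny", "exit_code": 0}',
    '{"ts": "2021-06-01T10:09:00+00:00", "event": "admin.script", "actor": "deploy-bot", "exit_code": 1}',
    "not json at all",
]

if __name__ == "__main__":
    emit("admin.migrate", actor="deploy-bot", exit_code=0)
    print(flag_admin_activity(SAMPLE, {"deploy-bot"})[0])
```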
Wins
• Tests can be run simultaneously AND independently
• It’s easy to add another instance of an app or a whole environment
• Applications are designed for easy integration with other tools, including cloud security platforms
• Common operational patterns can be used to make the application more resilient against a variety of failures and attacks
Thank You!
Phillip Marlow
@wolramp
