Securing Applications in the Cloud

@RADUVUNVULEA
Secure Application Development

3
Agenda
1. WHY CLOUD SECURITY
2. SECRETS MANAGEMENT
3. ACCESS CONTROL
4. OPEN-SOURCE LIBRARIES
5. CODE VULNERABILITIES
6. OVER THE WEB

SECURE APPLICATION DEVELOPMENT // INFOSHARE.PL // © COPYRIGHT 2020 ENDAVA // CONFIDENTIAL AND PROPRIETARY // VERSION 1.0 4
Integrated with Home
Automation
10+ Coffee Machines
ESP8266 & Home
Assistant
110+ smart devices
integrated
Microsoft Regional
Director
Microsoft Azure MVP
Coffee Lover
Home Automation DIY
1st Azure Project
2010
Radu Vunvulea
(Endava)
Cloud Lover

INCREASES IN CLOUD WORKLOADS PER REGION
INCREASES IN CLOUD WORKLOADS BY INDUSTRY
H T T P S : / / W W W . P A L O A L T O N E T W O R K S . C O M / R E S O U R C E S / I N F O G R A P H I C S / U N I T 4 2 - C O V I D - 1 9 - A M P L I F I E S - C L O U D - S E C U R I T Y - C H A L L E N G E S

H T T P S : / / W W W 2 . D E L O I T T E . C O M / C H / E N / P A G E S / R I S K / A R T I C L E S / I M P A C T - C O V I D - C Y B E R S E C U R I T Y . H T M L
47% of individuals fall for phishing
scams while working at home
Phishing attacks increased by 350%

79% of organizations experienced a security
incident in their cloud in the last 1.5 years. Of these,
23% were caused by security misconfigurations in
cloud infrastructure. Other significant contributors
to cloud breaches included improper data sharing
(15%), compromised accounts (15%), and
vulnerability exploitation (14%).
H T T P S : / / W W W . C H E C K P O I N T . C O M / C Y B E R - H U B / C L O U D - S E C U R I T Y / W H A T - I S - C L O U D - S E C U R I T Y / T H E - B I G G E S T - C L O U D - S E C U R I T Y - C H A L L E N G E S - I N - 2 0 2 2 /

When 92% of organizations are currently hosting at
least some of their IT environment in the cloud, that
means most of all businesses today have
experienced a breach.
H T T P S : / / W W W . C H E C K P O I N T . C O M / C Y B E R - H U B / C L O U D - S E C U R I T Y / W H A T - I S - C L O U D - S E C U R I T Y / T H E - B I G G E S T - C L O U D - S E C U R I T Y - C H A L L E N G E S - I N - 2 0 2 2 /

Git-Secrets
Easy integration with CI/CD pipeline
Capable to force secrets to not show in the commit (Secret Providers)
Strong support for Microsoft Azure, AWS and Google Cloud
git secrets install | Install the tool
git secrets -register-azure | Register the Azure plugin
Analyze
Secure
Verify
Defend

Secret Scanning Tools for Dev(Sec)Ops
Protectingyoursecrets,dataandyourclouds
gitLeaks Open source | free of use | Cloning, Audit and Integration
capability
No UI | Limited integration options | Goof for niche
development projects
SpectralOps Intuitive UI | Easy to manage | Strong ML mechanism that
reduce the false positive rates
Complex | Not easy to use for small projects | Build to be used
to large codebase with a high no. of people
Git-Secrets Easy integration with CI/CD pipeline | Capable to force
secrets to not show in the commit (Secret Providers)
Simple algorithms | Based on regular expressions like formula |
Not maintained anymore | Not suitable for corporate
environment
Whispers Works out of the box | Wide range of secrets formats |
Easy to extend to support new formats
Focus on text file | Is not able to do deep scans without
integration with other solutions | Rules based on regs,Ascii and
Base64
GitHub Secret
scanning
Easy to integrate in GitHub | UI and nice visualization for
scanning, integration and configuration | Strong support
for a high number of popular services
Main target is string structures (keys, tokens) | Does not covers
password, emails, URLs
Gittyleaks Simple to use and configure | Easy to integrate in small
projects and add the secrets scanning concept
Fixed rules | Limited on the formats that can be detected | Not
suitable for non-education purposes
Scan Open source | Well integration with Azure, GitHub, GitLab,
Team City and so on | The most powerful free tool 4 DSO
Setup is complex | Limited user interface | Hard to process the
results
Git-all-secrets Integration Hub | Does not rely only on a single algorithm Default configuration is basic | Looks like a MVP and less as a
ready for production solution
Detect-secrets High no. of plugins (including Azure, AWS) Pre-commit hook is basic and does not covers all base secrets
| Output split across multiple lines
H T T P S : / / S P E C T R A L O P S . I O / B L O G / T O P - 9 - G I T - S E C R E T - S C A N N I N G - T O O L S /

App, Infra, Env
Configuration
Secrets
Azure App
Configuration
Azure Key Vault
Azure AD
& RBAC
Configuration and Secrets Management
End-to-endprotection

Project
Dev
Dev
Ops
Infrastructure
Architect
Project Manager
UI/UX

Azure
RBAC
Azure
role-based
access
control
User Group Service
Principal
Managed
Identity
Security Principal
Role
Operation type (R/W/C/D)
Scope
Management Group
Subscription
Resource Group
Resource
Role assignment
Assign a security principal
Assign a scope
Assign a role
Development Group
Contributor
Dev and Playground Resource Group

Black Duck
Free of open-source vulnerabilities
Comply with open-source license
Scan compiled application libraries
Azure App Services seeker
Analyze
Secure
Verify
Defend

Black Duck
Free of open-source vulnerabilities
Comply with open-source license
Scan compiled application libraries
Azure App Services seeker
Analyze
Secure
Verify
Defend
Synopsys Detect for
Azure DevOps
Code Sight for Visual
Studio
Azure Container Registry
Scanner

SonarQube
OWASP scanning
Security Compliance
Security Hotspots & Quality Gate
Critical security rules for vital languages
Security vulnerabilities & Taint analysis
Analyze
Secure
Verify
Defend

HostedScan Security
24/7 vulnerability scanning
Continuous monitoring of cloud infrastructure
Alerts and monitoring dashboard
Industry scanning and open source scans (e.g. OWASP, NMAP Port)
Analyze
Secure
Verify
Defend

37
Key Takeaways
With Cloud
Computing, a
security breach
is no longer a
question of If but
rather When and
How
AZURE ROLE-BASED ACCESS CONTROL
Helps you manage who has access to Azure
resources, what they can do with those resources,
and what areas they have access to
AZURE POLICIES
Helps to enforce organizational standards and to
assess compliance at scale. Evaluates resources in
Azure by comparing the properties of those
resources to business rules
SECRETS MANAGEMENT
Store, scan and secure your configuration and
secrets at all levels using Microsoft and 3rd parties
solutions.
BEST PRACTICES
Follow Microsoft Azure Well-Architecture
Framework and Cloud Adoption Framework. Use
tools like Microsoft Defender for Cloud to ensure
compliance and best practices are followed.

AZURE WELL-ARCHITECTED FRAMEWORK
The Azure Well-Architected Framework is a set of
guiding tenets that can be used to improve the
quality of a workload, including security (protecting
applications and data from threats.)
https://docs.microsoft.com/en-
us/azure/architecture/framework/
AZURE SECURITY DOCUMENTATION
Security best practices and recommendations
covering the full life cycle of an application (e.g.,
Development, Data, Thread Protection, Logging,
Monitoring)
https://docs.microsoft.com/en-us/azure/security/
DEVSECOPS IN AZURE
DevSecOps approaches using Microsoft Azure and
Azure DevOps Tools covering Azure, IaaS, rolling
main branch. Full list of tools is available for each
mechanism.
us/azure/architecture/solution-
ideas/articles/devsecops-in-azure
MICROSOFT CERTIFIED: AZURE SECURITY
ENGINEER ASSOCIATE
Core concepts required to build a secure cloud
application (e.g., IAM, platform, data and application
protection, manage security operations)
us/learn/certifications/azure-security-engineer/
MASTERING AZURE SECURITY
Learn about how to build secure application
gateways on Azure, how to protect your cloud from
DDoS attacks, securing PaaS deployments and
more.
https://www.amazon.com/Mastering-Azure-Security-
Safeguard-innovative/dp/1839218991
Best Practices
MICROSOFT CERTIFIED: AZURE
SOLUTIONS ARCHITECT EXPERT
Provides a solid overview on cloud services,
architecture approaches and security concerns
enabling teams to build reliable Azure solutions.
us/learn/certifications/azure-solutions-architect/
Upskilling & Educations

Securing Applications in the Cloud

Securing Applications in the Cloud

Recommandé

Recommandé

Contenu connexe

Similaire à Securing Applications in the Cloud

Similaire à Securing Applications in the Cloud (20)

Dernier

Dernier (20)

Securing Applications in the Cloud

Notes de l'éditeur