1 of 19

The Essentials of Cloud Native Software Security

Part #1: Shift Left

Daniel Drack | Senior DevOps Engineer | CNCF Chapter Host Graz

Towards Security…

Security for information technology (IT) refers to the methods, tools and personnel used to defend an organization's digital assets. The goal of IT security is to protect these assets, devices and services from being disrupted, stolen or exploited by unauthorized users, otherwise known as threat actors. These threats can be external or internal and malicious or accidental in both origin and nature.

  • https://www.techtarget.com/searchsecurity/definition/security

Top 5 Current Security Threats

Risk introduced early in application development

Workload images with vulnerabilities or malware

Vulnerable web applications and APIs

Unrestricted network access between workloads

Downtime due to misconfiguration

https://campustechnology.com/whitepapers/2023/03/palo-alto-state-of-cloud-native-security/asset.aspx

… and where they occur

[Diagram: the layers App, Publishing and Infrastructure / Platform, with the five threats mapped onto them]

  • Risk introduced early in application development
  • Workload images with vulnerabilities or malware
  • Vulnerable web applications and APIs
  • Unrestricted network access between workloads
  • Downtime due to misconfiguration

Security Implementation Paradigms

[Diagram: stacked security layers, Layer 1 up to Layer N]

  • Multilayer Security
  • Zero Trust
  • Shift Left
  • Automate & Enforce

The Four Pillars of a Security Layer

[Diagram: the four pillars Policies, Tests, Scans and Processes, together with Code (IaC)]

SSDLC Workshop - Layers & Best-Practices

Basic Cloud App Architecture

→ the vertical dimension

[Diagram: Compute 1 … Compute N (each running OS + App), Network, Storage, Platform, Publishing, Management, Identity, App]

Application Lifecycle in a Nutshell

→ the horizontal dimension

[Diagram: lifecycle stages Architecture → Code → Integration → Deployment → Ops, spanned by Governance & Processes (Sales, Project Mgmt, Requirements, …)]

…possible threats everywhere! D:

[Diagram: the same architecture as before (Compute 1 … Compute N with OS + App, Network, Storage, Platform, Publishing, Management, Identity), with possible threats marked on every component]

Security Layers to Consider

  • Architecture
  • Governance & Processes
  • Code
  • Integration
  • Deployment
  • Ops
  • Infrastructure & Platform

Layers & Threats - Code

  • SAST - Static Application Security Testing
  • Identity & Access Management
  • (Unit-)Testing
  • Policies & Guidelines
  • Bugs & already known errors
  • Code Repo Access
  • Wrong (architectural) decisions

Layers & Threats - Integration

  • SCA - Software Composition Analysis
  • Image Scanning
  • SBOM & Artifact Signatures
  • Dedicated Build Environments
  • Compromised 3rd party libraries
  • Insecure Base Images
  • Insecure Build Environment
  • Non-compliant 3rd party licenses

Layers & Threats - Deployment

  • Testing & Monitoring
  • Deployment Strategies
  • Release Process & Approval Policies
  • Built-In Governance System
  • Service Outages (change related)

Layers & Threats - Ops

  • Identity & Access Management
  • Process, File and Network Activity based Runtime Security
  • Anomaly Detection & SIEM
  • Full Stack Observability
  • Social Engineering
  • Brute Force Attacks
  • Valid Stolen Credential Attacks
  • Service Outage (load related)

Layers & Threats - Infrastructure & Platform

  • Firewalls, Microsegmentation & Network Policies
  • Automation & Infrastructure as Code
  • Policies & Scans (e.g. CIS Benchmarks)
  • Misconfiguration
  • Connectivity
  • Outdated Tools, Protocols & Services

Demo - Code Security

Preventing bad code from getting into the remote: Snyk, pre-commit, unit-tests

  • Shift Left
  • Multi-Layer Security
    • Code
    • Tests
    • Artefact
    • Deployment
  • 4 Pillars in Action

[Diagram: the pillars Policies, Tests and Scans applied to the Code layer]
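As an added illustration of what the demo describes (not the talk's own demo code), a pre-commit configuration that runs secret detection, Snyk Code SAST and the unit tests locally so that bad code is stopped before it reaches the remote; the file name `.pre-commit-config.yaml`, the pinned `rev` tags and the `python -m pytest` test command are assumptions.

```yaml
# .pre-commit-config.yaml (assumed name): read by the pre-commit framework on
# `git commit` / `git push`; a failing hook aborts the operation locally.
repos:
  # Generic hygiene hooks (pin `rev` to a release tag you have verified)
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.5.0
    hooks:
      - id: detect-private-key       # refuse commits that contain private keys
      - id: check-added-large-files  # catch accidentally staged binaries/artefacts

  # Secret scanning of the staged changes
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.2
    hooks:
      - id: gitleaks

  # Tools already installed on the developer machine (language: system)
  - repo: local
    hooks:
      - id: snyk-code-sast
        name: Snyk Code (SAST)
        entry: snyk code test        # requires a one-time `snyk auth` per machine
        language: system
        pass_filenames: false        # scan the whole project, not single files
        stages: [pre-commit]
      - id: unit-tests
        name: Unit tests
        entry: python -m pytest -q   # assumed test runner; swap for your stack
        language: system
        pass_filenames: false
        stages: [pre-push]           # slower, so run on push rather than every commit
```

Enable both hook types with `pre-commit install --hook-type pre-commit --hook-type pre-push`; from then on a secret, a SAST finding or a failing test blocks the change on the developer's machine, which is the "Shift Left" control the demo is about.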

Wrap Up

  • Security is a multi-layer topic
    • Consider Infrastructure Levels and Application Lifecycle

  • Automate/Enforce what’s possible…
    • Tests, Scans, Policies, Process
    • “security baked in” approach

  • Transparency is key!
    • Dashboards, Reports, Policies, Best-Practices, Processes

  • “implement fast first, perfect second”
    • Better to start small but quick, than to wait for the perfect system forever!

[Diagram: the layers Infrastructure, Platform, App and Publishing]