Protecting Cloud-Native Applications
PRESENTED BY:
[Diagram: Datacenter hosting a Web App, a Database and a second Web App]
There was an executive decision
to move some apps to the cloud.
We need to change how we
develop new applications!
But if we are starting an
application from scratch and
using the public cloud, it makes
sense to do it in the new way.
I’m responsible for the application’s security.
But what are cloud-native applications?
You have a car, right?
[Table: owning a car compared with paying per ride]
Acquisition: $$$$
Maintenance: $$ + Overhead
Per-Mile Cost: $ / $$
Fixed Cost No Matter the Usage
Passengers: Unlimited / 4
To own a server is like owning a car.
So people start using services based
in the cloud instead of servers.
This architecture is called Serverless.
[Diagram: traditional tiers of web servers, app servers and DB servers]
[Chart: Cost against Usage for Traditional versus Serverless, with the gap between the two curves labelled Cost Savings]
[Chart: Administrative Overhead against Users, Serverless versus Traditional]
Now I get it! The application is cloud native, using
services, and not based in legacy architecture!
Correct!
[Diagram: the application built from an API Gateway and Other Services]
Your work will be easy, right? If we
are using cloud services, they will
be responsible for the security.
No, we are still responsible for
the cloud security. Remember
the Shared Responsibility Model?
OWASP Top 10 Application Security Risks - 2017
A1: Injection
A2: Broken Authentication
A3: Sensitive Data Exposure
A4: XML External Entities (XXE)
A5: Broken Access Control
A6: Security Misconfiguration
A7: Cross-Site Scripting (XSS)
A8: Insecure Deserialization
A9: Using Components with Known Vulnerabilities
A10: Insufficient Logging & Monitoring
Let me show you an example.
[Diagram: API Gateway. Known attacks: XSS, CSRF, Injection, etc.]
[Diagram: API Gateway and Other Services]
[Diagram: IP Intelligence Services, updated every 5 min, backed by a geolocation database, classify the source of each request before it reaches the API Gateway. Categories: botnet, anonymous requests, anonymous proxies, scanner, restricted region or country, attacker.]
[Diagram: API Gateway. Known attacks (XSS, CSRF, Injection, etc.) are matched against signatures, which are updated.]
[Diagram: API Gateway. Legitimate traffic is defined by checking parameters, URIs, methods, size, pattern, etc.; anything outside that definition is unknown behaviour.]
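The three checks the slides place in front of the API Gateway (IP intelligence, attack signatures, and a positive model that defines legitimate traffic and rejects unknown behaviour) as one added example in Python. This is illustrative code written for this page, not F5 product logic or configuration. The reputation feed, geolocation table, signatures, endpoint policy and request records are all constructed; the region code "ZZ" and the endpoints /api/orders and /api/profile are hypothetical.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qsl, urlsplit

# Stage 1: IP intelligence. Constructed reputation and geolocation data; a real
# deployment refreshes these from a feed on a schedule (the slides say every 5 min).
IP_REPUTATION: Dict[str, str] = {
    "203.0.113.7": "botnet",
    "198.51.100.9": "anonymous_proxy",
    "192.0.2.55": "scanner",
}
GEO_DB: Dict[str, str] = {"192.0.2.200": "ZZ", "198.51.100.20": "US"}
RESTRICTED_REGIONS: Set[str] = {"ZZ"}  # "ZZ" is a placeholder code, not a real country


def ip_verdict(ip: str) -> Optional[str]:
    """Reject known-bad sources before the request is parsed at all."""
    category = IP_REPUTATION.get(ip)
    if category:
        return "ip-intel:" + category
    if GEO_DB.get(ip) in RESTRICTED_REGIONS:
        return "geo:restricted"
    return None


# Stage 2: negative security model. Signatures for known attack patterns; in a
# real WAF these are vendor-maintained, updated regularly and tuned for false positives.
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("xss", re.compile(r"<\s*script|javascript:|\bon(?:load|error|click|focus)\s*=", re.I)),
    ("sqli", re.compile(r"\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\b", re.I)),
    ("traversal", re.compile(r"\.\./|%2e%2e%2f", re.I)),
]


def signature_verdict(values: List[str]) -> Optional[str]:
    for value in values:
        for name, pattern in SIGNATURES:
            if pattern.search(value):
                return "signature:" + name
    return None


# Stage 3: positive security model. The policy describes what legitimate traffic
# looks like (URIs, methods, parameters, value patterns, size); anything outside
# it is unknown behaviour and is rejected even when no signature fired.
@dataclass
class Endpoint:
    methods: Set[str]
    params: Dict[str, re.Pattern]           # parameter name -> allowed value pattern
    required: Set[str] = field(default_factory=set)
    max_body: int = 4096                    # bytes


POLICY: Dict[str, Endpoint] = {             # hypothetical endpoints
    "/api/orders": Endpoint(
        methods={"GET", "POST"},
        params={"id": re.compile(r"\d{1,10}"), "status": re.compile(r"open|closed")},
    ),
    "/api/profile": Endpoint(
        methods={"GET"},
        params={"user": re.compile(r"[a-z0-9_]{3,32}")},
        required={"user"},
    ),
}


def positive_verdict(method: str, path: str, params: List[Tuple[str, str]], body_len: int) -> Optional[str]:
    endpoint = POLICY.get(path)
    if endpoint is None:
        return "unknown:uri"
    if method not in endpoint.methods:
        return "unknown:method"
    if body_len > endpoint.max_body:
        return "unknown:size"
    for name, value in params:
        pattern = endpoint.params.get(name)
        if pattern is None:
            return "unknown:param:" + name
        if not pattern.fullmatch(value):
            return "unknown:pattern:" + name
    missing = endpoint.required - {name for name, _ in params}
    if missing:
        return "unknown:missing:" + ",".join(sorted(missing))
    return None


def inspect_request(request: dict) -> Tuple[bool, Optional[str]]:
    """Run the stages cheapest-first; the first stage that objects wins.

    `request` is a constructed record: {"ip", "method", "url", "body" (optional)}.
    Returns (allowed, reason); reason is None when the request is forwarded.
    """
    url = urlsplit(request["url"])
    params = parse_qsl(url.query, keep_blank_values=True)
    body = request.get("body", "")
    reason = ip_verdict(request["ip"])
    if reason is None:
        reason = signature_verdict([request["url"], body] + [value for _, value in params])
    if reason is None:
        reason = positive_verdict(request["method"], url.path, params, len(body.encode()))
    return (reason is None), reason


if __name__ == "__main__":
    for req in [
        {"ip": "198.51.100.20", "method": "GET", "url": "/api/orders?id=42&status=open"},
        {"ip": "203.0.113.7", "method": "GET", "url": "/api/orders?id=42"},
        {"ip": "198.51.100.20", "method": "GET", "url": "/api/orders?id=<script>alert(1)</script>"},
        {"ip": "198.51.100.20", "method": "GET", "url": "/api/orders?debug=1"},
    ]:
        print(req["method"], req["url"], "->", inspect_request(req))
```

The order of the stages matters for cost: an IP lookup is a hash lookup, signature matching reads the whole request, and the positive model needs the request parsed. The last stage is what catches attacks no signature knows about (the "unknown behaviour" case on the slide): an undocumented parameter, a method the endpoint never accepts, or an oversized body is rejected on its own, without any knowledge of the attacker's payload.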
[Diagram: API Gateway. A response carries a credit card number, 4321-1234-4321-1234.]
[Diagram: API Gateway masks the credit card number before the response leaves: 4321-1234-4321-1234 becomes XXXXXXXXXXXXXXXXXXXX.]
[Diagram: API Gateway]
It was a challenge, but we finally have
our cloud-native application deployed! And also protected!
BIG-IP VE Advanced Web Application Firewall
PROBLEM
When moving applications to the public cloud,
security is still the #1 concern. Who is
responsible when data is leaked or the
application is compromised?
That is why cloud providers use a Shared
Responsibility Model: the customer is
responsible for security IN the cloud, while
the provider is responsible for the security
OF the cloud.
In other words, companies are still
responsible for the security of their own
applications, including cloud-native ones that
leverage a serverless architecture. Those
applications are still vulnerable to XSS,
data exfiltration, DDoS attacks, etc.
ALTERNATIVES
Code reviews and a rigid security posture
when developing cloud applications.
SOLUTION
Cloud-native applications rely on API calls to an API Gateway provided by the cloud provider. F5
Application Security Manager protects all calls made to the API Gateway, validating every request
before it is passed on to be processed by the application itself. For that protection to hold, the
gateway must accept traffic only from the proxy, so that no request can bypass the validation.
F5 has been protecting applications and APIs for a long time and is recognized as a leader in this
market. As a full proxy that can cache responses to requests which would otherwise consume cloud
resources, it can also improve performance and reduce usage bills.
[Diagram: API Protection. Users and an Attacker send requests; the protection layer sits between them and the API Gateway and the Application.]