Application Security: Web Apps, APIs & Microservices | #Replay

SANS Institute · Intermediate ·🔐 Cybersecurity ·4y ago

Key Takeaways

The video discusses application security for web apps, APIs, and microservices, covering topics such as CI/CD pipeline security, authentication, and API gateways. It highlights the importance of securing sensitive information and demonstrates tools like Kong, Keycloak, and JWT.

Full Transcript

approachable accessible open and very aware of what's going on and they're very open feedback with their students so they actually every time they teach a class they also learn and bring that knowledge on to the next class that they teach which i found immensely important and helpful [Music] hello and thanks for joining us today here for this live stream with jason and myself now today's a little bit of a difficult day to uh to do this kind of live stream uh you may have heard uh we are twitter feeds and other news uh today that earlier this week ellen pauler the founder of sans passed away alan personally hired me about 20 years ago to join sans and so before we just jump in into our jason and johannes show here i just would like to acknowledge the huge contribution that alan had to the field and in part things like this live stream webcast and things like this where we are giving back to the community that's very much sort of what he always wanted us to do and and what he really uh very strongly uh supported so um with that let me just give it a couple of seconds here of silence and then uh we'll we'll start our uh our live stream here so again thank you for joining us here my name is johannes over here i am the dean of research for the sans technology institute and uh with today is jason hill introduced himself in a second but uh what i've been doing basically over the last 20 or so years is look at all the different security threats and how things are changing as part of the united storm center and one thing that we sort of saw these last couple years is that with the move of web applications into the cloud where the nature of the applications change that's a little bit what i want to talk about here uh part of what we're talking about is sort of no data and such a bill got from english storms and the current threats uh also part about the class that we are teaching and uh with that uh let me hand it over uh to jason hello everyone uh it's jason lamb here as johannes mentioned uh we uh we're both in the security world heavily uh into the application area um we both teach a class uh in this area it's the sac 522 which is actually undergoing quite a few changes um we're also modernizing it and you know even name changing it you know into securing web applications uh api and microservices um in my day job uh just a little bit of brief briefing about myself i am in the financial world for the last roughly 20 years uh ranging from all the technical roles into the cso role so yeah that's my uh background during the day when i'm not doing my day job i write courses and teach for sans that's what i do and hopefully we'll have a very good conversation about things that we have been observing um you know recently about the industry trends because hey a lot of things are changing and we wanted to you know use this session to talk a little bit about what johannes and i have been seeing recently uh and at the same time you know demonstrate a little bit on uh some of the course material that we've been researching and you know just give a little bit of breathing about you know what we've been seeing and just want to share with the community um with that um johannes hey you know why don't we start with some of the trends that you're seeing first i have heard that you know you've been very active at looking at people's password and maybe not just people's password maybe also you know machine's password as well you want to tell us a little bit about that yeah one thing we're seeing here and maybe you can show the screen i'm shania thanks actually so um one of the issues that we are seeing is in order to authenticate these different apis these different web services to each other of course no one way of doing this is api keys credentials that you're presenting and what we really are seeing is that attackers are more and more hunting down these these api keys so this is a data from our honeypot let me just zoom in here a little bit so you can see this a little bit better but what you're seeing here is sort of one of those requests uh twilio we're all familiar with twilio it's really a great service so i'm not really disclosing any vulnerability in any service like this but um yeah you have to keep those credentials somewhere and if you actually are reading a twilio's documentation how to do this they recommend environment variables environment variables not the worst way of doing this probably not the best one and i'll let jason maybe elaborate a little bit on that later but the nice thing about environment variables is it pretty much works anywhere a lot of the better methods like you know some kind of credential wallets or whatever you have they're fairly specific to whatever cloud environment you're using environment variables work everywhere and that's sort of why they are they're being used and then of course attackers are hunting for the files that define these environment variables and that's exactly what you're seeing here with twilio i think i have a couple more down here um yeah here's some other file names that attackers are hunting for like dot env unix people like myself um like to have sort of these credential files now start with dot because then they're hidden in the operating system uh of course not hidden from someone who knows drl or guesses the url and then just hits it via a browser here via a tool and it retrieves those credentials also note how they're sort of looking for dev broad stage so for for different credentials that you may have set up maybe with different permissions sometimes people may be a little bit more liberal in the permissions they're assigning to development credentials now that i say you should do that but we shouldn't do that but i've seen people do exactly that so these are some of the issues that run into and then of course uh you do have uh breaches based on that let me just just switch over here so give me a second i should have probably staged that uh as you're switching on on that maybe one thing that we can mention here as well right sometimes i get into this discussion with the uh you know security team development team and so on about credentials right um you know i once in a while here people saying that hey credentials are bad right if they ever see credentials in an application is a bad thing why would you have credential well unfortunately that's how it works right like applications require credentials to run think about your web server your application server how is it going to access your data it needs credential to run and that's that present a little bit of a challenge right okay percent percent of challenge in that if you have credentials people may steal it but at the same time you need the credential to securely authenticate between your application server and database and all the other components so that is you know why you need a little bit of balance approach to make sure that you have the credential in a secure location and johannes i think you're ready yeah so i yeah i just pulled it up uh news broke yesterday uh so i had to guess it on the podcast that's why i remember it and aruba you know aruba you may know them they make wireless access points they're not part of hp enterprise and uh well you know like anything is better uh fancier in the cloud so uh you control your wireless access points by connecting uh to a cloud system that aruba is putting up for you and of course that system is collecting all kinds of uh metrics about it's not necessarily spying on you but performance metrics and the like and well uh aruba apparently lost track of one of the keys they're using to access that data uh someone found it and then of course stole the data also states here i think if they had access for something like 18 days or so the other problem is that this often does go undetected for a while because the attacker is using valid credentials here to access the data so it's not that an attacker is necessarily bypassing some kind of authentication controls or anything like this they're authenticating they're authenticating as a valid user um just using credentials they're not supposed to have then jason i think uh one thing we saw there also with these credentials was uh that sort of development stage and so of course the way these applications are often created is uh you know fairly quickly we want to we want to kick these out these applications out there and uh one way how these credentials are often exposed is uh during your devops pipeline and jason do you want to talk a little bit more about that sure thing hey you're honest yeah that that's a good intro to that topic about the ci cd pipeline and so on hey everybody you know every organization that i know of that i talk to um they are really you know into this depth of steps like ops you know psycho uh accelerating um the pace of development is a good thing i i am definitely not against it i'm definitely supportive of it and integrating security into it that's awesome what we're seeing a lot of times these days is that you know we're seeing big big big incidents that happens related to this is that you know attackers also know right as you need to transform yourself right like death ops a big portion of it is about automation and automation is about you know from the moment you write a line of code all the way to pushing it out to the production environment there are a lot of automation that happens and a lot of different software involved in uh giving you that experience of automation acceleration and so on uh the bad guys are really honing into that environment towards the end of last year i mean one of the banner event that happened was about the solar winds essentially the attacker broke into uh solarwinds you know cicd pipeline and they were able to inject additional code that were not you know authorized that were not good well obviously you know needless to say that unauthorized code lead to other organizations down the link being compromised but the highlight of that is that you know if we look at the incident from what we know the bad guys were very very very smart right they're not altering your source code because at some point if you look at the source code you will see hey what is this line of code right they're not ordering it there they got right inside the automation just before the code get compiled in the binary they insert their stuff there right and they are checking hey did anyone know this if nobody noticed then yeah put it in right that's what's happening there um so you know the whole point here is that as we automate as we get into this icd pipeline we need to secure those software components uh the configurations of those and and make sure that they're all secure and locked down as well and together with that right like i think a lot of people know about um the solo win incident there's also you know i think it happened in january this year and it was it unfolded in about april of this year which is a cold cove they have this bash uploader software coco is a vendor in you know they are actually selling software and subscription inside the um ci cd pipeline they deal with like code coverage and so on so their inside of the icd backline they got compromised their network got compromised it has something to do with their docker setup um and as soon as you know the mad guys got in and you can just imagine right like they alter some of their code inside that batch uploader that software in turn get into many different organizations and the whole life cycle starts the point here is that you know if you haven't been planning about your ci cd pipeline now is a good time to take a look at how you're securing that infrastructure how you're securing the workflow what validation steps you have that would keep yourself safe and a big chunk of it is also how do you configure it securely right like the configuration is paramount and i think johannes and i have been looking at this configuration aspect hugely in reason i would say you know 18 months or so like there has been so much configuration johannes you have any uh specific things you want to see i think there are a couple things i just want to add here uh so first of all you know ci cd also what components you're using i think that bash script is like a huge example very we're including code sort of dynamically from all kinds of external sources of course supply chain is always of the key word here that people go by that never-ending dumpster fire of malicious npm modules i think is a big example here uh i don't think anybody i've seen has really sort of a good handle on that necessarily how do you distinguish a malicious from a non-malicious npm library well then we want to make life easy for developers and i consider myself a developer and i kind of don't like that when it comes to application security developers are usually playing for everything uh but a lot of it is a configuration of the application as well like how are we configuring authentication for for example a backend data store and there are many examples in particular with these sort of more modern no sql databases which do have in the most cases authentication but you have to enable it you have to go through the motion and cvs for example lost a bunch of records uh just by basically not doing authentication and this you could get away with it was not a good idea but you could get away with with your self-contained on-premise application because you had that parameter that really protected you uh once you move this application to cloud once you're moving it in particular sort of cloud native components you can't get away with this anymore it will be found it will be exposed then we had the big case recently where uh you know it was considered uh a crime to do a view source but um that um that is probably the least you can do with an application like this and actually show you a little demo here that someone is doing class and see if you can just quickly switch to the shared screen again thank you so um this is an application i really like um it's close to home and i'm not showing any vulnerabilities here but just how you're basically seeing um how the application works you know in these more modern distributed applications so this is kind of here i'm living in jacksonville florida and the city has this real neat sort of mapping application where you can dive in and basically get information about specific properties here so you can look up uh hey who owns this particular property here and but but how does it work in the back end and um in a modern browser i'm not going for view source here i'm going straight for the developer tools so and then looking at all the requests being sent back and you kind of see now how the application how javascript within the application is reaching out to different backend apis now here in this case they do it sort of neat and i think actually not bad where this request is going to this let me zoom in a little bit again so you can see that uh to this back-end url here uh some kind of proxy or so with this artificial host name so at least it's not easy for me as an attacker to directly go in there and and figure out where the data is coming from and maybe bypass any kind of uh authentication or access control rules that this front end exp imposes on me let me show you a different version of an application like this and i'm just showing you the request that was sent by that application so let me just zoom in here a bit again so people can see it and so this is just a snippet of xml that you would send back if you're clicked on a map like this and in this case you have like no obscurity even like in the application i just showed you what actually happened back and at least was a little bit obscured from you with these uh artificial host names and things like that that you couldn't sort of hit directly without sort of going through the application that essentially sort of implements kind of a proxy here but you see where we basically send a sql query back we send a list of field names that we would like to retrieve and then we send a where clause and where it gets really interesting is oops sorry if you're looking at what this where clause looks like so last name owner not like confidential apparently i'm as a user telling the application please please don't tell don't tell me anything confidential um and things like this of course is trivial to bypass foreign attacker now it is like being able to directly connect to the database itself you don't really need sql injection if you are able to send sql queries back i don't see it a lot for sort of sql-like databases looks very much sql-like but where you're seeing this a lot is where you're exposing back-end components uh like you know elasticsearch and things like this where or a mongodb in particular uh where they're really built to sort of you know receive requests from javascript that's of the architecture that you're kind of going for with this here low friction low latency real high speed for the attacker as well as for the defender and for the good guy so that's so some of these misconfiguration that you run into but you offer sudden exposed back-end components that were not necessarily you know reachable uh in the past if you sort of had your nice little perimeter around it your hard shell yes you had the soft core but um that our child protected quite a few attacks so uh now you're removing that shell on your left with the soft core without even the the hard shell around it and i don't know we do have a little uh demo application you actually want to play with and let me just put up our architecture and then jason you can uh maybe talk a little bit about that architecture what we put together here so give me a sure and i'm very curious if you say you know take out that confidential portion what would happen have you tried yeah i i never attempted it uh i i talked i don't like to be part of the news um i actually talked to and i reported this and i said the application no longer exists so that's one way how this was fixed but um the the problem here was that again for jacksonville here florida in florida cities are required to make this data public uh there are a few exceptions like no i think law enforcement officers judges and such whose data is not public the um the problem here was is that they had an internal application that they used sort of in their office and they basically now expose that application to the public now that application of course was created with a different threat in mind if you're using internal i don't say do stuff like this internally but that's kind of you know what what happened like that you can get away with that um the what they told me is that the database actually used as a backend here to store the data did not contain any confidential data that's actually i think a valid and good thing to do so uh very either the user that you're using to connect back does not have access to that data or you just don't have to get in the database and that's i think a a real nice thing yeah that's not there can't be stolen so i would still not expose any data where there is no real business need to have the data actually exposed and that's sort of how they how they solve the problem here like i said the newer application actually looks i didn't really dig into it too deep i don't want to become one of those you know people who looks at the source of a web page and comes in the news later so but um it looks like they did it in the newer version quite a bit better but anyway jason tell us a little bit about the uh before we get to that i think uh the illustration that you made earlier definitely reminded me of uh the latest and greatest like sometimes these things run in circle motion right like you know we we're going back in the same themes of his mistakes that were made in the past so earlier when you show up so what you showed probably isn't you know you know in the grand scheme of things like latest and greatest architecture i am seeing a lot of um for example the graphql interface graphql is you know sort of new uh model right and being able to as opposed to rest right like graphql essentially allows you to run current language directly from the browser to one single endpoint uh to the web to the web application and then let you create data right there and what we're seeing a lot is that there are a lot of mistakes being made particularly with access control and thereby exactly as that right like you are able to see all that query run from the browser and once it reaches the back end if you're not careful i'm not doing the right access control and it leaks a lot of data um so yeah good good good thing to show there and on this uh on the screen right now what we're showing is one of the architecture or one of the model that we have been playing around with obviously super simplified uh level of modern base architecture modern based uh application so you know think about modern day application i i like to use the analogy of like maps.google.com google maps when you go to google maps right what happens when you load google maps you download not just maps you download a whole chunk of javascript code and then subsequent time right once you start interacting with google maps you know then the javascript code runs and goes to the uh your browser to figure out where you are right um using geolocation and then determine okay so you're sitting here for example your harness case you're sitting in jacksonville it will say okay let me download the maps in jacksonville and then at that point it actually does a bunch of rest api call graphql call and so on so the javascript in this architecture are stored at the static file location right so that could be you know in the real sense of s3 bucket assure blob storage and things like that right so these are static file storage that just let you download your javascript once it loads then your browser has a brain as i would call it because the javascript gives it a lot of super power right computing power and is able to do its own thing right it becomes an application that runs inside your browser then what it would do is that it would then be able to make api calls right the api could be a few different flavor but it generally lands on you know some kind of you know in modern architecture api gateways why do you need api gateways well you know what you want to do is from an enterprise standpoint from being able to keep track of logging from being able to you know maintain certain level of security you want a gateway and then behind the gateway what's there well this is where you know if you're like the netflix the facebook the amazon then that's a wonderful and colorful world behind the scene in the gateway because you know a lot of organizations are running uh the micro surfaces so that's on the right hand side you know the the blue icons over there that you can think of it like you know it could be 2 000 different services over there right like the api gateways just front all those things um and you may question hey you know why do you have so many well because hey microservice architecture you want it to align with very finite and small sections of your business logic into each service just also from a developer point of view uh one nice thing about these microservices they really behave like functions so as a developer i may approach these microservices with the same way that i used to create like a function or or a little library in the past or so that's i think also what uh what leads to the growth and sometimes a little bit uncontrolled growth of these these libraries yeah have microservices yeah i personally like microservice you know from a development standpoint because hey you know in the old monolith there's nothing wrong with it number one right but in terms of efficiency and promoting when you have a big organization i work in a large development organization um yeah it gets a little crazy right like so you want um you know some of the teams to be able to independently update their component so you know who wants to wait till the end of the year they will just release one software release you know once a year you want to be able to update it you know very frequently and so on so that that allows you to do that when you segregate and break components down into microservice one component that we also want to talk about is that i am service some people call it idp like identity provider that's important because that ties in all the services together you may only have one user on the left right when they get through to the api gateway you want the ability to track the user all the way to i don't care how many microservices you have it could be two but it needs to be the same user and you should have visibility about what the user is doing so the idp is very very very crucial to securing application data in this model and this is where you know some of the protocol like oauth which is rather complicated plays a big role in securing these applications so that's what the modern base architecture generally looks like you know we're just doing a very high level intro here in your house i think you have some you know wicked stuff to show here yeah uh let's actually see if the application works that's what is the developers uh problem here yeah whoever whoever developed this my call right let's see if it works first and we're doing it live and live doing it live of course [Music] yeah sometimes we record these things but today we decided we'll uh we'll live dangerous and um so um here we do you have a very simple application i'm logging in and of course the first thing i have to do is i have to remember my username and password and actually what you are seeing here uh is uh be using a couple of open source components for these elements that you saw earlier let me just go back here quickly the api gateway gateway we're using here is kong yeah uh calling an open source api gateway and for all vacation we're using again open source software called key cloak and i just want to point out we're not showing any vulnerabilities in these applications these are solid applications we're only more talking about how you may misconfigure them so what we're talking about here really applies not to to uh if you're doing this like the in in aws with their respective api gateways and uh was it cognito i think is what they're what they're calling their uh their authentication service so um the same things apply to other pieces of software as well so here i'm logging in i'm actually logging in now into key cloak so that's what i'm logging into and a lot of this of course then always involves lots of redirects and you see here like these authentication tokens and such that are being uh passed forth and back so okay let's just uh oops not my password we have a i think it was student and i'll tell just you the password is training but um anyway so now i'm logged in so now i got logged into the application and i have this simple um window here that i can use to look up basically some ticket numbers so a very simple and i get the pop-up here uh with the with the update on my on my service ticket uh let me do the same thing that i did earlier with the map application and invoke the super secret hacker developer mode um jason i think there was actually something about turning off uh view source in firefox i think wasn't there yesterday i saw something about a change ticket being released um and i think actually in the um any sort of enterprise deployments of this browser sometimes able to turn off things like developer mode but don't take that as a security feature you know it's um it's of course you don't want users in your organization waste time uh attacking your web app they're supposed to you to get work done but uh anyway so let's just look up another ticket here okay so here we have this request and then we have this other super secret feature we can copy the request as curl and if you're not familiar with curl a curl is a command line utility that allows you to basically play browser and so let me just pull this up here yes you're doing that and one thing to also mention here is that you know i know a lot of you out there like you know using postman and things like that what johannes just did you can copy it as curl and fire postman and import it back into postman and use that you know as a graphical interface as well that would work really nicely as well if you're less comfortable with text that's what i do johannes and i often disagree on that principle but yeah i hate gui's but they just get in my way and uh and and we really see what's happening so how is authorization done in this case or authentication it's done via this bearer token and this gobbledygook here that you're seeing is actually a jwt so a json not json a json web token so notice how there are dots dots are and the rest is of base64 encoded um we can actually just take this text here and then base64 decoded so paste base64 oops more ksd and here we sort of get you know that that json you know we have a sha 256 for our uh for for our altercation for our signature it's a jwt or how jason likes to call them jot i don't really like that but uh anyway and that then sort of an id here now let's stick with uh jason's advice here and go gui on this that's actually a nice website that can decode that for us just need to extract this copy it jwt.io and that website is amazing basically it does the javascript decoding of the jade of the job content and basically tells you what does it actually decode to and johannes is about to show it to us you just copy it sorry you just paste it right there and then it automatically decoded for us and then allegedly right like if everything is done on the client side nothing is sent on the server so no token is hurt in this process yeah and that's kind of one of the nice things with these jwts because we we do have to authenticate against all of these different backend services now typically i would have told you don't store data that authenticates user on decline like if you had the good old user equals admin cookies and things like this this works because it's digitally signed it's officially signed and then the recipient whatever web service we authenticate for is able to verify that signature and the user is not able to change that token if it's formed correctly and if you're using a relatively modern library then that's usually not a big issue in the past sort of issues for example have been notice how the user also tells you how to verify the token so the user presents the token and tells you hey this signature was created with this algorithm as an attacker i could swap that to a much simpler algorithm maybe an md4 or something like this i think there was even a none option or json wasn't there like an option not to have any signature and the receiving library would just accept that that was sort of one little issue there but um one thing we really want to focus on let me zoom in here a little bit on this token is so they're different ways to use jwt uh sometimes it could just communicate my user id there's sort of various ways to log in essentially uh with a jwt but what we really want to do is authorization so the token here also tells the recipient what we have access to and this is giving the this giving out the attacker who is looking at the token more insight into what this token could be good for or jason any problems here with this well i see that you can take over the world i see covet vaccine formula so i don't know maybe there is some very sensitive information there and that's and that's of the next step then yeah so what we can do now is we can explore what other apis are accessible using this token and um yeah i think some of these coincide with what we were talking about earlier so what you saw there the rom and the scope basically what it tells you is that hey what this token allows you or entitles you to be able to perform with the application and it is that you know basically you hand this piece of information that is signed by the idp so that nobody should be able to change it right so altering it yeah it's very difficult if at all possible right but then it also potentially leaked a lot of information to the user as to what the token allows you to do then you go after those services right as an attacker yeah let me just actually go back one second here if you're looking at this so now we had like the these different roles yeah that we have access to uh let me and in the and we see that our token was sent or our request went to this url here so next thing we can do is let's just go to the url directly and see what we get back so okay okay live demo everyone [Laughter] we're praying yeah i need i of course need to talk and so let me just yeah i think you yeah go this way yeah so what we're getting is a little bit hard to read because we're not looking at in a browser but we're getting like a little message here that tells us what the available operations are uh for this particular api and this is not unusual uh yes so this is an application that we created usually you don't get the covert vaccine formula or the cat's plan to take over the world um let me show you let me show you a real application and let me go back to the map application again here for a second yeah let me talk while you're loading it up yeah i just want to talk a little bit about the um some of those token job token well you know there are a lot of questions about these token you know when i talk to developers the question always is like hey are these things actually secure yes it can be secure um but you know only if you make it so right some of the tips and tricks over there is that you know if you're on the internet side right like earlier in our diagram on the left-hand side you're dealing with the internet the left-hand side of the api gateway then you would want to make sure that that job token jwt token is not like exposing all those like hey i can do this i can do that right um you would want that to be stream slimmed down and you know expose as little information as possible but you know nonetheless like you know the job token is necessary to respond itself for some service to present itself to other services to say hey look here the idp said i can do this so you know at some point you need to be able to present that job token with the idp signature on it uh to acquire access so what that means is that you know here is a hint that will give you your api gateway in the modern architecture that's actually a lot right like earlier your harness was actually showing some of that um the tong set up you're able to call is able to strip out stuff you know as the data goes from the right hand side in the side to the outer side and strip out some of the content um you know within that token so that that's how some of the modern architecture keep itself safe be honest i think you're ready i'll let you take it back oh you're new yeah just want to show you here quickly this is again that mapping application and here for example requests go to this service here arc js online let me copy that go up here and you basically just experiment how much you have to strip off from the url to sort of get again uh this basically manulin that tells you how to use uh this particular web service um and like i said this is not unusual there's actually a little bit sort of best practice with soap and such we often have more standardized versions of this like whistles rest whistles never really sort of caught on with rest but some form of documentation is what you typically find them with a rest service like this yeah it's more like the swagger open api i think that's what you're referring to sort of you know standard full rest right like and even then is not well there are semi-automatic way to generate that you know it's not quite as automatic as uh you know in for rest than in the uh in the old xml world yeah and now let me just change this here let's try the um take over the world service we are evil we're going to take over the world do you remember if there was a slash in the end or not well we'll try it we'll see how what happens yeah and here we get now you know that plan to take over the world and we get access not because of a failure to authenticate because we did have a valid token that authenticated us for this particular service but part of it was someone was too lazy gave us a token that had way more privileges than we probably should have had and sort of again relied on the good old security through obfuscation or obscurity where in the old days we sort of had the hidden url that you couldn't access unless you knew the url even though the url did not really require any authentication in the modern api world well we have the api endpoint that we have access to without really knowing that we have access to because we don't really see that anywhere used in the application anything from you about this jason um i think you covered quite well and i'm glad that i'm glad it all worked out and uh so far so far it works now with your application a couple ways how these tokens can be authenticated in our example here everything went through a kong went through the gateway the gateway then is able to check whether or not we have access to a particular service the problem here now can become let me go back to our infrastructure actually jason while i'm doing this but you want to take that question from i do i'm just reading it over here a second sans fanboy yay thank you um so okay the question really is about why would uh application development choose uh microservice over serverless uh maybe i'm wrong but it seems a tax service with a function as a service is limited ah okay a couple of things here right like when you deal with a little bit of architecture context here um it's not mutually exclusive that you would do microservice in you know serverless they could be all existing the same right uh a lot of times in modern day actual real world implementation a lot of uh microservices actually tie in with container uh just because it's easier to organize that way hey one microservice one type of container image that's how people associate things but there's no nothing against okay so you know some of these microservices actually live on the function as a service like your lambda and and you know uh uh the azure functions you know there's nothing wrong with doing that either you could do both ways um and and i think that that may help you a little bit so it's not like people are like okay microservice and we won't go serverless you can go microsoft and serverless all at the same time uh i hope that that makes sense to you yeah we'll see yeah so really serverless is sort of a way to implement microservices too so it's not that it's either or absolutely yeah yeah yeah i just want to go back here to the um to the architecture diagram so the way we threw it here was that as a user you're connecting to the gateway the gateway will authenticate you and then forward your request to the appropriate service well um what prevents me from going to the service directly in in some cases nothing other than well a firewall ruler so that may or may not exist or a configuration in your in your aws setup or whatever you're using for a cloud that would restrict where you can access these services from but as an attacker if i'm able to find these services directly i may be able to access those services directly and with that bypass any kind of authentication this is sort of you know when we're talking about exposed s3 buckets and things like this where maybe you have an application that requests data from the s3 bucket the application does proper authentication but if the attacker finds the bucket directly then all of that authentication is going out of the window and these the location of these services can leak it's not always that easy to find them that depends again on where you have them located but if you have your main service your gateway in aws well the the web service the backend is probably in aws too or json any hints on how to find these or yeah well a couple of things i want to address here like you know finding those uh um expose pass-based services or one thing but then you know i think a lot of people assume that oh yeah i throw it on onto the cloud platform particularly with microservice you know a lot of people are running the blue icon stuff on the cloud which is good nothing against the cloud hey if you know know me you know that i also teach the cloud courses as well um but the point about it is that you know it's one single line of code in today's world of iac right infrastructure as code and then you expose your whatever service onto the outside and you can't just say okay it's mine right i want to put a firewall with cloud setup there's not a whole lot of firewall right everything is about configuration you can configure these things called like private endpoint and so on in order to say yep hey my corner of this path based service is not exposed to the world you can do that but on if and only if you do that right then you have the security if not good luck right then you're exposed as your harness was saying and as opposed to us to the enumeration of it there are many different ways we talked about like swagger we talk about like open api if somebody get their hands on those information about your schema about where services are located and so on well it's a url people are just going to connect to it right so that's some of the you know very typical attack pattern that we've been seeing uh you know for the last 18 24 months a lot of you know bad people around are pivoting over to these services in um finding targets and attacking them um i think uh yeah we by the way we do welcome any questions you know um yeah there are some questions that are already flowing in um definitely appreciate that and yeah now it would be a good time if you want to ask us any questions in this live format okay you know we we will take questions and it helps us drive where you know the discussion is going so jason one question here in the architecture that we have on the screen right now with the api gateway authenticating all of these requests does not put a lot of strain on the im service what if that service goes down well that that's sort of the you know ho single sign-on type of you know concern right um i think um there are a lot of discussion about these you know and these days you know a lot of organizations are moving towards id as a service and those provider generally helps you to distribute the load you know some of these are multi-cloud providers as well that actually well you know some of the big names there is like the octer and the forge rock and those guys they cascade themselves so they distribute themselves around like all three big cloud service providers to help you you know with the availability but then you know hey if you are running it on your on-prem solution then you know the onus is on you to make sure that that's available um you know and and there are definitely a lot of hate the bad guys know that how important these things are and they are definitely launching a lot of ddos attacks and so on against these platforms so just be aware of it is ever forever going to be like good against evil fight on an ongoing basis and another issue that sort of came up is these back-end services how do you restrict access to them is it just by ip address or there are other ways to restrict access to them yeah i can i can take that one thanks johannes for asking that so at the back end services nowadays right um if you're on your on-prem setup more traditional hey network security i i call it castle in the moat some sort of solution then you're relying on your firewall hey all these you know sort of micro services back and stuff high behind the firewall right hey ho security model that is proven to work when you are actually running for example saki was asking the question about like you know if you're running that model under serverless right function as a service type of deal where you hand the source code over to aws and they run it for you then those things you need to look into like the endpoint um private endpoint configuration basically as i said earlier that helps you to narrow it down so that you're saying hey this piece of code are only available for example to my vpc only my internal virtual network and nobody else can get access to it even on the internet and that's how you lock it down in lieu of a firewall because you know firewall is an older lingo in the cloud world is getting less and less and less effective and and you know relevant so yeah i think that's that's where people need to gravitate towards uh the more cloud native land uh the private endpoint and those configuration are more important and then we have a nice final question here from scott we can close it with that uh classes we'll be teaching uh well sec 522 that's a class jason and i am teaching i think next time i'm teaching it is in december and um jason what's the other class you have another cloud class or yeah class that you're teaching yeah it's a it's a newer course that i wrote last year in 2019 uh or 2020 i think it all matched together and it's about management 520 is really about um you know helping the management team to navigate around the the whole thing what do i do to secure the cloud environment you know because these things all tie in together and you need a lot of management support to drive it towards the right direction so that's that's that and hey sac 522 is what your harness and i co-wrote and uh you know a lot of material that we presented today are more well-off into that course yeah so thanks everybody uh we are just out of time i think we just timed it perfectly here jason so uh thanks everybody for attending yeah thank you so much [Music] ah

Original Description

Modern Web based applications are increasing entrusted with sensitive and important information. Traditional network defenses such as firewalls fail to secure web applications. Web Applications are increasingly distributed. What used to be a complex monolithic application hosted on premise has become a distributed set of services incorporating on premise legacy applications with interfaces to cloud hosted and cloud native components. Johannes Ullrich and Jason Lam will discuss the recent best practices in this live stream on protecting web applications. #cloudsecurity #cybersecurity #informationsecurity #infosec #application #security #cyber
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from SANS Institute · SANS Institute · 0 of 60

← Previous Next →
1 SANS FOR610: Reverse Engineering Malware: Malware Analysis Tools & Techniques
SANS FOR610: Reverse Engineering Malware: Malware Analysis Tools & Techniques
SANS Institute
2 SANS Institute Cybersecurity Training Customer Stories
SANS Institute Cybersecurity Training Customer Stories
SANS Institute
3 SANS Institute UK Cyber Academy
SANS Institute UK Cyber Academy
SANS Institute
4 SANS Institute UK Cyber Academy
SANS Institute UK Cyber Academy
SANS Institute
5 CISSP® Prep Exam, MGT414, by SANS Institute
CISSP® Prep Exam, MGT414, by SANS Institute
SANS Institute
6 SANS Institute's Rob Lee Discusses The OPM.GOV Hack on CNN
SANS Institute's Rob Lee Discusses The OPM.GOV Hack on CNN
SANS Institute
7 Information Security Training from SANS Institute - Student Testimonials
Information Security Training from SANS Institute - Student Testimonials
SANS Institute
8 SANS NetWars
SANS NetWars
SANS Institute
9 SANS DFIR NetWars
SANS DFIR NetWars
SANS Institute
10 Hack The Drone - SANS Cyber Academy UK
Hack The Drone - SANS Cyber Academy UK
SANS Institute
11 SANS VetSuccess Immersion Academy
SANS VetSuccess Immersion Academy
SANS Institute
12 SANS Cybersecurity Training, Certifications & Placement for Veterans
SANS Cybersecurity Training, Certifications & Placement for Veterans
SANS Institute
13 The 2015 SANS Holiday Hack Challenge
The 2015 SANS Holiday Hack Challenge
SANS Institute
14 SANS VetSuccess Academy: Hands-on Skills
SANS VetSuccess Academy: Hands-on Skills
SANS Institute
15 SANS VetSuccess Academy Overview
SANS VetSuccess Academy Overview
SANS Institute
16 SANS ICS Security Summit & Training 2017
SANS ICS Security Summit & Training 2017
SANS Institute
17 Exploring the Unknown Industrial Control System Threat Landscape – SANS ICS Security Summit 2017
Exploring the Unknown Industrial Control System Threat Landscape – SANS ICS Security Summit 2017
SANS Institute
18 WannaCry recap, patches, and analysis
WannaCry recap, patches, and analysis
SANS Institute
19 If We’re Doing So Well at Cyber Security, Why Are We Still Doing So Poorly?
If We’re Doing So Well at Cyber Security, Why Are We Still Doing So Poorly?
SANS Institute
20 Graduation Day - SANS HM Gov Cyber Retraining Academy
Graduation Day - SANS HM Gov Cyber Retraining Academy
SANS Institute
21 Incentivizing ICS Security: The Case for Cyber Insurance – SANS ICS Security Summit 2017
Incentivizing ICS Security: The Case for Cyber Insurance – SANS ICS Security Summit 2017
SANS Institute
22 SANS Data Breach Summit & Training 2017
SANS Data Breach Summit & Training 2017
SANS Institute
23 SANS Secure DevOps Summit & Training 2017
SANS Secure DevOps Summit & Training 2017
SANS Institute
24 How Threats Are Slipping In the Back Door - SANS ICS Security Summit 2017
How Threats Are Slipping In the Back Door - SANS ICS Security Summit 2017
SANS Institute
25 SANS Webcast – Continuous Opportunity: DevOps & Security
SANS Webcast – Continuous Opportunity: DevOps & Security
SANS Institute
26 SANS Cybersecurity Programs for the Department of Defense
SANS Cybersecurity Programs for the Department of Defense
SANS Institute
27 SANS Pen Test HackFest Summit & Training 2017
SANS Pen Test HackFest Summit & Training 2017
SANS Institute
28 SANS SIEM & Tactical Analytics Summit & Training
SANS SIEM & Tactical Analytics Summit & Training
SANS Institute
29 If We’re Doing So Well, Why Are We Still Doing So Poorly? – SANS ICS Security Summit 2017
If We’re Doing So Well, Why Are We Still Doing So Poorly? – SANS ICS Security Summit 2017
SANS Institute
30 SANS Institute
SANS Institute
SANS Institute
31 ICS515: ICS Active Defense and Incident Response
ICS515: ICS Active Defense and Incident Response
SANS Institute
32 SANS Institute
SANS Institute
SANS Institute
33 Introducing the NEW SANS Pen Test Poster
Introducing the NEW SANS Pen Test Poster
SANS Institute
34 SANS Institute - An Inside Look at the Newly Updated ICS515 Course
SANS Institute - An Inside Look at the Newly Updated ICS515 Course
SANS Institute
35 SANS ICS Security Training, Munich, Germany
SANS ICS Security Training, Munich, Germany
SANS Institute
36 SANS Automotive Summit Webcast
SANS Automotive Summit Webcast
SANS Institute
37 Privesc Playground - SANS Pen Test HackFest Summit 2017
Privesc Playground - SANS Pen Test HackFest Summit 2017
SANS Institute
38 Introduction to Reverse Engineering for Penetration Testers – SANS Pen Test HackFest Summit 2017
Introduction to Reverse Engineering for Penetration Testers – SANS Pen Test HackFest Summit 2017
SANS Institute
39 Honey, Please Don’t Burn Down Your Office: Fun with Smart Home Automation
Honey, Please Don’t Burn Down Your Office: Fun with Smart Home Automation
SANS Institute
40 SANS Security Operations Summit & Training 2018
SANS Security Operations Summit & Training 2018
SANS Institute
41 Sh*t Happens!  (But You Still Need to Drink the Water) – SANS ICS Summit 2018
Sh*t Happens! (But You Still Need to Drink the Water) – SANS ICS Summit 2018
SANS Institute
42 ICS Threat Intelligence: Moving from the Unknowns to a Defended Landscape – SANS ICS Summit 2018
ICS Threat Intelligence: Moving from the Unknowns to a Defended Landscape – SANS ICS Summit 2018
SANS Institute
43 You’re Probably Not Red Teaming (And Usually I’m Not, Either) – SANS ICS Summit 2018
You’re Probably Not Red Teaming (And Usually I’m Not, Either) – SANS ICS Summit 2018
SANS Institute
44 A Sneak Peak at the New ICS410
A Sneak Peak at the New ICS410
SANS Institute
45 Jumping Air Gaps – SANS ICS Summit 2018
Jumping Air Gaps – SANS ICS Summit 2018
SANS Institute
46 Introduction to Linux
Introduction to Linux
SANS Institute
47 Introduction to Malware Analysis
Introduction to Malware Analysis
SANS Institute
48 You’re Probably Not Red Teaming (And Usually I’m Not, Either) Webcast by Deviant Ollam
You’re Probably Not Red Teaming (And Usually I’m Not, Either) Webcast by Deviant Ollam
SANS Institute
49 Hacking your SOEL: SOC Automation and Orchestration – SANS Security Operations Summit 2018
Hacking your SOEL: SOC Automation and Orchestration – SANS Security Operations Summit 2018
SANS Institute
50 Hunting for Post-Exploitation Stage Attacks with Elastic Stack and the MITRE ATT&CK Framework
Hunting for Post-Exploitation Stage Attacks with Elastic Stack and the MITRE ATT&CK Framework
SANS Institute
51 Apples and Oranges?:  A CompariSIEM – SANS Security Operations Summit 2018
Apples and Oranges?: A CompariSIEM – SANS Security Operations Summit 2018
SANS Institute
52 SANS Webcast - Perimeter Security and Why it is Obsolete
SANS Webcast - Perimeter Security and Why it is Obsolete
SANS Institute
53 SANS Webcast - Trust No One: Introducing SEC530: Defensible Security Architecture
SANS Webcast - Trust No One: Introducing SEC530: Defensible Security Architecture
SANS Institute
54 The Science of Security: The Psychological Impacts of Security Awareness Programs
The Science of Security: The Psychological Impacts of Security Awareness Programs
SANS Institute
55 How I Pulled Off an Edgy Security Campaign – SANS Security Awareness Summit 2018
How I Pulled Off an Edgy Security Campaign – SANS Security Awareness Summit 2018
SANS Institute
56 Practical Advice for Submitting to Speak at a Cybersecurity Conference
Practical Advice for Submitting to Speak at a Cybersecurity Conference
SANS Institute
57 SANS Webcast - Consuming OSINT: Watching You Eat, Drink, and Sleep
SANS Webcast - Consuming OSINT: Watching You Eat, Drink, and Sleep
SANS Institute
58 SANS Webcast - Zero Trust Architecture
SANS Webcast - Zero Trust Architecture
SANS Institute
59 SANS STX Cyber Range
SANS STX Cyber Range
SANS Institute
60 Part 1 – SANS Institute and Tenable talk about cloud security
Part 1 – SANS Institute and Tenable talk about cloud security
SANS Institute

This video teaches viewers about application security for web apps, APIs, and microservices, covering topics such as CI/CD pipeline security, authentication, and API gateways. It highlights the importance of securing sensitive information and demonstrates tools like Kong, Keycloak, and JWT. Viewers will learn how to implement secure authentication and authorization, protect against CI/CD pipeline attacks, and use API gateways to secure their applications.

Key Takeaways
  1. Implement CI/CD pipeline security
  2. Use API gateways for authentication and authorization
  3. Configure private endpoints to restrict access to services
  4. Use Swagger and OpenAPI to document REST services
  5. Generate documentation for REST services semi-automatically
  6. Strip out content from tokens to keep it safe
  7. Use JWT for authentication
💡 API gateways can be used to secure web applications and microservices by implementing authentication and authorization, and restricting access to sensitive information.

Related Reads

📰
How to PASS CISSP exam in one-go for REAL
Learn how to pass the CISSP exam in one attempt with tips from a personal experience, focusing on careful question reading and technique application.
Medium · Cybersecurity
📰
The $25 Million Trust Boundary: A Technical Post-Mortem of the Peraire-Bueno MEV-Boost Exploit
Learn from the $25 million Peraire-Bueno MEV-Boost exploit and understand the technical post-mortem to improve cybersecurity
Medium · Cybersecurity
📰
x402 Just Got a Standards Home. Who Conformance-Tests the Authority?
The Linux Foundation launched the x402 Foundation to standardize payments, but lacks conformance testing, sparking concerns about security and validation
Dev.to · Michael "Mike" K. Saleme
📰
When a Low Detection Score Means the Opposite of Safe
A low detection score in cybersecurity can be misleading and actually indicate a higher risk of malware or attacks, rather than safety
Medium · Cybersecurity
Up next
Best VPN For China 2026 — Which One Actually Works?
Tutorial Stack
Watch →