As organizations shift control of their infrastructure and data to the cloud, it is critical that they rethink their application security efforts. This can be accomplished by ensuring applications are designed to take advantage of built-in cloud security controls and configured properly in deployment. Attend this webcast to gain insight into the security nuances of the cloud platform and risk mitigation techniques. Topics include: • Common cloud threats and vulnerabilities • Exposing data with insufficient Authorization and Authentication • The danger of relying on untrusted components • Distributed Denial of Service (DDoS) and other application attacks • Securing APIs and other defensive measures

1. Securing Applications
in the Cloud

2. About Ed Adams, CEO
• Helping companies secure software
• Research Fellow, Ponemon Institute
• Privacy by Design Ambassador, Canada
• Mechanical Engineer, Software Engineer
• In younger days, built non-lethal weapons
systems for government & law enforcement
www.edtalks.io

3. Agenda
• Cloud threats and vulnerabilities
• Authorization & Authentication
• DDoS and other application attacks
• Application Code & Untrusted Components

4. Cloud Threats and Vulnerabilities

5. Cloud Feature or Risk?
1. On-demand self-service: anyone can stand up infrastructure
quickly…. Authorized IT staff, Developer, Hacker
2. Broad network access: 24x7 access with any connected device
3. Resource pooling: shared computing resources
4. Rapid elasticity: manual or set with application logic parameters
5. Measured service: metering automatically optimizes usage
*NIST Special Publication (SP) 800-145 Definition of Cloud Computing

6. Myth Busting
* “Securing Applications in the Cloud” whitepaper – Security Innovation

7. Defend
• Rigorous registration
requirements
• Network &
communication
monitoring for potential
exploits
• Strong authentication
• Cryptography
Attacks
• Botnets
• Distributed DoS
• Downloadable Malware
• Session Hijacking
• Theft Credentials
• Fake Messages
• Automated Click Fraud
• Hosting Malicious Content
Vulnerabilities
• Data Exposure
• Insufficient IAM
• Application Code &APIs
• 3rd-party components (use
& disclosure)
• Misconfiguration of CSP
services
• Misuse of distributed
programming frameworks
Common Cloud-based Attacks &Vulnerabilities

8. Authorization & Authentication

9. Identity & Access Management
• It’s harder than you think!
• Broadly-scoped permissions  overprivileged users and services
• Avoid wildcard access
• Reduce scope of permissions to specific business cases
• Cross-account access configuration is scoped to specific use
cases
• Access keys rotated on a regular basis
• Users with multiple keypairs flagged for business use case
review
CSPs offer some turnkey IAM solutions; however, YOU still
have to configure & deploy them correctly

10. Weak Authentication
• Unauthorized modification of device settings
• Disruption of service
• Access to critical data and control
An attacker’s gateway to system control
• Multiple types of authenticators (something you know, have, and/or are)
• Client-side authentication duplicated on server side
• Protect authentication tokens, e.g., OAuth 2.0,TLS, etc.
• Define roles: anonymous, normal, privileged, administrative. How should each
be authenticated? What service(s) do each have access to?
• Consider attribute-based access control vs. role-based
Strengthening authentication

11. Role- vs. Attribute-Based Access Control
*source: Okta
Role-Based
(RBAC)
Attribute-Based (ABAC)

12. Managed Access Control
• Dave needs to be able to write to a web content directory
• Sally needs to be able to modify a database table
Grant role-based access that allows access to different resources:
• Computing, Networking, Storage, Management services, Others
These resources fall under the following categories:
• Centrally managed permissions
• Software-defined configurations
• Reporting to easily audit resource access
By using a managed access approach, you get:

13. Tags
• Similar to metadata for cloud resources
• These key or value pairs are useful for searching, reporting, and
tracking costs, but also helpful for security
• By matching up users or policies to specific tags, you can create
dynamic security groups for controlling permissions
• When using CSP IAM features, you can focus on defining roles
and policies vs. who can/cannot administer which server

14. Data Provenance
• Similar to a historical data record – documents inputs, entities,
systems, and processes that influence data of interest
• Tied to Big Data applications that have an enhanced degree of data
classification for which additional metadata must be incorporated
• Given privacy laws, it’s imperative teams implement proper capture
techniques and enhanced logging to execute granular access controls

15. Secure Key Management
Whichever applies to your enterprise, controlling the
encryption keys is critical to controlling data
• Some CSPs permit "bring your own" encryption; others offer natively
• While encryption may occur in the in CSPs environment, customers must
maintain control of the keys that secure their data.
Traditional
Cloud Data
• While some providers offer encryption, securing data is the customer's
responsibility, including compliance with data security & privacy mandates
SaaS Data
• When using public cloud services, some enterprises send encrypted data
cloud, while others utilize the the CSPs encryption functionality
Public
Data

16.  Don’t Store Your Lock and Key Together
 You may be giving the cloud provider access to your keys
 Separate them and back them up in offline and secured locations
 Centralize Your Key Management Infrastructure
 You may be using multiple key management servers and protocols across different services
 This complicates your data infrastructure, increasing cost and risk while decreasing efficiency
 Never hard-code encryption keys
 Carefully plan file system permissions
 Store encryption keys outside the web content directories
 Build apps to support periodic key changes and establish a regular schedule
 Do not include encryption keys in backups
Secure Key Management Tips

17. DDoS and other Application Attacks

18. DDoS: Available in 2 Flavors
• Botnets that flood your application with traffic
• Results in service or entire app becoming unavailable
• Reflected Attacks
• Exploits flaw in network protocol to amplify traffic

19. Distributed Denial of Service (DDoS)
via Botnet
• Allows a single attacker to send
commands to thousands of
controlled zombies to attack target
• Generates more traffic than the
system can handle; shuts down
service capabilities

20. Distributed Denial of Service (DDoS)
via flaws in protocols
• Also known as a reflected attack
• Amplifies a small amount of traffic
into larger amount
• Attacker sends a group of devices
a connection request that looks
like it’s from victim machine
• Computer sends acknowledgment
to the victim computer
Prank example: asking GrubHub to email all their menus to your friend’s address

21. Mitigating DDoS
• AWS Shield Standard is free
• Amazon CloudFront and Amazon Route 53 offer additional protections
• Elastic load balancing
• Automatic monitoring, notifications, and traffic ceilings
• Geographic isolation and dispersion of excess traffic
CSPs offer DDoS attack mitigations (both tech & best practices)
• Also help with SQL injection & cross-site request forgery
Use CSP DDoS protections withWebApplication Firewalls (WAF)
• Principle of least privilege regarding traffic/communication
Limit application access to ports, protocols, and services

22. Credential Stuffing
• Hackers leverage the power of APIs to initiate an account hijack
• Brute-force attack using leaked username/password combinations
• Proliferation of microservices and containers make this attack popular
• Exchanging info via APIs is standardized and well suited for automation
• Throttle for defense
• Set rate limiting for authentication attempts
• Practice “zero trust” – don’t trust any input without verification

23. Application Code & Untrusted Components

24. Application Hardening
• An insecure application deployed in the cloud is still insecure
• Most vulnerabilities exist at the application level
• Follow AppSec best practices
• Include security in requirements/use cases
• Use known good components in design
• Train build & deploy teams on security
• Regularly assess/test your application

25. API Insecurity
• Expose back-end systems, mobile apps, browsers, other systems
• Threats similar to web apps, but have special considerations
• Handling input, parsing data, authenticating users
• 83% of web traffic today is now API traffic*
• In 2019 Gartner** predicted:
• Within a year, 90% of web-enabled apps will be more
exposed to attack by API weaknesses than via the user interface
• Within two years APIs will be most targeted attack vector
*Akamai – Retail Attack & API traffic
** Gartner - How to Build an API Strategy

26. Insecure APIs
• CSP code modules introduce vulnerabilities similar to native code
• Common to exploit API keys to identify 3rd-party apps using those services
• Other application exposure points
• Anonymous access, reusable tokens, clear-text authentication, open transmission of
content, rigid access controls
• To protect against API attacks
 Use CSP APIs that help control access to resources, optimize delivery of workloads, and
provide insights around usage
 Audit managed API log files on a regular basis
 Enforce strict access control mechanisms (based on least-privilege and need-to-know)
 Segregate duties and responsibilities
 Implement lockouts for repeated incorrect password entry

27. Treat APIs More Like Products
• Have their own SDLC for designing, building, testing, managing
• API-specific testing
• Responses to invalid data types or formats, e.g., malformed
XML/JSON
• Attacks meant to elicit API failure (abuse cases)
• Attacks that induce “old school” flaws, e.g., buffer overflows
• API-specific security training
• OWASP API Security Top 10 is a great start*
* https://owasp.org/www-project-api-security/

28. 99%
Today’s Applications are more Assembled than Coded
3rd-party Components
91%
75% 60%
of codebases
contain at
least one OS
component
of apps contain
outdated or
abandonedOS
components
of apps have OSS
components with
known security
vulnerabilities
of breaches involved
vulnerabilities for
which a patch was
available but not
applied
70%
of application
code is comprised
of OSS
*souces: 2020 Open Source Security and Risk Analysis (OSSRA) report; CSO Online “9 key cybersecurity statistics at-a-glance”

29. Assessing 3rd party software
• Security audit and reviews
• Simple questionnaires vs. technical analyses
• Threat Model: know the critical assets the software will interact with
• Analyze entry and exit points
• Create risk profiles for each key asset
• Analyze and rate risks
• Dynamic Analysis / Penetration Testing
• Even if you can’t fix the problem identified, you can mitigate it
• Responsibly disclosing vulnerabilities can improve partnership with ”in this together” communication
• Red team & Attack Simulation
• Objective-based options: can you compromise/access asset X?
• Attackers often use a vulnerability in low-risk application to escalate privilege
• SCA (software composition analysis)
Not very different from assessing your own; same attack methods apply

30. Threat & Risk Identification
• Initial Threat Modeling
• Robust
• Business and Risk focused
• Can be done before any code bought/built
• Updates to Threat Model
• Significant system change
• Realization of new threats
• New security-related development
• e.g., authentication
Dataflow Model courtesy of OWASP

31. Questions?

32. How Security Innovation Can Help
Assessments
• Configuration review
• Penetration Test
• Attack Simulation
Training
• Software Security focus
• Online, role-based
• AWS, Azure, containers,
microservices, DevSecOps
Cyber Range
• AWS Infrastructure
• Automated Scoring
• Pinpoints Skill
Gaps

33. Thank You
www.edtalks.io
eadams@securityinnovation.co
m
Security Training Benchmarks
getsec.in/PonemonReport