
Policy-as-Code: Across the Stack - OWASP AppSec DC 2023 | Abhay Bhargav

Abhay Bhargav
November 06, 2023

In today's world of rapidly evolving technology and the increasing complexity of software systems, ensuring the security and compliance of applications across the stack has become paramount. This talk will provide an in-depth exploration of Policy-as-Code (PaC) and how it can be employed to implement decoupled security practices across the stack. PaC serves as a unified framework that enables organizations to define, manage, and enforce policies in a consistent, transparent, and automated manner. This approach facilitates better security, compliance, and risk management, while also reducing the need for manual intervention.

The talk focuses on the use of open-source Policy-as-Code frameworks for policy composition, management and enforcement across the stack.


Transcript

  1. abhaybhargav
    Policy-as-Code: Across the Stack
    Abhay Bhargav

  2. Yours Truly
    • Founder @ we45
    • Founder @ AppSecEngineer
    • AppSec Automation Junkie
    • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc world-wide
    • Co-author of Secure Java For Web Application Development
    • Author of PCI Compliance: A Definitive Guide

  3. My talk…

  11. Agenda
    • Success Factors and Problems on the road to DevSecOps
    • The need for “Policy-as-Code”
    • PaC across the StaCk
    • Application and API Gateway: Policy-as-Code
    • Cloud-Native Control Planes - Policy-as-Code
    • Conclusions

  12. The Promise of DevSecOps

  16. The Reality

  18. The Paved Road

  19. Why?
    • 88% troubled by problems due to API Authentication - Palo Alto API Security Report 2023
    • Broken Object Level (and Property) Authorization - OWASP API Security Top 10 2023
    • 40% - API Misconfigurations like Excessive Data Exposure, etc - Palo Alto API Security Report 2023

  26. The “As-Code” Movement
    • Version Control and Single source of truth
    • Scalability and Automation
    • Consistency and Reproducibility
    • Continuous Improvement
    • High Fidelity
    • Testable ??

  38. DevSecOps
    [Pipeline diagram] Phases: Plan, Code, Build, Test, Release, Deploy, Operate, Monitor.
    Security activities, in pipeline order: Threat modeling, Training, Baselines; SAST, Source Composition Analysis, Secure Defaults; Build Security Processes; DAST, IAST, InfraSec, Sec Regression; Infrastructure Security, Cloud Hardening, Secrets Management; Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam.
    “As-code” layers overlaid on the pipeline, one per build step: SAST as Code; DAST/Regression as Code; Decoupled Security Controls / Policy-As-Code; Threat Models as Code; Detection Engineering.

  39. “PaC ‘cross the stack”

  40. Policy as Code

  46. Need and Motivation
    • The idea is to NOT hardcode security rules in apps that have rapidly evolving and changing requirements
    • Customisable and Purpose-Built
    • Testable
    • Scalable
    • Create a “Paved Road” for Product Engineering Teams

  47. Typical Use-Cases
    • Syscall Profiling, Seccomp, AppArmor and eBPF for Runtime Security enforcement
    • Authorization, CORS, Rate-Limiting, mTLS and others on the API Gateway
    • Input Validation, Access Control with Policy-as-Code Frameworks

  48. Across the Stack

  49. Security Model - An Example

  50. Dynamic PaC Stack at the Gateway

  63. Imagine…
    Your Service Business Logic
    JWT Authorization
    Input Validation
    Object Access Control
    Authentication
    Logging

  64. The Proposed Solution

  69. PaC - Applicability
    • Input Validation at Gateway
    • JWT Validation at Gateway + Claims
    • Function Level AuthZ at App + Gateway
    • Object Level AuthZ at App + Gateway

  70. Frameworks we’ll use
    • Open Policy Agent and Rego
    • Casbin/Oso, etc

  71. Open-Policy-Agent
    • Policy Management Framework for “any” environment
    • Allows you to define policies that can be enforced based on generic JSON input and output parameters
    • Uses a DSL (domain specific language) called “rego” that is used to define policies

  72. Open Policy Agent - Operation

  73. Rego Rule Syntax

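The Rego syntax slides in the deck are images, so the following is an added example, written for this page rather than taken from the talk or from the OPA project. It is one policy that covers the four items on the "PaC - Applicability" slide: JWT validation at the gateway with claims, input validation of the path, function-level authorization and object-level authorization. Everything about the environment is an assumption: the `input` document shape (built by the gateway, e.g. a Traefik forward-auth middleware or Envoy ext_authz filter), the `data.jwt.hs256_secret` and `data.orders` data document, the issuer and audience strings, and the `sub`/`roles` claim names.

```rego
# Added example, not part of the deck. Assumed input document (built by the gateway):
#   {"method": "GET", "path": "/orders/42", "token": "<raw JWT from Authorization>"}
# Assumed data document (pushed to OPA as a bundle):
#   {"jwt": {"hs256_secret": "..."}, "orders": {"42": {"owner": "alice"}}}
package gateway.authz

import rego.v1

# Deny by default; a request passes only if one of the allow rules below matches.
default allow := false

# JWT validation at the gateway: signature, exp/nbf (against the current time),
# issuer and audience are all checked by decode_verify. Because "secret" is given,
# only HMAC algorithms are accepted, so alg=none or RS256 tokens fail here. Claims
# are bound only when verification succeeds, so no rule can act on an unverified claim.
claims := payload if {
	[valid, _, payload] := io.jwt.decode_verify(input.token, {
		"secret": data.jwt.hs256_secret,
		"iss": "https://sso.example.internal",
		"aud": "orders-api",
	})
	valid
}

# Input validation: the id in the path has to look like an order id before it is
# used in any lookup; anything else leaves order_id undefined, which means deny.
order_id := id if {
	[_, "orders", id] = split(input.path, "/")
	regex.match(`^[0-9]{1,12}$`, id)
}

# Object-level authorization (the BOLA case): a customer may read only an order they own.
allow if {
	input.method == "GET"
	"customer" in claims.roles
	data.orders[order_id].owner == claims.sub
}

# Support staff may read any order; the id still has to pass validation.
allow if {
	input.method == "GET"
	"support" in claims.roles
	order_id
}

# Function-level authorization: DELETE is an admin-only operation, whatever the object.
allow if {
	input.method == "DELETE"
	"admin" in claims.roles
	order_id
}

# ---- Unit tests (run with `opa test -v .`) ----
# Throwaway secret and a token helper so the tests exercise real signature verification.
test_secret := "added-example-test-secret-do-not-reuse"

orders_fixture := {"42": {"owner": "alice"}, "7": {"owner": "bob"}}

token_for(sub, roles) := io.jwt.encode_sign(
	{"typ": "JWT", "alg": "HS256"},
	{
		"iss": "https://sso.example.internal",
		"aud": "orders-api",
		"sub": sub,
		"roles": roles,
		"exp": floor(time.now_ns() / 1000000000) + 3600,
	},
	{"kty": "oct", "k": base64url.encode_no_pad(test_secret)},
)

req_for(method, path, token) := {"method": method, "path": path, "token": token}

test_customer_reads_own_order if {
	req := req_for("GET", "/orders/42", token_for("alice", ["customer"]))
	allow with input as req with data.jwt.hs256_secret as test_secret with data.orders as orders_fixture
}

test_customer_cannot_read_another_customers_order if {
	req := req_for("GET", "/orders/7", token_for("alice", ["customer"]))
	not allow with input as req with data.jwt.hs256_secret as test_secret with data.orders as orders_fixture
}

test_delete_needs_admin_role if {
	denied := req_for("DELETE", "/orders/42", token_for("alice", ["customer"]))
	not allow with input as denied with data.jwt.hs256_secret as test_secret with data.orders as orders_fixture
	granted := req_for("DELETE", "/orders/42", token_for("root", ["admin"]))
	allow with input as granted with data.jwt.hs256_secret as test_secret with data.orders as orders_fixture
}

test_wrong_key_is_rejected if {
	req := req_for("GET", "/orders/42", token_for("alice", ["customer"]))
	not allow with input as req with data.jwt.hs256_secret as "some-other-key" with data.orders as orders_fixture
}

test_malformed_id_is_rejected if {
	req := req_for("GET", "/orders/42;DROP", token_for("root", ["admin", "support"]))
	not allow with input as req with data.jwt.hs256_secret as test_secret with data.orders as orders_fixture
}
```

Two points a practitioner should take from this. First, the gateway only ships the raw token and the request shape and must treat anything other than a `true` decision (including an OPA error or an undefined result) as deny, so the policy stays deny-by-default end to end. Second, the object-level rule depends on `data.orders` being current in OPA, which is exactly why the slide places object-level authorization at "App + Gateway": the service that already holds the order can instead put the owner into `input` and ask OPA the same question with fresh data.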
  88. OPA Use-Cases
    • Kubernetes Policy Management
    • API AuthZ and Policy Management
    • OS Policy Management - SSH and Access Control
    • Kafka Topic Authorization
    • Many more…

  89. AuthZ-as-Code
    Copyright © we45 2020

  90. Let’s look at most AuthZ flaws
    • Inconsistent implementation of Object Level Authorization
    • Access Control code strewn across multiple services
    • Lack of standardization and expressive capability for AuthZ frameworks
    • Heavily design dependent - which gets complex at scale

  91. AuthZ-as-Code Frameworks

  92. Object Level AuthZ
    … has access to … to perform …

  93. Functional AuthZ
    … has access to … to perform …

  94. RBAC - Role Based Access Control

  95. ABAC - Attribute Based Access Control

  96. Google Zanzibar approach

  97. Approach

  102. Casbin

  109. PERM
    Policy, Effect, Request, Matchers

  111. What is PERM?
    Request Attributes must MATCH Policy Attributes

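The Casbin slides are images apart from the PERM summary above, so here is an added example of a PERM model, written for this page and not taken from the talk or from the Casbin project. It shows the "request attributes must match policy attributes" idea on the same orders API: roles via `g` give function-level access, and an owner attribute on the object gives object-level access. Role names, users, the `:id` path pattern and the assumption that the service calls `e.Enforce("alice", order, "GET")` with an `order` value carrying `Path` and `Owner` attributes are all illustrative; the two files are shown in one block for reading and would be saved separately.

```ini
# Added example, not part of the deck. Two files: model.conf (PERM definition)
# and policy.csv (the rows the matcher is evaluated against).

# ---- model.conf ----
[request_definition]
# sub = authenticated user name, obj = the order being accessed (an object with
# .Path and .Owner attributes loaded by the service from its own store, never
# taken from the request body), act = HTTP method
r = sub, obj, act

[policy_definition]
# sub is a role here, obj a path pattern, act the permitted method
p = sub, obj, act

[role_definition]
# g(user, role): which roles a user holds
g = _, _

[policy_effect]
# one matching allow row grants access; no matching row means deny
e = some(where (p.eft == allow))

[matchers]
# Request attributes must match policy attributes: the caller holds the row's
# role, the path fits the row's pattern, the method is equal, and for the
# customer role the object must additionally be owned by the caller (ABAC).
m = g(r.sub, p.sub) && keyMatch2(r.obj.Path, p.obj) && r.act == p.act && (p.sub != "customer" || r.obj.Owner == r.sub)

# ---- policy.csv ----
# function-level: which role may perform which action on which route
p, customer, /orders/:id, GET
p, support, /orders/:id, GET
p, admin, /orders/:id, DELETE
# role assignments
g, alice, customer
g, bob, customer
g, carol, support
g, root, admin
g, root, support
```

With these rows, `alice` reading an order whose `Owner` is `bob` matches the customer row on role, path and method but fails the owner clause, and no other row applies, so the effect is deny; `carol` reading the same order is allowed through the support row without an owner check; only `root` may issue DELETE. The matcher is the single place where the object-level rule lives, which is the "not strewn across services" point from the AuthZ flaws slide, but it is only as trustworthy as the object the service hands to `Enforce`.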
  112. Lab: OPA, Traefik and Decentralized security Controls

  113. PaC on Cloud Control-Planes

  114. PaC Applicability
    • PaC is already important for enforcing policies across Cloud and Cloud-Native Control-Planes
    • Can be leveraged for Access Control, Admission Control
    • Common Use-Cases: Network Policy, Service Policies, Admission Control Policies

  115. PaC - Cloud Control-Planes

  124. Policy Management with Kyverno

  125. What is Kyverno?
    • Policy-Engine specifically designed for Kubernetes
    • Policies are created and managed as native Kubernetes resources and authored in YAML
    • Validating and Mutating Policies and Webhooks are Supported by Kyverno

  126. Kyverno Concepts
    • Install Kyverno CRDs, Webhooks, Service Accounts and Namespaces
    • Policies => Validating or Mutating Policy Definitions
    • Selectors => Matches Resources in Request based on Policy

  127. Kyverno Policy Structure

  128. Basic Kyverno Validate Policy

  129. Kyverno Mutate Policy

  130. Kyverno Generate Policy

  131. Kyverno Benefits
    • No additional DSL required.
    • Mutate, Validate AND Generate
    • Background Capabilities
    • Audit/Enforce
    • Reporting - Out of the box

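The policy slides (127 to 130) are images, so the following is an added example covering the three rule types the benefits slide names, written for this page rather than taken from the talk or from the Kyverno project. Policy names, the hardening choices (non-root containers, a RuntimeDefault seccomp profile, a default-deny NetworkPolicy per namespace) and the match selectors are assumptions; the field names are Kyverno's.

```yaml
# Added example, not part of the deck. Three ClusterPolicies: validate, mutate, generate.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: validate-pod-hardening
spec:
  # Audit only records violations in PolicyReports; Enforce rejects the admission request.
  validationFailureAction: Enforce
  # Background scanning also evaluates resources that already exist in the cluster.
  background: true
  rules:
    - name: run-as-non-root
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Containers must run as non-root and must not allow privilege escalation."
        # A single-element list pattern is applied to every container in the Pod.
        pattern:
          spec:
            containers:
              - securityContext:
                  runAsNonRoot: "true"
                  allowPrivilegeEscalation: "false"
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: mutate-default-seccomp
spec:
  rules:
    - name: add-runtime-default-seccomp
      match:
        any:
          - resources:
              kinds: [Pod]
      mutate:
        patchStrategicMerge:
          spec:
            securityContext:
              # The +() anchor adds the field only when it is absent, so an explicit
              # profile chosen by the workload is left untouched.
              +(seccompProfile):
                type: RuntimeDefault
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-default-deny
spec:
  rules:
    - name: default-deny-ingress-egress
      match:
        any:
          - resources:
              kinds: [Namespace]
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny
        namespace: "{{request.object.metadata.name}}"
        # synchronize keeps the generated object in place if someone edits or deletes it.
        synchronize: true
        data:
          spec:
            podSelector: {}
            policyTypes: [Ingress, Egress]
```

Apply with `kubectl apply -f` and read results with `kubectl get policyreport -A`. The safe rollout order for the validate policy is `Audit` first, until the reports show no unexpected violations in existing workloads, then `Enforce`; the mutate and generate rules change what gets created, so they should be reviewed the same way before they are allowed to touch production namespaces.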
  132. Lab: Kyverno

  133. Conclusions
    • Policy-as-Code is a powerful way to create and enforce consistent Secure Defaults and Paved Roads for your AppSec use-cases
    • Policy-as-Code helps bring order to a complex world of distributed systems
    • Policy-as-Code can be applied across the stack