Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Policy-as-Code: Across the Stack - OWASP AppSec DC 2023 | Abhay Bhargav

Abhay Bhargav
November 06, 2023
Technology
0
550

Policy-as-Code: Across the Stack - OWASP AppSec DC 2023 | Abhay Bhargav

In today's world of rapidly evolving technology and the increasing complexity of software systems, ensuring the security and compliance of applications across the stack has become paramount. This talk will provide an in-depth exploration of Policy-as-Code (PaC) and how it can be employed to implement decoupled security practices across the stack. PaC serves as a unified framework that enables organizations to define, manage, and enforce policies in a consistent, transparent, and automated manner. This approach facilitates better security, compliance, and risk management, while also reducing the need for manual intervention.

The talk will focus on the use of Open-Source Policy-as-Code Frameworks to do policy composition, management and enforcement across the stack

Abhay Bhargav

November 06, 2023
Tweet

More Decks by Abhay Bhargav

See All by Abhay Bhargav
Flaming Hot SLSA!
abhaybhargav
1
560
SecAppDev - Fantastic API Security Vulnerabilities and where to find them
abhaybhargav
1
93
SecAppDev 2022 - Everything as code
abhaybhargav
0
120
Hook, Line and Sinker - Pillaging API Webhooks
abhaybhargav
0
740
DevSecOops - Stories of DevSecOps Failures and Success
abhaybhargav
0
1.5k
Practical DevSecOps Pipelines
abhaybhargav
1
310
A Hitchhikers Guide to Secrets Management in the Cloud - OWASP Seattle
abhaybhargav
0
260
Agile Threat Modeling-as-Code
abhaybhargav
2
680

Other Decks in Technology

See All in Technology
JAWS-UG Bedrock Claude Night
yamahiro
3
620
アクセシビリティを考慮したUI/CSSフレームワーク・ライブラリ選定
yajihum
2
1k
ChatworkのSRE部って実は 半分くらいPlatform Engineering部かもしれない
saramune
0
160
LangSmith入門―トレース/評価/プロンプト管理などを担うLLMアプリ開発プラットフォーム
os1ma
4
420
ServiceNow Knowledge Learning Rise up
manarobot
0
210
【NW X Security JAWS#3】L3-4:AWS環境のIPv6移行に向けて知っておきたいこと
shotashiratori
0
440
ワールドカフェI /チューターを改良する / World Café I and Improving the Tutors
ks91
PRO
0
130
Building a RAG-powered AI chat app with Python and VS Code
pamelafox
0
110
DMM.com アルファ室採用案内資料
hsugita
1
170
どうするコスト最適化のトレードオフ
tetsuyaooooo
1
610
web-application-security
matsuihidetoshi
0
180
今年のRubyKaigiはProfiler Year🤘
osyoyu
0
200

Featured

See All Featured
Git: the NoSQL Database
bkeepers
PRO
422
63k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
2
3.4k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
2
1.3k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
659
120k
Making the Leap to Tech Lead
cromwellryan
124
8.5k
The Invisible Customer
myddelton
114
12k
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.6k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
60
14k
Scaling GitHub
holman
457
140k
The World Runs on Bad Software
bkeepers
PRO
61
6.7k
No one is an island. Learnings from fostering a developers community.
thoeni
16
2.1k
WebSockets: Embracing the real-time Web
robhawkes
59
7k

Transcript

  1. abhaybhargav Policy-as-Code: Across the Stack Abhay Bhargav

  2. abhaybhargav Yours Truly • Founder @ we45 • Founder @

    AppSecEngineer • AppSec Automation Junkie • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc world-wide • Co-author of Secure Java For Web Application Development • Author of PCI Compliance: A De fi nitive Guide

  3. abhaybhargav My talk…

  4. abhaybhargav My talk…

  5. abhaybhargav Agenda

  6. abhaybhargav Agenda • Success Factors and Problems on the road

    to DevSecOps

  7. abhaybhargav Agenda • Success Factors and Problems on the road

    to DevSecOps • The need for “Policy-as-Code”

  8. abhaybhargav Agenda • Success Factors and Problems on the road

    to DevSecOps • The need for “Policy-as-Code” • PaC across the StaCk

  9. abhaybhargav Agenda • Success Factors and Problems on the road

    to DevSecOps • The need for “Policy-as-Code” • PaC across the StaCk • Application and API Gateway: Policy-as-Code

  10. abhaybhargav Agenda • Success Factors and Problems on the road

    to DevSecOps • The need for “Policy-as-Code” • PaC across the StaCk • Application and API Gateway: Policy-as-Code • Cloud-Native Control Planes - Policy-as-Code

  11. abhaybhargav Agenda • Success Factors and Problems on the road

    to DevSecOps • The need for “Policy-as-Code” • PaC across the StaCk • Application and API Gateway: Policy-as-Code • Cloud-Native Control Planes - Policy-as-Code • Conclusions

  12. abhaybhargav The Promise of DevSecOps

  13. abhaybhargav The Promise of DevSecOps

  14. abhaybhargav The Promise of DevSecOps

  15. abhaybhargav The Promise of DevSecOps

  16. abhaybhargav The Reality

  17. abhaybhargav The Reality

  18. abhaybhargav The Paved Road

  19. abhaybhargav Why? • 88% troubled by problems due to API

    Authentication - Palo Alto API Security Report 2023 • Broken Object Level (and Property) Authorization - OWASP API Security Top 10 2023 • 40% - API Miscon fi gurations like Excessive Data Exposure, etc - Palo Alto API Security Report 2023

  20. abhaybhargav The “As-Code” Movement

  21. abhaybhargav The “As-Code” Movement • Version Control and Single source

    of truth

  22. abhaybhargav The “As-Code” Movement • Version Control and Single source

    of truth • Scalability and Automation

  23. abhaybhargav The “As-Code” Movement • Version Control and Single source

    of truth • Scalability and Automation • Consistency and Reproducibility

  24. abhaybhargav The “As-Code” Movement • Version Control and Single source

    of truth • Scalability and Automation • Consistency and Reproducibility • Continuous Improvement

  25. abhaybhargav The “As-Code” Movement • Version Control and Single source

    of truth • Scalability and Automation • Consistency and Reproducibility • Continuous Improvement • High Fidelity

  26. abhaybhargav The “As-Code” Movement • Version Control and Single source

    of truth • Scalability and Automation • Consistency and Reproducibility • Continuous Improvement • High Fidelity • Testable ??

  27. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam

  28. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam

  29. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam

  30. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code

  31. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code

  32. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code DAST/Regression as Code

  33. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code DAST/Regression as Code

  34. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code DAST/Regression as Code Decoupled Security Controls /Policy-As-Code

  35. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code DAST/Regression as Code Decoupled Security Controls /Policy-As-Code Threat Models as Code

  36. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code DAST/Regression as Code Decoupled Security Controls /Policy-As-Code Threat Models as Code

  37. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code DAST/Regression as Code Decoupled Security Controls /Policy-As-Code Threat Models as Code Detection Engineering

  38. abhaybhargav DevSecOps Plan Code Build Test Release Deploy Operate Monitor

    Threat modeling, Training, Baselines SAST Source Composition Analysis Secure Defaults Build Security Processes DAST IAST, InfraSec, Sec Regression Infrastructure Security, Cloud Hardening, Secrets Management Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam SAST as Code DAST/Regression as Code Decoupled Security Controls /Policy-As-Code Threat Models as Code Detection Engineering

  39. abhaybhargav “PaC ‘cross the stack”

  40. abhaybhargav Policy as Code

  41. abhaybhargav Need and Motivation

  42. abhaybhargav Need and Motivation • The idea is to NOT

    hardcode security rules in app that have rapidly evolving and changing requirements

  43. abhaybhargav Need and Motivation • The idea is to NOT

    hardcode security rules in app that have rapidly evolving and changing requirements • Customisable and Purpose-Built

  44. abhaybhargav Need and Motivation • The idea is to NOT

    hardcode security rules in app that have rapidly evolving and changing requirements • Customisable and Purpose-Built • Testable

  45. abhaybhargav Need and Motivation • The idea is to NOT

    hardcode security rules in app that have rapidly evolving and changing requirements • Customisable and Purpose-Built • Testable • Scalable

  46. abhaybhargav Need and Motivation • The idea is to NOT

    hardcode security rules in app that have rapidly evolving and changing requirements • Customisable and Purpose-Built • Testable • Scalable • Create a “Paved Road” for Product Engineering Teams

  47. abhaybhargav Typical Use-Cases • Syscall Pro fi ling, Seccomp, AppArmor

    and eBPF for Runtime Security enforcement • Authorization, CORS, Rate-Limiting, mTLS and others on the API Gateway • Input Validation, Access Control with Policy-as-Code Frameworks

  48. abhaybhargav Across the Stack

  49. abhaybhargav Security Model - An Example

  50. abhaybhargav Dynamic PaC Stack at the Gateway

  51. abhaybhargav Imagine…

  52. abhaybhargav Imagine…

  53. abhaybhargav Imagine…

  54. abhaybhargav Imagine…

  55. abhaybhargav Imagine…

  56. abhaybhargav Imagine…

  57. abhaybhargav Imagine…

  58. abhaybhargav Imagine… Your Service Business Logic

  59. abhaybhargav Imagine… Your Service Business Logic JWT Authorization

  60. abhaybhargav Imagine… Your Service Business Logic JWT Authorization Input Validation

  61. abhaybhargav Imagine… Your Service Business Logic JWT Authorization Input Validation

    Object Access Control

  62. abhaybhargav Imagine… Your Service Business Logic JWT Authorization Input Validation

    Object Access Control Authentication

  63. abhaybhargav Imagine… Your Service Business Logic JWT Authorization Input Validation

    Object Access Control Authentication Logging

  64. abhaybhargav The Proposed Solution

  65. abhaybhargav PaC - Applicability

  66. abhaybhargav PaC - Applicability • Input Validation at Gateway

  67. abhaybhargav PaC - Applicability • Input Validation at Gateway •

    JWT Validation at Gateway + Claims

  68. abhaybhargav PaC - Applicability • Input Validation at Gateway •

    JWT Validation at Gateway + Claims • Function Level AuthZ at App + Gateway

  69. abhaybhargav PaC - Applicability • Input Validation at Gateway •

    JWT Validation at Gateway + Claims • Function Level AuthZ at App + Gateway • Object Level AuthZ at App + Gateway

  70. abhaybhargav Frameworks we’ll use • Open Policy Agent and Rego

    • Casbin/Oso, etc

  71. abhaybhargav Open-Policy-Agent • Policy Management Framework for “any” environment •

    Allows you to de fi ne policies that can be enforced based on generic json input and output parameters • Uses a DSL (domain speci fi c language) called “rego” that is used to de fi ne policies

  72. abhaybhargav Open Policy Agent - Operation

  73. abhaybhargav Rego Rule Syntax

  74. abhaybhargav Rego Rule Syntax

  75. abhaybhargav Rego Rule Syntax

  76. abhaybhargav Rego Rule Syntax

  77. abhaybhargav Rego Rule Syntax

  78. abhaybhargav Rego Rule Syntax

  79. abhaybhargav Rego Rule Syntax

  80. abhaybhargav Rego Rule Syntax

  81. abhaybhargav Rego Rule Syntax

  82. abhaybhargav Rego Rule Syntax

  83. abhaybhargav Rego Rule Syntax

  84. abhaybhargav Rego Rule Syntax

  85. abhaybhargav Rego Rule Syntax

  86. abhaybhargav Rego Rule Syntax

  87. abhaybhargav Rego Rule Syntax

  88. abhaybhargav OPA Use-Cases • Kubernetes Policy Management • API AuthZ

    and Policy Management • OS Policy Management - SSH and Access Control • Kafka Topic Authorization • Many more…

  89. Copyright © we45 2020 abhaybhargav AuthZ-as-Code

  90. abhaybhargav Let’s look at most AuthZ flaws • Inconsistent implementation

    of Object Level Authorization • Access Control code strewn across multiple services • Lack of standardization and expressive capability for AuthZ frameworks • Heavily design dependent - which gets complex at scale

  91. abhaybhargav AuthZ-as-Code Frameworks

  92. abhaybhargav Object Level AuthZ has access to to perform

  93. abhaybhargav Functional AuthZ has access to to perform

  94. abhaybhargav RBAC - Role Based Access Control

  95. abhaybhargav ABAC - Attribute Based Access Control

  96. abhaybhargav Google Zanzibar approach

  97. abhaybhargav Approach

  98. abhaybhargav Approach

  99. abhaybhargav Approach

  100. abhaybhargav Approach

  101. abhaybhargav Approach

  102. abhaybhargav Casbin

  103. abhaybhargav Casbin

  104. abhaybhargav Casbin

  105. abhaybhargav Casbin

  106. abhaybhargav Casbin

  107. abhaybhargav

  108. abhaybhargav PERM

  109. abhaybhargav PERM Policy, Effect, Request, Matchers

  110. abhaybhargav What is PERM?

  111. abhaybhargav What is PERM? Request Attributes must MATCH Policy Attributes

  112. abhaybhargav Lab: OPA, Traefik and Decentralized security Controls

  113. abhaybhargav PaC on Cloud Control-Planes

  114. abhaybhargav PaC Applicability • PaC is already important for enforcing

    policies across Cloud and Cloud-Native Control-Planes • Can be leveraged for Access Control, Admission Control • Common Use-Cases: Network Policy, Service Policies, Admission Control Policies

  115. abhaybhargav PaC - Cloud Control-Planes

  116. abhaybhargav PaC - Cloud Control-Planes

  117. abhaybhargav PaC - Cloud Control-Planes

  118. abhaybhargav PaC - Cloud Control-Planes

  119. abhaybhargav PaC - Cloud Control-Planes

  120. abhaybhargav PaC - Cloud Control-Planes

  121. abhaybhargav PaC - Cloud Control-Planes

  122. abhaybhargav PaC - Cloud Control-Planes

  123. abhaybhargav PaC - Cloud Control-Planes

  124. Policy Management with Kyverno

  125. What is Kyverno? • Policy-Engine speci fi cally designed for

    Kubernetes • Policies are created and managed as native Kubernetes resources and authored in YAML • Validating and Mutating Policies and Webhooks are Supported by Kyverno

  126. Kyverno Concepts • Install Kyverno CRDs, Webhooks, Service Accounts and

    Namespaces • Policies => Validating or Mutating Policy De fi nitions • Selectors => Matches Resources in Request based on Policy

  127. Kyverno Policy Structure

  128. Basic Kyverno Validate Policy

  129. Kyverno Mutate Policy

  130. Kyverno Generate Policy

  131. Kyverno Benefits • No additional DSL required. • Mutate, Validate

    AND Generate • Background Capabilities • Audit/Enforce • Reporting - Out of the box

  132. Lab: Kyverno

  133. abhaybhargav Conclusions • Policy-as-Code is a powerful way to create

    and enforce consistent Secure Defaults and Paved Roads for your AppSec use-cases • Policy-as-code helps bring in order to a complex world of distrubuted systems • Policy-as-code can be applied across the stack