
Spring I/O 2023 - Barcelona

Badr
May 23, 2023

Many applications require some sort of secret, such as a database password or a certificate. The growing popularity of Kubernetes and cloud adoption has drawn the attention of attackers and raised the stakes for developers. Secrets management in Spring Boot applications comes with many challenges.

This session summarises the patterns available for securing cloud-native application secrets. It demos open-source secrets management solutions such as Conjur for securing access, enforcing policy and authenticating access requests, the capabilities that developers and DevOps engineers now look for to properly secure secrets in DevOps pipelines.

To do their job, developers need to write applications that access resources securely via secrets, while security teams need to mitigate risk. This can lead to contention between developers and security teams.

The talk covers the following topics:

- Increase awareness of the vulnerabilities and risks; remove hard-coded credentials
- Simplify secrets management
- Introduction to the secret zero problem
- Secure all application types, everywhere, with JWT and certificate-based authentication
- Strong authentication and authorization: ABAC, applying least privilege
- When to use sidecar and init container patterns to improve application security in Kubernetes
- What is the Secretless pattern?
- How does the security team get full auditing and control?

Transcript

  1. cyberark.com/devsecops
    Badr NASS LAHSEN
    Cyber Security Architecture & EMEA DevSecOps SME
    May 18th, 2023
    @bnasslahsen
    @nass_lahsen
    Copyright © 2023 CyberArk Software Ltd. All rights reserved.

  2. Who Are We
    CyberArk is the global leader in privileged access management, a critical layer of IT security protecting access to data, infrastructure and applications across the enterprise, in the cloud and throughout the DevOps pipeline.

  3. Agenda
    • Why Shift Security Left for Software Development
    • What is Application Identity Security?
    • How to manage Spring-Boot Applications Secrets?
    • Summary and Q&A

  4. 71% of organizations experienced an attack on their software supply chain in 2021
    66% of attacks in 2020-2021 compromised code
    67% of organizations have not done a formal assessment or education on software supply chain risk
    Millions of organizations affected
    Sources: CyberArk, 2022 Identity Security Threat Landscape Report; ENISA, Threat Landscape of Software Supply Chain attacks; PWC, 2022 Global Digital Trust Insights
    * https://www.sonatype.com/resources/state-of-the-software-supply-chain-2021

  5. Massive Breach at Uber in September 2022
    Outcome: Attacker gains broad administrative access to critical Uber IT systems
    Attack Path:
    • Phase 1: Attacker gains entry to Uber network via social engineering
    • Phase 2: Discover hard-coded secret in PowerShell script for PAM solution
    • Phase 3: Escalate privileges and spread the breach everywhere

  6. * https://slsa.dev/spec/v0.1/threats
    https://labs.cyberark.com/anun/

  7. Risks across the pipeline stages: Developer, Identity/Access, Endpoint, Build, CI/CD, Test/Provision, Run/Operate
    • Weak authentication
    • Authentication fatigue
    • Lack of credential rotation
    • Lack of audit
    • Over-permissioning
    • Local admin rights
    • Credential theft risk
    • High variability of unknown applications
    • Relaxed security policy
    • Exposed credentials
    • Compromised OSS
    • Code injection, theft, and tampering
    • Malicious use of interactive access
    • Stolen access keys
    • Hijacked compute/resources
    • Exposed data
    • Stolen IP

  8. What is Application Identity Security?

  9. Machine Identities Outnumber Human Identities 45 to 1
    45 non-human identities (machines, applications, workloads, etc.) to 1 human identity*
    *From a global survey of 1,750 security decision makers

  10. Secrets = privileged access for non-human identities
    • Credential, Access Key, SSH key, etc.
    • Apps use secrets to securely access IT and other resources.
    • If the attacker has the secret, they can access the resource.
    Hardcoded secrets = "breach waiting to happen"
    • Cannot rotate, track, audit, or enforce security policies
    • Are exposed in code repositories – Git.
    Secrets and other non-human credentials need to be protected.
    SOLUTION: SECRETS MANAGEMENT

  11. Islands of Security
    Secret stores in use across teams: Hiera Databags, Vault, Azure Key Vault, Git Secret, Azure DevOps Secrets, GitHub Secrets, Secrets Manager / KMS.
    There are many ways to vault secrets, but:
    • Developers must learn multiple solutions
    • Hard to establish & share best practices
    • Short-cuts often taken
    • SoD not enforced
    • GRC reporting is impossible

  12. Most Frequent Audit Findings for Secrets
    … is that while there is frequently standardisation in the management of privileged human identities, the situation is very different in the non-human domain (apps, CI/CD, cloud, RPA):
    X No audit or logs
    X No rotation or security governance
    X No centralized control
    X No visibility to security team (shadow IT)
    X Secrets stored in different vaults (some are not secure)
    X Hard-coded credentials in code or config files

  13. Challenges that enterprises face …
    • Where will the secrets live?
    • What secret store?
    • Will the application be ported?
    • How will secrets management impact my applications?
    • How can I increase my application's security?
    • How will I audit account usage?
    • Will developers use the secrets management solution?

  14. APP ID – Removal of Hard-Coded Credentials, Credential Rotation, MFA (Enforce Strong Authn for Apps)
    Establish identity to applications:
    • Create auditable identity for apps
    • Access is authorized, logged and auditable
    • Limits discovery & reduces attack surface
    • Enables compliance with audit & best practices
    • Removes the security island dilemma
    Credential rotation:
    • Regularly perform secrets rotation
    • No updates to files, code or DBs when secrets are rotated
    • No application downtime required to rotate secrets

  15. Human Identity
    • Humans have built-in authentication support:
      –Built-in vault for passwords
      –Back-channels for MFA (e.g. phones)
    • Non-humans need a way to bootstrap identity authentication that doesn't put credentials at risk
    • But how to manage that initial secret required by apps to bootstrap identity?
    • This is the Secret-Zero problem.

  16. • Strong Application Authentication – enable a secure way for applications running on various platforms to authenticate using a JSON Web Token (JWT) or a Certificate.
    • Support for advanced use cases – provide a generic and flexible authentication method based on the workload attributes.
    • Allow the organization to comply with the protocol's security standards.
    • Provide an authentication endpoint to any modern workload which can be identified with a JWT or a Certificate.
    • The authenticator is responsible for authenticating workloads / non-human identities and acting as an authorization layer to the secrets.
    • Easy to extend and adopt

  17. Conjur policy tree (diagram)
    /
    ├─ conjur
    │   ├─ authn-azure
    │   │   └─ tenant-1
    │   └─ authn-k8s
    │       ├─ cluster-1
    │       └─ cluster-2
    ├─ vault
    │   └─ data
    │       ├─ Team1-Safe
    │       ├─ Team2-Safe
    │       └─ Team3-Safe
    ├─ Team1: Apps (hosts)
    ├─ Team2: Apps (hosts)
    └─ Team3: Apps (hosts)
    Roles shown: Security admins, Team admins, and a "managers" and "consumers" group per safe, connected by Grants.

  18. Leverage unique native capabilities of non-human identity for highest level of security (Application -> Conjur)
    Identity Attribute                              Authenticator
    IAM Roles                                       authn-iam
    Azure Resources                                 authn-azure
    Namespace, Deployment, Stateful Set, Others     authn-k8s
    OpenID Connect (OIDC) Identity Layer            authn-oidc
    Google identity platform                        authn-gcp
    LDAP User Credentials                           authn-ldap
    JSON Web Token authentication                   authn-jwt

  19. 1) Admin allow-lists app identity. Options for identity granularity include (but are not limited to):
       • Identity = Cluster/Namespace
       • Identity = Cluster/Namespace/Service Account
    2) Authenticator client in app pod submits CSR with platform attributes to CyberArk Conjur
    3) CyberArk Conjur verifies attributes with platform service
    4) CyberArk Conjur issues cert & key creds to authenticator client in app pod
    5) Authenticator client in app pod uses creds to authenticate, gets CyberArk Conjur access token and shares it via shared memory volume.
    (Diagram labels: Policy, csr, identity, verify, access token, CyberArk Secrets Manager)

  20. How to manage Spring-Boot Applications Secrets?

  21. GOOD DEVELOPER EXPERIENCE IS IMPORTANT! SO IS COLLABORATION! (Developers / Security)

  22. Spring Use Case (diagram)
    A user sends a login request to Spring Security; the application authenticates to Conjur, receives a short-lived access token and uses it to get the secret through the Conjur APIs, with authorization decided by the Conjur policy.

  23. 1. An application requests an identity token from a JWT provider
    2. The JWT provider sends a JWT back to the application
    3. The application sends an authentication request to CyberArk Conjur using the JWT Authenticator REST API.
    4. CyberArk Conjur fetches a public key from the JWT provider by accessing the JWKS endpoint of the vendor (jwks-uri or public-keys value).
    5. CyberArk Conjur attempts to authenticate and authorize the request. If successful, CyberArk Conjur sends a short-lived access token back to the application.
    6. The application can use the CyberArk Conjur token to retrieve secrets stored in Conjur (Summon / Conjur API).
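The six-step JWT exchange above, together with the admin allow-list from step 1 of the Kubernetes flow on slide 19, as an added example that is not code from the talk or from CyberArk. It models all three parties in one Python process so it runs without a Conjur server: a JWT provider issues a workload identity token, an authenticator verifies it against the provider's key set, maps its claims to an allow-listed host, and issues a short-lived access token, and the application trades that token for a secret. Every name, claim, policy entry and key below is constructed for the demo; signatures use HMAC-SHA256 with a shared key purely to stay dependency-free, whereas a real authenticator verifies an asymmetric signature with the public key fetched from the provider's JWKS endpoint.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes, kid: str) -> str:
    """Compact JWS: header.payload.signature (HS256 stands in for RS256 here)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_jwt(token: str, key_set: dict, now: float) -> dict:
    """Look the key up by kid (the JWKS step), check the signature and exp, return claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    key = key_set.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        raise ValueError("unknown key id or algorithm")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

# --- constructed sample data (none of this comes from the talk) ---
PROVIDER_KEYS = {"kid-2023": b"constructed-provider-signing-key"}  # stands in for the JWKS
ISSUER = "https://jwt-provider.example"
AUDIENCE = "conjur"
# Step 1 of the Kubernetes flow: the admin allow-lists platform attributes -> host identity.
POLICY_HOSTS = {("payments", "orders-api"): "host/apps/orders-api"}
# Which variables each host may read (the authorization layer in front of the secrets).
POLICY_GRANTS = {"host/apps/orders-api": {"apps/orders/db-password"}}
VAULT = {"apps/orders/db-password": "constructed-db-password"}
ACCESS_TOKEN_KEY = b"constructed-conjur-token-key"
ACCESS_TOKEN_TTL = 8 * 60  # access tokens are short-lived, so a leaked one ages out quickly

def jwt_provider_issue(namespace: str, service_account: str, now: float, ttl: int = 3600) -> str:
    """Steps 1-2: the provider returns a signed identity token carrying workload attributes."""
    claims = {"iss": ISSUER, "aud": AUDIENCE,
              "sub": f"system:serviceaccount:{namespace}:{service_account}",
              "kubernetes.io/namespace": namespace,
              "kubernetes.io/serviceaccount": service_account,
              "iat": int(now), "exp": int(now) + ttl}
    return sign_jwt(claims, PROVIDER_KEYS["kid-2023"], "kid-2023")

def conjur_authenticate(jwt: str, now: float) -> str:
    """Steps 3-5: verify the JWT, map its claims to an allow-listed host, mint an access token."""
    claims = verify_jwt(jwt, PROVIDER_KEYS, now)
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise PermissionError("issuer/audience not accepted")
    ident = (claims.get("kubernetes.io/namespace"), claims.get("kubernetes.io/serviceaccount"))
    host = POLICY_HOSTS.get(ident)
    if host is None:
        raise PermissionError(f"identity {ident} is not allow-listed")
    return sign_jwt({"sub": host, "exp": int(now) + ACCESS_TOKEN_TTL}, ACCESS_TOKEN_KEY, "conjur")

def conjur_get_secret(access_token: str, variable: str, now: float) -> str:
    """Step 6: check the token, authorize its host against the grants, return the value."""
    claims = verify_jwt(access_token, {"conjur": ACCESS_TOKEN_KEY}, now)
    if variable not in POLICY_GRANTS.get(claims["sub"], set()):
        raise PermissionError(f"{claims['sub']} may not read {variable}")
    return VAULT[variable]

def app_fetch(namespace: str, service_account: str, variable: str, now: float = None) -> str:
    """The application side of the exchange, end to end."""
    now = time.time() if now is None else now
    jwt = jwt_provider_issue(namespace, service_account, now)
    token = conjur_authenticate(jwt, now)
    return conjur_get_secret(token, variable, now)

if __name__ == "__main__":
    print(app_fetch("payments", "orders-api", "apps/orders/db-password"))
```

The checks that matter for defenders are the ones that reject: a workload from a namespace that was never allow-listed, a token minted for the wrong audience, a forged access token, and an access token presented after its TTL all fail before any secret is read.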

  24. • Securing etcd—secret data is stored in etcd. By default, etcd data is not encrypted.
    • You can't share the manifest file or push it into a repo.
    • Users who consume a secret can see its value.
    • Root exploit — anyone with root access on any node can read any secret.
    • No visibility or change management.
    • No built-in rotation
    -> KubiScan: a tool for scanning a Kubernetes cluster for risky permissions in Kubernetes's Role-based access control (RBAC) authorization model. https://github.com/cyberark/KubiScan

  25. • Native ways to consume secrets for a great developer experience
    • Cloud-agnostic
    • One integration across all Kubernetes/OpenShift platforms that can be re-used everywhere
    Secrets Provider (Push to Kubernetes Secrets): makes the secrets available in Kubernetes Secrets
      –Native experience for developers that already use Kubernetes Secrets
      –Easier deployment using HELM
      –No code change to the application
      –Supports rotations
    Secrets Provider (Push to Files): makes secrets available to the application as files in the pod's memory
      –No code change required
    Summon: fetches secrets and makes them available to the application as environment variables
    APIs: uses API calls to retrieve secrets
      –Available APIs for Java, Ruby and Go
      –Supports rotations
    Secretless Broker: brokers the connection to the target resource
      –No secrets delivered to the application
      –No code changes required
      –Supports rotations

  26. Secrets Provider for Kubernetes (K8s Secrets)
    1. The cyberark-secrets-provider-for-k8s init container starts and authenticates to the Follower using the Kubernetes Authenticator
    2. The cyberark-secrets-provider-for-k8s init container reads all Kubernetes Secrets required by the pod
    3. For each mapped Kubernetes secret, the cyberark-secrets-provider-for-k8s init container:
       • Retrieves Conjur secrets
       • Updates the Kubernetes secret with the Conjur secret value
    4. The cyberark-secrets-provider-for-k8s init container runs to completion
    5. The application container starts and consumes the Kubernetes Secrets

  27. Push To Files
    1. The Secrets Provider is deployed in the same Pod as your application container. The authentication container starts up and parses Pod annotations from a Kubernetes Downward API volume. The Pod annotations are organized in secret groups, with each secret group indicating to the Secrets Provider:
    2. The Secrets Provider authenticates to Conjur using the Kubernetes Authenticator.
    3. The Secrets Provider reads all Conjur secrets required across all secret groups.
    4. The Secrets Provider renders secrets files for each secret group, and writes the resulting files to a volume that is shared with your application container.
    5. The Secrets Provider container runs to completion.
    6. Your application container starts and consumes the secrets files from the shared volume.

  28. Summon
    1. Summon invoked with authenticated identity
    2. Summon fetches secrets using identity
    3. Processes launched with secrets in environment
    Learn more at: https://cyberark.github.io/summon/
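The three Summon steps above, as an added Python model that is not the talk's code and not CyberArk's Summon: a minimal secrets.yml is parsed (only the `!var` tag and literal values are handled here; real Summon also supports other tags), each `!var` is resolved against a constructed in-memory provider standing in for the vault, and the values are placed in the environment of a child process only. The provider contents, variable ids and environment names are all constructed for the demo.

```python
import os
import subprocess
import sys

# Constructed stand-in for the secrets provider Summon would call with the process identity.
PROVIDER = {
    "prod/orders/db/user": "app",
    "prod/orders/db/password": "constructed-y7qeF$1",
}

# Constructed secrets.yml: environment name -> !var <secret id> or a literal value.
SECRETS_YML = """\
# database connection for the orders service
DB_USER: !var prod/orders/db/user
DB_PASSWORD: !var prod/orders/db/password
DB_HOST: db.internal.example
"""

def parse_secrets_yml(text: str) -> dict:
    """Return {ENV_NAME: ("var", secret_id) | ("literal", value)} for each 'KEY: value' line."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if value.startswith("!var "):
            mapping[name.strip()] = ("var", value[len("!var "):].strip())
        else:
            mapping[name.strip()] = ("literal", value)
    return mapping

def resolve(mapping: dict, provider: dict) -> dict:
    """Step 2: fetch every !var from the provider; a missing grant aborts before anything runs."""
    env = {}
    for name, (kind, ref) in mapping.items():
        if kind == "var":
            if ref not in provider:
                raise KeyError(f"no access to {ref}")
            env[name] = provider[ref]
        else:
            env[name] = ref
    return env

def summon(command: list, secrets_yml: str = SECRETS_YML, provider: dict = PROVIDER) -> str:
    """Step 3: launch the command with the secrets in its environment and return its stdout.
    The parent's own os.environ is never modified, so the secrets live only in the child."""
    secrets = resolve(parse_secrets_yml(secrets_yml), provider)
    child_env = {**os.environ, **secrets}
    result = subprocess.run(command, env=child_env, capture_output=True, text=True, check=True)
    return result.stdout.strip()

def demo() -> tuple:
    """Run a child that reads two injected variables; report what it saw and whether the
    parent process ever had the password in its environment."""
    cmd = [sys.executable, "-c",
           "import os; print(os.environ['DB_USER'] + '@' + os.environ['DB_HOST'])"]
    return summon(cmd), "DB_PASSWORD" in os.environ

if __name__ == "__main__":
    print(demo())
```

The secret still ends up in a process environment, which any code in that process (or anyone who can read its environment) can see; that is the gap the Secretless pattern on the later slides closes.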

  29. Modern Solution Architecture
    No Solution – Hardcode Credentials:
      UserName = "app"
      Password = "y7qeF$1"
      Host = "10.10.3.56"
      ConnectDatabase(Host, UserName, Password)
    At Risk – Widely exposes credentials
    Vault Credentials:
    Secure – manage credentials in vault with comprehensive audit
    Potential for App to Leak Secrets
    Secretless Broker Architecture – Isolate Applications:
    Simpler – Developers can focus on writing code
    More Secure – Applications cannot leak what they don't have
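The Secretless Broker architecture on the slide, as an added, runnable Python model on localhost; it is not code from the talk and not CyberArk's Secretless Broker. A toy "target service" demands an `AUTH <user> <password>` line before answering queries; the broker alone reads the credential from a constructed in-memory vault, accepts plain connections from the application, authenticates to the target on its behalf and relays the rest. The application connects to the broker's port with no credential at all, which is what "cannot leak what they don't have" means in practice. The wire protocol, vault path and credential are invented for the demo; sockets and threads come from the standard library.

```python
import socket
import threading

# Constructed vault content; only the broker ever reads it.
VAULT = {"apps/orders/db": ("app", "constructed-y7qeF$1")}
TARGET_CREDS = VAULT["apps/orders/db"]  # the toy service is provisioned with the same credential

def _serve(handler) -> int:
    """Bind an ephemeral 127.0.0.1 port, handle each connection in its own daemon thread."""
    srv = socket.create_server(("127.0.0.1", 0))

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def _readline(f) -> str:
    return f.readline().decode().rstrip("\n")

def target_handler(conn):
    """Toy database: first line must be AUTH; then it answers QUERY lines until the client closes."""
    with conn, conn.makefile("rwb") as f:
        user, password = TARGET_CREDS
        if _readline(f) != f"AUTH {user} {password}":
            f.write(b"ERR unauthenticated\n")
            f.flush()
            return
        f.write(b"OK\n")
        f.flush()
        while (line := _readline(f)):
            f.write(f"RESULT for {line}\n".encode())
            f.flush()

def start_target() -> int:
    return _serve(target_handler)

def start_broker(target_port: int) -> int:
    """Secretless broker: authenticates upstream with the vault credential, then relays lines."""
    def handler(client):
        user, password = VAULT["apps/orders/db"]
        upstream = socket.create_connection(("127.0.0.1", target_port))
        with client, upstream, client.makefile("rwb") as cf, upstream.makefile("rwb") as uf:
            uf.write(f"AUTH {user} {password}\n".encode())
            uf.flush()
            if _readline(uf) != "OK":
                cf.write(b"ERR broker could not authenticate\n")
                cf.flush()
                return
            while (line := _readline(cf)):      # application -> target
                uf.write((line + "\n").encode())
                uf.flush()
                cf.write((_readline(uf) + "\n").encode())  # target -> application
                cf.flush()
    return _serve(handler)

def app_query(port: int, query: str) -> str:
    """The application: open a plain connection, send one query, return the reply.
    Note that it holds no username or password anywhere."""
    with socket.create_connection(("127.0.0.1", port)) as s, s.makefile("rwb") as f:
        f.write((query + "\n").encode())
        f.flush()
        return _readline(f)

def demo() -> dict:
    target = start_target()
    broker = start_broker(target)
    return {
        "via_broker": app_query(broker, "QUERY select 1"),     # works, credential never left the broker
        "direct_no_auth": app_query(target, "QUERY select 1"), # the same app talking straight to the target
    }

if __name__ == "__main__":
    print(demo())
```

Because the credential is injected by the broker on the upstream leg, rotating it in the vault changes nothing in the application, and a compromised application process has no password to dump from its memory or environment.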

  30. Summary

  31. ✓ Think about secrets management across hybrid and multi-cloud environments
    ✓ Simplify secrets management with a uniform developer and security experience independent of cloud providers and tools
    ✓ End-to-end encryption of secrets through mutual TLS (Transport Layer Security) using SPIFFE-compliant resource identifiers
    ✓ Robust authentication and authorization incorporating RBAC policies
    ✓ It's important to have federated governance to govern all identities while giving autonomy to the development teams
    ✓ Remember the overhead and the risks related to security islands
    ✓ Ideally, credentials should not be exposed to any 3rd party and should reside only in memory
    ✓ Strong container authentication based on its attributes
    ✓ Leverage application secrets rotation to mitigate attack risks
    ✓ You should get a full central audit trail of your secrets – vendor agnostic
    Demos: https://github.com/bnasslahsen/conjur-spring-boot-demos/tree/spring-io-23

  32. Q&A

  33. Thank You