Slide 1

Slide 1 text

API securing as a so ware developer at Cloud Era Cláudio Oliveira & Luram Archanjo

Slide 2

Slide 2 text

Who am I? Luram Archanjo Software Engineer MBA in Java projects Java and Microservice enthusiastic 2

Slide 3

Slide 3 text

Who am I? Cláudio E. de Oliveira APIs Tech Lead at LuizaLabs Golang, Java, microservices & k8s 3

Slide 4

Slide 4 text

Agenda API First Principles of security as a developer Responsibilities - Traffic North & South - Traffic East & West Demo 4

Slide 5

Slide 5 text

5 Why talk about it?

Slide 6

Slide 6 text

6 API First An API-first approach means that for any given development project, your APIs are treated as “first-class citizens.” That everything about a project revolves around the idea that the end product will be consumed by mobile devices, and that APIs will be consumed by client applications. Source: https://swagger.io/resources/articles/adopting-an-api-first-approach/

Slide 7

Slide 7 text

7 API First - Step Back Backend

Slide 8

Slide 8 text

8 API First #1 Development teams can work in parallel #2 Reduces the cost of developing apps #3 Increases the speed to market #4 Ensures good developer experiences Source: https://swagger.io/resources/articles/adopting-an-api-first-approach/

Slide 9

Slide 9 text

9 Principles of security as a developer

Slide 10

Slide 10 text

10 Authentication Authentication is the act of validating that users are whom they claim to be. This is the first step in any security process. Example: Employees in a company are required to authenticate through the network before accessing their company email

Slide 11

Slide 11 text

11 Authorization Authorization in a system security is the process of giving the user permission to access a specific resource or function. In secure environments, authorization must always follow authentication. Example: After an employee successfully authenticates, the system determines what information the employees are allowed to access

Slide 12

Slide 12 text

12 Ownership of data Ownership of data is a part of data security and is related to the proper handling of data. It is the process of check the ownership of the data! Example: After an employee successfully authenticates, the employee can only manipulate data that is yours.

Slide 13

Slide 13 text

13 Authentication Authorization Confirms users who are they say there are Gives users permission to access a resource Ownership Confirms users data and permissions to handle it

Slide 14

Slide 14 text

14 Cloud Native Security Principles

Slide 15

Slide 15 text

15 Basics knowledge for API Security ● HTTPS ● ssl/tls ● Metrics ● OpenID Connect

Slide 16

Slide 16 text

16 Perimeter Security

Slide 17

Slide 17 text

17 Perimeter Security ● Defense-in-depth multiple layers of security ● Should be easy to integrate with in place systems like VPN, Firewall etc... ● Multiple Policy Enforcement Points increase security

Slide 18

Slide 18 text

18 Infrastructure Security ● Language agnostic ● Infrastructure is secure (platforms) ● Increase governance level ● “Hot deployment”

Slide 19

Slide 19 text

19

Slide 20

Slide 20 text

Traffic Types 20

Slide 21

Slide 21 text

21 North-South traffic

Slide 22

Slide 22 text

22 North-South Traffic ● Clients is unknown in general ● Best place to put Bot detection and treat abusive traffic ● API Products expose business through APIs

Slide 23

Slide 23 text

23 East-West traffic

Slide 24

Slide 24 text

24 Zero Trusted Network ● The cloud environment is heterogeneous ● Different types of workloads ● Integrate with Defense-in-depth concept ● All elements in network is untrusted ● All systems should get kind of grant before call others systems

Slide 25

Slide 25 text

25 A of them are open-source

Slide 26

Slide 26 text

26 Big Picture

Slide 27

Slide 27 text

27 Demo time

Slide 28

Slide 28 text

28

Slide 29

Slide 29 text

29 Securing East-West

Slide 30

Slide 30 text

30 mTLS

Slide 31

Slide 31 text

31 Extracted from https://github.com/smallstep/autocert/blob/master/examples/hello-mtls/README.md

Slide 32

Slide 32 text

32

Slide 33

Slide 33 text

33

Slide 34

Slide 34 text

34 Demo time

Slide 35

Slide 35 text

35

Slide 36

Slide 36 text

Authn 36

Slide 37

Slide 37 text

37 Every sidecar can check jwt token and validate token integrity

Slide 38

Slide 38 text

38 RequestAuthentication is for Identity and AuthorizationPolicy is the rule

Slide 39

Slide 39 text

39 Ok...service mesh is enough to improve secure???

Slide 40

Slide 40 text

40

Slide 41

Slide 41 text

41 Turns to!!!

Slide 42

Slide 42 text

42

Slide 43

Slide 43 text

43 “Micro” Gateway can help us! Hiding implementation details and acting as Bounded Context https://www.solo.io/blog/challenges-of-adopting-service-mesh-in-enterprise-organizations/

Slide 44

Slide 44 text

44

Slide 45

Slide 45 text

45 Demo time

Slide 46

Slide 46 text

46

Slide 47

Slide 47 text

47 Securing North-South

Slide 48

Slide 48 text

48 Securing North-South #1 Micro gateway vs Enterprise Gateway #2 OpenID Connect for external clients (end-users) #3 Handle abusive traffic rate limiting #4 API Products

Slide 49

Slide 49 text

49

Slide 50

Slide 50 text

50 Demo time

Slide 51

Slide 51 text

51

Slide 52

Slide 52 text

52

Slide 53

Slide 53 text

Thanks! Any questions? You can find us at 53 claudioed claudioed luramarchanjo luram_archanjo

Slide 54

Slide 54 text

54 API First - Step Forward Frontend Team Backend Team Mock Backend Frontend

Slide 55

Slide 55 text

55 Authentication Authorization Confirms users who are they say there are Gives users permission to access a resource ??? ???

Slide 56

Slide 56 text

56 What is PeP?? The Policy Enforcement Point (PEP) is the piece of network or security equipment that controls user access and ensures the authorization decision made by the Policy Decision Point (PDP).

Slide 57

Slide 57 text

57 https://www.manning.com/books/microservices-security-in-action

Slide 58

Slide 58 text

58 Infrastructure Security

Slide 59

Slide 59 text

59 How mTLS works in Istio / Envoy 1. Service account token is assigned to Istio Proxy 2. Pilot agent send Token and CSR to Istiod 3. Istiod validate k8s token 4. The istiod signs the certificate and provides it to pilot agent 5. The pilot agent calls Envoy SDS to configure it https://www.manning.com/books/istio-in-action