VSHN – The DevOps Company Adrian Kosmaczewski, Developer Relations, VSHN Airlock Microgateway 2.1 August 19th, 2021 – 16:00 CEST Welcome to this presentation about Airlock Microgateway! My name is Adrian Kosmaczewski, I’m in charge of Developer Relations at VSHN, the DevOps company, and I’ll be your host tonight. Joining me are Aarno Aukia and Sergio Nuzzo from VSHN, and also Stefan Dietiker and Martin Burkhart from Ergon, the company behind Airlock Microgateway. Speaker notes 1

VSHN – The DevOps Company Pronounced ˈvɪʒn – like "vision" The DevOps Company Founded 2014, 46 VSHNeers located in Zürich Switzerland’s leading DevOps, Docker & Kubernetes partner 24/7 support ISO 27001 certi ed ISAE 3402 Report Type 1 veri ed First Swiss Kubernetes Certi ed Service Provider Just a few words about VSHN; that’s how you pronounce the name, and we’re "The DevOps Company". We’ve been in Zurich since 2014, we’re 46 VSHNeers and we’re Switzerland’s leading DevOps, Docker & Kubernetes partner, offering 24/7 support to our customers. We’ve got a few certifications, and most importantly, we were the First Swiss Kubernetes Certified Service Provider back in 2016. Speaker notes 2

VSHN – The DevOps Company We’re partners with many companies very active in the Cloud Native space, you might recognize some of the logos on this slide. Speaker notes 3

VSHN – The DevOps Company We also run our own "Platform as a Service" offering called "APPUiO". We’ve created our own suite of tools to manage lots of Kubernetes services from a central location, called "Project Syn". Last but not least, we have developed our own Kubernetes operator for backups, called K8up, which just like Project Syn is 100% open source on GitHub. Speaker notes 4

VSHN – The DevOps Company DevSecOps & Zero-Trust Airlock Microgateway 2.1 Demo Questions & Answers Agenda Today we’re going to see how security can be incorporated in DevOps workflows. Then, how Airlock Microgateway 2.1 can be used to protect applications from attackers. Finally, we’re going to see a short live demo: an integration of Airlock Microgateway in a Kubernetes cluster. Please feel free to ask your questions in the Q&A box at the bottom of your Zoom window, and my colleagues and I will answer them at the end of the session. Let’s get started! Speaker notes 5

VSHN – The DevOps Company 1. The Principle of Flow Continuously and proactively harden the security of apps 2. The Principle of Feedback Keeping an eye open on threats 3. The Principle of Continual Learning and Experimentation Through retrospectives and post-mortem reports DevSecOps How do the principles of DevOps apply in DevSecOps? Very straightforwardly, as it happens; through continuous monitoring, and learning of new threats, DevSecOps teams can increase proactively the security of their applications, through a flow of new security rules added to the system. The feedback loops goes to & from & with security specialists and developers and operators, all working together as a team. Speaker notes 6

VSHN – The DevOps Company 1. Explicit Veri cation 2. Least-privilege Access 3. Breach assumption Zero-Trust The guiding principles of Zero Trust are the following: 1. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies. 2. Limit user access with Just-In-Time and Just-Enough Access (JIT/JEA), risk-based adaptive polices, and data protection to protect both data and productivity. 3. Minimize blast radius for breaches and prevent lateral movement by segmenting access by network, user, devices, and application awareness. Verify all sessions are encrypted end to end. Use analytics to get visibility, drive threat detection, and improve defenses Speaker notes 7

VSHN – The DevOps Company Key component for Zero-Trust security with a DevSecOps strategy Airlock Microgateway can be used in a DevSecOps strategy to implement a Zero-Trust strategy increased security to applications running in production, even when the source code of those applications is no longer available. Speaker notes 8

VSHN – The DevOps Company Protects off-the-box from a long list of attack vectors Including OWASP Top 10 Designed for the cloud: containers and Kubernetes OpenAPI and JSON Schema protection Access management in combination with Airlock IAM Authentication check (including JWT token validation) Security as Code → easily stored in Git repositories Features Airlock Microgateway is a lightweight security gateway designed specifically for use in container environments. It helps DevOps engineers and application teams protect their services from unauthorized or malicious access with little effort. This increases agility and ensures high security in the right place and from the very beginning. Speaker notes 9

VSHN – The DevOps Company Deny Rule Group Options SQL or NoSQL Injection In parameter or header Cross-Site Scripting (XSS) In path, parameter or header HTML Injection In parameter or header Windows or Unix command injection In parameter or header Automated scanning – Full list: docs.airlock.com/microgateway/2.1/#data/defaultdenyr.html What can Airlock Microgateway 2.1 do for you? Turns out, off the box, it can do a lot. Just by redirecting ingress traffic to it, your application immediately benefits from a long list of default rules, ready to be used and applied. Speaker notes 10

VSHN – The DevOps Company Agile protection for microservices Zero trust for monoliths Integration gateway for developers Use Cases In which cases is Airlock Microgateway the best option? If you use microservices, you can use it to harden each part of your application. For those of us still stuck with good old monoliths, Airlock Microgateway provides a lightweight option to secure applications, and we’re precisely going to see that in this presentation. Finally, thanks for being so lightweight, developers can use it in their workflows during development and testing, so that they can iron out any problems early on. Speaker notes 11

VSHN – The DevOps Company Airlock Microgateway works together with the whole ecosystem of Airlock products, including Airlock IAM and Airlock Gateway. Source: Speaker notes www.airlock.com/fileadmin/content/07_Airlock- PDFs/Airlock_Microgateway_en.pdf 12

VSHN – The DevOps Company Editions & Support Community Premium DevSecOps-ready   Monitoring & Reporting   Standard Protection   Access Control with Airlock IAM   Advanced Protection (OpenAPI) Log only  Integrated Access Control Log only  Airlock Microgateway offers two tiers of licensing and support; in the premium version, users get advanced features such as: Advanced Application Protection: OpenAPI Schema Enforcement, Additional Deny- and Allow-Rules, CSRF Tokens, HTTP Parameter Pollution, Multipart Parser, URL Encryption, Strict UTF8 Encoding Enforcement (to be demo’d in this session) Integrated Access Control: Verify JWT tokens, access decisions based on token details Speaker notes 13

VSHN – The DevOps Company Securing a problematic app Enabling the Airlock Microgateway Adding a custom rule Enabling OpenAPI support Demo Let’s see Airlock Migrogateway in action. In this demo we are going to see a simple application deployed in a Kubernetes cluster, which has some security problems. First we are going to see how just by redirecting traffic to Airlock Microgateway we can solve lots of problems off-the-box. Then we’re going to add some custom rules to our deployment, and finally we’re going to enable OpenAPI support and we’ll see how it’s enforced. Speaker notes 14

VSHN – The DevOps Company x Ingress Microgateway Fortune Demo Architecture By default, the configuration of this deployment redirects all incoming traffic to the Fortune services; now we’re going to activate the Microgateway service to intercept all inbound unsecure requests. Speaker notes 15

VSHN – The DevOps Company But not even Argon’s great security team thought about one of the greatest and latest threats: the Smurfs; also known as "Die Schlümpfe" auf Deutsch, "Les Schtroumpfs" en Français, "Los Pitufos" en Español, or "I Puffi" in Italiano. They have a known tendency to use the verb "Smurf" to indicate pretty much any activity, including, of course, hacking, as shown in the picture of this slide. They have been known to infiltrate systems and whenever Clumsy Smurf does it, you can be sure there’s going to be a system failure smurfing somewhere. Source of the image: Speaker notes www.lulu-berlu.com/the-smurfs- schleich-40249-smurf-with-computer-a47195-en.html 16

VSHN – The DevOps Company Source: www.toonpool.com/user/1688/ les/brainy_2110615.jpg In this declassified picture from the CIA archives you can see Smurfs learning the arts of hacking, guided by the patient and wise hand of Brainy Smurf. Source of the image: Speaker notes www.toonpool.com/user/1688/files/brainy_2110615.jpg 17

VSHN – The DevOps Company 1 Rule de nition 2 Rule application apiVersion: v1 kind: ConfigMap metadata: name: microgateway-config data: config.yaml: | deny_rule_groups: - rule_group_key: "BLOCK_SMURFS" deny_rules: - rule_key: "NO_SMURFS" parameter_value: pattern: "smurf" apps: - virtual_host: name: demo hostname: microgateway.eu.ngrok.io mappings: - deny_rule_groups: - enabled: true level: strict - rule_group_keys: - BLOCK_SMURFS backend: hosts: - name: fortune-svc port: 9090 1 2 docs.airlock.com/microgateway/2.1/#data/dslreference.html This is how you define custom rules on your configuration file.  Every time that this file is modified, the Airlock Microgateway pod must be killed, so that it is re- created with the new configuration. Speaker notes 18

VSHN – The DevOps Company 1 OpenAPI ("Swagger") de nition 2 Application apiVersion: v1 kind: ConfigMap data: swagger.json: | { "openapi": "3.0.1", "info": { "title": "Fortune.NET", }, "version": "v1" }, "paths": { "/api": { # ... config.yaml: | apps: - virtual_host: hostname: microgateway.eu.ngrok.io mappings: - api_security: openapi: spec_file: /config/swagger.json backend: hosts: - name: fortune-svc port: 9090 1 2 docs.airlock.com/microgateway/2.1/#data/openapispecv.html This slide shows how to enable OpenAPI ("Swagger") based security. Speaker notes 19

VSHN – The DevOps Company 1 OpenAPI ("Swagger") le 2 Microgateway con guration le apiVersion: apps/v1 kind: Deployment metadata: name: microgateway spec: selector: matchLabels: app: microgateway template: spec: initContainers: - name: configbuilder image: ergon/airlock-microgateway-configbuilder:2.1.0 imagePullPolicy: IfNotPresent volumeMounts: - name: config mountPath: /config/swagger.json subPath: swagger.json - name: config mountPath: /config/config.yaml subPath: config.yaml - name: secret mountPath: /secret/ readOnly: true - name: config-files mountPath: /resources-gen # ... 1 2 This slide shows how to use the values defined in the ConfigMap; this exposes the configuration and the OpenAPI definitions to the Microgateway service. This information is used by the init containers used to launch the Microgateway service. Speaker notes 20

VSHN – The DevOps Company Airlock Microgateway 2.1 Documentation Community Support Forum Ergon OWASP Top Ten airlock.com/en/secure-access-hub/components/microgateway docs.airlock.com/microgateway/2.1 forum.airlock.com www.ergon.ch/en owasp.org/www-project-top-ten For more information about Airlock Microgateway 2.1, check these links. Speaker notes 21

VSHN – The DevOps Company Adrian Kosmaczewski, Developer Relations, VSHN – VSHN AG – Neugasse 10 – CH-8005 Zürich – +41 44 545 53 00 – – Thanks! [email protected] vshn.ch [email protected] We hope that this presentation and its demo will be useful to you, and please do not hesitate to contact us if you need more information, a trial account, or a personalized demo for your team. Thanks for watching, and beware of Smurfs! Speaker notes 22