Slide 1

Policy-as-Code: Across the Stack. Abhay Bhargav (abhaybhargav)

Slide 2

Yours Truly
• Founder @ we45
• Founder @ AppSecEngineer
• AppSec Automation Junkie
• Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc world-wide
• Co-author of Secure Java For Web Application Development
• Author of PCI Compliance: A Definitive Guide

Slides 3-4

My talk…

Slides 5-11

Agenda
• Success Factors and Problems on the road to DevSecOps
• The need for “Policy-as-Code”
• PaC across the StaCk
• Application and API Gateway: Policy-as-Code
• Cloud-Native Control Planes - Policy-as-Code
• Conclusions

Slides 12-15

The Promise of DevSecOps

Slides 16-17

The Reality

Slide 18

The Paved Road

Slide 19

Why?
• 88% troubled by problems due to API Authentication - Palo Alto API Security Report 2023
• Broken Object Level (and Property) Authorization - OWASP API Security Top 10 2023
• 40% - API Misconfigurations like Excessive Data Exposure, etc - Palo Alto API Security Report 2023

Slides 20-26

The “As-Code” Movement
• Version Control and Single source of truth
• Scalability and Automation
• Consistency and Reproducibility
• Continuous Improvement
• High Fidelity
• Testable ??

Slides 27-38

DevSecOps (pipeline figure; the text below is what the slide builds up)
Phases: Plan, Code, Build, Test, Release, Deploy, Operate, Monitor
Activities: Threat modeling, Training, Baselines; SAST; Source Composition Analysis; Secure Defaults; Build Security Processes; DAST, IAST, InfraSec, Sec Regression; Infrastructure Security, Cloud Hardening, Secrets Management; Security monitoring & attack detection, Threat Hunting, Attack Simulation/RedTeam
As-Code overlays: SAST as Code; DAST/Regression as Code; Decoupled Security Controls / Policy-As-Code; Threat Models as Code; Detection Engineering

Slide 39

“PaC ‘cross the stack”

Slide 40

Policy as Code

Slides 41-46

Need and Motivation
• The idea is to NOT hardcode security rules in apps that have rapidly evolving and changing requirements
• Customisable and Purpose-Built
• Testable
• Scalable
• Create a “Paved Road” for Product Engineering Teams

Slide 47

Typical Use-Cases
• Syscall Profiling, Seccomp, AppArmor and eBPF for Runtime Security enforcement
• Authorization, CORS, Rate-Limiting, mTLS and others on the API Gateway
• Input Validation, Access Control with Policy-as-Code Frameworks

Slide 48

Across the Stack

Slide 49

Security Model - An Example

Slide 50

Dynamic PaC Stack at the Gateway

Slides 51-63

Imagine… Your Service:
• Business Logic
• JWT Authorization
• Input Validation
• Object Access Control
• Authentication
• Logging

Slide 64

The Proposed Solution

Slides 65-69

PaC - Applicability
• Input Validation at Gateway
• JWT Validation at Gateway + Claims
• Function Level AuthZ at App + Gateway
• Object Level AuthZ at App + Gateway
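A gateway-side JWT check of the kind the list describes, as an added example that is not from the slides (stdlib Python, HS256 with a constructed shared secret, issuer and audience; mint_hs256 exists only to build test input): the algorithm is pinned and the signature verified before any claim is read, and the returned claims are what a downstream authorization policy would consume.

```python
"""JWT validation at the gateway: HS256, Python standard library only."""
import base64, hashlib, hmac, json, time

# Constructed sample values for this example (not production settings).
SECRET = b"example-shared-secret-not-for-production"
ISSUER, AUDIENCE = "https://idp.example.test", "orders-api"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256(claims: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Helper that only exists to construct test tokens; alg is a parameter so a
    token the validator must reject ('none', empty signature) can be built too."""
    compact = lambda o: _b64url_encode(json.dumps(o, separators=(",", ":")).encode())
    signing_input = f"{compact({'alg': alg, 'typ': 'JWT'})}.{compact(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{signing_input}.{_b64url_encode(sig)}"

def validate_jwt(token: str, secret: bytes = SECRET, issuer: str = ISSUER,
                 audience: str = AUDIENCE, now=None):
    """Return (claims, None) if the token is acceptable, else (None, reason).
    Order matters: pin the algorithm and verify the signature before any claim
    is parsed or trusted; only then check iss, aud and exp."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    h, p, s = parts
    try:
        header, sig = json.loads(_b64url_decode(h)), _b64url_decode(s)
    except Exception:
        return None, "undecodable"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "alg not allowed"          # rejects 'none' and alg confusion
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    try:
        claims = json.loads(_b64url_decode(p))
    except Exception:
        return None, "undecodable"
    if not isinstance(claims, dict) or claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong audience"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None, "expired or missing exp"
    return claims, None                         # verified claims feed the AuthZ policy
```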

Slide 70

Frameworks we’ll use
• Open Policy Agent and Rego
• Casbin/Oso, etc

Slide 71

Open-Policy-Agent
• Policy Management Framework for “any” environment
• Allows you to define policies that can be enforced based on generic JSON input and output parameters
• Uses a DSL (domain specific language) called “rego” that is used to define policies

Slide 72

Open Policy Agent - Operation

Slides 73-87

Rego Rule Syntax

Slide 88

OPA Use-Cases
• Kubernetes Policy Management
• API AuthZ and Policy Management
• OS Policy Management - SSH and Access Control
• Kafka Topic Authorization
• Many more…

Slide 89

AuthZ-as-Code (Copyright © we45 2020)

Slide 90

Let’s look at most AuthZ flaws
• Inconsistent implementation of Object Level Authorization
• Access Control code strewn across multiple services
• Lack of standardization and expressive capability for AuthZ frameworks
• Heavily design dependent - which gets complex at scale

Slide 91

AuthZ-as-Code Frameworks

Slide 92

Object Level AuthZ: has access to / to perform

Slide 93

Functional AuthZ: has access to / to perform

Slide 94

RBAC - Role Based Access Control

Slide 95

ABAC - Attribute Based Access Control

Slide 96

Google Zanzibar approach

Slides 97-101

Approach

Slides 102-106

Casbin

Slides 108-109

PERM: Policy, Effect, Request, Matchers

Slides 110-111

What is PERM? Request Attributes must MATCH Policy Attributes
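The PERM idea in executable form, as an added example written for this page rather than taken from Casbin or the slides (a from-scratch Python engine over a constructed policy table; the matcher is a Python function instead of Casbin's matcher expression): a request is allowed only when its attributes match a policy row, and the scope column turns a function-level rule (this role may call this route) into an object-level one (only on objects the caller owns), which is the BOLA case from slides 92 and 93.

```python
"""Minimal PERM engine: Policy, Effect, Request, Matchers.
Written from scratch for this example; it mirrors the Casbin model layout but
is not Casbin code. The policy table below is constructed sample data."""
from fnmatch import fnmatchcase
from types import SimpleNamespace

# [request_definition]  r = sub, role, path, method, owner   (owner: who owns the object)
# [policy_definition]   p = sub (role), obj (path pattern), act (method), scope, eft
# Rows live in data, not in handler code: change the table, not the service.
POLICY = [
    ("admin", "/api/orders/*", "*",      "any", "allow"),
    ("buyer", "/api/orders/*", "GET",    "own", "allow"),
    ("buyer", "/api/orders/*", "PUT",    "own", "allow"),
    ("buyer", "/api/orders/*", "DELETE", "any", "deny"),
    ("buyer", "/api/orders",   "POST",   "any", "allow"),
]
POLICY_FIELDS = ("sub", "obj", "act", "scope", "eft")

def key_match(path: str, pattern: str) -> bool:
    """'*' matches any suffix, including further path segments (as Casbin's keyMatch does)."""
    return fnmatchcase(path, pattern)

def matcher(r: SimpleNamespace, p: SimpleNamespace) -> bool:
    """[matchers]: every request attribute must match the policy row.
    function level: the role may call this route with this method
    object level:   scope=own additionally requires the caller to own the object"""
    function_level = (r.role == p.sub and key_match(r.path, p.obj)
                      and p.act in ("*", r.method))
    object_level = p.scope == "any" or r.sub == r.owner
    return function_level and object_level

def effect(effects: list) -> bool:
    """[policy_effect]: some(where p.eft == allow) && !some(where p.eft == deny).
    No matching row at all means deny, so unknown roles and routes fail closed."""
    return "allow" in effects and "deny" not in effects

def enforce(request: dict, policy=POLICY) -> bool:
    """Evaluate one request against the policy table; True means allowed."""
    r = SimpleNamespace(**request)
    rows = (SimpleNamespace(**dict(zip(POLICY_FIELDS, row))) for row in policy)
    return effect([p.eft for p in rows if matcher(r, p)])

if __name__ == "__main__":
    own = {"sub": "u1", "role": "buyer", "path": "/api/orders/42", "method": "GET", "owner": "u1"}
    other = dict(own, owner="u2")
    print(enforce(own), enforce(other))   # True False: same route, but u2's order is blocked
```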

Slide 112

Lab: OPA, Traefik and Decentralized Security Controls

Slide 113

PaC on Cloud Control-Planes

Slide 114

PaC Applicability
• PaC is already important for enforcing policies across Cloud and Cloud-Native Control-Planes
• Can be leveraged for Access Control, Admission Control
• Common Use-Cases: Network Policy, Service Policies, Admission Control Policies

Slides 115-123

PaC - Cloud Control-Planes

Slide 124

Policy Management with Kyverno

Slide 125

What is Kyverno?
• Policy-Engine specifically designed for Kubernetes
• Policies are created and managed as native Kubernetes resources and authored in YAML
• Validating and Mutating Policies and Webhooks are Supported by Kyverno

Slide 126

Kyverno Concepts
• Install Kyverno CRDs, Webhooks, Service Accounts and Namespaces
• Policies => Validating or Mutating Policy Definitions
• Selectors => Matches Resources in Request based on Policy

Slide 127

Kyverno Policy Structure

Slide 128

Basic Kyverno Validate Policy

Slide 129

Kyverno Mutate Policy

Slide 130

Kyverno Generate Policy

Slide 131

Kyverno Benefits
• No additional DSL required.
• Mutate, Validate AND Generate
• Background Capabilities
• Audit/Enforce
• Reporting - Out of the box

Slide 132

Lab: Kyverno

Slide 133

Conclusions
• Policy-as-Code is a powerful way to create and enforce consistent Secure Defaults and Paved Roads for your AppSec use-cases
• Policy-as-Code helps bring order to a complex world of distributed systems
• Policy-as-Code can be applied across the stack