Copyright © 2020 HashiCorp March 2022 Security vs. Delivery Win with dependency inversion

Security “We must secure!” Delivery “We must innovate!” DATACENTERS ACCESS CONTROL VULNERABILITY MANAGEMENT AUDIT LOGGING CLOUDS SECRETS NETWORK POLICY MANAGED SERVICES 😰

Author, Patterns & Practices for IaC Developer Advocate, HashiCorp 
 she/her 
 @joatmon08 Rosemary Wang

Dependency Inversion In software development 01 Round 1 / Security vs. Delivery

High-Level Object Low-Level Object Application Depends On Database

APPLICATION CODE Database Type 1 Implement access to 
 MySQL Database Type 2 Implement access to PostgreSQL public class CustomerService { private CustomerDao customer ; public Optional findById(int id) { return customer.findById(id) ; } public List findAll() { return customer.findAll() ; } } Example from https://www.baeldung.com/java-dependency-inversion-principle DATA ACCESS OBJECT public interface CustomerDao { Optional findById(int id) ; List findAll() ; } High-Level Object Low-Level Object Abstraction

…both high-level and low-level objects must depend on same abstraction. This loosely couples software modules.

Loose coupling supports evolution. Change low-level object while minimizing impact to high-level object.

02 Infrastructure as code Round 2 / Security vs. Delivery

…both high-level and low-level objects must depend on same abstraction. This loosely couples infrastructure dependencies. infrastructure resources

High-Level Object Low-Level Object Depends On Server Network

SERVER CONFIG resource "aws_instance" “machine" { ## omitted for clarit y subnet_id = data.aws_subnet.selected.id tags = { Name = local.nam e } } DATA ACCESS OBJECT data "aws_subnet" "selected" { filter { name = "tag:Team " values = [var.team ] } filter { name = "tag:Environment " values = [var.environment ] } } High-Level Object Low-Level Object Abstraction NETWORK CONFIG resource "aws_subnet" "main" { vpc_id = aws_vpc.main.i d cidr_block = cidrsubnet ( var.cidr_block, 4, 1 ) tags = { Name = local.nam e } } Infrastructure API

DATA ACCESS OBJECT output "ip" { value = aws_instance.machine.private_i p } High-Level Object Low-Level Object Abstraction DNS CONFIG resource "cloudflare_record" "machine" { ## omitted for clarit y zone_id = var.cloudflare_zone_i d name = "vm " value = module.vm.ip } SERVER CONFIG resource "aws_instance" "machine" { ## omitted for clarit y subnet_id = data.aws_subnet.selected.i d tags = { Name = local.nam e } } Infrastructure Module Output

DNS CONFIG resource "cloudflare_record" "machine" { ## omitted for clarit y zone_id = var.cloudflare_zone_i d name = "vm " value = module.vm.ip } DATA ACCESS OBJECT output "ip" { value = azurerm_linux_virtual_machine.machin e .private_ip_addres s } High-Level Object Low-Level Object Abstraction SERVER CONFIG resource "azurerm_linux_virtual_machine" "machine" { ## omitted for clarit y subnet_id = data.aws_subnet.selected.i d tags = { Name = local.nam e } } Multiple Clouds / Platforms

03 Security Round 3 / Security vs. Delivery

Infrastructure / applications depend on security. Benefits from dependency inversion principle.

Secrets

High-Level Object Low-Level Object Application Depends On Database Secret

1. Regret 2. Revoke 3. Rotate 4. Reference 5. Replace 6. Restart Can you imagine contacting multiple teams to fix their passwords? 😞 😞 😞 Invert application’s dependency on secret.

APPLICATION CODE public class CustomerService { private CustomerDao customer ; public Optional findById(int id) { return customer.findById(id) ; } public List findAll() { return customer.findAll() ; } } https://cloud.spring.io/spring-cloud-vault/reference/html/#vault.config.backends.database-backends High-Level Object Low-Level Object Abstraction CODE LIBRARY ## install spring-cloud-vault- config-databases dependenc y ## application.propertie s spring.cloud.vault : database : enabled: tru e role: readonl y backend: database Application does not change! Change these if necessary. Secrets Manager + Code Library Database Secret Database Password /database/creds/customer

APPLICATION CODE public class CustomerService { private CustomerDao customer ; public Optional findById(int id) { return customer.findById(id) ; } public List findAll() { return customer.findAll() ; } } https://cloud.spring.io/spring-cloud-vault/reference/html/#vault.config.backends.database-backends High-Level Object Low-Level Object Abstraction SIDECAR PROCESS ## run Vault agent as a separate proces s vault agent -config /vault-agent/agent.hc l ## Vault agent generates application.propertie s {{ with secret “database/creds/customer“ -} } spring.datasource.username={{ .Data.username }} spring.datasource.password={{ .Data.password } } {{- end }} Application reads configuration from file. 
 No changes to code. Secrets Manager + Sidecar Process Database Secret Database Password /database/creds/customer APPLICATION.PROPERTIES spring.datasource.username=custome r spring.datasource.password=Depend3ncy!nversio n

Network Policy

High-Level Object Low-Level Object Web Depends On App Database SHOULD NOT DEPEND ON

1. API Authorization 2. Certificates 3. Traffic Management 4. Telemetry 5. Firewalls 6. Network Routing 7. Security Groups Can you imagine contacting multiple teams to manage these configurations? 😞 😞 😞

1. API Authorization 2. Certificates 3. Traffic Management 4. Telemetry 5. Firewalls 6. Network Routing 7. Security Groups Inverts application’s dependencies on these.

High-Level Object Low-Level Object Web App Database Service Mesh + Sidecar Proxy Abstraction NETWORK POLICY Kind = "service-intentions " Name = "db " Sources = [ { Name = "web " Action = "deny " } , { Name = “app " Action = "allow " } ] Offers abstraction for certificates, traffic management, API authorization, and telemetry.

1. API Authorization 2. Certificates 3. Traffic Management 4. Telemetry 5. Firewalls 6. Network Routing 7. Security Groups Service catalog + automation can help invert infrastructure’s dependency on these.

Access Control

High-Level Object Low-Level Object Depends On Identity SSH Access to Server

High-Level Object Low-Level Object Depends On Many Identity Providers Across platforms, clouds, and services. …and more SSH Access to Server

High-Level Object Low-Level Object Many Identity Providers Many platforms, clouds, etc. …and more Secure Access Management Abstraction SSH Access to Server TERRAFORM ## Azure AD operator group should have SSH acces s resource "boundary_role" "core_infra" { ## omitted for clarit y scope_id = boundary_scope.org.i d grant_scope_id = boundary_scope.core_infra.i d grant_strings = [ "id=*;type=*;actions=* " ] principal_ids = [ boundary_managed_group.operators.id ] }

Is it a win? 04 Final Round / Security vs. Delivery

Units of Effort over Time Effort Time No Dependency Inversion You spend several months changing your security architecture and refactoring high-level applications and infrastructure.

Can I change my security tool or policy tomorrow without affecting delivery?

1. Dependency inversion 2. Choose an abstraction between low-level and high-level objects 3. Share security practices and knowledge

Units of Effort over Time Effort Time No Dependency Inversion Dependency Inversion Initially, you spend a month or two adding abstraction. Initially, you spend a month or two adding abstraction. Future changes to security architecture minimizes refactor for high-level applications and infrastructure. Benefit of “Shifting Security Left”!

Rosemary Wang joatmon08.github.io 
 she/her 
 @joatmon08 Thank you!