
APPLICATION MODERNIZATION STRATEGIES: A LOOK THROUGH THE LENS OF SECURITY

Rafik Harabi
November 25, 2023


Cloud-native transition initiatives and application modernization programs encompass a diverse array of strategies and approaches. Each strategy introduces its unique technology stack, ecosystem, and, inevitably, security considerations.

In this session I will walk through the most prevalent application modernization strategies, focusing on how each one reshapes and broadens the attack surface. That shift is why a robust security architecture and the right tooling are necessary. By dissecting these strategies, their impact on security, and the countermeasures each requires, I aim to give attendees a working understanding of how to safeguard modernized applications in an ever-evolving digital landscape.


Transcript

  1. #BHMEA2 www.blackhatmea.co | Application Modernization Strategies: A Look Through the Lens of Security
     14 - 16 November 2023, Riyadh, Saudi Arabia
     Speakers: Mohamed Shaaban, Rafik Harabi
  2. Speakers
     Mohamed Shaaban, Solution Architect META, Dubai, UAE ([email protected])
     What I do? • Helping cloud-native organizations adopt DevOps security strategies in their environments
     Experience? • 10+ years of industry experience: container orchestration / cloud & cloud security / IaC / CI/CD / automation / (mail/web security, firewalls, NACs, proxies, WAFs …)
     Mohamed Shaaban, Senior Solutions Architect, Dubai, UAE ([email protected])
     What I do? • Security advocate for cloud-native security, helping customers adopt best practices to protect their cloud-based assets.
     Experience? • 15 years in highly regulated environments.
  3. Cloud security model (two halves, both applied to the cloud estate)
     Harden and Prevent: Vulnerabilities • Configurations • Permissions
     Detect and Respond: Workload Activity • Identity Activity • Cloud Activity
  4. Cloud transition and App Modernization Journey: Application Migration Strategies (The 7 Rs)
     Rehost • Replatform • Refactor • Relocate • Repurchase • Retire • Retain
     Axes of the diagram: Flexibility, Modernization, Speed & Scale
  5. Rehost: target landscape by layer
     Network/Security: Cloud Load Balancer, Security Groups
     Management: Cloud Provider Logs & Monitoring, Audit logs
     Identity and Access: IAM
     Data: (nothing added at this stage)
     Platforms: Cloud Infrastructure
     Workload: Instance
  6. Cloud-Native Application Security Stack (Rehost)
     Harden and Prevent: CSPM, CIEM
     Detect and Respond: Traditional VM (Workload Activity), CDR (Identity Activity)
     Traditional security vs Cloud-Native Application Security
  7. Replatform: target landscape by layer
     Network/Security: Cloud Load Balancer, Security Groups
     Management: Cloud Provider Logs & Monitoring, Audit logs
     Identity and Access: IAM
     Data: Storage (Object storage), Database (Managed SQL)
     Platforms: Cloud Infrastructure, Messaging Service, Container as a Service
     Workload: Instance, Containers
  8. Cloud-Native Application Security Stack (Replatform)
     Harden and Prevent: CSPM, CIEM
     Detect and Respond: Traditional VM + Cloud-native VM (Workload Activity), CDR (Identity Activity), Container Detection & Response
     Traditional security vs Cloud-Native Application Security
  9. Refactor: target landscape by layer
     Network/Security: Cloud Load Balancer, Security Groups
     Management: Cloud Provider Logs & Monitoring, Audit logs
     Identity and Access: IAM
     Data: Storage (Object storage), Database (Managed SQL)
     Platforms: Cloud Infrastructure, Messaging Service, Container as a Service, Kubernetes
     Workload: Instance, Containers, Serverless
  10. Cloud-Native Application Security Stack (Refactor)
     Harden and Prevent: CSPM, CIEM, KSPM, IaC
     Detect and Respond: Traditional VM + Cloud-native VM (Workload Activity), CDR (Identity Activity), Container Detection & Response
     Traditional security vs Cloud-Native Application Security
  11. Ecosystem Integration (Cloud-Native Ecosystem)
     CI tools • Image registries • IaC tools • On-demand containers, PaaS, and serverless • Container platforms • SIEM, incident response • Public cloud & on-prem environments
  12. Plan
     • Threat modeling • Security training • Source code protection policies • Trusted component registry • Secrets scanning • Secrets management
  13. Plan → Create (build slide; items introduced with the Create phase)
     • SAST/DAST/IAST/RASP • Semantic code analysis • API Security • Mobile application security testing • Firmware testing
  14. Plan → Create → Verify (items introduced with the Verify phase)
     • Govern third-party dependencies • Software bill of materials • Code signing and pipeline integrity • PKI and certificate management
  15. Plan → Create → Verify → Preproduction (items introduced with the Preproduction phase)
     • Fuzz testing • Penetration Testing • Infrastructure Policy-as-Code • Application Shielding and Protection
  16. Plan → … → Preproduction → Release (items introduced with the Release phase)
     • Artifact repositories • Compliance automation • Cloud security posture management • API Management and security • Continuous verification for NFRs
  17. Plan → … → Release → Configure (items introduced with the Configure phase)
     • Configuration Drift Detection • Secret Leak Detection • DevOps Pipeline Backup and Recovery • Patch Management and Remediation
  18. Plan → … → Configure → Operate (items introduced with the Operate phase)
     • Detect/Remediate anomalous access • Privileged access management • Machine Identity management • Zero Trust network access • Passwordless MFA • Vulnerability management • Cloud Workload Protection • API Protection • Serverless Functions security • Web Application and API Protection • Container and Kubernetes Security
  19. Integrated Security Approach across the SDLC (cumulative view of all phases)
     Plan: • Threat modeling • Security training • Source code protection policies • Trusted component registry • Secrets scanning • Secrets management
     Create: • SAST/DAST/IAST/RASP • Semantic code analysis • API Security • Mobile application security testing • Firmware testing
     Verify: • Govern third-party dependencies • Software bill of materials • Code signing and pipeline integrity • PKI and certificate management
     Preproduction: • Fuzz testing • Penetration Testing • Infrastructure Policy-as-Code • Application Shielding and Protection
     Release: • Artifact repositories • Compliance automation • Cloud security posture management • API Management and security • Continuous verification for NFRs
     Configure: • Configuration Drift Detection • Secret Leak Detection • DevOps Pipeline Backup and Recovery • Patch Management and Remediation
     Operate: • Detect/Remediate anomalous access • Privileged access management • Machine Identity management • Zero Trust network access • Passwordless MFA • Vulnerability management • Cloud Workload Protection • API Protection • Serverless Functions security • Web Application and API Protection • Container and Kubernetes Security
  20. Key takeaways
     • Security is a central pillar in application modernization initiatives.
     • A holistic approach requires integrating security across all SDLC phases.
     • Continuously assessing against evolving attack surfaces is a must-do.
  21. Closing slide: repeats slide 19 (Integrated Security Approach across the SDLC).