Upgrade to Pro — share decks privately, control downloads, hide ads and more …

APPLICATION MODERNIZATION STRATEGIES: A LOOK TH...

Rafik Harabi
November 25, 2023
0
33

APPLICATION MODERNIZATION STRATEGIES: A LOOK THROUGH THE LENS OF SECURITY

Cloud-native transition initiatives and application modernization programs encompass a diverse array of strategies and approaches. Each strategy introduces its unique technology stack, ecosystem, and, inevitably, security considerations.

In this enlightening session, I will delve into an exploration of the most prevalent application modernization strategies. My focus will be on understanding how these strategies dynamically reshape and broaden the attack surface. This transformation underscores the critical necessity of establishing a robust security architecture and deploying appropriate tooling. By dissecting these strategies, their impact on security, and the countermeasures needed, I aim to provide attendees with an understanding of safeguarding modernized applications in an ever-evolving digital landscape.

Rafik Harabi

November 25, 2023
Tweet

More Decks by Rafik Harabi

See All by Rafik Harabi
Enhancing Cyber Resilience Through Zero Trust Chaos Experiments in Cloud Native Environments
rafik8
0
6
Cloud Native Application Threat Modeling and Adversary Emulation : Techniques and Tools
rafik8
0
81
CLOUD NATIVE APPLICATION THREAT MODELING AND ADVERSARY EMULATION : TECHNIQUES AND TOOLS
rafik8
0
45
Cloud Native Security 101: Building Blocks, Patterns and Best Practices
rafik8
0
510
Managing Microservices with Istio Service Mesh
rafik8
0
310
Managing microservices with Istio Service Mesh
rafik8
1
370

Featured

See All Featured
Large-scale JavaScript Application Architecture
addyosmani
511
110k
Fireside Chat
paigeccino
34
3.2k
Code Reviewing Like a Champion
maltzj
521
39k
GraphQLとの向き合い方2022年版
quramy
44
13k
Making Projects Easy
brettharned
116
6k
GitHub's CSS Performance
jonrohan
1030
460k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
Build your cross-platform service in a week with App Engine
jlugia
229
18k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.3k
Designing for humans not robots
tammielis
250
25k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
120k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.1k

Transcript

  1. #BHMEA2 www.blackhatmea.co | | Application Modernization Strategies- A Look Through

    the Lens of Security 14 - 16 NOVEMBER 2023 RIYADH, SAUDI ARABIA Application Modernization Strategies- A Look Through the Lens of Security Mohamed Shaaban Rafik Harabi

  2. #BHMEA2 www.blackhatmea.co | | Mohamed Shaaban Solution Architect META Dubai,UAE

    [email protected] What I Do ? • Helping Cloud native organizations in adopting devops security strategies in their Environments Exp ? • +10 Years Industry Experience : Containers Orchestration / Cloud & Cloud Security / IAC / CI/CD / Automation / (Mail/Web Sec / Fws / Nacs / Proxies / WAFs … ) Mohamed Shaaban Senior Solutions Architect Dubai,UAE [email protected] What I Do ? • Security Advocate for Cloud Native Security, helping customers to adopt best practices to protect their cloud based assets. Exp ? • 15 years in highly regulated environments.

  3. #BHMEA2 www.blackhatmea.co | |

  4. #BHMEA2 www.blackhatmea.co | | 4 Harden and Prevent Detect and

    Respond Workload Activity Identity Activity Cloud Activity Vulnerabilities Configurations Permissions Cloud Cloud

  5. #BHMEA2 www.blackhatmea.co | | Rehost Flexibility Replatform Modernization Refactor Speed

    & Scale Relocate Repurchase Retire Retain Application Migration Strategies ( The 7 Rs ) Cloud transition and App Modernization Journey

  6. #BHMEA2 www.blackhatmea.co | | Network/Security Management Identity and Access Data

    Platforms Workload Rehost Cloud Provider Logs & Monitoring Cloud Load Balancer Security Groups Instance IAM Cloud Infrastructure Audit logs 6

  7. #BHMEA2 www.blackhatmea.co | | Cloud-Native Application Security Stack 7 Harden

    and Prevent Detect and Respond Identity Activity CDR Traditional VM CSPM CIEM Cloud-Native Application Security Traditional Workload Activity

  8. #BHMEA2 www.blackhatmea.co | | Network/Security Management Identity and Access Data

    Platforms Workload Replatform Cloud Provider Logs & Monitoring Messaging Service Cloud Load Balancer Security Groups Storage Object storage Instance Database Managed SQL IAM Cloud Infrastructure Containers Audit logs Container as a Service 8

  9. #BHMEA2 www.blackhatmea.co | | Cloud-Native Application Security Stack 9 Harden

    and Prevent Detect and Respond Traditional Workload Activity Identity Activity CDR Traditional VM CSPM CIEM Cloud-Native Application Security Container Detection & Response Traditional Workload Activity + Cloud-native VM +

  10. #BHMEA2 www.blackhatmea.co | | Network/Security Management Identity and Access Data

    Platforms Workload Refactor Cloud Provider Logs & Monitoring Messaging Service Cloud Load Balancer Security Groups Storage Object storage Instance Serverless Database Managed SQL IAM Cloud Infrastructure Containers Audit logs Kubernetes Container as a Service 10

  11. #BHMEA2 www.blackhatmea.co | | Cloud-Native Application Security Stack 11 Harden

    and Prevent Detect and Respond Traditional Workload Activity Identity Activity CDR Traditional VM CSPM CIEM Cloud-Native Application Security CSPM CIEM Identity Activity CDR + Container Detection & Response Traditional Workload Activity + + + + Container Detection & Response + Cloud-native VM + Cloud-native VM + KSPM KSPM + IAC IAC +

  12. #BHMEA2 www.blackhatmea.co | |

  13. #BHMEA2 www.blackhatmea.co | | CI TOOLS IMAGE REGISTRIES IaC Tools

    ON-DEMAND CONTAINERS, PAAS, AND SERVERLESS CONTAINER PLATFORMS SIEM, INCIDENT RESPONSE Cloud-Native Ecosystem PUBLIC CLOUD & ON-PREM ENVIRONMENTS Ecosystem Integration

  14. Plan Create Verify Preproductio n Release Configure Operate

  15. Plan • Threat modeling • Security training • Source code

    protection policies • Trusted component registry • Secrets scanning • Secrets management

  16. Plan Create • SAST/DAST/IAST/RASP • Semantic code analysis • API

    Security • Mobile application security testing • Firmware testing • Threat modeling • Security training • Source code protection policies • Trusted component registry • Secrets scanning • Secrets management

  17. Plan Create Verify • SAST/DAST/IAST/RASP • Semantic code analysis •

    API Security • Mobile application security testing • Firmware testing • Govern third party dependencies • Software bill of materials • Code signing and pipeline integrity • PKI and certificate management • Threat modeling • Security training • Source code protection policies • Trusted component registry • Secrets scanning • Secrets management

  18. Plan Create Verify Preproduction • Fuzz testing • Penetration Testing

    • Infrastructure Policy-as-Code • Application Shielding and Protection • SAST/DAST/IAST/RASP • Semantic code analysis • API Security • Mobile application security testing • Firmware testing • Govern third party dependencies • Software bill of materials • Code signing and pipeline integrity • PKI and certificate management • Threat modeling • Security training • Source code protection policies • Trusted component registry • Secrets scanning • Secrets management

  19. Plan Create Verify Preproduction Release • Fuzz testing • Penetration

    Testing • Infrastructure Policy-as-Code • Application Shielding and Protection • SAST/DAST/IAST/RASP • Semantic code analysis • API Security • Mobile application security testing • Firmware testing • Govern third party dependencies • Software bill of materials • Code signing and pipeline integrity • PKI and certificate management • Threat modeling • Security training • Source code protection policies • Trusted component registry • Secrets scanning • Secrets management • Artifact repositories • Compliance automation • Cloud security posture management • API Management and security • Continuous verification for NFRs

  20. Plan Create Verify Preproduction Release Configure •Configuration Drift Detection •Secret

    Leak Detection •Devops Pipeline Backup and Recovery •Patch Management and Remediation • Fuzz testing • Penetration Testing • Infrastructure Policy-as-Code • Application Shielding and Protection • SAST/DAST/IAST/RASP • Semantic code analysis • API Security • Mobile application security testing • Firmware testing • Govern third party dependencies • Software bill of materials • Code signing and pipeline integrity • PKI and certificate management • Threat modeling • Security training • Source code protection policies • Trusted component registry • Secrets scanning • Secrets management • Artifact repositories • Compliance automation • Cloud security posture management • API Management and security • Continuous verification for NFRs

  21. Plan Create Verify Preproductio n Release Configure Operate •Configuration Drift

    Detection •Secret Leak Detection •Devops Pipeline Backup and Recovery •Patch Management and Remediation •Detect/Remediate anomalies access • Privilege access management •Machine Identity management •Zero Trust network access •Passwordless MFA • Vulnerability management • Cloud Workload Protection • API Protection • Serverless Functions security • Web Application and API Protection • Container and Kubernetes Security • Fuzz testing • Penetration Testing • Infrastructure Policy-as-Code • Application Shielding and Protection • SAST/DAST/IAST/RASP • Semantic code analysis • API Security • Mobile application security testing • Firmware testing • Govern third party dependencies • Software bill of materials • Code signing and pipeline integrity • PKI and certificate management • Threat modeling • Security training • Source code protection policies • Trusted component registry • Secrets scanning • Secrets management • Artifact repositories • Compliance automation • Cloud security posture management • API Management and security • Continuous verification for NFRs

  22. Plan Create Verify Preproductio n Release Configure Operate •Configuration Drift

    Detection •Secret Leak Detection •Devops Pipeline Backup and Recovery •Patch Management and Remediation •Detect/Remediate anomalies access • Privilege access management •Machine Identity management •Zero Trust network access •Passwordless MFA • Vulnerability management • Cloud Workload Protection • API Protection • Serverless Functions security • Web Application and API Protection • Container and Kubernetes Security • Fuzz testing • Penetration Testing • Infrastructure Policy-as-Code • Application Shielding and Protection • SAST/DAST/IAST/RASP • Semantic code analysis • API Security • Mobile application security testing • Firmware testing • Govern third party dependencies • Software bill of materials • Code signing and pipeline integrity • PKI and certificate management • Threat modeling • Security training • Source code protection policies • Trusted component registry • Secrets scanning • Secrets management • Artifact repositories • Compliance automation • Cloud security posture management • API Management and security • Continuous verification for NFRs Integrated Security Approach across the SDLC

  23. #BHMEA2 www.blackhatmea.co | | Security is Central Pillar in Application

    Modernization Initiatives the Holistic Approach Requires Integrating Security across all SDLC Phases Continuously Assessing against Evolving Attack Surfaces is a must-do

  24. #BHMEA2 www.blackhatmea.co | | Thank You

  25. Plan Create Verify Preproductio n Release Configure Operate •Configuration Drift

    Detection •Secret Leak Detection •Devops Pipeline Backup and Recovery •Patch Management and Remediation •Detect/Remediate anomalies access • Privilege access management •Machine Identity management •Zero Trust network access •Passwordless MFA • Vulnerability management • Cloud Workload Protection • API Protection • Serverless Functions security • Web Application and API Protection • Container and Kubernetes Security • Fuzz testing • Penetration Testing • Infrastructure Policy-as-Code • Application Shielding and Protection • SAST/DAST/IAST/RASP • Semantic code analysis • API Security • Mobile application security testing • Firmware testing • Govern third party dependencies • Software bill of materials • Code signing and pipeline integrity • PKI and certificate management • Threat modeling • Security training • Source code protection policies • Trusted component registry • Secrets scanning • Secrets management • Artifact repositories • Compliance automation • Cloud security posture management • API Management and security • Continuous verification for NFRs Integrated Security Approach across the SDLC