PRESENTED BY:

Datacenter

Web App Database Web App

There was an executive decision

to move some apps to the cloud.

We need to change how we

develop new applications!

But if we are starting an

application from scratch and

using the public cloud, it makes

sense to do it in the new way.

I’m responsible for the application’s security.

But what are cloud-native applications?

You have a car, right?

Acquisition $$$$

Maintenance

Per-Mile Cost

$$ + Overhead

$ $$

Fixed Cost No

Matter the Usage

Passengers Unlimited4

To own a server is like owning a car.

So people start using services based

in the cloud instead of servers.

This architecture is called Serverless.

WEBSERVERS

APPSERVERS

DBSERVERS

COST

USAGE

Traditional

Serverless

Cost Savings

Administrative

Overhead

Users

Serverless

Traditional

Now I get it! The application is cloud native, using

services, and not based in legacy architecture!

Correct!

API Gateway Other Services

No, we are still responsible for

the cloud security. Remember

the Shared Responsibility Model?

Your work will be easy, right? If we

are using cloud services, they will

be responsible for the security.

OWASP Top 10 Application Security Risks - 2017

A1: Injection

A2: Broken Authentication

A3: Sensitive Data Exposure

A4: XML External Entities (XXE)

A5: Broken Access Control

A6: Security Misconfiguration

A7: Cross-Site Scripting (XSS)

A8: Insecure Deserialization

A9: Using Components with Known Vulnerabilities

A10: Insufficient Logging & Monitoring

Let me show you an example.

API Gateway

Known AttacksXSS, CSRF, Injection, etc...

API Gateway Other Services

IP Intelligence

Services

Updates

every 5 min.

Geolocation database

= Botnet

Anonymous

requests

Anonymous

proxies

Scanner

Restricted

region or

country

Attacker

API Gateway

API Gateway

Known AttacksXSS, CSRF, Injection, etc...

Signatures

Update

API Gateway

Legitimate TrafficCheck Parameters, URIs,

Methods, Size, Pattern, etc...

Unknown

Behavior

API Gateway

Credit Card Number

4321-1234-4321-1234

API Gateway

Credit Card Number

4321-1234-4321-1234

Credit Card Number

XXXXXXXXXXXXXXXXXXXX

API Gateway

It was a challenge, but we finally have

our cloud-native application deployed!And also protected!

BIG-IP VE Advanced Web Application Firewall

•

•

•

PROBLEMWhen moving applications to public cloud,

security is still the #1 concern. Who is

responsible when data is leaked or the

application compromised?

That is why cloud providers use a Shared

Responsibility Model. That means that the

customer is responsible for security IN the

cloud, while the provider is responsible for

the security OF the Cloud.

In other words, companies are still

responsible for the security of their

applications, including cloud-native ones that

leverage serverless architecture.

These applications are still vulnerable to

XSS, data exfiltration, DDoS attacks, etc.

ALTERNATIVES

Code reviews and a rigid security posture

when developing cloud applications.

Cloud-native applications rely on API calls to an API Gateway provided by the cloud provider. F5

Application Security Manager protects all calls made to the API Gateway, validating all requests

before sending them to be processed by the application itself.

F5 has been protecting applications and APIs for a long time and is recognized as a leader in this

market. As a full-proxy solution, caching requests that would consume cloud resources, F5 can

also improve performance and reduce usage bills.

SOLUTION

API Protection

Application

Attacker

Users

API Gateway