The presentation discusses the use of OpenTelemetry for application security and highlights four points: use modern tools, collect all available cloud-native information, repurpose open-source tools, and prioritize observability to make applications more secure.
- Modern problems require modern solutions, and application security testing tools need to evolve to keep up with changing vulnerabilities in modern applications.
- Collecting all available cloud-native information, such as traces and infrastructure configuration, is crucial when addressing vulnerabilities in cloud-native applications.
- Open-source tools, such as OpenTelemetry, can be repurposed for application security purposes to make organizations more secure.
- Observability is essential for understanding the real risk of microservices-based and Kubernetes-based applications, and analyzing each microservice separately without knowledge of the surrounding infrastructure is insufficient.
The presentation provides an example of using OpenTelemetry for AppSec: tracing an HTTP request from an external API to an internal service, identifying a vulnerability along that path, and connecting the information collected by OpenTelemetry to a static analysis tool so the vulnerability can be prioritized by whether it actually sits on an internet-reachable flow. The speaker emphasizes the importance of collecting all available cloud-native information and utilizing open-source tools to make applications more secure.
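The correlation step described above, as an added example that is not code from the presentation: a trace is walked from its internet-facing root span through the message-queue hop to the internal consumer, and static-analysis findings on functions reached by such a flow are ranked first. The spans, findings, attribute names and the `INTERNET_FACING_SERVICES` allow-list are constructed for illustration (span attributes mirror OpenTelemetry semantic conventions, but the data is not real exporter output).

```python
from collections import defaultdict

# Constructed spans in a simplified OTLP-like shape (not real exported data):
# an internet-facing API span, the message-queue hop, and the internal consumer.
SPANS = [
    {"trace_id": "t1", "span_id": "a", "parent_span_id": None, "service": "api-gateway",
     "kind": "SERVER", "attrs": {"http.route": "/orders", "code.function": "create_order"}},
    {"trace_id": "t1", "span_id": "b", "parent_span_id": "a", "service": "api-gateway",
     "kind": "PRODUCER", "attrs": {"messaging.destination.name": "orders"}},
    {"trace_id": "t1", "span_id": "c", "parent_span_id": "b", "service": "order-worker",
     "kind": "CONSUMER", "attrs": {"messaging.destination.name": "orders", "code.function": "handle_order"}},
    {"trace_id": "t1", "span_id": "d", "parent_span_id": "c", "service": "order-worker",
     "kind": "INTERNAL", "attrs": {"code.function": "render_invoice"}},
    # A second trace rooted in an internal scheduled job; it never starts from the internet.
    {"trace_id": "t2", "span_id": "e", "parent_span_id": None, "service": "order-worker",
     "kind": "INTERNAL", "attrs": {"code.function": "nightly_cleanup"}},
]

# Constructed static-analysis findings as (service, function, rule); not real scanner output.
FINDINGS = [
    ("order-worker", "render_invoice", "template-injection"),
    ("order-worker", "nightly_cleanup", "path-traversal"),
    ("api-gateway", "create_order", "missing-input-validation"),
]

# Assumption: the operator lists which services are exposed to the internet.
INTERNET_FACING_SERVICES = {"api-gateway"}


def internet_reachable_functions(spans):
    """Return {(service, function)} for every span reached by a trace whose root is
    an HTTP SERVER span on an internet-facing service (the MQ hop is followed too)."""
    children = defaultdict(list)
    for s in spans:
        children[s["parent_span_id"]].append(s)
    reached = set()
    for root in children[None]:
        if root["kind"] != "SERVER" or "http.route" not in root["attrs"]:
            continue
        if root["service"] not in INTERNET_FACING_SERVICES:
            continue
        stack = [root]
        while stack:  # depth-first walk of the trace tree
            s = stack.pop()
            fn = s["attrs"].get("code.function")
            if fn:
                reached.add((s["service"], fn))
            stack.extend(children[s["span_id"]])
    return reached


def prioritize(findings, spans):
    """Tag each finding 'high' if its function lies on an internet-reachable flow, else 'low',
    and return the list with 'high' findings first (original order otherwise preserved)."""
    reached = internet_reachable_functions(spans)
    ranked = [("high" if (svc, fn) in reached else "low", svc, fn, rule) for svc, fn, rule in findings]
    return sorted(ranked, key=lambda r: r[0] != "high")
```

Findings on functions that only appear in traces rooted internally (here `nightly_cleanup`) drop to the bottom, which is the prioritization the speaker describes; a function with no trace at all is also ranked low, so trace coverage gaps directly affect the ranking.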
The composition of application vulnerabilities has changed as a result of the shift from monolithic applications to cloud native applications, but application security testing hasn't kept up, and the security of cloud native applications is at risk. In this presentation, we'll explore how vulnerabilities have evolved in the shift from monolithic to cloud native and microservices. We'll see how cloud native vulnerabilities are executed, and how they look more like vulnerable flows than like a single static bug. Starting with an overview of OpenTelemetry, we'll explore what observability is, why it's needed in modern software development, and how it works. We'll then dive into a real life example of a 'cloud native vulnerability', and how OpenTelemetry helps us detect it.

We will:
• Demonstrate a Kubernetes application with two microservices, and a message queue in between them. One microservice exposes an API to the internet, and a payload continues through the MQ up to the internal microservice.
• Deploy the application & show the attack
• Install OpenTelemetry manually on the environment, and show a vulnerable flow in Jaeger

We will also look at the challenges:
• Additional security related instrumentation
• Test coverage - you don't know what you don't know
• Installation process