Authors: Eli Nesterov
2022-11-18

Enabling production-level TLS/mTLS for applications and APIs often requires a lot of effort and cross-team collaboration. It is easier for north-south and Internet-facing traffic but much harder for east-west traffic and internal applications. Adding secure authentication on top of that is an even harder task.

As developers, we want to focus on business logic, adding new features, and shipping products. So it is not a surprise that we often push adding transport-level security and secure authentication till the very last moment and then rush to enable it. Sounds familiar? This situation often leads to different "bolt-on" security solutions as a compromise. It lets development teams focus on the business logic, with security features added transparently through various mechanisms like sidecars, service meshes, and API gateways.

What if there is a better way? What if we could build apps and APIs with automated mTLS and secure authentication without adding friction for developers?

In this talk, we'll discuss SPIFFE and SPIRE and how you can use them to secure microservice communication automatically. We'll look into different SPIRE architecture models and usage scenarios and examine ways to enable it by default, removing friction for developers. I'll demonstrate different use cases, including transparent authentication to AWS, GCP, or Azure cloud services through federation, even if you are running in your on-prem data center.
Authors: Zohar Shchar, Dmitry Ryskin
2022-11-18

When doing application security for an API-centric enterprise spanning thousands of microservices, Dynamic Application Security Testing (DAST) is almost a must-have. However, DAST products often fail to execute even the most rudimentary tests on internal endpoints that require a complex user flow. If an API call requires an ID that was obtained in the response body five HTTP calls ago, the chances that a traditional DAST will be able to test your API are slim.

In this talk we'll present our approach for solving this issue by leveraging existing headless-Chrome test suites (built by the engineers as part of the R&D flow) to serve as the attack surface for our custom DAST solution, Krampus. By using Chromium interceptors, we were able to introduce appsec payloads into HTTP requests issued during the execution of normal 'user flow' test scenarios (and pick up the results), giving us an effective DAST for internal APIs and endpoints.

It wasn't smooth sailing, though, with many challenges along the way. In particular, we realized that replicating each API call and parameter with a separate test would mean that the number of our test calls grows exponentially, pushing up both cost and overhead. As many of our APIs also include dynamic parameters as part of the path, we had to build an API asset DB to understand if and when a specific URL was already tested (code for which we plan to release as open source).

At the end of the talk the participants will have the tools to leverage similar testing suites in their own orgs to drastically improve the quality and coverage of the automatic testing in their environment.
Authors: Alexander Barabanov
2021-09-24

TL;DR (generated summary)

The presentation focuses on providing practical tips for conducting a basic security assessment of microservice-based systems to find microservice-specific vulnerabilities.
  • Microservice architecture is increasingly used for designing and implementing application systems, but it brings new security architecture patterns and approaches that may lead to vulnerabilities.
  • The presentation provides approaches and practical tips for conducting a basic security assessment of microservice-based systems to find microservice-specific vulnerabilities.
  • The research results were extracted during multiple security assessments, then collected, structured, and contributed to the OWASP community.