Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Computing Foundation / KubeCon + CloudNativeCon North America 2020 - Virtual / 4 Dec 2020
Cloud Native Computing Foundation / KubeCon + CloudNativeCon North America 2020 - Virtual / 4 Dec 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Sponsored Keynote: Marvin, Where is My Secure API? - Vijoy Pandey, Vice President

Description

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2021 Virtual from May 4–7, 2021. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Sponsored Keynote: Marvin, Where is My Secure API? - Vijoy Pandey, Vice President, Engineering for Emerging Technologies and Incubations, Cisco

Modern cloud native developers use APIs and services from a variety of organic, public cloud and SaaS offers to build their apps and drive velocity. Unfortunately, this implies that the developer, security teams, infrastructure teams, the responsible SREs, and the management chain (e.g., CISOs) are out-of-sync and in the dark on the security ramifications behind any developer’s API choices. And worse, they have no visibility to the security exposure of the app's customers and their data. This talk will highlight these challenges due to the velocity mismatch between these teams, the potential lack of compliance, and the risk to customer data due to these API decisions. We will explore how solving it earlier in the application development lifecycle will lower the cost of the exposure of the entire software (and hardware) stack as well as what needs to be done in the community to solve these problems in a software-driven manner. It’s time to Go Up and Shift Left.

https://sched.co/ep5B

A

Hello folks, I'm v and welcome to kubecon, and I'm here to ask marvin about where my secure apis are. It's also an ask for the community to step up our application security game, but before we begin, we have to ask so who is marvin?

A

If you haven't read the hitchhiker's guide to the galaxy, go and get a copy now, marvin is a robot with a brain, the size of a planet by his own account. He is at least 50 000 times smarter than a human, but he is being made to park. Cars pick papers, check, airlocks, not really job satisfaction worthy, since he is built with genuine people, personality or gpp tech. He also has human emotions, so he gets depressed with all of this mindless work but, most importantly, he is a paranoid.

A

Android and all of these properties make him very suited for the state of affairs around api security, as you should find out, but first a little bit of historical context around the transformation to cloud native. As we all know, app architectures are changing from monolithic, bare metal or vms to composable or cloud native. Therefore, infrastructure is changing from monolithic to composable as well, and so are the operational paradigms and organizational structures.

A

Over the last three qube cons, we have discussed how the network needed to evolve, to handle this transformation to cloud native through the network service mesh project and today we're looking at this cloud native developer as she is building her new app moving fast, utilizing, the trove of apis from public cloud providers, sas providers and other services.

A

She is faced with the dependency graph complexity of a modern, globally distributed micro service based app security in such an architecture is a marvin brain size problem. By the way, this is the microservice dependency graph of the monzo banking app and, as she uses these globally distributed apis, which are either homegrown or from external providers.

A

The quality and security of these remote services is often unknown. The pivot on api reputation is not inherently part of the ci cd process, which might put your customers data eventually at risk.

A

This risk causes all kinds of unwanted behavior developers want convenience and velocity security, sre secops and csos pound the table for reviews and are still unsure whether the 2000 api is being used are safe or compliant platform and cloud engineers are always worried that insecure code has been pushed to prod and all of these reviews and gates and meetings, just add complexity and opacity to the simple job of developing and deploying fast, seeing all of this marvin the paranoid android with the weight of the world on his shoulders steps.

A

In with this depressing quote: wouldn't it be nice if there really was a marvin with a planet-sized brain who could be observing the entire application life cycle from repo to runtime and identify the risks of using an api to all the teams concerned, report that risk to security, sre, secops and csos, and maybe even remediate that risk to customer data before it happens.

A

Now that is indeed a marvin size problem, but do not underestimate marvin. He could simultaneously plan the entire planet's military strategy and solve all of these major problems of the universe three times over and in parallel. Also compose a number of lullabies, if you could do all of that, he could surely solve for the application and api security problem.

A

So what would the app lifecycle look like if we had this marvin, the developer would pick marvin, curated, apis and move fast fast, fast marvin would notify security teams of possible issues and remediations continuously and cloud platform teams could rest easy, knowing they can report compliance in a real-time manner, and how would we train this marvel? What are its boundary conditions? What are its parameters?

A

First and foremost, we have to realize that it's all about protecting your customers, data, the open internet, is really the runtime for all modern cloud native apps security attacks risk, both clients, users and other services, other applications and the new perimeter of apps and security is really diffuse and almost narrows down to an api or data object.

A

What would be some of the app specific questions we could ask this marvin? Is the correct in-house service image or artifact being used in creating a new app? Are we integrating with compliant third-party apis?

A

Are we tracking rpc calls to make sure we do not import nefarious data and are we using mitre and ova's attack taxonomies to ensure safety for our apps?

A

Some of the broader questions we have to ask ourselves as the community could be if a distributed app does get broken into. Do we have all the tooling to drive, mean time to detect and debug down? Can we formally model and verify the correctness of the logic in our business apps even across layers?

A

Can we, the community help spread the word on api misuse if we aren't able to step up to the plate and answer these questions, I'm afraid marvin has this to say to you.

A

Thank you for listening, please reach out to me. I would love to continue the conversation visit us at the cisco booth, where we have demos on app security, app and infra. Observability cloud-native networking a lot more and we are hiring and we would love to have you on board. Thank you.