Welcome!

Cloud Security Authors: Derek Weeks, Elizabeth White, Ed Featherston, Darren Anstee, Liz McMillan

Related Topics: @CloudExpo, Microservices Expo, Containers Expo Blog, Cloud Security, @DevOpsSummit

@CloudExpo: Article

Serverless Security | @DevOpsSummit #DevOps #LowCode #Serverless

In case you haven’t heard, the new hotness in app architectures is serverless

In case you haven’t heard, the new hotness in app architectures is serverless. Mainly restricted to cloud environments (Amazon Lambda, Google Cloud Functions, Microsoft Azure Functions) the general concept is that you don’t have to worry about anything but the small snippets of code (functions) you write to do something when something happens. That’s an event-driven model, by the way, that should be very familiar to anyone who has taken advantage of a programmable proxy to do app or API routing and rewriting or executed inspection of requests or responses for malicious content.

The “events” that trigger functions in a serverless app architecture are, by nature, related to application interaction with users. When a user clicks this button, or enters data in that field, a function is triggered that does something interesting.

In the network, the “events” that trigger functions on a programmable proxy are related to the app (HTTP) and transport (TCP) protocol states. When a request or response is received or a TCP connection is opened, the event can trigger a snippet of code that executes on the proxy, before the app or the user gets to see it.

Now, one can easily liken this to serverless computing, and in the sense that the person who codes up the actual ‘function’ doesn’t need to care about the underlying server on which the proxy is deployed and the code executes based on an event. There are aspects that aren’t the same (yet) like auto-scaling and provisioning because obviously on a few programmable infrastructure components capable of this level of application-like functionality, but in general the concept applies well. Particularly in the realm of security.

It’s been said before (many times, I know, because I’ve been beating the drum for a long time) that application security is a stack. That is, there’s more than meets the eye when it comes to securing applications against attacks, and a comprehensive strategy must include the ability to protect not only the app but its platform and protocols, too. Programmable proxies enable that strategy to manifest itself by providing a platform on which functions can be quickly developed and deployed to protect against zero-day exploits, newly discovered vulnerabilities, and other security issues that can’t as readily be addressed in the application or its supporting web platform. That may mean blocking Heartbleed while a plan is formulated to patch three hundred vulnerable servers. It may mean deploying a small snippet of logic to detect and prevent a code-level vulnerability in a commercial app or platform while waiting for a patch from the vendor.

It may mean simply inserting the appropriate Content-Security-Policy (CSP) headers into responses while the request for developers to address in the app slowly creeps up app dev’s list of priorities.

What are those? I’m glad you asked, because this is an excellent example of how to use the event-driven nature of a programmable proxy to implement a quick fix and secure apps against a variety of potential threats.

In a nutshell, CSP are just HTTP headers. Diogo Monica over at Docker has a great article on digging into CSP. I highly recommend giving it a read.

CSP are just HTTP headers. Their purpose is to help detect and prevent a variety of attacks such as XSS and injection-based attacks. They work on a whitelist model, and lets you restrict the sources of various types of content such as scripts, style sheets, and images, all of which have been used in the past as attack transports into the organization. For example, the following policy restricts the browser to loading data and scripts from only the domain f5.com:

Content-Security-Policy: default-src data: f5.com; script-src 'self' f5.com;

This policy header restricts the browser to loading content only with a base URI of “https://f5.com/base”:

Content-Security-Policy: base-uri https://f5.com/base/;

If you want to play around with generating CSP headers, check out Scott Helme’s CSP Builder. It’s fantabulous.

Now, because these are just HTTP headers, that means a programmable proxy like BIG-IP can insert them on the way out to the user. You might want to do that because the developers didn’t add them to the app, or the app is third-party (commercial) and you can’t force it to add them, or because you want to implement a corporate wide (standardized) security policy without having to modify every single web application you serve up (our research says that’s a lot for the average org, like 300+). And it’s pretty painless to implement.

Really, I just did it to make sure and if I can do it, well…

Assuming you’re using node.js (cause you can do that now with iRules LX, but you knew that, right?) you can add a simple line of code (line #2) to insert a CSP header:

1: function handleRequest(request, response){

2: response.setHeader("Content-Security-Policy", "base-uri: https://f5.com/base;");

3: console.log("Response headers: ", response.getHeader("Content-Security-Policy"));

4: response.end('CSP headers added\n');

5: }

Note the surrounding code was just for testing; it’s a simple HTTP server I play with from time to time for things like this. You’d obviously want the policy to match you own and maybe be loaded from a central repository (infrastructure as code, and all that). So YMMV on “easy” depending on how mature/complex your security and delivery architecture is.

It really is that easy to add an HTTP header to outgoing responses, and it’s a great way to beef up security by enforcing some basic content-based restrictions across all applications without having to modify each and every one.

Happy (Secure) Coding!

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

@ThingsExpo Stories
IoT is fundamentally transforming the auto industry, turning the vehicle into a hub for connected services, including safety, infotainment and usage-based insurance. Auto manufacturers – and businesses across all verticals – have built an entire ecosystem around the Connected Car, creating new customer touch points and revenue streams. In his session at @ThingsExpo, Macario Namie, Head of IoT Strategy at Cisco Jasper, will share real-world examples of how IoT transforms the car from a static p...
Fifty billion connected devices and still no winning protocols standards. HTTP, WebSockets, MQTT, and CoAP seem to be leading in the IoT protocol race at the moment but many more protocols are getting introduced on a regular basis. Each protocol has its pros and cons depending on the nature of the communications. Does there really need to be only one protocol to rule them all? Of course not. In his session at @ThingsExpo, Chris Matthieu, co-founder and CTO of Octoblu, walk you through how Oct...
Web Real-Time Communication APIs have quickly revolutionized what browsers are capable of. In addition to video and audio streams, we can now bi-directionally send arbitrary data over WebRTC's PeerConnection Data Channels. With the advent of Progressive Web Apps and new hardware APIs such as WebBluetooh and WebUSB, we can finally enable users to stitch together the Internet of Things directly from their browsers while communicating privately and securely in a decentralized way.
"My role is working with customers, helping them go through this digital transformation. I spend a lot of time talking to banks, big industries, manufacturers working through how they are integrating and transforming their IT platforms and moving them forward," explained William Morrish, General Manager Product Sales at Interoute, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
The Internet of Things can drive efficiency for airlines and airports. In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect with GE, and Sudip Majumder, senior director of development at Oracle, will discuss the technical details of the connected airline baggage and related social media solutions. These IoT applications will enhance travelers' journey experience and drive efficiency for the airlines and the airports. The session will include a working demo and a technical d...
Why do your mobile transformations need to happen today? Mobile is the strategy that enterprise transformation centers on to drive customer engagement. In his general session at @ThingsExpo, Roger Woods, Director, Mobile Product & Strategy – Adobe Marketing Cloud, covered key IoT and mobile trends that are forcing mobile transformation, key components of a solid mobile strategy and explored how brands are effectively driving mobile change throughout the enterprise.
Developing software for the Internet of Things (IoT) comes with its own set of challenges. Security, privacy, and unified standards are a few key issues. In addition, each IoT product is comprised of (at least) three separate application components: the software embedded in the device, the back-end service, and the mobile application for the end user’s controls. Each component is developed by a different team, using different technologies and practices, and deployed to a different stack/target –...
Identity is in everything and customers are looking to their providers to ensure the security of their identities, transactions and data. With the increased reliance on cloud-based services, service providers must build security and trust into their offerings, adding value to customers and improving the user experience. Making identity, security and privacy easy for customers provides a unique advantage over the competition.
SYS-CON Events announced today that Commvault, a global leader in enterprise data protection and information management, has been named “Bronze Sponsor” of SYS-CON's 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Commvault is a leading provider of data protection and information management solutions, helping companies worldwide activate their data to drive more value and business insight and to transform moder...
SYS-CON Events has announced today that Roger Strukhoff has been named conference chair of Cloud Expo and @ThingsExpo 2016 Silicon Valley. The 19th Cloud Expo and 6th @ThingsExpo will take place on November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. "The Internet of Things brings trillions of dollars of opportunity to developers and enterprise IT, no matter how you measure it," stated Roger Strukhoff. "More importantly, it leverages the power of devices and the Interne...
Personalization has long been the holy grail of marketing. Simply stated, communicate the most relevant offer to the right person and you will increase sales. To achieve this, you must understand the individual. Consequently, digital marketers developed many ways to gather and leverage customer information to deliver targeted experiences. In his session at @ThingsExpo, Lou Casal, Founder and Principal Consultant at Practicala, discussed how the Internet of Things (IoT) has accelerated our abil...
Digital innovation is the next big wave of business transformation based on digital technologies of which IoT and Big Data are key components, For example: Business boundary innovation is a challenge to excavate third-party business value using IoT and BigData, like Nest Business structure innovation may propose re-building business structure from scratch, as Uber does in the taxicab industry The social model innovation is also a big challenge to the new social architecture with the design fr...
If you had a chance to enter on the ground level of the largest e-commerce market in the world – would you? China is the world’s most populated country with the second largest economy and the world’s fastest growing market. It is estimated that by 2018 the Chinese market will be reaching over $30 billion in gaming revenue alone. Admittedly for a foreign company, doing business in China can be challenging. Often changing laws, administrative regulations and the often inscrutable Chinese Interne...
So, you bought into the current machine learning craze and went on to collect millions/billions of records from this promising new data source. Now, what do you do with them? Too often, the abundance of data quickly turns into an abundance of problems. How do you extract that "magic essence" from your data without falling into the common pitfalls? In her session at @ThingsExpo, Natalia Ponomareva, Software Engineer at Google, provided tips on how to be successful in large scale machine learning...
In his session at @ThingsExpo, Kausik Sridharabalan, founder and CTO of Pulzze Systems, Inc., will focus on key challenges in building an Internet of Things solution infrastructure. He will shed light on efficient ways of defining interactions within IoT solutions, leading to cost and time reduction. He will also introduce ways to handle data and how one can develop IoT solutions that are lean, flexible and configurable, thus making IoT infrastructure agile and scalable.
Data is an unusual currency; it is not restricted by the same transactional limitations as money or people. In fact, the more that you leverage your data across multiple business use cases, the more valuable it becomes to the organization. And the same can be said about the organization’s analytics. In his session at 19th Cloud Expo, Bill Schmarzo, CTO for the Big Data Practice at EMC, will introduce a methodology for capturing, enriching and sharing data (and analytics) across the organizati...
SYS-CON Events announced today that Bsquare has been named “Silver Sponsor” of SYS-CON's @ThingsExpo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. For more than two decades, Bsquare has helped its customers extract business value from a broad array of physical assets by making them intelligent, connecting them, and using the data they generate to optimize business processes.
Internet of @ThingsExpo has announced today that Chris Matthieu has been named tech chair of Internet of @ThingsExpo 2016 Silicon Valley. The 6thInternet of @ThingsExpo will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, wh...
Video experiences should be unique and exciting! But that doesn’t mean you need to patch all the pieces yourself. Users demand rich and engaging experiences and new ways to connect with you. But creating robust video applications at scale can be complicated, time-consuming and expensive. In his session at @ThingsExpo, Zohar Babin, Vice President of Platform, Ecosystem and Community at Kaltura, will discuss how VPaaS enables you to move fast, creating scalable video experiences that reach your...