OWASP Global AppSec US 2021
Friday, November 12 • 11:00am - 12:00pm
Why checking your infrastructure-as-code for misconfigurations is not enough – How to secure your cloud native applications


Misconfigurations are often the focus of security for cloud-native applications, and for good reason. Back in 2017, more than 60,000 files from the U.S. Department of Defense were left unsecured on an Amazon S3 repository, available to the public. Earlier this year, Hobby Lobby accidentally exposed 136 GB of sensitive data for 300,000 customers.
Most organizations focus on checking misconfigurations post-deployment. With the adoption of infrastructure-as-code, many organizations are now looking to identify misconfigurations earlier in the development lifecycle by assessing the infrastructure-as-code. This is certainly a very important practice to avoid the unforced errors we see in the news so often, but the security challenges we face are broader.

Despite the many high-profile breaches caused by misconfigurations, focusing security only around fixing these errors ignores the larger security design flaws in the application architecture. It’s akin to a building inspector checking that all the doors have locks without bothering to make sure the structure is sound. If your application has inherent design flaws, then not only is this going to expose the business to security risks, but it will also create security debt that will be costly to pay off.

We need a more dynamic and comprehensive approach to securing cloud-native applications that focuses on security & compliance by-design. We need to holistically consider the security and compliance objectives of the application and be able to assess how well the application architecture is meeting these objectives. Fortunately, with the adoption of infrastructure-as-code, application architectures are now represented as code, and organizations can leverage automation to assess the design of their cloud-native application.

This session will focus on best practices for dynamically and comprehensively assessing the security design of a cloud-native application.

Aakash Shah

CTO, Oak9
Aakash is the CTO of Oak9. He is focused on building foundational security capabilities to help customers transform their security practice and deliver dynamic, comprehensive & risk-appropriate security that enables the velocity of modern software development. Aakash is a proven leader...

Friday November 12, 2021 11:00am - 12:00pm PST