Auto-Scaling Web Application Security in the Cloud presented at AppSecUSA 2014

by Misha Govshteyn

Summary: Securing web applications has placed extreme demands on security professionals. In addition to understanding attack patterns and defense tactics, effectively protecting web apps requires some level of programming and database management expertise. With broad adoption of public clouds, this bar is rising once again. Today's cloud-enabled applications scale up well beyond previous web applications. It is not unusual for cloud-enabled web applications to have an infrastructure footprint that changes within minutes and scales to millions of users. This has placed a greater burden on securing these applications. How can you design auto-scaling security to match these rapidly scaling web applications? Older-style web application defenses and security almost always fail. Additional web application security capacity added days or even weeks after the server farm has grown and begun processing live transactions is not acceptable.
In this session the audience will learn several approaches to auto-scaling web application security, using practical examples built around Amazon Web Services. The audience will learn about:
• Common techniques and tools used to provide security for auto-scaling web applications, including Chef/Puppet, CloudFormation and Elastic Load Balancer.
• Role of auto-scaling groups and common requirements for management APIs in automatically deploying web security infrastructure.
• Common scaling triggers and mechanics by which web application security infrastructure must scale to operate in lockstep with elastic web server farms.
• The impact Platform-as-a-Service (PaaS) offerings have on auto-scaling web application security, and approaches to deploying application security controls embedded directly into web applications.
While this session is primarily designed for an advanced audience with a strong understanding of IP networking, web application security fundamentals and experience in managing security infrastructure in a public cloud environment, the information covered will also be of interest to intermediate attendees who set technology strategy and formulate requirements for cloud security controls.
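As an added illustration of the lockstep-scaling points in the session outline (this is not code from the talk or its author), the following Python sketch consumes the launch and terminate notifications an auto-scaling group publishes and computes the capacity a separate security tier must hold so it never lags the web farm. The group names, the two-web-servers-per-inspection-node ratio and the sample notifications are constructed assumptions; applying the result to the security tier's own group through a management API is left out.

```python
import math

# Constructed sample notifications in the shape AWS Auto Scaling emits for
# launch and terminate events (Event / AutoScalingGroupName / EC2InstanceId).
SAMPLE_NOTIFICATIONS = [
    {"Event": "autoscaling:EC2_INSTANCE_LAUNCH", "AutoScalingGroupName": "web-asg", "EC2InstanceId": "i-0aaa"},
    {"Event": "autoscaling:EC2_INSTANCE_LAUNCH", "AutoScalingGroupName": "web-asg", "EC2InstanceId": "i-0bbb"},
    {"Event": "autoscaling:EC2_INSTANCE_LAUNCH", "AutoScalingGroupName": "web-asg", "EC2InstanceId": "i-0ccc"},
    {"Event": "autoscaling:EC2_INSTANCE_TERMINATE", "AutoScalingGroupName": "web-asg", "EC2InstanceId": "i-0bbb"},
    {"Event": "autoscaling:EC2_INSTANCE_LAUNCH", "AutoScalingGroupName": "other-asg", "EC2InstanceId": "i-0zzz"},
]

def required_security_capacity(web_count, web_per_node=2, minimum=1):
    """Inspection nodes needed so none fronts more than web_per_node web servers (ratio is an assumption)."""
    return max(minimum, math.ceil(web_count / web_per_node))

class LockstepPlanner:
    """Tracks the web tier's live members and emits the capacity the security tier must match."""
    def __init__(self, web_group, web_per_node=2, minimum=1):
        self.web_group = web_group
        self.web_per_node = web_per_node
        self.minimum = minimum
        self.web_instances = set()
        self.security_capacity = minimum  # start with the floor; nothing is fronted yet

    def handle(self, notification):
        """Apply one notification; return (action, security capacity after it)."""
        if notification.get("AutoScalingGroupName") != self.web_group:
            return ("ignore", self.security_capacity)  # another group's event
        event = notification.get("Event", "")
        instance = notification.get("EC2InstanceId")
        if event == "autoscaling:EC2_INSTANCE_LAUNCH":
            self.web_instances.add(instance)
        elif event == "autoscaling:EC2_INSTANCE_TERMINATE":
            self.web_instances.discard(instance)
        else:
            return ("ignore", self.security_capacity)  # launch/terminate errors etc.
        wanted = required_security_capacity(len(self.web_instances), self.web_per_node, self.minimum)
        action = "scale-out" if wanted > self.security_capacity else \
                 "scale-in" if wanted < self.security_capacity else "hold"
        self.security_capacity = wanted
        return (action, wanted)

def replay(notifications, web_group="web-asg", web_per_node=2):
    """Feed a notification stream through one planner and collect each decision."""
    planner = LockstepPlanner(web_group, web_per_node)
    return [planner.handle(n) for n in notifications]

if __name__ == "__main__":
    for n, decision in zip(SAMPLE_NOTIFICATIONS, replay(SAMPLE_NOTIFICATIONS)):
        print(n["Event"], n["AutoScalingGroupName"], "->", decision)
```

Because the decision is driven by the web group's own scaling events rather than by a separate, slower signal, the security tier's capacity is recomputed the moment the farm changes, which is the lockstep behaviour the outline calls for.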