Peeling the Web Application Security Onion Without Tears

Noam Lorberbaum, Sr. Engineering Manager, Adobe Document Cloud linkedin
Keith Mashinter, Sr. Computer Scientist, Adobe Document Cloud twitter, linkedin
BSidesSF. February 23rd, 2020.
💬 abstract 🖥 slides 📹️ video

In this talk, Noam and Keith describe the prior architecture for Adobe’s Document Cloud web application, some secure-by-default services and frameworks Adobe has developed that can be leveraged by the rest of the organization, and the new architecture they’ve moved to and its associated hardening steps and security best practices.

Building Reusable Security Controls

The biggest, most important takeaway from this talk is the value in investing in robust, secure by default services and infrastructure that can be used across an organization. This lets you solve a problem domain once, well, and then reap those security wins everywhere.

One Standard to Rule Them All

One particular aspect of this I found especially interesting is that they evaluated over 10 different standards (e.g. SOC, FedRAMP, ISO 27001, HITRUST) with around ~1,350 control requirements, and distilled that down to ~290 common controls across 20 control domains.

Holy cow, that is a lot of work! But once you do it, you know that if you follow these controls you can (relatively) easily be compliant to a vast number of relevant standards. Pretty smart 👍

The URL the slides provide will take you to a form where you have to enter your email to see the document. Fortunately, I gotchu my friend, go here to see the PDF directly.

Security Control Examples

The talk then gives several example of security controls, including an Identity Management Service based on OAuth 2.0, a shared cloud platform for storing data, and CI/CD infrastructure.

Ethos is a standardized container-based way that Adobe teams can do CI/CD. It’s compliant to their Common Control Framework, has centralized, hardened base containers, supports multiple environments (e.g. dev, stage, and production), and will later support Kubernetes for container orchestration.

New Architecture

The rest of the talk walks through various aspects of their new architecture.

They cover their CDN, securing the NGINX proxy server, protecting AWS S3 buckets, using React, Adobe.io gateway authentication and service token signing, and more.

One part I found interesting is how NGINX is used in several ways to enhance security, including adding a strong Content-Security-Policy and several security-focused headers, like X-XSS-Protection, X-Content-Type-Options "nosniff", Strict-Transport-Security, X-Frame-Options 'SAMEORIGIN', etc., as well as what’s listed below.

This idea of using a proxy to add security properties is also discussed in Hongyi Hu’s excellent AppSec Cali 2019 talk, The Call is Coming From Inside the House: Lessons in Securing Internal Apps, which I highly recommend.