Peeling the Web Application Security Onion Without Tears
Lessons from Adobe in how building reusable, secure-by-default services and infrastructure improves your security and reduces compliance burden.
Noam Lorberbaum, Sr. Engineering Manager, Adobe Document Cloud linkedin
Keith Mashinter, Sr. Computer Scientist, Adobe Document Cloud twitter, linkedin
BSidesSF. February 23rd, 2020.
💬 abstract 🖥 slides 📹️ video
In this talk, Noam and Keith describe the prior architecture for Adobe’s Document Cloud web application, some secure-by-default services and frameworks Adobe has developed that can be leveraged by the rest of the organization, and the new architecture they’ve moved to and its associated hardening steps and security best practices.
In peak Adobe fashion, if you download the slides, you need a password to print or export it.
Building Reusable Security Controls
The biggest, most important takeaway from this talk is the value in investing in robust, secure by default services and infrastructure that can be used across an organization. This lets you solve a problem domain once, well, and then reap those security wins everywhere.
One Standard to Rule Them All
One particular aspect of this I found especially interesting is that they evaluated over 10 different standards (e.g. SOC, FedRAMP, ISO 27001, HITRUST) with around ~1,350 control requirements, and distilled that down to ~290 common controls across 20 control domains.
Holy cow, that is a lot of work! But once you do it, you know that if you follow these controls you can (relatively) easily be compliant to a vast number of relevant standards. Pretty smart 👍
Security Control Examples
The talk then gives several example of security controls, including an Identity Management Service based on OAuth 2.0, a shared cloud platform for storing data, and CI/CD infrastructure.
Ethos is a standardized container-based way that Adobe teams can do CI/CD. It’s compliant to their Common Control Framework, has centralized, hardened base containers, supports multiple environments (e.g. dev, stage, and production), and will later support Kubernetes for container orchestration.
Container-based Multi-Cloud CI/CD
The rest of the talk walks through various aspects of their new architecture.
They cover their CDN, securing the NGINX proxy server, protecting AWS S3 buckets, using React, Adobe.io gateway authentication and service token signing, and more.
One part I found interesting is how NGINX is used in several ways to enhance security, including adding a strong
Content-Security-Policy and several security-focused headers, like
X-Frame-Options 'SAMEORIGIN', etc., as well as what’s listed below.
This idea of using a proxy to add security properties is also discussed in Hongyi Hu’s excellent AppSec Cali 2019 talk, The Call is Coming From Inside the House: Lessons in Securing Internal Apps, which I highly recommend.