Your practical handbook for securing cloud-native applications KEY FEATURES ● An overview of security in cloud-native applications, such as modern architectures, containers, CI/CD pipeline, and so on. ● Using automation, such as infrastructure as code and policy as code, to achieve security at scale. ● Implementing security, from encryption and secrets management to threat management. DESCRIPTION Security for cloud-native applications is an overview of cloud-native application’s characteristics from a security point of view, filled with best practices for securing services based on AWS, Azure, and GCP infrastructure. This book is a practical guide for securing cloud-native applications throughout their lifecycle. It establishes foundational knowledge of cloud services and cloud-native characteristics. It focuses on securing design approaches like APIs, microservices, and event-driven architectures. Specific technologies like containers, Kubernetes, and serverless functions are covered with security best practices. The book emphasizes integrating security throughout development using CI/CD pipelines and IaC tools. It explores policy as code for enforcing security policies and immutable infrastructure for enhanced security posture. Key management and threat detection strategies are also covered. Finally, the book offers a practical example and resources for further learning. By the end of the book, the reader will be able to design and secure modern applications using the public cloud scale, managed services, automation, and built-in security controls. WHAT YOU WILL LEARN ● How to secure modern design architectures from APIs, event-driven architectures, and microservices. ● How to secure applications using containers and the Kubernetes platform. ● How to secure applications using serverless/function-as-a-service. ● How to implement key and secrets management as part of cloud-native applications. ● How to implement the 12-factor application methodology and immutable infrastructure in cloud-native applications. WHO THIS BOOK IS FOR This book is for security professionals, software development teams, DevOps and cloud architects, and all those who are designing, maintaining, and securing cloud-native applications. TABLE OF CONTENTS 1. Introduction to Cloud Native Applications 2. Securing Modern Design Architectures 3. Containers and Kubernetes for Cloud Native Applications 4. Serverless for Cloud Native Applications 5. Building Secure CI/CD Pipelines 6. The 12-Factor Application Methodology 7. Using Infrastructure as Code 8. Authorization and Policy as Code 9. Implementing Immutable Infrastructure 10. Encryption and Secrets Management 11. Threat Management in Cloud Native Applications 12. Summary and Key Takeaways Cover Title Page Copyright Page Dedication Page About the Author About the Reviewer Acknowledgement Preface Table of Contents 1. Introduction to Cloud Native Applications Introduction Structure Objectives Recap of cloud services Cloud-native services Cloud-native applications Conclusion References 2. Securing Modern Design Architectures Introduction Structure Objectives Application programmable interfaces Understanding APIs Benefits of using APIs Common use cases for using APIs Best practices for securing APIs Transport layer Authentication and authorization HTTPS methods Input validation API Gateway Network and application controls Auditing Information leakage Event-driven architectures Understanding Event-driven architecture Pub/Sub model Event streaming model Benefits of using Event-driven architecture Common use cases for using Event-driven architecture External integration Cross-account/Cross-region data replication Business workflow APIs versus Event-driven architecture Communication method Data transfer size Development effort Resiliency to load and failure Best practices for securing Event-driven architecture Network layer Transport layer Encryption at rest Authentication and authorization Auditing Microservices architecture Understanding microservice architecture Benefits of using microservices architecture Decoupled architecture Scalability Fault isolation and resiliency Continuous Integration/Continuous Delivery Language and technology agnostic Common use cases for using microservices architecture Modernizing legacy applications Big data applications Real-time data processing Security in Microservices architecture Conclusion References 3. Containers and Kubernetes for Cloud Native Applications Introduction Structure Objectives Containers technology Understanding Containers Container components Benefits of using containers Excellent use of resources Reduced overhead Small footprint Scalability Portability Speed Developer experience Best practices for securing containers Container registry Least privileged user Read-only file system Container image size Container base image Container image signing Handling third-party vulnerabilities Secrets management Container host Network Layer (Docker images) Container operating systems Understanding container operating systems Benefits of container operating system Small footprint Improved security Update mechanism Immutable file system Fast boot time Examples of Container operating systems AWS Bottlerocket Google Container-optimized OS Kubernetes as a Container orchestrator Understanding Kubernetes Kubernetes components Control plane Serverless control plane Worker node Benefits of using Kubernetes Run anywhere Automation Community support Cloud support Self-healing capability Horizontal scaling capability Portability and vendor lock-in Cost efficiency Best practices for securing the Kubernetes platform Managed Kubernetes Container OS Confidential computing Pod Security Network layer Pod to Pod communication Service mesh Transport layer Certificate management Encryption at Rest Secrets management Authentication and authorization Configuration standard Security updates Auditing Conclusion References 4. Serverless for Cloud Native Applications Introduction Structure Objectives Serverless fundamentals Types of Serverless Services Compute Database Storage Application integration Benefits of using Serverless Time to market Scalability High availability Security Cost Introducing Serverless/Function as a Service Introducing AWS Lambda Introducing Azure Functions Introducing Google Cloud Functions Best practices for securing Serverless/Function as a Service Securing Containerized Functions Function isolation Network layer Transport layer Secrets management Authentication and authorization Code signing Vulnerability management Code repository Configuration Management Auditing Conclusion References 5. Building Secure CI/CD Pipelines Introduction Structure Objectives CI/CD pipeline fundamentals Static Application Security Testing tools Introducing Static Application Security Testing tools Embedding SAST as part of the CI/CD pipeline Examples of open-source SAST tools Software Composition Analysis tools Introducing SCA tools Embedding SCA tools as part of the CI/CD pipeline Examples of open-source SCA tools Static code analyzers for Infrastructure as Code Embedding IaC scanning tools as part of the CI/CD pipeline Examples of open-source IaC scanning tools Repositories and artifacts Using repositories as part of the CI/CD process Source code and library repositories AWS CodeCommit Azure Repos Google Cloud Source Repositories Artifact package repositories AWS CodeArtifact Azure Artifacts Google Artifact Registry Container image repositories Amazon Elastic Container Registry Azure Container Registry Google Artifact Registry Software supply chain Definition of software supply chain Common threats relating to the software supply chain Introducing Software bill of materials Amazon Inspector Azure SBOM Tool Google Artifact Analysis Best practices for securing the CI/CD pipeline Network layer Transport layer Authentication and authorization Design/Plan phase Code development phase Build phase Test phase Delivery phase Deployment phase Operational/Maintenance phase Auditing Conclusion References 6. The 12-Factor Application Methodology Introduction Structure Objectives The twelve-factor app methodology Introduction to the 12-Factors application methodology Codebase Security best practices Dependencies Security best practices Config Security best practices Backing services Security best practices Build, release, run Security best practices Processes Security best practices Port binding Security best practices Concurrency Disposability Security best practices Dev/prod parity Security best practices Logs Security best practices Admin processes Security best practices Conclusion References 7. Using Infrastructure as Code Introduction Structure Objectives Introduction to Infrastructure as Code IaC: Declarative versus imperative Imperative programming Declarative programming Benefits of using IaC AWS CloudFormation Introduction to AWS CloudFormation templates Best practices for securing AWS CloudFormation Identity management Secrets management Parameters management Syntax validation Policy as code Network connectivity Auditing HashiCorp Terraform Benefits of using Terraform Multi-cloud provider support Community support State management Authentication Authorization Best practices for securing Terraform Authentication and authorization Code repository State management Secrets management Static code analysis Policy as Code Auditing CI/CD pipeline Configuration management Using secure Terraform modules Terraform code samples Terraform modules on AWS Terraform modules on Azure Terraform modules on GCP Conclusion References 8. Authorization and Policy as Code Introduction Structure Objectives Introduction for Policy as Code Benefits of using Policy as Code Using AWS Service control policies Using Azure Policy Using Google Organization Policy service Introduction to the HashiCorp Sentinel framework Using Sentinel to complement Terraform modules Code samples for Sentinel policies Introduction to Open Policy Agent Benefits of using OPA Authorization process using OPA Sample “Hello World” policy Sample code for using OPA to secure Kubernetes Introduction to Cedar policy language Authorization process using Cedar Sample Cedar code Conclusion References 9. Implementing Immutable Infrastructure Introduction Structure Objectives Introduction to immutable infrastructure Differences between stateful and stateless applications Introducing Immutable Infrastructure Benefits of using immutable infrastructure Building a golden image Best practices for creating container golden image Virtual machine image source Virtual Machine Image update Virtual Machine Image builder Container Image source Container Image Builder Container registry Managing persistent data Managing environment variables Secrets management Creating deployment pipeline Implementing Immutable Infrastructure as part of the CI/CD pipeline CI/CD pipeline using AWS services CI/CD pipeline using Azure services CI/CD pipeline using GCP services CI/CD pipeline using vendor-agnostic tools Conclusion References 10. Encryption and Secrets Management Introduction Structure Objectives Introducing encryption and key management services Introducing key management services Best practices for securing key management services Introduction to AWS KMS Best practices for securing AWS KMS Introduction to Azure Key Vault Best practices for securing Azure Key Vault Introduction to Google Cloud KMS Best practices for securing Google Cloud KMS Introduction to secrets management in cloud-native applications Secrets management risks Best practices for securing secrets management services Introduction to AWS Secrets Manager Best practices for securing AWS Secrets Manager Secrets Management in Azure Best practices for securing secrets using Azure Key Vault Introduction to Google Secret Manager Best practices for securing secrets using Google Secret Manager Introduction to HashiCorp Vault Best practices for securing secrets using HashiCorp Vault Secrets management in Git repositories Secrets management in the CI/CD pipeline AWS CodeBuild Azure DevOps pipelines Google Cloud Build Secrets management in Containers Scanning for secrets inside Container images Securing access to secrets in Kubernetes Secrets management in Function-as-a-Service AWS Lambda Azure Functions Google Cloud Functions Secrets management in Infrastructure-as-Code Conclusion References 11. Threat Management in Cloud Native Applications Introduction Structure Objectives Vulnerability versus threat versus risk Introducing vulnerability management in Cloud-native applications Introduction to Amazon Inspector Amazon Inspector for Containers Amazon Inspector for Lambda Best practices for implementing Amazon Inspector Introduction to Microsoft Defender for Cloud Microsoft Defender for Containers Microsoft Defender for Cloud DevOps Security Best practices for implementing Microsoft Defender for Cloud Introducing GitHub advanced security for Azure DevOps Best practices for implementing GitHub Advanced Security for Azure DevOps Introducing Google vulnerability management services Best practices for implementing Google vulnerability management services Implementing threat intelligence at scale Introduction to Amazon GuardDuty Best practices for implementing Amazon GuardDuty Introducing Microsoft Sentinel Best practices for implementing Microsoft Sentinel Introducing Google Security Command Center Best practices for implementing Google Security Command Center Conclusion References 12. Summary and Key Takeaways Introduction Structure Objectives Introducing Pet Store Key takeaways from the book Chapter 1, Introduction to Cloud Native Applications: Key takeaways Chapter 2, Securing Modern Design Architectures: Key takeaways Chapter 3, Containers and Kubernetes for Cloud Native Applications: Key takeaways Chapter 4, Serverless for Cloud Native Applications: Key takeaways Chapter 5, Building Secure CI/CD Pipelines: Key takeaways Chapter 6, The 12-Factor Application Methodology: Key takeaways Chapter 7, Using Infrastructure as Code: Key takeaways Chapter 8, Authorization and Policy as Code: Key takeaways Chapter 9, Implementing Immutable Infrastructure: Key takeaways Chapter 10, Encryption and Secrets Management: Key takeaways Chapter 11, Threat Management in Cloud Native Applications: Key takeaways Recommendations for the readers of the book Gain hands-on experience Share knowledge with your peers Learn from experts Index