Securing Internet-Facing Portals

By: Aaron Mulgrew on May 4, 2020

Against the backdrop of the current pandemic, barely a day goes by without another portal or web application being launched to help citizens and customers interact with governments and corporations. Bringing these applications to market quickly, while ensuring they can’t compromise the security of the organization, requires DevOps to embrace new techniques and technologies. So, how best can DevOps ensure these applications don’t become a backdoor for the bad guys?


Additional Defensive Techniques

The OWASP Top Ten list of web application vulnerabilities does not include ensuring that uploaded documents and images are threat-free. Yet these uploads can be the Achilles’ heel of any internet-facing portal or application.

The primary vehicle for smuggling malware into an organization is documents and images. These are routinely embedded with malware, some basic, some extremely sophisticated, targeting the user or employee who eventually opens the uploaded document. Alternatively, the concealed malware can attack the portal itself, for example via a malformed document that exploits the parser.

This malware is sufficiently new and well-concealed that it repeatedly evades detection-based cyber defences and even modern AI technologies. Ensuring that what arrives via the portal is threat-free means finding additional defensive techniques that increase security without slowing down the application.

Best Practice

The UK’s NCSC has published essential guidelines for anyone charged with the security of an application that must accept documents and images from the internet. In its “Pattern: For Safely Importing Data,” the NCSC describes best practice for accepting documents from untrusted sources and recommends an approach called document transformation to ensure imported documents are threat-free.

Transformation is a mechanism whereby the essential business information is extracted from untrusted documents and images. The originals are then discarded, along with any embedded threats. The extracted business information is verified, and brand-new documents are created from it and formatted to match the originals.

Figure 1: Transformation engine.

Once documents have been through the transformation engine they are completely safe and can be used without any further security measures.
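As an added example (not code from the article, the NCSC or any vendor’s engine), here is the extract, verify and rebuild pattern applied in Python to one simple format, an uncompressed 24-bit BMP: only the dimensions and pixel rows are taken from the untrusted file, they are checked, and a fresh file is written without copying any header, padding or trailing bytes from the original. The `MAX_DIM` policy bound and the sample input are assumptions made for this example.

```python
import struct

FILE_HDR = "<2sIHHI"       # signature, file size, 2 reserved, pixel-array offset (14 bytes)
DIB_HDR = "<IiiHHIIiiII"   # BITMAPINFOHEADER (40 bytes)
MAX_DIM = 8192             # assumed policy bound on width/height; tune per application

def extract_pixels(data: bytes):
    """Steps 1 and 2: take only the business information (dimensions, pixel rows) from an
    untrusted 24-bit uncompressed BMP and verify it before any of it is trusted."""
    if len(data) < 54:
        raise ValueError("too short to be a BMP")
    sig, _, _, _, offset = struct.unpack_from(FILE_HDR, data, 0)
    hdr_size, width, height, planes, bpp, compression = struct.unpack_from("<IiiHHI", data, 14)
    if sig != b"BM" or hdr_size != 40 or planes != 1 or bpp != 24 or compression != 0:
        raise ValueError("not an uncompressed 24-bit BMP")
    if not (0 < width <= MAX_DIM and 0 < abs(height) <= MAX_DIM):
        raise ValueError("implausible dimensions")
    stride = (width * 3 + 3) & ~3            # rows are padded to a 4-byte boundary
    rows = []
    for r in range(abs(height)):
        start = offset + r * stride
        row = data[start:start + width * 3]  # padding bytes are deliberately not copied
        if len(row) != width * 3:
            raise ValueError("truncated pixel data")
        rows.append(bytes(row))
    return width, height, rows

def build_bmp(width: int, height: int, rows: list) -> bytes:
    """Step 3: emit a brand-new file from the verified pixels. Nothing from the original
    byte stream (headers, padding, trailing data) is copied, so anything hidden there is gone."""
    stride = (width * 3 + 3) & ~3
    pad = b"\x00" * (stride - width * 3)
    pixels = b"".join(row + pad for row in rows)
    dib = struct.pack(DIB_HDR, 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return struct.pack(FILE_HDR, b"BM", 54 + len(pixels), 0, 0, 54) + dib + pixels

def transform(data: bytes) -> bytes:
    """The transformation engine for this one format: extract, verify, rebuild."""
    return build_bmp(*extract_pixels(data))

def make_untrusted_sample() -> bytes:
    """Constructed input: a valid 2x2 image whose row padding carries non-zero bytes and
    which has extra data appended after the pixel array, two places where payloads hide."""
    rows = [b"\xff\x00\x00\x00\xff\x00", b"\x00\x00\xff\xff\xff\xff"]
    pixels = b"".join(r + b"\xaa\xbb" for r in rows)  # junk in the 2 padding bytes
    trailer = b"<constructed trailer, not part of the image>"
    dib = struct.pack(DIB_HDR, 40, 2, 2, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    hdr = struct.pack(FILE_HDR, b"BM", 54 + len(pixels) + len(trailer), 0, 0, 54)
    return hdr + dib + pixels + trailer
```

A real engine does the same for every accepted format (PDF, Office, JPEG and so on) with a full decoder per format; a malformed file that fails the verify step is rejected rather than passed through.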

“Baked-in” Security Controls

For the AppSec manager, transformation is a great approach to promote across DevOps teams. It can be accessed via cloud APIs, and it adds an additional layer of security, conformant with security best practices, that helps ensure web applications and portals don’t become a backdoor for malware infiltration.

Figure 2: Uploading a Document via an API.

Developers need a choice of transformation APIs, depending on the nature of the particular application. For example, some applications will require a simple upload/download API to transform a file, while other applications will need APIs capable of handling more complex tasks, such as event-driven workflows or moving files between different storage buckets.

Figure 3: AWS Flow Using S3 API.

Head Start

The demand for web applications that accept uploaded documents into portals is only going to increase, and with it the risk of compromise from concealed malware. The good news is that any DevSecOps professional building a web application or portal that must accept documents and images from the internet already has a head start on building securely if they are using a serverless architecture.

From a security perspective, the alternative to serverless architectures, machine images in the cloud, carries the risk that if malware succeeds in compromising the machine, it remains compromised thereafter. With a serverless, cloud-native architecture there is no residual machine and, therefore, little residual risk.

Another key point in favor of building on a serverless cloud-native computing model is that it devolves the responsibility of patching to the service provider. It is widely understood that unpatched systems are one of the main causes of cybersecurity breaches. Serverless architectures enable the developer to shift operational responsibilities and routine security tasks, such as patching, maintenance and upgrades, to their service provider. 

The current pandemic has turbo-charged the demand for internet-facing portals and with it the risk of malware infiltration via uploaded documents and images. For developers, that means finding new defensive techniques like transformation that can be quickly and easily baked into the code to ensure uploads are threat-free.
