DeepSec 2022 Talk: Protecting Your Web Application/API With CrowdSec – Klaus Agnoletti
Protecting your web applications and APIs is more important than ever. Especially these days, when one can deploy an application in the cloud, where everything but the application itself is a standardized component constantly updated for you by continuous patch processes, it is more evident than ever that the biggest risk lies in the code you produce yourself and expose to the internet.
But what are the risks? And how to mitigate them? And is it true that APIs don’t need to be secured as much as your website?
All competent security professionals know that there is no such thing as a silver bullet, so creating an AppSec program is unavoidable if you want to achieve a sufficient security posture.
But how do we handle the remaining risks?
CrowdSec is a FOSS security tool that can be used to address those (as well as many other) risks. I’ll show you how to achieve this without it costing an arm and a leg.
We asked Klaus Agnoletti a few more questions about his talk.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
After speaking to René Pfeiffer, who sees this as a big challenge, I was inspired to do a talk that both talks about governing AppSec and practically applies tools that can help you out and improve security.
Why do you think this is an important topic?
As cloud computing is gaining popularity, the primary thing you have to think about yourself these days is how to secure your own code, as everything else (OS, services, etc.) is being handled for you, depending, of course, on which types of cloud services you use. So as companies only have to think about the security of their own code, AppSec has gone from being important to imperative, since this is, by definition, your weakest link. This is where you run the code that the fewest eyes have looked at and tried to find holes in. Also, security vulnerabilities here most likely have a huge impact on your business.
Is there something you want everybody to know – some good advice for our readers maybe? (Except for “come to my talk”)
Security is really about communication: talking about why something is important and making other people understand that what is logical to you might not be as self-explanatory for others. It’s times like these we are reminded to understand and remember that nothing is hard if you know how to do it. And yes, come to my talk!
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
I see no indications that cloud computing will be used less in the future – on the contrary. So I will simply repeat that the part of a technology stack where there’s the biggest risk of screwing up and introducing vulnerabilities is the application layer, where your own code typically is. Especially since in cloud computing this is one of the few areas where you as a user have full control – and full authority to allow things to blow up in your face unless you prepare and reduce the risk of vulnerabilities in the application layer by having proper AppSec practices, procedures and tools.
Klaus Agnoletti has been an infosec professional since 2004. As a long-time active member of the infosec community in Copenhagen, Denmark, he co-founded BSides København in 2019. Currently, as Head of Community at CrowdSec, one of his roles is to spread the word and inspire an engaging community.