Chapter 3. Cloud-Based Lines of Defense for Web Application Security

In this chapter, you learn what lines of defense I highly recommend to fully protect web applications deployed in cloud environments. This discussion begins with the very outside edge of the cloud, which is where traffic enters the cloud environment from the internet. You can think of this as a boundary between the internet and the cloud resources deployed downstream. This discussion ends with the very inside edge, which you can think of as the very last line of defense before a web application is actually accessed by a user or attacker on the internet. All of the technologies discussed in this section make up the lines of defense in what I call the modern cloud edge.

Defensive Line 1: Edge Routers

Edge routers can often act as the first line of defense because they are fully capable of discarding unwanted traffic, given that they are processing it anyway. Organizations that either implement Border Gateway Protocol (BGP) FlowSpec on their own edge routers or work with cloud providers who do the same (offloading the downstream lines of defense) have found this to be the most effective way to use this line of defense against a range of attacks.

Although not always thought of in terms of security (because edge routers are often managed by network teams rather than security teams), as already mentioned, edge routers are fully capable of acting as the first line of defense for networks, websites, and applications. ...
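To make the FlowSpec mechanism concrete, here is an added example (not code from the book or from any router vendor) that encodes one discard rule the way it travels in a BGP UPDATE under RFC 8955: a FlowSpec NLRI carrying the match conditions, plus the traffic-rate extended community that tells the router what to do with matching packets. The rule itself is constructed for illustration: drop UDP packets to 203.0.113.10 on destination port 53 whose length exceeds 1200 bytes, which is the shape of rule a provider might push to its edge to absorb a reflection flood before it reaches downstream defenses. On a router the same rule would be written as a flow route with match and then clauses; this block shows what that configuration becomes on the wire.

```python
"""Encode a BGP FlowSpec (RFC 8955) rule of the kind an edge router or
upstream provider advertises to drop unwanted traffic at the edge.

Added, constructed example: the rule, addresses and helper names are
assumptions for illustration, not the book's or any vendor's code."""
import ipaddress
import struct

# Component types from RFC 8955 section 4.2 (only the ones used here).
DEST_PREFIX = 1
IP_PROTO = 3
DEST_PORT = 5
PKT_LEN = 10

# Numeric operator bits (RFC 8955 section 4.2.1.1).
OP_END = 0x80  # e bit: this is the last operator in the list
OP_LT = 0x04
OP_GT = 0x02
OP_EQ = 0x01

_OPS = {"==": OP_EQ, ">": OP_GT, "<": OP_LT, ">=": OP_GT | OP_EQ, "<=": OP_LT | OP_EQ}


def _numeric_op(op: str, value: int) -> bytes:
    """Encode a single numeric operator and its value, using the smallest
    value width (1, 2 or 4 bytes) the value fits in. Width is carried in
    bits 5-4 of the operator byte as log2 of the byte count."""
    if value < 0x100:
        width_bits, packed = 0b00, struct.pack("!B", value)
    elif value < 0x10000:
        width_bits, packed = 0b01, struct.pack("!H", value)
    else:
        width_bits, packed = 0b10, struct.pack("!I", value)
    # One-operator list, so the end-of-list bit is always set.
    return bytes([OP_END | (width_bits << 4) | _OPS[op]]) + packed


def _prefix_component(comp_type: int, cidr: str) -> bytes:
    """Type 1/2 component: type, prefix length in bits, then only as many
    address octets as the prefix length needs."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([comp_type, net.prefixlen]) + net.network_address.packed[:nbytes]


def encode_flowspec_nlri(dest: str, proto: int, dport: tuple, pkt_len: tuple) -> bytes:
    """Build the FlowSpec NLRI: a 1-byte length (valid for rules under 240
    bytes) followed by components in ascending type order, as RFC 8955
    requires. dport and pkt_len are (operator, value) pairs, e.g. (">", 1200)."""
    body = (
        _prefix_component(DEST_PREFIX, dest)
        + bytes([IP_PROTO]) + _numeric_op("==", proto)
        + bytes([DEST_PORT]) + _numeric_op(*dport)
        + bytes([PKT_LEN]) + _numeric_op(*pkt_len)
    )
    if len(body) >= 240:
        raise ValueError("rules of 240 bytes or more need the 2-byte length form")
    return bytes([len(body)]) + body


def traffic_rate_community(rate_bytes_per_sec: float, asn: int = 0) -> bytes:
    """Extended community 0x8006 'traffic-rate' (RFC 8955 section 7.1):
    2-byte type, 2-byte AS, 4-byte IEEE float. A rate of 0 means discard."""
    return struct.pack("!HHf", 0x8006, asn, rate_bytes_per_sec)


if __name__ == "__main__":
    # Constructed rule: drop UDP to 203.0.113.10 port 53 when the packet is
    # longer than 1200 bytes (documentation prefix, not a real target).
    nlri = encode_flowspec_nlri("203.0.113.10/32", 17, ("==", 53), (">", 1200))
    print("FlowSpec NLRI:   ", nlri.hex())
    print("traffic-rate 0:  ", traffic_rate_community(0).hex())
```

Two points a defender should keep in mind when reading this output. First, because a FlowSpec route can drop traffic for any destination it names, receiving routers are expected to apply the RFC 8955 validation rule, accepting a rule only from the neighbor that also originates the best unicast route for that destination, so a peer cannot black-hole prefixes it does not own. Second, the traffic-rate community with a non-zero value turns the same rule into a rate limit rather than a discard, which is often the safer first step when the match is broad.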
