Red Hat Summit 2018: Develop Secure Apps and Services

Red Hat Summit 2018 will focus on modern application development. A critical part of modern application development is of course securing your applications and services. Things were challenging when you only needed to secure a single monolithic application. In a modern application landscape, you’re probably looking at building microservices and possibly exposing application services and APIs outside the boundaries of your enterprise. In order to deploy cloud-native applications and microservices you must be able to secure them. You might be faced with the challenge of securing both applications and back-end services accessed by mobile devices while using third party identity providers like social networks. Fortunately, Red Hat Summit 2018 has a number of developer-oriented sessions where you can learn how to secure your applications and services, integrate single-sign on, and manage your APIs. Session highlights include:

Red Hat Summit 2018 security sessions for developers

I’m a developer. What do I need to know about security?

Speakers: Gordon Haff, Jennifer Krieger

Abstract: As DevOps breaks down traditional silos, fewer and fewer things are exclusively “someone else’s problem.” Everyone should have some knowledge of good security practices, to give just one example. In this interactive session, we’ll delve into security topics like common problem areas, shifting security left, automation, and more. We’ll answer questions like:

  • How can you make containers secure?
  • What is the low hanging fruit and what are good things to start with?
  • How can people who aren’t traditional security professionals engage with those who are?
  • How will new open source projects like Istio change things?

Bring your questions to learn from Red Hat experts and from each other.


Securing apps and services with Red Hat Single Sign-On

Speakers: Stian Thorgersen, Sébastien Blanc

Abstract: If you have a number of applications and services, the applications may be HTML5, server-side, or mobile, while the services may be monolithic or microservices, deployed on-premise or to the cloud. You may have started looking at using a service mesh. Now, you need to easily secure all these applications and services.

Securing applications and services is no longer just about assigning a username and password. You need to manage identities. You need two-factor authentication. You need to integrate with legacy and external authentication systems. Your list of other requirements may be long. But you don’t want to develop all of this yourself—nor should you.

In this session, we’ll demonstrate how to easily secure all your applications and services—regardless of how they’re implemented and hosted—with Red Hat single sign-on. After this session, you’ll know how to secure your HTML5 application or service, deployed to a service mesh and everything in between. Once your applications and services are secured with Red Hat single sign-on, you’ll know how to easily adopt single sign-on, two-factor authentication, social login, and other security capabilities.


Securing service mesh, microservices, and modern applications with JSON Web Token (JWT)

Speakers: Stian Thorgersen, Sébastien Blanc

Abstract: Sharing identity and authorization information between applications and services should be done with an open industry standard to ensure interoperability in heterogeneous environments. JSON Object Signing and Encryption (JOSE) is a framework for securely sharing such information between heterogeneous applications and services.

In this session, we’ll cover the specifications of the JOSE framework, focusing especially on JSON Web Token (JWT). We’ll discuss practical applications of the JOSE framework, including relevant specifications, such as OpenID Connect. After this session, you’ll have an understanding of the specifications and how to easily adopt them using Red Hat single sign-on or another OpenID Connect provider.
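The abstract above describes JOSE and JWT in outline. The following is an added example, written for this page and not code from the session, from Red Hat single sign-on, or from any JOSE library: it mints a JWT with an HS256 signature and verifies it the way a resource server behind an OpenID Connect provider should, pinning the algorithm (so an `"alg": "none"` token is refused), comparing the signature in constant time, and checking `exp`, `nbf` and `aud`. The secret, issuer URL, claims and audience names are all constructed for the demo. HS256 is used so the block runs offline with only the standard library; an OpenID Connect provider such as Red Hat single sign-on normally issues RS256-signed tokens, which a service verifies with the public key published at the provider's JWKS endpoint, and the same checks apply there.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret for the HS256 example. A real service would hold a
# key shared with its OpenID Connect provider, or (for RS256) fetch the
# provider's public key from its JWKS endpoint.
DEMO_KEY = b"constructed-demo-secret-do-not-use"


def b64url_encode(data: bytes) -> str:
    """JOSE base64url: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding Python's decoder expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact JWS (the JWT serialization) with an HS256 signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":"), sort_keys=True).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()),
    ]
    signing_input = ".".join(segments).encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [b64url_encode(signature)])


def verify_jwt(token: str, key: bytes, audience: str, now: Optional[int] = None) -> dict:
    """Validate signature, algorithm, time window and audience; return the claims."""
    if now is None:
        now = int(time.time())
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the verifier side. Trusting the token's own "alg"
    # is what makes the classic "alg": "none" bypass possible.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    if claims.get("nbf", 0) > now:
        raise ValueError("token not yet valid")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        raise ValueError("audience mismatch: token is not for %s" % audience)
    return claims


def rejection_reason(token: str, key: bytes, audience: str, now: Optional[int] = None) -> Optional[str]:
    """Return None when the token verifies, otherwise the reason it was rejected."""
    try:
        verify_jwt(token, key, audience, now)
        return None
    except ValueError as exc:
        return str(exc)


def forge_alg_none(token: str) -> str:
    """Build the 'alg: none' variant of a token (an attack, used here to show it is rejected)."""
    _, payload_b64, _ = token.split(".")
    header_b64 = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return f"{header_b64}.{payload_b64}."


if __name__ == "__main__":
    # Constructed claims in the shape an OpenID Connect provider would issue.
    claims = {"iss": "https://sso.example/auth/realms/demo", "sub": "alice",
              "aud": "orders-api", "iat": 1000, "exp": 4000}
    token = sign_jwt(claims, DEMO_KEY)
    print("accepted:", verify_jwt(token, DEMO_KEY, "orders-api", now=2000)["sub"])
    print("alg none:", rejection_reason(forge_alg_none(token), DEMO_KEY, "orders-api", now=2000))
    print("expired: ", rejection_reason(token, DEMO_KEY, "orders-api", now=5000))
    print("wrong aud:", rejection_reason(token, DEMO_KEY, "billing-api", now=2000))
```

The verifier never reads the algorithm from the token to decide how to check it, and it treats a missing `exp` or `aud` as a rejection rather than a pass; both are the points where hand-rolled JWT validation most often goes wrong. Run with a real provider, the same function would take the provider's key instead of `DEMO_KEY` and check `iss` against the expected issuer URL as well.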


Red Hat API management: Overview, security models, and roadmap

Speakers: Nicolas Masse, Mark Cheshire

Abstract: In this session, you’ll learn a framework to evaluate different API security models—including API keys, mutual SSL certificates, and OpenID Connect—and how to choose the right one for your architecture needs. We’ll demonstrate applying API access controls to different real-world scenarios. Finally, we’ll share a preview of the roadmap for Red Hat 3scale API Management.


Best practices for securing the container life cycle

Speakers: Laurent Domb, Kirsten Newcomer

Abstract: IT organizations are using container technology and DevOps processes to bring new-found agility to delivering applications that create business value. However, enterprise use requires strong security at every stage of the life cycle. Nothing is secure by default—security takes work. You need defense in depth. Red Hat delivers multiple layers of security controls throughout your applications, infrastructure, and processes to help you minimize security risks.

In this session, Red Hat’s Laurent Domb and Kirsten Newcomer will identify the 10 most common layers in a typical container deployment and deliver a deep-dive on best practices for securing containers through the CI/CD process, including verifying container provenance, creating security gates and policies, and managing updates to deployed containers.


Distributed API management in a hybrid cloud environment

Speakers: Thomas Siegrist (Swiss Federal Railways), Christian Sanabria (IPT), Christoph Eberle (Red Hat)

Abstract: Swiss Railways operates a substantial Red Hat OpenShift hybrid cloud installation, hosting many thousand containers. Introducing microservices at scale and moving to hybrid container infrastructures introduces a new set of challenges. What about security, life cycle, dependencies, governance, and self-service with thousands of services on a hybrid environment?

To handle the enormous growth of APIs, an API management platform based on 3scale by Red Hat on-premise and Red Hat single sign-on (SSO) was built, integrating internal and external IdPs. The solution is portable, scalable, and highly available, and all processes are automated and available as self service. The platform is in production, serving multiple critical internal and external APIs targeting 100K+ API calls per second.

In this session, you will learn about the benefits of building a fully automated self-service API management and SSO platform in a distributed, hybrid environment, how we approached the project, what challenges we faced, and how we solved them.


DevSecOps with disconnected Red Hat OpenShift

Speakers: Mike Battles (Red Hat), Chase Barrette (MITRE Corporation), Stuart Bain (Red Hat), Jeremy Sontag (Red Hat)

Abstract: MITRE and Red Hat Consulting worked together with the U.S. Air Force Program Management Office to develop a system that fulfills the mission requirements of a containerized DevSecOps platform. Using an Infrastructure-as-Code model, the team was able to produce a self-contained, bootable DVD that automates the installation of Red Hat OpenShift Container Platform and related components, with the following characteristics:

  • Dev—Replicable, consistent runtime environment across multiple sites. Extends native deployment pipeline functionality to support development through production via air-gapped, secure environments.
  • Sec—Secured out of the box via automation and hardening tools to comply with U.S. Government security baselines, STIG, and FIPS requirements via OpenSCAP and Red Hat Ansible Automation. STIG-compliant reference configurations for Red Hat JBoss EAP, Red Hat JBoss AMQ, and PostgreSQL.
  • Ops—Fully autonomous installation of Red Hat OpenShift, Red Hat CloudForms, container-native storage with Red Hat Gluster Storage, and Red Hat Enterprise Linux into a bare metal or virtual environment.

OpenShift + Single sign-on = Happy security teams and happy users

Speakers: Dustin Minnich, Josh Cain, Jared Blashka, Brian Atkisson

Abstract: One username and password to rule them all.

In this lab, we’ll discuss and demonstrate single sign-on technologies and how to implement them using Red Hat products. We’ll take you through bringing up an OpenShift cluster in a development environment, installing Red Hat single sign-on on top of it, and then integrating that with a variety of example applications.


Shift security left—and right—in the container life cycle

Speakers: Siamak Sadeghianfar, Kirsten Newcomer

Abstract: The black hat hackers of the world are making the internet a challenging place and have forced all of us to spend a tremendous amount of time securing our systems and apps. In this BOF, join Red Hat and partners AquaSecurity, Black Duck, Sonatype, and Twistlock for a conversation about shifting security left—and right—in the container life cycle. If you aren’t familiar with the shift-left principle, attend the session to find out how it helps you to improve container security.


Don’t miss Red Hat Summit 2018

Red Hat Summit 2018 is May 8th – 10th in San Francisco, CA at the Moscone Center. Register early to save on a full conference pass.
