This document helps you identify Google Cloud products and mitigation strategies that can help you defend against common application-level attacks that are outlined in the OWASP Top 10. The OWASP Top 10 is a list by the Open Web Application Security Project (OWASP) Foundation of the top 10 security risks that every application owner should be aware of. Although no security product can guarantee full protection against these risks, applying these products and services where they make sense in your architecture can contribute to a strong multi-layer security solution.
Google infrastructure is designed to help you build, deploy, and operate services in a secure way. Physical and operational security, data encryption at rest and in transit, and many other important facets of a secure infrastructure are managed by Google. You inherit these benefits by deploying your applications to Google Cloud, but you might need to take additional measures to protect your application against specific attacks.
The mitigation strategies listed in this document are sorted by application security risk and Google Cloud product. Many products play a role in creating a defense-in-depth strategy against web security risks. This document provides information about how other products can mitigate OWASP Top 10 risks, but it provides additional detail about how Google Cloud Armor and Apigee can mitigate a wide range of those risks. Google Cloud Armor, acting as a web application firewall (WAF), and Apigee, acting as an API gateway, can be especially helpful in blocking different kinds of attacks. These products are in the traffic path from the internet and can block external traffic before it reaches your applications in Google Cloud.
Product overviews
The Google Cloud products listed in the following table can help defend against the top 10 security risks:
Product | Summary | A01 | A02 | A03 | A04 | A05 | A06 | A07 | A08 | A09 | A10 |
---|---|---|---|---|---|---|---|---|---|---|---|
Access Transparency | Expand visibility and control over your cloud provider with admin access logs and approval controls | ✓ | ✓ | ||||||||
Artifact Registry | Centrally stores artifacts and build dependencies | ✓ | |||||||||
Apigee | Design, secure, and scale application programming interfaces | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
Binary Authorization | Ensure only trusted container images are deployed on Google Kubernetes Engine | ✓ | ✓ | ||||||||
Google Security Operations | Automatically find threats in real time and at scale using Google's infrastructure, detection techniques, and signals | ✓ | |||||||||
Cloud Asset Inventory | View, monitor, and analyze all your Google Cloud and Google Distributed Cloud or multi-cloud assets across projects and services | ✓ | ✓ | ✓ | ✓ | ||||||
Cloud Build | Build, test, and deploy in Google Cloud | ✓ | |||||||||
Sensitive Data Protection | Discover, classify, and protect your most sensitive data | ✓ | ✓ | ✓ | |||||||
Cloud Load Balancing | Control which ciphers your SSL proxy or HTTPS load balancer negotiates | ✓ | ✓ | ✓ | ✓ | ||||||
Cloud Logging | Real-time log management and analysis at scale | ✓ | |||||||||
Cloud Monitoring | Collect and analyze metrics, events, and metadata from Google Cloud services and a wide variety of applications and third-party services | ✓ | |||||||||
Cloud Source Repositories | Store, manage, and track code in a single place for your team | ✓ | |||||||||
Container Threat Detection | Continuously monitor the state of container images, evaluate all changes, and monitor remote access attempts to detect runtime attacks in near-real time | ✓ | ✓ | ||||||||
Event Threat Detection | Monitor your organization's Cloud Logging stream and detect threats in near-real time | ✓ | ✓ | ✓ | |||||||
Google Cloud Armor | A web application firewall (WAF) deployed at the edge of Google's network to help defend against common attack vectors | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
Google Cloud security bulletins | The latest security bulletins related to Google Cloud products | ✓ | |||||||||
Identity-Aware Proxy (IAP) | Use identity and context to guard access to your applications and VMs | ✓ | ✓ | ✓ | |||||||
Identity Platform | Add identity and access management functionality to applications, protect user accounts, and scale identity management | ✓ | ✓ | ||||||||
Cloud Key Management Service | Manage encryption keys on Google Cloud | ✓ | ✓ | ||||||||
reCAPTCHA | Help protect your website from fraudulent activity, spam, and abuse | ✓ | |||||||||
Secret Manager | Store API keys, passwords, certificates, and other sensitive data | ✓ | ✓ | ||||||||
Security Command Center | Centralized visibility for security analytics and threat intelligence to surface vulnerabilities in your applications | ✓ | |||||||||
Security Health Analytics (SHA) | Generate vulnerability findings that are available in Security Command Center | ✓ | ✓ | ✓ | ✓ | ||||||
Titan Security Keys | Help protect high-value users with phishing-resistant 2FA devices that are built with a hardware chip (with firmware engineered by Google) to verify the integrity of the key | ✓ | |||||||||
Virtual Private Cloud firewalls | Allow or deny connections to or from your virtual machine (VM) instances | ✓ | |||||||||
VPC Service Controls | Isolate resources of multi-tenant Google Cloud services to mitigate data exfiltration risks | ✓ | ✓ | ||||||||
VirusTotal | Analyze suspicious files and URLs to detect types of malware; automatically share them with the security community | ✓ | ✓ | ||||||||
Web Security Scanner | Generate vulnerability finding types that are available in Security Command Center | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
A01: Broken access control
Broken access control refers to access controls that are only partially enforced on the client side, or weakly implemented. Mitigating these controls often requires a rewrite on the application side to properly enforce that resources are accessed only by authorized users.
Apigee
Use case:
- Access control enforcement
- Limit data manipulation
Apigee supports a layered approach to implementing access controls that keeps bad actors from making unauthorized changes or accessing the system.
Configure role-based access control (RBAC) to only allow users access to the functionality and configuration that they need. Create encrypted key value maps to store sensitive key-value pairs, which appear masked in the Edge UI and in management API calls. Configure single sign-on with your company's identity provider.
Configure developer portals to show specific API products according to user role. Configure the portal to show or hide content based on user role.
Cloud Asset Inventory
Use case:
- Monitor for unauthorized IT (also known as "shadow IT")
- Outdated compute instances
One of the most common vectors for data exposure is orphaned or unauthorized IT infrastructure. Set up real-time notifications to alert you to unexpected running resources, which might be improperly secured or running outdated software.
Cloud Load Balancing
Use case:
- Fine-grained SSL and TLS cipher control
Prevent the use of weak SSL or TLS ciphers by assigning a predefined group or custom list of ciphers that Cloud Load Balancing can use.
Google Cloud Armor
Use case:
- Filter cross-origin requests
- Filter local or remote file inclusion attacks
- Filter HTTP parameter pollution attacks
Many cases of broken access control cannot be mitigated by using a web application firewall, because applications don't require or don't properly check access tokens for every request, and data can be manipulated client side. Multiple Juice Shop challenges relate to broken access control. For example, posting feedback in another user's name exploits the fact that some requests are not authenticated server side. As the challenge solution shows, the exploit for this vulnerability is completely client-side and therefore cannot be mitigated by using Google Cloud Armor.
Some challenges can be partially mitigated server side if the application cannot be immediately patched.
For example, if cross-site request forgery (CSRF) attacks are possible because your web server implements cross-origin resource sharing (CORS) poorly, as demonstrated in the CSRF Juice Shop challenge, you can mitigate this issue by blocking requests from unexpected origins altogether with a custom rule. The following rule matches all requests with origins other than example.com and google.com:
```
has(request.headers['origin']) &&
!((request.headers['origin'] == 'https://example.com') ||
  (request.headers['origin'] == 'https://google.com'))
```
When traffic that matches such a rule is denied, the solution for the CSRF challenge stops working.
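To see which requests the origin rule above would match before you enforce it, here is an added Python emulation of the expression's logic; it is not Cloud Armor code, and the sample requests and the `ALLOWED_ORIGINS` set are constructed for this example.

```python
"""Local emulation of the Cloud Armor custom-rule expression shown above.

Mirrors the logic of
    has(request.headers['origin']) &&
    !((request.headers['origin'] == 'https://example.com') ||
      (request.headers['origin'] == 'https://google.com'))
so you can preview which requests a deny rule built on it would block.
"""
from typing import Iterable, Mapping

# Constructed allowlist; substitute your own origins.
ALLOWED_ORIGINS = frozenset({"https://example.com", "https://google.com"})


def origin_rule_matches(headers: Mapping[str, str]) -> bool:
    """Return True when the deny rule would fire for this request.

    Header names are lowercased here to mirror the lowercase key in the rule;
    the value comparison is an exact string match, so scheme, host and port
    must all agree with an allowlisted origin.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if "origin" not in lowered:  # has(request.headers['origin']) is false
        return False
    return lowered["origin"] not in ALLOWED_ORIGINS


def evaluate(requests: Iterable[dict]) -> dict:
    """Apply the rule to a batch of requests; returns name -> 'deny' or 'allow'."""
    return {r["name"]: ("deny" if origin_rule_matches(r["headers"]) else "allow")
            for r in requests}


# Constructed sample traffic, not captured data.
SAMPLE_REQUESTS = [
    {"name": "same-origin-post", "headers": {"Origin": "https://example.com"}},
    {"name": "no-origin-get",    "headers": {"User-Agent": "curl/8.0"}},
    {"name": "attacker-site",    "headers": {"Origin": "https://evil.example"}},
    {"name": "lookalike-host",   "headers": {"Origin": "https://example.com.evil.example"}},
    {"name": "http-not-https",   "headers": {"Origin": "http://example.com"}},
    {"name": "null-origin",      "headers": {"Origin": "null"}},
]

if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLE_REQUESTS).items():
        print(f"{name:18} -> {verdict}")
```

Requests that carry no Origin header are not matched at all, while a browser that sends `Origin: null` (for example from a sandboxed frame) is denied, so review your own traffic for both cases before switching the rule from preview to deny.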
The basket manipulation challenge uses HTTP parameter pollution (HPP); you can see how the shop is attacked this way by following the challenge solution.
HPP is detected as part of the protocol attack rule set. To help block this kind of attack, use the following rule:
```
evaluatePreconfiguredExpr('protocolattack-stable')
```
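An added, simplified HPP check run over constructed requests, to show what the preconfigured rule set is looking for: the same parameter name supplied more than once so that front end and back end can disagree about its value. It is not Cloud Armor's protocolattack rule set, which uses its own signatures, and the sample paths and bodies are constructed here.

```python
"""Simplified HTTP parameter pollution (HPP) detector for constructed requests."""
from collections import Counter
from typing import List, Tuple
from urllib.parse import parse_qsl, urlsplit


def polluted_params(url: str, body: str = "") -> List[str]:
    """Return parameter names that occur more than once across the query
    string and a form-encoded body (a name repeated in both also counts)."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    counts = Counter(name for name, _ in pairs)
    return sorted(name for name, n in counts.items() if n > 1)


def scan(requests: List[Tuple[str, str, str]]) -> List[Tuple[str, List[str]]]:
    """Run the check over (method, url, body) tuples and return the hits
    as (url, duplicated parameter names)."""
    hits = []
    for _method, url, body in requests:
        names = polluted_params(url, body)
        if names:
            hits.append((url, names))
    return hits


# Constructed sample traffic; paths and values are illustrative only.
SAMPLE = [
    ("GET",  "/rest/basket/1?q=apple", ""),
    ("POST", "/api/BasketItems", "BasketId=1&ProductId=3&quantity=1"),
    ("POST", "/api/BasketItems", "BasketId=1&ProductId=3&quantity=1&quantity=-5"),
    ("GET",  "/api/BasketItems?BasketId=2&BasketId=1", ""),
    ("POST", "/api/BasketItems?quantity=1", "quantity=9"),
]

if __name__ == "__main__":
    for url, names in scan(SAMPLE):
        print(f"HPP suspected on {url}: duplicated {', '.join(names)}")
```

A negative quantity smuggled in as a second `quantity` value is exactly the kind of disagreement the basket challenge relies on, which is why the duplicate itself, not its value, is the signal.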
Identity-Aware Proxy and Context-Aware Access
Use case:
- Centralized access control
- Works with cloud and on-premises
- Protects HTTP and TCP connections
- Context-Aware Access
IAP lets you use identity and context to form a secure authentication and authorization wall around your application. Prevent broken authorization or access control to your public-facing application with a centrally managed authentication and authorization system built on Cloud Identity and IAM.
Enforce granular access controls to web applications, VMs, Google Cloud APIs, and Google Workspace applications based on a user's identity and the context of the request without the need for a traditional VPN. Use a single platform for both your cloud and on-premises applications and infrastructure resources.
Security Health Analytics
Use case:
- MFA or 2FA enforcement
- API key protection
- SSL policy monitoring
Prevent broken access control by monitoring for multi-factor authentication compliance, SSL policy, and the health of your API keys.
Web Security Scanner
Use case:
- Repositories exposed to the public
- Insecure request header validation
Web Security Scanner scans your web applications for vulnerabilities, such as publicly visible code repositories and misconfigured validation of request headers.
A02: Cryptographic failures
Cryptographic failures can happen because of missing or weak encryption in transit, or because sensitive data is accidentally exposed. Attacks against those vulnerabilities are usually specific to the application and therefore need a defense-in-depth approach to mitigate.
Apigee
Use case:
- Protect sensitive data
Use one-way and two-way TLS to guard sensitive information at the protocol level.
Use policies such as Assign Message policy and JavaScript policy to remove sensitive data before it's returned to the client.
Use standard OAuth techniques and consider adding HMAC, hash, state, nonce, PKCE, or other techniques to improve the level of authentication for each request.
Mask sensitive data in the Edge Trace tool.
Encrypt sensitive data at rest in key value maps.
Cloud Asset Inventory
Use case:
- Search service
- Access analyzer
One of the most common vectors for data exposure is orphaned or unauthorized IT infrastructure. You can identify servers that nobody is maintaining and buckets with over-broad sharing rules by analyzing the cloud asset time series data.
Set up real-time notifications to alert you to unexpected provisioning of resources which might be improperly secured or unauthorized.
Cloud Data Loss Prevention API (part of Sensitive Data Protection)
Use case:
- Sensitive data discovery and classification
- Automatic data masking
The Cloud Data Loss Prevention API (DLP API) lets you scan for any potentially sensitive data stored in buckets or databases to prevent unintended information leakage. If disallowed data is identified, it can be automatically flagged or redacted.
Cloud Key Management Service
Use case:
- Secure cryptographic key management
Cloud Key Management Service (Cloud KMS) helps to prevent potential exposure of your cryptographic keys. Use this cloud-hosted key management service to manage symmetric and asymmetric cryptographic keys for your cloud services the same way that you do on-premises. You can generate, use, rotate, and destroy AES256, RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 cryptographic keys.
Cloud Load Balancing
Use case:
- Fine-grained SSL and TLS cipher control
SSL policies can help prevent sensitive data exposure by giving you control over the SSL and TLS features and ciphers that are allowed in a load balancer. Block unapproved or insecure ciphers as needed.
Google Cloud Armor
Use case:
- Filter known attack URLs
- Restrict sensitive endpoint access
In general, sensitive data exposure should be stopped at the source, but because every attack is application specific, web application firewalls can only be used in a limited way to stop data exposure broadly. However, if your application can't be immediately patched, you can restrict access to vulnerable endpoints or request patterns by using Google Cloud Armor custom rules.
For example, several Juice Shop challenges about sensitive data exposure can be exploited due to insecure directory traversal and null byte injection attacks. You can mitigate these injections by checking for the strings in the URL with the following custom expression:
request.path.contains("