RUNTIME.md

September 2, 2023 ยท View on GitHub

The Software Supply Chain Stages

PeopleLocal ReqsSource CodeIntegrationDeploymentRuntimeHardwareDNSServicesCloud
DevelopersIDELanguagesSCM providersBuild solutionsServersEmbedded PCURLSaaS solutionsCDN
QA teamSCVFrameworksPull requestsDeployment platformsOperating systemsPCBhostnameThird party APIsCloud services
DevOps teamLocal testsLibrariesSecrets mgmtReleasesWebserversUSB donglePayment gateways
Package MaintainersGit reposPackage ManagersGit reposFunctional testsApplication serversGPU/CPUIdentity Providers
Page BuildersPackagesSecurity testsWeb enginesAnalytics
Open sourceAPI test frameworksDatabasesProxies
Proprietary CodeUnit tests
PeopleLocal ReqsSource CodeIntegrationDeploymentRuntimeHardwareDNSServicesCloud

Runtime

The web application runtime is the environment in which a web application is executed. It typically includes the web server, the application server, and other necessary components such as databases, messaging systems, and caching mechanisms. The runtime is responsible for managing the application's resources, handling incoming requests, and returning responses to users.

What's in scope

  • Operating systems
  • Webservers
  • Application servers
  • Content management systems
  • Web runtime engines
  • Databases
  • Containers, AMIs & golden images

Examples

Operating systems

Webservers

Application servers

Content management systems

Clarity, Kentico, Sharepoint, Adobe Experience Manager

Web runtime

Node.js, WebKit, Chrome, V8

Databases

Containers, AMIs & Golden Images

Who owns it?

  • CloudOps team
  • Operations teams

Security concerns with runtime components?

  • Traditional concerns around server security: patching, firewalls, user access, etc
  • Container origin is a huge concern as Docker hub and container registries are prime areas for dependency attacks
  • Runtime components have multiple layers of user access controls to worry about
  • Golden images and AMIs don't age well, and are often "pinned" in launch

How do I secure it?

  • Centralized logging
  • SIEM
  • Intrusion detection/prevention
  • OS hardening
  • Web appliation firewall
  • Container scanning
  • IaC scans