
How to get started with PaaS in Heroku, IBM Bluemix, and Pivotal

Phillip Maddux

Your friendly neighborhood AppSec advisor and honeypot enthusiast. Formerly @ Goldman Sachs and Ernst & Young. Find his thoughts in code form committed to GitHub.

If you work in Information Technology, you are no doubt well aware of the shift to the cloud. Startups exist in the cloud because it makes complete sense from a tactical and strategic standpoint to do so. Tactically, startups can get off the ground at low cost, with minimal administration overhead, and can easily scale out as they grow. Even large enterprises are realizing the cost and management benefits of migrating from their datacenters to the cloud. This trend is nothing new, and the pace of cloud adoption is picking up significant speed.

In my role as a Sales Engineer at Signal Sciences, I’ve had the opportunity to develop solutions for deploying the Signal Sciences’ Web Protection Platform on various cloud PaaS offerings. In this post I’d like to share some of the Docker containers to bootstrap development and testing for three popular PaaS offerings: Heroku, Pivotal and IBM Bluemix. If you are curious about deploying on cloud platforms, or just getting started, then these will jumpstart your efforts. For each platform there is an open-source example I provide along with some starting instructions.

Who Should Continue Reading?

Anyone, of course! This post will be particularly helpful to anybody who just wants to get familiar with PaaS cloud offerings. If you're an IT practitioner, developer, or information security practitioner and haven’t experimented with PaaS, now is your chance. I strongly urge the security folks (especially application security) to become familiar with PaaS platforms. You need to sharpen your skills and knowledge of these platforms to keep up with the evolving technology and development cycles. Why, you may ask? Watch Rich Mogull’s presentation entitled “Tidal Forces: The Changes Ripping Apart Security as We Know it” if you haven’t already.

As a technical note, to use the tools provided you should be familiar with using Git and Docker, and have both installed.

A Light Overview of Cloud Offerings

For any readers who may be new to the cloud, the offerings from providers can get confusing fairly quickly. The common terms you will see and hear are Infrastructure as a Service (IaaS), containers, and Platform as a Service (PaaS). Note that some may consider “containers” a type of PaaS offering. If you’d like to dive deeper on these topics, see Service models on Wikipedia. And if you really want to go further, get familiar with the various Deployment models as well. However, the goal of this section is to keep it light, so I just want to provide a mapping of the cloud terms above to product names from the major cloud providers. You will find this useful when trying to navigate all the different service offerings.

Figure: Cloud offerings (IaaS, containers, PaaS) by provider and product name.

Jumping Into the PaaS Cloud

OK, let’s jump straight to it. PaaS solutions make it easy to get started: you can set up a free account, and they provide sample applications to get you going with your first deploy. The three primary PaaS solutions, IBM Bluemix, Pivotal Web Services (PWS), and Heroku, use a concept called buildpacks. A buildpack is a set of scripts that automatically sets up the environment for the language you select. For example, to deploy a PHP application you would select the PHP buildpack. All you have to worry about is the application code itself.
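The detect step behind that selection, sketched as an added example (not code from the original post or from any of the three platforms): each buildpack's detect script inspects the app directory, and the platform uses the first one that accepts it. The marker files and the buildpack order below are simplified assumptions.

```shell
#!/bin/sh
# Simplified model of the buildpack "detect" phase (added illustration).
# Marker files and buildpack order are assumptions for this demo, not the
# exact rules used by Heroku, Bluemix, or PWS.

# Each detect_* function stands in for one buildpack's detect script:
# it receives the app directory, prints a name, and returns 0 on a match.
detect_nodejs() { [ -f "$1/package.json" ] && echo "Node.js"; }
detect_python() { [ -f "$1/requirements.txt" ] && echo "Python"; }
detect_php()    { { [ -f "$1/composer.json" ] || [ -f "$1/index.php" ]; } && echo "PHP"; }

# Platform side: try each buildpack in order; the first match wins.
select_buildpack() {
    app_dir=$1
    for bp in nodejs python php; do
        if name=$("detect_$bp" "$app_dir"); then
            echo "$name"
            return 0
        fi
    done
    echo "none"
    return 1
}

# Every buildpack that would accept the app. More than one entry means the
# result of select_buildpack depends purely on ordering.
matching_buildpacks() {
    app_dir=$1
    matches=""
    for bp in nodejs python php; do
        if name=$("detect_$bp" "$app_dir"); then
            matches="${matches:+$matches,}$name"
        fi
    done
    echo "$matches"
}

# Constructed sample: a PHP app that also ships package.json for front-end assets.
demo=$(mktemp -d)
touch "$demo/composer.json" "$demo/package.json"
echo "selected: $(select_buildpack "$demo")  candidates: $(matching_buildpacks "$demo")"
rm -rf "$demo"
```

When more than one buildpack matches, name the buildpack explicitly (for example with `cf push -b` on Cloud Foundry platforms or `heroku buildpacks:set` on Heroku) instead of relying on detection order.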

For each PaaS solution below I’ll provide a brief description and a container that sets up the tooling needed to get started. These really are simple containers, and they are convenient to spin up when you want to work with any PaaS solution. One advantage to using these containers is you don’t have to pollute your computer with a bunch of tools or dependencies.

IBM Bluemix

IBM Bluemix is based on the Cloud Foundry platform. Languages or frameworks supported on this platform are PHP, Go, Ruby, Node.js, Python, Liberty for Java, Tomcat, .NET, and Swift. To get up and running with Bluemix, sign up for an account at https://bluemix.com, and then run the following commands:

git clone https://github.com/foospidy/DockerDev-Bluemix
cd DockerDev-Bluemix
make build
make run

Next, see the “Getting Started” section of the readme file.

Pivotal Web Services

PWS is also based on the Cloud Foundry platform. If you use both Bluemix and PWS you will notice the similarities. Languages or frameworks supported on this platform are PHP, Go, Ruby, Node.js, Python, Java, .NET, Binaries, and Staticfiles. More details here. To get up and running with PWS, sign up for an account at http://run.pivotal.io, and then run the following commands:

git clone https://github.com/foospidy/DockerDev-PWS
cd DockerDev-PWS
make build
make run

Next, you can jump to the Deploy the Sample App step of the Pivotal tutorial.

Heroku

Heroku is a great platform to work with too. While it is not based on Cloud Foundry, you will notice it also uses the concept of buildpacks. Supported languages include Node.js, Ruby, Java, PHP, Python, Go, Scala, and Clojure. To get up and running with Heroku, sign up for an account at https://www.heroku.com, and then run the following commands:

git clone https://github.com/foospidy/DockerDev-Heroku
cd DockerDev-Heroku
make build
make run

Next, reference the “Getting Started” section of the readme file to select which language you want to get started with.
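Each of the three setups above clones a repository and then runs its Makefile and Dockerfile, so it is worth reading both before `make build` and `make run`. The following is an added example, not part of the original post or of the DockerDev-* repositories: a small review helper run against a constructed sample repo, with an illustrative pattern list.

```shell
#!/bin/sh
# Added example: flag lines worth reading in a cloned repo before running
# `make build` / `make run`. The patterns are an illustrative checklist.

# --privileged, host networking, docker.sock mount: container can reach the host
# curl|sh or wget|sh: remote script executed at build time without review
# :latest: base image tag is not pinned
RISKY='--privileged|--net(work)?[= ]host|docker\.sock|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|:latest'

# Print "file:line:text" for each flagged line in the Makefile and Dockerfile.
review_repo() {
    repo=$1
    for f in "$repo/Makefile" "$repo/Dockerfile"; do
        [ -f "$f" ] || continue
        grep -nE -e "$RISKY" "$f" | sed "s|^|${f##*/}:|"
    done
    return 0
}

# Constructed sample repo (not the contents of any DockerDev-* repository).
sample=$(mktemp -d)
printf 'build:\n\tdocker build -t paas-dev .\nrun:\n\tdocker run -it --privileged -v /var/run/docker.sock:/var/run/docker.sock paas-dev\n' > "$sample/Makefile"
printf 'FROM ubuntu:latest\nRUN curl -s https://example.invalid/install.sh | sh\n' > "$sample/Dockerfile"
review_repo "$sample"
rm -rf "$sample"
```

Running `make -n build run` in the cloned directory also prints the recipe commands without executing them.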

Conclusion

I hope the tooling I provided helped you successfully deploy a sample application to at least one of the PaaS offerings above. Moreover, I hope this has demonstrated how easy it can be to deploy applications in the cloud. Many developers as well as enterprises have recognized the benefits, and they are pushing to migrate their applications to these and other PaaS offerings. I think it is safe to expect this trend to continue, and perhaps your next project will add to the trend!

