
Abstraction in Cybersecurity

135. Simplifying cybersecurity policies and code to limit risk and reduce overhead

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: Application Security | Cloud Security Architecture | The Principle of Abstraction

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the last post, I wrote about privilege escalation in a cloud account (AWS specifically, but it applies to any cloud environment).

Now we want to try to write the policies using the approaches I mentioned in those blog posts. Before we do that, I want to clarify something I wrote about previously, because it applies to writing IAM policies with as few lines of code as possible while still achieving a correct result.

I’ve referenced the term abstraction in multiple blog posts. I talk about abstraction in terms of taking your policies and reducing them down to the things they have in common, which go into a higher-level policy.

I recently saw the word abstraction used in a different manner and applied to cybersecurity. I suppose that definition works, but it is not what I mean when I talk about abstraction, so it prompted me to write this blog post.

Where did I get this concept of abstraction? From the same place I came up with the concept of immutable infrastructure — years of Java programming. Concepts used to reduce code and write reusable components in Java and other object-oriented programming languages can be used to write better cybersecurity policies.

Abstract Class

In Java you can create an abstract class. You cannot instantiate an abstract class. Instead, you use an abstract class as the basis for creating other classes with common properties but different implementations. For example, a shape has some common properties regardless of whether it is a circle, a square or a triangle. For the sake of time, and so as not to reinvent the wheel, I will reference this class diagram from geeksforgeeks.com (I could draw up my own image if needed using cars, fruit, animals, or whatever).

In the example above, a shape always has certain properties. In this example, all shapes have a color, an area, and a “toString()” function which could return whatever string a developer wants to return for that particular shape.

The common properties have been extracted, or in other words the details have been abstracted away, to create a higher-level class with all the common properties for a particular type of object.

The classes that extend that abstract class are of the same type as the abstract class, but each fills in its own particular implementation. In other words, the implementation of calculating the area for a circle will differ from that of a rectangle or a triangle.

Abstraction in cloud code and cloud security policies

When you create a CloudFormation template, you can remove the details that vary and extract the common properties into parameters. Those parameters get populated when the template is executed.

Each particular execution of the template may have a different implementation, resulting in a different resource, because different parameter values are passed in. However, all the stacks can use a single template for their underlying definition.

That’s what I am referring to when I talk about abstraction.

When I look up the terms abstraction and Java abstraction I find many varying definitions. The reason I used the term “abstraction” is because an abstract class is a concept in Java similar to the concept I am trying to explain. The abstract class contains the properties and methods that are common to all the classes that extend that abstract class.

Other classes can extend and build on the class as shown in the following example, but they must include and implement the properties and methods in the abstract class.

In this example below, courtesy of Oracle, the Circle extends a GraphicObject and fills in the specific implementation of the placeholder methods provided by the abstract class.

Abstract Methods and Classes (docs.oracle.com): https://docs.oracle.com/javase/tutorial/java/IandI/abstract.html

In the example above, the class that extends the abstract class has to implement the methods defined by the abstract class but it can also add its own functionality.

DRY — Do not repeat yourself

I mentioned the DRY concept in my series on software security. The less code you write, the fewer potential bugs or typos your application will contain.

I wrote about DRY — Don’t repeat yourself — in these two blog posts and some others:

Creating Shared Repositories and Code in an Organization (ACM.46 DRY. Don’t Repeat Yourself.): https://readmedium.com/creating-shared-repositories-and-code-in-an-organization-7c68ef14de9f

Every Line of Code is a Potential Bug (How to reduce the chances of a security flaw in your application with the principle of abstraction): https://readmedium.com/every-line-of-code-is-a-potential-bug-49108a0d8045

The abstract class itself, unlike an interface in Java, can include implementation, or in other words functionality. You can implement some code and each class that extends that abstract class will include that code.

If every “GraphicObject” in our example above (or Shape in the prior example) is going to repeat the same code over and over because each one implements the same functionality, it makes more sense to move that common functionality into the abstract class. That way each class that extends the abstract class will not be repeating the same code over and over. It will get that code when it extends the abstract class.

The idea here can be used when creating IAM policies. You abstract out the smallest possible policy that is common across a number of resources and use that, let’s say, for all users. Then you create more specific policies on top of that only where required instead of repeating the same code over and over.
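As an added example (this is not code from the post), here is the abstract-class idea from the Java sections above carried over to IAM policies in Python. A base class holds the statements every identity gets, the way an abstract class holds shared implementation; each concrete policy must supply only its own statements, the way Circle fills in the placeholder methods; and a duplicate check flags a subclass that copy-pastes a base statement instead of inheriting it. The account ID, bucket name, key ID, role names and Sids are constructed placeholders, and the two common statements are a simplified version of the self-service-credentials-plus-MFA pattern AWS documents, not a production policy.

```python
"""Added example: a base 'policy' carrying the statements common to all
identities, extended by narrower policies that only add what they need.
Account ID, bucket, key ID and Sids are constructed placeholders."""
import json
from abc import ABC, abstractmethod

# Constructed placeholders, not real resources.
ACCOUNT_ID = "123456789012"
SELF_SERVICE_ACTIONS = ["iam:ChangePassword", "iam:GetUser", "sts:GetSessionToken"]


class BasePolicy(ABC):
    """Plays the role of the Java abstract class: it holds the shared
    implementation (the common statements) and forces every subclass to
    provide the part that varies. It cannot be instantiated on its own."""

    # Defined exactly once (DRY); every concrete policy inherits these.
    COMMON_STATEMENTS = [
        {
            "Sid": "AllowOwnCredentialSelfService",
            "Effect": "Allow",
            "Action": SELF_SERVICE_ACTIONS,
            "Resource": f"arn:aws:iam::{ACCOUNT_ID}:user/${{aws:username}}",
        },
        {
            "Sid": "DenyEverythingElseWithoutMFA",
            "Effect": "Deny",
            "NotAction": SELF_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ]

    @abstractmethod
    def specific_statements(self) -> list:
        """The part each concrete policy must fill in (cf. Circle.draw())."""

    def document(self) -> dict:
        """Common statements first, then the specific ones; refuse to emit a
        document in which a subclass has repeated code that lives in the base."""
        statements = self.COMMON_STATEMENTS + self.specific_statements()
        repeats = find_duplicate_statements(statements)
        if repeats:
            raise ValueError(f"statement(s) repeat an earlier statement: {repeats}")
        return {"Version": "2012-10-17", "Statement": statements}

    def to_json(self) -> str:
        return json.dumps(self.document(), indent=2, sort_keys=True)


def find_duplicate_statements(statements: list) -> list:
    """Return the Sids of statements that are identical (ignoring the Sid itself)
    to an earlier statement, i.e. code that should have stayed in the base."""
    seen = set()
    repeats = []
    for stmt in statements:
        body = json.dumps({k: v for k, v in stmt.items() if k != "Sid"}, sort_keys=True)
        if body in seen:
            repeats.append(stmt.get("Sid", "<no Sid>"))
        seen.add(body)
    return repeats


class ReadOnlyAnalystPolicy(BasePolicy):
    """Adds only read access to one (placeholder) reports bucket."""
    def specific_statements(self) -> list:
        return [{
            "Sid": "ReadReports",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
        }]


class KeyAdminPolicy(BasePolicy):
    """Adds only two actions on one (placeholder) KMS key."""
    def specific_statements(self) -> list:
        return [{
            "Sid": "ManageOneKey",
            "Effect": "Allow",
            "Action": ["kms:DescribeKey", "kms:EnableKeyRotation"],
            "Resource": f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/EXAMPLE-KEY-ID",
        }]


class RepeatsBasePolicy(BasePolicy):
    """Deliberately wrong: copies a base statement instead of inheriting it."""
    def specific_statements(self) -> list:
        return [dict(BasePolicy.COMMON_STATEMENTS[0], Sid="CopyPasted")]


def policy_is_dry(policy: BasePolicy) -> bool:
    """True when the rendered document contains no repeated statements."""
    try:
        policy.document()
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(ReadOnlyAnalystPolicy().to_json())
    print("RepeatsBasePolicy is DRY:", policy_is_dry(RepeatsBasePolicy()))
```

The duplicate check is the part worth keeping around: it catches the case the post warns about, where a specific policy silently re-implements something the base already grants, so the base can no longer be changed in one place.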

The same concept applies in networking. You don’t want to create a single security group for every single application if you can abstract out a number of common rules that every application will need into a single, reusable group. Then you can apply that reusable group wherever possible, and add the unique rules in a separate group if you need them.

In a CloudFormation template, you can “abstract” or “extract” the values that change from template to template and pass them in as parameters. Then you can reuse all the code in that template that is the same across resources of the same type. That’s what I did when I created a single template that creates all the KMS keys in your organization, as part of this series:

Automating Cybersecurity Metrics (ACM), a series of blog posts on cybersecurity metrics and security automation: https://readmedium.com/automating-cybersecurity-metrics-890dfabb6198
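As an added example (again not the post’s own template), here is the pattern from the last two paragraphs, the reusable security group plus parameterised per-app details, as a CloudFormation template built in Python. The common group with the rules every application needs is defined once, the app-specific group takes its port and allowed caller from parameters, and a small pre-flight check validates a stack’s parameter values against the constraints the template declares before anything is deployed. The resource names, the choice of rules (outbound HTTPS only for the common group) and the VPC and security-group IDs are constructed assumptions.

```python
"""Added example (not the post's own code): one CloudFormation template that
defines the shared security group once and parameterises what varies per app.
Resource names, the chosen rules and all IDs are constructed placeholders."""
import json
import re


def make_template() -> dict:
    """The single template: everything identical for every app lives here."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Common plus app-specific security groups (example)",
        "Parameters": {
            "VpcId": {"Type": "AWS::EC2::VPC::Id"},
            "AppName": {"Type": "String", "AllowedPattern": "^[a-z0-9-]{1,32}$"},
            "AppPort": {"Type": "Number", "MinValue": 1024, "MaxValue": 65535},
            "ClientSecurityGroupId": {"Type": "AWS::EC2::SecurityGroup::Id"},
        },
        "Resources": {
            # Defined once and reused: outbound HTTPS only, no inbound rules at all.
            "CommonSecurityGroup": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {
                    "GroupDescription": "Rules every application needs",
                    "VpcId": {"Ref": "VpcId"},
                    "SecurityGroupEgress": [
                        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                         "CidrIp": "0.0.0.0/0"}
                    ],
                },
            },
            # Only what is unique to the app; port and caller come from parameters.
            "AppSecurityGroup": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {
                    "GroupDescription": {"Fn::Sub": "Rules unique to ${AppName}"},
                    "VpcId": {"Ref": "VpcId"},
                    "SecurityGroupIngress": [
                        {"IpProtocol": "tcp",
                         "FromPort": {"Ref": "AppPort"}, "ToPort": {"Ref": "AppPort"},
                         "SourceSecurityGroupId": {"Ref": "ClientSecurityGroupId"}}
                    ],
                },
            },
        },
    }


def template_json() -> str:
    """The template as the JSON you would hand to CloudFormation."""
    return json.dumps(make_template(), indent=2, sort_keys=True)


def stack_parameters(app_name: str, app_port: int, vpc_id: str, client_sg_id: str) -> list:
    """Per-stack values in the shape the CreateStack API takes them."""
    return [
        {"ParameterKey": "VpcId", "ParameterValue": vpc_id},
        {"ParameterKey": "AppName", "ParameterValue": app_name},
        {"ParameterKey": "AppPort", "ParameterValue": str(app_port)},
        {"ParameterKey": "ClientSecurityGroupId", "ParameterValue": client_sg_id},
    ]


def validate_parameters(template: dict, params: list) -> list:
    """Local pre-flight check before deploying: every declared parameter has a
    value, numbers stay inside MinValue/MaxValue, strings match AllowedPattern,
    and nothing undeclared is passed. Returns a list of problems (empty = ok)."""
    declared = template["Parameters"]
    given = {p["ParameterKey"]: p["ParameterValue"] for p in params}
    problems = []
    for name, spec in declared.items():
        if name not in given:
            problems.append(f"missing parameter {name}")
            continue
        value = given[name]
        if spec["Type"] == "Number":
            try:
                number = int(value)
            except ValueError:
                problems.append(f"{name}={value!r} is not a number")
                continue
            if not spec.get("MinValue", number) <= number <= spec.get("MaxValue", number):
                problems.append(f"{name}={number} outside allowed range")
        elif "AllowedPattern" in spec and not re.fullmatch(spec["AllowedPattern"], value):
            problems.append(f"{name}={value!r} does not match AllowedPattern")
    for name in given:
        if name not in declared:
            problems.append(f"unknown parameter {name}")
    return problems


if __name__ == "__main__":
    # Two stacks, one template: only the parameter values differ.
    for app, port in (("payments", 8443), ("reports", 9000)):
        params = stack_parameters(app, port, "vpc-0123456789abcdef0", "sg-0123456789abcdef0")
        print(app, validate_parameters(make_template(), params) or "parameters ok")
```

The point of keeping the common group in the template rather than in each app’s parameters is that a change to the shared rules (say, tightening the egress CIDR) is made in exactly one place and reaches every stack on its next update, while the per-app surface that needs review stays small and explicit.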

That’s what I did when creating security groups in the above framework for batch jobs, which has turned into a full-on AWS architecture from start to finish. I started down the rabbit-hole of secure automation and now I am digging my way out.

Defining Abstraction in Cybersecurity

While searching for definitions of abstraction, many variations presented themselves, but I think this definition is the closest to the concept I am trying to convey when I use the word abstraction:

Abstraction (from the Latin abs, meaning away from, and trahere, meaning to draw) is the process of taking away or removing characteristics from something in order to reduce it to a set of essential characteristics.

Source: What is Abstraction? - Definition from WhatIs.com (www.techtarget.com): https://www.techtarget.com/whatis/definition/abstraction

Yes, there are other definitions, but the point I am trying to make to simplify management of your security resources is in line with that definition. If you want to use another definition for some other purpose, feel free, but that is not what I mean when I’m talking about using the principle of abstraction to simplify your security management.

We want to reduce and extract all the common properties into the highest-level, simplest policy, and then extend that policy as needed, only adding complexity and additional words and code where they are absolutely required. We’ll try to do that in the upcoming policies to prevent the types of privilege escalation I wrote about on AWS in the last few posts.

The least words to describe a thought — correctly — are best. Or to paraphrase Mark Twain — if I had more time, I would write a shorter blog post.

More posts on Abstraction:

The Principle of Abstraction (Reduction of a topic to the essential parts): https://readmedium.com/the-principle-of-abstraction-c569df6daf81

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab