The 3 disciplines
of CI/CD security
Daniel Krivelevich
Cider Security
cidersecurity.io
CTO & Co-Founder of Cider Security
Intro
● CI/CD
● Cyber
● Catchy 5 letter word
● We like Cider
cidersecurity.io
What does CI/CD security mean?
[Diagram: the forces pushing the engineering train forward]
● Shorter time to release
● More automation
● CI/CD
● IAC
● Larger diversity in tech stack
● Rapid adoption of new tech
The engineering train moves faster and faster...
How well is security adapting to these changes?
cidersecurity.io
The Engineering Ecosystem
[Diagram: one flow from Repo through CI Pipeline and CD Pipeline to Artifact, with the tooling beneath it (SCM, CI, CD, Artifact Repository, Container Registry), the repo's Language, and the Collaborators who touch each stage]
cidersecurity.io
The Challenge
[Diagram: the same ecosystem multiplied many times over: many Repos in many Languages, many CI Pipelines and CD Pipelines, many Artifacts, several SCM / CI / CD / Artifact Repository / Container Registry instances, and a far larger number of Collaborators across all of them]
cidersecurity.io
The complexity
[Diagram: a concrete instance built on Github, Jenkins, Artifactory, ECR and EKS]
Identities: User 1, User 2, User 3, User 4; App 1, App 2, App 3, App 4
Repos: Devops Repo (Terraform, Pulumi, Jenkinsfile); Service 1 Repo (Python, JavaScript, Jenkinsfile); Service 2 Repo (Ruby, JavaScript, Jenkinsfile)
Pipelines: Pipeline 1 (CI): Build {...}, Test {...}; Pipeline 2 (CI + CD): Build {...}, Test {...}, Deploy {...}; Pipeline 3 (CD): Deploy {...}
Credentials shown in the diagram: Artifactory_Read_Key, Artifactory_write_key, AWS_Access_Key_1, AWS_Access_Key_2, with R and RW access levels on the artifact repository
Artifacts: Artifact 1, Artifact 2, Artifact 3, Artifact 4
Runtime: Pod 1, Pod 2; Container 1, Container 2
cidersecurity.io
Mapping the environment
For Security, maneuvering through the engineering realm feels like walking through New York with a map of Tokyo.
cidersecurity.io
Today’s attack surface
Engineering environments have become the new attacker’s turf.
A single insecure step in the CI, or an insecure package import, can lead to devastating results.
Engineers are also looking for ways to bridge the gap.
cidersecurity.io
CI/CD security is about allowing engineering to continue to move fast, without making any compromises on Security.
cidersecurity.io
SIP
SOP
SAP
cidersecurity.io
SIP/SOP/SAP
Comprehensive Technical DNA of your environment - from Code to Deployment
SIP - Security In the Pipeline: Addresses the risk of code with security flaws flowing through the pipeline
cidersecurity.io
SIP - Security In the Pipeline
[Diagram: the code that flows through the pipeline. Github: Devops Repo, Service 1 Repo, Service 2 Repo. Gitlab: Devops Repo, Service 3 Repo, Service 4 Repo. Across them: Terraform, Pulumi, Ansible and Chef for infrastructure; Python, JavaScript, Ruby, Java and Go for services; a Jenkinsfile in each repo]
cidersecurity.io
Scanner    | Issue     | Description | Severity      | Repo   | Location
Checkov    | Bad stuff |             | Extremely Bad | Repo 1 | Line 1
GoSec      | Bad stuff |             | Horrible      | Repo 2 | Line 2
Bandit     | Bad stuff |             | Very severe   | Repo 1 | Line 4
Brakeman   | Bad stuff |             | Not good      | Repo 3 | Line 5
Checkov    | Bad stuff |             | Fix now       | Repo 4 | Line 2
PMD        | Bad stuff |             | Fix fast      | Repo 1 | Line 3
Nodejsscan | Bad stuff |             | So so         | Repo 2 | Line 7
Nodejsscan | Bad stuff |             | doing ok      | Repo 3 | Line 18
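Slide 16 folds findings from several scanners into one table with one severity column. As an added example (not from the deck or from Cider Security), the Python below does that folding for three of the tools named on the slide: it parses constructed sample JSON reports shaped like Bandit's, gosec's and Checkov's output (field names are assumed from those tools' JSON reports; verify them against the versions you run), maps each tool's severity vocabulary onto a single scale, renders the slide's columns, and decides whether the pipeline should block.

```python
"""Normalize findings from several scanners into one table (added example)."""
import json

# Unified severity scale, highest first, replacing each tool's own vocabulary.
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"]

# Per-tool mapping of native severity strings to the unified scale.
# Assumption: Checkov reports severity as null unless connected to its
# platform, so a missing value is mapped to "medium" rather than dropped.
SEVERITY_MAP = {
    "bandit": {"HIGH": "high", "MEDIUM": "medium", "LOW": "low"},
    "gosec": {"HIGH": "high", "MEDIUM": "medium", "LOW": "low"},
    "checkov": {"CRITICAL": "critical", "HIGH": "high", "MEDIUM": "medium",
                "LOW": "low", None: "medium"},
}

COLUMNS = ["scanner", "issue", "description", "severity", "repo", "location"]


def _finding(scanner, issue, description, severity, repo, location):
    """One row in the slide's Scanner/Issue/Description/Severity/Repo/Location table."""
    return {"scanner": scanner, "issue": issue, "description": description,
            "severity": severity, "repo": repo, "location": location}


def parse_bandit(report, repo):
    """Bandit JSON (assumed): results[] with test_id, issue_text, issue_severity, filename, line_number."""
    rows = []
    for r in report.get("results", []):
        sev = SEVERITY_MAP["bandit"].get(r.get("issue_severity", "").upper(), "medium")
        rows.append(_finding("Bandit", r["test_id"], r["issue_text"], sev, repo,
                             f"{r['filename']}:{r['line_number']}"))
    return rows


def parse_gosec(report, repo):
    """gosec JSON (assumed): Issues[] with rule_id, details, severity, file, line (line is a string)."""
    rows = []
    for i in report.get("Issues", []):
        sev = SEVERITY_MAP["gosec"].get(i.get("severity", "").upper(), "medium")
        rows.append(_finding("GoSec", i["rule_id"], i["details"], sev, repo,
                             f"{i['file']}:{i['line']}"))
    return rows


def parse_checkov(report, repo):
    """Checkov JSON (assumed): results.failed_checks[] with check_id, check_name, severity, file_path, file_line_range."""
    rows = []
    for c in report.get("results", {}).get("failed_checks", []):
        native = c.get("severity")
        sev = SEVERITY_MAP["checkov"].get(native.upper() if native else None, "medium")
        start = c.get("file_line_range", [0, 0])[0]
        rows.append(_finding("Checkov", c["check_id"], c["check_name"], sev, repo,
                             f"{c['file_path']}:{start}"))
    return rows


PARSERS = {"bandit": parse_bandit, "gosec": parse_gosec, "checkov": parse_checkov}


def normalize(reports):
    """reports: list of (tool, repo, raw_json_text). Returns rows sorted by severity, highest first."""
    rows = []
    for tool, repo, text in reports:
        rows.extend(PARSERS[tool](json.loads(text), repo))
    rows.sort(key=lambda r: SEVERITY_ORDER.index(r["severity"]))
    return rows


def to_table(rows):
    """Render rows with the slide's column headers, one finding per line."""
    lines = [" | ".join(c.capitalize() for c in COLUMNS)]
    lines += [" | ".join(str(r[c]) for c in COLUMNS) for r in rows]
    return "\n".join(lines)


def should_block(rows, threshold="high"):
    """Pipeline gate: True if any finding is at or above the threshold severity."""
    limit = SEVERITY_ORDER.index(threshold)
    return any(SEVERITY_ORDER.index(r["severity"]) <= limit for r in rows)


# Constructed sample reports (not real scan output) covering the three formats.
SAMPLE_REPORTS = [
    ("bandit", "Service 1 Repo", json.dumps({"results": [
        {"test_id": "B602", "issue_text": "subprocess call with shell=True",
         "issue_severity": "HIGH", "filename": "app/run.py", "line_number": 4}]})),
    ("gosec", "Service 3 Repo", json.dumps({"Issues": [
        {"rule_id": "G101", "details": "Potential hardcoded credentials",
         "severity": "MEDIUM", "file": "cmd/main.go", "line": "2"}]})),
    ("checkov", "Devops Repo", json.dumps({"results": {"failed_checks": [
        {"check_id": "CKV_AWS_18", "check_name": "Ensure the S3 bucket has access logging enabled",
         "severity": None, "file_path": "/main.tf", "file_line_range": [1, 12]}]}})),
]

if __name__ == "__main__":
    findings = normalize(SAMPLE_REPORTS)
    print(to_table(findings))
    print("block pipeline:", should_block(findings))
```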
cidersecurity.io
SIP/SOP/SAP
Comprehensive Technical DNA of your environment - from Code to Deployment
SIP - Security In the Pipeline: Addresses the risk of code with security flaws flowing through the pipeline
SOP - Security Of the Pipeline: Addresses the risk of the systems in the pipeline being compromised
cidersecurity.io
SOP - Security Of the Pipeline
[Diagram: four attack paths converging on the Crown Jewels (Production), each with the control layer that guards it]
● Exploiting workstations / endpoints: AV/EDR/EP
● Breaching the perimeter: WAF/IPS/PT
● Abusing cloud misconfigurations: CSPM
● Abusing software delivery systems/processes: SOP
cidersecurity.io
SIP/SOP/SAP
Comprehensive Technical DNA of your environment - from Code to Deployment
SIP - Security In the Pipeline: Addresses the risk of code with security flaws flowing through the pipeline
SOP - Security Of the Pipeline: Addresses the risk of the systems in the pipeline being compromised
SAP - Security Around the Pipeline: Addresses the risk of the pipeline being bypassed
cidersecurity.io
SAP - Security Around the Pipeline
[Diagram: Code/Artifacts reaching Production. One path goes through the pipeline; the other Code/Artifacts arrows reach Production around it, bypassing the pipeline's controls]
cidersecurity.io November 2021
Takeaway #1 - for defenders
● Appsec has extended far beyond the scope of code scanning.
● To address today’s challenges, we need to be thinking about SIP, SOP and SAP.
cidersecurity.io November 2021
Takeaway #2 - for engineers
Be patient with your AppSec teams. We have a lot to catch up on.
cidersecurity.io November 2021
Takeaway #3 - for hackers
You’ve done your fair share of damage for 2021... take a break.
cidersecurity.io
Thank you!

Mais conteúdo relacionado

Mais procurados

Grafana overview deck - Tech - 2023 May v1.pdf
Grafana overview deck  - Tech - 2023 May v1.pdfGrafana overview deck  - Tech - 2023 May v1.pdf
Grafana overview deck - Tech - 2023 May v1.pdf
BillySin5
 
Integrating Security into DevOps
Integrating Security into DevOpsIntegrating Security into DevOps
Integrating Security into DevOps
CloudPassage
 

Mais procurados (20)

Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
 
The DevOps Journey
The DevOps JourneyThe DevOps Journey
The DevOps Journey
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Grafana overview deck - Tech - 2023 May v1.pdf
Grafana overview deck  - Tech - 2023 May v1.pdfGrafana overview deck  - Tech - 2023 May v1.pdf
Grafana overview deck - Tech - 2023 May v1.pdf
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
DevSecOps and the CI/CD Pipeline
 DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
SRE-iously! Reliability!
SRE-iously! Reliability!SRE-iously! Reliability!
SRE-iously! Reliability!
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security Success
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
 
Integrating Security into DevOps
Integrating Security into DevOpsIntegrating Security into DevOps
Integrating Security into DevOps
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
 

Semelhante a THE THREE DISCIPLINES OF CI/CD SECURITY, DANIEL KRIVELEVICH, Cider Security

Analyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-timeAnalyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-time
DataWorks Summit
 

Semelhante a THE THREE DISCIPLINES OF CI/CD SECURITY, DANIEL KRIVELEVICH, Cider Security (20)

stackconf 2021 | Continuous Security – integrating security into your pipelines
stackconf 2021 | Continuous Security – integrating security into your pipelinesstackconf 2021 | Continuous Security – integrating security into your pipelines
stackconf 2021 | Continuous Security – integrating security into your pipelines
 
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by DesignJon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
 
Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022
 
Case Study on supply chain attack-how an rce in jenkins leads to data breache...
Case Study on supply chain attack-how an rce in jenkins leads to data breache...Case Study on supply chain attack-how an rce in jenkins leads to data breache...
Case Study on supply chain attack-how an rce in jenkins leads to data breache...
 
Cilium:: Application-Aware Microservices via BPF
Cilium:: Application-Aware Microservices via BPFCilium:: Application-Aware Microservices via BPF
Cilium:: Application-Aware Microservices via BPF
 
Humans and Data Don’t Mix: Best Practices to Secure Your Cloud
Humans and Data Don’t Mix: Best Practices to Secure Your CloudHumans and Data Don’t Mix: Best Practices to Secure Your Cloud
Humans and Data Don’t Mix: Best Practices to Secure Your Cloud
 
Prepare to defend thyself with Blue/Green
Prepare to defend thyself with Blue/GreenPrepare to defend thyself with Blue/Green
Prepare to defend thyself with Blue/Green
 
All Day DevOps 2016 Fabian - Defending Thyself with Blue Green
All Day DevOps 2016 Fabian - Defending Thyself with Blue GreenAll Day DevOps 2016 Fabian - Defending Thyself with Blue Green
All Day DevOps 2016 Fabian - Defending Thyself with Blue Green
 
Cilium - Network security for microservices
Cilium - Network security for microservicesCilium - Network security for microservices
Cilium - Network security for microservices
 
DAST в CI/CD, Ольга Свиридова
DAST в CI/CD, Ольга СвиридоваDAST в CI/CD, Ольга Свиридова
DAST в CI/CD, Ольга Свиридова
 
Analyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-timeAnalyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-time
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
 
Hardening Your CI/CD Pipelines with GitOps and Continuous Security
Hardening Your CI/CD Pipelines with GitOps and Continuous SecurityHardening Your CI/CD Pipelines with GitOps and Continuous Security
Hardening Your CI/CD Pipelines with GitOps and Continuous Security
 
CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60
 
Atelier Technique CISCO ACSS 2018
Atelier Technique CISCO ACSS 2018Atelier Technique CISCO ACSS 2018
Atelier Technique CISCO ACSS 2018
 
Alexey Kupriyanenko "Release Early, Often, Stable"
Alexey Kupriyanenko "Release Early, Often, Stable"Alexey Kupriyanenko "Release Early, Often, Stable"
Alexey Kupriyanenko "Release Early, Often, Stable"
 
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD Pipeline
 
Networking in Java with NIO and Netty
Networking in Java with NIO and NettyNetworking in Java with NIO and Netty
Networking in Java with NIO and Netty
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
 

Mais de DevOpsDays Tel Aviv

HOW TO OPTIMIZE NON-CODING TIME, ORI KEREN, LinearB
HOW TO OPTIMIZE NON-CODING TIME, ORI KEREN, LinearBHOW TO OPTIMIZE NON-CODING TIME, ORI KEREN, LinearB
HOW TO OPTIMIZE NON-CODING TIME, ORI KEREN, LinearB
DevOpsDays Tel Aviv
 
DON'T PANIC: GETTING YOUR INFRASTRUCTURE DRIFT UNDER CONTROL, ERAN BIBI, Firefly
DON'T PANIC: GETTING YOUR INFRASTRUCTURE DRIFT UNDER CONTROL, ERAN BIBI, FireflyDON'T PANIC: GETTING YOUR INFRASTRUCTURE DRIFT UNDER CONTROL, ERAN BIBI, Firefly
DON'T PANIC: GETTING YOUR INFRASTRUCTURE DRIFT UNDER CONTROL, ERAN BIBI, Firefly
DevOpsDays Tel Aviv
 

Mais de DevOpsDays Tel Aviv (20)

YOUR OPEN SOURCE PROJECT IS LIKE A STARTUP, TREAT IT LIKE ONE, EYAR ZILBERMAN...
YOUR OPEN SOURCE PROJECT IS LIKE A STARTUP, TREAT IT LIKE ONE, EYAR ZILBERMAN...YOUR OPEN SOURCE PROJECT IS LIKE A STARTUP, TREAT IT LIKE ONE, EYAR ZILBERMAN...
YOUR OPEN SOURCE PROJECT IS LIKE A STARTUP, TREAT IT LIKE ONE, EYAR ZILBERMAN...
 
GRAPHQL TO THE RES(T)CUE, ELLA SHARAKANSKI, Salto
GRAPHQL TO THE RES(T)CUE, ELLA SHARAKANSKI, SaltoGRAPHQL TO THE RES(T)CUE, ELLA SHARAKANSKI, Salto
GRAPHQL TO THE RES(T)CUE, ELLA SHARAKANSKI, Salto
 
MICROSERVICES ABOVE THE CLOUD - DESIGNING THE INTERNATIONAL SPACE STATION FOR...
MICROSERVICES ABOVE THE CLOUD - DESIGNING THE INTERNATIONAL SPACE STATION FOR...MICROSERVICES ABOVE THE CLOUD - DESIGNING THE INTERNATIONAL SPACE STATION FOR...
MICROSERVICES ABOVE THE CLOUD - DESIGNING THE INTERNATIONAL SPACE STATION FOR...
 
THE (IR)RATIONAL INCIDENT RESPONSE: HOW PSYCHOLOGICAL BIASES AFFECT INCIDENT ...
THE (IR)RATIONAL INCIDENT RESPONSE: HOW PSYCHOLOGICAL BIASES AFFECT INCIDENT ...THE (IR)RATIONAL INCIDENT RESPONSE: HOW PSYCHOLOGICAL BIASES AFFECT INCIDENT ...
THE (IR)RATIONAL INCIDENT RESPONSE: HOW PSYCHOLOGICAL BIASES AFFECT INCIDENT ...
 
PRINCIPLES OF OBSERVABILITY // DANIEL MAHER, DataDog
PRINCIPLES OF OBSERVABILITY // DANIEL MAHER, DataDogPRINCIPLES OF OBSERVABILITY // DANIEL MAHER, DataDog
PRINCIPLES OF OBSERVABILITY // DANIEL MAHER, DataDog
 
NUDGE AND SLUDGE: DRIVING SECURITY WITH DESIGN // J. WOLFGANG GOERLICH, Duo S...
NUDGE AND SLUDGE: DRIVING SECURITY WITH DESIGN // J. WOLFGANG GOERLICH, Duo S...NUDGE AND SLUDGE: DRIVING SECURITY WITH DESIGN // J. WOLFGANG GOERLICH, Duo S...
NUDGE AND SLUDGE: DRIVING SECURITY WITH DESIGN // J. WOLFGANG GOERLICH, Duo S...
 
(Ignite) TAKE A HIKE: PREVENTING BATTERY CORROSION - LEAH VOGEL, CHEGG
(Ignite) TAKE A HIKE: PREVENTING BATTERY CORROSION - LEAH VOGEL, CHEGG(Ignite) TAKE A HIKE: PREVENTING BATTERY CORROSION - LEAH VOGEL, CHEGG
(Ignite) TAKE A HIKE: PREVENTING BATTERY CORROSION - LEAH VOGEL, CHEGG
 
BUILDING A DR PLAN FOR YOUR CLOUD INFRASTRUCTURE FROM THE GROUND UP, MOSHE BE...
BUILDING A DR PLAN FOR YOUR CLOUD INFRASTRUCTURE FROM THE GROUND UP, MOSHE BE...BUILDING A DR PLAN FOR YOUR CLOUD INFRASTRUCTURE FROM THE GROUND UP, MOSHE BE...
BUILDING A DR PLAN FOR YOUR CLOUD INFRASTRUCTURE FROM THE GROUND UP, MOSHE BE...
 
THE PLEASURES OF ON-PREM, TOMER GABEL
THE PLEASURES OF ON-PREM, TOMER GABELTHE PLEASURES OF ON-PREM, TOMER GABEL
THE PLEASURES OF ON-PREM, TOMER GABEL
 
CONFIGURATION MANAGEMENT IN THE CLOUD NATIVE ERA, SHAHAR MINTZ, EggPack
CONFIGURATION MANAGEMENT IN THE CLOUD NATIVE ERA, SHAHAR MINTZ, EggPackCONFIGURATION MANAGEMENT IN THE CLOUD NATIVE ERA, SHAHAR MINTZ, EggPack
CONFIGURATION MANAGEMENT IN THE CLOUD NATIVE ERA, SHAHAR MINTZ, EggPack
 
SOLVING THE DEVOPS CRISIS, ONE PERSON AT A TIME, CHRISTINA BABITSKI, Develeap
SOLVING THE DEVOPS CRISIS, ONE PERSON AT A TIME, CHRISTINA BABITSKI, DeveleapSOLVING THE DEVOPS CRISIS, ONE PERSON AT A TIME, CHRISTINA BABITSKI, Develeap
SOLVING THE DEVOPS CRISIS, ONE PERSON AT A TIME, CHRISTINA BABITSKI, Develeap
 
OPTIMIZING PERFORMANCE USING CONTINUOUS PRODUCTION PROFILING ,YONATAN GOLDSCH...
OPTIMIZING PERFORMANCE USING CONTINUOUS PRODUCTION PROFILING ,YONATAN GOLDSCH...OPTIMIZING PERFORMANCE USING CONTINUOUS PRODUCTION PROFILING ,YONATAN GOLDSCH...
OPTIMIZING PERFORMANCE USING CONTINUOUS PRODUCTION PROFILING ,YONATAN GOLDSCH...
 
HOW TO SCALE YOUR ONCALL OPERATION, AND SURVIVE TO TELL, ANTON DRUKH
HOW TO SCALE YOUR ONCALL OPERATION, AND SURVIVE TO TELL, ANTON DRUKHHOW TO SCALE YOUR ONCALL OPERATION, AND SURVIVE TO TELL, ANTON DRUKH
HOW TO SCALE YOUR ONCALL OPERATION, AND SURVIVE TO TELL, ANTON DRUKH
 
HOW TO OPTIMIZE NON-CODING TIME, ORI KEREN, LinearB
HOW TO OPTIMIZE NON-CODING TIME, ORI KEREN, LinearBHOW TO OPTIMIZE NON-CODING TIME, ORI KEREN, LinearB
HOW TO OPTIMIZE NON-CODING TIME, ORI KEREN, LinearB
 
FLYING BLIND - ACCESSIBILITY IN MONITORING, FEU MOUREK, Icinga
FLYING BLIND - ACCESSIBILITY IN MONITORING, FEU MOUREK, IcingaFLYING BLIND - ACCESSIBILITY IN MONITORING, FEU MOUREK, Icinga
FLYING BLIND - ACCESSIBILITY IN MONITORING, FEU MOUREK, Icinga
 
(Ignite) WHAT'S BURNING THROUGH YOUR CLOUD BILL - GIL BAHAT, CIDER SECURITY
(Ignite) WHAT'S BURNING THROUGH YOUR CLOUD BILL - GIL BAHAT, CIDER SECURITY(Ignite) WHAT'S BURNING THROUGH YOUR CLOUD BILL - GIL BAHAT, CIDER SECURITY
(Ignite) WHAT'S BURNING THROUGH YOUR CLOUD BILL - GIL BAHAT, CIDER SECURITY
 
SLO DRIVEN DEVELOPMENT, ALON NATIV, Tomorrow.io
SLO DRIVEN DEVELOPMENT, ALON NATIV, Tomorrow.ioSLO DRIVEN DEVELOPMENT, ALON NATIV, Tomorrow.io
SLO DRIVEN DEVELOPMENT, ALON NATIV, Tomorrow.io
 
ONBOARDING IN LOCKDOWN, HILA FOX, Augury
ONBOARDING IN LOCKDOWN, HILA FOX, AuguryONBOARDING IN LOCKDOWN, HILA FOX, Augury
ONBOARDING IN LOCKDOWN, HILA FOX, Augury
 
DON'T PANIC: GETTING YOUR INFRASTRUCTURE DRIFT UNDER CONTROL, ERAN BIBI, Firefly
DON'T PANIC: GETTING YOUR INFRASTRUCTURE DRIFT UNDER CONTROL, ERAN BIBI, FireflyDON'T PANIC: GETTING YOUR INFRASTRUCTURE DRIFT UNDER CONTROL, ERAN BIBI, Firefly
DON'T PANIC: GETTING YOUR INFRASTRUCTURE DRIFT UNDER CONTROL, ERAN BIBI, Firefly
 
KEYNOTE | WHAT'S COMING IN THE NEXT 10 YEARS OF DEVOPS? // ELLEN CHISA, bolds...
KEYNOTE | WHAT'S COMING IN THE NEXT 10 YEARS OF DEVOPS? // ELLEN CHISA, bolds...KEYNOTE | WHAT'S COMING IN THE NEXT 10 YEARS OF DEVOPS? // ELLEN CHISA, bolds...
KEYNOTE | WHAT'S COMING IN THE NEXT 10 YEARS OF DEVOPS? // ELLEN CHISA, bolds...
 

Último

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 

Último (20)

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 

THE THREE DISCIPLINES OF CI/CD SECURITY, DANIEL KRIVELEVICH, Cider Security

  • 1. The 3 disciplines of CI/CD security Daniel Krivelevich Cider Security
  • 2. cidersecurity.io CTO & Co-Founder of Cider Security Intro ● CI/CD ● Cyber ● Catchy 5 letter word ● We like Cider
  • 5. How well is security adapting to these changes?
  • 6. cidersecurity.io The Engineering Ecosystem Repo CI Pipeline CD Pipeline Artifact Language SCM CI CD Artifact Repository Container Registry Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator
  • 7. cidersecurity.io The Challenge Repo Repo Repo Repo Repo Repo Repo Repo Repo Repo Repo Repo Repo CI Pipeline CI Pipeline CI Pipeline CI Pipeline CI Pipeline CI Pipeline CI Pipeline CI Pipeline CI Pipeline CI Pipeline CI Pipeline CI Pipeline CD Pipeline CD Pipeline CD Pipeline CD Pipeline CD Pipeline CD Pipeline CD Pipeline CD Pipeline CD Pipeline CD Pipeline CD Pipeline Artifact Artifact Artifact Artifact Artifact Artifact Artifact Artifact Artifact Artifact Artifact Artifact Artifact Language Language Language Language Language Language Language Language Language Language Language Language SCM CI CD Artifact Repository Container Registry SCM CI CD Artifact Repository Container Registry Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Repo Repo Artifact Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator
  • 8. cidersecurity.io Github Jenkins Artifactory ECR EKS The complexity User 1 User 3 User 2 User 4 App 1 App 3 App 2 App 4 Devops Repo Service 1 Repo Service 2 Repo Terraform Pulumi Jenkinsfile Python JavaScript Jenkinsfile Ruby JavaScript Jenkinsfile Artifact 1 Artifact 2 Artifact 3 Artifact 4 Pipeline 3 (CD) Deploy{...} Artifactory_Read_Key AWS_Access_Key_1 AWS_Access_Key_2 Pipeline 1 (CI) Build {...} Test {...} Pipeline 2 (CI + CD) Build {...} Test {...} Deploy{...} Artifactory_write_key R RW Pod 1 Pod 2 Container 2 Container 1
  • 9. cidersecurity.io For Security, maneuvering through the engineering realm, Feels like walking through New York with a map of Tokyo Mapping the environment
  • 10. cidersecurity.io Engineering environments have become the new attacker’s turf Today’s attack surface A single insecure step in the CI, or insecure package import - can lead to devastating results Engineers are also looking for ways to bridge the gap
  • 11. cidersecurity.io CI/CD security is about allowing engineering to continue to move fast Without making any compromises on Security
  • 13. cidersecurity.io SIP/SOP/SAP Comprehensive Technical DNA of your environment - from Code to Deployment SIP - Security In the Pipeline Addresses the risk of code with security flaws flowing through the pipeline
  • 14. cidersecurity.io Github Devops Repo Service 1 Repo Service 2 Repo Gitlab Devops Repo Service 3 Repo Service 4 Repo Terraform Pulumi Jenkinsfile Python JavaScript Jenkinsfile Ruby JavaScript Jenkinsfile Ansible Chef Python Java Go JavaScript Jenkinsfile SIP - Security In the Pipeline
  • 15. cidersecurity.io Github Devops Repo Service 1 Repo Service 2 Repo Gitlab Devops Repo Service 3 Repo Service 4 Repo Terraform Pulumi Jenkinsfile Python JavaScript Jenkinsfile Ruby JavaScript Jenkinsfile Ansible Chef Python Java Go JavaScript Jenkinsfile SIP - Security In the Pipeline
  • 16. cidersecurity.io Scanner Issue Description Severity Repo Location Checkov Bad stuff Extremely Bad Repo 1 Line 1 GoSec Bad stuff Horrible Repo 2 Line 2 Bandit Bad stuff Very severe Repo 1 Line 4 Brakeman Bad stuff Not good Repo 3 Line 5 Checkov Bad stuff Fix now Repo 4 Line 2 PMD Bad stuff Fix fast Repo 1 Line 3 Nodejsscan Bad stuff So so Repo 2 Line 7 Nodejsscan Bad stuff doing ok Repo 3 Line 18
  • 17. cidersecurity.io SIP/SOP/SAP Comprehensive Technical DNA of your environment - from Code to Deployment SIP - Security In the Pipeline Addresses the risk of code with security flaws flowing through the pipeline SOP - Security Of the Pipeline Addresses the risk of the systems in the pipeline being compromised
  • 18. cidersecurity.io SOP - Security Of the Pipeline Crown Jewels (Production) Exploiting workstations endpoints Abusing cloud misconfigurations Breaching the perimeter Abusing software delivery systems/ processes AV/EDR /EP WAF/IPS /PT CSPM SOP
  • 19. SIP/SOP/SAP: a comprehensive technical DNA of your environment, from code to deployment. SIP - Security In the Pipeline: addresses the risk of code with security flaws flowing through the pipeline. SOP - Security Of the Pipeline: addresses the risk of the systems in the pipeline being compromised. SAP - Security Around the Pipeline: addresses the risk of the pipeline being bypassed.
  • 20. SAP - Security Around the Pipeline (diagram: several Code/Artifacts sources feeding Production).
  • 22. November 2021. Takeaway #1 - for defenders: AppSec has extended far beyond the scope of code scanning. To address today’s challenges, we need to be thinking about SIP, SOP and SAP.
  • 23. Takeaway #2 - for engineers: Be patient with your AppSec teams. We have a lot to catch up on.
  • 24. Takeaway #3 - for hackers: You’ve done your fair share of damage for 2021... take a break.

Editor’s Notes

  1. Good morning everyone, this is “The 3 disciplines of CI/CD security”. It is a great honor and privilege to be speaking here.
  2. A short intro: I’m the Co-Founder and CTO of Cider. Many people ask us “what kind of a name is Cider?”
  3. Releases are conducted on a daily or hourly basis. The stack comprises more technologies. It takes a much shorter time to adopt a new technology or framework. Not only applications are codified; infra is too. And of course there is a lot less manual process and a lot more automation, continuous integration and continuous delivery.
  4. Security is struggling to keep up. This is especially relevant now that security is no longer a blocker.
  5. When we look at the building blocks that comprise the ecosystem: different systems moving around different types of objects and artifacts, all the way from the engineer’s endpoint to production; a fusion of human collaborators, services and applications accessing the systems; and a lot of 3rd parties, access tokens and keys spread out through the environment.
  6. And the challenge for us as defenders is that reality doesn’t really look like the slide we saw earlier; it looks a little more like this. Even in a small startup, and definitely in a big organization, each one of these building blocks is potentially connected to one or more of the others.
  7. And the complexity of coping with the challenge stems from how deeply familiar we need to become with the inner workings of the environment in order to understand where the risks are and what security measures are required. ((click)) What repos? What languages? How do CI pipelines connect to repos, and with what permissions? What secrets are stored in CI, and what is their scope? How do CI and CD pipelines take code, package it and upload it to artifact repositories, which are then bundled in containers and ultimately deployed to prod? And which humans and which applications have access to that ecosystem? Unless we know all of this, it is pretty hard to understand what security risks exist in our ecosystem.
  8. Coping with the challenge of what is going on in this fast-paced and dynamic ecosystem: it is very easy to get lost, to have only partial visibility and understanding of what’s going on, and to not really know who to refer to if we have specific questions.
  9. In parallel, what’s evident is that engineering has become a primary area of focus for attackers. Some examples of that, which I’m sure many of you are familiar with, just from the past year:
     - SolarWinds, which had their build/CI system compromised, ending with malware being shipped to 18,000 orgs
     - the Codecov hack, where orgs using Codecov as part of their CI had their environment variables
     - PHP, which had their git infrastructure compromised and served a PHP version with a backdoor
     - dependency confusion, where Apple, Microsoft and dozens of other giants were at risk of having their CI compromised by managing dependencies in an insecure manner
     - and the recent coa, rc and ua-parser-js npm packages, with millions of weekly downloads, which were compromised and infected with malware
     So in this reality, it’s not just about security bridging the gap towards engineering.
  10. We at Cider have defined 3 disciplines which, together, help organizations address the challenges and complexities we described earlier and build strong CI/CD security programs. They are called SIP, SOP and SAP: Security in the pipeline, Security of the pipeline, Security around the pipeline. In the next slides we’ll review each one and understand what they are.
  11. We have to keep in mind that, as we discussed, building strong CI/CD security programs requires us to gain a very intimate level of familiarity with the ecosystem, the technologies and the interconnectivity between the different systems. Having that “technical DNA” is basically our base layer, on top of which we build our CI/CD security program. Let’s start with SIP. Security in the pipeline is about implementing effective measures to detect security flaws in our code.
  12. CI Pipeline
  13. CI Pipeline
  14. CI Pipeline
  15. Security of the pipeline is about understanding that hackers are targeting our SCM, our CI and the rest of the systems down the pipeline, and we need to make sure they are secure enough to prevent those attacks.
  16. The best way to understand SOP is to look at it from the attacker’s perspective, and that means looking at it from the crown jewels. SOP is the equivalent of the solutions in blue, for the vector of abusing software delivery systems and processes to get to production.
  17. SAP - addresses the concern of our pipeline being bypassed
  18. So when we look at our ecosystem... if we think about it, it’s not enough to be perfect in SIP and in SOP if someone can connect directly to k8s and deploy malware to production, or connect directly to AWS and modify a Lambda function in a manner that isn’t consistent with what’s stored in our SCM. (click) So SAP is about taking the measures to be able to answer 2 main questions.
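One concrete way to act on the SAP concern above is a drift check: compare the workloads the SCM declares for production with what is actually running and flag anything that got there without passing through the pipeline. This is an added illustration, not Cider’s tooling; the workload names and digests are constructed sample data, and in practice the observed side would come from the cluster or cloud API (e.g. the output of `kubectl get deploy -o json`) and the declared side from the manifests in the repo.

```python
"""Toy SAP (Security Around the Pipeline) drift check.

Compares what the SCM says should be running in production with what
actually is. Every mismatch is something that reached production by a
path other than the pipeline. All sample data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    image: str  # image reference pinned by digest (constructed values)


# Declared state: what the manifests in the SCM say production should be.
SCM_DECLARED = {
    Workload("service-1", "registry.example/service-1@sha256:aaa111"),
    Workload("service-2", "registry.example/service-2@sha256:bbb222"),
}

# Observed state: what the cluster (or cloud account) is actually running.
PROD_OBSERVED = {
    Workload("service-1", "registry.example/service-1@sha256:aaa111"),  # matches SCM
    Workload("service-2", "registry.example/service-2@sha256:ccc333"),  # image changed outside the pipeline
    Workload("debug-shell", "registry.example/debug@sha256:ddd444"),    # never declared in SCM
}


def find_bypass(declared, observed):
    """Return (kind, name, scm_image, prod_image) tuples for every observed
    workload that the SCM does not account for.

    kind is 'unmanaged' when the SCM has no workload of that name at all,
    and 'modified' when the name is known but the running image differs
    from the declared one. Workloads that match exactly are not reported."""
    by_name = {w.name: w for w in declared}
    findings = []
    for w in sorted(observed, key=lambda x: x.name):
        src = by_name.get(w.name)
        if src is None:
            findings.append(("unmanaged", w.name, None, w.image))
        elif src.image != w.image:
            findings.append(("modified", w.name, src.image, w.image))
    return findings


if __name__ == "__main__":
    for kind, name, want, got in find_bypass(SCM_DECLARED, PROD_OBSERVED):
        print(f"{kind:9} {name}: scm={want} prod={got}")
```

A second question SAP raises, whether the declared state itself was produced by the pipeline rather than pushed straight to the SCM, is not covered by this check and needs SCM-side controls such as branch protection and review requirements.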
  19. SAP - addresses the concern of our pipeline being bypassed
  20. Daniel and I come from many years in the trenches, and we felt the pain in our day-to-day work. Even companies like AppsFlyer, that have strong security teams and a strong understanding of the need for security as part of engineering (it was a competitive advantage for us), can’t handle the complexity, and the security teams are struggling with working with the engineering teams. I always felt that I had so many blind spots in engineering; even after I found something, I realized that there are many other issues that I’m not aware of. We need to change the way we interact with engineering teams. We need to do it better and faster. This is why we established Cider.