Automating security tests in development with Docker (an introduction)
Gabe Schuyler (@gabe_sky)
LASCON 2022
Gabe Schuyler LASCON 2022 @gabe_sky
Who am I?
Gabe Schuyler
• Operations
• Cybersecurity
• Dev(Sec)Ops
• Now: Wiz, Inc.
• Past: Palo Alto Networks, PuppetLabs, Sony PlayStation ...
Why bother?
framing the problem
• Use the same tools as attackers
• An ounce of prevention
• Shift-left
• Developers know what to double-down on in an attack
• Continuously shifting attacks -- don't just scan once and forget it
• Avoid gating before production
• Pen tests take weeks, a Docker run takes seconds
Containers
in a very small nutshell
• Tiny
• Prepackaged
• Single purpose
• Like very small virtual machines, but sharing the host's kernel
Docker in a nutshell
shrinking it down
• Overview
• Images
• Volumes
• Ports
• Web apps
• Attack platforms
Diagram (built up over four slides): a full machine stack (kernel, apps, tools, games) shrinks to one container holding only an app, its files and its ports on a shared kernel; the last frame pairs an attack container (attack files, ports) with a web server container on that same kernel.
Readme.txt
relax, it's all here
• Requirements
• Commands to run
• We're trying to help
• "Pull requests welcome!"
Caveat haX0r
you break it you bought it
• Virtualize
• Snapshot
• Embrace destruction
Launching broad attacks
it's not just for script kiddies
• ZAProxy (OWASP ZAP)
• nikto
• Ask your developers what to try!
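The "Docker in a nutshell" pieces (images, volumes, ports, a web app container and an attack container side by side) and the two broad scanners on this slide fit in one script. The following is an added example, not code from the talk or from the ZAP or nikto projects: it starts a target container on a private network, runs OWASP ZAP's baseline scan and nikto against it from their public images, and turns ZAP's result into a CI pass/fail. The target image name and port, the network name and the report directory are placeholders; the zap-baseline.py summary line and exit codes (0 clean, 1 warnings, 2 failures, 3 scan error) are as documented by the ZAP project.

```shell
#!/usr/bin/env bash
# dast.sh: one target container, two broad scanners, one exit code for CI.
# Added example, not code from the LASCON slides. Assumptions: the target
# image "your-org/webapp:dev" listening on 8080 is a placeholder; scanner
# images are the public ghcr.io/zaproxy/zaproxy:stable and sullo/nikto;
# zap-baseline.py's summary line ("FAIL-NEW: n ... PASS: n") and exit codes
# (0 clean, 1 warnings, 2 failures, 3 scan error) follow the ZAP docs.
set -u

NET=${NET:-dast-net}                        # private network: target publishes no host port
TARGET_IMAGE=${TARGET_IMAGE:-your-org/webapp:dev}
TARGET_NAME=${TARGET_NAME:-webapp}
TARGET_URL="http://$TARGET_NAME:${TARGET_PORT:-8080}/"
REPORTS=${REPORTS:-$PWD/reports}            # volume: scanner output lands on the host

# Target and scanners share a bridge network and find each other by name.
start_target() {
  docker network create "$NET" >/dev/null 2>&1 || true
  docker run -d --rm --name "$TARGET_NAME" --network "$NET" "$TARGET_IMAGE" >/dev/null
}

# A scan against an app that has not finished booting comes back "clean",
# the worst possible false negative in a CI gate. Poll before scanning.
wait_for_target() {
  i=0
  until docker run --rm --network "$NET" curlimages/curl -fsS -o /dev/null "$TARGET_URL"; do
    i=$((i + 1))
    [ "$i" -lt 30 ] || { echo "target never came up" >&2; return 1; }
    sleep 2
  done
}

# ZAP baseline: spider plus passive rules. /zap/wrk is the container's work
# dir, so the mounted volume receives the JSON and HTML reports.
run_zap() {
  mkdir -p "$REPORTS"
  docker run --rm --network "$NET" -v "$REPORTS:/zap/wrk:rw" \
    ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t "$TARGET_URL" \
    -J zap.json -r zap.html > "$REPORTS/zap.txt" 2>&1
  rc=$?
  cat "$REPORTS/zap.txt"
  return "$rc"
}

# nikto: server misconfiguration and known-file checks. Its exit status
# does not encode findings, so it reports but does not gate.
run_nikto() {
  docker run --rm --network "$NET" -v "$REPORTS:/tmp/reports" sullo/nikto \
    -h "$TARGET_URL" -o /tmp/reports/nikto.txt
}

# Pull one counter out of zap-baseline's summary line, e.g.
#   FAIL-NEW: 2	FAIL-INPROG: 0	WARN-NEW: 5	WARN-INPROG: 0	INFO: 0	IGNORE: 0	PASS: 45
# Prints 0 when the label is missing (scan aborted before the summary).
zap_count() {
  # $1 = label (FAIL-NEW, WARN-NEW, PASS, ...), $2 = saved zap-baseline output
  grep -o "$1: *[0-9]*" "$2" | tail -n 1 | sed 's/.*: *//' | grep . || echo 0
}

# The gate. New failures block; warnings block only when FAIL_ON_WARN=1;
# a broken scan (exit 3, or anything unexpected) blocks too, so a scanner
# that crashed never reads as a passing build.
zap_gate() {
  # $1 = zap-baseline exit code, $2 = saved zap-baseline output
  rc=$1; out=$2
  fails=$(zap_count FAIL-NEW "$out")
  warns=$(zap_count WARN-NEW "$out")
  case "$rc" in
    0) echo "zap: clean ($(zap_count PASS "$out") rules passed)"; return 0 ;;
    1) echo "zap: $warns new warning(s), see zap.html"
       [ "${FAIL_ON_WARN:-0}" = 1 ] && return 1
       return 0 ;;
    2) echo "zap: $fails new failure(s), see zap.html"; return 1 ;;
    *) echo "zap: scan did not complete (exit $rc)" >&2; return 1 ;;
  esac
}

cleanup() {
  docker rm -f "$TARGET_NAME" >/dev/null 2>&1 || true
  docker network rm "$NET" >/dev/null 2>&1 || true
}

main() {
  trap cleanup EXIT
  start_target && wait_for_target || return 1
  zap_rc=0
  run_zap || zap_rc=$?
  run_nikto || echo "nikto: exited $?, see nikto.txt" >&2
  zap_gate "$zap_rc" "$REPORTS/zap.txt"
}

# Only scan when asked; sourcing the file just loads the functions.
if [ "${1:-}" = run ]; then main; fi
```

Run it as `./dast.sh run`; source it to get the functions alone. Warnings do not block by default: ZAP's passive rules (missing headers, cookie flags) are noisy on a fresh app, and a gate nobody can pass is a gate that gets disabled. Turn FAIL_ON_WARN on once the warnings are triaged, and keep the exit-3 branch: a scanner that could not reach the target must fail the build, not pass it.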
Application-specific attacks
know your enemy
• wpscan
• SQLmap
Fuzzing
what's that you say?
• ffuf
• wfuzz
• API security
General purpose toolkits
generic linux as a container
• Kali
• Some assembly required
• Versatile
• Dockerfiles and layers
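Rather than pulling a separate image per tool, the application-specific scanners (wpscan, sqlmap), the fuzzer (ffuf) and the "some assembly required" Kali toolkit from the last three slides can be one image built from a short Dockerfile. The following is an added example, not code from the talk or from Kali, wpscan, sqlmap or ffuf: it builds a Kali-based toolbox image from an inline Dockerfile, runs each tool as a throwaway container on the target's network, and reduces ffuf's CSV output to the hits worth reading. The target URL, the `/search?q=` parameter handed to sqlmap, the network and report paths and `./wordlists/common.txt` are placeholders; the apt package names are Kali's; the CSV parser assumes ffuf's `url` and `status_code` header columns and locates them by name.

```shell
#!/usr/bin/env bash
# toolbox.sh: build one Kali-based image carrying the application-specific
# and fuzzing tools, then run each as a throwaway container.
# Added example, not code from the LASCON slides. Assumptions: the target
# URL, the /search?q= parameter handed to sqlmap and ./wordlists/common.txt
# are placeholders; the apt package names are Kali's; ffuf's CSV output
# carries "url" and "status_code" header columns.
set -u

TOOLBOX=${TOOLBOX:-local/attack-toolbox}
NET=${NET:-dast-net}                         # same network the target runs on
TARGET_URL=${TARGET_URL:-http://webapp:8080}
REPORTS=${REPORTS:-$PWD/reports}

# "Some assembly required": the Dockerfile is the assembly. Each RUN is a
# cached layer, so adding a tool later rebuilds one layer, not the image.
# Wordlists and reports arrive through volumes and are never baked in.
build_toolbox() {
  docker build -t "$TOOLBOX" - <<'EOF'
FROM kalilinux/kali-rolling
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        ca-certificates wpscan sqlmap ffuf wfuzz nikto && \
    rm -rf /var/lib/apt/lists/*
WORKDIR /work
EOF
}

# Every tool runs the same way; only the argv differs.
tool() {
  mkdir -p "$REPORTS"
  docker run --rm --network "$NET" \
    -v "$PWD/wordlists:/wordlists:ro" -v "$REPORTS:/work/reports" \
    "$TOOLBOX" "$@"
}

# WordPress-specific: enumerate vulnerable plugins and themes (-e vp,vt).
# Known-vulnerability details need a WPScan API token; pass it via env.
scan_wordpress() {
  tool wpscan --url "$TARGET_URL" -e vp,vt --no-update -f json \
    -o /work/reports/wpscan.json \
    ${WPSCAN_API_TOKEN:+--api-token "$WPSCAN_API_TOKEN"}
}

# SQL injection against one named parameter. --batch takes the default
# answer to every prompt so it runs unattended; raise --level/--risk
# deliberately, higher values send payloads that can change data.
scan_sqli() {
  tool sqlmap -u "$TARGET_URL/search?q=test" -p q --batch --level 1 --risk 1 \
    --output-dir /work/reports/sqlmap
}

# Content discovery with ffuf: FUZZ is replaced by each wordlist entry,
# -mc keeps the status codes worth a look, CSV makes the result parseable.
fuzz_paths() {
  tool ffuf -u "$TARGET_URL/FUZZ" -w /wordlists/common.txt \
    -mc 200,204,301,302,307,401,403 -of csv -o /work/reports/ffuf.csv
}

# Reduce ffuf's CSV to "status url" lines, optionally filtered to a
# comma-separated set of status codes. Columns are looked up by header
# name rather than position, so a reordered header does not silently
# break the filter.
ffuf_hits() {
  # $1 = path to ffuf CSV, $2 = e.g. "200,403" (empty = every row)
  awk -F, -v want="${2:-}" '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    NF > 1 {
      s = $(col["status_code"]); u = $(col["url"])
      if (want == "" || index("," want ",", "," s ",") > 0) print s, u
    }' "$1"
}

main() {
  build_toolbox
  scan_wordpress
  scan_sqli
  fuzz_paths
  echo "paths answering 200:"; ffuf_hits "$REPORTS/ffuf.csv" 200
}

if [ "${1:-}" = run ]; then main; fi
```

Pin `kalilinux/kali-rolling` to a digest (or a copy in your own registry) before this goes into CI: the tag moves daily, and an attack toolbox that installs whatever is current today is itself a supply-chain exposure. sqlmap's --level and --risk stay at 1 on purpose; the heavier payloads belong in a disposable environment, which is what the "you break it you bought it" slide is about.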
Continuous attack
in the software lifecycle
• Research
• Development
• Deployment
• Production
• Share results
• Borrow knowledge
Where to start
danger is my middle name
• Web application
• Basic attacks
• Get fancy
• Integrate into CI/CD
• Integrate into monitoring
Q & A and Discussion
Gabe Schuyler
@gabe_sky
LASCON 2022