Integracia security do ci cd pipelines

•

0 gostou•159 visualizações

Juraj Hantak

CNCF meetup 21. kubernetes.

Internet

Integrate Security into CI/CD
Andrej Krnáč

● Agile and Security
● Vulnerability management
● Application security testing methodologies
● CI/CD pipeline phases with integrated security checks
● Demo
● Limitations of tools
● Final thoughts
Agenda

Agile and Security
● Agile development and Security
● Manual testing and compliance checking cannot keep up with
the speed of delivery
● Security teams that try to reduce risk by minimizing change are
irrelevant in an Agile world
● Instead of doing security, enable security (DevSecOps)
○ Document techniques
○ Build capability to develop and deploy secure services
○ Build tools and automation

Vulnerability management
● Vulnerability scanning and patching
● Some ways of getting vulnerability information:
○ Automated Security Testing (AST) tools
○ Software Component Analysis (SCA) tools
○ Scanning container images
○ Scanning cloud instances (AWS Inspector)
○ Bug reports from partners, users, …
○ ...
● Automate and streamline scanning and run it often - as part of
build pipelines
● The information should be consolidated, tracked and reported
● Handle vulnerabilities as any other software defects - “Shift Left”
to reduce the cost of defects

Application security testing methodologies
● SAST (Static Application Security Testing)
● SCA (Software Composition Analysis)
● DAST (Dynamic Application Security Testing)
● Negative Unit Testing
● Difficult to automate:
○ Penetration testing
○ API fuzzing

Demo
● Many tools available
○ SAST
○ DAST
● Demo
○ pre-commit - detect-secrets
■ https://github.com/adys/nodejs-security-demo/pull/1
○ npm audit
■ https://github.com/adys/nodejs-security-demo/pull/2
○ NodejsScan

Limitations of tools
● Automated web vulnerability scans run through a set of
well-known attacks and look for well-known vulnerabilities and
common mistakes
● Can't find holes in business logic
● Some types of vulnerabilities are difficult to detect such as
authentication problems, access control issues
● Understand what you are getting out of the tools and how much
you can rely on them

Final thoughts
● Tools that require significant effort from developers will end up
not being used
○ Long output with irrelevant information
● Handle false positives
● Do not introduce a new scan to pipelines without setting a
baseline first
● Avoid disruption
● Roll out incrementally (one aspect at a time, get feedback while
iterating)
● Do not stop with the automated security testing

Thank you
Andrej Krnáč
Cloud Architect
Contact:
andrej.krnac@lablabs.io

Mais conteúdo relacionado

Mais procurados

Netflix and Containers: Not A Stranger Thingaspyker

eigr.io – a Serverless Runtime on the BEAM (ACM SIGPLAN, ICFP 2021 Erlang Wor...MarcelLanz

OpenNebulaConf2018 - Welcome and Project Update - Ignacio M. Llorente, Rubén ...OpenNebula Project

Beyond OpenStackJirayut Nimsaeng

Secrets management vault cncf meetupJuraj Hantak

Intro to creating kubernetes operators Juraj Hantak

OpenStack Ansible for private cloud at KaideeJirayut Nimsaeng

[WSO2Con EU 2018] Deploying Applications in K8S and DockerWSO2

Netflix Open Source Meetup Season 3 Episode 2aspyker

Serverless architectures with Fn ProjectSven Bernhardt

GitBucket: Open source self-hosting Git server built by Scalatakezoe

Netflix oss season 1 episode 3 Ruslan Meshenberg

Bbva bank on Open StackJose Maria San Jose Juarez

E bpf and profilersLibbySchulze

Confoo - DevOps & Agile InfrastructureWill Stevens

CS80A Foothill College Open Source Talkaspyker

Designing and Debugging Mobile Apps with an Embedded, Scriptable Web ServerAll Things Open

Netflix oss season 2 episode 1 - meetup Lightning talksRuslan Meshenberg

Revisit Dependency Injection in scalatakezoe

ServerlessMaciej Dziergwa

Mais procurados (20)

Netflix and Containers: Not A Stranger Thing

eigr.io – a Serverless Runtime on the BEAM (ACM SIGPLAN, ICFP 2021 Erlang Wor...

OpenNebulaConf2018 - Welcome and Project Update - Ignacio M. Llorente, Rubén ...

Beyond OpenStack

Secrets management vault cncf meetup

Intro to creating kubernetes operators

OpenStack Ansible for private cloud at Kaidee

[WSO2Con EU 2018] Deploying Applications in K8S and Docker

Netflix Open Source Meetup Season 3 Episode 2

Serverless architectures with Fn Project

GitBucket: Open source self-hosting Git server built by Scala

Netflix oss season 1 episode 3

Bbva bank on Open Stack

E bpf and profilers

Confoo - DevOps & Agile Infrastructure

CS80A Foothill College Open Source Talk

Designing and Debugging Mobile Apps with an Embedded, Scriptable Web Server

Netflix oss season 2 episode 1 - meetup Lightning talks

Revisit Dependency Injection in scala

Serverless

Semelhante a Integracia security do ci cd pipelines

DevSecOps: What Why and How : Blackhat 2019NotSoSecure Global Services

Bsides Delhi Security Automation for Red and Blue TeamsSuraj Pratap

Security in CI/CD Pipelines: Tips for DevOps EngineersDevOps.com

DevSecOps: essential tooling to enable continuous security 2019-09-16Rich Mills

DevOps & DevSecOps in Swiss BankingAarno Aukia

Tw noche geek quito webappsecThoughtworks

Web Application Security: Introduction to common classes of security flaws an...Thoughtworks

Agile Secure Software Development in a Large Software Development Organisatio...Achim D. Brucker

Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker

Codebits 2014 - Secure Coding - Gamification and automation for the winTiago Henriques

Application Security in an Agile World - Agile Singapore 2016Stefan Streichsbier

SOCstock 2021 The Cloud-native SOC Anton Chuvakin

apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...apidays

Software Security: In the World of Cloud & CI-CDOWASP Delhi

Lecture Course Outline and Secure SDLC.pptDrBasemMohamedElomda

The Science of Compliance - Early Code to Secure your Node (11/6/19)judy (fink) johnson

4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.pptgealehegn

How to apply machine learning into your CI/CD pipelineAlon Weiss

Security Incident machnism Security Incident machnismSecurity Incident machni...karthikvcyber

DevSecOps 101Narudom Roongsiriwong, CISSP

Semelhante a Integracia security do ci cd pipelines (20)

DevSecOps: What Why and How : Blackhat 2019

Bsides Delhi Security Automation for Red and Blue Teams

Security in CI/CD Pipelines: Tips for DevOps Engineers

DevSecOps: essential tooling to enable continuous security 2019-09-16

DevOps & DevSecOps in Swiss Banking

Tw noche geek quito webappsec

Web Application Security: Introduction to common classes of security flaws an...

Agile Secure Software Development in a Large Software Development Organisatio...

Bringing Security Testing to Development: How to Enable Developers to Act as ...

Codebits 2014 - Secure Coding - Gamification and automation for the win

Application Security in an Agile World - Agile Singapore 2016

SOCstock 2021 The Cloud-native SOC

apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...

Software Security: In the World of Cloud & CI-CD

Lecture Course Outline and Secure SDLC.ppt

The Science of Compliance - Early Code to Secure your Node (11/6/19)

4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt

How to apply machine learning into your CI/CD pipeline

Security Incident machnism Security Incident machnismSecurity Incident machni...

DevSecOps 101

Mais de Juraj Hantak

Kubernetes day 2_jozef_halgas_pfJuraj Hantak

Kubernetes day 2 @ zse energiaJuraj Hantak

Dev ops culture_finalJuraj Hantak

23 meetup rancherJuraj Hantak

CNCF opaJuraj Hantak

Introductiontohelmcharts2021Juraj Hantak

19. stretnutie komunity kubernetesJuraj Hantak

16. meetup sietovy model v kubernetesJuraj Hantak

16.meetup uvodJuraj Hantak

14. meetupJuraj Hantak

Terraform a gitlab ciJuraj Hantak

Monitoring with prometheus at scaleJuraj Hantak

Kubernetes monitoring using prometheus stackJuraj Hantak

12.cncfsk meetup observability and analysisJuraj Hantak

Grafana 7.0Juraj Hantak

Nginx app protect-for-meetup-v1.0-202006_lkJuraj Hantak

10. th cncf meetup - Routing microservice-architectures-with-traefik-cncfskJuraj Hantak

10.cncfsk en-storyJuraj Hantak

Ingress controller present, past and futureJuraj Hantak

Cncf meetup-service-mesh-skJuraj Hantak

Mais de Juraj Hantak (20)

Kubernetes day 2_jozef_halgas_pf

Kubernetes day 2 @ zse energia

Dev ops culture_final

23 meetup rancher

CNCF opa

Introductiontohelmcharts2021

19. stretnutie komunity kubernetes

16. meetup sietovy model v kubernetes

16.meetup uvod

14. meetup

Terraform a gitlab ci

Monitoring with prometheus at scale

Kubernetes monitoring using prometheus stack

12.cncfsk meetup observability and analysis

Grafana 7.0

Nginx app protect-for-meetup-v1.0-202006_lk

10. th cncf meetup - Routing microservice-architectures-with-traefik-cncfsk

10.cncfsk en-story

Ingress controller present, past and future

Cncf meetup-service-mesh-sk

Último

Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝soniya singh

Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany

VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...singhpriety023

VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure

Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh

Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure

Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls

How is AI changing journalism? (v. April 2024)Damian Radcliffe

Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝soniya singh

Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh

CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Onlineanilsa9823

Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5

On Starlink, presented by Geoff Huston at NZNOG 2024APNIC

Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.soniya singh

(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7Call Girls in Nagpur High Profile Call Girls

@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure

Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh

Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceCall Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure

All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445ruhi

𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...Neha Pandey

Integracia security do ci cd pipelines

1. Integrate Security into CI/CD Andrej Krnáč

2. ● Agile and Security ● Vulnerability management ● Application security testing methodologies ● CI/CD pipeline phases with integrated security checks ● Demo ● Limitations of tools ● Final thoughts Agenda

3. Agile and Security ● Agile development and Security ● Manual testing and compliance checking cannot keep up with the speed of delivery ● Security teams that try to reduce risk by minimizing change are irrelevant in an Agile world ● Instead of doing security, enable security (DevSecOps) ○ Document techniques ○ Build capability to develop and deploy secure services ○ Build tools and automation

4. Vulnerability management ● Vulnerability scanning and patching ● Some ways of getting vulnerability information: ○ Automated Security Testing (AST) tools ○ Software Component Analysis (SCA) tools ○ Scanning container images ○ Scanning cloud instances (AWS Inspector) ○ Bug reports from partners, users, … ○ ... ● Automate and streamline scanning and run it often - as part of build pipelines ● The information should be consolidated, tracked and reported ● Handle vulnerabilities as any other software defects - “Shift Left” to reduce the cost of defects

5. Application security testing methodologies ● SAST (Static Application Security Testing) ● SCA (Software Composition Analysis) ● DAST (Dynamic Application Security Testing) ● Negative Unit Testing ● Difficult to automate: ○ Penetration testing ○ API fuzzing

7. Demo ● Many tools available ○ SAST ○ DAST ● Demo ○ pre-commit - detect-secrets ■ https://github.com/adys/nodejs-security-demo/pull/1 ○ npm audit ■ https://github.com/adys/nodejs-security-demo/pull/2 ○ NodejsScan

8. Limitations of tools ● Automated web vulnerability scans run through a set of well-known attacks and look for well-known vulnerabilities and common mistakes ● Can't find holes in business logic ● Some types of vulnerabilities are difficult to detect such as authentication problems, access control issues ● Understand what you are getting out of the tools and how much you can rely on them

9. Final thoughts ● Tools that require significant effort from developers will end up not being used ○ Long output with irrelevant information ● Handle false positives ● Do not introduce a new scan to pipelines without setting a baseline first ● Avoid disruption ● Roll out incrementally (one aspect at a time, get feedback while iterating) ● Do not stop with the automated security testing

10. Thank you Andrej Krnáč Cloud Architect Contact: andrej.krnac@lablabs.io

Integracia security do ci cd pipelines

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Integracia security do ci cd pipelines

Semelhante a Integracia security do ci cd pipelines (20)

Mais de Juraj Hantak

Mais de Juraj Hantak (20)

Último

Último (20)

Integracia security do ci cd pipelines