Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a Cncf checkov and bridgecrew
Semelhante a Cncf checkov and bridgecrew (20)
Mais de LibbySchulze
Mais de LibbySchulze (20)
Último
Último (20)
Cncf checkov and bridgecrew
- 1. CNCF Live Webinar: Cloud native DevOps security Sebastian Straube Cloud Solutions Architect | ALPS Lead Prisma Cloud sstraube@paloaltonetworks.com Prisma Cloud Cloud Native Application Protection Simon Melotte Cloud Solutions Architect smelotte@paloaltonetworks.com
- 2. Nearly 1 in 2 open-source Terraform modules contain misconfigurations Security check is enabled by default? Nearly half of open-source CloudFormation templates were insecure Source: Bridgecrew research scanning Terraform Registry and Unit 42 scanning GitHub Open source allows for great scalability, but we question the default security. Half of scanned OS templates we found in public*1 are not secure, based on our research. *1 incl. Terraform Registry and Github Open Source code.
- 3. What is Checkov? ● Checkov by Bridgecrew is an open-source static analysis tool and policy-as-code engine for infrastructure as code (IaC). ● Pre-built with hundreds of policies that cover security and compliance best practices across AWS, Azure, Google Cloud, and Kubernetes. ● With over 2M downloads to date, Checkov is the most popular IaC scanner on the market, ● Native scanning support for Terraform, CloudFormation, Kubernetes manifests, Azure Resource Manager, and more. ● Checkov is written in Python and is fully extensible to fit into any developer workflow ● provide a simple and flexible tool for enforcing codified, version-controlled policies.
- 5. Have you checked every corner in your SDLifecycle? Find cloud infrastructure Misconfigurations and security errors ● Powered by open source & community ● Both build-time and run-time Fix issues in code, with code in Dev and Prod ● Merge-ready pull requests ● Transform cloud misconfigs into secure code and detect drift Prevent Vulnerabilities and Compliance issues from being deployed in Prod and any Stage ● Enforce policy-as-code across all config ● Streamlined into developer workflows
- 6. The next big challenge: “Shift-Left” DevSecOps security 1 Misconfigured or vulnerable code Security Run-Time 100s of deployments Developers DevOps Build Deploy Issues To Fix 1,000s of security alerts Turns Into Turns Into 1x Cost to fix a bug found during coding 5x Cost to fix a bug found during testing 20x Cost to fix a bug found in production Uncaught Uncaught
- 7. How it works Fix & Prevent IDE extension, block PRs and builds Configuration assurance AWS, Azure, Google Cloud, Kubernetes IaC scanning Terraform, CloudFormation, Azure Resource Manager, etc. Monitor & Remediate Automated remediations Bridgecrew platform Dashboards Compliance reports Policy engine Notifications Code & Commit Build & Test Deploy & Operate
- 8. How do we integrate? Integrations Infrastructure as code frameworks Cloud providers
- 9. Benefits of automated IaC security Lower time to remediation Decrease high severity events Simplify compliance Minimize the attack surface Reduced Nr. groups and roles by xx% Reduced non-compliant resources by xx% Reduced high severity incidents in production by xx% Reduced time to fix misconfigurations by xx%
- 10. What requirements IaC security should include? Infrastructure as code (IaC) security Integrate IaC scanning with actionable feedback, PR fixes, and CI/CD guardrails for improved posture before deployment Drift detection Automate finding and fixing drift between code and cloud to benefit from GitOps best practices Secrets scanning Prevent exposing passwords, API keys, and other secrets from ever making it into public repositories Least privilege IAM Reduce the attack surface with cloud IAM converted to code and audited for least privilege
- 11. Box Ticker Upstream vs. Downstream IaC scanning ✓ ✓ Cloud and workload scanning - ✓ Security-as-code fixes - ✓ Runtime remediations - ✓ CI/CD integration Requires customization ✓ Notifications Requires customization ✓ Custom policies Requires customization ✓ Graph queries ✓ ✓ Dashboards - ✓ Compliance reporting - ✓ Drift Detection - ✓
- 12. Cloud Native Application Platform Approach (CNAPP) Source: https://www.esecurityplanet.com/networks/cybersecurity-mesh-decentralized-identity-emerging-security-technology/
- 13. Cloud Native Application Platform Approach (CNAPP) CNAPP enables IT leader: 1. Laser Focus on Shift-Left 2. Optimizing App Deployment time by integrating Security in DevOps processes (DevSecOps) 3. Reduce Application Down-Time for Break-Fix procedure 4. Reduce security alerts and false-positives in SOC 5. Increase DevSecOps Team agility and App resilience. 6. Enables integrated and centralized management interfaces and dashboards 7. Consolidate Tool Landscape and Licensing Model
- 14. Demo Let’s DO IT
- 15. $ pip3 install checkov $ checkov -l $ checkov -f Dockerfile $ checkov -d . $ checkov -f Dockerfile --skip-check CKV_DOCKER_*
- 16. ● Checkov: VS Code Extension ● Azure Devops ○ Validation ■ Scan external modules ■ Scan Terraform templates ■ Publish JUnit tests results ○ Plan ■ Verify terraform plan with Checkov ○ Approve ○ Apply ● Bonus ○ Github Actions
- 17. Thank you for joining our Webinar and your attention. Do you have any Questions?