stackconf 2021 | Continuous Security – integrating security into your pipelines
•
0 gostou•48 visualizações
In the world of continuous delivery and cloud native, the boundaries between what is our application and what constitutes infrastructure is becoming increasing blurred. Our workloads, the containers they ship in, and our platform configuration is now often developed and deployed by the same teams, and development velocity is the key metric to success. This presents us with a challenge which the previous models of security as a final external gatekeeper step cannot keep up with. To ensure our apps and platforms are secure, we need to integrate security at all stages of our pipelines and ensure that our developers and engineering teams have tools and data with enable them to make decisions about security on an ongoing basis. In this session I will talk through the problem space, look at the kinds of security issues we need to consider, and look at where the integration points are to build in security as part of our CI/CD process.
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a stackconf 2021 | Continuous Security – integrating security into your pipelines
Semelhante a stackconf 2021 | Continuous Security – integrating security into your pipelines (20)
Último
Último (20)
stackconf 2021 | Continuous Security – integrating security into your pipelines
- 1. Snyk.io Building security into your pipelines Matt Jarvis | Senior Developer Advocate | matt.jarvis@snyk.io Continuous Security 1
- 2. Snyk.io ● Matt Jarvis ○ Senior Developer Advocate @ Snyk ● Building stuff with open source for ~20 years ● Ops, Dev, DevOps and now Security $whoami @mattj_io mattj-io mattjarvis.org.uk
- 3. What is an application? Networking Virtual Machines Your application Pre-Cloud era Developers wrote the application IT Operations had the rest of the stack Security was a step in the process Virtual Infrastructure Physical Hardware
- 4. What is an application? Networking Virtual Machines Your application Pre-Cloud era Developers wrote the application IT Operations had the rest of the stack Security was a step in the process Cloud Era Developers write the code and deploy, network and provision This is now your application So where does security fit? Virtual Infrastructure Physical Hardware Cloud Infrastructure Terraform Kubernetes Your application Container Image
- 5. Shifting security Your application code Are my open source dependencies up to date? Do I have any vulnerabilities? Cloud Infrastructure Terraform Kubernetes Your application Container Image Deploying your code Have I configured my containers correctly? Do I need a root user? What is this load balancer? Provision your infrastructure Is my blobstore readable by the world? Have I setup my permissions appropriately?
- 10. Snyk.io Jan 2015 rimrafall Jan 2017 crossenv May 2018 getcookies Jul 2018 eslint-scope Nov 2018 event-stream
- 11. Snyk.io May 2018 getcookies Parse HTTP headers for cookie data
- 12. Snyk.io May 2018 getcookies Parse HTTP headers for cookie data or does it...?
- 13. Snyk.io
- 16. Developer owned 68% Developers own the security of container images
- 20. Snyk.io 44% of docker image vulnerabilities can be fixed with newer base images
- 21. Snyk.io 20% of docker image vulnerabilities can be fixed just by rebuilding them
- 22. Configuration is increasingly in code
- 23. Configuration is everywhere Azure ARM 250k+ Terraform 200k+ Kubernetes 2m+ AWS CF 90k+ Serverless 40k+ Compose 600k+ Sense of scale of infrastructure as code in public repositories on GitHub
- 24. Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage... “ “ Configuration is a security risk https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration
- 25. CI/CD Git repository Traditional/PaaS Serverless Production Container Security Spectrum Securing development and operations Registry deploy Security gate Code Test & fix Test, fix, monitor build Kubernetes Monitor & fix submit Test, fix, monitor
- 26. Developer First ... Integrated workflows - IDE, CLI $ snyk container test garethr/snyky --file=Dockerfile Testing garethr/snyky... ✗ High severity vulnerability found in libpng Description: Out-of-Bounds Info: https://snyk.io/vuln/SNYK-LINUX-LIBPNG-172022 Introduced through: libpng@1.6.34-r1, freetype@2.9.1-r1, openjdk8-jre@8.191.12-r0 From: libpng@1.6.34-r1 From: freetype@2.9.1-r1 > libpng@1.6.34-r1 From: openjdk8-jre@8.191.12-r0 > libpng@1.6.34-r1 Fixed in: 1.6.37-r0 ✗ High severity vulnerability found in git Description: Untrusted Search Path Info: https://snyk.io/vuln/SNYK-LINUX-GIT-175991 Introduced through: git@2.18.1-r0 From: git@2.18.1-r0 Fixed in: 2.18.1-r1
- 27. Remediation guidance to minimize exposure and reduce time-to-fix Get straight to the Dockerfile instructions that introduce vulnerabilities Follow base image recommendations to reduce your total vulnerability exposure
- 28. ● 2 factor authentication ● Strong key management practices ● Update git ● Beware of exposing private data ● Strong review processes Make sure our repos are secure !
- 29. Pull request scanning and repository monitoring Automated remediation Scan new code
- 30. Scan images in registries ...
- 31. CI Pipelines
- 32. The Snyk Kubernetes controller scans your workloads for vulnerable images. Then detects insecure configurations that makes those vulnerabilities easier for an attacker to exploit. Prioritise vulnerabilities based on production configuration H A remotely exploitable Java vulnerability. Deployed to production, not just development. Running in a Kubernetes pod which is running as root and doesn’t drop capabilities. Connected to a service with a public IP address. + = Protect your application After the initial scan
- 33. Containers shift ownership of code + runtime environment to developers Developers aren’t security experts - they need support and tools that empower them More software + faster release cycles leads to more software risk It is critical for developers to secure containers from the start
- 34. Local CI/CD Registry Production $ snyk test --docker garethr/snyky Testing garethr/snyky... ✗ Low severity vulnerability found in git Description: CVE-2018-19486 Info: https://snyk.io/vuln/SNYK-LINUX-GIT-175991 Introduced through: git@2.18.1-r0 From: git@2.18.1-r0 Introduced by your base image (release) Fixed in: 2.18.1-r1 Organisation: garethr Package manager: apk Git Detect vulnerabilities Throughout the software supply chain
- 35. Snyk.io Thanks For Listening ! 35