Shifting left - How to use Continuous Integration tools to bring security into the DevOps world
In today's modern software factories, organizations are shifting security to the left. No longer just the purview of firewalls, security needs to be built in during development and deployment processes. By doing so, organizations can ensure they are limiting vulnerabilities getting into production while cutting costs of both downtime and code rework.
Key Takeaways:
○ How to ensure that the use of open source doesn’t introduce vulnerabilities and other security risks
○ How to automate the delivery of trusted images using a policy-driven approach
○ Empowering developers to secure their applications, while maintaining segregation of duties
○ Ensuring the consistent flow of images through the pipeline, with no side-doors or introduction of unvetted images
○ Enforcing immutability of containers, preventing container-image drift
The Leading Cloud Native Security Company

Aqua helps the world's leading enterprises to modernize security for their container-based, serverless and cloud native applications, from development to production.

Open Source Leadership: maintaining the industry-standard tools for container, Kubernetes and cloud security.
Community Leadership: we "wrote the book" on K8s security, and chair the CNCF Technical Oversight Committee.
[logo: CloudSploit]
Agenda
■ Aqua's Open Source Tools
■ Kubernetes config with Kube-Bench
■ Kubernetes penetration testing tool with Kube-Hunter
■ Image scanning and CI integration with Trivy
■ Aqua Enterprise called Aqua CSP
■ Runtime protection
■ Container firewall
Aqua's Open Source Tools

kube-bench (CIS benchmark for K8S)
■ Scans Kubernetes nodes against the CIS benchmark checks
■ github.com/aquasecurity/kube-bench

trivy (Image vulnerability scanner)
■ Scan images for known vulnerabilities
■ Works within CI tools
■ github.com/aquasecurity/trivy

kube-hunter (K8S penetration testing)
■ Tests K8s clusters against known attack vectors, both remote and internal
■ github.com/aquasecurity/kube-hunter
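The "works within CI tools" point for trivy is usually implemented as a gate: the scanner emits a machine-readable report and the pipeline stage fails when findings exceed a severity threshold. The following is an added example, not Trivy's or Aqua's code. It reads the JSON structure that `trivy image --format json --output report.json IMAGE` produces (a top-level "Results" list whose entries carry a "Vulnerabilities" list, omitted when a target is clean); the report, image name and CVE identifiers below are constructed placeholders, not a real scan.

```python
"""Gate a CI job on a Trivy JSON report (added example, not Trivy's code).

The report structure mirrors `trivy image --format json`; the contents are
constructed sample data with placeholder CVE identifiers.
"""
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "registry.example/app:1.0 (debian 10.3)",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
                 "InstalledVersion": "2.1-3", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
                 "InstalledVersion": "0.9", "FixedVersion": "0.9.1", "Severity": "MEDIUM"},
            ],
        },
        # A clean target: Trivy omits the "Vulnerabilities" key entirely.
        {"Target": "app/requirements.txt", "Type": "pip"},
    ]
})


def findings_at_or_above(report_json, threshold="HIGH", fixed_only=False):
    """Return (target, id, package, severity) for every finding that meets the policy.

    fixed_only=True drops findings with no vendor fix, the same filtering
    trivy offers with --ignore-unfixed.
    """
    min_rank = SEVERITY_RANK[threshold]
    hits = []
    for result in json.loads(report_json).get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < min_rank:
                continue
            if fixed_only and not vuln.get("FixedVersion"):
                continue
            hits.append((result["Target"], vuln["VulnerabilityID"],
                         vuln["PkgName"], vuln["Severity"]))
    return hits


def ci_exit_code(report_json, threshold="HIGH", fixed_only=False):
    """Non-zero fails the pipeline stage, as `trivy image --exit-code 1 --severity HIGH,CRITICAL` does."""
    return 1 if findings_at_or_above(report_json, threshold, fixed_only) else 0
```

In a pipeline the equivalent one-liner is trivy's own `--exit-code 1 --severity HIGH,CRITICAL`; parsing the JSON yourself is what you do when the policy needs more than a severity cut, for example failing only on fixable findings while still publishing the full list as a build artifact.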
...and more Aqua Open Source Tools...

CloudSploit (Cloud Security Posture Management, CSPM)
■ CloudSploit is a cloud security auditing and monitoring product that scans IaaS and SaaS accounts for security risks, including misconfigurations, malicious API calls and insider threats. CloudSploit is a CSPM (Cloud Security Posture Management) service.
■ github.com/cloudsploit

Tracee (System Tracing Tool)
■ Tracee is a lightweight, easy to use container and system tracing tool. After launching the tool, it will start collecting traces of newly created containers (container mode) or processes (system mode).
■ github.com/aquasecurity/tracee
Kubernetes components
■ Kubernetes components installed on your servers
■ Master & node components
■ Many configuration settings have a security impact
■ Example: open Kubelet port = root access
■ Defaults depend on the installer
[diagram: Kubernetes Master (API Server, Scheduler, Controllers, Etcd) and several Nodes, each running a Kubelet, Kube-proxy and Pods]
kube-bench
■ Open source automated tests for CIS Kubernetes Benchmark
■ Tests for Kubernetes Masters and Nodes
■ Available as a container
■ github.com/aquasecurity/kube-bench
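The earlier slide's example, an open Kubelet port meaning root access on the node, is governed by a handful of kubelet settings that the CIS Kubernetes Benchmark covers and kube-bench tests. The function below is an added example, not kube-bench's code: it shows the shape of three such checks against a KubeletConfiguration document. The two configurations are constructed samples in JSON form; the field names (authentication.anonymous.enabled, authorization.mode, readOnlyPort) are the real KubeletConfiguration fields.

```python
"""Three CIS-style kubelet configuration checks (added example, not kube-bench).

Kubelet defaults differ between command-line flags and the config file, so
the check demands explicit hardened values rather than trusting a default.
Both configurations below are constructed samples.
"""
import json

WEAK_KUBELET_CONFIG = json.dumps({
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "authentication": {"anonymous": {"enabled": True}},   # anyone may talk to the kubelet
    "authorization": {"mode": "AlwaysAllow"},              # ...and may do anything
    "readOnlyPort": 10255,                                 # unauthenticated read-only API
})

HARDENED_KUBELET_CONFIG = json.dumps({
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "authentication": {"anonymous": {"enabled": False}, "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},                  # delegate authz to the API server
    "readOnlyPort": 0,                                     # read-only port disabled
})


def _get(cfg, *path):
    """Walk nested keys; None when any key along the path is missing."""
    for key in path:
        if not isinstance(cfg, dict) or key not in cfg:
            return None
        cfg = cfg[key]
    return cfg


def check_kubelet_config(config_json):
    """Return a list of human-readable failures; an empty list means all checks passed."""
    cfg = json.loads(config_json)
    failures = []

    if _get(cfg, "authentication", "anonymous", "enabled") is not False:
        failures.append("authentication.anonymous.enabled must be explicitly false")

    mode = _get(cfg, "authorization", "mode")
    if mode is None or mode == "AlwaysAllow":
        failures.append("authorization.mode must be set and must not be AlwaysAllow")

    if _get(cfg, "readOnlyPort") != 0:
        failures.append("readOnlyPort must be 0 so the unauthenticated read-only API is disabled")

    return failures
```

Missing keys count as failures on purpose: a node that relies on installer defaults is exactly the case the "Defaults depend on the installer" bullet warns about, and kube-bench's real checks go on to inspect the kubelet's running flags and file permissions as well.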
kube-hunter
How do I know the config is working to secure my cluster?
■ Open source penetration tests for Kubernetes
■ See what an attacker would see
■ github.com/aquasecurity/kube-hunter
■ Online report viewer: kube-hunter.aquasec.com
Vulnerability sources
■ Vulnerabilities are published on different security advisories
■ NVD – national vulnerability database
■ Vendors will have their own advisories
Case study: Debian / CVE-2017-8807
■ NVD reports this in Varnish HTTP Cache versions 4.0.0 - 5.2.0
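The case study sets the NVD upstream range against the distribution's own advisory for the same CVE. The added example below (not Trivy's or Aqua's code) shows why a scanner must consult the vendor advisory for distribution packages: a distribution fixes a CVE by backporting the patch and bumping only the package revision, so the upstream version stays inside the NVD range while the vendor advisory says the package is fixed. The NVD range 4.0.0 - 5.2.0 is taken from the slide; the package versions and the vendor "fixed in" version are constructed placeholders, not Debian's actual data for CVE-2017-8807, and the version comparison is a simplified dpkg-style comparison without epoch or tilde handling.

```python
"""NVD upstream range versus vendor advisory for one CVE (added example).

NVD_AFFECTED_RANGE comes from the slide; VENDOR_FIXED_IN and the package
versions passed to assess() are constructed placeholders. compare_versions()
is a simplified dpkg-style comparison (no epoch, no tilde ordering).
"""
import re

NVD_AFFECTED_RANGE = ("4.0.0", "5.2.0")   # as stated on the slide for CVE-2017-8807
VENDOR_FIXED_IN = "5.0.0-1+vendorfix"      # constructed placeholder, not a real advisory value


def split_debian_version(v):
    """'5.0.0-1+vendorfix' -> ('5.0.0', '1+vendorfix'); no '-' means an empty revision."""
    upstream, sep, revision = v.rpartition("-")
    return (v, "") if not sep else (upstream, revision)


def _tokens(s):
    # Numeric runs compare as integers, other runs as strings (dpkg does the same).
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|\D+", s)]


def compare_versions(a, b):
    """-1, 0 or 1 for a <, ==, > b: upstream part first, then the package revision."""
    ua, ra = split_debian_version(a)
    ub, rb = split_debian_version(b)
    for x, y in ((_tokens(ua), _tokens(ub)), (_tokens(ra), _tokens(rb))):
        if x != y:
            return -1 if x < y else 1
    return 0


def nvd_says_affected(pkg_version):
    """NVD only knows the upstream version, so the distro revision is invisible to it."""
    upstream, _ = split_debian_version(pkg_version)
    lo, hi = NVD_AFFECTED_RANGE
    return compare_versions(lo, upstream) <= 0 and compare_versions(upstream, hi) <= 0


def vendor_says_affected(pkg_version, fixed_in=VENDOR_FIXED_IN):
    """The vendor advisory names the exact package version that carries the fix."""
    return compare_versions(pkg_version, fixed_in) < 0


def assess(pkg_version):
    """Both verdicts side by side for one installed package version."""
    return {"nvd": nvd_says_affected(pkg_version),
            "vendor": vendor_says_affected(pkg_version)}
```

For a package at the constructed version 5.0.0-1+vendorfix the two sources disagree: NVD still places upstream 5.0.0 inside the affected range, the vendor advisory says the installed revision carries the fix. A scanner that reports from NVD alone produces a false positive here; one that reports from NVD alone on a package the vendor has not yet patched would be right by accident. That is the reason the slide lists both sources.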
DevSecOps
■ Immutable containers are easier to protect
■ Any change in runtime is not legit
■ If a change is detected, it's blocked = No code injection into containers
[diagram: the Image filesystem (bin, user, etc) compared against the running Container's filesystem (bin, user, etc); any difference between the two is drift]
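The slide's diagram compares the image's filesystem with the running container's: the image is the immutable baseline, and anything that differs at runtime is drift to be blocked. The code below is an added example of that comparison, not Aqua's enforcement code. Both filesystems are constructed in-memory samples (path to bytes); the ignore_prefixes parameter stands in for paths a real deployment expects to be writable, such as mounted volumes or scratch directories.

```python
"""Detect container drift against its image (added example, not Aqua's code).

A manifest of path -> SHA-256 is computed from the image once and compared
with a snapshot of the running container. Added, modified or removed files
are drift; the decision is to block. Both filesystems are constructed samples.
"""
import hashlib

# Constructed image contents: path -> bytes
IMAGE_FILES = {
    "/bin/app": b"\x7fELF-original-binary",
    "/etc/app.conf": b"listen=8080\n",
    "/usr/lib/libhelper.so": b"\x7fELF-helper",
}

# Constructed snapshot of the same container at runtime
RUNTIME_FILES = {
    "/bin/app": b"\x7fELF-patched-binary",   # binary replaced in place
    "/etc/app.conf": b"listen=8080\n",
    "/usr/lib/libhelper.so": b"\x7fELF-helper",
    "/tmp/injected.sh": b"#!/bin/sh\n",       # file that never existed in the image
}


def build_manifest(files):
    """path -> hex SHA-256 of the file contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def detect_drift(image_manifest, runtime_manifest, ignore_prefixes=()):
    """Classify differences as added / modified / removed, skipping ignored prefixes."""
    prefixes = tuple(ignore_prefixes)

    def tracked(path):
        return not path.startswith(prefixes) if prefixes else True

    image_paths = {p for p in image_manifest if tracked(p)}
    runtime_paths = {p for p in runtime_manifest if tracked(p)}
    return {
        "added": sorted(runtime_paths - image_paths),
        "removed": sorted(image_paths - runtime_paths),
        "modified": sorted(p for p in image_paths & runtime_paths
                           if image_manifest[p] != runtime_manifest[p]),
    }


def decision(drift):
    """Immutability policy: any drift at all blocks the container."""
    return "block" if any(drift.values()) else "allow"
```

The manual equivalent on a Docker host is `docker diff <container>`, which lists the writable layer's changes with the same A/C/D classification; a runtime enforcer does this continuously and acts on the result instead of just printing it. Keep the ignore list narrow: every prefix you exempt is a place where injected code would go undetected.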
Container Firewall
■ Container Firewall that learns network traffic and then allows granular control of all inbound and outbound traffic. Policy is enforced regardless of where the orchestrator places the pod/container.
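The two properties the slide names, learning from observed traffic and enforcing no matter where the orchestrator schedules a pod, follow from keying rules on workload identity instead of pod IP. The following is an added example of that learn-then-enforce model, not Aqua's container firewall code. The flow records, the pod inventory mapping IPs to workload labels, and the "rescheduled" inventory are all constructed sample data.

```python
"""Learn-then-enforce container firewall policy (added example, not Aqua's code).

Rules are (src_workload, dst_workload, dst_port, proto) tuples. Because the
workload label, not the pod IP, is the key, a rule learned once keeps applying
after a pod moves to another node and IP. All data below is constructed.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip dst_ip dst_port proto")

# Constructed inventory during the learning window: pod IP -> workload label
LEARNING_INVENTORY = {"10.0.1.5": "frontend", "10.0.2.9": "api", "10.0.3.2": "db"}

# Constructed traffic observed while the application ran normally
LEARNING_FLOWS = [
    Flow("10.0.1.5", "10.0.2.9", 8080, "tcp"),
    Flow("10.0.1.5", "10.0.2.9", 8080, "tcp"),   # repeats collapse into one rule
    Flow("10.0.2.9", "10.0.3.2", 5432, "tcp"),
    Flow("10.0.7.7", "10.0.3.2", 5432, "tcp"),   # unknown source: never learned
]

# Constructed inventory after the orchestrator rescheduled the api pod to a new IP
RUNTIME_INVENTORY = {"10.0.1.5": "frontend", "10.0.4.17": "api", "10.0.3.2": "db"}


def resolve(ip, inventory):
    """Map a pod IP to its workload identity; None if the IP is not in the inventory."""
    return inventory.get(ip)


def learn(flows, inventory):
    """Build the allow-list from observed flows that can be attributed to known workloads."""
    policy = set()
    for f in flows:
        src, dst = resolve(f.src_ip, inventory), resolve(f.dst_ip, inventory)
        if src is None or dst is None:
            continue   # unattributable traffic must not become policy
        policy.add((src, dst, f.dst_port, f.proto))
    return policy


def enforce(policy, flow, inventory):
    """'allow' if the flow matches a learned rule, otherwise 'deny' (default deny)."""
    src, dst = resolve(flow.src_ip, inventory), resolve(flow.dst_ip, inventory)
    if src is None or dst is None:
        return "deny"
    return "allow" if (src, dst, flow.dst_port, flow.proto) in policy else "deny"
```

The learning window is the weak point of this model: anything a compromised workload does during it becomes allowed, so learned policies are reviewed before enforcement is switched on, and the same rule set then covers both directions, since each tuple is an inbound rule for the destination and an outbound rule for the source.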