Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Continuous Hacking

Omer Levi Hevroni
November 04, 2020
Programming
0
51

Continuous Hacking

Omer Levi Hevroni

November 04, 2020
Tweet

More Decks by Omer Levi Hevroni

See All by Omer Levi Hevroni
Hacking Monitoring for Fun and Profit
omerlh
0
120
Vulnerable Dependencies - Going Beyond Discovery
omerlh
0
66
GitOps keeping it secret
omerlh
1
84

Other Decks in Programming

See All in Programming
OpenTelemetryでRailsのパフォーマンス分析を始めてみよう(KoR2024)
ymtdzzz
4
1.6k
シールドクラスをはじめよう / Getting Started with Sealed Classes
mackey0225
3
400
『ドメイン駆動設計をはじめよう』のモデリングアプローチ
masuda220
PRO
8
440
gopls を改造したら開発生産性が高まった
satorunooshie
8
240
WEBエンジニア向けAI活用入門
sutetotanuki
0
300
Kubernetes for Data Engineers: Building Scalable, Reliable Data Pipelines
sucitw
1
200
Vue3の一歩踏み込んだパフォーマンスチューニング2024
hal_spidernight
3
3.1k
破壊せよ!データ破壊駆動で考えるドメインモデリング / data-destroy-driven
minodriven
16
4.1k
ECSのサービス間通信 4つの方法を比較する 〜Canary,Blue/Greenも添えて〜
tkikuc
11
2.3k
Boost Performance and Developer Productivity with Jakarta EE 11
ivargrimstad
0
890
詳細解説! ArrayListの仕組みと実装
yujisoftware
0
480
Webの技術スタックで マルチプラットフォームアプリ開発を可能にするElixirDesktopの紹介
thehaigo
2
930

Featured

See All Featured
RailsConf 2023
tenderlove
29
880
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
14
1.9k
Product Roadmaps are Hard
iamctodd
PRO
48
10k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
228
52k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.6k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
231
17k
Building an army of robots
kneath
302
42k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
3
370
The Power of CSS Pseudo Elements
geoffreycrofte
72
5.3k
Being A Developer After 40
akosma
86
590k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
328
21k

Transcript

  1. Kubernetes Edition Omer Levi Hevroni | AppSec Engineer | @omerlh

    Continuous Hacking

  2. @omerlh

  3. Secure defaults Easy Medium Hard Automated tools Bug bounty Pen

    tests Runtime monitoring https://Bit.ly/2020AppSecCali_Gibler Vulnerability Classification @omerlh

  4. @omerlh

  5. I’m a Developer @omerlh

  6. AppSec Engineer @ Snyk @omerlh

  7. Develop fast. Stay secure @omerlh

  8. One line of text slide confidential Dogfooding @omerlh

  9. Continues Hacking https://github.com/omerlh/juice-shop/pull/54 @omerlh

  10. Kubernetes Apps has many layers Code Packages Container Manifests files

    @omerlh

  11. @omerlh

  12. @omerlh

  13. Code Layer @omerlh

  14. Option A: Manual Code Review @omerlh

  15. Option B: Automatic Code Review @omerlh

  16. Code Layer @omerlh

  17. confidential Snyk.io 17 WHAT WHERE @omerlh

  18. 18 WHERE @omerlh

  19. 19 Exploit Time! @omerlh

  20. 20 Exploit Time! @omerlh

  21. 21 Exploit Time! @omerlh

  22. 22 What happened? @omerlh

  23. confidential Snyk.io 23 WHAT WHERE @omerlh

  24. 24 @omerlh

  25. 25 SQL Comment Sign @omerlh

  26. • Never trust user input • Input sanitization Mitigating SQLi

    https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Preventio n_Cheat_Sheet.html @omerlh

  27. Packages Layer @omerlh

  28. Most Dangerous Command You Can Run? @omerlh

  29. https://info.snyk.io/sooss-report-2020 @omerlh

  30. https://info.snyk.io/sooss-report-2020 @omerlh

  31. ERe https://github.com/webpack/webpack/issues/690 React Dependencies @omerlh

  32. Running in the CI https://snyk.io/docs/github/ @omerlh

  33. And the results… @omerlh

  34. Let’s zoom in @omerlh

  35. Cross Site Scripting @omerlh

  36. Let’s zoom in @omerlh

  37. We can see the original GitHub issue! @omerlh

  38. Let’s exploit it! @omerlh

  39. Viola! @omerlh

  40. Fixing Vulnerable Packages @omerlh

  41. • Never trust user input • Input sanitization • Security

    headers • React is not immune to XSS! Mitigating XSS https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cr oss_Site_Scripting_Prevention_Cheat_Sheet.md @omerlh

  42. Container Layer @omerlh

  43. 43 @omerlh

  44. https://info.snyk.io/sooss-report-2020 @omerlh

  45. 45 https://snyk.io/vuln/search?q=node&type=upstream

  46. https://hadolint.github.io/hadolint

  47. 47 @omerlh

  48. 48 @omerlh

  49. Should we care? @omerlh

  50. 50 @omerlh

  51. 51 @omerlh

  52. Fixing it? @omerlh

  53. @omerlh

  54. https://hadolint.github.io/hadolint @omerlh

  55. Manifest Files Layer @omerlh

  56. https://madhuakula.com/kubernetes-goat/ @omerlh

  57. 57 @omerlh

  58. 58 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ @omerlh

  59. 59 @omerlh

  60. 60

  61. 61 @omerlh

  62. Wrapping Up @omerlh

  63. Kubernetes Apps has many layers Code Packages Container Manifests files

    @omerlh

  64. confidential Snyk.io 64 Tip of the Iceberg @omerlh

  65. @omerlh

  66. Omer Levi Hevroni | AppSec Engineer | @omerlh Thank You

  67. 67 References • https://www.omerlh.info/2018/10/04/write-good-code-with-security-tests/ • https://snyk.io/blog/from-image-security-to-workload-security/ • https://snyk.io/learn/container-security/ • https://www.youtube.com/watch?v=3H8pF6yoSgU

    • https://github.blog/2020-09-30-code-scanning-is-now-available/ • https://snyk.io/blog/developer-first-sast-with-snyk-code • https://cheatsheetseries.owasp.org/ • https://madhuakula.com/kubernetes-goat/ • https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/ • https://snyk.io/open-source-security/ @omerlh