Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Continuous Hacking

Omer Levi Hevroni
November 04, 2020
Programming
0
51

Continuous Hacking

Omer Levi Hevroni

November 04, 2020
Tweet

More Decks by Omer Levi Hevroni

See All by Omer Levi Hevroni
Hacking Monitoring for Fun and Profit
omerlh
0
120
Vulnerable Dependencies - Going Beyond Discovery
omerlh
0
69
GitOps keeping it secret
omerlh
1
86

Other Decks in Programming

See All in Programming
.NET のための通信フレームワーク MagicOnion 入門 / Introduction to MagicOnion
mayuki
1
1.7k
cmp.Or に感動した
otakakot
3
200
Realtime API 入門
riofujimon
0
150
Jakarta EE meets AI
ivargrimstad
0
210
What’s New in Compose Multiplatform - A Live Tour (droidcon London 2024)
zsmb
1
480
Amazon Qを使ってIaCを触ろう!
maruto
0
410
[Do iOS '24] Ship your app on a Friday...and enjoy your weekend!
polpielladev
0
110
Quine, Polyglot, 良いコード
qnighy
4
650
AI時代におけるSRE、
あるいはエンジニアの生存戦略
pyama86
6
1.2k
CSC509 Lecture 11
javiergs
PRO
0
180
3rd party scriptでもReactを使いたい! Preact + Reactのハイブリッド開発
righttouch
PRO
1
610
Kaigi on Rails 2024 〜運営の裏側〜
krpk1900
1
230

Featured

See All Featured
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
47
2.1k
What's in a price? How to price your products and services
michaelherold
243
12k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
Code Reviewing Like a Champion
maltzj
520
39k
Ruby is Unlike a Banana
tanoku
97
11k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
329
21k

Transcript

  1. Kubernetes Edition Omer Levi Hevroni | AppSec Engineer | @omerlh

    Continuous Hacking

  2. @omerlh

  3. Secure defaults Easy Medium Hard Automated tools Bug bounty Pen

    tests Runtime monitoring https://Bit.ly/2020AppSecCali_Gibler Vulnerability Classification @omerlh

  4. @omerlh

  5. I’m a Developer @omerlh

  6. AppSec Engineer @ Snyk @omerlh

  7. Develop fast. Stay secure @omerlh

  8. One line of text slide confidential Dogfooding @omerlh

  9. Continues Hacking https://github.com/omerlh/juice-shop/pull/54 @omerlh

  10. Kubernetes Apps has many layers Code Packages Container Manifests files

    @omerlh

  11. @omerlh

  12. @omerlh

  13. Code Layer @omerlh

  14. Option A: Manual Code Review @omerlh

  15. Option B: Automatic Code Review @omerlh

  16. Code Layer @omerlh

  17. confidential Snyk.io 17 WHAT WHERE @omerlh

  18. 18 WHERE @omerlh

  19. 19 Exploit Time! @omerlh

  20. 20 Exploit Time! @omerlh

  21. 21 Exploit Time! @omerlh

  22. 22 What happened? @omerlh

  23. confidential Snyk.io 23 WHAT WHERE @omerlh

  24. 24 @omerlh

  25. 25 SQL Comment Sign @omerlh

  26. • Never trust user input • Input sanitization Mitigating SQLi

    https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Preventio n_Cheat_Sheet.html @omerlh

  27. Packages Layer @omerlh

  28. Most Dangerous Command You Can Run? @omerlh

  29. https://info.snyk.io/sooss-report-2020 @omerlh

  30. https://info.snyk.io/sooss-report-2020 @omerlh

  31. ERe https://github.com/webpack/webpack/issues/690 React Dependencies @omerlh

  32. Running in the CI https://snyk.io/docs/github/ @omerlh

  33. And the results… @omerlh

  34. Let’s zoom in @omerlh

  35. Cross Site Scripting @omerlh

  36. Let’s zoom in @omerlh

  37. We can see the original GitHub issue! @omerlh

  38. Let’s exploit it! @omerlh

  39. Viola! @omerlh

  40. Fixing Vulnerable Packages @omerlh

  41. • Never trust user input • Input sanitization • Security

    headers • React is not immune to XSS! Mitigating XSS https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cr oss_Site_Scripting_Prevention_Cheat_Sheet.md @omerlh

  42. Container Layer @omerlh

  43. 43 @omerlh

  44. https://info.snyk.io/sooss-report-2020 @omerlh

  45. 45 https://snyk.io/vuln/search?q=node&type=upstream

  46. https://hadolint.github.io/hadolint

  47. 47 @omerlh

  48. 48 @omerlh

  49. Should we care? @omerlh

  50. 50 @omerlh

  51. 51 @omerlh

  52. Fixing it? @omerlh

  53. @omerlh

  54. https://hadolint.github.io/hadolint @omerlh

  55. Manifest Files Layer @omerlh

  56. https://madhuakula.com/kubernetes-goat/ @omerlh

  57. 57 @omerlh

  58. 58 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ @omerlh

  59. 59 @omerlh

  60. 60

  61. 61 @omerlh

  62. Wrapping Up @omerlh

  63. Kubernetes Apps has many layers Code Packages Container Manifests files

    @omerlh

  64. confidential Snyk.io 64 Tip of the Iceberg @omerlh

  65. @omerlh

  66. Omer Levi Hevroni | AppSec Engineer | @omerlh Thank You

  67. 67 References • https://www.omerlh.info/2018/10/04/write-good-code-with-security-tests/ • https://snyk.io/blog/from-image-security-to-workload-security/ • https://snyk.io/learn/container-security/ • https://www.youtube.com/watch?v=3H8pF6yoSgU

    • https://github.blog/2020-09-30-code-scanning-is-now-available/ • https://snyk.io/blog/developer-first-sast-with-snyk-code • https://cheatsheetseries.owasp.org/ • https://madhuakula.com/kubernetes-goat/ • https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/ • https://snyk.io/open-source-security/ @omerlh