Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Continuous Hacking
Search
Omer Levi Hevroni
November 04, 2020
Programming
68
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Continuous Hacking
Omer Levi Hevroni
November 04, 2020
More Decks by Omer Levi Hevroni
See All by Omer Levi Hevroni
Hacking Monitoring for Fun and Profit
omerlh
0
140
Vulnerable Dependencies - Going Beyond Discovery
omerlh
0
100
GitOps keeping it secret
omerlh
1
100
Other Decks in Programming
See All in Programming
キャリア迷子上等 ─ "ない道"は自分で作ればいい
16bitidol
3
2.7k
Javaの型とAI時代に型が大事な理由 / java types and type in AI era
kishida
2
170
Generative UI & AI-Assistants for Your Angular Solutions
manfredsteyer
PRO
0
110
どこまでゆるくて許されるのか
tk3fftk
0
300
「AIで開発し、AIを届ける」をEvalでつなぐ 〜AIネイティブに始めるプロダクト開発の実践〜 / Connecting "Develop with AI, deliver AI" with Eval
rkaga
4
5.6k
TSKaigi Night Talks 2026_TypeScriptでサプライチェーンの整合性を型に閉じ込める
geekplus_tech
0
430
任せる範囲はこう広がった / How the Scope of AI Delegation Has Expanded
nrslib
1
230
Spec Driven Development | AI Summit Lisbon
danielsogl
PRO
0
230
1B+ /day規模のログを管理する技術
broadleaf
0
120
技術記事、 専門家としてのプログラマ、 言語化
mizchi
14
7.2k
Datadog × OpenTelemetry 入門と実践のあいだ
kn_to_maxpno
1
180
symfony/aiとlaravel/boost
77web
0
120
Featured
See All Featured
Conquering PDFs: document understanding beyond plain text
inesmontani
PRO
4
2.9k
Lightning talk: Run Django tests with GitHub Actions
sabderemane
0
210
Why Mistakes Are the Best Teachers: Turning Failure into a Pathway for Growth
auna
0
180
A Modern Web Designer's Workflow
chriscoyier
698
190k
Why You Should Never Use an ORM
jnunemaker
PRO
61
9.9k
ラッコキーワード サービス紹介資料
rakko
1
3.8M
Leveraging Curiosity to Care for An Aging Population
cassininazir
1
300
So, you think you're a good person
axbom
PRO
2
2.1k
Paper Plane (Part 1)
katiecoart
PRO
0
9.5k
BBQ
matthewcrist
89
10k
Impact Scores and Hybrid Strategies: The future of link building
tamaranovitovic
0
330
Building Flexible Design Systems
yeseniaperezcruz
330
40k
Transcript
Kubernetes Edition Omer Levi Hevroni | AppSec Engineer | @omerlh
Continuous Hacking
@omerlh
Secure defaults Easy Medium Hard Automated tools Bug bounty Pen
tests Runtime monitoring https://Bit.ly/2020AppSecCali_Gibler Vulnerability Classification @omerlh
@omerlh
I’m a Developer @omerlh
AppSec Engineer @ Snyk @omerlh
Develop fast. Stay secure @omerlh
One line of text slide confidential Dogfooding @omerlh
Continues Hacking https://github.com/omerlh/juice-shop/pull/54 @omerlh
Kubernetes Apps has many layers Code Packages Container Manifests files
@omerlh
@omerlh
@omerlh
Code Layer @omerlh
Option A: Manual Code Review @omerlh
Option B: Automatic Code Review @omerlh
Code Layer @omerlh
confidential Snyk.io 17 WHAT WHERE @omerlh
18 WHERE @omerlh
19 Exploit Time! @omerlh
20 Exploit Time! @omerlh
21 Exploit Time! @omerlh
22 What happened? @omerlh
confidential Snyk.io 23 WHAT WHERE @omerlh
24 @omerlh
25 SQL Comment Sign @omerlh
• Never trust user input • Input sanitization Mitigating SQLi
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Preventio n_Cheat_Sheet.html @omerlh
Packages Layer @omerlh
Most Dangerous Command You Can Run? @omerlh
https://info.snyk.io/sooss-report-2020 @omerlh
https://info.snyk.io/sooss-report-2020 @omerlh
ERe https://github.com/webpack/webpack/issues/690 React Dependencies @omerlh
Running in the CI https://snyk.io/docs/github/ @omerlh
And the results… @omerlh
Let’s zoom in @omerlh
Cross Site Scripting @omerlh
Let’s zoom in @omerlh
We can see the original GitHub issue! @omerlh
Let’s exploit it! @omerlh
Viola! @omerlh
Fixing Vulnerable Packages @omerlh
• Never trust user input • Input sanitization • Security
headers • React is not immune to XSS! Mitigating XSS https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cr oss_Site_Scripting_Prevention_Cheat_Sheet.md @omerlh
Container Layer @omerlh
43 @omerlh
https://info.snyk.io/sooss-report-2020 @omerlh
45 https://snyk.io/vuln/search?q=node&type=upstream
https://hadolint.github.io/hadolint
47 @omerlh
48 @omerlh
Should we care? @omerlh
50 @omerlh
51 @omerlh
Fixing it? @omerlh
@omerlh
https://hadolint.github.io/hadolint @omerlh
Manifest Files Layer @omerlh
https://madhuakula.com/kubernetes-goat/ @omerlh
57 @omerlh
58 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ @omerlh
59 @omerlh
60
61 @omerlh
Wrapping Up @omerlh
Kubernetes Apps has many layers Code Packages Container Manifests files
@omerlh
confidential Snyk.io 64 Tip of the Iceberg @omerlh
@omerlh
Omer Levi Hevroni | AppSec Engineer | @omerlh Thank You
67 References • https://www.omerlh.info/2018/10/04/write-good-code-with-security-tests/ • https://snyk.io/blog/from-image-security-to-workload-security/ • https://snyk.io/learn/container-security/ • https://www.youtube.com/watch?v=3H8pF6yoSgU
• https://github.blog/2020-09-30-code-scanning-is-now-available/ • https://snyk.io/blog/developer-first-sast-with-snyk-code • https://cheatsheetseries.owasp.org/ • https://madhuakula.com/kubernetes-goat/ • https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/ • https://snyk.io/open-source-security/ @omerlh