Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Continuous Hacking
Search
Omer Levi Hevroni
November 04, 2020
Programming
0
51
Continuous Hacking
Omer Levi Hevroni
November 04, 2020
Tweet
Share
More Decks by Omer Levi Hevroni
See All by Omer Levi Hevroni
Hacking Monitoring for Fun and Profit
omerlh
0
120
Vulnerable Dependencies - Going Beyond Discovery
omerlh
0
66
GitOps keeping it secret
omerlh
1
84
Other Decks in Programming
See All in Programming
OpenTelemetryでRailsのパフォーマンス分析を始めてみよう(KoR2024)
ymtdzzz
4
1.6k
シールドクラスをはじめよう / Getting Started with Sealed Classes
mackey0225
3
400
『ドメイン駆動設計をはじめよう』のモデリングアプローチ
masuda220
PRO
8
440
gopls を改造したら開発生産性が高まった
satorunooshie
8
240
WEBエンジニア向けAI活用入門
sutetotanuki
0
300
Kubernetes for Data Engineers: Building Scalable, Reliable Data Pipelines
sucitw
1
200
Vue3の一歩踏み込んだパフォーマンスチューニング2024
hal_spidernight
3
3.1k
破壊せよ!データ破壊駆動で考えるドメインモデリング / data-destroy-driven
minodriven
16
4.1k
ECSのサービス間通信 4つの方法を比較する 〜Canary,Blue/Greenも添えて〜
tkikuc
11
2.3k
Boost Performance and Developer Productivity with Jakarta EE 11
ivargrimstad
0
890
詳細解説! ArrayListの仕組みと実装
yujisoftware
0
480
Webの技術スタックで マルチプラットフォームアプリ開発を可能にするElixirDesktopの紹介
thehaigo
2
930
Featured
See All Featured
RailsConf 2023
tenderlove
29
880
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
14
1.9k
Product Roadmaps are Hard
iamctodd
PRO
48
10k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
228
52k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.6k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
231
17k
Building an army of robots
kneath
302
42k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
3
370
The Power of CSS Pseudo Elements
geoffreycrofte
72
5.3k
Being A Developer After 40
akosma
86
590k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
328
21k
Transcript
Kubernetes Edition Omer Levi Hevroni | AppSec Engineer | @omerlh
Continuous Hacking
@omerlh
Secure defaults Easy Medium Hard Automated tools Bug bounty Pen
tests Runtime monitoring https://Bit.ly/2020AppSecCali_Gibler Vulnerability Classification @omerlh
@omerlh
I’m a Developer @omerlh
AppSec Engineer @ Snyk @omerlh
Develop fast. Stay secure @omerlh
One line of text slide confidential Dogfooding @omerlh
Continues Hacking https://github.com/omerlh/juice-shop/pull/54 @omerlh
Kubernetes Apps has many layers Code Packages Container Manifests files
@omerlh
@omerlh
@omerlh
Code Layer @omerlh
Option A: Manual Code Review @omerlh
Option B: Automatic Code Review @omerlh
Code Layer @omerlh
confidential Snyk.io 17 WHAT WHERE @omerlh
18 WHERE @omerlh
19 Exploit Time! @omerlh
20 Exploit Time! @omerlh
21 Exploit Time! @omerlh
22 What happened? @omerlh
confidential Snyk.io 23 WHAT WHERE @omerlh
24 @omerlh
25 SQL Comment Sign @omerlh
• Never trust user input • Input sanitization Mitigating SQLi
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Preventio n_Cheat_Sheet.html @omerlh
Packages Layer @omerlh
Most Dangerous Command You Can Run? @omerlh
https://info.snyk.io/sooss-report-2020 @omerlh
https://info.snyk.io/sooss-report-2020 @omerlh
ERe https://github.com/webpack/webpack/issues/690 React Dependencies @omerlh
Running in the CI https://snyk.io/docs/github/ @omerlh
And the results… @omerlh
Let’s zoom in @omerlh
Cross Site Scripting @omerlh
Let’s zoom in @omerlh
We can see the original GitHub issue! @omerlh
Let’s exploit it! @omerlh
Viola! @omerlh
Fixing Vulnerable Packages @omerlh
• Never trust user input • Input sanitization • Security
headers • React is not immune to XSS! Mitigating XSS https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cr oss_Site_Scripting_Prevention_Cheat_Sheet.md @omerlh
Container Layer @omerlh
43 @omerlh
https://info.snyk.io/sooss-report-2020 @omerlh
45 https://snyk.io/vuln/search?q=node&type=upstream
https://hadolint.github.io/hadolint
47 @omerlh
48 @omerlh
Should we care? @omerlh
50 @omerlh
51 @omerlh
Fixing it? @omerlh
@omerlh
https://hadolint.github.io/hadolint @omerlh
Manifest Files Layer @omerlh
https://madhuakula.com/kubernetes-goat/ @omerlh
57 @omerlh
58 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ @omerlh
59 @omerlh
60
61 @omerlh
Wrapping Up @omerlh
Kubernetes Apps has many layers Code Packages Container Manifests files
@omerlh
confidential Snyk.io 64 Tip of the Iceberg @omerlh
@omerlh
Omer Levi Hevroni | AppSec Engineer | @omerlh Thank You
67 References • https://www.omerlh.info/2018/10/04/write-good-code-with-security-tests/ • https://snyk.io/blog/from-image-security-to-workload-security/ • https://snyk.io/learn/container-security/ • https://www.youtube.com/watch?v=3H8pF6yoSgU
• https://github.blog/2020-09-30-code-scanning-is-now-available/ • https://snyk.io/blog/developer-first-sast-with-snyk-code • https://cheatsheetseries.owasp.org/ • https://madhuakula.com/kubernetes-goat/ • https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/ • https://snyk.io/open-source-security/ @omerlh