Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Continuous Hacking
Search
Omer Levi Hevroni
November 04, 2020
Programming
0
51
Continuous Hacking
Omer Levi Hevroni
November 04, 2020
Tweet
Share
More Decks by Omer Levi Hevroni
See All by Omer Levi Hevroni
Hacking Monitoring for Fun and Profit
omerlh
0
120
Vulnerable Dependencies - Going Beyond Discovery
omerlh
0
69
GitOps keeping it secret
omerlh
1
86
Other Decks in Programming
See All in Programming
.NET のための通信フレームワーク MagicOnion 入門 / Introduction to MagicOnion
mayuki
1
1.7k
cmp.Or に感動した
otakakot
3
200
Realtime API 入門
riofujimon
0
150
Jakarta EE meets AI
ivargrimstad
0
210
What’s New in Compose Multiplatform - A Live Tour (droidcon London 2024)
zsmb
1
480
Amazon Qを使ってIaCを触ろう!
maruto
0
410
[Do iOS '24] Ship your app on a Friday...and enjoy your weekend!
polpielladev
0
110
Quine, Polyglot, 良いコード
qnighy
4
650
AI時代におけるSRE、 あるいはエンジニアの生存戦略
pyama86
6
1.2k
CSC509 Lecture 11
javiergs
PRO
0
180
3rd party scriptでもReactを使いたい! Preact + Reactのハイブリッド開発
righttouch
PRO
1
610
Kaigi on Rails 2024 〜運営の裏側〜
krpk1900
1
230
Featured
See All Featured
Building a Modern Day E-commerce SEO Strategy
aleyda
38
6.9k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
47
2.1k
What's in a price? How to price your products and services
michaelherold
243
12k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
Code Reviewing Like a Champion
maltzj
520
39k
Ruby is Unlike a Banana
tanoku
97
11k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
329
21k
Transcript
Kubernetes Edition Omer Levi Hevroni | AppSec Engineer | @omerlh
Continuous Hacking
@omerlh
Secure defaults Easy Medium Hard Automated tools Bug bounty Pen
tests Runtime monitoring https://Bit.ly/2020AppSecCali_Gibler Vulnerability Classification @omerlh
@omerlh
I’m a Developer @omerlh
AppSec Engineer @ Snyk @omerlh
Develop fast. Stay secure @omerlh
One line of text slide confidential Dogfooding @omerlh
Continues Hacking https://github.com/omerlh/juice-shop/pull/54 @omerlh
Kubernetes Apps has many layers Code Packages Container Manifests files
@omerlh
@omerlh
@omerlh
Code Layer @omerlh
Option A: Manual Code Review @omerlh
Option B: Automatic Code Review @omerlh
Code Layer @omerlh
confidential Snyk.io 17 WHAT WHERE @omerlh
18 WHERE @omerlh
19 Exploit Time! @omerlh
20 Exploit Time! @omerlh
21 Exploit Time! @omerlh
22 What happened? @omerlh
confidential Snyk.io 23 WHAT WHERE @omerlh
24 @omerlh
25 SQL Comment Sign @omerlh
• Never trust user input • Input sanitization Mitigating SQLi
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Preventio n_Cheat_Sheet.html @omerlh
Packages Layer @omerlh
Most Dangerous Command You Can Run? @omerlh
https://info.snyk.io/sooss-report-2020 @omerlh
https://info.snyk.io/sooss-report-2020 @omerlh
ERe https://github.com/webpack/webpack/issues/690 React Dependencies @omerlh
Running in the CI https://snyk.io/docs/github/ @omerlh
And the results… @omerlh
Let’s zoom in @omerlh
Cross Site Scripting @omerlh
Let’s zoom in @omerlh
We can see the original GitHub issue! @omerlh
Let’s exploit it! @omerlh
Viola! @omerlh
Fixing Vulnerable Packages @omerlh
• Never trust user input • Input sanitization • Security
headers • React is not immune to XSS! Mitigating XSS https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cr oss_Site_Scripting_Prevention_Cheat_Sheet.md @omerlh
Container Layer @omerlh
43 @omerlh
https://info.snyk.io/sooss-report-2020 @omerlh
45 https://snyk.io/vuln/search?q=node&type=upstream
https://hadolint.github.io/hadolint
47 @omerlh
48 @omerlh
Should we care? @omerlh
50 @omerlh
51 @omerlh
Fixing it? @omerlh
@omerlh
https://hadolint.github.io/hadolint @omerlh
Manifest Files Layer @omerlh
https://madhuakula.com/kubernetes-goat/ @omerlh
57 @omerlh
58 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ @omerlh
59 @omerlh
60
61 @omerlh
Wrapping Up @omerlh
Kubernetes Apps has many layers Code Packages Container Manifests files
@omerlh
confidential Snyk.io 64 Tip of the Iceberg @omerlh
@omerlh
Omer Levi Hevroni | AppSec Engineer | @omerlh Thank You
67 References • https://www.omerlh.info/2018/10/04/write-good-code-with-security-tests/ • https://snyk.io/blog/from-image-security-to-workload-security/ • https://snyk.io/learn/container-security/ • https://www.youtube.com/watch?v=3H8pF6yoSgU
• https://github.blog/2020-09-30-code-scanning-is-now-available/ • https://snyk.io/blog/developer-first-sast-with-snyk-code • https://cheatsheetseries.owasp.org/ • https://madhuakula.com/kubernetes-goat/ • https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/ • https://snyk.io/open-source-security/ @omerlh