Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Continuous Hacking

Omer Levi Hevroni
November 04, 2020
Programming
0
51

Continuous Hacking

Omer Levi Hevroni

November 04, 2020
Tweet

More Decks by Omer Levi Hevroni

See All by Omer Levi Hevroni
Hacking Monitoring for Fun and Profit
omerlh
0
120
Vulnerable Dependencies - Going Beyond Discovery
omerlh
0
72
GitOps keeping it secret
omerlh
1
86

Other Decks in Programming

See All in Programming
.NETでOBS Studio操作してみたけど…… / Operating OBS Studio by .NET
skasweb
0
120
PicoRubyと暮らす、シェアハウスハック
ryosk7
0
220
どうして手を動かすよりもチーム内のコードレビューを優先するべきなのか
okashoi
3
870
良いユニットテストを書こう
mototakatsu
11
3.6k
Асинхронность неизбежна: как мы проектировали сервис уведомлений
lamodatech
0
1.3k
Alba: Why, How and What's So Interesting
okuramasafumi
0
210
いりゃあせ、PHPカンファレンス名古屋2025 / Welcome to PHP Conference Nagoya 2025
ttskch
1
180
KMP와 kotlinx.rpc로 서버와 클라이언트 동기화
kwakeuijin
0
300
Package Traits
ikesyo
1
210
“あなた” の開発を支援する AI エージェント Bedrock Engineer / introducing-bedrock-engineer
gawa
4
220
watsonx.ai Dojo #6 継続的なAIアプリ開発と展開
oniak3ibm
PRO
0
170
『改訂新版 良いコード/悪いコードで学ぶ設計入門』活用方法−爆速でスキルアップする!効果的な学習アプローチ / effective-learning-of-good-code
minodriven
28
4.2k

Featured

See All Featured
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
870
Building a Scalable Design System with Sketch
lauravandoore
460
33k
How STYLIGHT went responsive
nonsquared
96
5.3k
How to Think Like a Performance Engineer
csswizardry
22
1.3k
4 Signs Your Business is Dying
shpigford
182
22k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.5k
Done Done
chrislema
182
16k
The Language of Interfaces
destraynor
155
24k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
113
50k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
7k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
26
1.9k
Build your cross-platform service in a week with App Engine
jlugia
229
18k

Transcript

  1. Kubernetes Edition Omer Levi Hevroni | AppSec Engineer | @omerlh

    Continuous Hacking

  2. @omerlh

  3. Secure defaults Easy Medium Hard Automated tools Bug bounty Pen

    tests Runtime monitoring https://Bit.ly/2020AppSecCali_Gibler Vulnerability Classification @omerlh

  4. @omerlh

  5. I’m a Developer @omerlh

  6. AppSec Engineer @ Snyk @omerlh

  7. Develop fast. Stay secure @omerlh

  8. One line of text slide confidential Dogfooding @omerlh

  9. Continues Hacking https://github.com/omerlh/juice-shop/pull/54 @omerlh

  10. Kubernetes Apps has many layers Code Packages Container Manifests files

    @omerlh

  11. @omerlh

  12. @omerlh

  13. Code Layer @omerlh

  14. Option A: Manual Code Review @omerlh

  15. Option B: Automatic Code Review @omerlh

  16. Code Layer @omerlh

  17. confidential Snyk.io 17 WHAT WHERE @omerlh

  18. 18 WHERE @omerlh

  19. 19 Exploit Time! @omerlh

  20. 20 Exploit Time! @omerlh

  21. 21 Exploit Time! @omerlh

  22. 22 What happened? @omerlh

  23. confidential Snyk.io 23 WHAT WHERE @omerlh

  24. 24 @omerlh

  25. 25 SQL Comment Sign @omerlh

  26. • Never trust user input • Input sanitization Mitigating SQLi

    https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Preventio n_Cheat_Sheet.html @omerlh

  27. Packages Layer @omerlh

  28. Most Dangerous Command You Can Run? @omerlh

  29. https://info.snyk.io/sooss-report-2020 @omerlh

  30. https://info.snyk.io/sooss-report-2020 @omerlh

  31. ERe https://github.com/webpack/webpack/issues/690 React Dependencies @omerlh

  32. Running in the CI https://snyk.io/docs/github/ @omerlh

  33. And the results… @omerlh

  34. Let’s zoom in @omerlh

  35. Cross Site Scripting @omerlh

  36. Let’s zoom in @omerlh

  37. We can see the original GitHub issue! @omerlh

  38. Let’s exploit it! @omerlh

  39. Viola! @omerlh

  40. Fixing Vulnerable Packages @omerlh

  41. • Never trust user input • Input sanitization • Security

    headers • React is not immune to XSS! Mitigating XSS https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cr oss_Site_Scripting_Prevention_Cheat_Sheet.md @omerlh

  42. Container Layer @omerlh

  43. 43 @omerlh

  44. https://info.snyk.io/sooss-report-2020 @omerlh

  45. 45 https://snyk.io/vuln/search?q=node&type=upstream

  46. https://hadolint.github.io/hadolint

  47. 47 @omerlh

  48. 48 @omerlh

  49. Should we care? @omerlh

  50. 50 @omerlh

  51. 51 @omerlh

  52. Fixing it? @omerlh

  53. @omerlh

  54. https://hadolint.github.io/hadolint @omerlh

  55. Manifest Files Layer @omerlh

  56. https://madhuakula.com/kubernetes-goat/ @omerlh

  57. 57 @omerlh

  58. 58 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ @omerlh

  59. 59 @omerlh

  60. 60

  61. 61 @omerlh

  62. Wrapping Up @omerlh

  63. Kubernetes Apps has many layers Code Packages Container Manifests files

    @omerlh

  64. confidential Snyk.io 64 Tip of the Iceberg @omerlh

  65. @omerlh

  66. Omer Levi Hevroni | AppSec Engineer | @omerlh Thank You

  67. 67 References • https://www.omerlh.info/2018/10/04/write-good-code-with-security-tests/ • https://snyk.io/blog/from-image-security-to-workload-security/ • https://snyk.io/learn/container-security/ • https://www.youtube.com/watch?v=3H8pF6yoSgU

    • https://github.blog/2020-09-30-code-scanning-is-now-available/ • https://snyk.io/blog/developer-first-sast-with-snyk-code • https://cheatsheetseries.owasp.org/ • https://madhuakula.com/kubernetes-goat/ • https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/ • https://snyk.io/open-source-security/ @omerlh