Slide 1

THE DEVSECOPS ICEBERG
wott.io @vpetersson

Slide 2

OUTLINE
What is the DevSecOps Iceberg?
Why is it an iceberg?
Review of the layers in the iceberg
Summary

Slide 3


Slide 4


Slide 5

WHY IS THIS IMPORTANT?

Slide 6

WHAT'S WOTT?
Security tool for developers
Provides cryptographic identity (x509)
Ongoing security audit of fleet
CVE scanning
Workflow integrations (GitHub, Slack etc.)
Gamification (DevSecOps)

Slide 7

PREP
Created an account with:
(GitHub)
Snyk
Aqua
WoTT
Got a GitHub repo with sample code
Connected CircleCI to the repo

Slide 8

PREP: CircleCI

Slide 9

ENVIRONMENT
Python app
...with dependencies
...running in Docker
...on a Linux host
...which we deploy daily(ish)

Slide 10

APPLICATION LAYER

Slide 11

OVERVIEW
Your code
Your dependencies

Slide 12

WHY DOES IT MATTER?
Your app servers are likely publicly exposed
Your app(s) likely use a large set of libraries/dependencies
Supply chain security: the "event-stream" npm package example

Slide 13

WHEN TO RUN?
During development
During the Pull Request (or similar)
During the build on CI (this is what we'll do)

Slide 14

TOOLS
Snyk
GitHub Security Alerts (formerly Dependabot)

Slide 15

DEMO GOD

Slide 16

DEMO
Let's use Snyk for our scanner
Let's use CircleCI as our CI/CD runner
Let's break out the test to a separate container for isolation

Slide 17

CONTAINER LAYER

Slide 18

OVERVIEW
Your container
Your runtime

Slide 19

WHY DOES IT MATTER?
Can provide a false sense of security
There are a lot of vulnerable Docker images out there

Slide 20

WHEN TO RUN?
On CI (this is what we will do)
In the Container Registry

Slide 21

TOOLS
Aqua MicroScanner (to be replaced by Trivy)
Anchore
Sysdig Secure and Falco
hadolint - Lint/Audit Dockerfiles
Docker Bench for Security - Audit Docker host security
CoreOS/RedHat Quay
Snyk Container

Slide 22

DEMO
Let's use Aqua's MicroScanner for our scanner
Again, let's extend our CircleCI to do this too
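The two CircleCI demos (the dependency scan on the application layer and the image scan on the container layer) can be expressed as one pipeline config. The config below is an added example written for this page, not the deck's own demo repo. It assumes: a Python app with a requirements.txt and a Dockerfile at the repo root; SNYK_TOKEN stored as a CircleCI secret; the snyk/snyk and aquasec/trivy public images with the tags shown; and Trivy in place of MicroScanner, which the tools slide names as its replacement. The dependency scan runs in its own executor container, which is the "separate container for isolation" point from the application-layer demo.

```yaml
version: 2.1

jobs:
  # Application layer: dependency scan in its own executor container, so the
  # scanner never shares a filesystem or credentials with the build/deploy job.
  dependency-scan:
    docker:
      - image: snyk/snyk:python-3.11   # assumed tag; match it to your runtime
    steps:
      - checkout
      - run:
          name: Install the app's dependencies so Snyk can resolve the full tree
          command: pip install -r requirements.txt
      - run:
          name: Fail the build on high/critical known vulnerabilities
          # SNYK_TOKEN comes from a CircleCI project or context secret, never from the repo.
          command: snyk test --severity-threshold=high

  # Container layer: build the image, then scan the built artefact (base image
  # and OS packages included), not just the source tree.
  container-scan:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - setup_remote_docker
      - run:
          name: Build the image under test
          command: docker build -t app-under-test:${CIRCLE_SHA1} .   # hypothetical image name
      - run:
          name: Scan the image with Trivy (MicroScanner's successor)
          command: |
            docker run --rm \
              -v /var/run/docker.sock:/var/run/docker.sock \
              aquasec/trivy:latest image \
                --exit-code 1 \
                --severity HIGH,CRITICAL \
                --ignore-unfixed \
                app-under-test:${CIRCLE_SHA1}

workflows:
  build-and-scan:
    jobs:
      - dependency-scan
      - container-scan
```

The non-zero exit codes are what turn the scans into a control: a finding stops the workflow instead of landing in a report nobody reads, which is the "false sense of security" the container-layer slides warn about. --ignore-unfixed keeps the gate actionable by only failing on findings the base image maintainers have already shipped a fix for; drop it if you want visibility into unfixed CVEs as well.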

Slide 23

OPERATING SYSTEM LAYER

Slide 24

"This is out of scope, said no attacker ever."

Slide 25

OVERVIEW
Pets vs. Cattle
Understand your responsibilities vs. your cloud vendor's

Slide 26

WHY DOES IT MATTER?
root on host == game over
Remember Heartbleed, Spectre and Meltdown?
Think about networked services on any server (Zero Trust Networking)

Slide 27

WHEN TO RUN?
Continuously on all hosts

Slide 28

TOOLS
WoTT
Red Hat Satellite
Aqua Security for Cloud VMs
Ubuntu Landscape
DevSec.io - Server Hardening

Slide 29

DEMO
Let's use WoTT to audit the host
Regular VM on GCE

Slide 30

SUMMARY

Slide 31

Understand your threat model
You need to secure all layers in the DevSecOps Iceberg
Different layers have different attack vectors

Slide 32

REFERENCES
Example GitHub repo
DevSecOps Iceberg blog post