Slide 1

Build and secure containers to support your CI/CD pipeline

Slide 2

Hello! I am João Rosa. I am a Software Consultant, focused on Quality. You can find me at @joaoasrosa

Slide 3

1. Horror story: What we found at a customer

Slide 4

The most important systems in your organisation are: the payroll system and the CI/CD server.

Slide 5

Problems found with the CI/CD server

Lifecycle management: There is no lifecycle management on the tool. It has critical CVEs.
Misconfiguration: The server holds multiple services. Also, the configuration of the services is not secure.
Agents drift: The build and deploy agents are in a drift state. Plus, old frameworks are installed.

Slide 6

LEAD TIME for new capabilities, such as a new version of a framework, or new tool features.

Slide 7

2. A way out: What we proposed to the customer

Slide 8

Proposed solution

SaaS: Move from the on-premises solution to a SaaS solution. It will mitigate some of the risks.
Shift responsibilities: From managing tooling, to enabling development teams to deliver value.

Slide 9

Use containers to build and deploy
▪ Today, mature solutions offer containers as the compute unit
▪ Isolated by default (between jobs)
▪ Granular capabilities
▪ Allow teams to create the container images

Slide 10

With great power, comes great responsibility! (Ben Parker)

Slide 11

How about security? Teams are creating their own containers!
Photo by Alistair MacRobert on Unsplash

Slide 12

Back to basics… on software development: code, test, deploy

Slide 13

3. A (possible) solution: Implementation details

Slide 14

What does "test" mean for containers in a financial institution? We can understand it as testing the capabilities and the security. Other definitions?
Photo by Saffu on Unsplash

Slide 15

What does that mean?
▪ Test the dependencies
▪ Scan the dependencies

Slide 16

What does that mean?

Test: Test the container image, to assert that the dependencies are installed according to the expectations.
Scan: Scan the container image, discovering if there are problems with any of the dependencies. Bonus: is it possible to monitor it?

Slide 17

Implementation
▪ The container image definition is a Dockerfile
▪ Testing using Google’s Container Structure Tests
▪ Scanning and monitoring using Snyk
However, there are other tools! :)

Slide 18

DEMO TIME

Slide 19

Container Structure Tests
▪ Command tests
▪ File Existence tests
▪ File Content tests
▪ Metadata tests
▪ License tests *
* (licenses allowed by Google)
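As an added example (not from the talk, and not a file from any real project), here is a container-structure-test configuration exercising four of the five test kinds listed above, written to catch exactly the problems from the horror story: an old runtime, secrets left in the image, and a process that runs as root. The image layout under /app, the Node.js runtime, the unprivileged "app" user and the label value are all assumptions.

```yaml
# structure-tests.yaml (added example; image layout, runtime and user are assumed)
schemaVersion: "2.0.0"

# Command tests run a command inside the image and match its output.
# Pinning the runtime major version stops an old framework from drifting back in.
commandTests:
  - name: "node major version is 18"
    command: "node"
    args: ["--version"]
    expectedOutput: ["^v18\\."]
  - name: "no package manager cache left behind"
    command: "sh"
    args: ["-c", "[ -d /root/.npm ] && echo present || echo absent"]
    expectedOutput: ["absent"]

# File existence tests: required files are present, risky ones are absent.
fileExistenceTests:
  - name: "application entrypoint is present"
    path: "/app/server.js"
    shouldExist: true
    permissions: "-rw-r--r--"
  - name: "no environment file with secrets shipped in the image"
    path: "/app/.env"
    shouldExist: false
  - name: "no ssh material for root"
    path: "/root/.ssh"
    shouldExist: false

# File content tests: assert on a file's contents with regular expressions.
fileContentTests:
  - name: "express version is pinned, not a caret range"
    path: "/app/package.json"
    expectedContents: ["\"express\": \"4\\.[0-9]+\\.[0-9]+\""]
    excludedContents: ["\"express\": \"\\^"]

# Metadata tests: assert on the image configuration (user, workdir, ports, labels).
metadataTest:
  user: "app"
  workdir: "/app"
  exposedPorts: ["8080"]
  entrypoint: ["node", "server.js"]
  labels:
    - key: "org.opencontainers.image.source"
      value: "https://example.com/team/service"
```

Run it in the pipeline with `container-structure-test test --image <built image> --config structure-tests.yaml` so a failing assertion blocks the image before it is pushed.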

Slide 20

Snyk
▪ Scan dependencies
▪ Monitoring snapshots of the dependencies

Slide 21

Thanks! Any questions? You can find me at
▪ @joaoasrosa
▪ [email protected]

Slide 22

Credits
Special thanks to all the people who made and released these awesome resources for free:
▪ Presentation template by SlidesCarnival
▪ Photographs by Unsplash