Slide 1

Slide 1 text

Kubernetes Edition Omer Levi Hevroni | AppSec Engineer | @omerlh Continuous Hacking

Slide 2

Slide 2 text

@omerlh

Slide 3

Slide 3 text

Vulnerability Classification: Easy / Medium / Hard
Secure defaults · Automated tools · Bug bounty · Pen tests · Runtime monitoring
https://Bit.ly/2020AppSecCali_Gibler @omerlh

Slide 4

Slide 4 text

@omerlh

Slide 5

Slide 5 text

I’m a Developer @omerlh

Slide 6

Slide 6 text

AppSec Engineer @ Snyk @omerlh

Slide 7

Slide 7 text

Develop fast. Stay secure @omerlh

Slide 8

Slide 8 text

One line of text slide confidential Dogfooding @omerlh

Slide 9

Slide 9 text

Continuous Hacking https://github.com/omerlh/juice-shop/pull/54 @omerlh

Slide 10

Slide 10 text

Kubernetes apps have many layers: Code, Packages, Container, Manifest files @omerlh

Slide 11

Slide 11 text

@omerlh

Slide 12

Slide 12 text

@omerlh

Slide 13

Slide 13 text

Code Layer @omerlh

Slide 14

Slide 14 text

Option A: Manual Code Review @omerlh

Slide 15

Slide 15 text

Option B: Automatic Code Review @omerlh

Slide 16

Slide 16 text

Code Layer @omerlh

Slide 17

Slide 17 text

WHAT WHERE @omerlh

Slide 18

Slide 18 text

WHERE @omerlh

Slide 19

Slide 19 text

Exploit Time! @omerlh

Slide 20

Slide 20 text

Exploit Time! @omerlh

Slide 21

Slide 21 text

Exploit Time! @omerlh

Slide 22

Slide 22 text

What happened? @omerlh

Slide 23

Slide 23 text

WHAT WHERE @omerlh

Slide 24

Slide 24 text

24 @omerlh

Slide 25

Slide 25 text

SQL Comment Sign @omerlh

Slide 26

Slide 26 text

Mitigating SQLi
● Never trust user input
● Input sanitization
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html @omerlh
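The two bullets above are the whole mitigation story, so here is what they look like in code. This is an added example in Python with sqlite3, not the Node.js Juice Shop code from the pull request the talk walks through; the `users` table, its rows and the function names are constructed for the demo. The vulnerable login builds the SQL text by string formatting, so a quote followed by the SQL comment sign (`--`) from the previous slides ends the statement early; the safe version binds the same input as a parameter, where it can only ever be compared as data. An allow-list check on the email is added as a second layer, matching the "input sanitization" bullet.

```python
import re
import sqlite3

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def make_db():
    """Constructed in-memory table for the demo (not the real application's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (email, password) VALUES (?, ?)",
        [("admin@example.com", "s3cret"), ("bob@example.com", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """Vulnerable: user input is spliced into the SQL text, so it is parsed as SQL."""
    sql = f"SELECT email FROM users WHERE email = '{email}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def is_valid_email(email):
    """Allow-list validation: reject anything that is not shaped like an email."""
    return bool(EMAIL_RE.match(email))


def login_safe(conn, email, password):
    """Hardened: validate the input, then bind it with placeholders (never string-format SQL)."""
    if not is_valid_email(email):
        return []
    sql = "SELECT email FROM users WHERE email = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (email, password))]


def compare(email, password):
    """Run both logins on the same input; returns (vulnerable_result, safe_result)."""
    conn = make_db()
    try:
        return login_vulnerable(conn, email, password), login_safe(conn, email, password)
    finally:
        conn.close()


if __name__ == "__main__":
    # The comment sign turns "... AND password = ''" into a comment in the vulnerable query.
    print(compare("admin@example.com' --", ""))
    print(compare("admin@example.com", "s3cret"))
```

Run it and the first line shows the vulnerable query logging in as the admin with an empty password while the parameterized query returns nothing; the second line shows both agreeing on a legitimate login. In the real application the placeholder syntax depends on the driver (`?` for sqlite3, `$1` for node-postgres, and so on), but the principle is identical: the query text never contains user data.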

Slide 27

Slide 27 text

Packages Layer @omerlh

Slide 28

Slide 28 text

Most Dangerous Command You Can Run? @omerlh

Slide 29

Slide 29 text

https://info.snyk.io/sooss-report-2020 @omerlh

Slide 30

Slide 30 text

https://info.snyk.io/sooss-report-2020 @omerlh

Slide 31

Slide 31 text

React Dependencies https://github.com/webpack/webpack/issues/690 @omerlh

Slide 32

Slide 32 text

Running in the CI https://snyk.io/docs/github/ @omerlh

Slide 33

Slide 33 text

And the results… @omerlh

Slide 34

Slide 34 text

Let’s zoom in @omerlh

Slide 35

Slide 35 text

Cross Site Scripting @omerlh

Slide 36

Slide 36 text

Let’s zoom in @omerlh

Slide 37

Slide 37 text

We can see the original GitHub issue! @omerlh

Slide 38

Slide 38 text

Let’s exploit it! @omerlh

Slide 39

Slide 39 text

Voilà! @omerlh

Slide 40

Slide 40 text

Fixing Vulnerable Packages @omerlh

Slide 41

Slide 41 text

Mitigating XSS
● Never trust user input
● Input sanitization
● Security headers
● React is not immune to XSS!
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md @omerlh
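The four bullets above map onto three concrete controls: encode output for the context it lands in, restrict what a link may point at, and send headers that limit the damage when encoding is missed somewhere. This is an added example in Python, not code from the talk or from the React application it demonstrates; the comment-rendering functions, the sample payloads and the header values are constructed for illustration. The `safe_href` helper exists because the "React is not immune" bullet is real: React escapes text it interpolates, but a `javascript:` URL passed into an `href`, or markup handed to `dangerouslySetInnerHTML`, is not text and escaping does not help, so the scheme has to be allow-listed separately.

```python
import html
from urllib.parse import urlparse


def render_comment_vulnerable(comment: str) -> str:
    """Vulnerable: raw user text is pasted into HTML, so tags and attributes execute."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """Hardened: HTML-entity encode for the HTML body context (quote=True also covers attributes)."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def safe_href(url: str) -> str:
    """Links need more than escaping: allow only http(s) schemes, then encode for the attribute."""
    scheme = urlparse(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def security_headers() -> dict:
    """Response headers that contain an XSS that slipped past encoding (constructed policy)."""
    return {
        # Inline scripts and remote script origins are blocked unless listed here.
        "Content-Security-Policy": "default-src 'self'; object-src 'none'; base-uri 'self'",
        # Stops browsers from sniffing a text upload into an executable script.
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Referrer-Policy": "no-referrer",
    }


if __name__ == "__main__":
    # Constructed sample payloads: one for the HTML body context, one for a link attribute.
    payload = "<img src=x onerror=alert(1)>"
    print(render_comment_vulnerable(payload))
    print(render_comment_safe(payload))
    print(safe_href("javascript:alert(1)"))
    print(safe_href("https://example.com/?a=1&b=2"))
    for name, value in security_headers().items():
        print(f"{name}: {value}")
```

The printed output makes the difference visible: the vulnerable renderer emits a live `<img>` tag, the safe one emits inert entity-encoded text, and the `javascript:` link collapses to `#`. Note that a CSP with `default-src 'self'` will also block any inline `<script>` the application itself relies on, so roll it out with `Content-Security-Policy-Report-Only` first and watch the violation reports before enforcing it.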

Slide 42

Slide 42 text

Container Layer @omerlh

Slide 43

Slide 43 text

43 @omerlh

Slide 44

Slide 44 text

https://info.snyk.io/sooss-report-2020 @omerlh

Slide 45

Slide 45 text

45 https://snyk.io/vuln/search?q=node&type=upstream

Slide 46

Slide 46 text

https://hadolint.github.io/hadolint

Slide 47

Slide 47 text

47 @omerlh

Slide 48

Slide 48 text

48 @omerlh

Slide 49

Slide 49 text

Should we care? @omerlh

Slide 50

Slide 50 text

50 @omerlh

Slide 51

Slide 51 text

51 @omerlh

Slide 52

Slide 52 text

Fixing it? @omerlh

Slide 53

Slide 53 text

@omerlh

Slide 54

Slide 54 text

https://hadolint.github.io/hadolint @omerlh

Slide 55

Slide 55 text

Manifest Files Layer @omerlh

Slide 56

Slide 56 text

https://madhuakula.com/kubernetes-goat/ @omerlh

Slide 57

Slide 57 text

57 @omerlh

Slide 58

Slide 58 text

https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ @omerlh
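The manifest-layer finding on this slide is a container with no CPU or memory limits, which lets one workload starve its neighbours on the node. As an added example, not part of the talk or of Kubernetes Goat, here is a small checker that walks the containers of a Deployment (or a bare Pod) and reports every missing `resources.requests`/`resources.limits` entry. The manifest is a constructed sample in JSON form (Kubernetes accepts JSON as well as YAML) so the script runs with the standard library only; the container names and images are made up.

```python
import json

# Constructed sample Deployment in JSON form (not a manifest from the talk).
SAMPLE_MANIFEST = json.loads("""
{
  "apiVersion": "apps/v1",
  "kind": "Deployment",
  "metadata": {"name": "demo"},
  "spec": {
    "template": {
      "spec": {
        "containers": [
          {"name": "web", "image": "example/web:1.0",
           "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                         "limits": {"cpu": "500m", "memory": "256Mi"}}},
          {"name": "sidecar", "image": "example/sidecar:1.0",
           "resources": {"limits": {"cpu": "200m"}}},
          {"name": "worker", "image": "example/worker:1.0"}
        ]
      }
    }
  }
}
""")

REQUIRED = (("requests", "cpu"), ("requests", "memory"),
            ("limits", "cpu"), ("limits", "memory"))


def pod_spec(manifest):
    """Return the PodSpec for a Pod or for any workload that embeds a pod template."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def find_resource_gaps(manifest):
    """List 'container: missing resources.<section>.<key>' for every absent setting."""
    gaps = []
    spec = pod_spec(manifest)
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        resources = container.get("resources") or {}
        for section, key in REQUIRED:
            if key not in (resources.get(section) or {}):
                gaps.append(f"{container['name']}: missing resources.{section}.{key}")
    return gaps


def is_compliant(manifest):
    """True only when every container declares all four settings."""
    return not find_resource_gaps(manifest)


if __name__ == "__main__":
    for gap in find_resource_gaps(SAMPLE_MANIFEST):
        print(gap)
    print("compliant:", is_compliant(SAMPLE_MANIFEST))
```

Run against the sample, the `web` container passes, `sidecar` is flagged for its three missing entries and `worker` for all four. A check like this belongs in CI next to the linters from the earlier layers; in a cluster the same policy can be enforced with a `LimitRange` or `ResourceQuota` in the namespace so that a missing limit fails at admission rather than in production.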

Slide 59

Slide 59 text

59 @omerlh

Slide 60

Slide 60 text

60

Slide 61

Slide 61 text

61 @omerlh

Slide 62

Slide 62 text

Wrapping Up @omerlh

Slide 63

Slide 63 text

Kubernetes apps have many layers: Code, Packages, Container, Manifest files @omerlh

Slide 64

Slide 64 text

Tip of the Iceberg @omerlh

Slide 65

Slide 65 text

@omerlh

Slide 66

Slide 66 text

Omer Levi Hevroni | AppSec Engineer | @omerlh Thank You

Slide 67

Slide 67 text

References
• https://www.omerlh.info/2018/10/04/write-good-code-with-security-tests/
• https://snyk.io/blog/from-image-security-to-workload-security/
• https://snyk.io/learn/container-security/
• https://www.youtube.com/watch?v=3H8pF6yoSgU
• https://github.blog/2020-09-30-code-scanning-is-now-available/
• https://snyk.io/blog/developer-first-sast-with-snyk-code
• https://cheatsheetseries.owasp.org/
• https://madhuakula.com/kubernetes-goat/
• https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/
• https://snyk.io/open-source-security/
@omerlh