Slide 1
© 2022 Aqua Security Software Ltd., All Rights Reserved
Demystifying Vulnerabilities in Golang

Slide 2
in/carolgv krol3 @krol_valencia

Slide 3
Agenda
• Intro
• Vulnerabilities
• Secure Golang in the SDLC

Slide 4
Security is Hard: Process, People and Technology

Slide 5
Container security? k8s security? Cybersecurity?

Slide 6
No content

Slide 7
Who's to blame for the security breach?

Slide 8
Maturity Model in my company – Agile process

Slide 9
Maturity Model in my company – Agile process

Slide 10
Applying DevOps … Where are the vulnerabilities in my SDLC? …

Slide 11
Vulnerabilities

Slide 12
A flaw or weakness that may allow harm to occur to an IT system or activity.

Slide 13
Common Vulnerabilities and Exposures (CVE) – Is it an exploitable vulnerability?

Slide 14
Zero day
CISO – Chief Information Security Officer

Slide 15
Developing web applications … What are the common vulnerabilities?

Slide 16
Open Web Application Security Project (OWASP) – Top 10

Slide 17
Go net library affected by critical IP address validation vulnerability (SSRF – Server-side request forgery)
https://www.bleepingcomputer.com/news/security/go-rust-net-library-affected-by-critical-ip-address-validation-vulnerability/

Slide 18
Secure Golang in the Software Development Lifecycle (SDLC)

Slide 19
Go vulnerability check

Slide 20
Go vulnerability check

Slide 21
Go vulnerability check
https://go.dev/security/vuln/

Slide 22
Before vulncheck

Slide 23
How do scanners work? How to find CVEs?

Slide 24
Golang Dependency Management

Slide 25
go.mod / go.sum

Slide 26
Lock file? – Dependency Confusion

Slide 27
Auditable Checksum database
https://go.dev/blog/module-mirror-launch

Slide 28
Open Source Vulnerabilities
https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html

Slide 29
Consumer / Producer Code – Supply chain

Slide 30
Supply Chain Attacks: scala-network/GUI-miner, dstellitecoin/gui-miner

Slide 31
Supply Chain Attacks

Slide 32
Supply Chain Attacks

Slide 33
Supply Chain Attacks

Slide 34
Supply Chain Security Tool

Slide 35
No content

Slide 36
No content

Slide 37
Applying DevOps …

Slide 38
New technology … new security holes … new security best practices.

Slide 39
Applying DevSecOps …

Slide 40
Pipeline sample
https://github.com/krol3/demo-go-xss/

Slide 41
Pipeline sample – Detecting XSS

Slide 42
No content

Slide 43
© 2022 Aqua Security Software Ltd., All Rights Reserved
Thanks
in/carolgv krol3 @krol_valencia