
DevSecOps meets GitOps with Twistlock and Weaveworks

Twistlock
September 26, 2018


Today’s enterprises are tasked with building and deploying modern applications more quickly than ever before. As they embrace cloud native technologies like containers and Kubernetes for managing their applications, they leverage purpose-built platforms designed for efficiency and security.

Twistlock and Weaveworks partnered to present this webinar, which shows how you can increase reliability and velocity by implementing a GitOps model while keeping an eye on vulnerabilities and compliance through DevSecOps best practices.


Transcript

  1. TWISTLOCK | © 2018 | Confidential. Keith Mokris leads product marketing at Twistlock, with previous security experience in the mobile app security space. Based in Portland, OR. Avid photographer. @keithmokris
  2. Tangible benefits of DevSecOps: gain visibility, deploy higher quality code, avoid security incidents in production. Control what can and can’t progress through your development pipeline. Know exactly what’s in your images and where risk is introduced. Fixing flaws earlier in the software development lifecycle reduces costs and helps your organization avoid costly data breaches and security issues.
  3. Steps and tools involved with building, shipping, and running containers (Build, Ship, Run). Build: a developer writes a Dockerfile, which includes a base image, maintainer, run instructions, etc., that is then built into an image. Ship: images are stored in a repository, which is used to deploy images to run in environments of your choosing. Run: teams can run containers in their own data center or on various cloud services like the ones shown on the slide.
  4. Know the source and content of your images. Do you know where your containers come from? Are your developers downloading container images and libraries from unknown and potentially harmful sources? Do the containers use third party code that is obsolete or vulnerable?
  5. Eradicate vulnerabilities from your containers. Container images are typically built on some base image, which is itself built on top of other base images. A developer may grab a base image and other layers from public third party sources. These images and libraries may contain obsolete or vulnerable code, thereby putting your application at risk.
  6. Would you want this image running in your environment? An example hellonode image built from a GitHub tutorial: 270 high vulnerabilities, 900 medium vulnerabilities. Yeah, no thanks!
  7. Harden your images, containers, daemons, and hosts. Implementing the Docker and Kubernetes CIS Benchmarks is essential. Automation provides tremendous benefits. Example checks:
     • Do not mount sensitive host system directories on containers
     • Open only needed ports on container
     • Only allow trusted users to control Docker daemon
     • Don’t allow secrets in clear text environment variables
  8. Integrating security into your CI/CD pipeline. The best place to detect and fix security vulnerabilities is during development and as part of the CI/CD workflow. Use your CI/CD tools to initiate security scans whenever a new image is constructed and publish the results in the native CI/CD console. Twistlock offers the ability to fail a build and set grace periods based on granular policies.
  9. Continuously monitor your containers, images, hosts, and registry with Twistlock Vulnerability Explorer. Stack-rank the highest vulnerabilities, correlated with contextual data. Examples: Does the container have listening ports? Does it have a security profile applied? Does the vulnerability include remote code execution?
  10. Automate anomaly detection and threat defense in container runtime. Containers should be minimal, declarative, and immutable. Those characteristics mean that it is actually possible to build a reliable baseline for the containerized application. Using this baseline at runtime you can detect anomalies and active threats much more accurately than with monolithic applications that change frequently. Automating the baselining process, the detection actions, as well as the enforcement, is the only way to scale up runtime security.
  11. Powerful Runtime Defense with Twistlock. Defense-in-depth provides several security layers to protect running applications: CNAF, a layer 7 firewall, prevents modern network attacks; Runtime Defense automatically models each image, container, and host to prevent anomalous activity; CNNF, a layer 3 firewall, locks down pod-to-pod traffic without any manual work.
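The four example checks on the "Harden your images, containers, daemons, and hosts" slide, automated over a container's configuration. This is an added example, not code from the deck or from Twistlock; the input shape loosely mimics `docker inspect` output, and the sample container and port allow-list are constructed.

```python
# Added example, not code from the Twistlock/Weaveworks deck: automate the CIS-style
# checks listed on the "Harden your images" slide against a container's configuration.
# Input shape loosely mimics `docker inspect` (HostConfig/Config keys); the sample
# container and the port allow-list are constructed for this example.
import re

SENSITIVE_HOST_DIRS = ("/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr")
DOCKER_DAEMON_SOCKET = "/var/run/docker.sock"
SECRET_ENV_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)

def _is_sensitive_host_path(src):
    # Host root, or anything at or below a sensitive system directory.
    return src == "/" or any(src == d or src.startswith(d + "/") for d in SENSITIVE_HOST_DIRS)

def check_container(inspect_doc, allowed_ports):
    """Return (check_id, detail) findings; an empty list means every check passed."""
    findings = []
    host = inspect_doc.get("HostConfig", {})
    cfg = inspect_doc.get("Config", {})
    # Do not mount sensitive host directories. The daemon socket gets its own check:
    # a container that can reach it controls the Docker daemon, so it is the
    # container-side form of "only trusted users control the daemon".
    for bind in host.get("Binds") or []:
        src = bind.split(":")[0]
        if src == DOCKER_DAEMON_SOCKET:
            findings.append(("daemon-control", "docker socket mounted: " + bind))
        elif _is_sensitive_host_path(src):
            findings.append(("sensitive-mount", "host directory mounted: " + bind))
    # Open only needed ports on the container.
    for port_proto in host.get("PortBindings") or {}:
        if int(port_proto.split("/")[0]) not in allowed_ports:
            findings.append(("unneeded-port", port_proto + " published but not allow-listed"))
    # Do not allow secrets in clear-text environment variables.
    for entry in cfg.get("Env") or []:
        name = entry.split("=", 1)[0]
        if SECRET_ENV_NAME.search(name):
            findings.append(("secret-in-env", "clear-text secret in env var " + name))
    return findings

# Constructed sample container (not a real deployment): four violations plus one benign bind mount.
SAMPLE_CONTAINER = {
    "HostConfig": {
        "Binds": ["/etc:/host-etc:ro", "/var/run/docker.sock:/var/run/docker.sock",
                  "/srv/app/data:/data"],
        "PortBindings": {"8080/tcp": [{"HostPort": "8080"}], "22/tcp": [{"HostPort": "2222"}]},
    },
    "Config": {"Env": ["PATH=/usr/bin", "DB_PASSWORD=hunter2", "LOG_LEVEL=info"]},
}

def run_sample():
    return check_container(SAMPLE_CONTAINER, allowed_ports={8080})
```

Feeding real `docker inspect` JSON to `check_container` works as long as the `HostConfig.Binds`, `HostConfig.PortBindings` and `Config.Env` keys are present; anything else in the document is ignored.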
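The build gate with grace periods from the "Integrating security into your CI/CD pipeline" slide and the context-aware stack-ranking from the "Vulnerability Explorer" slide, worked through on one scan result. This is an added example rather than Twistlock's policy engine; the scan findings, container context, severity weights and grace periods are all constructed, and the `VULN-n` ids are placeholders, not real CVEs.

```python
# Added example, not the vendor's policy engine: a build gate with per-severity grace
# periods (the "Integrating security into your CI/CD pipeline" slide) and a contextual
# stack-rank of findings (the "Vulnerability Explorer" slide). Scan results, container
# context, weights and grace periods are all constructed for this example.
from datetime import date

SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
# Days a finding with an available fix may stay in the image before the build fails;
# severities absent here never block on their own.
GRACE_DAYS = {"critical": 0, "high": 7, "medium": 30}

def risk_score(vuln, ctx):
    """Severity weight, raised by runtime context that makes the flaw reachable."""
    score = SEVERITY_WEIGHT[vuln["severity"]]
    if vuln.get("rce"):                  # remotely exploitable beats a local-only bug
        score *= 2
    if ctx.get("listening_ports"):       # a network-reachable container is exposed
        score *= 1.5
    if not ctx.get("security_profile"):  # no seccomp/AppArmor profile to contain it
        score *= 1.25
    return score

def stack_rank(vulns, ctx):
    """Highest contextual risk first: what to fix before anything else."""
    return sorted(vulns, key=lambda v: risk_score(v, ctx), reverse=True)

def gate(vulns, today):
    """Return (passed, blocking ids). A finding blocks once a fix has been available
    longer than its severity's grace period; findings without a fix only warn."""
    blocking = [v["id"] for v in vulns
                if v.get("fix_date") is not None
                and v["severity"] in GRACE_DAYS
                and (today - v["fix_date"]).days > GRACE_DAYS[v["severity"]]]
    return (not blocking, blocking)

# Constructed scan output; VULN-n ids are placeholders, not real CVEs.
SCAN = [
    {"id": "VULN-1", "severity": "high", "rce": True, "fix_date": date(2018, 9, 1)},
    {"id": "VULN-2", "severity": "critical", "rce": False, "fix_date": None},
    {"id": "VULN-3", "severity": "medium", "rce": False, "fix_date": date(2018, 9, 20)},
    {"id": "VULN-4", "severity": "low", "rce": True, "fix_date": date(2018, 1, 1)},
]
CONTEXT = {"listening_ports": [8080], "security_profile": None}

def run_sample(today=date(2018, 9, 26)):
    ranked = [v["id"] for v in stack_rank(SCAN, CONTEXT)]
    passed, blocking = gate(SCAN, today)
    return ranked, passed, blocking
```

Note that the high-severity finding with remote code execution outranks the critical one without it, which is the point of correlating severity with context rather than sorting on CVSS alone.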
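The baselining idea from the "Automate anomaly detection and threat defense in container runtime" slide, as an added example that is not Twistlock's Runtime Defense: a per-image model is learned during a learning window, then frozen, and any process, port or file the image never showed while learning is reported. The event stream and field names are constructed assumptions.

```python
# Added example, not Twistlock's Runtime Defense: learn a per-image behavioural baseline
# during a learning window, then treat anything outside it as an anomaly. An immutable
# image runs the same small set of processes, ports and files every time, so "never seen
# while learning" is a strong signal. Events are constructed; field names are assumptions.
from collections import defaultdict

class RuntimeBaseline:
    def __init__(self):
        # image -> kind ("process" | "port" | "file") -> set of observed values
        self.models = defaultdict(lambda: defaultdict(set))
        self.learning = True

    def observe(self, event):
        """Learning: extend the model and return None. Enforcing: return an alert dict
        for any value the image never showed while learning, else None."""
        model = self.models[event["image"]]
        kind, value = event["kind"], event["value"]
        if self.learning:
            model[kind].add(value)
            return None
        if value in model[kind]:
            return None
        # An image with no learned model at all alerts on every event: unknown images
        # should not run unbaselined.
        return {"image": event["image"], "kind": kind, "value": value, "action": "alert"}

    def finalize(self):
        # Freeze the baseline; from here on observe() enforces rather than learns.
        self.learning = False

IMAGE = "shop/web:1.0"   # constructed image name
LEARNING_EVENTS = [
    {"image": IMAGE, "kind": "process", "value": "nginx"},
    {"image": IMAGE, "kind": "port", "value": 80},
    {"image": IMAGE, "kind": "file", "value": "/var/cache/nginx"},
]
RUNTIME_EVENTS = [
    {"image": IMAGE, "kind": "process", "value": "nginx"},         # in baseline, fine
    {"image": IMAGE, "kind": "process", "value": "sh"},            # new process: alert
    {"image": IMAGE, "kind": "port", "value": 8443},               # new listener: alert
    {"image": IMAGE, "kind": "file", "value": "/var/cache/nginx"},  # in baseline, fine
]

def run_sample():
    """Return the alerts raised by the constructed runtime events."""
    base = RuntimeBaseline()
    for e in LEARNING_EVENTS:
        base.observe(e)
    base.finalize()
    return [a for e in RUNTIME_EVENTS if (a := base.observe(e)) is not None]
```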