The DevSecOps Iceberg @ Cloud Native London

Transcript

1. THE DEVSECOPS ICEBERG wott.io @vpetersson

2. OUTLINE What is the DevSecOps Iceberg? Why is it an

   iceberg? Review of the layers in the iceberg Summary @vpetersson wott.io

3. @vpetersson wott.io

4. @vpetersson wott.io

5. WHY IS THIS IMPORTANT? @vpetersson wott.io

6. WHAT'S WOTT? @vpetersson wott.io Security tool for developers Provides cryptographic

   identity (x509) Ongoing security audit of fleet CVE scanning Workflow integrations (GitHub, Slack etc) Gamification (DevSecOps)

7. PREP Created an account with: (GitHub) Snyk Aqua WoTT Got

   a GitHub repo with sample code Connected CircleCI to the repo @vpetersson wott.io

8. PREP CIRCLE CI @vpetersson wott.io

9. ENVIRONMENT Python app ...with dependencies ...running in Docker ...on a

   Linux host ...which we deploy daily(ish) @vpetersson wott.io

10. APPLICATION LAYER @vpetersson wott.io

11. OVERVIEW @vpetersson wott.io Your code Your dependencies [ ]

12. WHY DOES IT MATTER? Your app servers are likely publicly

    exposed Your app(s) likely uses a large set of libraries/dependencies Supply chain security "event-stream" npm package example @vpetersson wott.io

13. WHEN TO RUN? During development During the Pull Request (or

    similar) During build on CI This is what we'll do @vpetersson wott.io

14. TOOLS Snyk GitHub Security Alerts (former Dependabot) @vpetersson wott.io

15. @vpetersson wott.io DEMO GOD

16. DEMO Let's use Snyk for our scanner Let's use CircleCI

    as our CI/CD runner Let's break out the test to a separate container for isolation @vpetersson wott.io

17. CONTAINER LAYER @vpetersson wott.io

18. OVERVIEW @vpetersson wott.io Your container Your runtime [ ]

19. WHY DOES IT MATTER? Can provide a false sense of

    security There are a lot of vulnerable docker images out there @vpetersson wott.io

20. WHEN TO RUN? On CI This is what we will

    do In the Container Registry @vpetersson wott.io

21. TOOLS Aqua MicroScanner (to be replaced by Trivy) Anchore Sysdig

    Secure and Falco hadolint - Lint/Audit Dockerfiles Docker Bench for Security - Audit Docker host security CoreOS/RedHat Quay Snyk Container @vpetersson wott.io

22. DEMO Let's use Aqua's MicroScanner for our scanner Again, let's

    extend our CircleCI to do this too @vpetersson wott.io

23. OPERATING SYSTEM LAYER @vpetersson wott.io

24. "This is out of scope, said no attacker ever." @vpetersson

    wott.io

25. OVERVIEW Pet vs Cattle Understand your vs your cloud vendors

    responsibilities @vpetersson wott.io

26. WHY DOES IT MATTER? root on host == game over

    Remember Heartbleed, Spectre and Meltdown? Think about network'd services on any server (Zero Trust Networking) @vpetersson wott.io

27. WHEN TO RUN? Continuously on all hosts @vpetersson wott.io

28. TOOLS WoTT Red Hat Satellite Aqua Security for Cloud VMs

    Ubuntu Landscape DevSec.io - Server Hardening @vpetersson wott.io

29. DEMO Let's use WoTT to audit the host Regular VM

    on GCE @vpetersson wott.io

30. SUMMARY @vpetersson wott.io

31. Understand your threat model You need to secure all layers

    in the DevSecOps Iceberg Different layers have different attack vectors @vpetersson wott.io

32. REFERENCES Example GitHub repo DevSecOps Iceberg blog post @vpetersson wott.io