The DevSecOps Iceberg @ Cloud Native London

The DevSecOps Iceberg was coined in this blog post (https://wott.io/blog/thoughts/2019/11/29/the-devsecops-iceberg) and describes the various layers (application, container, operating system) in your stack and infrastructure that need to be protected. The relevant code, along with a PDF of the above deck (with working links), can be found here (https://github.com/vpetersson/cloudnative-london-demo).

Viktor Petersson

January 08, 2020

Transcript

  1. THE DEVSECOPS ICEBERG
    wott.io @vpetersson

  2. OUTLINE
    What is the DevSecOps Iceberg?
    Why is it an iceberg?
    Review of the layers in the iceberg
    Summary

  3. [image-only slide]

  4. [image-only slide]

  5. WHY IS THIS IMPORTANT?

  6. WHAT'S WOTT?
    Security tool for developers
    Provides cryptographic identity (x509)
    Ongoing security audit of fleet
    CVE scanning
    Workflow integrations (GitHub, Slack etc)
    Gamification (DevSecOps)

  7. PREP
    Created an account with (via GitHub): Snyk, Aqua, WoTT
    Got a GitHub repo with sample code
    Connected CircleCI to the repo

  8. PREP: CIRCLE CI

  9. ENVIRONMENT
    Python app
    ...with dependencies
    ...running in Docker
    ...on a Linux host
    ...which we deploy daily(ish)

  10. APPLICATION LAYER

  11. OVERVIEW
    Your code
    Your dependencies

  12. WHY DOES IT MATTER?
    Your app servers are likely publicly exposed
    Your app(s) likely use a large set of libraries/dependencies
    Supply chain security: the "event-stream" npm package example

  13. WHEN TO RUN?
    During development
    During the Pull Request (or similar)
    During build on CI (this is what we'll do)

  14. TOOLS
    Snyk
    GitHub Security Alerts (formerly Dependabot)

  15. DEMO GOD

  16. DEMO
    Let's use Snyk for our scanner
    Let's use CircleCI as our CI/CD runner
    Let's break out the test to a separate container for isolation

  17. CONTAINER LAYER

  18. OVERVIEW
    Your container
    Your runtime

  19. WHY DOES IT MATTER?
    Can provide a false sense of security
    There are a lot of vulnerable Docker images out there

  20. WHEN TO RUN?
    On CI (this is what we will do)
    In the container registry

  21. TOOLS
    Aqua MicroScanner (to be replaced by Trivy)
    Anchore
    Sysdig Secure and Falco
    hadolint - lint/audit Dockerfiles
    Docker Bench for Security - audit Docker host security
    CoreOS/Red Hat Quay
    Snyk Container

  22. DEMO
    Let's use Aqua's MicroScanner for our scanner
    Again, let's extend our CircleCI config to do this too
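The two demos (slide 16, a Snyk dependency scan of the application layer; slide 22, an image scan of the container layer) both come down to the same CI step: run the scanner, read its report, and fail the job when something at or above an agreed severity shows up. The gate below is an added example written for this page, not code from the talk or from the cloudnative-london-demo repo. It reads Snyk's `snyk test --json` output and Trivy's `trivy image --format json` output (Trivy because the deck itself notes MicroScanner is being replaced by it); the JSON field names used are my reading of those formats and are assumptions, and the two sample reports are constructed with placeholder IDs and package names rather than real advisories. In a CircleCI job you would write the report to a file (`snyk test --json > snyk.json`, `trivy image --format json -o trivy.json app:$CIRCLE_SHA1`) and run this script as the next step; its non-zero exit is what fails the build.

```python
"""CI gate over a Snyk (application layer) or Trivy (container layer) report.

Added example for the DevSecOps Iceberg talk, not the talk's own code.
Field names are assumed from each tool's JSON output; samples are constructed.
"""
import json
import sys
from dataclasses import dataclass
from typing import Any, List

# Order used to compare a finding against the gate threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    layer: str      # "application" or "container"
    vuln_id: str
    package: str
    version: str
    severity: str   # normalised to lower case
    fixed_in: str   # "" when no fixed version is known


def parse_snyk(report: dict) -> List[Finding]:
    """Flatten `snyk test --json` output (assumed schema) into Findings."""
    out = []
    for v in report.get("vulnerabilities", []):
        fixed = v.get("fixedIn") or []
        out.append(Finding("application", v["id"], v["packageName"], v["version"],
                           str(v["severity"]).lower(), fixed[0] if fixed else ""))
    return out


def parse_trivy(report: Any) -> List[Finding]:
    """Flatten `trivy image --format json` output (assumed schema).

    Newer Trivy wraps targets in a top-level "Results" list; older releases
    emitted the list directly. A target with no findings carries a null or
    missing "Vulnerabilities" field, which must not crash the gate.
    """
    results = report.get("Results", []) if isinstance(report, dict) else report
    out = []
    for target in results or []:
        for v in target.get("Vulnerabilities") or []:
            out.append(Finding("container", v["VulnerabilityID"], v["PkgName"],
                               v.get("InstalledVersion", ""), str(v["Severity"]).lower(),
                               v.get("FixedVersion") or ""))
    return out


def gate(findings: List[Finding], threshold: str = "high",
         fixable_only: bool = False) -> List[Finding]:
    """Return the findings that should fail the build, worst first.

    threshold:    lowest severity that blocks (low/medium/high/critical).
    fixable_only: block only on findings with a known fix, so the gate stays
                  actionable while unfixable findings are tracked elsewhere.
    """
    floor = SEVERITY_RANK[threshold.lower()]
    blocked = [f for f in findings
               if SEVERITY_RANK.get(f.severity, 0) >= floor
               and (f.fixed_in or not fixable_only)]
    return sorted(blocked, key=lambda f: -SEVERITY_RANK.get(f.severity, 0))


def build_exit_code(blocked: List[Finding]) -> int:
    """Non-zero when anything is blocked; that is what fails the CI job."""
    return 1 if blocked else 0


# Constructed sample reports: placeholder IDs and package names, not real advisories.
SAMPLE_SNYK = {"ok": False, "vulnerabilities": [
    {"id": "SNYK-EXAMPLE-0001", "packageName": "examplelib", "version": "1.2.0",
     "severity": "medium", "fixedIn": ["1.3.0"]},
    {"id": "SNYK-EXAMPLE-0002", "packageName": "demo-parser", "version": "0.9",
     "severity": "high", "fixedIn": ["1.0"]},
    {"id": "SNYK-EXAMPLE-0003", "packageName": "toy-util", "version": "2.0",
     "severity": "critical", "fixedIn": []},
]}
SAMPLE_TRIVY = {"SchemaVersion": 2, "Results": [
    {"Target": "app:demo (debian 10)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
         "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libdemo",
         "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "LOW"},
    ]},
    {"Target": "Python", "Vulnerabilities": None},
]}


def main(argv: List[str]) -> int:
    """Usage: gate.py snyk|trivy report.json [threshold] [--fixable-only]"""
    if len(argv) < 3:
        print(main.__doc__)
        return 2
    threshold = argv[3] if len(argv) > 3 and not argv[3].startswith("--") else "high"
    with open(argv[2]) as fh:
        report = json.load(fh)
    parser = parse_snyk if argv[1] == "snyk" else parse_trivy
    blocked = gate(parser(report), threshold, "--fixable-only" in argv)
    for f in blocked:
        print(f"[{f.layer}] {f.severity.upper():8} {f.vuln_id} "
              f"{f.package}@{f.version} fix: {f.fixed_in or 'none'}")
    print(f"{len(blocked)} finding(s) at or above '{threshold}'")
    return build_exit_code(blocked)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running each scanner in its own CircleCI job (the "separate container for isolation" point on slide 16) keeps the scanner's tooling and credentials out of the image you are building, and the `--fixable-only` switch is the usual compromise when a base image carries unfixed findings that would otherwise block every build.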
  23. OPERATING SYSTEM LAYER

  24. "This is out of scope, said no attacker ever."

  25. OVERVIEW
    Pets vs cattle
    Understand your responsibilities vs your cloud vendor's

  26. WHY DOES IT MATTER?
    root on host == game over
    Remember Heartbleed, Spectre and Meltdown?
    Think about networked services on any server (Zero Trust Networking)

  27. WHEN TO RUN?
    Continuously on all hosts

  28. TOOLS
    WoTT
    Red Hat Satellite
    Aqua Security for Cloud VMs
    Ubuntu Landscape
    DevSec.io - server hardening

  29. DEMO
    Let's use WoTT to audit the host
    Regular VM on GCE

  30. SUMMARY

  31. Understand your threat model
    You need to secure all layers in the DevSecOps Iceberg
    Different layers have different attack vectors

  32. REFERENCES
    Example GitHub repo: https://github.com/vpetersson/cloudnative-london-demo
    DevSecOps Iceberg blog post: https://wott.io/blog/thoughts/2019/11/29/the-devsecops-iceberg