Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The DevSecOps Iceberg @ Cloud Native London

The DevSecOps Iceberg @ Cloud Native London

The DevSecOps Iceberg was coined in this (https://wott.io/blog/thoughts/2019/11/29/the-devsecops-iceberg) blog post and speaks about the various layers (application, container, operating system) in your stack and infrastructure that needs to be protected. The relevant code, along with a PDF of the above deck (with working links) can be found here (https://github.com/vpetersson/cloudnative-london-demo).

Viktor Petersson

January 08, 2020

More Decks by Viktor Petersson

Other Decks in Technology


  1. OUTLINE What is the DevSecOps Iceberg? Why is it an

    iceberg? Review of the layers in the iceberg Summary @vpetersson wott.io
  2. WHAT'S WOTT? @vpetersson wott.io Security tool for developers Provides cryptographic

    identity (x509) Ongoing security audit of fleet CVE scanning Workflow integrations (GitHub, Slack etc) Gamification (DevSecOps)
  3. PREP Created an account with: (GitHub) Snyk Aqua WoTT Got

    a GitHub repo with sample code Connected CircleCI to the repo @vpetersson wott.io
  4. ENVIRONMENT Python app ...with dependencies ...running in Docker ...on a

    Linux host ...which we deploy daily(ish) @vpetersson wott.io
  5. WHY DOES IT MATTER? Your app servers are likely publicly

    exposed Your app(s) likely uses a large set of libraries/dependencies Supply chain security "event-stream" npm package example @vpetersson wott.io
  6. WHEN TO RUN? During development During the Pull Request (or

    similar) During build on CI This is what we'll do @vpetersson wott.io
  7. DEMO Let's use Snyk for our scanner Let's use CircleCI

    as our CI/CD runner Let's break out the test to a separate container for isolation @vpetersson wott.io
  8. WHY DOES IT MATTER? Can provide a false sense of

    security There are a lot of vulnerable docker images out there @vpetersson wott.io
  9. WHEN TO RUN? On CI This is what we will

    do In the Container Registry @vpetersson wott.io
  10. TOOLS Aqua MicroScanner (to be replaced by Trivy) Anchore Sysdig

    Secure and Falco hadolint - Lint/Audit Dockerfiles Docker Bench for Security - Audit Docker host security CoreOS/RedHat Quay Snyk Container @vpetersson wott.io
  11. DEMO Let's use Aqua's MicroScanner for our scanner Again, let's

    extend our CircleCI to do this too @vpetersson wott.io
  12. WHY DOES IT MATTER? root on host == game over

    Remember Heartbleed, Spectre and Meltdown? Think about network'd services on any server (Zero Trust Networking) @vpetersson wott.io
  13. TOOLS WoTT Red Hat Satellite Aqua Security for Cloud VMs

    Ubuntu Landscape DevSec.io - Server Hardening @vpetersson wott.io
  14. Understand your threat model You need to secure all layers

    in the DevSecOps Iceberg Different layers have different attack vectors @vpetersson wott.io