Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The DevSecOps Iceberg @ Cloud Native London

Viktor Petersson
January 08, 2020
Technology
0
220

The DevSecOps Iceberg @ Cloud Native London

The DevSecOps Iceberg was coined in this (https://wott.io/blog/thoughts/2019/11/29/the-devsecops-iceberg) blog post and speaks about the various layers (application, container, operating system) in your stack and infrastructure that needs to be protected. The relevant code, along with a PDF of the above deck (with working links) can be found here (https://github.com/vpetersson/cloudnative-london-demo).

Viktor Petersson

January 08, 2020
Tweet

More Decks by Viktor Petersson

See All by Viktor Petersson
The history of how Screenly OSE became the most popular digital signage project on GitHub
vpetersson
0
100
What's mtLS? @ Docker London
vpetersson
0
340
The "S" in "IoT" stands for "Security"
vpetersson
0
130
Living on the Edge @ Kubernetes London
vpetersson
0
94
The 'S' in IoT Stands for Security (a.k.a. Internet of Shit)
vpetersson
0
230
Lessons learned from Screenly @ Linuxing in London
vpetersson
0
160
Provisioner @ Ansible London
vpetersson
0
8.8k
Screenly @ IoT London
vpetersson
1
6.9k
IoT Use Case: Screenly
vpetersson
0
140

Other Decks in Technology

See All in Technology
replace of cart system on ZOZOTOWN
takahashikazutaro
0
340
“品質”をみんなのものにするために行なっている入社者オンボーディング/Onboarding new members to think about "quality" together
mii3king
0
250
[CI/CD2023]OSSで構築するOpenAPI開発のCI/CD
xibuka
2
260
レコメンドコンペ入門
t88
0
120
TSN(Time-Sensitive Networking)を環境構築して遊んでみた
iotengineer22
0
630
nlp2023 位置属性を有しない事物に対する地理的特定性の分析
takashiinui
0
140
Invitation to K8s-Docs ja
nasa9084
0
1.1k
人生がときめく自宅ネットワークの魔法
tatematsu_san
1
600
Agileを始める前に知っておきたい3つの真実
chiroruxx
8
1.2k
スタートアップだからこそ考えるフロントエンドのテスト戦略
yoshinagaiwnl
4
570
ビギナー向け エッジランタイムのすすめ | エッジランタイムを意識した開発をはじめよう
aiji42
1
620
GitHub Actionsと"仲良くなる"ための練習方法
tsubakimoto_s
10
2.8k

Featured

See All Featured
Fantastic passwords and where to find them - at NoRuKo
philnash
32
1.9k
Become a Pro
speakerdeck
PRO
6
3.3k
Fashionably flexible responsive web design (full day workshop)
malarkey
396
64k
Designing on Purpose - Digital PM Summit 2013
jponch
108
5.9k
Streamline your AJAX requests with AmplifyJS and jQuery
dougneiner
128
8.8k
Automating Front-end Workflow
addyosmani
1351
200k
Creatively Recalculating Your Daily Design Routine
revolveconf
207
11k
Web development in the modern age
philhawksworth
197
9.6k
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k
jQuery: Nuts, Bolts and Bling
dougneiner
57
6.7k
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
reverentgeek
176
9.2k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
31
20k

Transcript

  1. THE DEVSECOPS ICEBERG
    wott.io @vpetersson

    View Slide

  2. OUTLINE
    What is the DevSecOps Iceberg?
    Why is it an iceberg?
    Review of the layers in the iceberg
    Summary
    @vpetersson
    wott.io

    View Slide

  3. @vpetersson
    wott.io

    View Slide

  4. @vpetersson
    wott.io

    View Slide

  5. WHY IS THIS IMPORTANT?
    @vpetersson
    wott.io

    View Slide

  6. WHAT'S WOTT?
    @vpetersson
    wott.io
    Security tool for developers
    Provides cryptographic identity
    (x509)
    Ongoing security audit of fleet
    CVE scanning
    Workflow integrations (GitHub,
    Slack etc)
    Gamification
    (DevSecOps)

    View Slide

  7. PREP
    Created an account with:
    (GitHub)
    Snyk
    Aqua
    WoTT
    Got a GitHub repo with sample code
    Connected CircleCI to the repo
    @vpetersson
    wott.io

    View Slide

  8. PREP CIRCLE CI
    @vpetersson
    wott.io

    View Slide

  9. ENVIRONMENT
    Python app
    ...with dependencies
    ...running in Docker
    ...on a Linux host
    ...which we deploy daily(ish)
    @vpetersson
    wott.io

    View Slide

  10. APPLICATION LAYER
    @vpetersson
    wott.io

    View Slide

  11. OVERVIEW
    @vpetersson
    wott.io
    Your code
    Your dependencies
    [ ]

    View Slide

  12. WHY DOES IT MATTER?
    Your app servers are likely publicly exposed
    Your app(s) likely uses a large set of libraries/dependencies
    Supply chain security
    "event-stream" npm package example
    @vpetersson
    wott.io

    View Slide

  13. WHEN TO RUN?
    During development
    During the Pull Request (or similar)
    During build on CI
    This is what we'll do
    @vpetersson
    wott.io

    View Slide

  14. TOOLS
    Snyk
    GitHub Security Alerts (former Dependabot)
    @vpetersson
    wott.io

    View Slide

  15. @vpetersson
    wott.io
    DEMO GOD

    View Slide

  16. DEMO
    Let's use Snyk for our scanner
    Let's use CircleCI as our CI/CD runner
    Let's break out the test to a separate
    container for isolation
    @vpetersson
    wott.io

    View Slide

  17. CONTAINER LAYER
    @vpetersson
    wott.io

    View Slide

  18. OVERVIEW
    @vpetersson
    wott.io
    Your container
    Your runtime
    [ ]

    View Slide

  19. WHY DOES IT MATTER?
    Can provide a false sense of security
    There are a lot of vulnerable docker images out there
    @vpetersson
    wott.io

    View Slide

  20. WHEN TO RUN?
    On CI
    This is what we will do
    In the Container Registry
    @vpetersson
    wott.io

    View Slide

  21. TOOLS
    Aqua MicroScanner (to be replaced by Trivy)
    Anchore
    Sysdig Secure and Falco
    hadolint - Lint/Audit Dockerfiles
    Docker Bench for Security - Audit Docker host security
    CoreOS/RedHat Quay
    Snyk Container
    @vpetersson
    wott.io

    View Slide

  22. DEMO
    Let's use Aqua's MicroScanner for our scanner
    Again, let's extend our CircleCI to do this too
    @vpetersson
    wott.io

    View Slide

  23. OPERATING SYSTEM LAYER
    @vpetersson
    wott.io

    View Slide

  24. "This is out of scope,
    said no attacker ever."
    @vpetersson
    wott.io

    View Slide

  25. OVERVIEW
    Pet vs Cattle
    Understand your vs your cloud vendors responsibilities
    @vpetersson
    wott.io

    View Slide

  26. WHY DOES IT MATTER?
    root on host == game over
    Remember Heartbleed, Spectre and Meltdown?
    Think about network'd services on any server
    (Zero Trust Networking)
    @vpetersson
    wott.io

    View Slide

  27. WHEN TO RUN?
    Continuously on all hosts
    @vpetersson
    wott.io

    View Slide

  28. TOOLS
    WoTT
    Red Hat Satellite
    Aqua Security for Cloud VMs
    Ubuntu Landscape
    DevSec.io - Server Hardening
    @vpetersson
    wott.io

    View Slide

  29. DEMO
    Let's use WoTT to audit the host
    Regular VM on GCE
    @vpetersson
    wott.io

    View Slide

  30. SUMMARY
    @vpetersson
    wott.io

    View Slide

  31. Understand your threat model
    You need to secure all layers in the DevSecOps Iceberg
    Different layers have different attack vectors
    @vpetersson
    wott.io

    View Slide

  32. REFERENCES
    Example GitHub repo
    DevSecOps Iceberg blog post
    @vpetersson
    wott.io

    View Slide