
The DevSecOps Iceberg @ Cloud Native London

The DevSecOps Iceberg was coined in this blog post (https://wott.io/blog/thoughts/2019/11/29/the-devsecops-iceberg) and describes the various layers (application, container, operating system) in your stack and infrastructure that need to be protected. The relevant code, along with a PDF of the above deck (with working links), can be found here (https://github.com/vpetersson/cloudnative-london-demo).

Viktor Petersson

January 08, 2020

Transcript

  1. THE DEVSECOPS ICEBERG
    wott.io @vpetersson

  2. OUTLINE
    What is the DevSecOps Iceberg?
    Why is it an iceberg?
    Review of the layers in the iceberg
    Summary

  3.

  4.

  5. WHY IS THIS IMPORTANT?

  6. WHAT'S WOTT?
    Security tool for developers
    Provides cryptographic identity (x509)
    Ongoing security audit of fleet
    CVE scanning
    Workflow integrations (GitHub, Slack etc.)
    Gamification (DevSecOps)

  7. PREP
    Created an account with:
    (GitHub)
    Snyk
    Aqua
    WoTT
    Got a GitHub repo with sample code
    Connected CircleCI to the repo

  8. PREP CIRCLE CI

  9. ENVIRONMENT
    Python app
    ...with dependencies
    ...running in Docker
    ...on a Linux host
    ...which we deploy daily(ish)

  10. APPLICATION LAYER

  11. OVERVIEW
    Your code
    Your dependencies

  12. WHY DOES IT MATTER?
    Your app servers are likely publicly exposed
    Your app(s) likely use a large set of libraries/dependencies
    Supply chain security
    "event-stream" npm package example

  13. WHEN TO RUN?
    During development
    During the Pull Request (or similar)
    During build on CI
    This is what we'll do

  14. TOOLS
    Snyk
    GitHub Security Alerts (formerly Dependabot)

  15. DEMO GOD

  16. DEMO
    Let's use Snyk for our scanner
    Let's use CircleCI as our CI/CD runner
    Let's break out the test to a separate container for isolation

  17. CONTAINER LAYER

  18. OVERVIEW
    Your container
    Your runtime

  19. WHY DOES IT MATTER?
    Can provide a false sense of security
    There are a lot of vulnerable docker images out there

  20. WHEN TO RUN?
    On CI
    This is what we will do
    In the Container Registry

  21. TOOLS
    Aqua MicroScanner (to be replaced by Trivy)
    Anchore
    Sysdig Secure and Falco
    hadolint - Lint/Audit Dockerfiles
    Docker Bench for Security - Audit Docker host security
    CoreOS/RedHat Quay
    Snyk Container

  22. DEMO
    Let's use Aqua's MicroScanner for our scanner
    Again, let's extend our CircleCI to do this too
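The two CI demos above (the Snyk dependency scan from slide 16 and the image scan from slide 22), as an added example that is not the deck's or the demo repository's own configuration: a CircleCI config that runs each scan in its own container and fails the build on findings. Assumptions: the Snyk CLI image name, a `requirements.txt` in the app repo, a `SNYK_TOKEN` project environment variable, and Trivy standing in for the retired MicroScanner (slide 21 notes that replacement).

```yaml
version: 2.1

jobs:
  # Application layer (slide 16): scan the Python dependencies with Snyk in
  # a dedicated container, so the scanner is isolated from the app build.
  dependency-scan:
    docker:
      - image: snyk/snyk:python   # assumption: Snyk's CLI image; pin a digest in real use
    steps:
      - checkout
      - run:
          name: Install dependencies so Snyk can resolve the full tree
          command: pip install -r requirements.txt   # assumption: app uses requirements.txt
      - run:
          name: Fail the build on high/critical vulnerable packages
          # SNYK_TOKEN is an assumed CircleCI project environment variable.
          command: snyk test --file=requirements.txt --severity-threshold=high

  # Container layer (slide 22): build the image and scan it before it is
  # pushed anywhere. Trivy stands in for the retired MicroScanner (slide 21).
  container-scan:
    machine:
      image: ubuntu-2004:current
    steps:
      - checkout
      - run:
          name: Build the application image
          command: docker build -t demo-app:${CIRCLE_SHA1} .
      - run:
          name: Scan image for OS-package and library CVEs
          # --exit-code 1 turns HIGH/CRITICAL findings into a failed job.
          command: |
            docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
              aquasec/trivy:latest image --exit-code 1 --severity HIGH,CRITICAL \
              demo-app:${CIRCLE_SHA1}

workflows:
  scan-before-deploy:
    jobs:
      - dependency-scan
      - container-scan:
          requires:
            - dependency-scan   # skip the image scan if dependencies already fail
```

A failing job here blocks the merge or deploy, which is the point of running the scans on CI rather than after the fact.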

  23. OPERATING SYSTEM LAYER

  24. "This is out of scope, said no attacker ever."

  25. OVERVIEW
    Pet vs Cattle
    Understand your vs. your cloud vendor's responsibilities

  26. WHY DOES IT MATTER?
    root on host == game over
    Remember Heartbleed, Spectre and Meltdown?
    Think about networked services on any server (Zero Trust Networking)

  27. WHEN TO RUN?
    Continuously on all hosts

  28. TOOLS
    WoTT
    Red Hat Satellite
    Aqua Security for Cloud VMs
    Ubuntu Landscape
    DevSec.io - Server Hardening

  29. DEMO
    Let's use WoTT to audit the host
    Regular VM on GCE

  30. SUMMARY

  31. Understand your threat model
    You need to secure all layers in the DevSecOps Iceberg
    Different layers have different attack vectors

  32. REFERENCES
    Example GitHub repo
    DevSecOps Iceberg blog post