$30 off During Our Annual Pro Sale. View Details »

The DevSecOps Iceberg @ Cloud Native London

Viktor Petersson
January 08, 2020
Technology
0
260

The DevSecOps Iceberg @ Cloud Native London

The DevSecOps Iceberg was coined in this (https://wott.io/blog/thoughts/2019/11/29/the-devsecops-iceberg) blog post and speaks about the various layers (application, container, operating system) in your stack and infrastructure that needs to be protected. The relevant code, along with a PDF of the above deck (with working links) can be found here (https://github.com/vpetersson/cloudnative-london-demo).

Viktor Petersson

January 08, 2020
Tweet

More Decks by Viktor Petersson

See All by Viktor Petersson
From Pets to Cattle
vpetersson
0
54
Beyond Just a Menu Display
vpetersson
0
10
The history of how Screenly OSE became the most popular digital signage project on GitHub
vpetersson
0
120
What's mtLS? @ Docker London
vpetersson
0
370
The "S" in "IoT" stands for "Security"
vpetersson
0
160
Living on the Edge @ Kubernetes London
vpetersson
0
99
The 'S' in IoT Stands for Security (a.k.a. Internet of Shit)
vpetersson
0
260
Lessons learned from Screenly @ Linuxing in London
vpetersson
0
170
Provisioner @ Ansible London
vpetersson
0
8.9k

Other Decks in Technology

See All in Technology
ソフトウェアの内部品質に生じる様々な問題は組織設計にその原因があることも多い / Internal Quality Issues Caused by Organizational Design
mtx2s
111
45k
⾃律的な開発チームを⽀えるためのSLO運⽤
sansantech
PRO
5
870
分散ストレージはすごいぞ
sat
PRO
1
130
スタートアップにおける、チーム拡大を見据えたコンポーネント分割の取り組み
rynsuke
2
870
コロプラ_SRE_LCE_ゲームバックエンド_性能との戦い
colopl
0
140
Java in containers and serverless
takesection
0
120
kintone テクニカルライター採用ピッチ資料
cybozuinsideout
PRO
0
710
エンタープライズSaaSへの挑戦〜顧客の事業を成長させるプロダクトマネジメントとは?〜 / pmconf2023
route06
2
760
生成AIでシステム開発はどう変わるか
etaroid
17
7k
DMMプラットフォームにおける GKE を利用した プラットフォームエンジニアリングへの 取り組み
pospome
1
170
device mapperによるディスクI/O障害のエミュレーション
sat
PRO
7
2.1k
The future is already here – Mastering the challenges of the coming years
ufried
0
300

Featured

See All Featured
The MySQL Ecosystem @ GitHub 2015
samlambert
241
11k
The Invisible Side of Design
smashingmag
291
49k
Principles of Awesome APIs and How to Build Them.
keavy
119
16k
How GitHub Uses GitHub to Build GitHub
holman
467
280k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
1
890
No one is an island. Learnings from fostering a developers community.
thoeni
14
1.8k
StorybookのUI Testing Handbookを読んだ
zakiyama
9
4.1k
Put a Button on it: Removing Barriers to Going Fast.
kastner
56
2.8k
Mobile First: as difficult as doing things right
swwweet
214
8.3k
What’s in a name? Adding method to the madness
productmarketing
PRO
14
2.3k
Gamification - CAS2011
davidbonilla
75
4.4k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
152
14k

Transcript

  1. THE DEVSECOPS ICEBERG
    wott.io @vpetersson

    View Slide

  2. OUTLINE
    What is the DevSecOps Iceberg?
    Why is it an iceberg?
    Review of the layers in the iceberg
    Summary
    @vpetersson
    wott.io

    View Slide

  3. @vpetersson
    wott.io

    View Slide

  4. @vpetersson
    wott.io

    View Slide

  5. WHY IS THIS IMPORTANT?
    @vpetersson
    wott.io

    View Slide

  6. WHAT'S WOTT?
    @vpetersson
    wott.io
    Security tool for developers
    Provides cryptographic identity
    (x509)
    Ongoing security audit of fleet
    CVE scanning
    Workflow integrations (GitHub,
    Slack etc)
    Gamification
    (DevSecOps)

    View Slide

  7. PREP
    Created an account with:
    (GitHub)
    Snyk
    Aqua
    WoTT
    Got a GitHub repo with sample code
    Connected CircleCI to the repo
    @vpetersson
    wott.io

    View Slide

  8. PREP CIRCLE CI
    @vpetersson
    wott.io

    View Slide

  9. ENVIRONMENT
    Python app
    ...with dependencies
    ...running in Docker
    ...on a Linux host
    ...which we deploy daily(ish)
    @vpetersson
    wott.io

    View Slide

  10. APPLICATION LAYER
    @vpetersson
    wott.io

    View Slide

  11. OVERVIEW
    @vpetersson
    wott.io
    Your code
    Your dependencies
    [ ]

    View Slide

  12. WHY DOES IT MATTER?
    Your app servers are likely publicly exposed
    Your app(s) likely uses a large set of libraries/dependencies
    Supply chain security
    "event-stream" npm package example
    @vpetersson
    wott.io

    View Slide

  13. WHEN TO RUN?
    During development
    During the Pull Request (or similar)
    During build on CI
    This is what we'll do
    @vpetersson
    wott.io

    View Slide

  14. TOOLS
    Snyk
    GitHub Security Alerts (former Dependabot)
    @vpetersson
    wott.io

    View Slide

  15. @vpetersson
    wott.io
    DEMO GOD

    View Slide

  16. DEMO
    Let's use Snyk for our scanner
    Let's use CircleCI as our CI/CD runner
    Let's break out the test to a separate
    container for isolation
    @vpetersson
    wott.io

    View Slide

  17. CONTAINER LAYER
    @vpetersson
    wott.io

    View Slide

  18. OVERVIEW
    @vpetersson
    wott.io
    Your container
    Your runtime
    [ ]

    View Slide

  19. WHY DOES IT MATTER?
    Can provide a false sense of security
    There are a lot of vulnerable docker images out there
    @vpetersson
    wott.io

    View Slide

  20. WHEN TO RUN?
    On CI
    This is what we will do
    In the Container Registry
    @vpetersson
    wott.io

    View Slide

  21. TOOLS
    Aqua MicroScanner (to be replaced by Trivy)
    Anchore
    Sysdig Secure and Falco
    hadolint - Lint/Audit Dockerfiles
    Docker Bench for Security - Audit Docker host security
    CoreOS/RedHat Quay
    Snyk Container
    @vpetersson
    wott.io

    View Slide

  22. DEMO
    Let's use Aqua's MicroScanner for our scanner
    Again, let's extend our CircleCI to do this too
    @vpetersson
    wott.io

    View Slide

  23. OPERATING SYSTEM LAYER
    @vpetersson
    wott.io

    View Slide

  24. "This is out of scope,
    said no attacker ever."
    @vpetersson
    wott.io

    View Slide

  25. OVERVIEW
    Pet vs Cattle
    Understand your vs your cloud vendors responsibilities
    @vpetersson
    wott.io

    View Slide

  26. WHY DOES IT MATTER?
    root on host == game over
    Remember Heartbleed, Spectre and Meltdown?
    Think about network'd services on any server
    (Zero Trust Networking)
    @vpetersson
    wott.io

    View Slide

  27. WHEN TO RUN?
    Continuously on all hosts
    @vpetersson
    wott.io

    View Slide

  28. TOOLS
    WoTT
    Red Hat Satellite
    Aqua Security for Cloud VMs
    Ubuntu Landscape
    DevSec.io - Server Hardening
    @vpetersson
    wott.io

    View Slide

  29. DEMO
    Let's use WoTT to audit the host
    Regular VM on GCE
    @vpetersson
    wott.io

    View Slide

  30. SUMMARY
    @vpetersson
    wott.io

    View Slide

  31. Understand your threat model
    You need to secure all layers in the DevSecOps Iceberg
    Different layers have different attack vectors
    @vpetersson
    wott.io

    View Slide

  32. REFERENCES
    Example GitHub repo
    DevSecOps Iceberg blog post
    @vpetersson
    wott.io

    View Slide