SlideShare a Scribd company logo

Introducing a Security Feedback Loop to your CI Pipelines

Codefresh
Codefresh

Watch the webinar here: https://codefresh.io/security-feedback-loop-lp/ Sign up for a FREE Codefresh account today: https://codefresh.io/codefresh-signup/ We're all looking at ways to prevent vulnerabilities from escaping into our production environments. Why not require scans of your Docker images before they're even uploaded to your production Docker registry? SHIFT LEFT! Codefresh has worked with Twistlock to run Twist CLI using a Docker image as a build step in CI pipelines. Join Codefresh, Twistlock, and Steelcase as we demonstrate setting up vulnerability and compliance thresholds in a CI pipeline. We will show you how to give your teams access to your Docker images' security reports & trace back to your report from your production Kubernetes cluster using Codefresh.

Technology
1 of 19
Download to read offline
Introducing a Security Feedback Loop to your CI Pipelines Matthew Barker ⎸Twistlock Dustin Van Buskirk ⎸Codefresh Varun Tagore Korrapati ⎸Steelcase
Matthew Barker Senior Solutions Architect
Dustin Van Buskirk Senior Solutions Architect
Varun Tagore Korrapati DevOps Engineer
How to Implement Security Scanning with Codefresh and Twistlock ➢How Twistlock Improves Security ➢Why Steelcase uses Security Scanning in their CI Pipelines ➢How Codefresh Automation Works ➢DEMO! Twistlock CLI / Docker image scanning as part of your Codefresh pipelines.
● Steelcase is a 106 year old furniture company. ● Steelcase also offers a various services like Workplace Advisor. ● Thousands of IOT devices deployed. ● Fortune 500 Customers. Privacy is critical!
Introducing the Platform
Security scanning is a critical part of vulnerability management: Reduce cost compared to fixing flaws in production Eliminate high or critical vulnerabilities as soon as possible Improved code quality helps avoid costly breaches 1 2 3
Advantage of scanning with Twistlock Accuracy: Fewer false positives and negatives Control: Set thresholds based on vulnerability or compliance status Fix status: Put remediation information in developers’ fingertips
What thresholds can I set with Twistlock? Alert or block specific package based on specific vulnerability level Example 1: Block all High vulnerabilities in XXXX library Alert or block specific builds based on compliance issues Example 2: Alert on builds that have Medium or higher compliance issues Incorporate status of fixes for added control Example 3: Block all builds Medium or higher that have a known fix
Where does Twistlock integrate with Codefresh?
Adopting Kubernetes by cobbling together lots of tools and scripts is costly and time consuming ● Build servers ● Staging servers ● Build automation ● Webhooks ● Docker registry ● Kubectl ● Helm ● CI Tests ● Integration Tests ● UI Tests ● Performance Tests ● Security Scans ● Deployment tools ● Secrets management ● Configuration testing ● Traceability Dashboards Why Codefresh?
Codefresh is a DevOps Platform Built for Kubernetes Kubernetes CI/CD Pipelines Self-Service Test Environments Docker & Helm Registry Release Management
Steelcase Use Cases Before/Why? • how much security is enough security? • No security implementation in code and docker container configuration? • Hard to control what security standards and practices are followed when there are multiple developer teams working on different applications. • Get unified security standards for all the microservices. • ?Secure application from within. Why Automate: • Catch up with Security ask! • Doesn't satisfy the laws of DevOps speed. • Scan the images before they go to production or even master. • Fast and Secure development with continued feedback. • In microservice model, faster onboarding of a secure microservice with no compromise in security standards. • Less security patch releases to production.
Now • Automated security scan in protected branches. • Logical conditions to run it in other specific branches. • All new microservices have to have security steps configured in CI build. Next • Fail the CI build if the results cross threshold. • Block the merge or PR to protected branch when results crosses thresholds for security and compliance.
DEMO
Twistlock / Codefresh Integration ➢ Docker image containing Twistlock CLI, Codefresh CLI and Python scripting to tie the two together. ➢ Runs locally and on Codefresh (Docker Swarm or K8S) ➢ Adds Docker image metadata (Annotations) • Compliance and Vulnerability counts for each level [ critical, high, medium, low ] • Security Scan results Pass/Fail • Twistlock Report URL ➢ Determine Build Success or Failure based on exit code of the Twistlock scan and pass that back to Version Control System https://github.com/SC-TechDev/docker-twistcli
CHECK OUT OUR BLOG POST: codefresh.io/blog Talk to Twistlock Sign up for a Free Trial! @ Twistlock.com Get a Codefresh Demo Schedule 1:1 @ Codefresh.io

Recommended

Security at the Speed of Software - Twistlock
Security at the Speed of Software - TwistlockSecurity at the Speed of Software - Twistlock
Security at the Speed of Software - TwistlockAmazon Web Services
 
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...Cloud Native Day Tel Aviv
 
Container Security: What Enterprises Need to Know
Container Security: What Enterprises Need to KnowContainer Security: What Enterprises Need to Know
Container Security: What Enterprises Need to KnowDevOps.com
 
Shift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowShift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowDevOps.com
 
Twistlock: 7 Experts on Cloud-Native Security
Twistlock: 7 Experts on Cloud-Native SecurityTwistlock: 7 Experts on Cloud-Native Security
Twistlock: 7 Experts on Cloud-Native SecurityMighty Guides, Inc.
 
A journey from dev ops to devsecops
A journey from dev ops to devsecopsA journey from dev ops to devsecops
A journey from dev ops to devsecopsVeritis Group, Inc
 
The Future of DevSecOps
The Future of DevSecOpsThe Future of DevSecOps
The Future of DevSecOpsStefan Streichsbier
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceTej Luthra
 

Recommended

Security at the Speed of Software - Twistlock
Security at the Speed of Software - TwistlockSecurity at the Speed of Software - Twistlock
Security at the Speed of Software - TwistlockAmazon Web Services
 
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...Cloud Native Day Tel Aviv
 
Container Security: What Enterprises Need to Know
Container Security: What Enterprises Need to KnowContainer Security: What Enterprises Need to Know
Container Security: What Enterprises Need to KnowDevOps.com
 
Shift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowShift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowDevOps.com
 
Twistlock: 7 Experts on Cloud-Native Security
Twistlock: 7 Experts on Cloud-Native SecurityTwistlock: 7 Experts on Cloud-Native Security
Twistlock: 7 Experts on Cloud-Native SecurityMighty Guides, Inc.
 
A journey from dev ops to devsecops
A journey from dev ops to devsecopsA journey from dev ops to devsecops
A journey from dev ops to devsecopsVeritis Group, Inc
 
The Future of DevSecOps
The Future of DevSecOpsThe Future of DevSecOps
The Future of DevSecOpsStefan Streichsbier
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceTej Luthra
 
DevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together LogDevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together LogStefan Streichsbier
 
DevSecOps outline
DevSecOps outlineDevSecOps outline
DevSecOps outlineNickleus Jimenez
 
Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (C...
Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (C...Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (C...
Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (C...centralohioissa
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSEric Smalling
 
Dev week cloud world conf2021
Dev week cloud world conf2021Dev week cloud world conf2021
Dev week cloud world conf2021Archana Joshi
 
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
Outpost24 webinar - Why security perfection is the enemy of DevSecOpsOutpost24 webinar - Why security perfection is the enemy of DevSecOps
Outpost24 webinar - Why security perfection is the enemy of DevSecOpsOutpost24
 
DevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingDevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingAarno Aukia
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixDenim Group
 
Sam Herath - Six Critical Criteria for Cloud Workload Security
Sam Herath - Six Critical Criteria for Cloud Workload SecuritySam Herath - Six Critical Criteria for Cloud Workload Security
Sam Herath - Six Critical Criteria for Cloud Workload Securitycentralohioissa
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramTake Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramDeborah Schalm
 
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020Sohini Mukherjee
 
State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019Stefan Streichsbier
 
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and DevelopersThe DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and DevelopersDevOps.com
 
Outpost24 webinar: Security Analytics: what's in a risk score
Outpost24 webinar: Security Analytics: what's in a risk scoreOutpost24 webinar: Security Analytics: what's in a risk score
Outpost24 webinar: Security Analytics: what's in a risk scoreOutpost24
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps WhiteSource
 
Top 10 Practices of Highly Successful DevOps Incident Management Teams
Top 10 Practices of Highly Successful DevOps Incident Management TeamsTop 10 Practices of Highly Successful DevOps Incident Management Teams
Top 10 Practices of Highly Successful DevOps Incident Management TeamsDeborah Schalm
 
Outpost24 webinar - Busting the myths of cloud security
Outpost24 webinar - Busting the myths of cloud security Outpost24 webinar - Busting the myths of cloud security
Outpost24 webinar - Busting the myths of cloud security Outpost24
 
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...centralohioissa
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021lior mazor
 
Why should developers care about container security?
Why should developers care about container security?Why should developers care about container security?
Why should developers care about container security?Eric Smalling
 
Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!Eric Smalling
 
Chefdevseccon2015
Chefdevseccon2015Chefdevseccon2015
Chefdevseccon2015sc0ttruss
 

More Related Content

What's hot

DevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together LogDevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together LogStefan Streichsbier
 
Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (C...
Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (C...Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (C...
Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (C...centralohioissa
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSEric Smalling
 
Dev week cloud world conf2021
Dev week cloud world conf2021Dev week cloud world conf2021
Dev week cloud world conf2021Archana Joshi
 
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
Outpost24 webinar - Why security perfection is the enemy of DevSecOpsOutpost24 webinar - Why security perfection is the enemy of DevSecOps
Outpost24 webinar - Why security perfection is the enemy of DevSecOpsOutpost24
 
DevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingDevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingAarno Aukia
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixDenim Group
 
Sam Herath - Six Critical Criteria for Cloud Workload Security
Sam Herath - Six Critical Criteria for Cloud Workload SecuritySam Herath - Six Critical Criteria for Cloud Workload Security
Sam Herath - Six Critical Criteria for Cloud Workload Securitycentralohioissa
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramTake Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramDeborah Schalm
 
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020Sohini Mukherjee
 
State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019Stefan Streichsbier
 
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and DevelopersThe DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and DevelopersDevOps.com
 
Outpost24 webinar: Security Analytics: what's in a risk score
Outpost24 webinar: Security Analytics: what's in a risk scoreOutpost24 webinar: Security Analytics: what's in a risk score
Outpost24 webinar: Security Analytics: what's in a risk scoreOutpost24
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps WhiteSource
 
Top 10 Practices of Highly Successful DevOps Incident Management Teams
Top 10 Practices of Highly Successful DevOps Incident Management TeamsTop 10 Practices of Highly Successful DevOps Incident Management Teams
Top 10 Practices of Highly Successful DevOps Incident Management TeamsDeborah Schalm
 
Outpost24 webinar - Busting the myths of cloud security
Outpost24 webinar - Busting the myths of cloud security Outpost24 webinar - Busting the myths of cloud security
Outpost24 webinar - Busting the myths of cloud security Outpost24
 
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...centralohioissa
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021lior mazor
 
Why should developers care about container security?
Why should developers care about container security?Why should developers care about container security?
Why should developers care about container security?Eric Smalling
 

What's hot (20)

DevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together LogDevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together Log
 
DevSecOps outline
DevSecOps outlineDevSecOps outline
DevSecOps outline
 
Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (C...
Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (C...Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (C...
Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (C...
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
 
Dev week cloud world conf2021
Dev week cloud world conf2021Dev week cloud world conf2021
Dev week cloud world conf2021
 
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
Outpost24 webinar - Why security perfection is the enemy of DevSecOpsOutpost24 webinar - Why security perfection is the enemy of DevSecOps
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
 
DevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingDevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss Banking
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Sam Herath - Six Critical Criteria for Cloud Workload Security
Sam Herath - Six Critical Criteria for Cloud Workload SecuritySam Herath - Six Critical Criteria for Cloud Workload Security
Sam Herath - Six Critical Criteria for Cloud Workload Security
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramTake Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program
 
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
 
State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019
 
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and DevelopersThe DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
 
Outpost24 webinar: Security Analytics: what's in a risk score
Outpost24 webinar: Security Analytics: what's in a risk scoreOutpost24 webinar: Security Analytics: what's in a risk score
Outpost24 webinar: Security Analytics: what's in a risk score
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
 
Top 10 Practices of Highly Successful DevOps Incident Management Teams
Top 10 Practices of Highly Successful DevOps Incident Management TeamsTop 10 Practices of Highly Successful DevOps Incident Management Teams
Top 10 Practices of Highly Successful DevOps Incident Management Teams
 
Outpost24 webinar - Busting the myths of cloud security
Outpost24 webinar - Busting the myths of cloud security Outpost24 webinar - Busting the myths of cloud security
Outpost24 webinar - Busting the myths of cloud security
 
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021
 
Why should developers care about container security?
Why should developers care about container security?Why should developers care about container security?
Why should developers care about container security?
 

Similar to Introducing a Security Feedback Loop to your CI Pipelines

Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!Eric Smalling
 
Chefdevseccon2015
Chefdevseccon2015Chefdevseccon2015
Chefdevseccon2015sc0ttruss
 
Python Web Conference 2022 - Why should devs care about container security.pdf
Python Web Conference 2022 - Why should devs care about container security.pdfPython Web Conference 2022 - Why should devs care about container security.pdf
Python Web Conference 2022 - Why should devs care about container security.pdfEric Smalling
 
Cncf checkov and bridgecrew
Cncf checkov and bridgecrewCncf checkov and bridgecrew
Cncf checkov and bridgecrewLibbySchulze
 
DevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendDevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendEric Smalling
 
Container Stranger Danger - Why should devs care about container security
Container Stranger Danger - Why should devs care about container securityContainer Stranger Danger - Why should devs care about container security
Container Stranger Danger - Why should devs care about container securityEric Smalling
 
Why Should Developers Care About Container Security?
Why Should Developers Care About Container Security?Why Should Developers Care About Container Security?
Why Should Developers Care About Container Security?All Things Open
 
ATO 2022 - Why should devs care about container security.pdf
ATO 2022 - Why should devs care about container security.pdfATO 2022 - Why should devs care about container security.pdf
ATO 2022 - Why should devs care about container security.pdfEric Smalling
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyDerek E. Weeks
 
Owasp appsec container_security_supply_chain
Owasp appsec container_security_supply_chainOwasp appsec container_security_supply_chain
Owasp appsec container_security_supply_chainMichele Chubirka
 
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOpsYou Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOpsDevOps.com
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSEric Smalling
 
GDG SLK - Why should devs care about container security.pdf
GDG SLK - Why should devs care about container security.pdfGDG SLK - Why should devs care about container security.pdf
GDG SLK - Why should devs care about container security.pdfJames Anderson
 
Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?DevOps.com
 
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your doorLFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your doorEric Smalling
 
Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool sangam biradar
 
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...Weaveworks
 
How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks Ulf Mattsson
 

Similar to Introducing a Security Feedback Loop to your CI Pipelines (20)

Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!
 
Chefdevseccon2015
Chefdevseccon2015Chefdevseccon2015
Chefdevseccon2015
 
Python Web Conference 2022 - Why should devs care about container security.pdf
Python Web Conference 2022 - Why should devs care about container security.pdfPython Web Conference 2022 - Why should devs care about container security.pdf
Python Web Conference 2022 - Why should devs care about container security.pdf
 
Cncf checkov and bridgecrew
Cncf checkov and bridgecrewCncf checkov and bridgecrew
Cncf checkov and bridgecrew
 
DevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendDevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friend
 
Container Stranger Danger - Why should devs care about container security
Container Stranger Danger - Why should devs care about container securityContainer Stranger Danger - Why should devs care about container security
Container Stranger Danger - Why should devs care about container security
 
Why Should Developers Care About Container Security?
Why Should Developers Care About Container Security?Why Should Developers Care About Container Security?
Why Should Developers Care About Container Security?
 
ATO 2022 - Why should devs care about container security.pdf
ATO 2022 - Why should devs care about container security.pdfATO 2022 - Why should devs care about container security.pdf
ATO 2022 - Why should devs care about container security.pdf
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
 
Owasp appsec container_security_supply_chain
Owasp appsec container_security_supply_chainOwasp appsec container_security_supply_chain
Owasp appsec container_security_supply_chain
 
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOpsYou Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWS
 
GDG SLK - Why should devs care about container security.pdf
GDG SLK - Why should devs care about container security.pdfGDG SLK - Why should devs care about container security.pdf
GDG SLK - Why should devs care about container security.pdf
 
BlueHat v18 || Scaling security scanning
BlueHat v18 || Scaling security scanningBlueHat v18 || Scaling security scanning
BlueHat v18 || Scaling security scanning
 
Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?
 
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your doorLFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
 
Código Seguro
Código SeguroCódigo Seguro
Código Seguro
 
Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool
 
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
 
How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks
 

More from Codefresh

Detect, debug, deploy with Codefresh and Lightstep
Detect, debug, deploy with Codefresh and LightstepDetect, debug, deploy with Codefresh and Lightstep
Detect, debug, deploy with Codefresh and LightstepCodefresh
 
CICD Pipelines for Microservices: Lessons from the Trenches
CICD Pipelines for Microservices: Lessons from the TrenchesCICD Pipelines for Microservices: Lessons from the Trenches
CICD Pipelines for Microservices: Lessons from the TrenchesCodefresh
 
Simplify Your Code with Helmfile
Simplify Your Code with HelmfileSimplify Your Code with Helmfile
Simplify Your Code with HelmfileCodefresh
 
Making the Most of Helm 3 with Codefresh
Making the Most of Helm 3 with CodefreshMaking the Most of Helm 3 with Codefresh
Making the Most of Helm 3 with CodefreshCodefresh
 
5 Simple Tips for Troubleshooting Your Kubernetes Pods
5 Simple Tips for Troubleshooting Your Kubernetes Pods5 Simple Tips for Troubleshooting Your Kubernetes Pods
5 Simple Tips for Troubleshooting Your Kubernetes PodsCodefresh
 
Best Practices for Microservice CI/CD: Lessons from Expedia and Codefresh
Best Practices for Microservice CI/CD: Lessons from Expedia and CodefreshBest Practices for Microservice CI/CD: Lessons from Expedia and Codefresh
Best Practices for Microservice CI/CD: Lessons from Expedia and CodefreshCodefresh
 
Hybrid CI/CD with Kubernetes & Codefresh
Hybrid CI/CD with Kubernetes & Codefresh Hybrid CI/CD with Kubernetes & Codefresh
Hybrid CI/CD with Kubernetes & CodefreshCodefresh
 
VM vs Docker-Based Pipelines
VM vs Docker-Based PipelinesVM vs Docker-Based Pipelines
VM vs Docker-Based PipelinesCodefresh
 
Why You Should be Using Multi-stage Docker Builds in 2019
Why You Should be Using Multi-stage Docker Builds in 2019Why You Should be Using Multi-stage Docker Builds in 2019
Why You Should be Using Multi-stage Docker Builds in 2019Codefresh
 
Deploy Secure Cloud-Native Apps Fast
Deploy Secure Cloud-Native Apps Fast Deploy Secure Cloud-Native Apps Fast
Deploy Secure Cloud-Native Apps Fast Codefresh
 
CICD Pipelines for Microservices Best Practices
CICD Pipelines for Microservices Best Practices CICD Pipelines for Microservices Best Practices
CICD Pipelines for Microservices Best Practices Codefresh
 
Codefresh CICD New Features Launch! May 2019
Codefresh CICD New Features Launch! May 2019Codefresh CICD New Features Launch! May 2019
Codefresh CICD New Features Launch! May 2019Codefresh
 
Terraform GitOps on Codefresh
Terraform GitOps on CodefreshTerraform GitOps on Codefresh
Terraform GitOps on CodefreshCodefresh
 
Adding Container Image Scanning to Your Codefresh Pipelines with Anchore
Adding Container Image Scanning to Your Codefresh Pipelines with AnchoreAdding Container Image Scanning to Your Codefresh Pipelines with Anchore
Adding Container Image Scanning to Your Codefresh Pipelines with AnchoreCodefresh
 
Image scanning using Clair
Image scanning using Clair Image scanning using Clair
Image scanning using Clair Codefresh
 
Updating Kubernetes With Helm Charts: Build, Test, Deploy with Codefresh and...
Updating Kubernetes With Helm Charts: Build, Test, Deploy with Codefresh and... Updating Kubernetes With Helm Charts: Build, Test, Deploy with Codefresh and...
Updating Kubernetes With Helm Charts: Build, Test, Deploy with Codefresh and...Codefresh
 
Docker based-Pipelines with Codefresh
Docker based-Pipelines with CodefreshDocker based-Pipelines with Codefresh
Docker based-Pipelines with CodefreshCodefresh
 
Automated Serverless Pipelines with #GitOps on Codefresh
Automated Serverless Pipelines with #GitOps on CodefreshAutomated Serverless Pipelines with #GitOps on Codefresh
Automated Serverless Pipelines with #GitOps on CodefreshCodefresh
 
Discovering and Fixing Dependency Vulnerabilities for Kubernetes apps with Sn...
Discovering and Fixing Dependency Vulnerabilities for Kubernetes apps with Sn...Discovering and Fixing Dependency Vulnerabilities for Kubernetes apps with Sn...
Discovering and Fixing Dependency Vulnerabilities for Kubernetes apps with Sn...Codefresh
 
Net Pipeline on Windows Kubernetes
Net Pipeline on Windows KubernetesNet Pipeline on Windows Kubernetes
Net Pipeline on Windows KubernetesCodefresh
 

More from Codefresh (20)

Detect, debug, deploy with Codefresh and Lightstep
Detect, debug, deploy with Codefresh and LightstepDetect, debug, deploy with Codefresh and Lightstep
Detect, debug, deploy with Codefresh and Lightstep
 
CICD Pipelines for Microservices: Lessons from the Trenches
CICD Pipelines for Microservices: Lessons from the TrenchesCICD Pipelines for Microservices: Lessons from the Trenches
CICD Pipelines for Microservices: Lessons from the Trenches
 
Simplify Your Code with Helmfile
Simplify Your Code with HelmfileSimplify Your Code with Helmfile
Simplify Your Code with Helmfile
 
Making the Most of Helm 3 with Codefresh
Making the Most of Helm 3 with CodefreshMaking the Most of Helm 3 with Codefresh
Making the Most of Helm 3 with Codefresh
 
5 Simple Tips for Troubleshooting Your Kubernetes Pods
5 Simple Tips for Troubleshooting Your Kubernetes Pods5 Simple Tips for Troubleshooting Your Kubernetes Pods
5 Simple Tips for Troubleshooting Your Kubernetes Pods
 
Best Practices for Microservice CI/CD: Lessons from Expedia and Codefresh
Best Practices for Microservice CI/CD: Lessons from Expedia and CodefreshBest Practices for Microservice CI/CD: Lessons from Expedia and Codefresh
Best Practices for Microservice CI/CD: Lessons from Expedia and Codefresh
 
Hybrid CI/CD with Kubernetes & Codefresh
Hybrid CI/CD with Kubernetes & Codefresh Hybrid CI/CD with Kubernetes & Codefresh
Hybrid CI/CD with Kubernetes & Codefresh
 
VM vs Docker-Based Pipelines
VM vs Docker-Based PipelinesVM vs Docker-Based Pipelines
VM vs Docker-Based Pipelines
 
Why You Should be Using Multi-stage Docker Builds in 2019
Why You Should be Using Multi-stage Docker Builds in 2019Why You Should be Using Multi-stage Docker Builds in 2019
Why You Should be Using Multi-stage Docker Builds in 2019
 
Deploy Secure Cloud-Native Apps Fast
Deploy Secure Cloud-Native Apps Fast Deploy Secure Cloud-Native Apps Fast
Deploy Secure Cloud-Native Apps Fast
 
CICD Pipelines for Microservices Best Practices
CICD Pipelines for Microservices Best Practices CICD Pipelines for Microservices Best Practices
CICD Pipelines for Microservices Best Practices
 
Codefresh CICD New Features Launch! May 2019
Codefresh CICD New Features Launch! May 2019Codefresh CICD New Features Launch! May 2019
Codefresh CICD New Features Launch! May 2019
 
Terraform GitOps on Codefresh
Terraform GitOps on CodefreshTerraform GitOps on Codefresh
Terraform GitOps on Codefresh
 
Adding Container Image Scanning to Your Codefresh Pipelines with Anchore
Adding Container Image Scanning to Your Codefresh Pipelines with AnchoreAdding Container Image Scanning to Your Codefresh Pipelines with Anchore
Adding Container Image Scanning to Your Codefresh Pipelines with Anchore
 
Image scanning using Clair
Image scanning using Clair Image scanning using Clair
Image scanning using Clair
 
Updating Kubernetes With Helm Charts: Build, Test, Deploy with Codefresh and...
Updating Kubernetes With Helm Charts: Build, Test, Deploy with Codefresh and... Updating Kubernetes With Helm Charts: Build, Test, Deploy with Codefresh and...
Updating Kubernetes With Helm Charts: Build, Test, Deploy with Codefresh and...
 
Docker based-Pipelines with Codefresh
Docker based-Pipelines with CodefreshDocker based-Pipelines with Codefresh
Docker based-Pipelines with Codefresh
 
Automated Serverless Pipelines with #GitOps on Codefresh
Automated Serverless Pipelines with #GitOps on CodefreshAutomated Serverless Pipelines with #GitOps on Codefresh
Automated Serverless Pipelines with #GitOps on Codefresh
 
Discovering and Fixing Dependency Vulnerabilities for Kubernetes apps with Sn...
Discovering and Fixing Dependency Vulnerabilities for Kubernetes apps with Sn...Discovering and Fixing Dependency Vulnerabilities for Kubernetes apps with Sn...
Discovering and Fixing Dependency Vulnerabilities for Kubernetes apps with Sn...
 
Net Pipeline on Windows Kubernetes
Net Pipeline on Windows KubernetesNet Pipeline on Windows Kubernetes
Net Pipeline on Windows Kubernetes
 

Recently uploaded

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 

Recently uploaded (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

Introducing a Security Feedback Loop to your CI Pipelines

  • 1. Introducing a Security Feedback Loop to your CI Pipelines Matthew Barker ⎸Twistlock Dustin Van Buskirk ⎸Codefresh Varun Tagore Korrapati ⎸Steelcase
  • 3. Dustin Van Buskirk Senior Solutions Architect
  • 5. How to Implement Security Scanning with Codefresh and Twistlock ➢How Twistlock Improves Security ➢Why Steelcase uses Security Scanning in their CI Pipelines ➢How Codefresh Automation Works ➢DEMO! Twistlock CLI / Docker image scanning as part of your Codefresh pipelines.
  • 6. ● Steelcase is a 106 year old furniture company. ● Steelcase also offers a various services like Workplace Advisor. ● Thousands of IOT devices deployed. ● Fortune 500 Customers. Privacy is critical!
  • 7.
  • 9. Security scanning is a critical part of vulnerability management: Reduce cost compared to fixing flaws in production Eliminate high or critical vulnerabilities as soon as possible Improved code quality helps avoid costly breaches 1 2 3
  • 10. Advantage of scanning with Twistlock Accuracy: Fewer false positives and negatives Control: Set thresholds based on vulnerability or compliance status Fix status: Put remediation information in developers’ fingertips
  • 11. What thresholds can I set with Twistlock? Alert or block specific package based on specific vulnerability level Example 1: Block all High vulnerabilities in XXXX library Alert or block specific builds based on compliance issues Example 2: Alert on builds that have Medium or higher compliance issues Incorporate status of fixes for added control Example 3: Block all builds Medium or higher that have a known fix
  • 12. Where does Twistlock integrate with Codefresh?
  • 13. Adopting Kubernetes by cobbling together lots of tools and scripts is costly and time consuming ● Build servers ● Staging servers ● Build automation ● Webhooks ● Docker registry ● Kubectl ● Helm ● CI Tests ● Integration Tests ● UI Tests ● Performance Tests ● Security Scans ● Deployment tools ● Secrets management ● Configuration testing ● Traceability Dashboards Why Codefresh?
  • 14. Codefresh is a DevOps Platform Built for Kubernetes Kubernetes CI/CD Pipelines Self-Service Test Environments Docker & Helm Registry Release Management
  • 15. Steelcase Use Cases Before/Why? • how much security is enough security? • No security implementation in code and docker container configuration? • Hard to control what security standards and practices are followed when there are multiple developer teams working on different applications. • Get unified security standards for all the microservices. • ?Secure application from within. Why Automate: • Catch up with Security ask! • Doesn't satisfy the laws of DevOps speed. • Scan the images before they go to production or even master. • Fast and Secure development with continued feedback. • In microservice model, faster onboarding of a secure microservice with no compromise in security standards. • Less security patch releases to production.
  • 16. Now • Automated security scan in protected branches. • Logical conditions to run it in other specific branches. • All new microservices have to have security steps configured in CI build. Next • Fail the CI build if the results cross threshold. • Block the merge or PR to protected branch when results crosses thresholds for security and compliance.
  • 17. DEMO
  • 18. Twistlock / Codefresh Integration ➢ Docker image containing Twistlock CLI, Codefresh CLI and Python scripting to tie the two together. ➢ Runs locally and on Codefresh (Docker Swarm or K8S) ➢ Adds Docker image metadata (Annotations) • Compliance and Vulnerability counts for each level [ critical, high, medium, low ] • Security Scan results Pass/Fail • Twistlock Report URL ➢ Determine Build Success or Failure based on exit code of the Twistlock scan and pass that back to Version Control System https://github.com/SC-TechDev/docker-twistcli
  • 19. CHECK OUT OUR BLOG POST: codefresh.io/blog Talk to Twistlock Sign up for a Free Trial! @ Twistlock.com Get a Codefresh Demo Schedule 1:1 @ Codefresh.io