SlideShare a Scribd company logo

Securing an NGINX deployment for K8s

DevOps Indonesia
DevOps Indonesia

Securing an NGINX deployment for K8s by Steve Giguere

Technology
1 of 34
Download to read offline
PAGE 1 DEVOPS INDONESIA PAGE 1 DEVOPS INDONESIA Steve Giguere Palo ALto Jakarta, 8 Maret 2022 Securing an NGINX deployment for Kubernetes
Securing an Deployment for Kubernetes Featuring: ● Checkov: Open Source IaC Scanning Your guide: Steve Giguere @_SteveGiguere_
● Developer Advocate - Bridgecrew ● DevSecOp s Enthusiast ● DevSecOps London - Organiser ● Raspberry Pi Geek ● Formerly: Aqua Security, StackRox, Synopsys Software Integrity Group ● Twitch show: https://Clust3rF8ck (.com) ● Podcaster: BeerSecOps, CoSeCast (.com) ● Beer Taster: BeerNative (.tv) ● More Steve: https://stevegiguere.com W h o is… Steve Giguere (shig-air)
T H E C H A L L E N G E
T H E C H A L L E N G E ● NEED WEBSITE FOR TWITCH SHOW ● HOST ON RASPBERRY PI ● CREATED WITH HUGO ● USE NGINX TRY NOT TO L O O K L I KE TOTAL IDIOT WO R KI N G F O R A N IAC SECURITY COMPAN Y BY DEPLOYI NG A N NGINX W E B S I T E F O R A TWITCH S H O W A B O U T C L O U D NATIVE SECURITY THAT DOESN’ T PA S S O U R C H E C KO V YAML S C A N
● A01:2021-Broken A cce ss Control ● A02:2021-Cryptographic Failures ● A03:2021-Injection ● A04:2021-Insecure De sig n ● A05:2021-Security Misconfiguration ● A06:2021-Vulnerable a n d Outdated C omponents ● A07:2021-Identification and Authentication Failures ● A08:2021-Software and Data Integrity Failures ● A09:2021-Security L o g g i n g and Monitoring Failures ● A10:2021-Server-Side Request Forgery Coding issues like input sanitization have been replaced by misconfigurations and dependency (supply chain) risks
The Problem Defaults are bad! Misconfigurations are bad! ● Unintended behaviour ● Outage ● Data Breach ● Lateral movement ● Supply Chain Compromise ● PII Exposure Security best practices are important!
IF COMPROMISED ● T HE NGINX DEFAULT IMAGE HAS… ○ NSENTER ○ CURL ○ APT ○ And much much more!! ● T HE NGINX IMAGE CAN... ○ Enumerate the network ○ Breakout to the host ■ EG. CVE-2021-22555 ○ Serve malicious content
T H E P L A N
ST E P 1 - U S E NGINX ● B T W NGINX RECENTLY HIT #1
ST E P 1 ● GET CODE FROM SOMEBODY ELSE
S T E P 2 - W R A P IT IN A K8s D E P L O Y M E N T ● Get the code (from somebody else) ○ SEARCH GOOGLE/DUCKDUCKGO? ● Go to the source (kubernetes.io)
S T E P 3 - C H E C K IT IS S E C U R E ● Checkov ○ DEPLOYMENT ■ Are my defaults secure and what happens when they are not? ○ IMAGE ■ Can I use the default image or should I make changes?
W H A T D O E S S E C U R E MEAN?
W H A T D O E S S E C U R E MEAN ● CIA ○ Confidentiality ■ Least Privilege ○ Integrity ■ Immutability ○ Availability ■ Resilience
What is ? Open source (Apache 2.0) misconfiguration scanner for IaC, intended to be used in CI/CD pipelines 1.1000+ built in checks 2. Supports extensions 3. Built in best practices and security
W h a t is Checkov ● Open source ● Analyze infrastructure as code (IaC) ● Terraform, CloudFormation, Kubernetes, Helm, ARM Templates and Serverless framework ● > 500 rules ● VSCode Plugin ● Optional config file ○ .checkov.yaml *
L E A S T PRIVILEGE
Add S e c c o m p Profile ● Disables > 44 system calls ○ Expelliarmus ● Eg. ○ Mount (host filesystems) ○ Ptrace (watch everything) ○ Reboot (the host!) ○ Setns (change linux namespace) ○ Quotactl (mess with cpu limits) ● Default defence in depth ○ Many of these overlap with blocking CAP_SYS_ADMIN
Set allowPrivilegeEscalation to false setuid ● Prevents binaries from changing the effective user ID ○ Blocks enabling of extra capabilities, ○ Even blocks the use of ping.
D o not run as root (the default) ● Seems obvious but ● Assign a UID and GID > 10000 to avoid conflict I a m root!
Drop all capabilities ● Add them back as required
IMMUTABILITY
Read-only filesystem ● Prevents the creation, installation or downloading of malicious code ● Containers should be immutable CAN’T TOUCH THIS
Unmount Service Account Token ● Uses the default service account ● Can impersonate the service account ● Abuse the K8s RESTAPIs.
Avoid Supply Chain Attacks ● Use the digest for your image NOT tags
RE S I LI E N CE
Liveness/Readiness Probes ● Let kubernetes know you’re there and it will keep you alive and kicking Can be difficult to come up with methods to determine a ready and live state. Not the case for NGINX however.
C P U / Memory Requests and Limits ● Prevents self induced DoS ● Ensures weighted scheduling of pods ● Limits losses from crypto-mining attacks Can be difficult to determine up front but defaults can be quickly derived from the K8s metrics server. MO RE P OWE R!
Key Takeaways ● Finding Secure Examples Is Difficult ● Basic Best Practices Can Be Easy ● Tools are Available To Help ● Many Defaults Aren’t Secure Checkov: https://www.checkov.io/ Our blog: https://bridgecrew.io/blog T H A N KS ! DEPLOYMENTS SERVICES JOBS DEFAULTS OUR BATTERED POD COMES FROM A SECURE SUPPLY CHAIN
30 | ©2020 Palo Alto Networks, Inc. All rights reserved. Sca n to register >> When: 24 March 2022 (Thu) Time: 7.00am Indonesia Time Spea kers: W h a t topics will be covered? Code to Cloud is dedicated to covering security best practices W h o should join: Relevant job titles include but are not Code to Cloud Virtual Su mmi t Block your calendar now! limited to DevOps engineers and team leads, infrastructure and platform engineers, security engineers, SREs, CTOs, engineering and InfoSec managers. across cloud native tech stacks and the development lifecycle — from IaC and open source packages to containers and workloads.
Survey Form We hope you’ve found our session beneficial. Please help us in answering a short 5 questions survey. A small INR200,000 Grab thank you token awaits. https://forms.gle/bGzk2ntgCmuHCuRg7 Please scan the Q R code or use clickable link in Chatbox
Stay Connected With Us! t.me/iddevops DevOps Indonesia DevOps Indonesia DevOps Indonesia @iddevops @iddevops DevOps Indonesia Scan here
PAGE 34 DEVOPS INDONESIA Alone Wearesmart,togetherWearebrilliant THANKYOU! Quote by Steve Anderson

Recommended

DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022
DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022
DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022DevOps Indonesia
 
Observability in highly distributed systems
Observability in highly distributed systemsObservability in highly distributed systems
Observability in highly distributed systemsDevOps Indonesia
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSEric Smalling
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie
 
DevSecOps
DevSecOpsDevSecOps
DevSecOpsJoel Divekar
 
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgileNetwork
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOpsFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 

Recommended

DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022
DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022
DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022DevOps Indonesia
 
Observability in highly distributed systems
Observability in highly distributed systemsObservability in highly distributed systems
Observability in highly distributed systemsDevOps Indonesia
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSEric Smalling
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie
 
DevSecOps
DevSecOpsDevSecOps
DevSecOpsJoel Divekar
 
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgileNetwork
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOpsFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Why should developers care about container security?
Why should developers care about container security?Why should developers care about container security?
Why should developers care about container security?Eric Smalling
 
DevSecOps for you Full Stack
DevSecOps for you Full StackDevSecOps for you Full Stack
DevSecOps for you Full StackRon Nixon
 
DevOps or DevSecOps
DevOps or DevSecOpsDevOps or DevSecOps
DevOps or DevSecOpsMichelangelo van Dam
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceTej Luthra
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101Narudom Roongsiriwong, CISSP
 
Talk DevSecOps to me
Talk DevSecOps to meTalk DevSecOps to me
Talk DevSecOps to meMichelle Ribeiro
 
Open Source Security at Scale- The DevOps Challenge 
Open Source Security at Scale- The DevOps Challenge Open Source Security at Scale- The DevOps Challenge 
Open Source Security at Scale- The DevOps Challenge WhiteSource
 
DevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingDevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingAarno Aukia
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
 
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...Cloud Native Day Tel Aviv
 
Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonDevSecCon
 
Top 10 Practices of Highly Successful DevOps Incident Management Teams
Top 10 Practices of Highly Successful DevOps Incident Management TeamsTop 10 Practices of Highly Successful DevOps Incident Management Teams
Top 10 Practices of Highly Successful DevOps Incident Management TeamsDeborah Schalm
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureOpen Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureWhiteSource
 
Integrating DevOps and Security
Integrating DevOps and SecurityIntegrating DevOps and Security
Integrating DevOps and SecurityStijn Muylle
 
Integrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOpsIntegrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOpsUlf Mattsson
 
RSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxRSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxSonatype
 
CI/CD pipeline security from start to finish with WhiteSource & CircleCI
CI/CD pipeline security from start to finish with WhiteSource & CircleCICI/CD pipeline security from start to finish with WhiteSource & CircleCI
CI/CD pipeline security from start to finish with WhiteSource & CircleCIWhiteSource
 
DevSecOps Everything You Need To Know
DevSecOps Everything You Need To KnowDevSecOps Everything You Need To Know
DevSecOps Everything You Need To KnowCentextech
 
AllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorAllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorjtmelton
 
Securing the Pipeline
Securing the PipelineSecuring the Pipeline
Securing the PipelineThoughtworks
 
Deploy 22 microservices from scratch in 30 mins with GitOps
Deploy 22 microservices from scratch in 30 mins with GitOpsDeploy 22 microservices from scratch in 30 mins with GitOps
Deploy 22 microservices from scratch in 30 mins with GitOpsOpsta
 

More Related Content

What's hot

Why should developers care about container security?
Why should developers care about container security?Why should developers care about container security?
Why should developers care about container security?Eric Smalling
 
DevSecOps for you Full Stack
DevSecOps for you Full StackDevSecOps for you Full Stack
DevSecOps for you Full StackRon Nixon
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceTej Luthra
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
Open Source Security at Scale- The DevOps Challenge 
Open Source Security at Scale- The DevOps Challenge Open Source Security at Scale- The DevOps Challenge 
Open Source Security at Scale- The DevOps Challenge WhiteSource
 
DevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingDevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingAarno Aukia
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
 
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...Cloud Native Day Tel Aviv
 
Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonDevSecCon
 
Top 10 Practices of Highly Successful DevOps Incident Management Teams
Top 10 Practices of Highly Successful DevOps Incident Management TeamsTop 10 Practices of Highly Successful DevOps Incident Management Teams
Top 10 Practices of Highly Successful DevOps Incident Management TeamsDeborah Schalm
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureOpen Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureWhiteSource
 
Integrating DevOps and Security
Integrating DevOps and SecurityIntegrating DevOps and Security
Integrating DevOps and SecurityStijn Muylle
 
Integrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOpsIntegrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOpsUlf Mattsson
 
RSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxRSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxSonatype
 
CI/CD pipeline security from start to finish with WhiteSource & CircleCI
CI/CD pipeline security from start to finish with WhiteSource & CircleCICI/CD pipeline security from start to finish with WhiteSource & CircleCI
CI/CD pipeline security from start to finish with WhiteSource & CircleCIWhiteSource
 
DevSecOps Everything You Need To Know
DevSecOps Everything You Need To KnowDevSecOps Everything You Need To Know
DevSecOps Everything You Need To KnowCentextech
 
AllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorAllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorjtmelton
 

What's hot (20)

Why should developers care about container security?
Why should developers care about container security?Why should developers care about container security?
Why should developers care about container security?
 
DevSecOps for you Full Stack
DevSecOps for you Full StackDevSecOps for you Full Stack
DevSecOps for you Full Stack
 
DevOps or DevSecOps
DevOps or DevSecOpsDevOps or DevSecOps
DevOps or DevSecOps
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
Talk DevSecOps to me
Talk DevSecOps to meTalk DevSecOps to me
Talk DevSecOps to me
 
Open Source Security at Scale- The DevOps Challenge 
Open Source Security at Scale- The DevOps Challenge Open Source Security at Scale- The DevOps Challenge 
Open Source Security at Scale- The DevOps Challenge 
 
DevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingDevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss Banking
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
 
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...
 
Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unison
 
Top 10 Practices of Highly Successful DevOps Incident Management Teams
Top 10 Practices of Highly Successful DevOps Incident Management TeamsTop 10 Practices of Highly Successful DevOps Incident Management Teams
Top 10 Practices of Highly Successful DevOps Incident Management Teams
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureOpen Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure Culture
 
Integrating DevOps and Security
Integrating DevOps and SecurityIntegrating DevOps and Security
Integrating DevOps and Security
 
Integrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOpsIntegrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOps
 
RSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxRSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all Equifax
 
CI/CD pipeline security from start to finish with WhiteSource & CircleCI
CI/CD pipeline security from start to finish with WhiteSource & CircleCICI/CD pipeline security from start to finish with WhiteSource & CircleCI
CI/CD pipeline security from start to finish with WhiteSource & CircleCI
 
DevSecOps Everything You Need To Know
DevSecOps Everything You Need To KnowDevSecOps Everything You Need To Know
DevSecOps Everything You Need To Know
 
AllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorAllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensor
 

Similar to Securing an NGINX deployment for K8s

Securing the Pipeline
Securing the PipelineSecuring the Pipeline
Securing the PipelineThoughtworks
 
Deploy 22 microservices from scratch in 30 mins with GitOps
Deploy 22 microservices from scratch in 30 mins with GitOpsDeploy 22 microservices from scratch in 30 mins with GitOps
Deploy 22 microservices from scratch in 30 mins with GitOpsOpsta
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxlior mazor
 
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Michael Man
 
Cloud Native Practice
Cloud Native PracticeCloud Native Practice
Cloud Native PracticePhilip Zheng
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depthyalegko
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment Sergey Gordeychik
 
Developing High-Impact Malware with Minimal Effort.pptx
Developing High-Impact Malware with Minimal Effort.pptxDeveloping High-Impact Malware with Minimal Effort.pptx
Developing High-Impact Malware with Minimal Effort.pptxElvin Gentiles
 
Kubernetes fingerprinting with Prometheus.pdf
Kubernetes fingerprinting with Prometheus.pdfKubernetes fingerprinting with Prometheus.pdf
Kubernetes fingerprinting with Prometheus.pdfKawimbaLofgrens
 
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...NoNameCon
 
Implementing data and databases on K8s within the Dutch government
Implementing data and databases on K8s within the Dutch governmentImplementing data and databases on K8s within the Dutch government
Implementing data and databases on K8s within the Dutch governmentDoKC
 
Integrate IoT cloud analytics and over the-air (ota) updates with google and ...
Integrate IoT cloud analytics and over the-air (ota) updates with google and ...Integrate IoT cloud analytics and over the-air (ota) updates with google and ...
Integrate IoT cloud analytics and over the-air (ota) updates with google and ...Mender.io
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFA Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFoholiab
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon
 
PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...
PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...
PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...Puppet
 
Kubernetes at (Organizational) Scale
Kubernetes at (Organizational) ScaleKubernetes at (Organizational) Scale
Kubernetes at (Organizational) ScaleJeff Zellner
 
Building a Small Datacenter
Building a Small DatacenterBuilding a Small Datacenter
Building a Small Datacenterssuser4b98f0
 
Prepare to defend thyself with Blue/Green
Prepare to defend thyself with Blue/GreenPrepare to defend thyself with Blue/Green
Prepare to defend thyself with Blue/GreenSonatype
 

Similar to Securing an NGINX deployment for K8s (20)

Securing the Pipeline
Securing the PipelineSecuring the Pipeline
Securing the Pipeline
 
Deploy 22 microservices from scratch in 30 mins with GitOps
Deploy 22 microservices from scratch in 30 mins with GitOpsDeploy 22 microservices from scratch in 30 mins with GitOps
Deploy 22 microservices from scratch in 30 mins with GitOps
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
 
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
 
Cloud Native Practice
Cloud Native PracticeCloud Native Practice
Cloud Native Practice
 
IPsec on Mikrotik
IPsec on MikrotikIPsec on Mikrotik
IPsec on Mikrotik
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depth
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
 
Developing High-Impact Malware with Minimal Effort.pptx
Developing High-Impact Malware with Minimal Effort.pptxDeveloping High-Impact Malware with Minimal Effort.pptx
Developing High-Impact Malware with Minimal Effort.pptx
 
Kubernetes fingerprinting with Prometheus.pdf
Kubernetes fingerprinting with Prometheus.pdfKubernetes fingerprinting with Prometheus.pdf
Kubernetes fingerprinting with Prometheus.pdf
 
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
 
Implementing data and databases on K8s within the Dutch government
Implementing data and databases on K8s within the Dutch governmentImplementing data and databases on K8s within the Dutch government
Implementing data and databases on K8s within the Dutch government
 
Integrate IoT cloud analytics and over the-air (ota) updates with google and ...
Integrate IoT cloud analytics and over the-air (ota) updates with google and ...Integrate IoT cloud analytics and over the-air (ota) updates with google and ...
Integrate IoT cloud analytics and over the-air (ota) updates with google and ...
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFA Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
 
PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...
PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...
PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...
 
Kubernetes at (Organizational) Scale
Kubernetes at (Organizational) ScaleKubernetes at (Organizational) Scale
Kubernetes at (Organizational) Scale
 
Building a Small Datacenter
Building a Small DatacenterBuilding a Small Datacenter
Building a Small Datacenter
 
Prepare to defend thyself with Blue/Green
Prepare to defend thyself with Blue/GreenPrepare to defend thyself with Blue/Green
Prepare to defend thyself with Blue/Green
 

More from DevOps Indonesia

DevOps Indonesia Meetup #52 - announcement
DevOps Indonesia Meetup #52 - announcementDevOps Indonesia Meetup #52 - announcement
DevOps Indonesia Meetup #52 - announcementDevOps Indonesia
 
Dev ops meetup 51 : Securing DevOps Lifecycle - Announcement
Dev ops meetup 51 : Securing DevOps Lifecycle - AnnouncementDev ops meetup 51 : Securing DevOps Lifecycle - Announcement
Dev ops meetup 51 : Securing DevOps Lifecycle - AnnouncementDevOps Indonesia
 
DevOps Meetup 50 : Securing your Application - Announcement
DevOps Meetup 50 : Securing your Application - AnnouncementDevOps Meetup 50 : Securing your Application - Announcement
DevOps Meetup 50 : Securing your Application - AnnouncementDevOps Indonesia
 
Secure your Application with Google cloud armor
Secure your Application with Google cloud armorSecure your Application with Google cloud armor
Secure your Application with Google cloud armorDevOps Indonesia
 
DevOps Meetup 49 Aws Copilot and Gitops - announcement by DevOps Indonesia
DevOps Meetup 49 Aws Copilot and Gitops - announcement by DevOps IndonesiaDevOps Meetup 49 Aws Copilot and Gitops - announcement by DevOps Indonesia
DevOps Meetup 49 Aws Copilot and Gitops - announcement by DevOps IndonesiaDevOps Indonesia
 
Operate Containers with AWS Copilot
Operate Containers with AWS CopilotOperate Containers with AWS Copilot
Operate Containers with AWS CopilotDevOps Indonesia
 
Continuously Deploy Your CDK Application by Petra novandi barus
Continuously Deploy Your CDK Application by Petra novandi barusContinuously Deploy Your CDK Application by Petra novandi barus
Continuously Deploy Your CDK Application by Petra novandi barusDevOps Indonesia
 
DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...
DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...
DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...DevOps Indonesia
 
Securing Your Database Dynamic DB Credentials
Securing Your Database Dynamic DB CredentialsSecuring Your Database Dynamic DB Credentials
Securing Your Database Dynamic DB CredentialsDevOps Indonesia
 
DevOps Indonesia (online) meetup 45 - Announcement
DevOps Indonesia (online) meetup 45 - AnnouncementDevOps Indonesia (online) meetup 45 - Announcement
DevOps Indonesia (online) meetup 45 - AnnouncementDevOps Indonesia
 
The Death and Rise of Enterprise DevOps
The Death and Rise of Enterprise DevOpsThe Death and Rise of Enterprise DevOps
The Death and Rise of Enterprise DevOpsDevOps Indonesia
 
API Security Webinar - Credential Stuffing
API Security Webinar - Credential StuffingAPI Security Webinar - Credential Stuffing
API Security Webinar - Credential StuffingDevOps Indonesia
 
API Security Webinar - Security Guidelines for Providing and Consuming APIs
API Security Webinar - Security Guidelines for Providing and Consuming APIsAPI Security Webinar - Security Guidelines for Providing and Consuming APIs
API Security Webinar - Security Guidelines for Providing and Consuming APIsDevOps Indonesia
 
API Security Webinar - Hendra Tanto
API Security Webinar - Hendra TantoAPI Security Webinar - Hendra Tanto
API Security Webinar - Hendra TantoDevOps Indonesia
 
API Security Webinar : Credential Stuffing
API Security Webinar : Credential StuffingAPI Security Webinar : Credential Stuffing
API Security Webinar : Credential StuffingDevOps Indonesia
 
API Security Webinar : Security Guidelines for Providing and Consuming APIs
API Security Webinar : Security Guidelines for Providing and Consuming APIsAPI Security Webinar : Security Guidelines for Providing and Consuming APIs
API Security Webinar : Security Guidelines for Providing and Consuming APIsDevOps Indonesia
 
Feature Scoring in Green Field Application Development and DevOps
Feature Scoring in Green Field Application Development and DevOpsFeature Scoring in Green Field Application Development and DevOps
Feature Scoring in Green Field Application Development and DevOpsDevOps Indonesia
 
DevOps indonesia (Online) Meetup #44 - Announcement
DevOps indonesia (Online) Meetup #44 - AnnouncementDevOps indonesia (Online) Meetup #44 - Announcement
DevOps indonesia (Online) Meetup #44 - AnnouncementDevOps Indonesia
 
Introduction to SaltStack (An Event-Based Configuration Management)
Introduction to SaltStack (An Event-Based Configuration Management)Introduction to SaltStack (An Event-Based Configuration Management)
Introduction to SaltStack (An Event-Based Configuration Management)DevOps Indonesia
 

More from DevOps Indonesia (20)

DevOps Indonesia Meetup #52 - announcement
DevOps Indonesia Meetup #52 - announcementDevOps Indonesia Meetup #52 - announcement
DevOps Indonesia Meetup #52 - announcement
 
Dev ops meetup 51 : Securing DevOps Lifecycle - Announcement
Dev ops meetup 51 : Securing DevOps Lifecycle - AnnouncementDev ops meetup 51 : Securing DevOps Lifecycle - Announcement
Dev ops meetup 51 : Securing DevOps Lifecycle - Announcement
 
Securing DevOps Lifecycle
Securing DevOps LifecycleSecuring DevOps Lifecycle
Securing DevOps Lifecycle
 
DevOps Meetup 50 : Securing your Application - Announcement
DevOps Meetup 50 : Securing your Application - AnnouncementDevOps Meetup 50 : Securing your Application - Announcement
DevOps Meetup 50 : Securing your Application - Announcement
 
Secure your Application with Google cloud armor
Secure your Application with Google cloud armorSecure your Application with Google cloud armor
Secure your Application with Google cloud armor
 
DevOps Meetup 49 Aws Copilot and Gitops - announcement by DevOps Indonesia
DevOps Meetup 49 Aws Copilot and Gitops - announcement by DevOps IndonesiaDevOps Meetup 49 Aws Copilot and Gitops - announcement by DevOps Indonesia
DevOps Meetup 49 Aws Copilot and Gitops - announcement by DevOps Indonesia
 
Operate Containers with AWS Copilot
Operate Containers with AWS CopilotOperate Containers with AWS Copilot
Operate Containers with AWS Copilot
 
Continuously Deploy Your CDK Application by Petra novandi barus
Continuously Deploy Your CDK Application by Petra novandi barusContinuously Deploy Your CDK Application by Petra novandi barus
Continuously Deploy Your CDK Application by Petra novandi barus
 
DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...
DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...
DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...
 
Securing Your Database Dynamic DB Credentials
Securing Your Database Dynamic DB CredentialsSecuring Your Database Dynamic DB Credentials
Securing Your Database Dynamic DB Credentials
 
DevOps Indonesia (online) meetup 45 - Announcement
DevOps Indonesia (online) meetup 45 - AnnouncementDevOps Indonesia (online) meetup 45 - Announcement
DevOps Indonesia (online) meetup 45 - Announcement
 
The Death and Rise of Enterprise DevOps
The Death and Rise of Enterprise DevOpsThe Death and Rise of Enterprise DevOps
The Death and Rise of Enterprise DevOps
 
API Security Webinar - Credential Stuffing
API Security Webinar - Credential StuffingAPI Security Webinar - Credential Stuffing
API Security Webinar - Credential Stuffing
 
API Security Webinar - Security Guidelines for Providing and Consuming APIs
API Security Webinar - Security Guidelines for Providing and Consuming APIsAPI Security Webinar - Security Guidelines for Providing and Consuming APIs
API Security Webinar - Security Guidelines for Providing and Consuming APIs
 
API Security Webinar - Hendra Tanto
API Security Webinar - Hendra TantoAPI Security Webinar - Hendra Tanto
API Security Webinar - Hendra Tanto
 
API Security Webinar : Credential Stuffing
API Security Webinar : Credential StuffingAPI Security Webinar : Credential Stuffing
API Security Webinar : Credential Stuffing
 
API Security Webinar : Security Guidelines for Providing and Consuming APIs
API Security Webinar : Security Guidelines for Providing and Consuming APIsAPI Security Webinar : Security Guidelines for Providing and Consuming APIs
API Security Webinar : Security Guidelines for Providing and Consuming APIs
 
Feature Scoring in Green Field Application Development and DevOps
Feature Scoring in Green Field Application Development and DevOpsFeature Scoring in Green Field Application Development and DevOps
Feature Scoring in Green Field Application Development and DevOps
 
DevOps indonesia (Online) Meetup #44 - Announcement
DevOps indonesia (Online) Meetup #44 - AnnouncementDevOps indonesia (Online) Meetup #44 - Announcement
DevOps indonesia (Online) Meetup #44 - Announcement
 
Introduction to SaltStack (An Event-Based Configuration Management)
Introduction to SaltStack (An Event-Based Configuration Management)Introduction to SaltStack (An Event-Based Configuration Management)
Introduction to SaltStack (An Event-Based Configuration Management)
 

Recently uploaded

The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 

Recently uploaded (20)

The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 

Securing an NGINX deployment for K8s

  • 1. PAGE 1 DEVOPS INDONESIA PAGE 1 DEVOPS INDONESIA Steve Giguere Palo ALto Jakarta, 8 Maret 2022 Securing an NGINX deployment for Kubernetes
  • 2. Securing an Deployment for Kubernetes Featuring: ● Checkov: Open Source IaC Scanning Your guide: Steve Giguere @_SteveGiguere_
  • 3. ● Developer Advocate - Bridgecrew ● DevSecOp s Enthusiast ● DevSecOps London - Organiser ● Raspberry Pi Geek ● Formerly: Aqua Security, StackRox, Synopsys Software Integrity Group ● Twitch show: https://Clust3rF8ck (.com) ● Podcaster: BeerSecOps, CoSeCast (.com) ● Beer Taster: BeerNative (.tv) ● More Steve: https://stevegiguere.com W h o is… Steve Giguere (shig-air)
  • 4. T H E C H A L L E N G E
  • 5. T H E C H A L L E N G E ● NEED WEBSITE FOR TWITCH SHOW ● HOST ON RASPBERRY PI ● CREATED WITH HUGO ● USE NGINX TRY NOT TO L O O K L I KE TOTAL IDIOT WO R KI N G F O R A N IAC SECURITY COMPAN Y BY DEPLOYI NG A N NGINX W E B S I T E F O R A TWITCH S H O W A B O U T C L O U D NATIVE SECURITY THAT DOESN’ T PA S S O U R C H E C KO V YAML S C A N
  • 6. ● A01:2021-Broken A cce ss Control ● A02:2021-Cryptographic Failures ● A03:2021-Injection ● A04:2021-Insecure De sig n ● A05:2021-Security Misconfiguration ● A06:2021-Vulnerable a n d Outdated C omponents ● A07:2021-Identification and Authentication Failures ● A08:2021-Software and Data Integrity Failures ● A09:2021-Security L o g g i n g and Monitoring Failures ● A10:2021-Server-Side Request Forgery Coding issues like input sanitization have been replaced by misconfigurations and dependency (supply chain) risks
  • 7. The Problem Defaults are bad! Misconfigurations are bad! ● Unintended behaviour ● Outage ● Data Breach ● Lateral movement ● Supply Chain Compromise ● PII Exposure Security best practices are important!
  • 8. IF COMPROMISED ● T HE NGINX DEFAULT IMAGE HAS… ○ NSENTER ○ CURL ○ APT ○ And much much more!! ● T HE NGINX IMAGE CAN... ○ Enumerate the network ○ Breakout to the host ■ EG. CVE-2021-22555 ○ Serve malicious content
  • 9. T H E P L A N
  • 10. ST E P 1 - U S E NGINX ● B T W NGINX RECENTLY HIT #1
  • 11. ST E P 1 ● GET CODE FROM SOMEBODY ELSE
  • 12. S T E P 2 - W R A P IT IN A K8s D E P L O Y M E N T ● Get the code (from somebody else) ○ SEARCH GOOGLE/DUCKDUCKGO? ● Go to the source (kubernetes.io)
  • 13. S T E P 3 - C H E C K IT IS S E C U R E ● Checkov ○ DEPLOYMENT ■ Are my defaults secure and what happens when they are not? ○ IMAGE ■ Can I use the default image or should I make changes?
  • 14. W H A T D O E S S E C U R E MEAN?
  • 15. W H A T D O E S S E C U R E MEAN ● CIA ○ Confidentiality ■ Least Privilege ○ Integrity ■ Immutability ○ Availability ■ Resilience
  • 16. What is ? Open source (Apache 2.0) misconfiguration scanner for IaC, intended to be used in CI/CD pipelines 1.1000+ built in checks 2. Supports extensions 3. Built in best practices and security
  • 17. W h a t is Checkov ● Open source ● Analyze infrastructure as code (IaC) ● Terraform, CloudFormation, Kubernetes, Helm, ARM Templates and Serverless framework ● > 500 rules ● VSCode Plugin ● Optional config file ○ .checkov.yaml *
  • 18. L E A S T PRIVILEGE
  • 19. Add S e c c o m p Profile ● Disables > 44 system calls ○ Expelliarmus ● Eg. ○ Mount (host filesystems) ○ Ptrace (watch everything) ○ Reboot (the host!) ○ Setns (change linux namespace) ○ Quotactl (mess with cpu limits) ● Default defence in depth ○ Many of these overlap with blocking CAP_SYS_ADMIN
  • 20. Set allowPrivilegeEscalation to false setuid ● Prevents binaries from changing the effective user ID ○ Blocks enabling of extra capabilities, ○ Even blocks the use of ping.
  • 21. D o not run as root (the default) ● Seems obvious but ● Assign a UID and GID > 10000 to avoid conflict I a m root!
  • 22. Drop all capabilities ● Add them back as required
  • 24. Read-only filesystem ● Prevents the creation, installation or downloading of malicious code ● Containers should be immutable CAN’T TOUCH THIS
  • 25. Unmount Service Account Token ● Uses the default service account ● Can impersonate the service account ● Abuse the K8s RESTAPIs.
  • 26. Avoid Supply Chain Attacks ● Use the digest for your image NOT tags
  • 27. RE S I LI E N CE
  • 28. Liveness/Readiness Probes ● Let kubernetes know you’re there and it will keep you alive and kicking Can be difficult to come up with methods to determine a ready and live state. Not the case for NGINX however.
  • 29. C P U / Memory Requests and Limits ● Prevents self induced DoS ● Ensures weighted scheduling of pods ● Limits losses from crypto-mining attacks Can be difficult to determine up front but defaults can be quickly derived from the K8s metrics server. MO RE P OWE R!
  • 30. Key Takeaways ● Finding Secure Examples Is Difficult ● Basic Best Practices Can Be Easy ● Tools are Available To Help ● Many Defaults Aren’t Secure Checkov: https://www.checkov.io/ Our blog: https://bridgecrew.io/blog T H A N KS ! DEPLOYMENTS SERVICES JOBS DEFAULTS OUR BATTERED POD COMES FROM A SECURE SUPPLY CHAIN
  • 31. 30 | ©2020 Palo Alto Networks, Inc. All rights reserved. Sca n to register >> When: 24 March 2022 (Thu) Time: 7.00am Indonesia Time Spea kers: W h a t topics will be covered? Code to Cloud is dedicated to covering security best practices W h o should join: Relevant job titles include but are not Code to Cloud Virtual Su mmi t Block your calendar now! limited to DevOps engineers and team leads, infrastructure and platform engineers, security engineers, SREs, CTOs, engineering and InfoSec managers. across cloud native tech stacks and the development lifecycle — from IaC and open source packages to containers and workloads.
  • 32. Survey Form We hope you’ve found our session beneficial. Please help us in answering a short 5 questions survey. A small INR200,000 Grab thank you token awaits. https://forms.gle/bGzk2ntgCmuHCuRg7 Please scan the Q R code or use clickable link in Chatbox
  • 33. Stay Connected With Us! t.me/iddevops DevOps Indonesia DevOps Indonesia DevOps Indonesia @iddevops @iddevops DevOps Indonesia Scan here