
Securing your code when you don't even know where it is - Liz Rice - DevOpsDays Tel Aviv 2017

Published at DevOpsDays Tel Aviv 2017

  1. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved. Securing your code when you don’t even know where it is. Liz Rice, @lizrice | @aquasecteam
  2. Traditional process: Create software, Deploy, Patch, Provision servers
  3. Server drift (graph of server state over time)
  4. DevOps happened! ■ Infrastructure as code ■ Containers ■ CI / CD
  5. Cattle not pets
  6. Pipeline process builds “cattle”: Create software → Build images → Deploy
  7. Security is a concern when deploying containers: 88% agree (Sonatype 2017 DevSecOps Survey)
  8. Hundreds of microservices; thousands of containers; average container life ~ 2.5 days
  9. Dependencies in every container (each container carries its own copy of /bin, /lib, /usr, /opt, /var)
  10. Applying patches to containers?
  11. Pipeline process: Create software → Build images → Deploy. Immutable: never modify, always move in this direction
  12. Scan for vulnerabilities: Create software → Build images → Deploy
  13. Image policies: Create software → Build images → Deploy ✓ ✓
  14. What about the hosts?
  15. Hosts: Host OS, Automated testing, Recycling, Intrusion detection
  16. Wait, there’s more!
  17. Reducing images
  18. Reducing image size ■ Few tools needed in containers ■ Smaller attack surface
     FROM scratch
     EXPOSE 8080
     COPY hello /
     COPY templates templates
     CMD ["/hello"]
  19. Microservice network segmentation ■ Restrict communication between microservices ■ Encrypted connections
  20. Runtime protection ■ Restrict container activity ■ Prevent anomalous / suspicious behaviour
  21. Shellshock demo
  22. What about Serverless?
  23. Serverless security ■ If you don’t have to worry about the servers, do you have to worry about server security?
  24. Serverless ■ Managed services ■ Functions
  25. Functions in containers
  26. Cloud Native Security Advantages
  27. Container security advantages ■ Decomposition of the problem ■ Additional layers of defence ■ Continuous deployment ■ Shorter attack window ■ Community best practices ■ Dedicated container security tools
  28. Room for improvement in container security: 80% agree (Aqua Security 2017 Survey)
  29. “Containers … require a more collaborative approach by security and DevOps teams.”
  30. “Organizations would do well to embed security early into the process”
  31. Continuous integration, Continuous deployment, Continuous security
  32. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved. @lizrice | @aquasecteam aquasec.com/survey github.com/aquasecurity/kube-bench
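The FROM scratch Dockerfile on the "Reducing image size" slide assumes a statically linked hello binary already sits in the build context. As an added example, not from the talk or from Aqua, the multi-stage Dockerfile below builds that binary from Go source (assumed to be a Go module in the build context, with a templates directory beside it) and copies only the artifacts into the empty final image, so the container that ships has no shell, package manager or libc to patch.

```dockerfile
# Stage 1: build. The toolchain and its dependencies live only here and
# never reach the image that gets deployed.
FROM golang:1.21 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 produces a fully static binary; FROM scratch has no libc,
# so a dynamically linked binary would fail to start in the final image.
# -trimpath and -s -w strip build paths and debug symbols from the binary.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /hello .

# Stage 2: runtime. Mirrors the slide's Dockerfile, but pulls the binary
# from the build stage instead of the build context.
FROM scratch
EXPOSE 8080
COPY --from=build /hello /hello
COPY templates templates
# scratch has no /etc/passwd, so use a numeric uid to avoid running as root.
USER 10001
# If hello makes outbound TLS calls, scratch also lacks CA certificates;
# copy them from the builder: COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
CMD ["/hello"]
```

The final image contains exactly the files named in the second stage, which is what makes the scan and policy steps earlier in the pipeline tractable: there is nothing in it that the scanner cannot account for.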
