Securing your code when you don't even know where it is - Liz Rice - DevOpsDays Tel Aviv 2017

Slides presented at DevOpsDays Tel Aviv 2017.

  1. Securing your code when you don't even know where it is. Liz Rice, @lizrice | @aquasecteam. Copyright © 2017 Aqua Security Software Ltd. All Rights Reserved.
  2. (image only, no slide text)
  3. (image only, no slide text)
  4. Traditional process: diagram with the steps Create software, Provision servers, Deploy and Patch.
  5. Server drift: graph of server state against time.
  6. DevOps happened!
     ■ Infrastructure as code
     ■ Containers
     ■ CI / CD
  7. Cattle not pets
  8. Pipeline process builds "cattle": Create software → Build images → Deploy
  9. Security is a concern when deploying containers: 88% agree (Sonatype 2017 DevSecOps Survey)
  10. Hundreds of microservices. Thousands of containers. Average container life ~ 2.5 days.
  11. Dependencies in every container: diagram of three containers, each carrying its own copy of system directories (/bin, /lib, /usr, /opt, /var).
  12. Applying patches to containers?
  13. (image only, no slide text)
  14. Pipeline process: Create software → Build images → Deploy. Immutable: never modify; always move in this direction.
  15. Scan for vulnerabilities, shown against the pipeline Create software → Build images → Deploy.
  16. Image policies: Create software → Build images → Deploy, with policy checks (✓ ✓) gating the pipeline.
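The slides give the shape of the control (scan, then gate the pipeline with an image policy) but not what a gate looks like. The following is an added example, not code from the deck or from Aqua: a policy function applied once when an image is built and again when it is deployed, which is what the two checkmarks stand for. The finding format, the thresholds, the placeholder CVE identifiers and the image names are all assumptions made for the example; a real scanner has its own report schema, and the thresholds are a policy decision. It also adds a maximum image age at deploy time, which follows from the deck's "never modify, always move in this direction": an old image is rebuilt, not patched in place.

```python
"""Added example: an image policy gate run at build time and again at deploy time.

The finding format, thresholds and identifiers below are constructed for the
example; they are not any scanner's schema and the CVE ids are placeholders.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Finding:
    """One vulnerability the scanner reported against a package in the image."""
    cve: str                              # identifier as the scanner reports it
    package: str                          # affected OS package or library
    severity: str                         # LOW / MEDIUM / HIGH / CRITICAL
    fixed_version: Optional[str] = None   # None when no fixed version is published


@dataclass
class Policy:
    """Thresholds are assumptions for the example, not recommended values."""
    block_at: str = "CRITICAL"                # blocks whether or not a fix exists
    block_fixable_at: str = "HIGH"            # blocks when a rebuild would remove it
    require_digest_pinned_base: bool = True   # reproducible rebuilds need a digest
    max_image_age_days: int = 30              # deploy-time only: old images get rebuilt


@dataclass
class Verdict:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def _rank(severity: str) -> int:
    return SEVERITY_RANK.get(severity.upper(), 0)


def build_gate(findings: List[Finding], base_image: str,
               policy: Optional[Policy] = None) -> Verdict:
    """First checkmark: may this freshly built image be pushed to the registry?"""
    policy = policy or Policy()
    reasons: List[str] = []
    if policy.require_digest_pinned_base and "@sha256:" not in base_image:
        reasons.append(f"base image {base_image!r} is not pinned by digest")
    for f in findings:
        if _rank(f.severity) >= _rank(policy.block_at):
            reasons.append(f"{f.cve} ({f.severity}) in {f.package}: "
                           f"at or above {policy.block_at}, no exceptions")
        elif f.fixed_version and _rank(f.severity) >= _rank(policy.block_fixable_at):
            reasons.append(f"{f.cve} ({f.severity}) in {f.package}: fixed in "
                           f"{f.fixed_version}, rebuild the image rather than patch it")
    return Verdict(allowed=not reasons, reasons=reasons)


def deploy_gate(findings: List[Finding], base_image: str, image_age_days: int,
                policy: Optional[Policy] = None) -> Verdict:
    """Second checkmark: run the same checks against a *fresh* scan at deploy time
    (new CVEs are published after the build) and refuse images old enough to need
    a rebuild, since a running container is never patched in place."""
    policy = policy or Policy()
    verdict = build_gate(findings, base_image, policy)
    if image_age_days > policy.max_image_age_days:
        verdict.reasons.append(f"image is {image_age_days} days old "
                               f"(limit {policy.max_image_age_days}); rebuild it")
        verdict.allowed = False
    return verdict


# Constructed sample findings; the identifiers are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "openssl", "HIGH", fixed_version="1.1.1-fixed"),
    Finding("CVE-EXAMPLE-0002", "bash", "MEDIUM"),        # no fix, below threshold
    Finding("CVE-EXAMPLE-0003", "zlib", "LOW"),
    Finding("CVE-EXAMPLE-0004", "libxml2", "CRITICAL"),   # no fix, blocks anyway
]
PINNED_BASE = "alpine@sha256:" + "0" * 64   # placeholder digest, not a real image


if __name__ == "__main__":
    for stage, verdict in [("build", build_gate(SAMPLE_FINDINGS, PINNED_BASE)),
                           ("deploy", deploy_gate([], PINNED_BASE, image_age_days=45))]:
        print(stage, "ALLOW" if verdict.allowed else "BLOCK")
        for reason in verdict.reasons:
            print("  -", reason)
```

The deploy-time gate deliberately re-runs the build-time checks instead of trusting the verdict recorded at build time: the image has not changed, but the vulnerability database has, which is the whole reason for the second checkmark.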
  17. What about the hosts?
  18. Hosts
      ■ Host OS
      ■ Automated testing
      ■ Recycling
      ■ Intrusion detection
  19. Wait, there's more!
  20. Reducing images
  21. Reducing image size
      ■ Few tools needed in containers
      ■ Smaller attack surface
      Dockerfile shown on the slide:
          FROM scratch
          EXPOSE 8080
          COPY hello /
          COPY templates templates
          CMD ["/hello"]
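The slide's Dockerfile copies an already-built `hello` binary into an empty image. As an added example, and not the deck's own Dockerfile, here is the multi-stage form of the same recipe, which produces the static binary inside the build so that neither the Go toolchain, nor a package manager, nor a shell ends up in the image that runs. The Go module layout, the `golang:1.21` tag, the non-root uid and an HTTP listener on 8080 are assumptions about the hypothetical project.

```dockerfile
# Stage 1: full toolchain. Nothing from this stage ships except the one binary.
FROM golang:1.21 AS build
WORKDIR /src
# go.* matches go.mod and, if present, go.sum (assumed module layout).
COPY go.* ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 gives a statically linked binary, so the runtime image needs no libc.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/hello .

# Stage 2: the slide's scratch image, now built from the stage above.
FROM scratch
# Only needed if the service makes outbound TLS calls; scratch has no CA bundle.
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /out/hello /hello
COPY templates /templates
# Numeric uid:gid because there is no /etc/passwd to resolve a name against.
USER 65534:65534
EXPOSE 8080
ENTRYPOINT ["/hello"]
```

Two caveats for the scanning step earlier in the deck: a scratch image has no package database, so OS-level vulnerability scanning reports nothing and the Go binary's own module dependencies have to be scanned from the module list or a generated SBOM; and with no shell there is nothing to `docker exec` into, which is the intended attack-surface reduction but means debugging happens through logs or a separate debug container rather than inside the running one.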
  22. Microservice network segmentation
      ■ Restrict communication between microservices
      ■ Encrypted connections
  23. Runtime protection
      ■ Restrict container activity
      ■ Prevent anomalous / suspicious behaviour
  24. Shellshock demo
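The deck demonstrates runtime protection live with Shellshock and leaves no slide text for it. As an added example, not the demo's code and not an Aqua product, the following shows the two checks such a demo rests on: a request-level check for the Shellshock trigger in a header value, and the runtime check that actually stops the attack class, which compares every process a container starts against an allow-list learned from the image. The event shape, the image name, the baseline contents and the sample events are constructed for the example; a real agent tracing execve inside containers reports its own fields.

```python
"""Added example: runtime allow-listing of what a container may execute.

Event shape, field names, image names and the baseline are assumptions made
for the example; the events are constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# What each image is expected to execute, learned by running the image in a
# test environment (assumed for the example). Anything else is anomalous.
BASELINE: Dict[str, Set[str]] = {
    "shop/web:1.4": {"/usr/sbin/httpd", "/usr/bin/cgi-handler"},
}

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}


@dataclass
class Alert:
    container: str
    kind: str       # "shell spawned" | "executable outside baseline" | "no baseline"
    detail: str


def is_shellshock_probe(header_value: str) -> bool:
    """Request-level check. The CVE-2014-6271 trigger is an environment value that
    begins with an exported function definition, '() {', followed by extra commands
    that vulnerable bash ran when importing the variable. A CGI server turns request
    headers into environment variables, which is how the header reaches bash."""
    return header_value.lstrip().startswith("() {")


def detect(events: Iterable[dict],
           baseline: Dict[str, Set[str]] = BASELINE) -> List[Alert]:
    """Runtime check. Each process start is compared with the image's allow-list.
    A shell outside the allow-list gets its own alert kind, because a web server
    that spawns a shell is the signature of command injection, Shellshock included."""
    alerts: List[Alert] = []
    for e in events:
        allowed = baseline.get(e["image"])
        chain = f"{e['parent']} -> {' '.join(e['argv'])}"
        if allowed is None:
            alerts.append(Alert(e["container"], "no baseline",
                                f"image {e['image']} has no baseline: {chain}"))
        elif e["exe"] not in allowed:
            kind = "shell spawned" if e["exe"] in SHELLS else "executable outside baseline"
            alerts.append(Alert(e["container"], kind, chain))
    return alerts


# Constructed events: the CGI handler, fed a Shellshock payload, spawns bash,
# which then reads a file the web container has no business reading.
SAMPLE_EVENTS = [
    {"container": "web-1", "image": "shop/web:1.4", "parent": "/usr/sbin/httpd",
     "exe": "/usr/bin/cgi-handler", "argv": ["/usr/bin/cgi-handler", "/cgi-bin/status"]},
    {"container": "web-1", "image": "shop/web:1.4", "parent": "/usr/bin/cgi-handler",
     "exe": "/bin/bash", "argv": ["/bin/bash", "-c", "cat /etc/passwd"]},
    {"container": "web-1", "image": "shop/web:1.4", "parent": "/bin/bash",
     "exe": "/bin/cat", "argv": ["/bin/cat", "/etc/passwd"]},
]


if __name__ == "__main__":
    print("probe:", is_shellshock_probe("() { :;}; /bin/bash -c 'id'"))
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.kind}] {a.container}: {a.detail}")
```

In enforcing mode the same decision kills or blocks the process instead of only raising an alert, which is what "prevent" on the slide means. Note what each layer can and cannot do: the header check is cheap but only catches one vulnerability's one delivery path, while the allow-list catches the consequence (an unexpected process) regardless of which bug produced it. Kernel mechanisms such as seccomp restrict system calls, not executable paths, so a path-based allow-list needs an agent or an LSM profile; and a baseline learned from tests will miss rare legitimate paths such as health checks, so run it in audit mode before enforcing.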
  25. What about Serverless?
  26. Serverless security
      ■ If you don't have to worry about the servers, do you have to worry about server security?
  27. Serverless
      ■ Managed services
      ■ Functions
  28. Functions in containers
  29. Cloud Native Security Advantages
  30. Container security advantages
      ■ Decomposition of the problem
      ■ Additional layers of defence
      ■ Continuous deployment
      ■ Shorter attack window
      ■ Community best practices
      ■ Dedicated container security tools
  31. Room for improvement in container security: 80% agree (Aqua Security 2017 Survey)
  32. "Containers … require a more collaborative approach by security and DevOps teams."
  33. "Organizations would do well to embed security early into the process"
  34. Continuous integration → Continuous deployment → Continuous security
  35. Copyright © 2017 Aqua Security Software Ltd. All Rights Reserved. @lizrice | @aquasecteam. aquasec.com/survey, github.com/aquasecurity/kube-bench