Live-Hacking your AWS Workloads

Today’s Speakers
Eric Smalling - Senior Developer Advocate at Snyk - @ericsmalling
Brian Clark - Senior Developer Advocate at Snyk - @_clarkio
Agenda
Introductions
Application risk profiles
Live hack demonstrations
Proactive exploit prevention
Wrap up / Q&A
The modern application
A New Risk Profile

Code
● Software deployed daily - ‘waterfall’ approach doesn’t scale. Scans can’t take hours.
● 10-20% of code is custom - and digital transformation increases pressure to deliver more and faster.

Open Source
● 80-90% of codebase is Open Source
● 80% of vulnerabilities found in indirect dependencies

Containers
● 100s of Linux packages inherited from public sources
● Built, deployed & scaled in seconds

Infrastructure as Code
● #1 cloud vulnerability is misconfiguration [NSA]
● Network access, storage, servers - deployed as fast as code
How Snyk fits in w/ industry leading solutions
Integrated from development to production
[Pipeline diagram; recoverable labels only]
● Tools: Any Source Code Editor; CodeCommit or various others; CodeBuild or various others; CodePipeline or various others; ECR; Production (ECS, EKS, Fargate, Lambda); Inspector; Ticketing
● Stages: submit, build, deploy
● Snyk touchpoints: Test & fix; Test, fix, monitor; Security gate; Test & Monitor
Live Demonstration
Let’s Hack an application on AWS!
How could we prevent this?
Custom Code / Open Source Code / Containers / Infrastructure as Code
First off...
Empower developers
Developer adoption requires a frictionless and intuitive solution to
enable security without impacting pace.
Automate fixes
The solution can’t just report on what vulnerabilities exist. It must make
it easy to fix the problems quickly.
Be security deep
The solution must leverage complete, timely, and accurate vulnerability
data and cannot rely solely on publicly available sources.
Defence in Depth
Further practices and tech to consider: Images, Runtime, Kubernetes

Defence in Depth: Images
Minimize Footprint
Don’t give hackers more tools to expand their exploits
Layer Housekeeping
Understand how layers work at build and run-time
Build strategies
Multi-Stage, repeatable builds, standardized labeling,
alternative tools
Secure Supply Chain
Know where images come from.
Only CI should push to registries.
Defence in Depth: Runtime
Don’t run as root
You probably don’t need it.
Privileged Containers
You almost definitely don’t need it.
Drop capabilities
Most apps don’t need any Linux capabilities; drop all of them and add back only what’s needed.
Read Only Root Filesystem
Immutability makes exploiting your container harder.
Deploy from known sources
Pull from known registries only.
Defence in Depth: Kubernetes
Secrets
Use them but make sure they’re encrypted and have
RBAC applied
RBAC
Hopefully everybody is using this.
SecurityContext
Many of the Runtime practices mentioned can be enforced via the pod or container SecurityContext
Network Policy
Start with zero-trust and add allow rules only as
necessary.
Enforcement
Use OPA (Gatekeeper), Kyverno, etc
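The Runtime practices (no root, no privileged containers, drop capabilities, read-only root filesystem, pull only from known registries) and the Kubernetes slide's point that a SecurityContext plus an enforcement engine can make them mandatory come together in the checker below. It is an added example, not code from the deck, from Snyk, or from Gatekeeper or Kyverno; it shows the kind of rule a policy engine would apply by walking a pod manifest (the JSON-compatible structure `kubectl get pod -o json` returns) and reporting each violation. The registry allow-list and both pod specs are constructed for illustration.

```python
"""Added example (not from the Snyk deck): an admission-style checker that turns
the Runtime and SecurityContext practices on the slides into testable rules.
It inspects a pod manifest and reports every container that runs as root, is
privileged, keeps Linux capabilities, has a writable root filesystem, or pulls
from a registry outside an allow-list. Registry hosts and pod specs below are
constructed for illustration."""
from __future__ import annotations

# Constructed allow-list of registry hosts ("deploy from known sources").
# In practice this holds the registries only CI is permitted to push to.
ALLOWED_REGISTRIES = {
    "123456789012.dkr.ecr.us-east-1.amazonaws.com",  # placeholder account id
    "registry.example.internal",
}


def image_registry(image: str) -> str | None:
    """Return the registry host of an image reference, or None when the
    reference names no registry (which defaults to Docker Hub)."""
    if "/" not in image:
        return None
    first = image.split("/", 1)[0]
    # The first path component is a registry only when it looks like a host:
    # it contains a dot or a port, or is "localhost". Otherwise it is a
    # Docker Hub namespace such as "library".
    if "." in first or ":" in first or first == "localhost":
        return first
    return None


def effective_security_context(pod: dict, container: dict) -> dict:
    """Merge pod-level and container-level securityContext (container wins)."""
    merged = dict(pod.get("spec", {}).get("securityContext", {}))
    merged.update(container.get("securityContext", {}))
    return merged


def check_container(pod: dict, container: dict) -> list[tuple[str, str, str]]:
    """Return (severity, rule, message) findings for a single container."""
    name = container.get("name", "<unnamed>")
    sc = effective_security_context(pod, container)
    findings: list[tuple[str, str, str]] = []

    # "Don't run as root": require runAsNonRoot, or an explicit non-zero UID.
    if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
        findings.append(("deny", "runAsRoot", f"{name}: runs as UID 0; set runAsNonRoot: true"))

    # "Privileged containers: you almost definitely don't need it."
    if sc.get("privileged"):
        findings.append(("deny", "privileged", f"{name}: privileged: true"))

    # "Drop capabilities": drop ALL, then add back only what is needed.
    caps = sc.get("capabilities", {})
    if "ALL" not in caps.get("drop", []):
        findings.append(("deny", "capabilities", f"{name}: capabilities.drop lacks ALL"))
    for cap in caps.get("add", []):
        findings.append(("warn", "capabilityAdded", f"{name}: adds {cap}; confirm it is required"))

    # "Read only root filesystem": immutability makes exploitation harder.
    if not sc.get("readOnlyRootFilesystem"):
        findings.append(("deny", "writableRootFs", f"{name}: root filesystem is writable"))

    # "Deploy from known sources": pull from known registries only.
    image = container.get("image", "")
    if image_registry(image) not in ALLOWED_REGISTRIES:
        findings.append(("deny", "untrustedRegistry", f"{name}: {image!r} is not from an allowed registry"))
    return findings


def check_pod(pod: dict) -> list[tuple[str, str, str]]:
    """Check init containers and app containers of one pod manifest."""
    spec = pod.get("spec", {})
    findings: list[tuple[str, str, str]] = []
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        findings.extend(check_container(pod, container))
    return findings


def violated_rules(pod: dict) -> set[str]:
    """Rules with severity 'deny': what an admission webhook would reject."""
    return {rule for severity, rule, _ in check_pod(pod) if severity == "deny"}


# Constructed: the weak setting (default image, privileged, everything else unset).
WEAK_POD = {
    "kind": "Pod",
    "metadata": {"name": "web-weak"},
    "spec": {"containers": [{"name": "web", "image": "nginx:latest",
                             "securityContext": {"privileged": True}}]},
}

# Constructed: the corrected setting following the slides' practices.
HARDENED_POD = {
    "kind": "Pod",
    "metadata": {"name": "web-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "web",
            "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web:1.4.2",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"== {label} ==")
        for severity, rule, message in check_pod(pod) or [("info", "ok", "no findings")]:
            print(f"[{severity}] {rule}: {message}")
```

The weak pod trips all five deny rules; the hardened pod produces only a warning for the one capability it adds back, which is the "allow only what's needed" review point rather than a rejection. The same rules map directly onto Gatekeeper constraints or Kyverno validate policies, and a read-only root filesystem usually needs an emptyDir mounted wherever the process must write.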
Other Key Learnings
PROTECTED BY SNYK
Snyk helps companies develop fast & stay secure
● Developers Using Snyk: 3M
● Snyk Employees: +900
● Happy Customers: 1000+
● Funding Raised: $850M
● Strategic AWS Partner: Advanced Technology Partner & ISV Accelerate
● Tested and Trusted: DevOps & Sec Competencies & Service Ready Designations
● Marketplace Seller: Enabled for Private Offers, CPPO & SPPO
● Quick Start Contributor: Automated Reference Deployments
Key Takeaways
Feedback Loop: Just like unit tests, fast, actionable security feedback is critical. Working security into a developer’s workflow without slowing them down drives adoption.
Empower developers to be proactive: Giving developers tools that provide actionable information can allow them to deal with security issues as they are introduced.
Defence in depth: Implementing known secure practices for building and running your container images and IaC configurations can mitigate vulnerabilities that slip into deployments as well as zero-day vulnerabilities that may exist.
Remember to Attend all 4 sessions!
Dec 13 Snyk + Atlassian
Dec 14 Snyk + StackHawk
Dec 15 Snyk + Docker
Dec 16 Snyk Terraform + EKS
Register now!
https://snyk.co/ud4Ap
Thank You!
References:
● DevOps Pipeline with Bitbucket Cloud and Kubernetes: https://snyk.co/ud4AN
● Snyk blog on Fixing “marked” XSS vulnerability: https://snyk.co/ud4AV
● Snyk Learn: https://learn.snyk.io
● Kubernetes SecurityContext Cheatsheet: https://snyk.co/ud4AK
● OPA Gatekeeper: https://open-policy-agent.github.io/gatekeeper/website/docs
● Kyverno: https://kyverno.io
● PodSecurityPolicy Deprecation: Past, Present, and Future: https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future
● Snyk Kubernetes “Quick hit” videos: https://youtube.com/playlist?list=PLQ6IC7glz4-UA4uKQOhmAxh6Mhvr3m4g-

AWS live hack: Atlassian + Snyk OSS on AWS