1. Supply chain security: Develop quickly without inviting The Nefarious
Ivan Milchev, ivan@mondoo.com

2. About me
Ivan Milchev, Senior Software Engineer, ivan@mondoo.com
● Mondoo Kubernetes Operator
● Kubernetes, containers and Linux integration
● Tech Lead Operations
● Architect of the in-house Manufacturing Execution System (MES)
● Created a Kubernetes scheduler extension for network-aware scheduling
● Developed a customized managed Kubernetes platform
3. Innovation

4. How did it start?

5. How did it start? (image slide, label: You)

6. How did it start? (image slide, labels: You, 2)

7. How did it start? (image slide, label: You)

8. The Nefarious

9. Who are they?
Smart, Omnipotent, Rich, Organized

10. How do they operate?
Sales Quotas, Playbooks, Customer Support, Affiliate Programs

11. What do they want?

12. The defense line

13. How you think it is?
14. How the CTO thinks it is?
15. How the security engineer thinks it is?
16. How it really is?

17. But seriously…

18. Kubernetes is complex
(Diagram: cloud provider API, control plane, three nodes)

19. Businesses are choosing the cloud for K8s
Source: 2022 Red Hat State of Kubernetes Security (chart; the "self managed" share is shown for contrast)
20. Securing Kubernetes

21. Security for Kubernetes runtime
Layers: Cloud Services, Cluster Nodes, Workloads (Deployments / Pods), Control Plane, Application Containers
Kubernetes is a complex system requiring deep inspection across multiple layers of infrastructure and services to ensure security.

22. Cloud Services
(Layer diagram in two variants: one with Control Plane, one with Cluster Configuration, annotated "self managed")
● Identity and access management
● Network and compute security
● Storage security
● Encryption keys and certificates
● Logging

23. Cluster Nodes: Are my cluster nodes secure?
● Operating system end-of-life?
● Operating system patched?
● Operating system hardened?
● Is the container runtime hardened?
● Is the Kubelet hardened?

24. Control Plane
Is the Kubernetes API secure?
● Use TLS for all API traffic
● API authentication
● API authorization
● Audit logging
Is etcd secure?
● Restrict access to etcd
● Encryption at rest
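The control-plane questions above map almost one-to-one onto kube-apiserver flags, so they can be checked mechanically from the API server's command line. The Python below is an added example, not the talk's code and not cnspec: the flag names are real kube-apiserver flags, the two command lines are constructed samples, and the function names are my own.

```python
# Added example (not the talk's code and not cnspec): check a kube-apiserver
# command line against the control-plane questions on slide 24. The flag names
# are real kube-apiserver flags; the two command lines below are constructed.
from typing import Dict, List

# Constructed: the `command` of a kube-apiserver static pod that still has the
# insecure defaults (anonymous auth on, AlwaysAllow authorization, plaintext etcd).
WEAK_COMMAND = [
    "kube-apiserver",
    "--advertise-address=10.0.0.10",
    "--anonymous-auth=true",
    "--authorization-mode=AlwaysAllow",
    "--etcd-servers=http://127.0.0.1:2379",
    "--tls-cert-file=/etc/kubernetes/pki/apiserver.crt",
    "--tls-private-key-file=/etc/kubernetes/pki/apiserver.key",
]

# Constructed: the same command line with each finding addressed.
HARDENED_COMMAND = [
    "kube-apiserver",
    "--advertise-address=10.0.0.10",
    "--anonymous-auth=false",
    "--authorization-mode=Node,RBAC",
    "--audit-log-path=/var/log/kubernetes/audit.log",
    "--audit-policy-file=/etc/kubernetes/audit-policy.yaml",
    "--etcd-servers=https://127.0.0.1:2379",
    "--etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt",
    "--etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt",
    "--etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key",
    "--encryption-provider-config=/etc/kubernetes/encryption.yaml",
    "--tls-cert-file=/etc/kubernetes/pki/apiserver.crt",
    "--tls-private-key-file=/etc/kubernetes/pki/apiserver.key",
]


def parse_flags(command: List[str]) -> Dict[str, str]:
    """Turn ['--key=value', '--bool-flag'] into a dict; a bare flag counts as
    'true'. The first element (the binary) is skipped."""
    flags: Dict[str, str] = {}
    for arg in command[1:]:
        if not arg.startswith("--"):
            continue
        key, has_value, value = arg[2:].partition("=")
        flags[key] = value if has_value else "true"
    return flags


def check_apiserver(command: List[str]) -> List[str]:
    """Return one finding per failed check; an empty list means all checks passed.
    Defaults mirror kube-apiserver: anonymous-auth defaults to true and
    authorization-mode defaults to AlwaysAllow when the flags are absent."""
    f = parse_flags(command)
    findings: List[str] = []

    # Use TLS for all API traffic
    if "tls-cert-file" not in f or "tls-private-key-file" not in f:
        findings.append("no TLS serving certificate (--tls-cert-file/--tls-private-key-file)")

    # API authentication: unauthenticated requests must not reach authorization
    if f.get("anonymous-auth", "true") == "true":
        findings.append("anonymous requests are allowed; set --anonymous-auth=false")

    # API authorization: AlwaysAllow disables RBAC entirely
    if "AlwaysAllow" in f.get("authorization-mode", "AlwaysAllow").split(","):
        findings.append("--authorization-mode includes AlwaysAllow; use Node,RBAC")

    # Audit logging
    if "audit-log-path" not in f:
        findings.append("audit logging is off; set --audit-log-path and --audit-policy-file")

    # Restrict access to etcd: TLS transport plus a client certificate
    servers = [s for s in f.get("etcd-servers", "").split(",") if s]
    if any(s.startswith("http://") for s in servers):
        findings.append("--etcd-servers uses plaintext http://")
    for needed in ("etcd-cafile", "etcd-certfile", "etcd-keyfile"):
        if needed not in f:
            findings.append(f"missing --{needed}; etcd client auth is not configured")

    # Encryption at rest for Secrets stored in etcd
    if "encryption-provider-config" not in f:
        findings.append("no --encryption-provider-config; Secrets sit in etcd unencrypted")

    return findings


if __name__ == "__main__":
    for label, cmd in (("weak", WEAK_COMMAND), ("hardened", HARDENED_COMMAND)):
        print(label, check_apiserver(cmd) or "OK")
```

On a kubeadm cluster the input is the `command` list in the kube-apiserver static pod manifest under /etc/kubernetes/manifests; on a managed control plane you cannot read it, which is exactly the point of slide 22: those checks move to the cloud provider's configuration. The defaults matter: a missing flag is not "unconfigured", it is the insecure default, so the checker treats absence the way the binary does.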
25. Workloads (Deployments / Pods): Are the Kubernetes workloads secure?
● Limiting resource usage on a cluster
● Limit privileges
● Restrict network access

26. Application Containers: Are the containers running in Kubernetes secure?
● Container vulnerability scanning
● Provenance and attestation
● Disallow privileged users
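The workload and container questions above (resource limits, privileges, network access, privileged users, provenance) are all answerable from the manifest before it is deployed, which is where slide 30's "test for security misconfigurations before deploying" lands in practice. The Python below is an added example, not the talk's code and not cnspec: the Deployment is a constructed sample, the field names are real Kubernetes PodSpec fields, and the function names are my own.

```python
# Added example (not the talk's code and not cnspec): check a workload manifest
# against the slide 25 and 26 questions: resource limits, privileges, network
# exposure, privileged users and image provenance. The Deployment below is
# constructed; loading real YAML (e.g. with PyYAML) yields the same dict shape.
import re
from typing import Any, Dict, List

SAMPLE_DEPLOYMENT: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "template": {
            "spec": {
                "hostNetwork": True,
                "containers": [
                    {   # the container that fails nearly every check
                        "name": "web",
                        "image": "registry.example/web:latest",
                        "securityContext": {"privileged": True},
                    },
                    {   # a container that passes them all
                        "name": "proxy",
                        "image": "registry.example/proxy@sha256:" + "ab" * 32,
                        "securityContext": {
                            "runAsNonRoot": True,
                            "allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]},
                        },
                        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                    },
                ],
            }
        }
    },
}

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def pod_spec(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """PodSpec of a Pod, or of the pod template inside a Deployment/StatefulSet/DaemonSet/Job."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def check_container(c: Dict[str, Any], pod_sc: Dict[str, Any]) -> List[str]:
    """Findings for one container; pod_sc is the pod-level securityContext,
    whose runAsNonRoot applies unless the container overrides it."""
    name = c.get("name", "<unnamed>")
    sc = c.get("securityContext") or {}
    limits = (c.get("resources") or {}).get("limits") or {}
    image = c.get("image", "")
    findings: List[str] = []

    # Limiting resource usage: a container without limits can starve the node
    for res in ("cpu", "memory"):
        if res not in limits:
            findings.append(f"{name}: no {res} limit")

    # Limit privileges
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container")
    if sc.get("allowPrivilegeEscalation", True):
        findings.append(f"{name}: allowPrivilegeEscalation is not false")
    dropped = [cap.upper() for cap in (sc.get("capabilities") or {}).get("drop", [])]
    if "ALL" not in dropped:
        findings.append(f"{name}: does not drop ALL capabilities")
    if not sc.get("readOnlyRootFilesystem"):
        findings.append(f"{name}: root filesystem is writable")

    # Disallow privileged users
    if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
        findings.append(f"{name}: runAsNonRoot is not set")

    # Provenance: pin by digest so the image that was scanned is the one that runs
    if not DIGEST_RE.search(image):
        findings.append(f"{name}: image {image} is not pinned by digest")
    last = image.rsplit("/", 1)[-1]
    if image.endswith(":latest") or ("@" not in last and ":" not in last):
        findings.append(f"{name}: image {image} uses a floating tag")
    return findings


def check_workload(manifest: Dict[str, Any]) -> List[str]:
    """All findings for a Pod or pod-template workload; [] means it passes."""
    spec = pod_spec(manifest)
    findings: List[str] = []
    # Restrict network access: hostNetwork bypasses NetworkPolicy and the pod network
    if spec.get("hostNetwork"):
        findings.append("pod uses hostNetwork")
    pod_sc = spec.get("securityContext") or {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        findings.extend(check_container(c, pod_sc))
    return findings


if __name__ == "__main__":
    for line in check_workload(SAMPLE_DEPLOYMENT):
        print(line)
```

Two design points: the digest check is what turns "provenance and attestation" into something a pull request can fail on, because a tag can be re-pushed after the scan and a digest cannot; and a check like this belongs in the pull-request pipeline and as an admission policy on the cluster, since a manifest that passed review can still be edited with kubectl afterwards (the question Editor's Note 7 asks).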
27. Secure Development

28. DevOps lifecycle

29. GitOps workflow
local development → source control → ci / cd → runtime (Cloud Services, Control Plane / Cluster Configuration, Workloads (Deployments / Pods), Application Containers)

30. Securing the GitOps workflow
Local development:
● Are my developer’s workstations secure?
● Can developers find vulnerabilities in containers before pushing changes?
● Can developers evaluate the risk of an open source project they want to use?
● Are there misconfigurations in IaC code (Terraform, K8s manifests, CloudFormation)?
Source control:
● Are developers using MFA?
● Do the correct developers have access to the repository?
● Who can review/approve/merge changes to the code base?
● Is branch protection configured?
● Are we running automated security tests on each pull request?
CI / CD and runtime:
● Do we test for security misconfigurations before deploying?
● Do we test for known vulnerabilities before deploying?
● Does our CI/CD tooling have known vulnerabilities?
31. The current situation in numbers

32. Software supply chain attacks (2015-2021)
Source: State of the Software Supply Chain by Sonatype, 2021 (chart)

33. Time to remediate OSS vulnerabilities
Source: State of the Software Supply Chain by Sonatype, 2020 (chart)

34. The solution

35. The improvements

36. DevSecOps lifecycle

37. Check automatically and continuously
The GitOps workflow diagram and the questions from slide 30, repeated under this heading.
38. The challenge

39. A developer’s day
● Design
● Code
● Test
● Deploy
● Maintain

40. Security auditing

41. Security responsibility
Dev, Ops, Sec, IT, CEO, CISO, CTO

42. Tooling

43. Welcome cnquery and cnspec
cnquery: search within your infrastructure (https://cnquery.io)
cnspec: scan for vulnerabilities and misconfiguration (https://cnspec.io)

44. Automate Security
Local Dev → Source Control → CI / CD Runtime (Cloud Services, Cluster Nodes, Cluster Configuration, Workloads (Deployments / Pods), Application Containers)

45. Unified Query Language
cnquery, shown alongside cloudquery, kubequery and osquery, as one query language across Cloud Services, Cluster Nodes, Cluster Configuration, Workloads (Deployments / Pods) and Application Containers.

46. Unified Security Language
cnspec, shown alongside OPA/rego and inspec, as one policy language across the same layers.

47. Demo
48. Conclusion

49. Security is complicated
50. Security is complicated

51. Security is a shared responsibility
Dev, Sec, Ops

52. Validate everything

53. Check for CVE-2022-3602
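CVE-2022-3602 affects OpenSSL 3.0.0 through 3.0.6 and was fixed upstream in 3.0.7; the 1.1.1 and 1.0.2 series are not affected. The Python below is an added example, not the talk's code and not cnspec: it classifies hosts from the output of `openssl version`, the inventory is a constructed sample, and the function names are my own.

```python
# Added example (not the talk's code): classify hosts by whether their OpenSSL
# build falls in the CVE-2022-3602 range, 3.0.0 through 3.0.6, from the output
# of `openssl version`. Upstream fixed it in 3.0.7; the 1.1.1 and 1.0.2 series
# are not affected. The inventory below is constructed.
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed inventory: (host, output of `openssl version`)
INVENTORY: List[Tuple[str, str]] = [
    ("build-01", "OpenSSL 3.0.5 5 Jul 2022"),
    ("web-02", "OpenSSL 1.1.1q  5 Jul 2022"),
    ("ci-03", "OpenSSL 3.0.7 1 Nov 2022"),
    ("edge-04", "OpenSSL 3.0.6 11 Oct 2022"),
    ("dev-05", "LibreSSL 3.3.6"),
]

AFFECTED_MIN: Version = (3, 0, 0)
AFFECTED_MAX: Version = (3, 0, 6)

# Matches "OpenSSL 3.0.5 ..." and "OpenSSL 1.1.1q ..." (letter suffix ignored)
VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)[a-z]*")


def parse_version(output: str) -> Optional[Version]:
    """Numeric (major, minor, patch) from `openssl version` output, or None when
    the binary is not OpenSSL at all (LibreSSL, BoringSSL, garbage)."""
    m = VERSION_RE.match(output.strip())
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def affected(version: Version) -> bool:
    """True when the upstream version is inside the vulnerable range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def classify(output: str) -> str:
    """'affected', 'not affected', or 'unknown' when the output cannot be parsed."""
    v = parse_version(output)
    if v is None:
        return "unknown"
    return "affected" if affected(v) else "not affected"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """host -> status; 'unknown' hosts need a manual look rather than a pass."""
    return {host: classify(output) for host, output in inventory}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:10} {status}")
```

Two caveats a practitioner would want. Distributions usually backport the fix while `openssl version` keeps reporting the unchanged upstream version, so an "affected" verdict from the version string alone must be confirmed against the distribution's advisory and the package changelog before anyone is paged. And a copy of OpenSSL vendored or statically linked inside a container image never shows up when you run `openssl version` on the node, which is why the container vulnerability scanning on slide 26 is a separate check rather than a duplicate of this one.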

Editor's Notes

  1. A story about innovation. Everyone likes new technologies and new approaches. We want speed and efficiency.
  2. Write your code, set up your server and load balancer, get a deployment script.
  3. I know you are the best at what you do, but there is a better way: a tool that can do it all for you. No need to manage infra, failover, autoscaling, etc.
  4. Body, hair, shave, brush your teeth, wash the car, mop the floor.
  5. Obviously, the bad guys.
  6. They operate as a business: quotas, negotiations, live chat, referrals, manuals, playbooks.
  7. How secure is your infrastructure? Do you know for a fact that the nice and secure configuration you applied yesterday is still there? Did someone modify it?
  8. Fort Knox.
  9. Lots of moving parts.
  10. Take away the complexity. Reduce maintenance.
  11. Digital innovation is the ultimate source of competitiveness and value creation for almost every type of business. As a result, three things are increasingly common among corporate software engineering teams and the 20 million software developers that work for them: they seek faster innovation; they seek improved security; they utilize a massive volume of open source libraries. The universal desire for faster innovation demands efficient reuse of code, which in turn has led to a growing dependence on open source and third-party software libraries. These artifacts serve as reusable building blocks, which are fed into public repositories (npm, Maven Central, PyPI, NuGet Gallery, RubyGems, etc.) where they are freely borrowed by millions of developers in the pursuit of faster innovation. This is the definition of the modern software supply chain.
  12. Answer a list of questions. How often? How certain?
  13. Exponentially higher: Codecov, SolarWinds, Uber.
  14. How does it look? Summary. Scary?
  15. No magical/universal solution. If there is one question 42 cannot answer, it is this.
  16. It is a thing. Just knowing the word and talking about it doesn’t make you more secure.
  17. First security audit ever (or in a year) and you see this… Is everything really relevant? Where do you start from? Smallest effort with the highest gain?
  18. No magical/universal solution. If there is one question 42 cannot answer, it is this.