To the Left, to the Left: All your Security Shifted to the Left
Jamie Lee Coleman
● Role: Developer Advocate @ Sonatype, previously @ IBM
● Experience: Developer in Mainframe Software (CICS), WebSphere & OpenJ9 @ IBM
linkedin.com/in/jamie-coleman
@Jamie_Lee_C
Theresa Mammarella
● Software Engineer @ IBM
● Eclipse OpenJ9 JVM
● Native image prototyping
● Supply chain security
● Open source developer, community member and speaker
linkedin.com/in/tmammarella
@t_mammarella
Eddie Knight
● Sonatype Office of the CTO
● Maintainer @ FINOS
○ Compliant Financial Infrastructure
● Organizer @ CNCF
○ Cloud Native Security Slam
● Author of Nix (July 2023)
linkedin.com/in/knight1776
@the_eddieknight
https://eddieknight.dev
You Are Here
Threat Triage
The Mantra
Introduction
Software Dev
Dependencies
IaC
CI/CD
Diverse security efforts are valuable!
● Security Training
● Architecture Review
● Threat Modelling
● And more…
But they’re out of scope for this workshop.
Introduction
“Shift left is the practice of moving testing, quality, and performance evaluation early in the development process”
https://www.dynatrace.com/news/blog/what-is-shift-left-and-what-is-shift-right
● Plan for Secure Development
○ Time
○ Talent
○ Tools
● Build for Secure Development
○ The Mantra
● Test for Secure Development
○ SCA
○ *AST
Let’s put our security in the box to the left:
Get over it
I think you left some out
[Diagram of the code-to-cloud path; labels: Dev Environment, Application Code, Application Dependencies, SCA, SAST and Homebrew Tests, CI/CD Pipelines, Infrastructure as Code, App Deployment, Cloud Infrastructure]
The Mantra
1. Does this touch the internet?
2. Does this take untrusted input?
3. Does this handle sensitive data?
#1 - Does this touch the internet?
● Dependency Fetching
● User Input
● External API Calls
● Third-party Integrations
● Messaging, MQTT, WebSockets
● Uploads & Downloads
● etc...
If a feature touches the internet, we need to ensure end-to-end security from the supplier to the consumer.
#2 - Does this take untrusted input?
● UI Forms
● Calls to a Shared Database
● Cookies and HTTP Headers
● External API Responses
● And more…
If a feature takes untrusted input, we need to validate its integrity before use.
#3 - Does this handle sensitive data?
● Personally Identifiable Information
● Authentication / Authorization
● Private Communications
● Intellectual Property
● Location, Medical or Financial Data
● And more…
If a feature handles sensitive data, we must pay special care to encryption, handling, and storage.
1. Does this touch the internet?
2. Does this take untrusted input?
3. Does this handle sensitive data?
Ensure end-to-end security from the supplier to the consumer
Validate its integrity before use
Pay special care to encryption, handling, and storage
Secure Development is Achievable!
Let’s Practice:
https://github.com/sonatype-nexus-community/codetocloud-workshop
1. Review application code using the Mantra
2. Identify any un-mitigated risks
3. Create a GitHub Issue to discuss the risk
Dependency Management Calls for Automation!
(Begin tooling demonstration now)
Secure IaC is Difficult!
This section is not hands-on, because secure IaC is more nuanced.
1. IaC tools have dependencies too
2. Infrastructure has the largest surface area
3. Defaults are the devil in the details
IaC External Dependencies
1. Ansible Roles
2. CloudFormation Resources
3. Terraform Providers
4. Pulumi Resource Providers
Devil in the Details
1. Investigate Defaults for Every Resource
2. Parameterize ONLY Where Necessary
3. Remember The Mantra
Secure CI/CD
1. Pipeline permissions
2. Secret handling
3. Pipeline dependencies
a. (containers, actions, etc.)
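As an added example (not from the workshop or its repository), a small Python screen that checks a GitHub Actions workflow for the three points above: a permissions block, secrets interpolated straight into run: scripts, and actions or container images referenced by a mutable tag instead of a commit SHA or digest. The two workflow texts are constructed, and the 40-hex SHA and sha256 digest in the hardened one are placeholders, not real commits or images.

```python
"""Screen a GitHub Actions workflow for the three Secure CI/CD points:
pipeline permissions, secret handling, and pipeline dependencies.

Added example, not part of the workshop. The workflow texts below are
constructed; the 40-hex action SHA and the sha256 image digest are
placeholders, not real commits or images.
"""
from __future__ import annotations
import re

PERMISSIONS_RE = re.compile(r"^\s*permissions:")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
IMAGE_RE = re.compile(r"^\s*(container|image):\s*([^\s#]+)")
RUN_RE = re.compile(r"^(\s*)(-\s*)?run:\s*(.*)$")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str) -> list[str]:
    """Return one finding per weakness; an empty list means all checks passed."""
    findings: list[str] = []
    lines = text.splitlines()

    # 1. Pipeline permissions: without a permissions block the GITHUB_TOKEN
    #    keeps the repository's default scope, which may include write access.
    if not any(PERMISSIONS_RE.match(line) for line in lines):
        findings.append("no 'permissions:' block; GITHUB_TOKEN keeps the repository default scope")

    run_indent = None  # indentation of the 'run' key while inside a run: | block
    for n, line in enumerate(lines, 1):
        indent = len(line) - len(line.lstrip(" "))

        # 2. Secret handling: a secret interpolated into a run: script lands in
        #    process arguments and shell traces; pass it through env: instead.
        if run_indent is not None and (not line.strip() or indent > run_indent):
            body = line  # continuation line of a multi-line script
        else:
            run_indent = None
            m = RUN_RE.match(line)
            body = m.group(3) if m else None
            if m:
                run_indent = len(m.group(1)) + len(m.group(2) or "")
        if body is not None and SECRET_RE.search(body):
            findings.append(f"line {n}: secret interpolated into a run: script; pass it via env:")

        # 3. Pipeline dependencies: actions and container images referenced by a
        #    mutable tag can change underneath the pipeline; pin to a SHA/digest.
        m = USES_RE.match(line)
        if m and not m.group(1).startswith("./"):
            ref = m.group(1)
            pinned = "@" in ref and SHA_RE.match(ref.rsplit("@", 1)[1]) is not None
            if not pinned:
                findings.append(f"line {n}: '{ref}' is not pinned to a commit SHA")
        m = IMAGE_RE.match(line)
        if m and "@sha256:" not in m.group(2):
            findings.append(f"line {n}: image '{m.group(2)}' is not pinned to a digest")
    return findings


# Constructed workflow with one weakness for each check.
WEAK_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    container: maven:3.9
    steps:
      - uses: actions/checkout@v4
      - name: publish
        run: |
          mvn deploy -Dtoken=${{ secrets.NEXUS_TOKEN }}
"""

# Same pipeline with the weaknesses corrected (SHA and digest are placeholders).
HARDENED_WORKFLOW = """\
name: build
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    container: maven:3.9@sha256:0000000000000000000000000000000000000000000000000000000000000000
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: publish
        env:
          NEXUS_TOKEN: ${{ secrets.NEXUS_TOKEN }}
        run: |
          mvn deploy -Dtoken="$NEXUS_TOKEN"
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf) or "OK")
```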
Weakness & Vulnerability Triage
1. What is the vulnerability rating?
a. Place a higher priority on higher ratings
2. Does this cause breaking changes?
a. Reduce priority for more complex implementations (depending on how critical the rating is)
3. Do we have the skills/resources immediately available to implement this upgrade?
a. If not, mark as blocked until you do
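The three questions turned into a sortable work queue, as an added example that is not part of the workshop: rating sets the base priority, a breaking change lowers it by less the more critical the rating is, and items without skills or resources are marked blocked and kept at the back rather than dropped. The findings, component names and penalty values are constructed for illustration.

```python
"""Turn the three triage questions into an ordered upgrade queue.

Added example, not part of the workshop. The findings below are
constructed; ratings are CVSS-style base scores (0.0-10.0) and the
penalty values for breaking changes are an illustrative choice.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Finding:
    component: str             # constructed component name
    rating: float              # Q1: CVSS-style base score, 0.0-10.0
    breaking_upgrade: bool     # Q2: does the fix require a breaking change?
    resources_available: bool  # Q3: can we implement the upgrade right now?
    status: str = "ready"      # filled in by triage(): "ready" or "blocked"
    priority: float = 0.0      # filled in by triage(): higher is more urgent


# How much a breaking change lowers priority, by severity band: a critical
# finding barely moves, a low one drops towards the back of the queue.
BREAKING_PENALTY = {"critical": 0.5, "high": 1.5, "medium": 2.5, "low": 3.0, "none": 0.0}


def severity(rating: float) -> str:
    """Qualitative band for a CVSS v3 base score."""
    if rating >= 9.0:
        return "critical"
    if rating >= 7.0:
        return "high"
    if rating >= 4.0:
        return "medium"
    if rating > 0.0:
        return "low"
    return "none"


def compute_priority(f: Finding) -> float:
    """Q1: higher rating -> higher priority.
    Q2: a breaking change reduces priority, less so the more critical the rating."""
    score = f.rating
    if f.breaking_upgrade:
        score -= BREAKING_PENALTY[severity(f.rating)]
    return max(score, 0.0)


def triage(findings: list[Finding]) -> list[Finding]:
    """Order the backlog: ready items first by descending priority (simpler
    upgrades first on ties); blocked items (Q3) last so they are revisited, not lost."""
    for f in findings:
        f.priority = compute_priority(f)
        f.status = "ready" if f.resources_available else "blocked"
    return sorted(findings, key=lambda f: (f.status != "ready", -f.priority, f.breaking_upgrade))


def sample_findings() -> list[Finding]:
    """Constructed backlog: component names and scores are made up."""
    return [
        Finding("lib-medium", 5.3, breaking_upgrade=True, resources_available=True),
        Finding("lib-high-blocked", 8.1, breaking_upgrade=False, resources_available=False),
        Finding("lib-critical", 9.8, breaking_upgrade=True, resources_available=True),
        Finding("lib-high", 7.5, breaking_upgrade=False, resources_available=True),
    ]


if __name__ == "__main__":
    for f in triage(sample_findings()):
        print(f"{f.component:18} rating={f.rating:4} priority={f.priority:4.1f} {f.status}")
```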
Conclusion
1. Does this touch the internet?
2. Does this take untrusted input?
3. Does this handle sensitive data?
Ensure end-to-end security from the supplier to the consumer
Validate its integrity before use
Pay special care to encryption, handling, and storage
More Security Content @ KCDC
Hidden security features of the JVM - everything you didn’t know and more
Theresa Mammarella
Thursday, 11:15am
Room 2203
CVE 101: The Unfolding Of A Zero Day Attack
Theresa Mammarella
Friday, 11:00am
Room 2201
Code to Cloud Workshop

  • 1. To the Left, to the Left: All your Security Shifted to the Left
  • 2. Jamie Lee Coleman ● Role: Developer Advocate @ Sonatype, previously @ IBM ● Experience: Developer in Mainframe Software (CICS), WebSphere & OpenJ9 @ IBM linkedin.com/in/jamie-coleman @Jamie_Lee_C
  • 3. Theresa Mammarella ● Software Engineer @ IBM ● Eclipse OpenJ9 JVM ● Native image prototyping ● Supply chain security ● Open source developer, community member and speaker linkedin.com/in/tmammarella @t_mammarella
  • 4. Eddie Knight ● Sonatype Office of the CTO ● Maintainer @ FINOS ○ Compliant Financial Infrastructure ● Organizer @ CNCF ○ Cloud Native Security Slam ● Author of Nix (July 2023) linkedin.com/in/knight1776 @the_eddieknight https://eddieknight.dev
  • 5. You Are Here Threat Triage The Mantra Introduction Software Dev Dependencies IaC CI/CD
  • 6. Diverse security efforts are valuable! ● Security Training ● Architecture Review ● Threat Modelling ● And more… But they’re out of scope for this workshop. @the_eddieknight @t_mammarella
  • 7. Introduction: “Shift left is the practice of moving testing, quality, and performance evaluation early in the development process” https://www.dynatrace.com/news/blog/what-is-shift-left-and-what-is-shift-right
  • 8. Let’s put our security in the box to the left: ● Plan for Secure Development ○ Time ○ Talent ○ Tools ● Build for Secure Development ○ The Mantra ● Test for Secure Development ○ SCA ○ *AST (“Get over it” / “I think you left some out”)
  • 10. The Mantra 1. Does this touch the internet? 2. Does this take untrusted input? 3. Does this handle sensitive data?
  • 11. #1 - Does this touch the internet? ● Dependency Fetching ● User Input ● External API Calls ● Third-party Integrations ● Messaging, MQTT, WebSockets ● Uploads & Downloads ● etc... If a feature touches the internet, we need to ensure end-to-end security from the supplier to the consumer.
  • 12. #2 - Does this take untrusted input? ● UI Forms ● Calls to a Shared Database ● Cookies and HTTP Headers ● External API Responses ● And more… If a feature takes untrusted input, we need to validate its integrity before use.
  • 13. #3 - Does this handle sensitive data? ● Personally Identifiable Information ● Authentication / Authorization ● Private Communications ● Intellectual Property ● Location, Medical or Financial Data ● And more… If a feature handles sensitive data, we must pay special care to encryption, handling, and storage.
  • 14. 1. Does this touch the internet? Ensure end-to-end security from the supplier to the consumer. 2. Does this take untrusted input? Validate its integrity before use. 3. Does this handle sensitive data? Pay special care to encryption, handling, and storage.
  • 15. Secure Development is Achievable! Let’s Practice: https://github.com/sonatype-nexus-community/codetocloud-workshop 1. Review application code using the Mantra 2. Identify any un-mitigated risks 3. Create a GitHub Issue to discuss the risk
  • 16. Dependency Management Calls for Automation! (Begin tooling demonstration now)
  • 17. Secure IaC is Difficult! This section is not hands-on, because Secure IaC is more nuanced. 1. IaC tools have dependencies too 2. Infrastructure has the largest surface area 3. Defaults are the devil in the details
  • 18. IaC External Dependencies 1. Ansible Roles 2. CloudFormation Resources 3. Terraform Providers 4. Pulumi Resource Providers
  • 19. Devil in the Details 1. Investigate Defaults for Every Resource 2. Parameterize ONLY Where Necessary 3. Remember The Mantra
  • 20. Secure CI/CD 1. Pipeline permissions 2. Secret handling 3. Pipeline dependencies a. (containers, actions, etc.)
  • 21. Weakness & Vulnerability Triage 1. What is the vulnerability rating? a. Place a higher priority on higher ratings 2. Does this cause breaking changes? a. Reduce priority for more complex implementations (depending on how critical the rating is) 3. Do we have the skills/resources immediately available to implement this upgrade? a. If not, mark as blocked until you do
  • 22. Conclusion 1. Does this touch the internet? Ensure end-to-end security from the supplier to the consumer. 2. Does this take untrusted input? Validate its integrity before use. 3. Does this handle sensitive data? Pay special care to encryption, handling, and storage.
  • 23. More Security Content @ KCDC: Hidden security features of the JVM - everything you didn’t know and more (Theresa Mammarella, Thursday, 11:15am, Room 2203); CVE 101: The Unfolding Of A Zero Day Attack (Theresa Mammarella, Friday, 11:00am, Room 2201)
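As an added example for the Secure CI/CD slide (20) above, not code from the workshop or its repository: a check that runs the slide's three points (pipeline permissions, secret handling, pipeline dependencies) over a GitHub Actions workflow. The GitHub Actions format is assumed from the slide's mention of actions; the sample workflow is constructed for this example and its 40-zero commit SHA is a placeholder.

```python
import re
SHA_PIN = re.compile(r"^[0-9a-f]{40}$")            # immutable commit pin
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")   # action reference
IMAGE = re.compile(r"^\s*image:\s*([^\s#]+)")      # job or service container
RUN = re.compile(r"^(\s*)-?\s*run:\s*(.*)")        # shell step (inline or block)
SECRET = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")

def scan_workflow(text: str) -> list:
    """One finding per weak setting; an empty list means nothing was flagged."""
    lines = text.splitlines()
    findings = []
    # 1. Permissions: with no top-level block, GITHUB_TOKEN keeps the repository default scope.
    if not any(l.startswith("permissions:") for l in lines):
        findings.append("no top-level permissions: block")
    block_indent = None  # indent of the enclosing 'run: |' step, if inside one
    for n, line in enumerate(lines, 1):
        indent = len(line) - len(line.lstrip())
        if block_indent is not None and line.strip() and indent <= block_indent:
            block_indent = None  # dedent ends the script block
        m = RUN.match(line)
        if m and m.group(2).startswith(("|", ">")):
            block_indent = len(m.group(1))
        # 2. Secrets: expanded into a shell body they reach the process list and echoed output; use env:.
        if (m or block_indent is not None) and SECRET.search(line):
            findings.append(f"line {n}: secret interpolated directly into run:")
        # 3. Dependencies: tags and branches can move after review; only a SHA or digest is immutable.
        m = USES.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            name, _, ref = m.group(1).partition("@")
            if not SHA_PIN.match(ref):
                findings.append(f"line {n}: {name} pinned to mutable ref '{ref}'")
        m = IMAGE.match(line)
        if m and "@sha256:" not in m.group(1):
            findings.append(f"line {n}: image {m.group(1)} not pinned by digest")
    return findings

# Constructed sample workflow; the 40-zero SHA is a placeholder, not a real pin.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: node:20
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0000000000000000000000000000000000000000
      - run: npm publish --token ${{ secrets.NPM_TOKEN }}
      - run: |
          curl -H "Authorization: Bearer ${{ secrets.DEPLOY_TOKEN }}" https://example.invalid
"""
```

Running `scan_workflow(SAMPLE_WORKFLOW)` reports the missing permissions block, the digest-less image, the tag-pinned checkout action and both inline secrets, while the SHA-pinned step passes.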

Editor's Notes

  1. Greetings slide