
Security Testing for Containerized Applications

Everybody wants to run their code on Kubernetes these days, but it requires a radical change to your deployment process. You want to make sure you don’t create new vulnerabilities when you take this leap. What kind of security tests can you run in this pipeline to assert that this code does not contain any known vulnerabilities?

At Soluto, we started to migrate services to Kubernetes in the recent months, and we would like to share with you what we did. In this session I’m planning to cover our CI/CD pipeline, and give extra attention to the following points:

Scanning code dependencies
Scanning containers
Testing for insecure Kubernetes configurations
Deploying securely to a Kubernetes cluster

Join this session to hear our story and learn about many useful tools you can start using today to deploy secure apps to your Kubernetes cluster. All the tools I’ll present are open source, so using them should be as simple as possible.

Published in: Technology

  1. Security Testing for Containerized Apps. Join the conversation: #DevSecCon. @omerlh @SolutoEng
  2. http://lolcode.org/
  3. Soluto: helping people get the most out of their technology. https://www.solutotlv.com/
  4. You Can’t Do it Alone
  5. Letting Go Responsibly. AppSec @ Soluto:
      ● Threat Modeling
      ● Empowering
      ● Education
      ● Automation
  6. Our Quest: Securing Containerized Apps
  7. Layers of a Containerized App: Code, Dependencies, Docker Image
  8. What kind of security tests?
      ● Static
      ● Dynamic
      ● Integrated (not covered in this talk)
      Using only FOSS tools
  9. Static Analysis
  10. What?
      ● Scanning static assets (e.g. source code)
      ● Language aware
      ● Different tools for different layers
      ● Points to where the issue is
  11. Code Layer
      ● Scan the code for vulnerabilities
      ● Different tools for different languages:
        ○ Bandit – Python
        ○ Brakeman – Ruby on Rails
        ○ Find Security Bugs – Java
        ○ TSLint – TypeScript
        ○ OWASP Source Code Analyzers list
  12. Example: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/
  13. Dependencies Layer
      ● 3rd-party code used by the app
      ● Usually installed by a package manager (PyPI, Gem, NuGet, NPM)
      ● Each dependency might include a known vulnerability (OWASP Top 10 A9, Using Components with Known Vulnerabilities)
      ● OWASP Dependency Track
  14. https://snyk.io/stateofossecurity/
  15. NPQ
  16. Docker Image Layer
      ● Contains the “OS”
      ● 3rd-party software installed
      ● App engine (Node.js, .NET Core, etc.)
      ● Each one could contain known vulnerabilities
      ● Multiple open source solutions: Clair, Anchore, OWASP Dependency Track
  17. https://www.banyanops.com/pdf/BanyanOps-AnalyzingDockerHub-WhitePaper.pdf
  18. Playing with Anchore Engine
  19. Dynamic Analysis
  20. What?
      ● Scanning the live app
      ● Language agnostic, protocol aware
      ● Only detects issues, not what causes them
      ● Simple with OWASP ZAP:
        ○ Passive
        ○ Active
      ● Leveraging Docker for local runs
  21. Passive Scan
      ● Proxies black-box tests
      ● Scans HTTP requests/responses
      ● HTTP static analysis
      ● Looks for security issues
      ● Fast, not risky
  22. Active Scan
      ● Discovers all endpoints
      ● Crafts malicious requests
      ● Tests that the server can handle those requests
      ● Slow, could cause damage
  23. Bringing it All Together
  24. Building our CI/CD Pipeline
      ❑ Break the build or it didn’t happen
      ❑ False positives
      ❑ Keep it DRY
      ❑ Ownership
  25. Let’s add some Glue: the “DevSecOps Tool”
  26. Building our CI/CD Pipeline
      ✓ Break the build or it didn’t happen
      ✓ False positives
      ✓ Keep it DRY
      ✓ Ownership
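As an added example (not code from the talk, from Soluto, or from OWASP ZAP), here is the kind of gate that slides 20 to 26 describe: read a ZAP JSON report, break the build on Medium-or-higher findings, and keep one reviewed allowlist that both suppresses known false positives in this gate and feeds the rules file for zap-baseline.py. It assumes ZAP's traditional JSON report layout (a `site` list whose entries carry `alerts` with string `pluginid` and `riskcode` values, 0 to 3 from Informational to High) and the tab-separated rules format read by `zap-baseline.py -c`; the report content below is constructed, although the plugin ids are real ZAP rule ids.

```python
import json

# Constructed ZAP-style report (not real scan output); plugin ids are real ZAP rule ids.
SAMPLE_REPORT = json.dumps({"site": [{"@name": "http://localhost:8080", "alerts": [
    {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
     "instances": [{"uri": "http://localhost:8080/", "method": "GET"}]},
    {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
     "instances": [{"uri": "http://localhost:8080/", "method": "GET"}]},
    {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
     "instances": [{"uri": "http://localhost:8080/search?q=x", "method": "GET"},
                   {"uri": "http://localhost:8080/login", "method": "POST"}]},
]}]})

# Reviewed false positives (plugin id -> reason), versioned next to the pipeline so the
# team owns it like code ("Ownership" on slide 24). Assumed content for the example.
ALLOWLIST = {"10038": "CSP is added by the ingress in front of the app, not by the app"}

RISK = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def load_alerts(report_json):
    """Flatten the report into (pluginid, name, risk, sorted affected URIs) tuples."""
    out = []
    for site in json.loads(report_json).get("site", []):
        for a in site.get("alerts", []):
            uris = sorted({i.get("uri", "") for i in a.get("instances", [])})
            out.append((a["pluginid"], a.get("alert") or a.get("name", ""), int(a["riskcode"]), uris))
    return out


def evaluate(report_json, fail_at=2, allowlist=ALLOWLIST):
    """Return (should_fail, failing, suppressed). Alerts at or above fail_at (default
    Medium) fail the build unless their plugin id is on the reviewed allowlist."""
    failing, suppressed = [], []
    for alert in load_alerts(report_json):
        if alert[2] >= fail_at:
            (suppressed if alert[0] in allowlist else failing).append(alert)
    return bool(failing), failing, suppressed


def baseline_rules(allowlist=ALLOWLIST):
    """Emit the allowlist as zap-baseline.py config lines (plugin id, IGNORE, comment,
    tab-separated) so a single file drives both the scan and this gate ("Keep it DRY")."""
    return [f"{pid}\tIGNORE\t({reason})" for pid, reason in sorted(allowlist.items())]


if __name__ == "__main__":
    should_fail, failing, suppressed = evaluate(SAMPLE_REPORT)
    for tag, group in (("FAIL", failing), ("SUPPRESSED", suppressed)):
        for pid, name, risk, uris in group:
            print(f"{tag} {pid} {name} [{RISK[risk]}] at {', '.join(uris)}")
    raise SystemExit(1 if should_fail else 0)  # non-zero exit breaks the build
```

In a real job the report comes from `zap-baseline.py -J report.json` (passive) or `zap-full-scan.py` (active) run against the locally started container, and `baseline_rules()` is written to the file passed with `-c`.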
  27. Image Certification: only images that passed all the tests should be used in production
      ● Build dependency
      ● Image labels
      ● Image signing
      ● Image policy
  28. What do we have @ Soluto?
      ● Static analysis
        ✓ Source code scan
        ❑ Dependencies scan (in progress)
        ❑ Image scan
      ● Dynamic analysis
        ✓ Passive
        ❑ Active (in progress)
  29. Demo Time: all the code is on GitHub
  30. Testing the LolCode App
      ● Static analysis?
        ✕ Nothing for source code
        ✕ No package manager (which is good?)
        ❑ Image scanning
      ● Dynamic analysis
        ✓ Passive
        ❑ Active
  31. Let’s see it Live! Hope it will work… else I’ll show you slides with screenshots
  32. Wrapping Up
  33. What we discussed
      ● Layers of Containerized Applications
      ● Kinds of Tests & FOSS Tools
        ○ Static (OWASP Dependency Track)
        ○ Dynamic (OWASP ZAP)
      ● Building the pipeline
        ○ OWASP Glue
        ○ Image Certification
  34. Where Do I Start?
  35. Our Quest: Securing Containerized Apps
  36. Questions?
  37. Resources
      • TechBeacon: Security Tests for Containerized Applications
      • Guide: Dynamic Security Testing with OWASP ZAP
      • Post: Dynamic Security Testing Made Easy
      • Slides: Getting Started with OWASP Glue
  38. Join the conversation #DevSecCon. Thank You! @omerlh @SolutoEng
