SlideShare a Scribd company logo

A Developer’s Guide to Kubernetes Security

Gene Gotimer
Gene Gotimer

Kubernetes is spreading like crazy across our industry, but most of us are just thrown into the deep end and expected to learn it ourselves. And we do, sort of. We figure out just enough to get our job done, but we don’t have the experience to know if we are doing it right. There is a lot to learn in a technology that is rapidly evolving. The good news is that there are tools and practices to help show us the way. Join Gene as he shows you what you need to know as a developer to use Kubernetes safely and effectively. He’ll show you some tools you can use to ensure your containers are available, resilient, and secure. They won’t slow you down, won’t cost an arm and a leg, and won’t need you to be a security expert or experienced cloud architect. We’ll use Kubernetes to help us deploy software, not worrying if it will get us fired.

Software
1 of 39
Download to read offline
A Developer’s Guide to Kubernetes Security Gene Gotimer DevOps Engineer at Praeses, LLC @OtherDevOpsGene @OtherDevOpsGene #AllThingsOpen 1
Define and Design the Optimal Survey Experience​ SECURITY CIA 2 @OtherDevOpsGene #AllThingsOpen Availability
Define and Design the Optimal Survey Experience​ SECURITY Least privilege • Don’t grant privileges unless needed • Reduce blast radius 3 @OtherDevOpsGene #AllThingsOpen
4 @OtherDevOpsGene #AllThingsOpen KUBERNETES Layers Hosts Cluster Deployments Container images Application code
Code Images Deployment Maintenance Wrap-up 5 @OtherDevOpsGene #AllThingsOpen Hosts Cluster Deployment Image Code
Define and Design the Optimal Survey Experience​ CODE Threat modeling • What are we protecting? • Why are we protecting it? • How might it be compromised? • What happens if we fail to protect it? • How will we react/respond and move on? 6 @OtherDevOpsGene #AllThingsOpen
7 @OtherDevOpsGene #AllThingsOpen
Define and Design the Optimal Survey Experience​ CODE Threat modeling • STRIDE • OWASP Threat Dragon • PASTA • CAIRIS • Threagile 8 @OtherDevOpsGene #AllThingsOpen
Define and Design the Optimal Survey Experience​ CODE SAST Static application security testing Scan our source code • Look for risky/dangerous practices • Memory leaks • SQL injections • Race conditions • Untrusted inputs • Unfiltered outputs 9 @OtherDevOpsGene #AllThingsOpen
SAST CODE 10 Semgrep • Supports 30+ languages • Python, Docker, and cloud versions • Code stays local in all three $ pip install -U semgrep $ semgrep scan --config auto $ docker pull returntocorp/semgrep $ docker run --rm –v "$(pwd):/src" returntocorp/semgrep semgrep scan --config auto @OtherDevOpsGene #AllThingsOpen
Static code analysis CODE 11 $ semgrep scan --config auto … ┌──────────────────┐ │ 29 Code Findings │ └──────────────────┘ app/routes/contributions.js javascript.browser.security.eval-detected.eval-detected Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. Details: https://sg.run/7ope 32┆ const preTax = eval(req.body.preTax); ⋮┆---------------------------------------- 33┆ const afterTax = eval(req.body.afterTax); ⋮┆---------------------------------------- 34┆ const roth = eval(req.body.roth); ⋮┆---------------------------------------- javascript.lang.security.audit.code-string-concat.code-string-concat Found data from an Express or Next web request flowing to `eval`. If this data is user- controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible. Details: https://sg.run/96Yk @OtherDevOpsGene #AllThingsOpen
Define and Design the Optimal Survey Experience​ CODE SCA Software composition analysis Scan our dependencies • and their transitive dependencies • 6/7 vulns come from transitive dependencies 12 @OtherDevOpsGene #AllThingsOpen
SCA CODE 13 Trivy • Filesystems • Git repos • Container images $ docker pull aquasec/trivy $ docker run --rm –v "$(pwd):/work" –workdir /work aquasec/trivy filesystem . @OtherDevOpsGene #AllThingsOpen
SCA CODE 14 $ trivy filesystem . … package-lock.json (npm) ======================= Total: 39 (UNKNOWN: 0, LOW: 2, MEDIUM: 9, HIGH: 21, CRITICAL: 7) ┌──────────────────────┬─────────────────────┬──────────┬──────────┬───────────────────┬──────────────── │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version ├──────────────────────┼─────────────────────┼──────────┼──────────┼───────────────────┼──────────────── │ bson │ CVE-2020-7610 │ CRITICAL │ fixed │ 1.0.9 │ 1.1.4 │ │ │ │ │ │ │ │ │ │ │ │ │ ├─────────────────────┼──────────┤ │ │ │ │ CVE-2019-2391 │ MEDIUM │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ├──────────────────────┼─────────────────────┼──────────┤ ├───────────────────┼──────────────── │ decode-uri-component │ CVE-2022-38900 │ HIGH │ │ 0.2.0 │ 0.2.1 │ │ │ │ │ │ ├──────────────────────┼─────────────────────┤ │ ├───────────────────┼──────────────── │ glob-parent │ CVE-2020-28469 │ │ │ 3.1.0 │ 5.1.2 │ │ │ │ │ │ ├──────────────────────┼─────────────────────┼──────────┤ ├───────────────────┼──────────────── │ helmet-csp │ GHSA-c3m8-x3cg-qm2c │ MEDIUM │ │ 1.2.2 │ 2.9.1 @OtherDevOpsGene #AllThingsOpen
SCA CODE 15 Grype • Filesystems • Container images • Finds some different vulns than Trivy $ docker pull anchore/grype $ docker run --rm -v "$(pwd):/work" -workdir /work anchore/grype dir:. @OtherDevOpsGene #AllThingsOpen
SCA CODE 16 $ grype dir:. NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY adm-zip 0.4.4 0.4.11 npm GHSA-3v6h-hqm4-2rg6 Medium ajv 6.10.0 6.12.3 npm GHSA-v88g-cgmw-v5xw Medium ansi-regex 3.0.0 3.0.1 npm GHSA-93q8-gq69-wqmw High async 2.6.1 2.6.4 npm GHSA-fwr7-v2mv-hh25 High bl 1.0.3 1.2.3 npm GHSA-pp7h-53gx-mx7r Medium bl 1.1.2 1.2.3 npm GHSA-pp7h-53gx-mx7r Medium brace-expansion 1.1.6 1.1.7 npm GHSA-832h-xg76-4gv6 High braces 1.8.5 2.3.1 npm GHSA-g95f-p29q-9xw4 Low braces 1.8.5 2.3.1 npm GHSA-cwfw-4gq5-mrqx Low bson 1.0.9 1.1.4 npm GHSA-v8w9-2789-6hhr Critical bson 1.0.9 1.1.4 npm GHSA-4jwp-vfvf-657p Medium chownr 1.0.1 1.1.0 npm GHSA-c6rq-rjc2-86v2 Low cryptiles 0.2.2 4.1.2 npm GHSA-rq8g-5pc5-wrhr Critical cryptiles 2.0.5 4.1.2 npm GHSA-rq8g-5pc5-wrhr Critical debug 2.2.0 2.6.9 npm GHSA-9vvw-cc9w-f27h High debug 2.2.0 2.6.9 npm GHSA-gxpj-cx7g-858c Medium decode-uri-component 0.2.0 0.2.1 npm GHSA-w573-4hg7-7wgq High diff 1.4.0 3.5.0 npm GHSA-h6ch-v84p-w6p9 High dot-prop 4.2.0 4.2.1 npm GHSA-ff7x-qrg7-qggm High extend 3.0.0 3.0.2 npm GHSA-qrmc-fj45-qfc2 Medium fsevents 1.2.9 1.2.11 npm GHSA-xv2f-5jw4-v95m Critical fstream 1.0.10 1.0.12 npm GHSA-xf7w-r453-m56c High @OtherDevOpsGene #AllThingsOpen
Code Image Deployment Maintenance Wrap-up 17 @OtherDevOpsGene #AllThingsOpen Hosts Cluster Deployment Image Code
Define and Design the Optimal Survey Experience​ IMAGE Base images • Include the minimal supporting software • Reduce the blast radius Base image choices • scratch (nothing but the application) • Distroless (minimal supporting files) • Small image (Alpine or BusyBox) • Minimal Linux (Slim or UBI Micro) • Anything else (you have made a mistake) 18 @OtherDevOpsGene #AllThingsOpen
Define and Design the Optimal Survey Experience​ IMAGE Automated builds • Builds should be repeatable and reliable • That means automated • Dockerfile and/or pipeline • GitHub Actions • GitLab CI/CD • Infrastructure-as-code (IaC) 19 @OtherDevOpsGene #AllThingsOpen
IaC analysis IMAGE 20 Checkov • Dockerfiles • Kubernetes manifests $ pip install -U checkov $ checkov -d . $ docker pull bridgecrew/checkov $ docker run --rm --tty -v "$(pwd):/work" -workdir /work bridgecrew/checkov checkov -d . @OtherDevOpsGene #AllThingsOpen
IaC analysis IMAGE 21 $ checkov -d . --quiet --compact dockerfile scan results: Passed checks: 57, Failed checks: 1, Skipped checks: 0 Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images" FAILED for resource: /Dockerfile. File: /Dockerfile:1-18 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud- code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions- have-been-added-to-container-images.html github_actions scan results: Passed checks: 56, Failed checks: 2, Skipped checks: 0 Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all" FAILED for resource: on(E2E Test) File: /.github/workflows/e2e-test.yml:0-1 Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all" FAILED for resource: on(Lint) File: /.github/workflows/lint.yml:0-1 @OtherDevOpsGene #AllThingsOpen
SCA IMAGE 22 $ trivy image nodegoat:dev … nodegoat:dev (alpine 3.15.4) ============================ Total: 21 (UNKNOWN: 0, LOW: 0, MEDIUM: 12, HIGH: 8, CRITICAL: 1) ┌──────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────── │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title ├──────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────── │ libcrypto1.1 │ CVE-2022-4450 │ HIGH │ fixed │ 1.1.1n-r0 │ 1.1.1t-r0 │ double free af │ │ │ │ │ │ │ https://avd.aq │ ├────────────────┤ │ │ │ ├─────────────── │ │ CVE-2023-0215 │ │ │ │ │ use-after-free │ │ │ │ │ │ │ https://avd.aq │ ├────────────────┤ │ │ │ ├─────────────── │ │ CVE-2023-0286 │ │ │ │ │ X.400 address │ │ │ │ │ │ │ https://avd.aq │ ├────────────────┤ │ │ ├───────────────┼─────────────── │ │ CVE-2023-0464 │ │ │ │ 1.1.1t-r2 │ Denial of serv │ │ │ │ │ │ │ X509 policy co │ │ │ │ │ │ │ https://avd.aq │ ├────────────────┼──────────┤ │ ├───────────────┼─────────────── │ │ CVE-2022-2097 │ MEDIUM │ │ │ 1.1.1q-r0 │ AES OCB fails │ │ │ │ │ │ │ https://avd.aq @OtherDevOpsGene #AllThingsOpen
SCA IMAGE 23 $ grype docker:nodegoat:dev NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY ansi-regex 3.0.0 3.0.1 npm GHSA-93q8-gq69-wqmw High ansi-regex 4.1.0 4.1.1 npm GHSA-93q8-gq69-wqmw High bson 1.0.9 1.1.4 npm GHSA-v8w9-2789-6hhr Critical bson 1.0.9 1.1.4 npm GHSA-4jwp-vfvf-657p Medium busybox 1.34.1-r5 apk CVE-2022-48174 Critical debug 2.2.0 2.6.9 npm GHSA-9vvw-cc9w-f27h High debug 2.2.0 2.6.9 npm GHSA-gxpj-cx7g-858c Medium decode-uri-component 0.2.0 0.2.1 npm GHSA-w573-4hg7-7wgq High glob-parent 3.1.0 5.1.2 npm GHSA-ww39-953v-wcq6 High got 6.7.1 11.8.5 npm GHSA-pfrx-2q88-qq97 Medium helmet-csp 1.2.2 2.9.1 npm GHSA-c3m8-x3cg-qm2c Medium http-cache-semantics 3.8.1 4.1.1 npm GHSA-rc47-6667-2j5j High i 0.3.6 0.3.7 npm GHSA-x55w-vjjp-222r High ini 1.3.5 1.3.6 npm GHSA-qqgx-2p2h-9c37 High kind-of 6.0.2 6.0.3 npm GHSA-6c8f-qphg-qjgp High libcrypto1.1 1.1.1n-r0 1.1.1t-r2 apk CVE-2023-0464 High libcrypto1.1 1.1.1n-r0 1.1.1t-r0 apk CVE-2023-0286 High libcrypto1.1 1.1.1n-r0 1.1.1t-r0 apk CVE-2023-0215 High libcrypto1.1 1.1.1n-r0 1.1.1t-r0 apk CVE-2022-4450 High libcrypto1.1 1.1.1n-r0 1.1.1v-r0 apk CVE-2023-3817 Medium libcrypto1.1 1.1.1n-r0 1.1.1u-r2 apk CVE-2023-3446 Medium libcrypto1.1 1.1.1n-r0 1.1.1u-r0 apk CVE-2023-2650 Medium @OtherDevOpsGene #AllThingsOpen
Code Image Deployment Maintenance Wrap-up 24 @OtherDevOpsGene #AllThingsOpen Hosts Cluster Deployment Image Code
Define and Design the Optimal Survey Experience​ DEPLOYMENT Recommended practices Principle of least privilege • Prevent privileged containers • Require the file system to be read-only Protect the image supply chain • Use a specific version of an image Ensure availability • Set memory and CPU requests/limits • Liveness and readiness probes 25 @OtherDevOpsGene #AllThingsOpen
IaC analysis DEPLOYMENT 26 $ checkov -d . --quiet --compact kubernetes scan results: Passed checks: 1066, Failed checks: 180, Skipped checks: 0 Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation" FAILED for resource: Deployment.sock-shop.front-end File: /09-front-end-dep.yaml:2-52 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud- code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html Check: CKV_K8S_43: "Image should use digest" FAILED for resource: Deployment.sock-shop.front-end File: /09-front-end-dep.yaml:2-52 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud- code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary" FAILED for resource: Deployment.sock-shop.front-end File: /09-front-end-dep.yaml:2-52 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud- code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html Check: CKV_K8S_29: "Apply security context to your pods and containers" FAILED for resource: Deployment.sock-shop.front-end File: /09-front-end-dep.yaml:2-52 @OtherDevOpsGene #AllThingsOpen
Code Image Deployment Maintenance Wrap-up 27 @OtherDevOpsGene #AllThingsOpen
Dependency updates MAINTENANCE 28 Renovate • Checks dependencies and transitive deps • Checks base images • Runs as GitHub Action • Runs in GitLab CI/CD • Creates PRs for available updates • Can automerge (e.g., high test coverage) @OtherDevOpsGene #AllThingsOpen
Dependency updates MAINTENANCE 29 @OtherDevOpsGene #AllThingsOpen
Define and Design the Optimal Survey Experience​ MAINTENANCE Frequent builds • Latest patches • Latest base images • Frequent pipeline scans for vulnerabilities • Repeated testing • It’s automated anyway, so why not? 30 @OtherDevOpsGene #AllThingsOpen
Define and Design the Optimal Survey Experience​ MAINTENANCE Clean code • Keep code quality high • You are scanning anyway • Use a consistent style • Fewer mistakes • Fewer misunderstandings • Easier code reviews • Can focus on content, not style 31 @OtherDevOpsGene #AllThingsOpen
Code Image Deployment Maintenance Wrap-up 32 @OtherDevOpsGene #AllThingsOpen
Define and Design the Optimal Survey Experience​ WRAP-UP Key takeaways • Scan your code. • Scan your dependencies and keep them updated. • Use the smallest base image you can. • Scan your images and keep them updated. • Use automation and scan your IaC. • Rebuild frequently and keep everything updated. 33 @OtherDevOpsGene #AllThingsOpen
Define and Design the Optimal Survey Experience​ WRAP-UP Single biggest win Keep everything up-to-date. 34 @OtherDevOpsGene #AllThingsOpen
Define and Design the Optimal Survey Experience​ WRAP-UP Tools OWASP NodeGoat: https://github.com/OWASP/NodeGoat Semgrep: https://github.com/returntocorp/semgrep Aqua Security Trivy: https://github.com/aquasecurity/trivy Anchore Grype: https://github.com/anchore/grype Checkov by Bridgecrew: https://github.com/bridgecrewio/checkov Google Distroless: https://github.com/GoogleContainerTools/distroless Chainguard Distroless: https://github.com/chainguard-images Sock Shop: https://github.com/microservices-demo/microservices-demo Renovate: https://github.com/renovatebot/renovate 35 @OtherDevOpsGene #AllThingsOpen
Define and Design the Optimal Survey Experience​ WRAP-UP Threat modeling STRIDE https://learn.microsoft.com/en- us/azure/security/develop/threat-modeling-tool-threats OWASP Threat Dragon https://www.threatdragon.com/ PASTA https://versprite.com/blog/what-is-pasta-threat-modeling/ CAIRIS https://cairis.org/ Threagile https://threagile.io/ 36 @OtherDevOpsGene #AllThingsOpen
Define and Design the Optimal Survey Experience​ WRAP-UP More talks and info Keeping Your Kubernetes Cluster Secure Castle Defense 101 (aka Threat Modeling) Trivy and Grype demos https://www.youtube.com/@otherdevopsgene Kubernetes tool wrappers https://github.com/OtherDevOpsGene/k8s-tool-wrappers 37 @OtherDevOpsGene #AllThingsOpen
Innovative Technology Firm based in Shreveport, LA and founded in 1987 2018 - 2019 Louisiana SBIR Company of the Year Praeses has worked with the US Federal Government for almost 20 Years Small business with 85+ Employees WHO WE ARE Hiring Software Engineers We are seeking talented software engineers to maintain, update, and build user interfaces centered on data visualization. This engineering role requires strong development chops, a good eye for the aesthetics, and the ability to think through the user experience on both data visualization and interactivity. • Mithril.js • Rust • Actix • Ruby on Rails • HTML/CSS • JavaScript • SQL • C# • SSIS • SSRS • MongoDB • SQL Server • Rancher • Kubernetes • Helm • Docker • GRPC • 2-6 years exp in software dev/eng in multiple software languages • Willingness to learn new languages and technologies • Motivated by solving challenging problems and continuously learning • U.S. Citizenship required by government contract
Questions? Gene Gotimer DevOps Engineer at Praeses, LLC @OtherDevOpsGene @OtherDevOpsGene #AllThingsOpen 39

Recommended

[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
 
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Community
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureSergey Gordeychik
 
Keeping Your Kubernetes Cluster Secure
Keeping Your Kubernetes Cluster SecureKeeping Your Kubernetes Cluster Secure
Keeping Your Kubernetes Cluster SecureGene Gotimer
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Michael Man
 
RSA NetWitness Log Decoder
RSA NetWitness Log DecoderRSA NetWitness Log Decoder
RSA NetWitness Log DecoderSusam Pal
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)Jooho Lee
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileOleg Gryb
 

Recommended

[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
 
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Community
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureSergey Gordeychik
 
Keeping Your Kubernetes Cluster Secure
Keeping Your Kubernetes Cluster SecureKeeping Your Kubernetes Cluster Secure
Keeping Your Kubernetes Cluster SecureGene Gotimer
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Michael Man
 
RSA NetWitness Log Decoder
RSA NetWitness Log DecoderRSA NetWitness Log Decoder
RSA NetWitness Log DecoderSusam Pal
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)Jooho Lee
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileOleg Gryb
 
4Developers 2015: Continuous Security in DevOps - Maciej Lasyk
4Developers 2015: Continuous Security in DevOps - Maciej Lasyk4Developers 2015: Continuous Security in DevOps - Maciej Lasyk
4Developers 2015: Continuous Security in DevOps - Maciej LasykPROIDEA
 
Continuous Security in DevOps
Continuous Security in DevOpsContinuous Security in DevOps
Continuous Security in DevOpsMaciej Lasyk
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 
Macdoored
MacdooredMacdoored
MacdooredShakacon
 
Engineering Challenges Doing Intrusion Detection in the Cloud
Engineering Challenges Doing Intrusion Detection in the CloudEngineering Challenges Doing Intrusion Detection in the Cloud
Engineering Challenges Doing Intrusion Detection in the Cloudrandomuserid
 
Continuous Delivery: The Next Frontier
Continuous Delivery: The Next FrontierContinuous Delivery: The Next Frontier
Continuous Delivery: The Next FrontierCarlos Sanchez
 
Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5Keisuke Takahashi
 
Through the firewall with miniCRAN
Through the firewall with miniCRANThrough the firewall with miniCRAN
Through the firewall with miniCRANRevolution Analytics
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisAndrey Karpov
 
FreeBSD: Dev to Prod
FreeBSD: Dev to ProdFreeBSD: Dev to Prod
FreeBSD: Dev to ProdSean Chittenden
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CDSimon Bennetts
 
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Research
 
Be Mean to Your Code
Be Mean to Your CodeBe Mean to Your Code
Be Mean to Your CodeJames Wickett
 
SUSE - performance analysis-with_ceph
SUSE - performance analysis-with_cephSUSE - performance analysis-with_ceph
SUSE - performance analysis-with_cephinwin stack
 
Audit
AuditAudit
AuditMark Ellzey Thomas
 
Testing Terraform
Testing TerraformTesting Terraform
Testing TerraformNathen Harvey
 
FIWARE Tech Summit - Docker Swarm Secrets for Creating Great FIWARE Platforms
FIWARE Tech Summit - Docker Swarm Secrets for Creating Great FIWARE PlatformsFIWARE Tech Summit - Docker Swarm Secrets for Creating Great FIWARE Platforms
FIWARE Tech Summit - Docker Swarm Secrets for Creating Great FIWARE PlatformsFIWARE
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Velocidex Enterprises
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisTamas K Lengyel
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
 
How I Learned to Stop Worrying and Love Legacy Code
How I Learned to Stop Worrying and Love Legacy CodeHow I Learned to Stop Worrying and Love Legacy Code
How I Learned to Stop Worrying and Love Legacy CodeGene Gotimer
 
Ten Ways To Doom Your DevOps
Ten Ways To Doom Your DevOpsTen Ways To Doom Your DevOps
Ten Ways To Doom Your DevOpsGene Gotimer
 

More Related Content

Similar to A Developer’s Guide to Kubernetes Security

4Developers 2015: Continuous Security in DevOps - Maciej Lasyk
4Developers 2015: Continuous Security in DevOps - Maciej Lasyk4Developers 2015: Continuous Security in DevOps - Maciej Lasyk
4Developers 2015: Continuous Security in DevOps - Maciej LasykPROIDEA
 
Continuous Security in DevOps
Continuous Security in DevOpsContinuous Security in DevOps
Continuous Security in DevOpsMaciej Lasyk
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 
Engineering Challenges Doing Intrusion Detection in the Cloud
Engineering Challenges Doing Intrusion Detection in the CloudEngineering Challenges Doing Intrusion Detection in the Cloud
Engineering Challenges Doing Intrusion Detection in the Cloudrandomuserid
 
Continuous Delivery: The Next Frontier
Continuous Delivery: The Next FrontierContinuous Delivery: The Next Frontier
Continuous Delivery: The Next FrontierCarlos Sanchez
 
Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5Keisuke Takahashi
 
Through the firewall with miniCRAN
Through the firewall with miniCRANThrough the firewall with miniCRAN
Through the firewall with miniCRANRevolution Analytics
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisAndrey Karpov
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CDSimon Bennetts
 
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Research
 
Be Mean to Your Code
Be Mean to Your CodeBe Mean to Your Code
Be Mean to Your CodeJames Wickett
 
SUSE - performance analysis-with_ceph
SUSE - performance analysis-with_cephSUSE - performance analysis-with_ceph
SUSE - performance analysis-with_cephinwin stack
 
FIWARE Tech Summit - Docker Swarm Secrets for Creating Great FIWARE Platforms
FIWARE Tech Summit - Docker Swarm Secrets for Creating Great FIWARE PlatformsFIWARE Tech Summit - Docker Swarm Secrets for Creating Great FIWARE Platforms
FIWARE Tech Summit - Docker Swarm Secrets for Creating Great FIWARE PlatformsFIWARE
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Velocidex Enterprises
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisTamas K Lengyel
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
 

Similar to A Developer’s Guide to Kubernetes Security (20)

4Developers 2015: Continuous Security in DevOps - Maciej Lasyk
4Developers 2015: Continuous Security in DevOps - Maciej Lasyk4Developers 2015: Continuous Security in DevOps - Maciej Lasyk
4Developers 2015: Continuous Security in DevOps - Maciej Lasyk
 
Continuous Security in DevOps
Continuous Security in DevOpsContinuous Security in DevOps
Continuous Security in DevOps
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
 
Macdoored
MacdooredMacdoored
Macdoored
 
Engineering Challenges Doing Intrusion Detection in the Cloud
Engineering Challenges Doing Intrusion Detection in the CloudEngineering Challenges Doing Intrusion Detection in the Cloud
Engineering Challenges Doing Intrusion Detection in the Cloud
 
Continuous Delivery: The Next Frontier
Continuous Delivery: The Next FrontierContinuous Delivery: The Next Frontier
Continuous Delivery: The Next Frontier
 
Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5Trying and evaluating the new features of GlusterFS 3.5
Trying and evaluating the new features of GlusterFS 3.5
 
Through the firewall with miniCRAN
Through the firewall with miniCRANThrough the firewall with miniCRAN
Through the firewall with miniCRAN
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code Analysis
 
FreeBSD: Dev to Prod
FreeBSD: Dev to ProdFreeBSD: Dev to Prod
FreeBSD: Dev to Prod
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD
 
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
 
Be Mean to Your Code
Be Mean to Your CodeBe Mean to Your Code
Be Mean to Your Code
 
SUSE - performance analysis-with_ceph
SUSE - performance analysis-with_cephSUSE - performance analysis-with_ceph
SUSE - performance analysis-with_ceph
 
Audit
AuditAudit
Audit
 
Testing Terraform
Testing TerraformTesting Terraform
Testing Terraform
 
FIWARE Tech Summit - Docker Swarm Secrets for Creating Great FIWARE Platforms
FIWARE Tech Summit - Docker Swarm Secrets for Creating Great FIWARE PlatformsFIWARE Tech Summit - Docker Swarm Secrets for Creating Great FIWARE Platforms
FIWARE Tech Summit - Docker Swarm Secrets for Creating Great FIWARE Platforms
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware Analysis
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 

More from Gene Gotimer

How I Learned to Stop Worrying and Love Legacy Code
How I Learned to Stop Worrying and Love Legacy CodeHow I Learned to Stop Worrying and Love Legacy Code
How I Learned to Stop Worrying and Love Legacy CodeGene Gotimer
 
Ten Ways To Doom Your DevOps
Ten Ways To Doom Your DevOpsTen Ways To Doom Your DevOps
Ten Ways To Doom Your DevOpsGene Gotimer
 
Keeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureKeeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureGene Gotimer
 
Explain DevOps To Me Like I’m Five: DevOps for Managers
Explain DevOps To Me Like I’m Five: DevOps for ManagersExplain DevOps To Me Like I’m Five: DevOps for Managers
Explain DevOps To Me Like I’m Five: DevOps for ManagersGene Gotimer
 
Keeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureKeeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureGene Gotimer
 
Creative Solutions to Already Solved Problems II
Creative Solutions to Already Solved Problems IICreative Solutions to Already Solved Problems II
Creative Solutions to Already Solved Problems IIGene Gotimer
 
Creative Solutions to Already Solved Problems
Creative Solutions to Already Solved ProblemsCreative Solutions to Already Solved Problems
Creative Solutions to Already Solved ProblemsGene Gotimer
 
Get to Green: How to Safely Refactor Legacy Code
Get to Green: How to Safely Refactor Legacy CodeGet to Green: How to Safely Refactor Legacy Code
Get to Green: How to Safely Refactor Legacy CodeGene Gotimer
 
DevOps for Leadership
DevOps for LeadershipDevOps for Leadership
DevOps for LeadershipGene Gotimer
 
Pyramid Discussion: DevOps Adoption in Large, Slow Organizations
Pyramid Discussion: DevOps Adoption in Large, Slow OrganizationsPyramid Discussion: DevOps Adoption in Large, Slow Organizations
Pyramid Discussion: DevOps Adoption in Large, Slow OrganizationsGene Gotimer
 
A better faster pipeline for software delivery, even in the government
A better faster pipeline for software delivery, even in the governmentA better faster pipeline for software delivery, even in the government
A better faster pipeline for software delivery, even in the governmentGene Gotimer
 
Building the Pipeline of My Dreams
Building the Pipeline of My DreamsBuilding the Pipeline of My Dreams
Building the Pipeline of My DreamsGene Gotimer
 
Tests Your Pipeline Might Be Missing
Tests Your Pipeline Might Be MissingTests Your Pipeline Might Be Missing
Tests Your Pipeline Might Be MissingGene Gotimer
 
A Definition of Done for DevSecOps
A Definition of Done for DevSecOpsA Definition of Done for DevSecOps
A Definition of Done for DevSecOpsGene Gotimer
 
A Better, Faster Pipeline for Software Delivery
A Better, Faster Pipeline for Software DeliveryA Better, Faster Pipeline for Software Delivery
A Better, Faster Pipeline for Software DeliveryGene Gotimer
 
Open Source Security Tools for the Pipeline
Open Source Security Tools for the PipelineOpen Source Security Tools for the Pipeline
Open Source Security Tools for the PipelineGene Gotimer
 
Which Development Metrics Should I Watch?
Which Development Metrics Should I Watch?Which Development Metrics Should I Watch?
Which Development Metrics Should I Watch?Gene Gotimer
 
Add Security Testing Tools to Your Delivery Pipeline
Add Security Testing Tools to Your Delivery PipelineAdd Security Testing Tools to Your Delivery Pipeline
Add Security Testing Tools to Your Delivery PipelineGene Gotimer
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, CheaperTesting in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, CheaperGene Gotimer
 
Experiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD ProjectExperiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD ProjectGene Gotimer
 

More from Gene Gotimer (20)

How I Learned to Stop Worrying and Love Legacy Code
How I Learned to Stop Worrying and Love Legacy CodeHow I Learned to Stop Worrying and Love Legacy Code
How I Learned to Stop Worrying and Love Legacy Code
 
Ten Ways To Doom Your DevOps
Ten Ways To Doom Your DevOpsTen Ways To Doom Your DevOps
Ten Ways To Doom Your DevOps
 
Keeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureKeeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster Secure
 
Explain DevOps To Me Like I’m Five: DevOps for Managers
Explain DevOps To Me Like I’m Five: DevOps for ManagersExplain DevOps To Me Like I’m Five: DevOps for Managers
Explain DevOps To Me Like I’m Five: DevOps for Managers
 
Keeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureKeeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster Secure
 
Creative Solutions to Already Solved Problems II
Creative Solutions to Already Solved Problems IICreative Solutions to Already Solved Problems II
Creative Solutions to Already Solved Problems II
 
Creative Solutions to Already Solved Problems
Creative Solutions to Already Solved ProblemsCreative Solutions to Already Solved Problems
Creative Solutions to Already Solved Problems
 
Get to Green: How to Safely Refactor Legacy Code
Get to Green: How to Safely Refactor Legacy CodeGet to Green: How to Safely Refactor Legacy Code
Get to Green: How to Safely Refactor Legacy Code
 
DevOps for Leadership
DevOps for LeadershipDevOps for Leadership
DevOps for Leadership
 
Pyramid Discussion: DevOps Adoption in Large, Slow Organizations
Pyramid Discussion: DevOps Adoption in Large, Slow OrganizationsPyramid Discussion: DevOps Adoption in Large, Slow Organizations
Pyramid Discussion: DevOps Adoption in Large, Slow Organizations
 
A better faster pipeline for software delivery, even in the government
A better faster pipeline for software delivery, even in the governmentA better faster pipeline for software delivery, even in the government
A better faster pipeline for software delivery, even in the government
 
Building the Pipeline of My Dreams
Building the Pipeline of My DreamsBuilding the Pipeline of My Dreams
Building the Pipeline of My Dreams
 
Tests Your Pipeline Might Be Missing
Tests Your Pipeline Might Be MissingTests Your Pipeline Might Be Missing
Tests Your Pipeline Might Be Missing
 
A Definition of Done for DevSecOps
A Definition of Done for DevSecOpsA Definition of Done for DevSecOps
A Definition of Done for DevSecOps
 
A Better, Faster Pipeline for Software Delivery
A Better, Faster Pipeline for Software DeliveryA Better, Faster Pipeline for Software Delivery
A Better, Faster Pipeline for Software Delivery
 
Open Source Security Tools for the Pipeline
Open Source Security Tools for the PipelineOpen Source Security Tools for the Pipeline
Open Source Security Tools for the Pipeline
 
Which Development Metrics Should I Watch?
Which Development Metrics Should I Watch?Which Development Metrics Should I Watch?
Which Development Metrics Should I Watch?
 
Add Security Testing Tools to Your Delivery Pipeline
Add Security Testing Tools to Your Delivery PipelineAdd Security Testing Tools to Your Delivery Pipeline
Add Security Testing Tools to Your Delivery Pipeline
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, CheaperTesting in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
 
Experiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD ProjectExperiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD Project
 

Recently uploaded

WSO2Con2024 - Low-Code Integration Tooling
WSO2Con2024 - Low-Code Integration ToolingWSO2Con2024 - Low-Code Integration Tooling
WSO2Con2024 - Low-Code Integration ToolingWSO2
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareJim McKeeth
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfonteinmasabamasaba
 
WSO2Con2024 - Unleashing the Financial Potential of 13 Million People
WSO2Con2024 - Unleashing the Financial Potential of 13 Million PeopleWSO2Con2024 - Unleashing the Financial Potential of 13 Million People
WSO2Con2024 - Unleashing the Financial Potential of 13 Million PeopleWSO2
 
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public AdministrationWSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public AdministrationWSO2
 
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...WSO2
 
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...WSO2
 
WSO2CON 2024 - Software Engineering for Digital Businesses
WSO2CON 2024 - Software Engineering for Digital BusinessesWSO2CON 2024 - Software Engineering for Digital Businesses
WSO2CON 2024 - Software Engineering for Digital BusinessesWSO2
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
WSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Eraconfluent
 
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdfAzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdfryanfarris8
 
WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...
WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...
WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...WSO2
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2
 
WSO2Con2024 - Software Delivery in Hybrid Environments
WSO2Con2024 - Software Delivery in Hybrid EnvironmentsWSO2Con2024 - Software Delivery in Hybrid Environments
WSO2Con2024 - Software Delivery in Hybrid EnvironmentsWSO2
 
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and ApplicationsWSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and ApplicationsWSO2
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Bert Jan Schrijver
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2
 

Recently uploaded (20)

WSO2Con2024 - Low-Code Integration Tooling
WSO2Con2024 - Low-Code Integration ToolingWSO2Con2024 - Low-Code Integration Tooling
WSO2Con2024 - Low-Code Integration Tooling
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
WSO2Con2024 - Unleashing the Financial Potential of 13 Million People
WSO2Con2024 - Unleashing the Financial Potential of 13 Million PeopleWSO2Con2024 - Unleashing the Financial Potential of 13 Million People
WSO2Con2024 - Unleashing the Financial Potential of 13 Million People
 
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public AdministrationWSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
 
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
 
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
 
WSO2CON 2024 - Software Engineering for Digital Businesses
WSO2CON 2024 - Software Engineering for Digital BusinessesWSO2CON 2024 - Software Engineering for Digital Businesses
WSO2CON 2024 - Software Engineering for Digital Businesses
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
WSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AI
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Era
 
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdfAzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf
 
WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...
WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...
WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
WSO2Con2024 - Software Delivery in Hybrid Environments
WSO2Con2024 - Software Delivery in Hybrid EnvironmentsWSO2Con2024 - Software Delivery in Hybrid Environments
WSO2Con2024 - Software Delivery in Hybrid Environments
 
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and ApplicationsWSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 

A Developer’s Guide to Kubernetes Security

  • 1. A Developer’s Guide to Kubernetes Security Gene Gotimer DevOps Engineer at Praeses, LLC @OtherDevOpsGene @OtherDevOpsGene #AllThingsOpen 1
  • 2. Define and Design the Optimal Survey Experience​ SECURITY CIA 2 @OtherDevOpsGene #AllThingsOpen Availability
  • 3. Define and Design the Optimal Survey Experience​ SECURITY Least privilege • Don’t grant privileges unless needed • Reduce blast radius 3 @OtherDevOpsGene #AllThingsOpen
  • 6. Define and Design the Optimal Survey Experience​ CODE Threat modeling • What are we protecting? • Why are we protecting it? • How might it be compromised? • What happens if we fail to protect it? • How will we react/respond and move on? 6 @OtherDevOpsGene #AllThingsOpen
  • 8. Define and Design the Optimal Survey Experience​ CODE Threat modeling • STRIDE • OWASP Threat Dragon • PASTA • CAIRIS • Threagile 8 @OtherDevOpsGene #AllThingsOpen
  • 9. Define and Design the Optimal Survey Experience​ CODE SAST Static application security testing Scan our source code • Look for risky/dangerous practices • Memory leaks • SQL injections • Race conditions • Untrusted inputs • Unfiltered outputs 9 @OtherDevOpsGene #AllThingsOpen
  • 10. SAST CODE 10 Semgrep • Supports 30+ languages • Python, Docker, and cloud versions • Code stays local in all three $ pip install -U semgrep $ semgrep scan --config auto $ docker pull returntocorp/semgrep $ docker run --rm –v "$(pwd):/src" returntocorp/semgrep semgrep scan --config auto @OtherDevOpsGene #AllThingsOpen
  • 11. Static code analysis CODE 11 $ semgrep scan --config auto … ┌──────────────────┐ │ 29 Code Findings │ └──────────────────┘ app/routes/contributions.js javascript.browser.security.eval-detected.eval-detected Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. Details: https://sg.run/7ope 32┆ const preTax = eval(req.body.preTax); ⋮┆---------------------------------------- 33┆ const afterTax = eval(req.body.afterTax); ⋮┆---------------------------------------- 34┆ const roth = eval(req.body.roth); ⋮┆---------------------------------------- javascript.lang.security.audit.code-string-concat.code-string-concat Found data from an Express or Next web request flowing to `eval`. If this data is user- controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible. Details: https://sg.run/96Yk @OtherDevOpsGene #AllThingsOpen
  • 12. Define and Design the Optimal Survey Experience​ CODE SCA Software composition analysis Scan our dependencies • and their transitive dependencies • 6/7 vulns come from transitive dependencies 12 @OtherDevOpsGene #AllThingsOpen
  • 13. SCA CODE 13 Trivy • Filesystems • Git repos • Container images $ docker pull aquasec/trivy $ docker run --rm –v "$(pwd):/work" –workdir /work aquasec/trivy filesystem . @OtherDevOpsGene #AllThingsOpen
  • 14. SCA CODE 14 $ trivy filesystem . … package-lock.json (npm) ======================= Total: 39 (UNKNOWN: 0, LOW: 2, MEDIUM: 9, HIGH: 21, CRITICAL: 7) ┌──────────────────────┬─────────────────────┬──────────┬──────────┬───────────────────┬──────────────── │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version ├──────────────────────┼─────────────────────┼──────────┼──────────┼───────────────────┼──────────────── │ bson │ CVE-2020-7610 │ CRITICAL │ fixed │ 1.0.9 │ 1.1.4 │ │ │ │ │ │ │ │ │ │ │ │ │ ├─────────────────────┼──────────┤ │ │ │ │ CVE-2019-2391 │ MEDIUM │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ├──────────────────────┼─────────────────────┼──────────┤ ├───────────────────┼──────────────── │ decode-uri-component │ CVE-2022-38900 │ HIGH │ │ 0.2.0 │ 0.2.1 │ │ │ │ │ │ ├──────────────────────┼─────────────────────┤ │ ├───────────────────┼──────────────── │ glob-parent │ CVE-2020-28469 │ │ │ 3.1.0 │ 5.1.2 │ │ │ │ │ │ ├──────────────────────┼─────────────────────┼──────────┤ ├───────────────────┼──────────────── │ helmet-csp │ GHSA-c3m8-x3cg-qm2c │ MEDIUM │ │ 1.2.2 │ 2.9.1 @OtherDevOpsGene #AllThingsOpen
  • 15. SCA CODE 15 Grype • Filesystems • Container images • Finds some different vulns than Trivy $ docker pull anchore/grype $ docker run --rm -v "$(pwd):/work" -workdir /work anchore/grype dir:. @OtherDevOpsGene #AllThingsOpen
  • 16. SCA CODE 16 $ grype dir:. NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY adm-zip 0.4.4 0.4.11 npm GHSA-3v6h-hqm4-2rg6 Medium ajv 6.10.0 6.12.3 npm GHSA-v88g-cgmw-v5xw Medium ansi-regex 3.0.0 3.0.1 npm GHSA-93q8-gq69-wqmw High async 2.6.1 2.6.4 npm GHSA-fwr7-v2mv-hh25 High bl 1.0.3 1.2.3 npm GHSA-pp7h-53gx-mx7r Medium bl 1.1.2 1.2.3 npm GHSA-pp7h-53gx-mx7r Medium brace-expansion 1.1.6 1.1.7 npm GHSA-832h-xg76-4gv6 High braces 1.8.5 2.3.1 npm GHSA-g95f-p29q-9xw4 Low braces 1.8.5 2.3.1 npm GHSA-cwfw-4gq5-mrqx Low bson 1.0.9 1.1.4 npm GHSA-v8w9-2789-6hhr Critical bson 1.0.9 1.1.4 npm GHSA-4jwp-vfvf-657p Medium chownr 1.0.1 1.1.0 npm GHSA-c6rq-rjc2-86v2 Low cryptiles 0.2.2 4.1.2 npm GHSA-rq8g-5pc5-wrhr Critical cryptiles 2.0.5 4.1.2 npm GHSA-rq8g-5pc5-wrhr Critical debug 2.2.0 2.6.9 npm GHSA-9vvw-cc9w-f27h High debug 2.2.0 2.6.9 npm GHSA-gxpj-cx7g-858c Medium decode-uri-component 0.2.0 0.2.1 npm GHSA-w573-4hg7-7wgq High diff 1.4.0 3.5.0 npm GHSA-h6ch-v84p-w6p9 High dot-prop 4.2.0 4.2.1 npm GHSA-ff7x-qrg7-qggm High extend 3.0.0 3.0.2 npm GHSA-qrmc-fj45-qfc2 Medium fsevents 1.2.9 1.2.11 npm GHSA-xv2f-5jw4-v95m Critical fstream 1.0.10 1.0.12 npm GHSA-xf7w-r453-m56c High @OtherDevOpsGene #AllThingsOpen
  • 18. Define and Design the Optimal Survey Experience​ IMAGE Base images • Include the minimal supporting software • Reduce the blast radius Base image choices • scratch (nothing but the application) • Distroless (minimal supporting files) • Small image (Alpine or BusyBox) • Minimal Linux (Slim or UBI Micro) • Anything else (you have made a mistake) 18 @OtherDevOpsGene #AllThingsOpen
  • 19. Define and Design the Optimal Survey Experience​ IMAGE Automated builds • Builds should be repeatable and reliable • That means automated • Dockerfile and/or pipeline • GitHub Actions • GitLab CI/CD • Infrastructure-as-code (IaC) 19 @OtherDevOpsGene #AllThingsOpen
  • 20. IaC analysis IMAGE 20 Checkov • Dockerfiles • Kubernetes manifests $ pip install -U checkov $ checkov -d . $ docker pull bridgecrew/checkov $ docker run --rm --tty -v "$(pwd):/work" -workdir /work bridgecrew/checkov checkov -d . @OtherDevOpsGene #AllThingsOpen
  • 21. IaC analysis IMAGE 21 $ checkov -d . --quiet --compact dockerfile scan results: Passed checks: 57, Failed checks: 1, Skipped checks: 0 Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images" FAILED for resource: /Dockerfile. File: /Dockerfile:1-18 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud- code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions- have-been-added-to-container-images.html github_actions scan results: Passed checks: 56, Failed checks: 2, Skipped checks: 0 Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all" FAILED for resource: on(E2E Test) File: /.github/workflows/e2e-test.yml:0-1 Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all" FAILED for resource: on(Lint) File: /.github/workflows/lint.yml:0-1 @OtherDevOpsGene #AllThingsOpen
  • 22. SCA IMAGE 22 $ trivy image nodegoat:dev … nodegoat:dev (alpine 3.15.4) ============================ Total: 21 (UNKNOWN: 0, LOW: 0, MEDIUM: 12, HIGH: 8, CRITICAL: 1) ┌──────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────── │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title ├──────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────── │ libcrypto1.1 │ CVE-2022-4450 │ HIGH │ fixed │ 1.1.1n-r0 │ 1.1.1t-r0 │ double free af │ │ │ │ │ │ │ https://avd.aq │ ├────────────────┤ │ │ │ ├─────────────── │ │ CVE-2023-0215 │ │ │ │ │ use-after-free │ │ │ │ │ │ │ https://avd.aq │ ├────────────────┤ │ │ │ ├─────────────── │ │ CVE-2023-0286 │ │ │ │ │ X.400 address │ │ │ │ │ │ │ https://avd.aq │ ├────────────────┤ │ │ ├───────────────┼─────────────── │ │ CVE-2023-0464 │ │ │ │ 1.1.1t-r2 │ Denial of serv │ │ │ │ │ │ │ X509 policy co │ │ │ │ │ │ │ https://avd.aq │ ├────────────────┼──────────┤ │ ├───────────────┼─────────────── │ │ CVE-2022-2097 │ MEDIUM │ │ │ 1.1.1q-r0 │ AES OCB fails │ │ │ │ │ │ │ https://avd.aq @OtherDevOpsGene #AllThingsOpen
  • 23. SCA IMAGE 23 $ grype docker:nodegoat:dev NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY ansi-regex 3.0.0 3.0.1 npm GHSA-93q8-gq69-wqmw High ansi-regex 4.1.0 4.1.1 npm GHSA-93q8-gq69-wqmw High bson 1.0.9 1.1.4 npm GHSA-v8w9-2789-6hhr Critical bson 1.0.9 1.1.4 npm GHSA-4jwp-vfvf-657p Medium busybox 1.34.1-r5 apk CVE-2022-48174 Critical debug 2.2.0 2.6.9 npm GHSA-9vvw-cc9w-f27h High debug 2.2.0 2.6.9 npm GHSA-gxpj-cx7g-858c Medium decode-uri-component 0.2.0 0.2.1 npm GHSA-w573-4hg7-7wgq High glob-parent 3.1.0 5.1.2 npm GHSA-ww39-953v-wcq6 High got 6.7.1 11.8.5 npm GHSA-pfrx-2q88-qq97 Medium helmet-csp 1.2.2 2.9.1 npm GHSA-c3m8-x3cg-qm2c Medium http-cache-semantics 3.8.1 4.1.1 npm GHSA-rc47-6667-2j5j High i 0.3.6 0.3.7 npm GHSA-x55w-vjjp-222r High ini 1.3.5 1.3.6 npm GHSA-qqgx-2p2h-9c37 High kind-of 6.0.2 6.0.3 npm GHSA-6c8f-qphg-qjgp High libcrypto1.1 1.1.1n-r0 1.1.1t-r2 apk CVE-2023-0464 High libcrypto1.1 1.1.1n-r0 1.1.1t-r0 apk CVE-2023-0286 High libcrypto1.1 1.1.1n-r0 1.1.1t-r0 apk CVE-2023-0215 High libcrypto1.1 1.1.1n-r0 1.1.1t-r0 apk CVE-2022-4450 High libcrypto1.1 1.1.1n-r0 1.1.1v-r0 apk CVE-2023-3817 Medium libcrypto1.1 1.1.1n-r0 1.1.1u-r2 apk CVE-2023-3446 Medium libcrypto1.1 1.1.1n-r0 1.1.1u-r0 apk CVE-2023-2650 Medium @OtherDevOpsGene #AllThingsOpen
  • 25. Define and Design the Optimal Survey Experience​ DEPLOYMENT Recommended practices Principle of least privilege • Prevent privileged containers • Require the file system to be read-only Protect the image supply chain • Use a specific version of an image Ensure availability • Set memory and CPU requests/limits • Liveness and readiness probes 25 @OtherDevOpsGene #AllThingsOpen
  • 26. IaC analysis DEPLOYMENT 26 $ checkov -d . --quiet --compact kubernetes scan results: Passed checks: 1066, Failed checks: 180, Skipped checks: 0 Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation" FAILED for resource: Deployment.sock-shop.front-end File: /09-front-end-dep.yaml:2-52 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud- code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html Check: CKV_K8S_43: "Image should use digest" FAILED for resource: Deployment.sock-shop.front-end File: /09-front-end-dep.yaml:2-52 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud- code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary" FAILED for resource: Deployment.sock-shop.front-end File: /09-front-end-dep.yaml:2-52 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud- code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html Check: CKV_K8S_29: "Apply security context to your pods and containers" FAILED for resource: Deployment.sock-shop.front-end File: /09-front-end-dep.yaml:2-52 @OtherDevOpsGene #AllThingsOpen
  • 28. Dependency updates MAINTENANCE 28 Renovate • Checks dependencies and transitive deps • Checks base images • Runs as GitHub Action • Runs in GitLab CI/CD • Creates PRs for available updates • Can automerge (e.g., high test coverage) @OtherDevOpsGene #AllThingsOpen
  • 30. Define and Design the Optimal Survey Experience​ MAINTENANCE Frequent builds • Latest patches • Latest base images • Frequent pipeline scans for vulnerabilities • Repeated testing • It’s automated anyway, so why not? 30 @OtherDevOpsGene #AllThingsOpen
  • 31. Define and Design the Optimal Survey Experience​ MAINTENANCE Clean code • Keep code quality high • You are scanning anyway • Use a consistent style • Fewer mistakes • Fewer misunderstandings • Easier code reviews • Can focus on content, not style 31 @OtherDevOpsGene #AllThingsOpen
  • 33. Define and Design the Optimal Survey Experience​ WRAP-UP Key takeaways • Scan your code. • Scan your dependencies and keep them updated. • Use the smallest base image you can. • Scan your images and keep them updated. • Use automation and scan your IaC. • Rebuild frequently and keep everything updated. 33 @OtherDevOpsGene #AllThingsOpen
  • 34. Define and Design the Optimal Survey Experience​ WRAP-UP Single biggest win Keep everything up-to-date. 34 @OtherDevOpsGene #AllThingsOpen
  • 35. Define and Design the Optimal Survey Experience​ WRAP-UP Tools OWASP NodeGoat: https://github.com/OWASP/NodeGoat Semgrep: https://github.com/returntocorp/semgrep Aqua Security Trivy: https://github.com/aquasecurity/trivy Anchore Grype: https://github.com/anchore/grype Checkov by Bridgecrew: https://github.com/bridgecrewio/checkov Google Distroless: https://github.com/GoogleContainerTools/distroless Chainguard Distroless: https://github.com/chainguard-images Sock Shop: https://github.com/microservices-demo/microservices-demo Renovate: https://github.com/renovatebot/renovate 35 @OtherDevOpsGene #AllThingsOpen
  • 36. Define and Design the Optimal Survey Experience​ WRAP-UP Threat modeling STRIDE https://learn.microsoft.com/en- us/azure/security/develop/threat-modeling-tool-threats OWASP Threat Dragon https://www.threatdragon.com/ PASTA https://versprite.com/blog/what-is-pasta-threat-modeling/ CAIRIS https://cairis.org/ Threagile https://threagile.io/ 36 @OtherDevOpsGene #AllThingsOpen
  • 37. Define and Design the Optimal Survey Experience​ WRAP-UP More talks and info Keeping Your Kubernetes Cluster Secure Castle Defense 101 (aka Threat Modeling) Trivy and Grype demos https://www.youtube.com/@otherdevopsgene Kubernetes tool wrappers https://github.com/OtherDevOpsGene/k8s-tool-wrappers 37 @OtherDevOpsGene #AllThingsOpen
  • 38. Innovative Technology Firm based in Shreveport, LA and founded in 1987 2018 - 2019 Louisiana SBIR Company of the Year Praeses has worked with the US Federal Government for almost 20 Years Small business with 85+ Employees WHO WE ARE Hiring Software Engineers We are seeking talented software engineers to maintain, update, and build user interfaces centered on data visualization. This engineering role requires strong development chops, a good eye for the aesthetics, and the ability to think through the user experience on both data visualization and interactivity. • Mithril.js • Rust • Actix • Ruby on Rails • HTML/CSS • JavaScript • SQL • C# • SSIS • SSRS • MongoDB • SQL Server • Rancher • Kubernetes • Helm • Docker • GRPC • 2-6 years exp in software dev/eng in multiple software languages • Willingness to learn new languages and technologies • Motivated by solving challenging problems and continuously learning • U.S. Citizenship required by government contract
  • 39. Questions? Gene Gotimer DevOps Engineer at Praeses, LLC @OtherDevOpsGene @OtherDevOpsGene #AllThingsOpen 39