Stay safe, grab a drink and join us virtually for our upcoming "Sailing Through The Storm of Kubernetes CVEs" meetup to hear about ways to incorporate security into your software development process and how vulnerabilities make their way into your infrastructure via public images and the CVEs you should focus on fixing.
11. Zero-day vulnerability, CVSS score 10/10
Made public on Dec 9th, 2021
Patch available Dec 13th, 2021
Widely used and a fundamental feature of many systems, but hard to pinpoint
/History and context_
24. Using public images exposes you to vulnerabilities
The results of vulnerability scans may cause CVE Shock
Relevant vulnerabilities point to the small subset that should be addressed first
/Conclusion_
27. B.Sc. in Software Engineering, JCT Institution, Campus Lev
• Released an Android game app
• Lectured for high schoolers
Israeli Air Force (5 years)
• Software Development – Avionics
• Cybersecurity – Blue Team
Amdocs (2 years)
• Application Security Architect
Ori Frish – Application Security Architect
29. Introduction
• Spark of an idea
• Showcase
• Impress others
• Fulfill the vision
• Jump into coding
“Don’t wait for inspiration. It comes while working.”
Henri Matisse
30. SDLC Overview – Quality
Software Development LifeCycle: Agile, Waterfall
Fewer Bugs -> Saving Money = Greater Value
31. Why SSDLC?
• Development rushes towards its goals
• Sensitive Information Considered (?)
• Small manpower, lack of security knowledge, …
• Regulations
  • ISO27000
  • GDPR
  • NIST
  • SOC2
  • PCI DSS
  • …
SDLC = Fewer Bugs -> Saving Money = Greater Value
SSDLC = Fewer Risks -> Saving Money = Greater Value
32. Secure SDLC Framework
• Construction – Build software / system & design with security awareness
• Verification – Test & verify artifacts produced throughout development
• Deployment – Manage the product release & maintenance
• Support – Security services (DevSecOps / SecOps) assisting and supporting development departments in the S-SDLC process
• Governance – Manage and measure the S-SDLC process
33. Secure SDLC Framework - Detailed
Construction
• Define PII
• Secure Design (RBAC/ABAC | S-HLD)
• Threat Modelling
• Using Secured Infrastructure
Verification
• Security Code Reviews (SCA | SAST | IAST | FUZZ)
• Design Review
• Penetration Testing
• Risk Assessment Before Release
Deployment
• Security Guidelines (ROLES | Cleanup)
• Security Patch Management
Support
• Secure Coding Best Practices & Lectures
• SCA | SAST | IAST | DAST Onboarding Support
• Research new security tools
Governance
• Release certification
• Risk Management (Regulations | BP Checklist | Policies)
• Review Security Tools Status
• Training & Awareness
35. Challenges & Takeaways
• How to build trust between security and development?
  • Be simple & direct -> how you can help, not what you can demand
  • Don’t overdo security -> devs are deterred from security
  • Everything can be breached -> stick to the statistics & regulations -> find the ‘middle ground’, understand the risks
• How to decide the R&R?
  • Understand the security gaps
  • Understand the required effort
  • Both sides need to understand that they WANT security -> Greater value
• Politics?
  • Involve management
37. Raising Awareness
• Go & Learn
  • Developers
  • Team Leads
  • Architects
  • Managers
• Security Awareness -> Fewer Risks + Saving Money = Greater Value
• OWASP Top 10 & Cheatsheet
“I am always ready to learn although I do not always like being taught.” — Winston Churchill
38. CREDITS: This presentation template was created by Slidesgo, and includes icons by Flaticon, and infographics & images by Freepik
Do you have any questions?
orifrish@gmail.com
Social Networks -> Ori Frish
Thanks!
47. Scan container image contents
• Libraries
• Operating system packages
• Application dependencies
Compare image contents against a known-vulnerability database
Flag known vulnerabilities associated with the image
/How does a vulnerability scanner work_
48. /Intro to SBOM_
• Enhance software supply chain security
• Better management of software assets
• Support incident response efforts
• Increase transparency and accountability
• Identify and address vulnerabilities
• Facilitate maintenance and updates
57. /Relevancy detection_
● Used – a software package counts as used when the files it contains are used in the running container
● Not used – a package whose files are never used in the container is not relevant for vulnerability prioritization
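The two steps on slides 47 and 57 (match the image's package inventory against a vulnerability database, then keep only the findings in packages that are actually used at runtime) can be shown end to end in a few dozen lines. The following is an added example written for this page, not ARMO's or Kubescape's code; the package inventory, the advisory records (placeholder ids, not real CVEs), the runtime file list and the simple dotted-numeric version comparison are all constructed assumptions.

```python
"""Miniature image vulnerability scan with a "used package" relevancy filter.

Added example; not ARMO's or Kubescape's code. The package inventory, advisory
database and runtime file list below are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Package:
    """One entry from the image's package inventory (OS package, library or app dependency)."""
    name: str
    version: str
    files: FrozenSet[str]  # paths this package installs into the image


@dataclass(frozen=True)
class Advisory:
    """One record from the known-vulnerability database (placeholder ids, not real CVEs)."""
    cve_id: str
    package: str
    fixed_in: str  # first version that carries the fix
    cvss: float


def parse_version(version: str) -> Tuple[int, ...]:
    """Assumes plain dotted numeric versions (e.g. 1.2.10); real scanners need per-ecosystem rules."""
    return tuple(int(part) for part in version.split("."))


def is_affected(pkg: Package, adv: Advisory) -> bool:
    """A package matches an advisory when the names agree and its version predates the fix."""
    return pkg.name == adv.package and parse_version(pkg.version) < parse_version(adv.fixed_in)


def scan_image(packages: List[Package], advisories: List[Advisory]) -> List[Tuple[Package, Advisory]]:
    """Step 1 (slide 47): compare image contents against the database; flag every match."""
    return [(pkg, adv) for pkg in packages for adv in advisories if is_affected(pkg, adv)]


def used_packages(packages: List[Package], files_opened: Set[str]) -> Set[str]:
    """Step 2 (slide 57): a package is used if any file it contains was opened in the container."""
    return {pkg.name for pkg in packages if pkg.files & files_opened}


def prioritize(packages: List[Package], advisories: List[Advisory],
               files_opened: Set[str]) -> List[Dict[str, object]]:
    """Return all findings, relevant (used) packages first, then by CVSS descending."""
    used = used_packages(packages, files_opened)
    rows = [
        {"cve": adv.cve_id, "package": pkg.name, "version": pkg.version,
         "cvss": adv.cvss, "used": pkg.name in used}
        for pkg, adv in scan_image(packages, advisories)
    ]
    return sorted(rows, key=lambda r: (not r["used"], -r["cvss"]))


# --- constructed sample data (not taken from any real image or advisory feed) ---
IMAGE_PACKAGES = [
    Package("libfoo", "1.2.3", frozenset({"/usr/lib/libfoo.so.1"})),
    Package("bar-tools", "0.9.0", frozenset({"/usr/bin/bar"})),
    Package("baz-lib", "2.0.1", frozenset({"/usr/lib/libbaz.so"})),
]
ADVISORIES = [
    Advisory("CVE-EXAMPLE-0001", "libfoo", fixed_in="1.2.4", cvss=9.8),
    Advisory("CVE-EXAMPLE-0002", "bar-tools", fixed_in="1.0.0", cvss=7.5),
    Advisory("CVE-EXAMPLE-0003", "baz-lib", fixed_in="2.0.0", cvss=5.0),  # already fixed in 2.0.1
]
# Files observed being opened in the running container, e.g. from a runtime file-access probe.
OBSERVED_FILES = {"/usr/lib/libfoo.so.1", "/usr/bin/python3"}

if __name__ == "__main__":
    for row in prioritize(IMAGE_PACKAGES, ADVISORIES, OBSERVED_FILES):
        print(row)
```

Running it lists two findings: the libfoo advisory is marked used and sorts first, the bar-tools advisory is flagged by the scan but marked not used, and baz-lib produces nothing because its version already carries the fix. That split between "flagged" and "flagged and used" is the small subset the Conclusion slide says should be addressed first.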
67. /Thank you_
If you’d like to learn more or keep in touch with us, you can catch up with us on the ARMO website or our socials.
If you’d like to learn more about Kubescape, or contribute, visit Kubescape’s GitHub repo or join the conversation on the Kubescape channel on the CNCF Slack.