SlideShare a Scribd company logo
Posture Vs Runtime
APPLICATION RELEASE CYCLE
Security Assessment
K8S WHO, WHY AND HOW?
How often are you release cycles?
What role at your organization is
most responsible for container
and Kubernetes security?
K8S WHO, WHY AND HOW?
• Compliance is a priority
• Lack of K8s knowledge, uses:
• Network security (NGFW) for North-
South sanitation
• WAF/API gateways for application-level
vulnerabilities
• Willing to purchase a standalone
solution for K8s security
• Looking for solution that covers A-Z
(runtime, posture etc)
• Security is not priority
• Hates adding tools to his pipeline
• Bottle neck in the organization
• “Don’t touch my production!” -
shift left
• Everything is code/API
• Visibility is very
important, but not as
a standalone offering
• Secret management
is a headache
Deliver code as fast as possible
Risk Mitigation, Compliance
and avoid data breach
K8S CUSTOMERS POINT OF VIEW
K8S CUSTOMERS POINT OF VIEW
SHIFT LEFT
CAN WE SECURE USING ONLY SHIFT LEFT?
Others can claim:
IMO, NO!!!
Micro Services are predictable
Pro: Watch for abnormal behavior
Con: Not really the case with many types
of workloads -> a lot of false positive
Immutability
Pro: you scan for vulnerabilities and deliver new image
every time
Con: if the attacker knows how to insert a malware he
can do it every time + maybe he is already on the
host/other workload
POSTURE VS RUNTIME
K8S SECURITY REQUIREMENTS
WHERE AND WHY EXISTING SOLUTIONS FAIL
Endless chase
No single source of truth for K8s
Configuration
Thousands of potential
misconfigurations
Inability to build a reliable
normal baseline
False Positives, Complexity, and
performance impact
Resources intensive
Find Vulnerabilities &
Misconfigurations
Anomaly Behavioral Analysis
and Network Segmentation
K8S POSTURE MANAGEMENT K8S RUN TIME PROTECTION
LOOKING TO SECURE KUBERNETES?
K8S POSTURE MANAGEMENT K8S RUN TIME PROTECTION
kubernetes
A WHOLE
NEW WAY
TO SECURE
KUBERNETES
Infusing Visibility,
Control, and Security
Seamlessly into
Every Workload
ARMO BRINGS K8S POSTURE AND
RUNTIME TOGETHER -
SEAMLESSLY
Enrich finding with runtime deep
visibility information
Shrink the attack surface based
on field proven best practices
Continuous compliance
validation and auditing
From Zero to Zero-Trust in 10
minutes
No need to change policies
when microservices change
Resiliency by design, even
against the most advanced
attacks
Add Context and Relevancy to
posture findings
Patented one-YAML deterministic
ZERO-TRUST
K8S POSTURE MANAGEMENT K8S RUN TIME PROTECTION
ARMO Kubernetes
Fabric™
KEY TAKEAWAYS
• You need both posture and
runtime protection
• Scan your posture as soon
as possible (shift left)
• Apply runtime protection
on dev/staging/production
Stay Safe!
Questions?
The greatest risk
is the one you are not aware of
zvika.ronen@fossaware.com
TEL: +972-(0)52-426-5306
All right reserved © FOSSAware LTD
• I am 48
• L.L.B law degree - Ono academic college
• I am the CTO of FOSSAware
• I specialized in FOSS technologies and software audits
• I help organizations to implement a risk management program to manage their OSS usage, lower
the remediation costs and comply with ISO standards
• I also perform tech due-diligence audits and escort such process for target companies
18
Who am I
18
19
Few Words on Open Source
19
20
freely accessed, used, changed, and shared
FSF
four essential freedoms of the
Free Software Definition
OSI
Ten criteria of the Open Source
Software Definition
20
FOSS Definition
Legal risk
• Losing IP protection
• Paying Monetary Damages
• Block product shipment/distribution (Injunction)
• Negative press and damaged relationship with customers
Cyber security vulnerabilities
• Denial of service, taking a service offline
• Business intelligence and Client information theft
• Hacker remote access
• Ransom attacks
Operational risk
• Losing ability to build your software due to missing web based components
• Losing community support due to open source project with low contribution
activities
• Using outdated open source components (less secure, more complex to
upgrade)
Open Source Risks
21
https://www.theregister.com/2001/06/02/ballmer_linux_is_a_cancer/
Steve Ballmer Former Microsoft CEO
22
23
Today Everyone loves
Open Source
23
24
https://www.zdnet.com/article/ballmer-i-may-have-called-linux-a-cancer-but-now-i-love-it/
25
Source: Synopsys OSSRA 2021
26
Source: Synopsys OSSRA 2021
Industry Sectors and Open Source
27
Own Proprietary
Software
3rd Party Commercial
Software
Open Source
Commercial Software
Dependencies
Open Source
Dependencies
28
Open Source in Commercial Software
29
Hackers also Love Open Source
29
dateutil vs python3-dateutil 350 FORKS
jellyfish vs jeIlyfish (“L” is an “I”) 122 FORKS
Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks
30
OSS Malicious Package Analysis by the Academy
Hundreds of open
source packages were
used in real cyber
events
61% malicious
packages used
typosquatting
2nd most common –
injection to existing
package
Source: Dustico Blog, https://dusti.co/blog/unsafe-to-download-pip/
31
Downloaded FOSS may include hidden setup
Source: WhiteSource, 2021
32
Open Source Vulnerabilities Continue To Increase
#1 Lodash
#2 FasterXML jackson-databind
#3 HtmlUnit
#4 Handlebars
#5 http-proxy
33
Source: WhiteSource, Top 10 Open Source Vulnerabilities In 2020
33
Top 10 Open Source Vulnerabilities In 2020
34
Source: Sonatype, devsecops community survey 2020
35
Open Source related breaches
occur much too often
35
Source: Sonatype, devsecops community survey 2020
1 in 5 breaches is Open Source related
36
Open Source Component - Apache Struts (CVE-2017-5638)
37
Equifax breach was 100% preventable
• Popularity: 2 million downloads per week
• Dependency: “flatmap-stream” has malicious code
• The action: Harvest the victim’s “copay” private keys
• Intention: Steal Bitcoin
• Result: 7000 stollen bitcoins
38
The “Event-Stream” incident
https://github.com/dominictarr/event-stream/issues/116
• Open Source Component - Mozjpeg (CVE-2020-13790)
• Mozjpeg weekly downloads from NPM - 650k
Instagram Hack core reason – Mozjpeg
39
40
40
Source: reddit.com
CODECOV
Source: medium.com/@alex.birsan/dependency-confusion
41
42
42
PyPI and NPM Flooded with over 5,000 Dependency Confusion Copycats
Source: securityreport.com
Copycat behavior (Dependency Confusion based)
• Human factor (training)
• Proprietary code (static analysis)
• Supply chain 3rd party (liability &
support)
• Open Source?
• White/Black-box (testing)
What is the weakest / unknown link of the chain?
43
44
Top 10 Web Application Security Risks
“Developers often use available open source and third-party
software components to create a product; an SBOM allows the
builder to make sure those components are up to date and to
respond quickly to new vulnerabilities. Buyers can use an SBOM to
perform vulnerability or license analysis, both of which can be used
to evaluate risk in a product.”
What Biden has to say on Open Source?
45
46
What Should We Do?
46
47
1. Know Your Product
47
Homegrown code
3rd Party Commercial
Software
Open Source
Commercial Software
Dependencies
Open Source
Dependencies
48
Open Source in Commercial Software
49
2. Manage your Open Source
49
3rd Party Commercial
Software
Open Source
Dependencies
Open Source
Dependencies
50
Choosing right
Manage your
software supply
chain in “critical
software”
Manage your Open Source
“critical software” — software that performs functions critical to trust (such as affording or
requiring elevated system privileges or direct access to networking and computing resources)
51
CII Best Practices badge program
End User License Agreement
BSD Open Source License
52
Manage risks from 3rd party (Supply Chain)
Common Default in Commercial Software Agreements
Homegrown code Open Source 3rd Party Proprietary SW
Cost
All type of software
requires some level of
compliance and/or
vulnerability
monitoring
Possible
Vulnerabilities
IP rights Owned Licensed Licensed
License
Requirements
Procurement is
being done by
Homegrown The developers Procurement people
Monitoring is being
done using different
tools, processes, and
policies
Who is
responsible?
The developer The developer The vendor
Support By the developer Community/Developer By the vendor
Additional
Dependencies
Access to Source
Code
Analysis tools
Static Code Analysis
Software Composition
Analysis
Penetration Test
53
53
Homegrown vs. Open Source vs. 3rd Party Proprietary SW
54
54
1. Risk management program (ISO-5230)
• Policy
• Process
• Tools
• Training
2. Early detection = Lower remediation cost
3. Ongoing management (pre-> post production)
OSS in Commercial Software Development
55
3. Do not invent the wheel
55
International Standard for open source license compliance
56
Questions?
zvika.ronen@fossaware.com
TEL: +972-(0)52-426-5306
The greatest risk
is the one you are not aware of
zvika.ronen@fossaware.com
TEL: +972-(0)52-426-5306
Automated Red-Team for Managing Attack Surface
Alex Peleg
CEO | Hacker
AI and Community powered
Attack Surface and Operations
Management For SMEs
Reducing Time From Breach to Fix
Recover From Incidents Offensive
Engineering
Cynergy.app
Agenda
Kesaya breach story
Attack Surface 101
Why AI?
Continuous Red-Team, the good the bad and the ugly.
Open topics for further research and innovation
1
2
3
4
5
What has gone wrong?
A server was exposed....
Attack Surface 101
Attackers need only one
hole in the defense
Attack Surface 101
External Attack Surface
Attack Surface 101
Web & Mobile Apps
Attack Surface 101
Infrastructure
Attack Surface 101
Cloud
Attack Surface 101
Employees
Attack Surface 101
3rd & 4th Parties
Attack Surface 101
Subsidiaries
Why AI?
Context Scale Stupidity
Continuous Red-Team
Additional Research...
1 Faster and Better Context
2 Threat Intelligence to
Improve Prioritization
3 AI based mitigation - GPT3
4 Integration with CICD
Q&A
Thanks and Questions! Alex@cynergy.app
Type text
Turn any Kubernetes solution into
Zero-Trust by design
FROM ZERO to ZERO-TRUST
WHAT ARE WE UP AGAINST?
What hackers are looking for? What do they do inside?
• Data
 Business & customer’s data
• Keys
 Encryption & Authentication
• Resources
 CPU (coin miners)
 Storage
 Network (bots)
• Damage & Extortion
 Ransome
 DDoS, UI/UX harm
• Intellectual Property
 Algorithms
 APIs
• Use existing software in
inappropriate way
• Change behavior of existing
software
 Change configuration
• Inject new software
 Corrupt existing software
 Add new software
How do they break in?
• Misconfigurations
• Credential abuse
• Software vulnerability
KNOCK-KNOCK, WHO IS THERE?
Who is calling my APIs? Who is reading my
Data?
DON’T TRUST, VERIFY!
Protect customer solutions
even if infrastructure is
compromised
Genuine Software
Identity – like DNA
Automated Zero-Trust
Network Policy
Transparent Data
Signing & Encryption
SOFTWARE DNA – WHAT DOES THIS MEAN?
Executable
DLL/SO
DLL/SO
ARMOGuard
DLL/SO
Python/Java/JS/.NET
ConfigFile/ConfigMap
Environment Variables
Command Line
ARMO
Back-End
Prove DNA validity
Receive Cryptographic Materials
Protect process memory while it runs:
• Validate cryptographic digest of every relevant
artifact
• Prevent unsigned artifacts from loading
• Keep containers immutable
• Use Kubernetes for automation
INTENTION
POD A
Secret Volume
POD B
Server
Legit App
Container Container
REALITY
POD A
Secret Volume
POD B
Injected App
Server
Legit App
Container Container
WITH ARMO ZERO-TRUST
POD A
Secret Volume
POD B
Injected App
Server
Legit App
Container Container
DEMO
Questions?
• Thank You!
• Questions?
• To be continued…

More Related Content

What's hot

Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...
LabSharegroup
 
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
centralohioissa
 
Assessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS SolutionsAssessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS Solutions
Digital Bond
 
Ofer Maor - Security Automation in the SDLC - Real World Cases
Ofer Maor - Security Automation in the SDLC - Real World CasesOfer Maor - Security Automation in the SDLC - Real World Cases
Ofer Maor - Security Automation in the SDLC - Real World Cases
centralohioissa
 
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
Digital Bond
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
Mike Spaulding
 
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Digital Bond
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
Black Duck by Synopsys
 
Overload: Critical Lessons from 15 Years of ICS Vulnerabilities
Overload: Critical Lessons from 15 Years of ICS VulnerabilitiesOverload: Critical Lessons from 15 Years of ICS Vulnerabilities
Overload: Critical Lessons from 15 Years of ICS Vulnerabilities
Tripwire
 
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
Synopsys Software Integrity Group
 
Active Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldActive Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The Field
Digital Bond
 
Post Wannacry Update
Post Wannacry UpdatePost Wannacry Update
Post Wannacry Update
Thomas Springer
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Denim Group
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to Measurement
EnclaveSecurity
 
Application Asset Management with ThreadFix
 Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
Denim Group
 
Cisco Advanced Services
Cisco Advanced ServicesCisco Advanced Services
Cisco Advanced Services
Cisco do Brasil
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security MetricsJack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security Metrics
centralohioissa
 
API Training 10 Nov 2014
API Training 10 Nov 2014API Training 10 Nov 2014
API Training 10 Nov 2014
Digital Bond
 
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Digital Bond
 
Why Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum SecurityWhy Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum Security
Priyanka Aash
 

What's hot (20)

Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...
 
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
 
Assessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS SolutionsAssessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS Solutions
 
Ofer Maor - Security Automation in the SDLC - Real World Cases
Ofer Maor - Security Automation in the SDLC - Real World CasesOfer Maor - Security Automation in the SDLC - Real World Cases
Ofer Maor - Security Automation in the SDLC - Real World Cases
 
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
 
Overload: Critical Lessons from 15 Years of ICS Vulnerabilities
Overload: Critical Lessons from 15 Years of ICS VulnerabilitiesOverload: Critical Lessons from 15 Years of ICS Vulnerabilities
Overload: Critical Lessons from 15 Years of ICS Vulnerabilities
 
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
 
Active Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldActive Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The Field
 
Post Wannacry Update
Post Wannacry UpdatePost Wannacry Update
Post Wannacry Update
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to Measurement
 
Application Asset Management with ThreadFix
 Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
Cisco Advanced Services
Cisco Advanced ServicesCisco Advanced Services
Cisco Advanced Services
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security MetricsJack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security Metrics
 
API Training 10 Nov 2014
API Training 10 Nov 2014API Training 10 Nov 2014
API Training 10 Nov 2014
 
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
 
Why Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum SecurityWhy Zero Trust Yields Maximum Security
Why Zero Trust Yields Maximum Security
 

Similar to Application security meetup k8_s security with zero trust_29072021

Certes webinar securing the frictionless enterprise
Certes webinar   securing the frictionless enterpriseCertes webinar   securing the frictionless enterprise
Certes webinar securing the frictionless enterprise
Jason Bloomberg
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm Here
Christopher Grayson
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
Tim Mackey
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
Black Duck by Synopsys
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security Practitioner
Adrian Sanabria
 
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CDPKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
DevOps.com
 
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
North Texas Chapter of the ISSA
 
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays
 
Open source iam value, benefits, and risks
Open source iam  value, benefits, and risksOpen source iam  value, benefits, and risks
Open source iam value, benefits, and risks
WSO2
 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Teemu Tiainen
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
Rogue Wave Software
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure Cloud
Paulo Renato
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
Precisely
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
Eric Smalling
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
Alert Logic
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
sparkfabrik
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Lastline, Inc.
 
Cncf checkov and bridgecrew
Cncf checkov and bridgecrewCncf checkov and bridgecrew
Cncf checkov and bridgecrew
LibbySchulze
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
Precisely
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
Rogue Wave Software
 

Similar to Application security meetup k8_s security with zero trust_29072021 (20)

Certes webinar securing the frictionless enterprise
Certes webinar   securing the frictionless enterpriseCertes webinar   securing the frictionless enterprise
Certes webinar securing the frictionless enterprise
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm Here
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security Practitioner
 
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CDPKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
 
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
 
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
 
Open source iam value, benefits, and risks
Open source iam  value, benefits, and risksOpen source iam  value, benefits, and risks
Open source iam value, benefits, and risks
 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure Cloud
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
 
Cncf checkov and bridgecrew
Cncf checkov and bridgecrewCncf checkov and bridgecrew
Cncf checkov and bridgecrew
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 

More from lior mazor

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
lior mazor
 
The Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdfThe Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdf
lior mazor
 
The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...
lior mazor
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
lior mazor
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
lior mazor
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
lior mazor
 
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptxWhy 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
lior mazor
 
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdfVulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
lior mazor
 
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptxThe Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
lior mazor
 
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptxSailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
lior mazor
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
lior mazor
 
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptxThe Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
lior mazor
 
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
lior mazor
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
lior mazor
 
Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022
lior mazor
 
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
lior mazor
 
User management - the next-gen of authentication meetup 27012022
User management - the next-gen of authentication meetup 27012022User management - the next-gen of authentication meetup 27012022
User management - the next-gen of authentication meetup 27012022
lior mazor
 
Securing and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 bSecuring and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 b
lior mazor
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021
lior mazor
 
Application security meetup data privacy_27052021
Application security meetup data privacy_27052021Application security meetup data privacy_27052021
Application security meetup data privacy_27052021
lior mazor
 

More from lior mazor (20)

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
The Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdfThe Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdf
 
The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
 
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptxWhy 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
 
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdfVulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
 
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptxThe Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
 
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptxSailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
 
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptxThe Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
 
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022
 
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
 
User management - the next-gen of authentication meetup 27012022
User management - the next-gen of authentication meetup 27012022User management - the next-gen of authentication meetup 27012022
User management - the next-gen of authentication meetup 27012022
 
Securing and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 bSecuring and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 b
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021
 
Application security meetup data privacy_27052021
Application security meetup data privacy_27052021Application security meetup data privacy_27052021
Application security meetup data privacy_27052021
 

Recently uploaded

AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
fredae14
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Jeffrey Haguewood
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Project Management Semester Long Project - Acuity
Project Management Semester Long Project - AcuityProject Management Semester Long Project - Acuity
Project Management Semester Long Project - Acuity
jpupo2018
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
David Brossard
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 

Recently uploaded (20)

AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Project Management Semester Long Project - Acuity
Project Management Semester Long Project - AcuityProject Management Semester Long Project - Acuity
Project Management Semester Long Project - Acuity
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 

Application security meetup k8_s security with zero trust_29072021

  • 1.
  • 4. K8S WHO, WHY AND HOW? How often are you release cycles? What role at your organization is most responsible for container and Kubernetes security?
  • 5. K8S WHO, WHY AND HOW? • Compliance is a priority • Lack of K8s knowledge, uses: • Network security (NGFW) for North- South sanitation • WAF/API gateways for application-level vulnerabilities • Willing to purchase a standalone solution for K8s security • Looking for solution that covers A-Z (runtime, posture etc) • Security is not priority • Hates adding tools to his pipeline • Bottle neck in the organization • “Don’t touch my production!” - shift left • Everything is code/API • Visibility is very important, but not as a standalone offering • Secret management is a headache Deliver code as fast as possible Risk Mitigation, Compliance and avoid data breach
  • 9. CAN WE SECURE USING ONLY SHIFT LEFT? Others can claim: IMO, NO!!! Micro Services are predictable Pro: Watch for abnormal behavior Con: Not really the case with many types of workloads -> a lot of false positive Immutability Pro: you scan for vulnerabilities and deliver new image every time Con: if the attacker knows how to insert a malware he can do it every time + maybe he is already on the host/other workload
  • 12. WHERE AND WHY EXISTING SOLUTIONS FAIL Endless chase No single source of truth for K8s Configuration Thousands of potential misconfigurations Inability to build a reliable normal baseline False Positives, Complexity, and performance impact Resources intensive Find Vulnerabilities & Misconfigurations Anomaly Behavioral Analysis and Network Segmentation K8S POSTURE MANAGEMENT K8S RUN TIME PROTECTION
  • 13. LOOKING TO SECURE KUBERNETES? K8S POSTURE MANAGEMENT K8S RUN TIME PROTECTION kubernetes
  • 14. A WHOLE NEW WAY TO SECURE KUBERNETES Infusing Visibility, Control, and Security Seamlessly into Every Workload
  • 15. ARMO BRINGS K8S POSTURE AND RUNTIME TOGETHER - SEAMLESSLY Enrich finding with runtime deep visibility information Shrink the attack surface based on field proven best practices Continuous compliance validation and auditing From Zero to Zero-Trust in 10 minutes No need to change policies when microservices change Resiliency by design, even against the most advanced attacks Add Context and Relevancy to posture findings Patented one-YAML deterministic ZERO-TRUST K8S POSTURE MANAGEMENT K8S RUN TIME PROTECTION ARMO Kubernetes Fabric™
  • 16. KEY TAKEAWAYS • You need both posture and runtime protection • Scan your posture as soon as possible (shift left) • Apply runtime protection on dev/staging/production Stay Safe! Questions?
  • 17. The greatest risk is the one you are not aware of zvika.ronen@fossaware.com TEL: +972-(0)52-426-5306 All right reserved © FOSSAware LTD
  • 18. • I am 48 • L.L.B law degree - Ono academic college • I am the CTO of FOSSAware • I specialized in FOSS technologies and software audits • I help organizations to implement a risk management program to manage their OSS usage, lower the remediation costs and comply with ISO standards • I also perform tech due-diligence audits and escort such process for target companies 18 Who am I 18
  • 19. 19 Few Words on Open Source 19
  • 20. 20 freely accessed, used, changed, and shared FSF four essential freedoms of the Free Software Definition OSI Ten criteria of the Open Source Software Definition 20 FOSS Definition
  • 21. Legal risk • Losing IP protection • Paying Monetary Damages • Block product shipment/distribution (Injunction) • Negative press and damaged relationship with customers Cyber security vulnerabilities • Denial of service, taking a service offline • Business intelligence and Client information theft • Hacker remote access • Ransom attacks Operational risk • Losing ability to build your software due to missing web based components • Losing community support due to open source project with low contribution activities • Using outdated open source components (less secure, more complex to upgrade) Open Source Risks 21
  • 25. 25
  • 27. Source: Synopsys OSSRA 2021 Industry Sectors and Open Source 27
  • 28. Own Proprietary Software 3rd Party Commercial Software Open Source Commercial Software Dependencies Open Source Dependencies 28 Open Source in Commercial Software
  • 29. 29 Hackers also Love Open Source 29
  • 30. dateutil vs python3-dateutil 350 FORKS jellyfish vs jeIlyfish (“L” is an “I”) 122 FORKS Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks 30 OSS Malicious Package Analysis by the Academy Hundreds of open source packages were used in real cyber events 61% malicious packages used typosquatting 2nd most common – injection to existing package
  • 31. Source: Dustico Blog, https://dusti.co/blog/unsafe-to-download-pip/ 31 Downloaded FOSS may include hidden setup
  • 32. Source: WhiteSource, 2021 32 Open Source Vulnerabilities Continue To Increase
  • 33. #1 Lodash #2 FasterXML jackson-databind #3 HtmlUnit #4 Handlebars #5 http-proxy 33 Source: WhiteSource, Top 10 Open Source Vulnerabilities In 2020 33 Top 10 Open Source Vulnerabilities In 2020
  • 34. 34 Source: Sonatype, devsecops community survey 2020
  • 35. 35 Open Source related breaches occur much too often 35
  • 36. Source: Sonatype, devsecops community survey 2020 1 in 5 breaches is Open Source related 36
  • 37. Open Source Component - Apache Struts (CVE-2017-5638) 37 Equifax breach was 100% preventable
  • 38. • Popularity: 2 million downloads per week • Dependency: “flatmap-stream” has malicious code • The action: Harvest the victim’s “copay” private keys • Intention: Steal Bitcoin • Result: 7000 stollen bitcoins 38 The “Event-Stream” incident https://github.com/dominictarr/event-stream/issues/116
  • 39. • Open Source Component - Mozjpeg (CVE-2020-13790) • Mozjpeg weekly downloads from NPM - 650k Instagram Hack core reason – Mozjpeg 39
  • 42. 42 42 PyPI and NPM Flooded with over 5,000 Dependency Confusion Copycats Source: securityreport.com Copycat behavior (Dependency Confusion based)
  • 43. • Human factor (training) • Proprietary code (static analysis) • Supply chain 3rd party (liability & support) • Open Source? • White/Black-box (testing) What is the weakest / unknown link of the chain? 43
  • 44. 44 Top 10 Web Application Security Risks
  • 45. “Developers often use available open source and third-party software components to create a product; an SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities. Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product.” What Biden has to say on Open Source? 45
  • 47. 47 1. Know Your Product 47
  • 48. Homegrown code 3rd Party Commercial Software Open Source Commercial Software Dependencies Open Source Dependencies 48 Open Source in Commercial Software
  • 49. 49 2. Manage your Open Source 49
  • 50. 3rd Party Commercial Software Open Source Dependencies Open Source Dependencies 50 Choosing right Manage your software supply chain in “critical software” Manage your Open Source “critical software” — software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources)
  • 51. 51 CII Best Practices badge program
  • 52. End User License Agreement BSD Open Source License 52 Manage risks from 3rd party (Supply Chain) Common Default in Commercial Software Agreements
  • 53. Homegrown code Open Source 3rd Party Proprietary SW Cost All type of software requires some level of compliance and/or vulnerability monitoring Possible Vulnerabilities IP rights Owned Licensed Licensed License Requirements Procurement is being done by Homegrown The developers Procurement people Monitoring is being done using different tools, processes, and policies Who is responsible? The developer The developer The vendor Support By the developer Community/Developer By the vendor Additional Dependencies Access to Source Code Analysis tools Static Code Analysis Software Composition Analysis Penetration Test 53 53 Homegrown vs. Open Source vs. 3rd Party Proprietary SW
  • 54. 54 54 1. Risk management program (ISO-5230) • Policy • Process • Tools • Training 2. Early detection = Lower remediation cost 3. Ongoing management (pre-> post production) OSS in Commercial Software Development
  • 55. 55 3. Do not invent the wheel 55
  • 56. International Standard for open source license compliance 56
  • 58. The greatest risk is the one you are not aware of zvika.ronen@fossaware.com TEL: +972-(0)52-426-5306
  • 59. Automated Red-Team for Managing Attack Surface Alex Peleg CEO | Hacker
  • 60. AI and Community powered Attack Surface and Operations Management For SMEs Reducing Time From Breach to Fix Recover From Incidents Offensive Engineering Cynergy.app
  • 61. Agenda Kesaya breach story Attack Surface 101 Why AI? Continuous Red-Team, the good the bad and the ugly. Open topics for further research and innovation 1 2 3 4 5
  • 62. What has gone wrong? A server was exposed....
  • 63. Attack Surface 101 Attackers need only one hole in the defense
  • 64. Attack Surface 101 External Attack Surface
  • 65. Attack Surface 101 Web & Mobile Apps
  • 69. Attack Surface 101 3rd & 4th Parties
  • 73. Additional Research... 1 Faster and Better Context 2 Threat Intelligence to Improve Prioritization 3 AI based mitigation - GPT3 4 Integration with CICD
  • 74. Q&A
  • 75. Thanks and Questions! Alex@cynergy.app Type text
  • 76. Turn any Kubernetes solution into Zero-Trust by design FROM ZERO to ZERO-TRUST
  • 77. WHAT ARE WE UP AGAINST? What hackers are looking for? What do they do inside? • Data  Business & customer’s data • Keys  Encryption & Authentication • Resources  CPU (coin miners)  Storage  Network (bots) • Damage & Extortion  Ransome  DDoS, UI/UX harm • Intellectual Property  Algorithms  APIs • Use existing software in inappropriate way • Change behavior of existing software  Change configuration • Inject new software  Corrupt existing software  Add new software How do they break in? • Misconfigurations • Credential abuse • Software vulnerability
  • 78. KNOCK-KNOCK, WHO IS THERE? Who is calling my APIs? Who is reading my Data?
  • 79. DON’T TRUST, VERIFY! Protect customer solutions even if infrastructure is compromised Genuine Software Identity – like DNA Automated Zero-Trust Network Policy Transparent Data Signing & Encryption
  • 80. SOFTWARE DNA – WHAT DOES THIS MEAN? Executable DLL/SO DLL/SO ARMOGuard DLL/SO Python/Java/JS/.NET ConfigFile/ConfigMap Environment Variables Command Line ARMO Back-End Prove DNA validity Receive Cryptographic Materials Protect process memory while it runs: • Validate cryptographic digest of every relevant artifact • Prevent unsigned artifacts from loading • Keep containers immutable • Use Kubernetes for automation
  • 81. INTENTION POD A Secret Volume POD B Server Legit App Container Container
  • 82. REALITY POD A Secret Volume POD B Injected App Server Legit App Container Container
  • 83. WITH ARMO ZERO-TRUST POD A Secret Volume POD B Injected App Server Legit App Container Container
  • 85. • Thank You! • Questions? • To be continued…