The document discusses securing container environments. It outlines tactics for securing the host, containers, and pipeline. Specific areas of focus include securing AWS EC2 and ECS hosts, restricting IAM roles, adding security controls to the development pipeline like scanning for vulnerabilities and secrets, and educating developers on secure coding practices. The goal is to deliver applications quickly using containers while ensuring security is maintained throughout the development and deployment process.
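The pipeline control the summary above lists, scanning for secrets before code or an image reaches the registry, is easy to describe and easy to get wrong. As an added example (written for this page; not code from the deck being summarized), here is a small gate that combines shape-based rules with an entropy heuristic. The rule list, the entropy threshold, the file contents and the key ID are all my assumptions for the demonstration: every sample input is constructed, and the access key ID is the placeholder value AWS uses in its own documentation.

```python
"""Added example: a minimal secrets scanner for a CI/pre-commit gate.

Illustrative code written for this page, not code from the deck summarized
above. Assumptions: files arrive as text, the rule list and the entropy
threshold are heuristics chosen here, and every sample input below is
constructed (the key ID is AWS's documented placeholder value).
"""
import math
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    preview: str   # masked; the full secret never lands in CI logs


# Pattern rules. Group 1, when present, is the secret value itself.
PATTERN_RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
    ("hardcoded_credential", re.compile(
        r"(?i)(?:secret|password|passwd|token|api[_-]?key)\s*[:=]\s*['\"]?([^\s'\"]{8,})")),
]

# Entropy heuristic for secrets that match no known shape: long runs of
# base64/URL-safe characters whose character distribution is near-random.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.5   # bits/char; a common cut-off for base64-like strings


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def mask(secret: str) -> str:
    """Keep a 4-character prefix for triage and hide the rest."""
    return secret[:4] + "*" * (len(secret) - 4) if len(secret) > 4 else "*" * len(secret)


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched_spans = []
        for name, rx in PATTERN_RULES:
            for m in rx.finditer(line):
                secret = m.group(1) if m.lastindex else m.group(0)
                findings.append(Finding(path, lineno, name, mask(secret)))
                matched_spans.append(m.span())
        # Entropy pass, skipping tokens that overlap a pattern hit so that
        # one secret is reported once.
        for m in TOKEN_RE.finditer(line):
            if any(m.start() < b and m.end() > a for a, b in matched_spans):
                continue
            if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high_entropy_string", mask(m.group(0))))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> content; a real gate would walk the repo."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample repository contents.
SAMPLE_FILES: Dict[str, str] = {
    ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_REGION=us-east-1\n",
    "settings.py": 'DB_PASSWORD = "correct-horse-battery"\nDEBUG = False\n',
    "deploy.pem": "-----BEGIN RSA PRIVATE KEY-----\n...key material omitted...\n"
                  "-----END RSA PRIVATE KEY-----\n",
    "alerts.yaml": "hook_url: https://hooks.example.com/services/T0AB1CD2E/B3FG4HI5J/"
                   "x9K2mQ7pL4vR8sT1uW3yZ6aB\n",
    "README.md": "See https://example.com/docs/getting-started for setup details.\n",
}


if __name__ == "__main__":
    import sys
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line} [{f.rule}] {f.preview}")
    # Non-zero exit blocks the commit or the image build step.
    sys.exit(1 if results else 0)
```

Two details matter in practice: the report masks every hit, because a CI log is itself a place secrets leak from, and the entropy pass skips anything a pattern rule already matched, so the same credential does not produce two findings. The threshold is deliberately high enough that ordinary identifiers such as `AWS_REGION=us-east-1` stay below it; true positives in the sample are the key ID, the hard-coded password, the private-key header and the random webhook path component.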
A Call to Arms: Using a Working Model of the Attack Surface to Improve Incide...Skybox Security
Systematically combine network data and intelligence sources to create a working model of the attack surface. Perform attack simulation to easily identify weak points in your defenses. Target vulnerability concentrations with streamlined actions and fix risky firewall rules and changes with automated risk assessment. With comprehensive network data at your fingertips, SOC analysts and incident response teams can achieve same-day response to cyber attacks.
Take your enterprise network security to the next level. Prevent, analyze, and respond to cyber attacks in real time.
What's Wrong with Vulnerability Management & How Can We Fix ItSkybox Security
Learn what nearly 1000 IT security professionals have to say about vulnerability management. Based on the findings of a Skybox global survey, see what works and what doesn't in vulnerability assessment, prioritization, and remediation, and how you can improve your program today. Learn the benefits of creating a formal policy that fits your organization, how to assess risk within the context of your organization, and how to create a mature program with continuous security to neutralize risk every day.
Secure application deployment in Apache CloudStackTim Mackey
At the Apache CloudStack Collaboration Conference in Montreal, I presented a potential pathway to secure template management in CloudStack. Under this model, cloud providers can assess the templates their users have and potentially advise if deployed instances have application security issues which have either public disclosures, or better still remediation.
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...Digital Bond
I will never forget my assignment for a vulnerability assessment against a control systems network. “Hey, can you go somewhere, run “scans” against this system, and oh by the way don’t crash it or a large portion of the USA could lose power”. Needless to say, I turned down that assignment, as they required that a traditional network-based “scan” be run. There has to be a better way to perform assessments in such environments!
Fast forward 10 years later and I’ve worked with much safer techniques for assessing the security of SCADA/Control systems infrastructure. Working for Tenable Network Security has also provided me great insights into several techniques, including:
- Using credentials to login to systems and audit for missing patches and configuration changes
- Tuning vulnerability scans to be less intrusive yet still accurate and providing useful information
- Implementing passive vulnerability scanning to discover hosts on the network and enumerate vulnerabilities, without sending a single packet to the end-user system
You need to establish clear operational and security processes around your app and container usage. Join this session to see how enterprise IT can accelerate business agility, implement DevOps processes, and achieve greater security and control.
Continuous Compliance is achievable, provided you leverage the cloud infrastructure APIs and apply Continuous Monitoring to your deployed resources. Here's how Evident.io is doing cloud security right.
DevSecOps is propelling forward-thinking organizations by doing something simple – fostering collaboration of seemingly contradictory teams to align their disparate goals into a singular effort.
Time Traveling: Adapting Techniques from the Future to Improve Reliability, J...Digital Bond
Technology in ICS environments lags the Enterprise by 10-15yr. This often leads to ICS companies having to stand by while other more nimble institutions are able to take advantage of new technology. What few people realize, is that our industry gets to watch the future happen out on the Internet and then pick and choose the best techniques to adapt and bring back in time. In this session Mr. Kitchel will look at what is new in the IT world and forecast what should and will be applied to OT.
A research and security tool that allows different exploits to be run against systems and networks to test their security, with the purpose of improving their level of security.
While vulnerability assessment tools can identify unpatched or misconfigured code bases, these tools overlook a large portion of an organization's attack surface: known vulnerabilities in applications that are built in-house.
Mobile apps are a major source of security concerns in modern software solutions. But it doesn't have to be like that: in this session we will explore best practices, tips and tricks from the OWASP MASVS that will take your app to the next level! Just remember: you don't need to be an expert to make an app secure.
Using hypervisor and container technology to increase datacenter security pos...Tim Mackey
As presented at LinuxCon/ContainerCon 2016:
Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and anti-malware agents. Unfortunately, those techniques introduce performance and management challenges when used at large VM densities, and may not work well with containerized applications.
Fortunately, the Xen Project community has collaborated to create a solution which reduces the potential of success associated with rootkit attack vectors. When combined with recent advancements in processor capabilities, and secure development models for container deployment, it’s possible to both protect against and be proactively alerted to potential zero-day attacks. In this session, we’ll cover models to limit the scope of compromise should an attack be mounted against your infrastructure. Two attack vectors will be illustrated, and we’ll see how it’s possible to be proactively alerted to potential zero-day actions without requiring significant reconfiguration of your datacenter environment.
Technology elements explored include those from Black Duck, Bitdefender, Citrix, Intel and Guardicore.
The How and Why of Container Vulnerability ManagementTim Mackey
As presented at OpenShift Commons Sept 8, 2016.
Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and associated network defenses. Since those defenses are reactive to the application issues attackers choose to exploit, it’s critical to have visibility both into what is in your container library and into the current state of vulnerability activity. Current vulnerability information for container images can readily be obtained by using the scan action on Atomic hosts in your OpenShift Container Platform.
In this session we’ll cover how an issue becomes a disclosed vulnerability, how to determine the risk associated with your container usage, and potential mitigation patterns you might choose to utilize to limit any potential scope of compromise.
The quality of the code shipped in a product translates not only into its functional quality but also into non-functional aspects such as security. Many issues in code can be addressed well before they reach source control (SCM).
Implementing Fast IT Deploying Applications at the Pace of Innovation Cisco DevNet
Fast innovation requires Fast IT: the new model for IT that transforms the way we deliver new business application capabilities to our clients.
Cisco IT has created solutions that enable automated provisioning of environments and fast deployment of cloud applications through “Software Development-as-a-Service”.
In this session, we’ll provide a hands-on experience of how application teams use an automated toolset to combine quality and agility, while reducing operational expense. We’ll also provide a view of the key technologies that enable this solution.
Finally, there’s a quick glimpse into what’s next: containerization and IOE Application Enablement.
Applying formal methods to existing software by B.MonateMahaut Gouhier
"Applying formal methods to existing software: what can you expect?" Talk by Benjamin Monate, Co-founder and CTO of TrustInSoft, at the 2018 Sound Static Analysis for Security Workshop, held at NIST, USA, on June 27th.
This work has been supported by the Core Infrastructure Initiative of the Linux Foundation.
Learn more about TrustInSoft
https://trust-in-soft.com/
AWS Community Day - Vitaliy Shtym - Pragmatic Container SecurityAWS Chicago
Vitaliy Shtym - Pragmatic Container Security
We'll use practical examples to understand the security strategy and tactics needed to accelerate development while meeting security goals no matter where you're deploying containers.
AWS Community Day
aws community day | midwest 2019
Pragmatic Container Security (Sponsored by Trend Micro) - AWS Summit SydneyAmazon Web Services
Containers accelerate development. They address the very real challenge of application packaging and delivery. Thanks to containers, teams can quickly and reliably deploy their applications in a variety of environments. But solutions always come with a cost. Containers simplify the developer experience by pushing complexity down into the infrastructure. This shift requires a change in the security approach in order to preserve the advantages containers bring. In this talk, we'll use practical examples to understand the security strategy and tactics you need to continue to accelerate development while meeting your security goals no matter where you're deploying containers.
Are Your Containers as Secure as You Think?DevOps.com
With the growing popularity of Container technology comes the growth of container-based attacks – but understanding your security needs will keep you ahead of the game.
Container adoption is skyrocketing, growing 40% in the last year. And it makes sense – the agility, operational efficiencies and cost savings of containerized environments are huge benefits. But as more organizations rush to leverage containers, security is increasingly becoming a major concern and is the top roadblock to container deployment. What do you need to know (and do) to keep your container environments safe?
Achieving DevSecOps Outcomes with Tanzu Advanced- May 25, 2021VMware Tanzu
Achieving DevSecOps Outcomes with Tanzu Advanced
Speakers:
David Zendzian, Global Field CISO, VMware Tanzu
James Urquhart, Strategic Executive Advisor, VMware Tanzu
Mike Koleno, Chief Architect, AHEAD
Secure Application Development in the Age of Continuous DeliveryTim Mackey
As delivered by Tim Mackey, Senior Technical Evangelist - Black Duck Software, at LinuxCon and ContainerCon in Berlin 2016.
Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques.
The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
• How known vulnerabilities can make their way into production deployments
• How deployment of vulnerable code can be minimized
• How to determine the vulnerability status of a container
• How to determine the risk associated with a specific package
Application security meetup k8_s security with zero trust_29072021lior mazor
The "K8S security with Zero Trust" Meetup is about K8s posture management and runtime protection, ways to secure your software supply chain, managing attack surface reduction, and how to secure K8s with Zero Trust.
(SEC202) Best Practices for Securely Leveraging the CloudAmazon Web Services
Cloud adoption is driving digital business growth and enabling companies to shift to processes and practices that make innovation continual. As with any paradigm shift, cloud computing requires different rules and a different way of thinking. This presentation will highlight best practices to build and secure scalable systems in the cloud and capitalize on the cloud with confidence and clarity.
In this session we will cover:
Key market drivers and advantages for leveraging cloud architectures.
Foundational design principles to guide strategy for securely leveraging the cloud.
The “Defense in Depth” approach to building secure services in the cloud, whether it’s private, public, or hybrid.
Real-world customer insights from organizations who have successfully adopted the “Defense in Depth” approach.
Session sponsored by Sumo Logic.
Containers accelerate development and address the challenges of application packaging and delivery. Thanks to containers, teams can quickly and reliably deploy their applications. But solutions always come with a cost. Containers simplify the developer experience by pushing complexity down into the infrastructure. This shift requires a change in the security approach in order to preserve the advantages that containers bring. In this talk, we use practical examples to understand the security strategy using the AWS shared responsibility model, and we cover tactics that you need to continue accelerating development while meeting your container deployment security goals on AWS.
Containers continue to mystify security practitioners, mostly because they don’t know how securing them fits into their existing vulnerability program. Is it a virtual machine that gets scanned by the same tools used for over a decade? Or is it an application package that should be tested by SCA, SAST and DAST tools? How do you manage the image or runtime vulnerabilities vs. the application security issues? This talk will focus on container security as a supply chain lifecycle problem and how to integrate validation at multiple points to achieve the ultimate goal of *assurance.* The talk is tool agnostic, because security of the supply chain is more about alignment with the software development process than the integration of a single, magical tool.
AWS live hack: Docker + Snyk Container on AWSEric Smalling
Slides from session 3 of the Snyk AWS live hack series
Dec 15, 2021 with Eric Smalling, Dev Advocate at Snyk, and Peter McKee, Head of Dev Relations & Community at Docker.
With 73% of all cyber attacks last year happening against web applications*, there’s little doubt that application layers and web-related attacks pose a significant risk to most organizations. However, typical investment in protecting common attack targets (content management systems and ecommerce platforms) doesn’t correspond to that risk.
This webinar examines the growth of applications in enterprise architecture and the risks associated with agile development, plus expert advice and real-world examples on how to scope and build a successful application security program that will maximize coverage and optimize your limited resources.
"How to Get Started with DevSecOps," presented by CYBRIC VP of Engineering Andrei Bezdedeanu at IT/Dev Connections 2018. Collaboration between development and security teams is key to DevSecOps transformation and involves both cultural and technological shifts. The challenges associated with adoption can be addressed by empowering developers with the appropriate security tools and processes, automation and orchestration. This presentation outlines enabling this transformation and the resulting benefits, including the delivery of more secure applications, lower cost of managing your security posture and full visibility into application and enterprise risks. www.cybric.io
How to go from waterfall app dev to secure agile development in 2 weeks Ulf Mattsson
Waterfall is based on the concept of sequential software development—from conception to ongoing maintenance—where each of the many steps flowed logically into the next.
Join this webinar presentation to learn:
- Why DevOps cannot effectively work in waterfall
- How to use DevOps tools to optimize processes in either development or operations through automation
We will also discuss what is needed to support full DevOps
Security in the cloud is fundamentally different. Not so much due to the technology--though there are plenty of differences there--but more with respect to the way that security is applied and how it's run.
Over the past few years, we've seen a radical shift in how development and operational teams work together. Security teams have been left out in the cold and are still viewed as the "No" team.
It doesn't have to be that way.
Cloud technologies have enabled new work flows and models for businesses and other teams...security is no different. We just have to wake up and take advantage of the new ecosystem.
When security teams embrace change, the boundaries start to dissolve and security can finally be built in instead of bolted on.
In this session, we'll look at some of the challenges involved in this shift, how it impacts your teams, your skill set, and how a modern approach to defence will improve your security posture.
Presented at BC Aware Day, 31-Jan-2017
Introducing a Security Feedback Loop to your CI PipelinesCodefresh
Watch the webinar here: https://codefresh.io/security-feedback-loop-lp/
Sign up for a FREE Codefresh account today: https://codefresh.io/codefresh-signup/
We're all looking at ways to prevent vulnerabilities from escaping into our production environments. Why not require scans of your Docker images before they're even uploaded to your production Docker registry? SHIFT LEFT!
Codefresh has worked with Twistlock to run Twist CLI using a Docker image as a build step in CI pipelines.
Join Codefresh, Twistlock, and Steelcase as we demonstrate setting up vulnerability and compliance thresholds in a CI pipeline. We will show you how to give your teams access to your Docker images' security reports & trace back to your report from your production Kubernetes cluster using Codefresh.
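The thresholds described above are the part of this pipeline step that teams most often leave vague. As an added example (written for this page; it is not Codefresh, Twistlock or twistcli code), here is the policy evaluation a "scan before push" step needs: per-severity limits for vulnerabilities and compliance checks, an option to count only findings that have a fix, and an ignore list whose entries expire. The report schema is a simplification I chose for the demonstration, not the twistcli output format, and every finding, package and image name in it is a constructed placeholder.

```python
"""Added example: a severity-threshold gate applied to an image scan report
before the image is pushed to the production registry.

Illustrative code written for this page; not Codefresh, Twistlock or twistcli
code. The report schema is a simplification chosen for the demonstration,
not the twistcli output format, and all findings are constructed placeholders.
"""
import json
import sys
from datetime import date
from typing import Dict, List, NamedTuple, Optional

SEVERITIES = ["critical", "high", "medium", "low"]


class GateResult(NamedTuple):
    passed: bool
    counts: Dict[str, Dict[str, int]]   # kind -> severity -> count
    violations: List[str]


# Policy: maximum allowed findings per severity (None = no limit).
# Ignores are keyed by finding id and carry an expiry date so that an
# accepted risk cannot silently become permanent.
POLICY = {
    "vulnerability": {"critical": 0, "high": 2, "medium": None},
    "compliance": {"critical": 0, "high": 0},
    "only_fixable": True,            # count only vulnerabilities with a fix available
    "ignores": {"container-runs-as-root": "2030-12-31"},
}

# Constructed scan report (hypothetical schema, placeholder ids and packages).
SAMPLE_REPORT = json.dumps({
    "image": "registry.example.com/payments/api:1.4.2",
    "vulnerabilities": [
        {"id": "example-vuln-1", "severity": "critical", "package": "pkg-alpha", "fixed_in": "2.0.1"},
        {"id": "example-vuln-2", "severity": "high", "package": "pkg-beta", "fixed_in": "1.3.7"},
        {"id": "example-vuln-3", "severity": "high", "package": "pkg-gamma", "fixed_in": None},
        {"id": "example-vuln-4", "severity": "medium", "package": "pkg-delta", "fixed_in": "4.2.0"},
    ],
    "compliance": [
        {"id": "container-runs-as-root", "severity": "high"},
        {"id": "missing-healthcheck", "severity": "low"},
    ],
})


def _ignored(finding: dict, ignores: Dict[str, str], today: date) -> bool:
    """An ignore entry silences a finding only until its expiry date."""
    expiry = ignores.get(finding["id"])
    return expiry is not None and date.fromisoformat(expiry) >= today


def evaluate(report_json: str, policy: dict, today_iso: Optional[str] = None) -> GateResult:
    """Count the findings that the policy says matter and compare to its limits."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    report = json.loads(report_json)
    counts = {kind: {s: 0 for s in SEVERITIES} for kind in ("vulnerability", "compliance")}

    for kind, key in (("vulnerability", "vulnerabilities"), ("compliance", "compliance")):
        for finding in report.get(key, []):
            if _ignored(finding, policy.get("ignores", {}), today):
                continue
            if kind == "vulnerability" and policy.get("only_fixable") and not finding.get("fixed_in"):
                continue
            sev = finding["severity"].lower()
            if sev in counts[kind]:
                counts[kind][sev] += 1

    violations = []
    for kind in ("vulnerability", "compliance"):
        for sev, limit in policy.get(kind, {}).items():
            if limit is not None and counts[kind][sev] > limit:
                violations.append(f"{kind}/{sev}: {counts[kind][sev]} found, at most {limit} allowed")
    return GateResult(not violations, counts, violations)


if __name__ == "__main__":
    result = evaluate(SAMPLE_REPORT, POLICY)
    for v in result.violations:
        print("BLOCK:", v)
    print("gate", "passed" if result.passed else "failed", result.counts)
    sys.exit(0 if result.passed else 1)   # non-zero stops the push step
```

On the sample report the gate fails on the single fixable critical finding; the unfixable high is not counted because of `only_fixable`, and the root-user compliance failure is suppressed by an ignore that expires in 2030. Skipping unfixable findings keeps the gate actionable, but those findings still need tracking; the expiring ignore list is the explicit way to record an accepted risk, and once an entry lapses the same image starts failing again.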
Continuous Compliance in the Cloud - Best Practices from Sumo Logic, Coalfire...Sumo Logic
For many businesses, security, compliance and data protection in the cloud have been a major challenge due to the shared responsibility model and automation of public cloud infrastructure. Ensuring consistent security controls across hybrid environments requires new methodologies for security and auditing teams. The good news is that forward-thinking Cloud Service Providers, Software Vendors and Audit Services Firms have overcome many of these challenges. You can now be in the cloud and have the full visibility, control and compliance posture you have always desired. Join AWS, Coalfire and Sumo Logic to discuss best practices for addressing compliance in the AWS cloud:
Understanding the shared responsibility model
Auditors' view of compliance in the new cloud era
Role of security analytics in organizations' compliance posture
Speakers:
Bill Shinn, Principal Security Solutions Architect, Amazon Web Services
Tim Winston, PCI Practice Director, Coalfire
George Gerchow, Director of Product Management, Sumo Logic
Similar to AWS Summit Singapore 2019 | Pragmatic Container Security
1. S U M M I T
Pragmatic Container Security
Paul Hidalgo, Solutions Architect, Trend Micro
2. "It worked on my machine"
…every developer ever
4. The problem: it's hard to deploy an application with all of its dependencies.
The solution: containers package the app and its dependencies in a portable format.
6. Containers accelerate the developer experience
7. "Containers provide the ability to package and run an application in a loosely isolated environment"
Docker Inc. on the goal of containers
8. "…loosely isolated…"
Docker Inc. on the goal of containers
17. ATTACKS ARE POCs
The following stunts were performed either by professionals or under the supervision of professionals.
DO NOT TRY THIS AT HOME
19. The bad guy was able to get in. Now what?
The attacker has root access to the container; what can he do?
• Check the environment for other assets
  • Look at file and network activity
  • Look at credentials: did the user have any other credentials, for example to a database?
• Plant a callback to control the container
  • Watch application activity, for example whether files are being downloaded
• Use it as a launching pad to exploit other vulnerable applications
  • Knowing the applications, servers and credentials makes it easier to pivot and look for data
• Use it as an exfiltration point
  • Connect to a data dump server
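Added example, not from the slides and not a Trend Micro tool: a Python audit that walks the same checklist from the defender's side, reading the container's environment variables and mount table for what root in the container would pick up first. The sample environment and the /proc/mounts text are constructed and the function names are hypothetical. The AWS variable names are real: on ECS and Fargate tasks that have a task role, AWS_CONTAINER_CREDENTIALS_RELATIVE_URI points at where the task's temporary credentials are served, which is why a compromised container is only as contained as that role's permissions.

```python
import re
import sys
from typing import Dict, List

# Env var names that usually carry secrets (heuristic, not exhaustive).
SECRET_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|ACCESS_KEY", re.IGNORECASE)

# Real AWS variable names. AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set on ECS and
# Fargate tasks that have a task role; any process in the task can fetch the role's
# temporary credentials from the agent at that URI, root or not.
ECS_TASK_CREDS_VAR = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
STATIC_AWS_VARS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}

# Mount points that give root in the container something it should not have.
RISKY_MOUNTS = {
    "/var/run/docker.sock": "Docker socket mounted, container root can drive the host daemon",
    "/run/secrets": "orchestrator secrets mounted as plain files",
    "/root/.aws": "AWS credential files mounted",
}


def parse_proc_mounts(text: str) -> List[str]:
    """Return the mount points (second field) from /proc/mounts text."""
    return [fields[1] for fields in (line.split() for line in text.splitlines()) if len(fields) >= 2]


def audit_container(env: Dict[str, str], mounts: List[str]) -> List[str]:
    """List what an attacker with root in this container could pick up directly."""
    findings: List[str] = []
    for name, value in env.items():
        if name in STATIC_AWS_VARS and value:
            findings.append(f"env {name}: long-lived AWS key in the environment, use a task or instance role instead")
        elif name == ECS_TASK_CREDS_VAR:
            findings.append(f"env {name}: task role credentials are one HTTP request away, keep that role least-privilege")
        elif SECRET_NAME.search(name) and value:
            findings.append(f"env {name}: secret-like value readable by every process in the container")
    for point in mounts:
        for prefix, why in RISKY_MOUNTS.items():
            if point == prefix or point.startswith(prefix + "/"):
                findings.append(f"mount {point}: {why}")
    return findings


# Constructed sample: a task container with a static key pasted into the environment,
# a task role attached, secrets mounted, and the Docker socket mounted for a CI helper.
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin",
    "DB_PASSWORD": "hunter2",
    "AWS_ACCESS_KEY_ID": "AKIAEXAMPLE",
    "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": "/v2/credentials/example",
    "APP_ENV": "prod",
}
SAMPLE_PROC_MOUNTS = """\
overlay / overlay rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run/secrets tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/nvme0n1p1 /var/run/docker.sock ext4 rw,relatime 0 0
"""

if __name__ == "__main__":
    if "--live" in sys.argv:  # audit the container this script is running in
        import os
        with open("/proc/mounts") as fh:
            env, mounts = dict(os.environ), parse_proc_mounts(fh.read())
    else:
        env, mounts = SAMPLE_ENV, parse_proc_mounts(SAMPLE_PROC_MOUNTS)
    for finding in audit_container(env, mounts):
        print(finding)
```

Run without arguments to see the five findings on the constructed sample, or copy it into a container and run with `--live` to audit that container's real environment and mounts. Every finding maps to a slide-19 step: the env vars are the "look at credentials" step, the Docker socket is the "launching pad" to the host, and the task-role URI is what turns a foothold into AWS API access.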
25. EC2: specific areas of focus
• Patch regularly
  • Software updates often contain critical security patches and should be applied as quickly as possible
• Restrict the IAM role
  • Apply the principle of least privilege
• Add critical security controls like application control, integrity monitoring and anti-malware
  • An "allow list" of the applications that may run on the host is highly effective, because each host runs a specific, known workload. Integrity monitoring and anti-malware controls likewise make sure that any change to the host is expected and not malicious
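As an added illustration of the integrity-monitoring bullet (this is not Deep Security's implementation, just a minimal Python version of the idea), the script below baselines a directory tree with SHA-256, compares a later snapshot against it, and reports only the changes that a deployment did not declare as expected. The sample host tree, its file contents and the function names are all constructed for the example.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str) -> Dict[str, str]:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # targets are hashed where they really live
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def diff_manifests(old: Dict[str, str], new: Dict[str, str],
                   expected: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Report added, removed and modified paths, minus those a deployment was expected to touch."""
    old_paths, new_paths = set(old), set(new)
    changed = {
        "added": new_paths - old_paths,
        "removed": old_paths - new_paths,
        "modified": {p for p in old_paths & new_paths if old[p] != new[p]},
    }
    allowed = set(expected)
    return {kind: sorted(paths - allowed) for kind, paths in changed.items()}


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed host tree: a deploy legitimately updates the app config, then an
    intruder adds a root account to /etc/passwd and drops a file. Only the intruder's
    two changes come back; the declared config change is filtered out."""
    with tempfile.TemporaryDirectory() as host:
        _write(host, "etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
        _write(host, "etc/app/config.yml", b"version: 1\n")
        _write(host, "usr/bin/app", b"\x7fELF-original")
        before = baseline(host)

        _write(host, "etc/app/config.yml", b"version: 2\n")  # expected: the deploy did this
        _write(host, "etc/passwd", b"root:x:0:0::/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")
        _write(host, "tmp/.x", b"dropper")
        after = baseline(host)

        return diff_manifests(before, after, expected={"etc/app/config.yml"})


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real host you would store the baseline manifest off-box (an attacker with root can edit a local one), feed the paths your deployment pipeline changed into `expected`, and alert on anything left over; the point the slide makes is exactly that filtering, so that only unexpected change is treated as suspicious.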
26. ECS: specific areas of focus
• Same as EC2 for any AMI that meets the Amazon ECS AMI specification
• Use one of the AWS-provided AMIs as a starting point
27. Fargate: specific areas of focus
• IAM policies and roles
• Runs on AWS-managed infrastructure, so there are no Amazon EC2 instances to manage
33. Code: specific areas of focus
• IAM roles and permissions
  • Make sure to restrict access appropriately. No "Full Access" policies!
• Add scanning and sanity checks at appropriate stages
  • Automating security steps like static code analysis, vulnerability scanning, malware scanning and secrets management is key
• Add security tests alongside integration and unit tests
  • Never assume, always verify. Security tests make it simple to validate your security assumptions each time a build is deployed
• If you are running your own pipeline, apply the same principles as in the EC2 section to those systems
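Added example, not from the slides: the "no Full Access policies" rule on this slide and the "restrict the IAM role" point from the EC2 and Fargate slides, turned into a sanity check that a pipeline can run over every IAM policy document in the repository. The policies, account ID and ARNs are constructed and the function names are hypothetical. It fails the build on `Action: "*"`, on service-wide wildcards combined with `Resource: "*"`, on `NotAction`/`NotResource` statements (which allow everything not listed), and on `iam:PassRole` against every resource, a well-known path to acquiring a more powerful role.

```python
import json
import sys
from typing import Any, Dict, List


def _listify(value: Any) -> List[Any]:
    """IAM accepts a string or a list in Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def full_access_findings(policy: Dict[str, Any]) -> List[str]:
    """Return the reasons this policy fails the 'no Full Access' check (empty list = pass)."""
    findings: List[str] = []
    for i, stmt in enumerate(_listify(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _listify(stmt.get("Action"))]  # IAM action names are case-insensitive
        all_resources = "*" in _listify(stmt.get("Resource"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows everything not listed")
        if "*" in actions:
            findings.append(f"statement {i}: Action '*'")
        service_wide = sorted(a for a in actions if a.endswith(":*"))
        if service_wide and all_resources:
            findings.append(f"statement {i}: {', '.join(service_wide)} on Resource '*'")
        if "iam:passrole" in actions and all_resources:
            findings.append(f"statement {i}: iam:PassRole on every role, privilege escalation path")
    return findings


def check_policy_files(paths: List[str]) -> Dict[str, List[str]]:
    """Pipeline entry point: map each policy file to its findings; a non-empty map fails the build."""
    bad: Dict[str, List[str]] = {}
    for path in paths:
        with open(path) as fh:
            findings = full_access_findings(json.load(fh))
        if findings:
            bad[path] = findings
    return bad


# Constructed sample policies (account ID and ARNs are made up).
FULL_ACCESS = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
TOO_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ecr:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
]}
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    # ecr:GetAuthorizationToken only works with Resource "*", and it is not a wildcard action
    {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
     "Resource": "arn:aws:ecr:ap-southeast-1:123456789012:repository/payments-api"},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::payments-config/prod/*"},
]}
SAMPLES = {"full-access.json": FULL_ACCESS, "too-broad.json": TOO_BROAD, "task-role.json": LEAST_PRIVILEGE}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        bad = check_policy_files(sys.argv[1:])
    else:  # no files given: run the constructed samples
        bad = {}
        for name, policy in SAMPLES.items():
            findings = full_access_findings(policy)
            if findings:
                bad[name] = findings
    for name, reasons in bad.items():
        print(name)
        for reason in reasons:
            print("  " + reason)
    sys.exit(1 if bad else 0)
```

Wire it in as `python check_iam.py iam/*.json` in the same pipeline stage as the unit tests; the non-zero exit code is what makes it a security test rather than a report. The third sample shows what passes: the ECR pull permissions are scoped to one repository and the S3 read to one prefix, which is the shape a task role or instance role should have.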
34. Builders: specific areas of focus
• Deploy strong endpoint controls to developers' workstations
  • Phishing accounts for 92% of all malware infections, and attackers are shifting their focus to developers in order to compromise the systems they build
• Educate developers on secure coding practices and help break down the barriers between teams
  • Security traditionally struggles to get controls built in and settles for "bolt-on" controls, which are more expensive and less effective. Anything you can do to reduce the divide between teams will benefit everyone involved
35. Containers accelerate the developer experience
Security makes sure they stay on track
36. Container Security: 6 areas to focus on…
37. Deep Security: container-aware protection for your EC2 instances and ECS container hosts
Deep Security Smart Check: automated container image scanning to detect vulnerabilities, malware and exposed secrets
Available on AWS Marketplace