To the Left, to the Left: All your Security Shifted to the Left
Jamie Lee Coleman
● Role: Developer Advocate @ Sonatype, previously @ IBM
● Experience: Developer in Mainframe Software (CICS), WebSphere & OpenJ9 @ IBM
linkedin.com/in/jamie-coleman
@Jamie_Lee_C
Theresa Mammarella
● Software Engineer @ IBM
● Eclipse OpenJ9 JVM
● Native image prototyping
● Supply chain security
● Open source developer, community
member and speaker
linkedin.com/in/tmammarella
@t_mammarella
Eddie Knight
● Sonatype Office of the CTO
● Maintainer @ FINOS
○ Compliant Financial Infrastructure
● Organizer @ CNCF
○ Cloud Native Security Slam
● Author of Nix (July 2023)
linkedin.com/in/knight1776
@the_eddieknight
https://eddieknight.dev
You Are Here
Threat Triage
The Mantra
Introduction
Software Dev
Dependencies
IaC
CI/CD
Diverse security efforts are valuable!
● Security Training
● Architecture Review
● Threat Modelling
● And more…
But they’re out of scope for this workshop.
@the_eddieknight @t_mammarella
Introduction
“Shift left is the practice of moving testing, quality, and performance evaluation early in the development process”
https://www.dynatrace.com/news/blog/what-is-shift-left-and-what-is-shift-right
● Plan for Secure Development
○ Time
○ Talent
○ Tools
● Build for Secure Development
○ The Mantra
● Test for Secure Development
○ SCA
○ *AST
Let’s put our security in the box to the left:
“Get over it” / “I think you left some out”
[Diagram labels: Cloud Infrastructure, App Deployment, CI/CD Pipelines, Application Dependencies, SCA/SAST and Homebrew Tests, CI/CD Pipelines, Dev Environment, Application Code, Infrastructure as Code]
The Mantra
1. Does this touch the internet?
2. Does this take untrusted input?
3. Does this handle sensitive data?
#1 - Does this touch the internet?
● Dependency Fetching
● User Input
● External API Calls
● Third-party Integrations
● Messaging, MQTT, Websockets
● Uploads & Downloads
● etc...
If a feature touches the internet, we need to ensure end-to-end security from the supplier to the consumer.
#2 - Does this take untrusted input?
● UI Forms
● Calls to a Shared Database
● Cookies and HTTP Headers
● External API Responses
● And more…
If a feature takes untrusted input, we need to validate its integrity before use.
#3 - Does this handle sensitive data?
● Personally Identifiable Information
● Authentication / Authorization
● Private Communications
● Intellectual Property
● Location, Medical or Financial Data
● And more…
If a feature handles sensitive data, we must pay special care to encryption, handling, and storage.
1. Does this touch the internet?
2. Does this take untrusted input?
3. Does this handle sensitive data?
Ensure end-to-end security from the supplier to the consumer
Validate its integrity before use
Pay special care to encryption, handling, and storage
Secure Development is Achievable!
Let’s Practice:
https://github.com/sonatype-nexus-community/codetocloud-workshop
1. Review application code using the Mantra
2. Identify any un-mitigated risks
3. Create a GitHub Issue to discuss the risk
Dependency Management Calls for Automation!
(Begin tooling demonstration now)
Secure IaC is Difficult!
This section is not hands-on, because secure IaC is more nuanced.
1. IaC tools have dependencies too
2. Infrastructure has the largest surface area
3. Defaults are the devil in the details
IaC External Dependencies
1. Ansible Roles
2. CloudFormation Resources
3. Terraform Providers
4. Pulumi Resource Providers
Devil in the Details
1. Investigate Defaults for Every Resource
2. Parameterize ONLY Where Necessary
3. Remember The Mantra
Secure CI/CD
1. Pipeline permissions
2. Secret handling
3. Pipeline dependencies
a. Containers, actions, etc.
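The three points above can be checked mechanically on every pull request. The following Python script is an added example written for this page, not code from the workshop deck or its repository: it scans two constructed GitHub Actions workflows (the action names are real, but the commit SHAs and image digests are placeholders) for a missing top-level `permissions:` block, actions or container images that are not pinned to an immutable reference, and secrets interpolated directly into a `run:` script.

```python
import re

# Pinned references: a full 40-hex commit SHA for actions, a sha256 digest for images.
SHA_REF = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
IMAGE_LINE = re.compile(r"^\s*image:\s*(\S+)")
RUN_LINE = re.compile(r"^\s*-?\s*run:")
SECRET_EXPR = re.compile(r"\$\{\{\s*secrets\.")

# Constructed workflow (not from the workshop repository) showing the weak patterns.
# The 40-hex and sha256 values in both workflows are placeholders, not real commits or digests.
WEAK_WORKFLOW = """\
name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: maven:3.9-eclipse-temurin-17
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567
      - name: Build
        run: mvn -B verify
      - name: Smoke test
        run: curl -fsS -H "Authorization: Bearer ${{ secrets.API_TOKEN }}" https://example.invalid/health
      - name: Publish
        run: ./publish.sh
        env:
          NEXUS_TOKEN: ${{ secrets.NEXUS_TOKEN }}
"""

# Same pipeline with the three concerns addressed (also constructed).
HARDENED_WORKFLOW = """\
name: build
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: maven@sha256:0000000000000000000000000000000000000000000000000000000000000000
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567
      - name: Build
        run: mvn -B verify
      - name: Smoke test
        run: curl -fsS -H "Authorization: Bearer $API_TOKEN" https://example.invalid/health
        env:
          API_TOKEN: ${{ secrets.API_TOKEN }}
"""


def check_workflow(text):
    """Return human-readable findings for the three CI/CD concerns.

    Line-oriented on purpose: it needs no YAML library, but it only sees
    single-line 'run:' steps; multi-line 'run: |' blocks are not inspected.
    """
    findings = []
    lines = text.splitlines()
    # 1. Pipeline permissions: without a top-level block the workflow token
    #    gets the repository default, which may be broader than the job needs.
    if not any(line.startswith("permissions:") for line in lines):
        findings.append("no top-level 'permissions:' block; GITHUB_TOKEN falls back to the repository default")
    for n, line in enumerate(lines, 1):
        # 3. Pipeline dependencies: actions and job container images.
        m = USES_LINE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith("./"):
                pass  # local action, versioned together with the repository itself
            elif ref.startswith("docker://"):
                if "@sha256:" not in ref:
                    findings.append(f"line {n}: container action {ref} is not pinned by digest")
            else:
                name, _, version = ref.partition("@")
                if not SHA_REF.match(version):
                    findings.append(f"line {n}: action {name} uses mutable ref '{version}' instead of a commit SHA")
        m = IMAGE_LINE.match(line)
        if m and "@sha256:" not in m.group(1):
            findings.append(f"line {n}: job container image {m.group(1)} is not pinned by digest")
        # 2. Secret handling: a secret expanded inside the script text becomes part of the
        #    shell command line; passing it through env keeps it out of the script.
        if RUN_LINE.match(line) and SECRET_EXPR.search(line):
            findings.append(f"line {n}: secret interpolated directly into a run script; pass it via env instead")
    return findings


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        result = check_workflow(wf)
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

The weak workflow yields four findings and the hardened one none. Passing the secret through `env` keeps the expression expansion out of the script text; the check is line-based, so a production version would parse the YAML and inspect multi-line scripts as well.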
Weakness & Vulnerability Triage
1. What is the vulnerability rating?
a. Place a higher priority on higher ratings
2. Does this cause breaking changes?
a. Reduce priority for more complex implementations (depending on how critical the rating is)
3. Do we have the skills/resources immediately available to implement this upgrade?
a. If not, mark as blocked until you do
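The three questions form a small ordered decision procedure. The Python below is an added example written for this page, not code from the workshop or its repository: it scores a list of constructed findings with exactly those rules and orders the work queue. The `CRITICAL` threshold of 9.0, the two-point penalty for a breaking upgrade, and the sample components and ids are all assumptions made for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ident: str              # tracker id (the sample ids below are constructed)
    component: str          # affected dependency (constructed names)
    rating: float           # CVSS-style base score, 0.0 to 10.0
    breaking_upgrade: bool  # does the fixing upgrade break our build or API use?
    skills_available: bool  # can the team implement the upgrade right now?


CRITICAL = 9.0          # assumption: ratings at or above this never lose priority
BREAKING_PENALTY = 2.0  # assumption: how far a breaking upgrade drops priority


def triage(f):
    """Apply the three triage questions in order; return (status, priority)."""
    if not 0.0 <= f.rating <= 10.0:
        raise ValueError(f"{f.ident}: rating {f.rating} outside 0-10")
    # Q1: higher rating means higher priority.
    priority = f.rating
    # Q2: breaking changes reduce priority, unless the rating is critical.
    if f.breaking_upgrade and f.rating < CRITICAL:
        priority = max(priority - BREAKING_PENALTY, 0.0)
    # Q3: without the skills or resources on hand, mark it blocked.
    status = "ready" if f.skills_available else "blocked"
    return status, priority


def triage_queue(findings):
    """Ready items first by descending priority; blocked items after them."""
    rows = [(f, *triage(f)) for f in findings]
    return sorted(rows, key=lambda r: (r[1] != "ready", -r[2], r[0].ident))


def queue_order(findings):
    """Just the ids, in the order the team should pick them up."""
    return [f.ident for f, _, _ in triage_queue(findings)]


# Constructed findings used to exercise the rules.
SAMPLE_FINDINGS = [
    Finding("F-1", "example-http-client", 9.8, True, True),   # critical: penalty does not apply
    Finding("F-2", "example-xml-parser", 7.5, True, True),    # high, but the upgrade is breaking
    Finding("F-3", "example-orm", 8.1, False, False),         # nobody free to do it: blocked
    Finding("F-4", "example-logging", 5.3, False, True),      # medium, straightforward
]


if __name__ == "__main__":
    for f, status, prio in triage_queue(SAMPLE_FINDINGS):
        print(f"{f.ident:5} {f.component:22} rating={f.rating:<4} {status:8} priority={prio}")
```

With these inputs the queue comes out as F-1, F-2, F-4 and then the blocked F-3: the breaking upgrade drops F-2 from 7.5 to 5.5 but it still stays ahead of the medium finding, while the blocked item keeps its rating so it is not forgotten once someone is available.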
Conclusion
1. Does this touch the internet?
2. Does this take untrusted input?
3. Does this handle sensitive data?
Ensure end-to-end security from the supplier to the consumer
Validate its integrity before use
Pay special care to encryption, handling, and storage
More Security Content @ KCDC
Hidden security features of the JVM - everything you didn’t know and more
Theresa Mammarella
Thursday, 11:15am
Room 2203
CVE 101: The Unfolding Of A Zero Day Attack
Theresa Mammarella
Friday, 11:00am
Room 2201

Code to Cloud Workshop

  • 10. The Mantra 1. Does this touch the internet? 2. Does this take untrusted input? 3. Does this handle sensitive data?
  • 11. #1 - Does this touch the internet? ● Dependency Fetching ● User Input ● External API Calls ● Third-party Integrations ● Messaging, MQTT, WebSockets ● Uploads & Downloads ● etc... If a feature touches the internet, we need to ensure end-to-end security from the supplier to the consumer.
  • 12. #2 - Does this take untrusted input? ● UI Forms ● Calls to a Shared Database ● Cookies and HTTP Headers ● External API Responses ● And more… If a feature takes untrusted input, we need to validate its integrity before use.
  • 13. #3 - Does this handle sensitive data? ● Personally Identifiable Information ● Authentication / Authorization ● Private Communications ● Intellectual Property ● Location, Medical or Financial Data ● And more… If a feature handles sensitive data, we must pay special care to encryption, handling, and storage.
  • 14. 1. Does this touch the internet? Ensure end-to-end security from the supplier to the consumer. 2. Does this take untrusted input? Validate its integrity before use. 3. Does this handle sensitive data? Pay special care to encryption, handling, and storage.
  • 15. Secure Development is Achievable! Let’s Practice: https://github.com/sonatype-nexus-community/codetocloud-workshop 1. Review application code using the Mantra 2. Identify any un-mitigated risks 3. Create a GitHub Issue to discuss the risk
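The three Mantra questions applied to one feature, as an added example (this is not code from the codetocloud-workshop repository). The feature imports a build artifact from a remote registry, so it touches the internet (#1), takes an untrusted URL and digest pin (#2) and carries a registry token (#3). The allowlisted hosts, the in-memory "registry", the token value and the injected `fetcher` callable are all constructed assumptions so the code runs offline.

```python
"""Applying the three Mantra questions to one feature: importing a build
artifact from a remote registry.  Added example, not code from the
codetocloud-workshop repository.  The allowlisted hosts, the fake
registry, the token value and the injected `fetcher` callable are
constructed so the example runs offline."""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

# Q1 (touches the internet): only these registries may supply artifacts.
ALLOWED_HOSTS = frozenset({"repo1.maven.org", "registry.npmjs.org"})
_SHA256_HEX = re.compile(r"[0-9a-f]{64}")


@dataclass(frozen=True)
class ImportResult:
    ok: bool
    reason: str
    data: bytes = b""


def validate_artifact_url(url: str) -> Optional[str]:
    """Q2 (untrusted input): the URL comes from a build file or a user.
    Return None if it is acceptable, otherwise the reason it was rejected."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "scheme must be https"
    if parts.username or parts.password:
        return "credentials in URL are not allowed"
    if parts.hostname not in ALLOWED_HOSTS:
        return f"host {parts.hostname!r} is not an approved registry"
    if parts.query or parts.fragment:
        return "query strings and fragments are not allowed"
    if ".." in parts.path.split("/"):
        return "path traversal segment in URL"
    return None


def import_artifact(url: str, expected_sha256: str,
                    fetcher: Callable[[str, Dict[str, str]], bytes],
                    token: str) -> ImportResult:
    """Fetch an artifact and release it to the caller only once its digest
    matches the pin (supplier -> consumer integrity, end to end)."""
    problem = validate_artifact_url(url)
    if problem:
        return ImportResult(False, problem)
    if not _SHA256_HEX.fullmatch(expected_sha256):
        return ImportResult(False, "expected digest is not a sha256 hex string")
    # Q3 (sensitive data): the registry token is only ever sent to an
    # allowlisted host (enforced above) and is never copied into the result.
    headers = {"Authorization": f"Bearer {token}"}
    data = fetcher(url, headers)
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected_sha256:
        # Report digests only; the unverified bytes are discarded.
        return ImportResult(False, f"digest mismatch: expected {expected_sha256[:12]}, got {actual[:12]}")
    return ImportResult(True, "verified", data)


# Constructed stand-in for the network: a one-entry "registry".
GOOD_URL = "https://repo1.maven.org/maven2/example/lib/1.0/lib-1.0.jar"
HELLO_SHA256 = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
_FAKE_REGISTRY = {GOOD_URL: b"hello"}


def fake_fetcher(url: str, headers: Dict[str, str]) -> bytes:
    """Offline substitute for an HTTPS client (constructed)."""
    assert headers["Authorization"].startswith("Bearer ")
    return _FAKE_REGISTRY[url]


if __name__ == "__main__":
    print(import_artifact(GOOD_URL, HELLO_SHA256, fake_fetcher, "t0k3n"))
    print(import_artifact("http://repo1.maven.org/lib.jar", HELLO_SHA256, fake_fetcher, "t0k3n"))
    print(import_artifact(GOOD_URL, "0" * 64, fake_fetcher, "t0k3n"))
```

The order of checks matters: the URL is validated before any network call, so the token never leaves the process for a host that failed the allowlist, and the digest is checked before the bytes are returned, so nothing downstream can consume an unverified artifact.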
  • 16. Dependency Management Calls for Automation! (Begin tooling demonstration now)
  • 17. Secure IaC is Difficult! This section is not hands on, because Secure IaC is more nuanced. 1. IaC tools have dependencies too 2. Infrastructure has the largest surface area 3. Defaults are the devil in the details
  • 18. IaC External Dependencies 1. Ansible Roles 2. CloudFormation Resources 3. Terraform Providers 4. Pulumi Resource Providers
  • 19. Devil in the Details 1. Investigate Defaults for Every Resource 2. Parameterize ONLY Where Necessary 3. Remember The Mantra
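"IaC tools have dependencies too" (slide 17) and the Terraform Providers entry on slide 18 are the kind of thing a homebrew test can check on every commit. The following is an added example, not part of the workshop, that audits a Terraform dependency lock file (`.terraform.lock.hcl`, the file `terraform init` writes): every provider should come from an approved namespace, carry a bounded version constraint from the configuration, and have recorded hashes. The lock file text and the `hashicorp`-only namespace policy are constructed assumptions for the example.

```python
"""Homebrew test for Terraform provider dependencies: audit a
.terraform.lock.hcl file.  Added example, not from the workshop.  The
lock file text and the approved-namespace policy are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TRUSTED_NAMESPACES = frozenset({"hashicorp"})   # example policy; extend per organisation

_BLOCK = re.compile(r'provider\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
_VERSION = re.compile(r'^\s*version\s*=\s*"([^"]+)"', re.M)
_CONSTRAINTS = re.compile(r'^\s*constraints\s*=\s*"([^"]+)"', re.M)
_HASH = re.compile(r'"((?:h1|zh):[^"]+)"')


@dataclass
class LockedProvider:
    source: str            # registry/namespace/name
    version: str           # the exact version that was selected
    constraints: Optional[str]   # None when no configuration declares one
    hashes: List[str] = field(default_factory=list)


def parse_lockfile(text: str) -> List[LockedProvider]:
    providers = []
    for source, body in _BLOCK.findall(text):
        version = _VERSION.search(body)
        constraints = _CONSTRAINTS.search(body)
        providers.append(LockedProvider(
            source,
            version.group(1) if version else "",
            constraints.group(1) if constraints else None,
            _HASH.findall(body),
        ))
    return providers


def constraint_is_bounded(constraints: str) -> bool:
    """True if at least one clause caps the version: exact ("1.2.3" or
    "= 1.2.3"), pessimistic ("~> 5.31") or an explicit upper bound ("< 6.0").
    A bare ">= x" accepts any future major version the registry serves."""
    for clause in constraints.split(","):
        clause = clause.strip()
        if clause.startswith(("~>", "<", "=")) or (clause and clause[0].isdigit()):
            return True
    return False


def audit_lockfile(text: str, trusted=TRUSTED_NAMESPACES) -> List[Tuple[str, str]]:
    findings = []
    for p in parse_lockfile(text):
        namespace = p.source.split("/")[-2]
        if namespace not in trusted:
            findings.append((p.source, f"namespace {namespace!r} is not in the approved list"))
        if p.constraints is None:
            findings.append((p.source, "no version constraint is declared anywhere in the configuration"))
        elif not constraint_is_bounded(p.constraints):
            findings.append((p.source, f"constraint {p.constraints!r} has no upper bound"))
        if not p.hashes:
            findings.append((p.source, "no hashes recorded"))
    return findings


# Constructed lock file: one clean provider, one without a constraint,
# one from an unapproved namespace with an open-ended constraint.
LOCKFILE = """\
# This file is maintained automatically by "terraform init".
provider "registry.terraform.io/hashicorp/aws" {
  version     = "5.31.0"
  constraints = "~> 5.31"
  hashes = [
    "h1:aaaa",
    "zh:bbbb",
  ]
}

provider "registry.terraform.io/hashicorp/random" {
  version = "3.6.0"
  hashes = [
    "zh:cccc",
  ]
}

provider "registry.terraform.io/someone/untrusted" {
  version     = "0.1.0"
  constraints = ">= 0.1.0"
  hashes = [
    "h1:dddd",
  ]
}
"""

if __name__ == "__main__":
    for source, message in audit_lockfile(LOCKFILE):
        print(f"{source}: {message}")
```

Run it as a pipeline step that fails the build on any finding; the same check generalises to Ansible Galaxy `requirements.yml` or Pulumi package manifests by swapping the parser.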
  • 20. Secure CI/CD 1. Pipeline permissions 2. Secret handling 3. Pipeline dependencies (containers, actions, etc.)
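The three Secure CI/CD points can be checked mechanically against a GitHub Actions workflow before it is merged. Below is an added example, not code from the workshop: a line-oriented linter that flags a missing or `write-all` `permissions:` block (pipeline permissions), a `${{ secrets.* }}` expression interpolated directly into a `run:` script rather than passed through `env:` (secret handling), and any `uses:` reference not pinned to a 40-hex commit SHA or a `sha256:` image digest (pipeline dependencies). Both workflow texts are constructed, and the `example-org/setup-tool` action and every commit SHA in them are placeholders.

```python
"""Homebrew linter for the three Secure CI/CD points, run over a GitHub
Actions workflow: pipeline permissions, secret handling, pinned pipeline
dependencies.  Added example, not from the workshop.  Both workflows below
are constructed; the action names and commit SHAs are placeholders."""
import re
from typing import List, Tuple

_USES = re.compile(r"^-?\s*uses:\s*(\S+)")
_RUN = re.compile(r"^-?\s*run:\s*(.*)$")
_SECRET = re.compile(r"\$\{\{\s*secrets\.")
# A pinned reference: owner/repo@<40 hex> or docker://image@sha256:<64 hex>.
_PINNED = re.compile(r"[^@]+@(?:[0-9a-f]{40}|sha256:[0-9a-f]{64})")
SECRET_MSG = "secret interpolated into a run: script; pass it through env: instead"


def lint_workflow(text: str) -> List[Tuple[int, str]]:
    """Return (line number, message) findings; line 0 means file level."""
    findings: List[Tuple[int, str]] = []
    lines = text.splitlines()

    # 1. Pipeline permissions: scope GITHUB_TOKEN explicitly, never write-all.
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append((0, "no permissions: block; GITHUB_TOKEN gets the repository default"))
    for n, line in enumerate(lines, 1):
        if re.match(r"^\s*permissions:\s*write-all\s*$", line):
            findings.append((n, "permissions: write-all grants every scope"))

    # 2 and 3: walk the steps, tracking multi-line `run: |` scripts.
    run_indent = None
    for n, line in enumerate(lines, 1):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if run_indent is not None and stripped and indent > run_indent:
            if _SECRET.search(line):
                findings.append((n, SECRET_MSG))
            continue
        run_indent = None
        m = _USES.match(stripped)
        if m:
            ref = m.group(1)
            if not ref.startswith("./") and not _PINNED.fullmatch(ref):
                findings.append((n, f"{ref} is not pinned to a commit SHA or image digest"))
        m = _RUN.match(stripped)
        if m:
            if _SECRET.search(m.group(1)):
                findings.append((n, SECRET_MSG))
            if m.group(1).strip() in ("|", ">", "|-", ">-"):
                run_indent = line.index("run:")
    return findings


# Constructed: tag-pinned checkout, secret on the command line, no permissions.
WEAK_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - name: Publish
        run: ./gradlew publish -Ptoken=${{ secrets.REGISTRY_TOKEN }}
"""

# Constructed: the same job with each finding addressed (SHA is a placeholder).
HARDENED_WORKFLOW = """\
name: build
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - name: Publish
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          ./gradlew publish
"""

if __name__ == "__main__":
    for n, msg in lint_workflow(WEAK_WORKFLOW):
        print(f"line {n}: {msg}")
    print("hardened findings:", lint_workflow(HARDENED_WORKFLOW))
```

Passing the secret through `env:` keeps it out of the process command line and the job log, and pinning to a commit SHA means a moved or compromised tag cannot change what the pipeline executes; the linter is deliberately line-based so it runs without a YAML library.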
  • 21. Weakness & Vulnerability Triage 1. What is the vulnerability rating? a. Place a higher priority on higher ratings 2. Does this cause breaking changes? a. Reduce priority for more complex implementations (depending on how critical the rating is) 3. Do we have the skills/resources immediately available to implement this upgrade? a. If not, mark as blocked until you do
  • 22. Conclusion 1. Does this touch the internet? Ensure end-to-end security from the supplier to the consumer. 2. Does this take untrusted input? Validate its integrity before use. 3. Does this handle sensitive data? Pay special care to encryption, handling, and storage.
  • 23. More Security Content @ KCDC Hidden security features of the JVM - everything you didn’t know and more Theresa Mammarella Thursday, 11:15am Room 2203 CVE 101: The Unfolding Of A Zero Day Attack Theresa Mammarella Friday, 11:00am Room 2201

Editor's Notes

  1. Greetings slide