SlideShare a Scribd company logo
© 2018 Aqua Security Software Ltd., All Rights Reserved
Aqua Security
Cloud Native Security
2
The Leading Cloud Native Security Company
Aqua helps the world’s leading enterprises to modernize
security for their container-based, serverless and cloud native
applications, from development to production
Open Source Leadership
Maintaining the industry-standard tools
for container, Kubernetes and cloud
security
We “wrote the book” on K8s
security, and chair the CNCF
Technical Oversight Committee
Community Leadership
CloudSploit
Agenda
n Aqua’s Open Source Tools
n Kubernetes config with Kube-Bench
n Kubernetes penetration testing tool with Kube-Hunter
n Image scanning and CI integration with Trivvy
n Aqua Enterprise called Aqua CSP
n Runtime protection
n Container firewall
4
Aqua’s Open Source Tools
n Scans Kubernetes nodes
against the CIS
benchmark checks
n github.com/aquasecuri
ty/kube-bench
n Scan images for known
vulnerabilities
n Works within CI tools
n github.com/aquasecuri
ty/trivy
CIS benchmark for K8S
Image vulnerability
scanner K8S penetration-testing
n Tests K8s clusters
against known attack
vectors, both remote
and internal
n github.com/aquasecurit
y/kube-hunter
5
….and more Aqua Open Source Tools….
n CloudSploit is a cloud security auditing and monitoring product that
scans IaaS and SaaS accounts for security risks, including
misconfigurations, malicious API calls and insider threats.
CloudSploit is a CSPM (Cloud Security Posture Management) service.
n github.com/cloudsploit
n Tracee is a lightweight, easy
to use container and system
tracing tool. After launching
the tool, it will start collecting
traces of newly created
containers (container mode)
or processes (system mode).
n github.com/aquasecuri
ty/tracee
System Tracing Tool
Tracee
CloudSploit
Cloud Security Posture Management
CSPM
Kubernetes Configuration Assessment for Security
7
Kubernetes components
■ Kubernetes components
installed on your servers
■ Master & node components
■ Many configuration settings
have a security impact
■ Example: open Kubelet port =
root access
■ Defaults depend on the
installer
Scheduler Controllers Etcd
Kubernetes Master Node
Node
Kubelet
Kube-
proxy
Pod
Node
Kubelet
Kube-
proxy
Pod
Node
Kubelet
Kube-
proxy
Pod
Node
Kubelet
Kube-
proxy
Pod
API Server
CIS Kubernetes benchmark
■ Open source automated tests for CIS Kubernetes Benchmark
■ Tests for Kubernetes Masters and Nodes
■ Available as a container
kube-bench
github.com/aquasecurity/kube-bench
Kubernetes penetration testing
■ Open source penetration tests for Kubernetes
■ See what an attacker would see
■ github.com/aquasecurity/kube-hunter
■ Online report viewer
■ kube-hunter.aquasec.com
kube-hunter
How do I know the
config is working to
secure my cluster?
kube-hunter.aquasec.com
14
15
Image scanning and CI integration – Trivy
Common Vulnerabilities & Exposures
Known
Vulnerabilities
Unknown
Vulnerabilities
Vulnerabilities
l Static scanning
l Scanner identifying components
with known vulnerabilities
l e.g. Trivy, Clair, Aqua
l Dynamic Threat Analysis
• Identify advanced threats that
try to hide their purpose
• Aqua
Designed by vvstudio / Freepik
19
CentOS OS
Nginx Application
(package)
Binaries
Scanning Container Images
Alpine OS
NodeJS (NPMs)
20
Vulnerability sources
■ Vulnerabilities are
published on different
security advisories
■ NVD – national
vulnerability database
■ Vendors will have
their own advisories
l NVD reports this in Varnish HTTP Cache versions 4.0.0 - 5.2.0
Case study: Debian / CVE-2017-8807
Debian applied
patch to 5.0.0
l System Package
Manager
l apt
l yum
l apk
Detect comprehensive vulnerabilities
● Application Package Manager
● Bundler
● Composer
● Pipenv
● Poetry
● npm
● yarn
● Cargo
Not all scanners are created equal
Information sources / advisories
• NVD
• Distributions
• Vendors
• (Commercial DBs)
Scanning techniques
• Layer-by-layer or image
Detection techniques
• Version comparison
• Hash comparison
Functionality
• Malware
• File scanning
• Windows
script:
- ./trivy --exit-code 0 --severity HIGH --no-progress --auto-refresh [YOUR_IMAGE]
- ./trivy --exit-code 1 --severity CRITICAL --no-progress --auto-refresh [YOUR_IMAGE]
...
DevSecOps
With Travis CI
With CircleCI
- run:
name: Scan the local image with trivy
command: trivy --exit-code 0 --no-progress --auto-refresh [YOUR_IMAGE]
...
Aqua Enterprise….we call this CSP….Cloud-Native
Security Platform
28
Aqua Cloud Native Security
Cloud IaaS
Orchestration
Workloads
Kubernetes Security
Cloud Security Posture Management
Container &
CaaS
Security
FaaS
Security
VM
Security PAS
SecurityCI/CD,Registries
SIEM,Analytics,Monitoring
LDAP / AD /
SAML
Secrets Vaults Collaboration
Cyber
Intelligence
29
Automatic learning of pod/container behavior and then runtime enforcement
DevSecOps
ContainerContainer
l Immutable containers are easier to
protect
l Any change in runtime is not legit
l If a change is detected, it’s blocked
= No code injection into
containers
Image Container
bin
user
etc
bin
user
etc
?
=
Container Firewall that learns network traffic and then allows granular control of all
inbound and outbound traffic. Policy is enforced regardless where the orchestrator
places the pod/container
Jenkins Aqua Plugin for container images and serverless functions (Lambda)
© 2018 Aqua Security Software Ltd., All Rights Reserved
github.com/aquasecurity/kube-bench
github.com/aquasecurity/kube-hunter
github.com/aquasecurity/trivy
github.com/aquasecurity/tracee
github.com/cloudsploit

More Related Content

What's hot

DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
Mohamed Nizzad
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
Sonatype
 
Don’t have a Meltdown! Practical Steps for Defending Your Apps
Don’t have a Meltdown! Practical Steps for Defending Your AppsDon’t have a Meltdown! Practical Steps for Defending Your Apps
Don’t have a Meltdown! Practical Steps for Defending Your Apps
Docker, Inc.
 
Building security into the pipelines
Building security into the pipelinesBuilding security into the pipelines
Building security into the pipelines
Vandana Verma
 
Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!
Eric Smalling
 
Policy as code what helm developers need to know about security
Policy as code  what helm developers need to know about securityPolicy as code  what helm developers need to know about security
Policy as code what helm developers need to know about security
LibbySchulze
 
Talk DevSecOps to me
Talk DevSecOps to meTalk DevSecOps to me
Talk DevSecOps to me
Michelle Ribeiro
 
DevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf HadiwinataDevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf Hadiwinata
Hananto Wibowo Soenarto
 
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your doorLFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
Eric Smalling
 
Dev secops. Real experience.
Dev secops. Real experience.Dev secops. Real experience.
Dev secops. Real experience.
Vitaly Balashov
 
Automated Testing in Continuous Change Management
Automated Testing in Continuous Change ManagementAutomated Testing in Continuous Change Management
Automated Testing in Continuous Change Management
Perforce
 
Rugged DevOps: Bridging Security and DevOps
Rugged DevOps: Bridging Security and DevOpsRugged DevOps: Bridging Security and DevOps
Rugged DevOps: Bridging Security and DevOps
James Wickett
 
10 things to get right for successful dev secops
10 things to get right for successful dev secops10 things to get right for successful dev secops
10 things to get right for successful dev secops
Mohammed Ahmed
 
Infrastructure automation with .NET
Infrastructure automation with .NETInfrastructure automation with .NET
Infrastructure automation with .NET
Swaminathan Vetri
 
Microsoft DevOps Forum 2021 – DevOps & Security
 Microsoft DevOps Forum 2021 – DevOps & Security Microsoft DevOps Forum 2021 – DevOps & Security
Microsoft DevOps Forum 2021 – DevOps & Security
Nico Meisenzahl
 
use case ibm k8s_service+devops
use case ibm k8s_service+devopsuse case ibm k8s_service+devops
use case ibm k8s_service+devops
Shoichiro Sakaigawa
 
DevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingDevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss Banking
Aarno Aukia
 
Automated Virtualized Testing (AVT) with Docker, Kubernetes, WireMock and Gat...
Automated Virtualized Testing (AVT) with Docker, Kubernetes, WireMock and Gat...Automated Virtualized Testing (AVT) with Docker, Kubernetes, WireMock and Gat...
Automated Virtualized Testing (AVT) with Docker, Kubernetes, WireMock and Gat...
VMware Tanzu
 
Hybrid Cloud Networking
Hybrid Cloud NetworkingHybrid Cloud Networking
Hybrid Cloud Networking
SVForum Cloud SIG
 
Cloud Native Engineering with SRE and GitOps
Cloud Native Engineering with SRE and GitOpsCloud Native Engineering with SRE and GitOps
Cloud Native Engineering with SRE and GitOps
Weaveworks
 

What's hot (20)

DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
 
Don’t have a Meltdown! Practical Steps for Defending Your Apps
Don’t have a Meltdown! Practical Steps for Defending Your AppsDon’t have a Meltdown! Practical Steps for Defending Your Apps
Don’t have a Meltdown! Practical Steps for Defending Your Apps
 
Building security into the pipelines
Building security into the pipelinesBuilding security into the pipelines
Building security into the pipelines
 
Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!Hacking into your containers, and how to stop it!
Hacking into your containers, and how to stop it!
 
Policy as code what helm developers need to know about security
Policy as code  what helm developers need to know about securityPolicy as code  what helm developers need to know about security
Policy as code what helm developers need to know about security
 
Talk DevSecOps to me
Talk DevSecOps to meTalk DevSecOps to me
Talk DevSecOps to me
 
DevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf HadiwinataDevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf Hadiwinata
 
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your doorLFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
 
Dev secops. Real experience.
Dev secops. Real experience.Dev secops. Real experience.
Dev secops. Real experience.
 
Automated Testing in Continuous Change Management
Automated Testing in Continuous Change ManagementAutomated Testing in Continuous Change Management
Automated Testing in Continuous Change Management
 
Rugged DevOps: Bridging Security and DevOps
Rugged DevOps: Bridging Security and DevOpsRugged DevOps: Bridging Security and DevOps
Rugged DevOps: Bridging Security and DevOps
 
10 things to get right for successful dev secops
10 things to get right for successful dev secops10 things to get right for successful dev secops
10 things to get right for successful dev secops
 
Infrastructure automation with .NET
Infrastructure automation with .NETInfrastructure automation with .NET
Infrastructure automation with .NET
 
Microsoft DevOps Forum 2021 – DevOps & Security
 Microsoft DevOps Forum 2021 – DevOps & Security Microsoft DevOps Forum 2021 – DevOps & Security
Microsoft DevOps Forum 2021 – DevOps & Security
 
use case ibm k8s_service+devops
use case ibm k8s_service+devopsuse case ibm k8s_service+devops
use case ibm k8s_service+devops
 
DevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingDevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss Banking
 
Automated Virtualized Testing (AVT) with Docker, Kubernetes, WireMock and Gat...
Automated Virtualized Testing (AVT) with Docker, Kubernetes, WireMock and Gat...Automated Virtualized Testing (AVT) with Docker, Kubernetes, WireMock and Gat...
Automated Virtualized Testing (AVT) with Docker, Kubernetes, WireMock and Gat...
 
Hybrid Cloud Networking
Hybrid Cloud NetworkingHybrid Cloud Networking
Hybrid Cloud Networking
 
Cloud Native Engineering with SRE and GitOps
Cloud Native Engineering with SRE and GitOpsCloud Native Engineering with SRE and GitOps
Cloud Native Engineering with SRE and GitOps
 

Similar to Embacing service-level-objectives of your microservices in your Cl/CD

La sécurité avec Kubernetes et les conteneurs Docker (June 19th, 2019)
La sécurité avec Kubernetes et les conteneurs Docker (June 19th, 2019)La sécurité avec Kubernetes et les conteneurs Docker (June 19th, 2019)
La sécurité avec Kubernetes et les conteneurs Docker (June 19th, 2019)
Alexandre Roman
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native Security
Karthik Gaekwad
 
Containerizing your Security Operations Center
Containerizing your Security Operations CenterContainerizing your Security Operations Center
Containerizing your Security Operations Center
Jimmy Mesta
 
Mihai Criveti - PyCon Ireland - Automate Everything
Mihai Criveti - PyCon Ireland - Automate EverythingMihai Criveti - PyCon Ireland - Automate Everything
Mihai Criveti - PyCon Ireland - Automate Everything
Mihai Criveti
 
Kubernetes: від знайомства до використання у CI/CD
Kubernetes: від знайомства до використання у CI/CDKubernetes: від знайомства до використання у CI/CD
Kubernetes: від знайомства до використання у CI/CD
Stfalcon Meetups
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
n|u - The Open Security Community
 
Kubernetes Intro
Kubernetes IntroKubernetes Intro
Kubernetes Intro
Antonio Ojea Garcia
 
DevOps Days Boston 2017: Developer first workflows for Kubernetes
DevOps Days Boston 2017: Developer first workflows for KubernetesDevOps Days Boston 2017: Developer first workflows for Kubernetes
DevOps Days Boston 2017: Developer first workflows for Kubernetes
Ambassador Labs
 
Cloud-native .NET Microservices mit Kubernetes
Cloud-native .NET Microservices mit KubernetesCloud-native .NET Microservices mit Kubernetes
Cloud-native .NET Microservices mit Kubernetes
QAware GmbH
 
Slide DevSecOps Microservices
Slide DevSecOps Microservices Slide DevSecOps Microservices
Slide DevSecOps Microservices
Hendri Karisma
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in Kubernetes
Sysdig
 
Continuous Delivery to Kubernetes Using Helm
Continuous Delivery to Kubernetes Using HelmContinuous Delivery to Kubernetes Using Helm
Continuous Delivery to Kubernetes Using Helm
Adnan Abdulhussein
 
Cloud Native Security: New Approach for a New Reality
Cloud Native Security: New Approach for a New RealityCloud Native Security: New Approach for a New Reality
Cloud Native Security: New Approach for a New Reality
Carlos Andrés García
 
Cloud-Native Security
Cloud-Native SecurityCloud-Native Security
Cloud-Native Security
VMware Tanzu
 
Weave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 RecapWeave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 Recap
Patrick Chanezon
 
DevOps Workflow: A Tutorial on Linux Containers
DevOps Workflow: A Tutorial on Linux ContainersDevOps Workflow: A Tutorial on Linux Containers
DevOps Workflow: A Tutorial on Linux Containers
inside-BigData.com
 
GCP - Continuous Integration and Delivery into Kubernetes with GitHub, Travis...
GCP - Continuous Integration and Delivery into Kubernetes with GitHub, Travis...GCP - Continuous Integration and Delivery into Kubernetes with GitHub, Travis...
GCP - Continuous Integration and Delivery into Kubernetes with GitHub, Travis...
Oleg Shalygin
 
Making your app soar without a container manifest
Making your app soar without a container manifestMaking your app soar without a container manifest
Making your app soar without a container manifest
LibbySchulze
 

Similar to Embacing service-level-objectives of your microservices in your Cl/CD (20)

La sécurité avec Kubernetes et les conteneurs Docker (June 19th, 2019)
La sécurité avec Kubernetes et les conteneurs Docker (June 19th, 2019)La sécurité avec Kubernetes et les conteneurs Docker (June 19th, 2019)
La sécurité avec Kubernetes et les conteneurs Docker (June 19th, 2019)
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for Kubernetes
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native Security
 
Containerizing your Security Operations Center
Containerizing your Security Operations CenterContainerizing your Security Operations Center
Containerizing your Security Operations Center
 
Mihai Criveti - PyCon Ireland - Automate Everything
Mihai Criveti - PyCon Ireland - Automate EverythingMihai Criveti - PyCon Ireland - Automate Everything
Mihai Criveti - PyCon Ireland - Automate Everything
 
Kubernetes: від знайомства до використання у CI/CD
Kubernetes: від знайомства до використання у CI/CDKubernetes: від знайомства до використання у CI/CD
Kubernetes: від знайомства до використання у CI/CD
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
 
Kubernetes Intro
Kubernetes IntroKubernetes Intro
Kubernetes Intro
 
DevOps Days Boston 2017: Developer first workflows for Kubernetes
DevOps Days Boston 2017: Developer first workflows for KubernetesDevOps Days Boston 2017: Developer first workflows for Kubernetes
DevOps Days Boston 2017: Developer first workflows for Kubernetes
 
Cloud-native .NET Microservices mit Kubernetes
Cloud-native .NET Microservices mit KubernetesCloud-native .NET Microservices mit Kubernetes
Cloud-native .NET Microservices mit Kubernetes
 
Slide DevSecOps Microservices
Slide DevSecOps Microservices Slide DevSecOps Microservices
Slide DevSecOps Microservices
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in Kubernetes
 
Continuous Delivery to Kubernetes Using Helm
Continuous Delivery to Kubernetes Using HelmContinuous Delivery to Kubernetes Using Helm
Continuous Delivery to Kubernetes Using Helm
 
Cloud Native Security: New Approach for a New Reality
Cloud Native Security: New Approach for a New RealityCloud Native Security: New Approach for a New Reality
Cloud Native Security: New Approach for a New Reality
 
Cloud-Native Security
Cloud-Native SecurityCloud-Native Security
Cloud-Native Security
 
Weave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 RecapWeave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 Recap
 
DevOps Workflow: A Tutorial on Linux Containers
DevOps Workflow: A Tutorial on Linux ContainersDevOps Workflow: A Tutorial on Linux Containers
DevOps Workflow: A Tutorial on Linux Containers
 
GCP - Continuous Integration and Delivery into Kubernetes with GitHub, Travis...
GCP - Continuous Integration and Delivery into Kubernetes with GitHub, Travis...GCP - Continuous Integration and Delivery into Kubernetes with GitHub, Travis...
GCP - Continuous Integration and Delivery into Kubernetes with GitHub, Travis...
 
Making your app soar without a container manifest
Making your app soar without a container manifestMaking your app soar without a container manifest
Making your app soar without a container manifest
 

More from Nebulaworks

Dynamic Policy Enforcement for Microservice Environments
Dynamic Policy Enforcement for Microservice EnvironmentsDynamic Policy Enforcement for Microservice Environments
Dynamic Policy Enforcement for Microservice Environments
Nebulaworks
 
Overcoming scalability issues in your prometheus ecosystem
Overcoming scalability issues in your prometheus ecosystemOvercoming scalability issues in your prometheus ecosystem
Overcoming scalability issues in your prometheus ecosystem
Nebulaworks
 
Why we chose Argo Workflow to scale DevOps at InVision
Why we chose Argo Workflow to scale DevOps at InVisionWhy we chose Argo Workflow to scale DevOps at InVision
Why we chose Argo Workflow to scale DevOps at InVision
Nebulaworks
 
Methods to stay focused & productive amidst COVID-19!
Methods to stay focused & productive amidst COVID-19!Methods to stay focused & productive amidst COVID-19!
Methods to stay focused & productive amidst COVID-19!
Nebulaworks
 
Embracing service-level-objectives of your microservices in your Cl/CD
Embracing service-level-objectives of your microservices in your Cl/CDEmbracing service-level-objectives of your microservices in your Cl/CD
Embracing service-level-objectives of your microservices in your Cl/CD
Nebulaworks
 
Deploying to Day N Operations of Kubernetes and Containerized Apps
Deploying to Day N Operations of Kubernetes and Containerized AppsDeploying to Day N Operations of Kubernetes and Containerized Apps
Deploying to Day N Operations of Kubernetes and Containerized Apps
Nebulaworks
 
Trunk based development for Beginners
Trunk based development for BeginnersTrunk based development for Beginners
Trunk based development for Beginners
Nebulaworks
 
Distributed tracing with service meshes and tracing spans across polyglot Mic...
Distributed tracing with service meshes and tracing spans across polyglot Mic...Distributed tracing with service meshes and tracing spans across polyglot Mic...
Distributed tracing with service meshes and tracing spans across polyglot Mic...
Nebulaworks
 
Managing Terraform Module Versioning and Dependencies
Managing Terraform Module Versioning and Dependencies Managing Terraform Module Versioning and Dependencies
Managing Terraform Module Versioning and Dependencies
Nebulaworks
 
Kubernetes for Beginners
Kubernetes for BeginnersKubernetes for Beginners
Kubernetes for Beginners
Nebulaworks
 
End to End immutable infrastructure testing
End to End immutable infrastructure testingEnd to End immutable infrastructure testing
End to End immutable infrastructure testing
Nebulaworks
 
Building Modern Teams and Software
Building Modern Teams and SoftwareBuilding Modern Teams and Software
Building Modern Teams and Software
Nebulaworks
 
Kuberntes Ingress with Kong
Kuberntes Ingress with KongKuberntes Ingress with Kong
Kuberntes Ingress with Kong
Nebulaworks
 
A Hands-on Introduction on Terraform Best Concepts and Best Practices
A Hands-on Introduction on Terraform Best Concepts and Best Practices A Hands-on Introduction on Terraform Best Concepts and Best Practices
A Hands-on Introduction on Terraform Best Concepts and Best Practices
Nebulaworks
 
The App Developer's Kubernetes Toolbox
The App Developer's Kubernetes ToolboxThe App Developer's Kubernetes Toolbox
The App Developer's Kubernetes Toolbox
Nebulaworks
 
Building a Container Platform with docker swarm
Building a Container Platform with docker swarmBuilding a Container Platform with docker swarm
Building a Container Platform with docker swarm
Nebulaworks
 
Effective Micoservice Design & Containers
Effective Micoservice Design & Containers Effective Micoservice Design & Containers
Effective Micoservice Design & Containers
Nebulaworks
 
Fast Tracking Dev Teams to Container Adoption
Fast Tracking Dev Teams to Container AdoptionFast Tracking Dev Teams to Container Adoption
Fast Tracking Dev Teams to Container Adoption
Nebulaworks
 
Nebulaworks | Optimize Your DevOps Game
Nebulaworks | Optimize Your DevOps GameNebulaworks | Optimize Your DevOps Game
Nebulaworks | Optimize Your DevOps Game
Nebulaworks
 

More from Nebulaworks (19)

Dynamic Policy Enforcement for Microservice Environments
Dynamic Policy Enforcement for Microservice EnvironmentsDynamic Policy Enforcement for Microservice Environments
Dynamic Policy Enforcement for Microservice Environments
 
Overcoming scalability issues in your prometheus ecosystem
Overcoming scalability issues in your prometheus ecosystemOvercoming scalability issues in your prometheus ecosystem
Overcoming scalability issues in your prometheus ecosystem
 
Why we chose Argo Workflow to scale DevOps at InVision
Why we chose Argo Workflow to scale DevOps at InVisionWhy we chose Argo Workflow to scale DevOps at InVision
Why we chose Argo Workflow to scale DevOps at InVision
 
Methods to stay focused & productive amidst COVID-19!
Methods to stay focused & productive amidst COVID-19!Methods to stay focused & productive amidst COVID-19!
Methods to stay focused & productive amidst COVID-19!
 
Embracing service-level-objectives of your microservices in your Cl/CD
Embracing service-level-objectives of your microservices in your Cl/CDEmbracing service-level-objectives of your microservices in your Cl/CD
Embracing service-level-objectives of your microservices in your Cl/CD
 
Deploying to Day N Operations of Kubernetes and Containerized Apps
Deploying to Day N Operations of Kubernetes and Containerized AppsDeploying to Day N Operations of Kubernetes and Containerized Apps
Deploying to Day N Operations of Kubernetes and Containerized Apps
 
Trunk based development for Beginners
Trunk based development for BeginnersTrunk based development for Beginners
Trunk based development for Beginners
 
Distributed tracing with service meshes and tracing spans across polyglot Mic...
Distributed tracing with service meshes and tracing spans across polyglot Mic...Distributed tracing with service meshes and tracing spans across polyglot Mic...
Distributed tracing with service meshes and tracing spans across polyglot Mic...
 
Managing Terraform Module Versioning and Dependencies
Managing Terraform Module Versioning and Dependencies Managing Terraform Module Versioning and Dependencies
Managing Terraform Module Versioning and Dependencies
 
Kubernetes for Beginners
Kubernetes for BeginnersKubernetes for Beginners
Kubernetes for Beginners
 
End to End immutable infrastructure testing
End to End immutable infrastructure testingEnd to End immutable infrastructure testing
End to End immutable infrastructure testing
 
Building Modern Teams and Software
Building Modern Teams and SoftwareBuilding Modern Teams and Software
Building Modern Teams and Software
 
Kuberntes Ingress with Kong
Kuberntes Ingress with KongKuberntes Ingress with Kong
Kuberntes Ingress with Kong
 
A Hands-on Introduction on Terraform Best Concepts and Best Practices
A Hands-on Introduction on Terraform Best Concepts and Best Practices A Hands-on Introduction on Terraform Best Concepts and Best Practices
A Hands-on Introduction on Terraform Best Concepts and Best Practices
 
The App Developer's Kubernetes Toolbox
The App Developer's Kubernetes ToolboxThe App Developer's Kubernetes Toolbox
The App Developer's Kubernetes Toolbox
 
Building a Container Platform with docker swarm
Building a Container Platform with docker swarmBuilding a Container Platform with docker swarm
Building a Container Platform with docker swarm
 
Effective Micoservice Design & Containers
Effective Micoservice Design & Containers Effective Micoservice Design & Containers
Effective Micoservice Design & Containers
 
Fast Tracking Dev Teams to Container Adoption
Fast Tracking Dev Teams to Container AdoptionFast Tracking Dev Teams to Container Adoption
Fast Tracking Dev Teams to Container Adoption
 
Nebulaworks | Optimize Your DevOps Game
Nebulaworks | Optimize Your DevOps GameNebulaworks | Optimize Your DevOps Game
Nebulaworks | Optimize Your DevOps Game
 

Recently uploaded

JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMsFrom Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
Sease
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
LizaNolte
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Neo4j
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
FilipTomaszewski5
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
AlexanderRichford
 
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Ukraine
 
Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!
Ortus Solutions, Corp
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
Tobias Schneck
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
ScyllaDB
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
UiPathCommunity
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
christinelarrosa
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Fwdays
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxAI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
Sunil Jagani
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 

Recently uploaded (20)

JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMsFrom Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
 
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
 
Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxAI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 

Embacing service-level-objectives of your microservices in your Cl/CD

  • 1. © 2018 Aqua Security Software Ltd., All Rights Reserved Aqua Security Cloud Native Security
  • 2. 2 The Leading Cloud Native Security Company Aqua helps the world’s leading enterprises to modernize security for their container-based, serverless and cloud native applications, from development to production Open Source Leadership Maintaining the industry-standard tools for container, Kubernetes and cloud security We “wrote the book” on K8s security, and chair the CNCF Technical Oversight Committee Community Leadership CloudSploit
  • 3. Agenda n Aqua’s Open Source Tools n Kubernetes config with Kube-Bench n Kubernetes penetration testing tool with Kube-Hunter n Image scanning and CI integration with Trivvy n Aqua Enterprise called Aqua CSP n Runtime protection n Container firewall
  • 4. 4 Aqua’s Open Source Tools n Scans Kubernetes nodes against the CIS benchmark checks n github.com/aquasecuri ty/kube-bench n Scan images for known vulnerabilities n Works within CI tools n github.com/aquasecuri ty/trivy CIS benchmark for K8S Image vulnerability scanner K8S penetration-testing n Tests K8s clusters against known attack vectors, both remote and internal n github.com/aquasecurit y/kube-hunter
  • 5. 5 ….and more Aqua Open Source Tools…. n CloudSploit is a cloud security auditing and monitoring product that scans IaaS and SaaS accounts for security risks, including misconfigurations, malicious API calls and insider threats. CloudSploit is a CSPM (Cloud Security Posture Management) service. n github.com/cloudsploit n Tracee is a lightweight, easy to use container and system tracing tool. After launching the tool, it will start collecting traces of newly created containers (container mode) or processes (system mode). n github.com/aquasecuri ty/tracee System Tracing Tool Tracee CloudSploit Cloud Security Posture Management CSPM
  • 7. 7 Kubernetes components ■ Kubernetes components installed on your servers ■ Master & node components ■ Many configuration settings have a security impact ■ Example: open Kubelet port = root access ■ Defaults depend on the installer Scheduler Controllers Etcd Kubernetes Master Node Node Kubelet Kube- proxy Pod Node Kubelet Kube- proxy Pod Node Kubelet Kube- proxy Pod Node Kubelet Kube- proxy Pod API Server
  • 9. ■ Open source automated tests for CIS Kubernetes Benchmark ■ Tests for Kubernetes Masters and Nodes ■ Available as a container kube-bench github.com/aquasecurity/kube-bench
  • 10.
  • 12. ■ Open source penetration tests for Kubernetes ■ See what an attacker would see ■ github.com/aquasecurity/kube-hunter ■ Online report viewer ■ kube-hunter.aquasec.com kube-hunter How do I know the config is working to secure my cluster?
  • 14. 14
  • 15. 15
  • 16. Image scanning and CI integration – Trivy
  • 18. Known Vulnerabilities Unknown Vulnerabilities Vulnerabilities l Static scanning l Scanner identifying components with known vulnerabilities l e.g. Trivy, Clair, Aqua l Dynamic Threat Analysis • Identify advanced threats that try to hide their purpose • Aqua Designed by vvstudio / Freepik
  • 19. 19 CentOS OS Nginx Application (package) Binaries Scanning Container Images Alpine OS NodeJS (NPMs)
  • 20. 20 Vulnerability sources ■ Vulnerabilities are published on different security advisories ■ NVD – national vulnerability database ■ Vendors will have their own advisories
  • 21. l NVD reports this in Varnish HTTP Cache versions 4.0.0 - 5.2.0 Case study: Debian / CVE-2017-8807
  • 23. l System Package Manager l apt l yum l apk Detect comprehensive vulnerabilities ● Application Package Manager ● Bundler ● Composer ● Pipenv ● Poetry ● npm ● yarn ● Cargo
  • 24. Not all scanners are created equal Information sources / advisories • NVD • Distributions • Vendors • (Commercial DBs) Scanning techniques • Layer-by-layer or image Detection techniques • Version comparison • Hash comparison Functionality • Malware • File scanning • Windows
  • 25.
  • 26. script: - ./trivy --exit-code 0 --severity HIGH --no-progress --auto-refresh [YOUR_IMAGE] - ./trivy --exit-code 1 --severity CRITICAL --no-progress --auto-refresh [YOUR_IMAGE] ... DevSecOps With Travis CI With CircleCI - run: name: Scan the local image with trivy command: trivy --exit-code 0 --no-progress --auto-refresh [YOUR_IMAGE] ...
  • 27. Aqua Enterprise….we call this CSP….Cloud-Native Security Platform
  • 28. 28 Aqua Cloud Native Security Cloud IaaS Orchestration Workloads Kubernetes Security Cloud Security Posture Management Container & CaaS Security FaaS Security VM Security PAS SecurityCI/CD,Registries SIEM,Analytics,Monitoring LDAP / AD / SAML Secrets Vaults Collaboration Cyber Intelligence
  • 29. 29 Automatic learning of pod/container behavior and then runtime enforcement
  • 30. DevSecOps ContainerContainer l Immutable containers are easier to protect l Any change in runtime is not legit l If a change is detected, it’s blocked = No code injection into containers Image Container bin user etc bin user etc ? =
  • 31. Container Firewall that learns network traffic and then allows granular control of all inbound and outbound traffic. Policy is enforced regardless where the orchestrator places the pod/container
  • 32. Jenkins Aqua Plugin for container images and serverless functions (Lambda)
  • 33. © 2018 Aqua Security Software Ltd., All Rights Reserved github.com/aquasecurity/kube-bench github.com/aquasecurity/kube-hunter github.com/aquasecurity/trivy github.com/aquasecurity/tracee github.com/cloudsploit