Download as PDF, PPTX
![Security Pipelines [ SAST ]
Static Application Security
Testing (SAST) .](https://image.slidesharecdn.com/meetupwithamroseckubesecurityshiftingleft-221130153351-d4320887/85/Kube-Security-Shifting-left-Scanners-OPA-26-320.jpg)
Uploaded byHaggai Philip Zagury
Kube Security Shifting left | Scanners & OPA
The document discusses the evolution of software development and the importance of integrating security measures into the DevOps process, particularly through shifting security left and utilizing developer portals. It emphasizes the role of tools like Open Policy Agent and various security scanning methods to manage vulnerabilities in applications and infrastructures, especially within Kubernetes environments. Additionally, the document highlights the need for effective onboarding and continuous security education for developers to enhance overall security protocols.
More Related Content
Similar to Kube Security Shifting left | Scanners & OPA
![[muCon2017]DevSecOps: How to Continuously Integrate Security into DevOps](https://cdn.slidesharecdn.com/ss_thumbnails/mucon2017devsecopshowtocontinuouslyintegratesecurityintodevops-171106193735-thumbnail.jpg?width=640&height=640&fit=bounds)
![Modern Monitoring [ with Prometheus ]](https://cdn.slidesharecdn.com/ss_thumbnails/modernmonitoringv1-171124143735-thumbnail.jpg?width=640&height=640&fit=bounds)
Kube Security Shifting left | Scanners & OPA
- 1. Kube Security Shifting left HaggaiPhilip Zagury DevOps BP, GL & TL
- 2. Open thinking andopen techniques ideology - driven by Open Source technologies My Solution driven approach is based on hands-on and deep understanding of Operating Systems, applications stacks software languages and frameworks, Networking, Cloud and Cloud Native solutions. Haggai Philip Zagury DevOps BP, GL & TL
- 3. Tikal is aleading Israeli hands-on tech consultancy, scaling R&D teams with cutting-edge technologies. Our experts join development teams across the tech industry and help them make a tech Impact on their product. Tikal - Home of Tech Experts
- 4. An Opinionated mapof the latest technologies and trends in the Israeli Tech industry. The 6th edition of the Tech Radar was built in collaboration with leading tech companies such as: Playtika, Taboola, Intel, and more. The Tech Radar
- 5. Building a platform brickby brick The evolution of Software Development
- 6. The evolution of SoftwareDevelopment
- 7. The evolution of SoftwareDevelopment Reducing the TOIL’s of Software Development - It’s a long process
- 8. The evolution of SoftwareDevelopment Reducing the TOIL’s of Software Development - It’s a long process
- 9. A long longtime ago … - When servers were related to as pizza-boxes - When the cloud was in the sky ;)
- 10. We asked forit ;) - SOA - Microservices - Serverless - Saas, PaaS, IaaS, MaaS … - Multiple architectures for different Goals
- 11. We asked forit ;) - SOA - Microservices - Serverless - Saas, PaaS, IaaS, MaaS … - Multiple architectures for different Goals - Polyglot Programming
- 12. We asked forit ;) - SOA - Microservices - Serverless - Saas, PaaS, IaaS, MaaS … - Multiple architectures for different Goals - Polyglot Programming - Multi Cloud
- 13. We have someAnswers ! - Untangle systems complexity - Identify common patterns - Small (Micro Teams) -> Micro Services
- 14. Answers! - DeclarativeProgramming - Be Declarative - There is no chance we know all the Bells and Whistles in every subsystem - We don’t have the time for imperative
- 15. Answers! - Pipelines -Be Declarative - There is no chance we know all the Bells and Whistles in every subsystem - We don’t have the time for imperative - Bells and Whistles ? - we have a pipeline for that !
- 16. Use the samemethods for security | shift left - Be Declarative - There is no chance we know all the Bells and Whistles in every subsystem - We don’t have the time for imperative - Bells and Whistles ? - we have a pipeline for that !
- 17. Security -> Onboarding❓ -In many cases a few questioners 😉 - And in some cases some videos to watch on security and your Good2Go …
- 18. - Security Onboarding -Where do I understand what security measures were taken - Tooling - Focus on that today - Sharing information - dev portal - How do we start shifting left?
- 19. Developer Portals - Oneplace to store product information - About our project - About our microservice - Our proven security rank || rate
- 20. Developer Experience - Oneplace to store product information - About our project - About our microservice - Our proven security rank || rate - Changes the way we developer - Introducces new tooling - Learn more about security
- 21. The developer approachto security ● Scanning ● From the developer -> ci process -> runtime environment scanning
- 22. Security related Operators -~32 operators related to security - What is there to secure you ask ? - RBAC - Network policies - Image vulnerabilities - Network Access - Libraries & third party threats
- 23. Kube what ? -For kubernetes everything starts with kube ;) - Kubernetes Security - Portable, Declarative, Extensible - Automatable - Another DevOps spin-off = DevSecOps
- 24. Types of Securityscans (traditional) ● Vulnerability Scanning ● Compliance Scanning ● Misconfigurations Scanning ● Spot all operating system, third-party + zero-day vulnerabilities.
- 25. Security Pipelines - Partof the Development lifecycle in the CI phase
- 26. Security Pipelines [SAST ] Static Application Security Testing (SAST) .
- 27. Many Cloud NativeUnder the hood https://geekflare.com/kubernetes-security-scanner/ ● Kube Hunter ● Kube Bench ● Checkov ● MKIT ● Kubei ● Kube Scan ● Kubeaudit ● Kubesec
- 28. Security related Operators -Active / Periodic scan - Scheduled scan - Customize rules to apply to your companies policy
- 29. What is OpenPolicy Agent ? - Rule engine (not only for Kubernetes) - Which users can access which resources. - Which subnets egress traffic is allowed to. - Which clusters a workload must be deployed to. - Which registries binaries can be downloaded from. - Which OS capabilities a container can execute with. - Which times of day the system can be accessed at.
- 30. What is OpenPolicy Agent - on Kubernetes ? - OPA-Gatekeeper e.g. - Duplicate Ingress urls - Unused secrets - Owner of resource (required labels) - …
- 31.
- 32. Evaluating & Testingpolicies - OPA-Gatekeeper - ensure image is from a well known source repository https://play.openpolicyagent.org/
- 33. Evaluating & Testingpolicies - OPA-Gatekeeper - ensure we don’t have 2 ingress resources with the same url https://play.openpolicyagent.org/
- 34. Evaluating & Testingpolicies - OPA-Gatekeeper - ensure we don’t have 2 ingress resources with the same url https://play.openpolicyagent.org/
- 35.
- 36. Boosting developer experience -Boosting developer experience - Reducing the Toil - OPA - not only for k8s … - Terraform Configuration as Code - Application realtime policy engine - Rego as configuration language - Rego playground
- 37. Thank you! Haggai PhilipZagury DevOps BP, GL & TL
- 38. References ● https://play.openpolicyagent.org/ ● https://github.com/kubescape/regolibrary ●https://github.com/open-policy-agent/gatekeeper ● https://www.nist.gov/programs-projects/national-vulnerability-database-nvd ● https://geekflare.com/kubernetes-security-scanner/ ● https://www.fissionlabs.com/blog-posts/what-is-devsecops-types-of-security-scans ● https://insights.sei.cmu.edu/blog/the-current-state-of-devsecops-metrics/ ● https://kondukto.io/blog/5-circular-phases-of-sec-in-devsecops ● https://dt-cdn.net/images/devsecops-image-2000-6557ba1b00.png