Here is a short presentation on the DevOps to DevSecOps journey:
- What DevOps is and its best practices.
- Practical scenarios of DevOps practices.
- The DevOps transformation journey.
- The transition to DevSecOps and why we need it.
- Enterprise CI/CD pipelines.
Connect Ops and Security with Flexible Web App and API Protection (DevOps.com)
Organizations continue to adopt container orchestration to drive efficiencies in their CI/CD pipelines. Given the current business climate with more employees working from home and consumers transacting more online, how can development and operations teams release at increasing velocity with protection baked in?
Connecting operations and security teams has not always been a smooth process: developers and operations staff are charged with site reliability, availability, and uptime, while security staff are held responsible for securing an organization's always-moving perimeter and valuable web-layer assets. But the lines have started to blur between DevOps teams and security: you can't guarantee uptime without baking effective application security tooling into your processes and infrastructure configurations.
A true next-generation, holistic web application and API protection platform does just that: operations teams can integrate security into their workflows and ensure new infrastructure and app code released to production is both effective and secure. Join application security experts Aneel Dadani and Orlando Barerra II from Signal Sciences to learn how your team can deploy at scale safely while gaining layer 7 visibility in production environments. Attendees will learn:
How to inspect web traffic in containers, at the API gateway, or the ingress
How DevOps teams can scale their application footprint to meet demand while securing your codebase in production
How development teams can gain visibility into how their apps and APIs are being used in production and what vulnerabilities may exist that they overlooked
Demo these application security concepts with Ansible, a simple yet powerful IT automation engine that companies use to accelerate DevOps initiatives, including baking application security into their infrastructure.
Continuous integration has gone mainstream. It has helped development teams move quicker, and has disrupted build management and put additional pressures on deployment groups. In this presentation, we look at how CI achieved such a disruptive, positive impact, how it is turning into Continuous Delivery, and where DevOps fits into the picture (And how DevOps will be just as disruptive).
#ATAGTR2019 Presentation "DevSecOps with GitLab" by Avishkar Nikale (Agile Testing Alliance)
Avishkar Nikale, Senior Technical Architect at LTI, gave a session on "DevSecOps with GitLab" at Global Testing Retreat #ATAGTR2019.
Please refer to our following post for session details:
https://atablogs.agiletestingalliance.org/2019/12/06/global-testing-retreat-atagtr2019-welcomes-avishkar-nikale-as-our-esteemed-speaker/
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche... (Richard Bullington-McGuire)
Have you ever needed to wrestle a legacy application onto a modern, scalable cloud platform, while increasing security test coverage? Sometimes real applications are not easily stuffed into a Docker container and deployed in a container orchestration system. In this talk, Modus Create Principal Architect Richard Bullington-McGuire will show how to compose Jenkins, Docker, Terraform, Packer, Ansible, Vagrant, Gauntlt, OpenSCAP, the CIS Benchmark for Linux, AWS CodeDeploy, Auto Scaling Groups, Application Load Balancers, and other AWS services to create a performant and scalable solution for deploying applications. A local development environment using Vagrant mirrors the cloud deployment environment to minimize surprises upon deployment.
Security Implications for a DevOps Transformation (Deborah Schalm)
If your organization is undergoing a DevOps transformation, you’re probably thinking about where security fits in. All too often, we tack on security testing at the end of the delivery process, which means significant problems go undetected until development is complete. As we adopt DevOps principles and practices, we enable a natural solution to this problem: ensure that security experts are involved throughout the delivery process.
In this webinar, DevOps.com and Puppet defined a reference implementation of DevOps from the ground up, by illustrating how the software delivery process evolves at a hypothetical startup. Once we've laid a technical foundation for DevOps, we discussed the implications for security. We also discussed:
Benefits for and challenges to security during a DevOps transformation
How to craft a DevOps-ready security practice
Refinements of a standard DevOps workflow to address security needs
For federal agencies, accomplishing in just a matter of weeks IT tasks that typically take months or years may seem like a pipe dream. That’s the promise of the DevSecOps methodology. DevSecOps is a way of thinking that encourages software developers to work collaboratively with IT operations and security staff on development, testing and quality assurance to develop and deploy software more quickly and automate deployment of code, security and infrastructure changes.
Commercial Cloud provides a comprehensive platform of tools, technologies and services that can enable federal agencies to realize this promise.
The VA Digital Services Team (DSVA) has been leading the Department of Veterans Affairs on their journey to the cloud for the past 4 years. The initial DSVA cloud deployment was vets.gov and Caseflow on AWS. Vets.gov and Caseflow are real-world examples of how modern DevSecOps techniques can be used with existing federal ATO security requirements.
In this talk, AWS and DSVA will present DevSecOps principles, best practices and lessons learned. DSVA will discuss how Vets.gov and Caseflow have implemented these techniques inside the VA. This includes applying continuous integration and continuous deployment (CI/CD) to the software development process where security checks are performed and automated to ensure compliance and ATO conformance with VA's security standards.
Enterprise DevOps Series: Using VS Code & Zowe (DevOps.com)
Imagine onboarding a next-generation developer with no mainframe experience who successfully debugs COBOL code on their first day. By equipping them with mainframe-specific extensions to common tools like Visual Studio Code combined with the Zowe framework, new talent can be productive immediately - all without disrupting colleagues using traditional tools.
Join this session to learn how mainframe application development is merging with enterprise IT toolchains and processes, including CI/CD pipelines. The presentation will include a demonstration of a mainframe developer cockpit designed for productivity and ready for shift-left automation. Make “Day 1 Debug” a reality.
In this session we will take an introductory look at the Continuous Integration and Continuous Delivery workflow.
This is an introduction session to CI/CD and is best for people new to the CI/CD concepts, or looking to brush up on benefits of using these approaches.
* What CI & CD actually are
* What good looks like
* A method for tracking confidence
* The business value from CI/CD
Security Testing for Containerized Applications (Soluto)
Everybody wants to run their code on Kubernetes these days, but it requires a radical change to your deployment process. You want to make sure you don’t create new vulnerabilities when you take this leap. What kind of security tests can you run in this pipeline to assert that this code does not contain any known vulnerabilities?
At Soluto, we started to migrate services to Kubernetes in recent months, and we would like to share with you what we did. In this session I'm planning to cover our CI/CD pipeline, and give extra attention to the following points:
Scanning code dependencies
Scanning containers
Testing for insecure Kubernetes configurations
Securely deploying to a Kubernetes cluster
Join this session to hear our story and learn about many useful tools you can start using today to deploy secure apps to your Kubernetes cluster. All the tools I’ll present are open source tools, so using them should be as simple as possible.
Azure Secure DevOps Kit: Are you looking to build cloud-based applications using a DevOps methodology but worried that traditional security methods may not adapt to modern development techniques?
Embracing service-level objectives of your microservices in your CI/CD (Nebulaworks)
Shifting left - How to use Continuous Integration tools to bring security into the DevOps world
In today's modern software factories, organizations are shifting security to the left. No longer just the purview of firewalls, security needs to be built in during development and deployment processes. By doing so, organizations can ensure they are limiting vulnerabilities getting into production while cutting costs of both downtime and code rework.
Key Takeaways:
○ How to ensure that the use of open source doesn’t introduce vulnerabilities and other security risks
○ How to automate the delivery of trusted images using a policy-driven approach
○ Empowering developers to secure their applications, while maintaining segregation of duties
○ Ensuring the consistent flow of images through the pipeline, with no side-doors or introduction of unvetted images
○ Enforcing immutability of containers, preventing container-image drift
In this session you will learn how BNY Mellon is tackling the challenges of DevSecOps at scale by unifying static/dynamic source code scanning, audit and risk analysis tools into a unified workflow by utilizing JIRA. BNY Mellon’s ability to generate reports from multiple sources had become a time consuming manual process. JIRA, having demonstrated the ability to deliver efficiency at reporting, was an ideal solution for tracking the security aspects of the SDLC process.
The DevSecOps Builder's Guide to the CI/CD Pipeline (James Wickett)
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at LASCON 2018, in Austin, TX.
DevOps Will Save The World! : Public Safety, Public Policy, and DevOps In Context
Joshua Corman, CTO, Sonatype
Link to video: https://www.youtube.com/watch?v=K-hskShNyoo
In this session, we will learn about the TeamCity CI server. We will look at the different options available and how we can set up a CI pipeline using TeamCity.
The Future of Security and Productivity in Our Newly Remote World (DevOps.com)
Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated.
This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks.
See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.
Why should developers care about container security? (Eric Smalling)
Slides from my talk at SF Bay Cloud Native Containers Meetup Feb 2022 and SnykLive Stranger Danger on April 27, 2022.
https://www.meetup.com/cloudnativecontainers/events/283721735/
Why Should Developers Care About Container Security? (All Things Open)
Presenting at All Things Open 2022
Presented by Eric Smalling
Title: Why Should Developers Care About Container Security?
Abstract: Container scanning tools, industry publications, and application security experts are constantly telling us about best practices for how to build our images and run our containers. Often these non-functional requirements seem abstract and are not described well enough for those of us that don’t have an appsec background to fully understand why they are important.
In this session, we will:
- go over several of the most common practices to best containerize applications
- show examples of how your application can be exploited in a container
- and most importantly, how to easily spot issues and fix your Dockerfiles and deployment manifests before you commit your code
Python Web Conference 2022 - Why should devs care about container security.pdf (Eric Smalling)
https://2022.pythonwebconf.com/presentations/why-should-developers-care-about-container-security
Container scanning tools, industry publications, and application security experts are constantly telling us about best practices for how to build our images and run our containers. Often these non-functional requirements seem abstract and are not described well enough for those of us that don't have an appsec background to fully understand why they are important.
In this session, we will:
go over several of the most common practices to best containerize Python applications
show examples of how your application can be exploited in a container
and most importantly, how to easily spot issues and fix your Dockerfiles and deployment manifests before you commit your code
GDG SLK - Why should devs care about container security.pdf (James Anderson)
Title: Why should developers care about container security?
Abstract: Container scanning tools, industry publications, and application security experts are constantly telling us about best practices for how to build our images and run our containers. Often these non-functional requirements seem abstract and are not described well enough for those of us that don't have an appsec background to fully understand why they are important. In this session, we will go over several of the most common practices, show examples of how your workloads can be exploited if they are not followed and, most importantly, how to easily find and fix your Dockerfiles and deployment manifests (i.e. Kubernetes configs) before you commit your code.
Speaker: Eric is a 30+ year enterprise software developer, architect, and consultant with a focus on CI/CD, DevOps, and container-based solutions over the last decade. He is a Docker Captain, is certified in Kubernetes (CKA, CKAD, CKS), and has been a Docker user since 2013. As a Senior Developer Advocate at Snyk, Eric helps developers implement proactive and scalable security practices with a focus on container and cloud-native technologies.
Catch the video: https://youtu.be/lBNcUBdY-VM
KubeHuddle NA 2023 - Why should devs care about container security - Eric Sma... (Eric Smalling)
Container scanning tools, industry publications, and application security experts are constantly telling us about best practices for how to build our images and run our containers. Often these non-functional requirements seem abstract and are not described well enough for those of us that don’t have an appsec background to fully understand why they are important. In this session, we will go over several of the most common practices, show examples of how your workloads can be exploited if not followed and, most importantly, how to easily find and fix your Dockerfiles and deployment manifests before you commit your code.
Presented at KubeHuddle NA 2023 in Toronto, ON May 18th 2023
AWS live hack: Docker + Snyk Container on AWS (Eric Smalling)
Slides from session 3 of the Snyk AWS live hack series
Dec 15, 2021 with Eric Smalling, Dev Advocate at Snyk, and Peter McKee, Head of Dev Relations & Community at Docker.
Tampere Docker meetup - Happy 5th Birthday Docker (Sakari Hoisko)
Part of the official Docker meetup events by Docker Inc.
https://events.docker.com/events/docker-bday-5/
Meetup event:
https://www.meetup.com/Docker-Tampere/events/248566945/
Security is tough, and is even tougher to do in complex environments with lots of dependencies and a monolithic architecture. With the emergence of microservice architecture, security has become a bit easier; however, it introduces its own set of security challenges. This talk will showcase how we can leverage DevSecOps techniques to secure APIs/microservices using free and open source software. We will also discuss how emerging technologies like Docker, Kubernetes, Clair, Ansible, Consul, Vault, etc., can be used to scale/strengthen the security program for free.
More details here - https://www.practical-devsecops.com/
Introducing a Security Feedback Loop to your CI Pipelines (Codefresh)
Watch the webinar here: https://codefresh.io/security-feedback-loop-lp/
Sign up for a FREE Codefresh account today: https://codefresh.io/codefresh-signup/
We're all looking at ways to prevent vulnerabilities from escaping into our production environments. Why not require scans of your Docker images before they're even uploaded to your production Docker registry? SHIFT LEFT!
Codefresh has worked with Twistlock to run Twist CLI using a Docker image as a build step in CI pipelines.
Join Codefresh, Twistlock, and Steelcase as we demonstrate setting up vulnerability and compliance thresholds in a CI pipeline. We will show you how to give your teams access to your Docker images' security reports & trace back to your report from your production Kubernetes cluster using Codefresh.
Everyone has heard about Kubernetes. Everyone wants to use this tool. However, sometimes we forget about security, which is essential throughout the container lifecycle.
Therefore, our journey with Kubernetes security should begin in the build stage, when the code we write becomes the container image.
Kubernetes provides innate security advantages, and together with solid container protection, it will be invincible.
During the sessions, we will review all those features and highlight which are mandatory to use. We will discuss the main vulnerabilities which may lead to a compromise of your system.
Contacts:
LinkedIn - https://www.linkedin.com/in/vshynkar/
GitHub - https://github.com/sqerison
-------------------------------------------------------------------------------------
Materials from the video:
The policies and docker files examples:
https://gist.github.com/sqerison/43365e30ee62298d9757deeab7643a90
The repo with the helm chart used in a demo:
https://github.com/sqerison/argo-rollouts-demo
Tools shown in the last section:
https://github.com/armosec/kubescape
https://github.com/aquasecurity/kube-bench
https://github.com/controlplaneio/kubectl-kubesec
https://github.com/Shopify/kubeaudit#installation
https://github.com/eldadru/ksniff
Further learning:
A guide released by CISA (Cybersecurity and Infrastructure Security Agency):
https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
O'Reilly Kubernetes Security:
https://kubernetes-security.info/
O'Reilly Container Security:
https://info.aquasec.com/container-security-book
Thanks for watching!
Enterprise-Grade DevOps Solutions for a Start Up Budget (DevOps.com)
Even if you're a small startup or medium-sized business just beginning your product journey, it doesn't mean you can't have a robust and scalable DevOps environment like the enterprise experts. It is always good practice when building a startup or a new company to lay a solid foundation and start implementing efficient and scalable solutions early. Join and learn how having a limited budget doesn't mean you can't have enterprise-quality tools.
Similar to LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
DockerCon 2023 - Live Demo_Hardening Against Kubernetes Hacks.pdf (Eric Smalling)
Vulnerability exploits too often seem like empty threats that our security teams warn us about, but not something that would ever happen to my code! Join me in this hands-on workshop, where we will walk through a remote code execution exploit and how it can be used to expand to take over an entire Kubernetes cluster along with steps you can employ that would mitigate the attack.
Slides from live presentation at DockerCon, October 4, 2023
Look Ma' - Building Java and Go based container images without Dockerfiles (Eric Smalling)
As a developer, learning to write well-formed Dockerfiles can be challenging, especially for those new to containers. These builds can also require specific build tools or container runtime access that might not be available in your build environments. Architects also often face the challenges of providing governance on image standards across their organization’s teams and the various applications they support. In this lightning talk, you will see a couple of open-source tools in action that can make it easier to meet all of these challenges as well as references to other tools and techniques for varying requirements.
SCaLE 19x - Eric Smalling - Hardening against Kubernetes Hacks (Eric Smalling)
Presented at SCaLE 19x, Los Angeles 2022
Misconfigurations in your Kubernetes deployments can create unforeseen security vulnerabilities that can give bad actors leverage to exploit containers, nodes or even the entire control plane of your cluster. In this talk I'll show how easy it can be to break into a cluster and why using tools to find issues and enforce governance around them can make your clusters a less attractive target.
DockerCon 2022 - From legacy to Kubernetes, securely & quickly (Eric Smalling)
You’ve been developing software for years and now your team is ready to take the plunge into orchestrated containers and Kubernetes. You’ve learned about containers, images, and Dockerfiles, but standing up a Kubernetes cluster and actually running your app in it seems like a daunting task.
In this session, we’ll go over the basics to get your app up and running in Kubernetes right on your own workstation using Docker Desktop. On the way, we’ll cover some of the security aspects you need to keep in mind and show you how to implement them in your Kubernetes manifests.
We’ll go over:
1.) Kubernetes basics, including pods, deployments, and services
2.) Moving a legacy app into a container and running it in Kubernetes
3.) Some security best practices to watch out for — and what can happen if you don’t
4.) Implementing those best practices to defend against and limit the blast radius of an attack
So. many. vulnerabilities. Why are containers such a mess and what to do abou... (Eric Smalling)
What’s with all of these container image vulnerabilities? I’m a developer, not a security analyst! Whether you’re a solo dev or a large team embracing DevSecOps, join me to learn practices I’ve seen successful teams using to build safer container images & avoid the mistakes they made along the way.
If you’ve ever run a vulnerability scan on a container you’ve probably seen it: the dreaded list with 100s, maybe even 1000s of issues on it. Containers have made life simpler in so many ways, but security sometimes doesn’t feel like one of them. So what can we do about it?
In this talk, I’ll share what I’ve learned working with users and companies and the best practices I’ve picked up along the way to build safer container images. I’ll also share what not to do, because there are many rabbit holes you can go down that end up wasting time and energy.
I’ll share the processes and patterns that you can use whether you’re working on an individual project, or you’re part of a bigger team embracing DevSecOps.
IBM Index 2018 Conference Workshop: Modernizing Traditional Java App's with D... (Eric Smalling)
Slides from my 2.5 hour hands-on workshop covering Docker basics, the Docker MTA program and how it applies to legacy Java applications and some tips on running those apps in containers in production.
Simplify your Jenkins Projects with Docker Multi-Stage Builds (Eric Smalling)
This is a talk I presented at Jenkins World 2017.
Abstract:
When building Docker images we often use multiple build steps and Dockerfiles to keep the image size down. Using multi-stage Docker builds we can eliminate this complexity, bringing all of the instructions back into a single Dockerfile while still keeping those images nice and small.
One of the most challenging things about building images is keeping the image size down. Each instruction in the Dockerfile adds a layer to the image, and you need to remember to clean up any artifacts you don’t need before moving on to the next layer. To write a really efficient Dockerfile, you have traditionally needed to employ shell tricks and other logic to keep the layers as small as possible and to ensure that each layer has the artifacts it needs from the previous layer and nothing else. It was actually very common to have multiple Jenkins pipeline steps and/or projects with unique Dockerfiles for different elements of the final build. Maintaining multiple sets of instructions to build your image is complicated and hard to maintain.
With multi-stage builds, you use multiple FROM statements in your Dockerfile. Each FROM instruction can use a different base, and each of them begins a new stage of the build. You can selectively copy artifacts from one stage to another, leaving behind everything you don’t want in the final image and simplifying both the Dockerfile and Jenkins configurations needed to produce your images.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality (Inflectra)
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
UiPath Test Automation using UiPath Test Suite series, part 4 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 (Albert Hoitingh)
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Generating a custom Ruby SDK for your web service or Rails API using Smithy (g2nightmarescribd)
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Accelerate your Kubernetes clusters with Varnish Caching (Thijs Feryn)
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
1. Find Vulnerabilities Before
Security Knocks on Your Door
Marco Morales | Partner Solutions Architect @ Snyk
Eric Smalling | Sr. Developer Advocate @ Snyk
2. Marco Morales
● Partner Solutions Architect @ Snyk
● Based in Philadelphia, PA
● 10+ years embedded software development
● Long-time (15 years) CI/CD Pipeline automation
● 10+ years field operations (PS, Sales, Partners)
@mrmarcoamorales
3. Eric Smalling
● Senior Developer Advocate @ Snyk
● Based in Dallas/Fort Worth, Texas
● 20+ years enterprise software development
● 10+ years build/test/deploy automation (CI/CD)
● Docker user since 2013 (v0.6)
● 2018 Jenkins Ambassador
● Docker Captain
● CKA, CKAD & CKS Certified
@ericsmalling
6. SDLC Pipeline (diagram): Coding -> Branch Repo -> CI/CD (Build, Test) -> Registry -> Deploy -> Production, with "Test & Fix" at every stage, public and private artifacts fetched during the build, and monitoring in production.
8. Container Challenges
Increased Scope of Responsibility: Historically, developers have owned the security posture of their own code and the libraries used. Containers add security concerns at the operating-system level such as base-image selection, package installation, user and file permissions, and more.
Lack of Expertise: These additional technologies used to be owned by other teams such as system engineers or middleware teams. Many developers have never had to deal with securing these layers of the stack.
Maintaining Velocity: While shifting security left adds responsibilities to developer teams, the business owners have expectations that pipeline velocity will not be negatively impacted.
9. Ownership of developers
What does my service contain?
● Source code of my app
● 3rd party dependencies
● Dockerfile
● IaC files (e.g. Terraform)
● K8s files
10. Demo Time!
● Scanning a repository
○ Review vulnerabilities
○ Docker Files
○ Kubernetes
● Software vulnerabilities
○ Exploit the software
○ Fix Software
○ Verify Fixes
● Evidence of multiple tools, and developer-friendly behaviors
11. SDLC Pipeline (diagram, repeated): Coding -> Branch Repo -> CI/CD (Build, Test) -> Registry -> Deploy -> Production, with "Test & Fix" at every stage, public and private artifacts fetched during the build, and monitoring in production.
14. Defence in Depth: Images
Further practices and tech to consider (tabs: Images, Runtime, Kubernetes).
Minimize Footprint: Don’t give hackers more tools to expand their exploits.
Layer Housekeeping: Understand how layers work at build and run-time.
Build strategies: Multi-stage, repeatable builds, standardized labeling, alternative tools.
Secure Supply Chain: Know where images come from. Only CI should push to registries.
15. Defence in Depth: Runtime
Further practices and tech to consider (tabs: Images, Runtime, Kubernetes).
Don’t run as root: You probably don’t need it.
Privileged Containers: You almost definitely don’t need it.
Drop capabilities: Most apps don’t need any Linux capabilities; drop all and allow only what’s needed.
Read Only Root Filesystem: Immutability makes exploiting your container harder.
Deploy from known sources: Pull from known registries only.
16. Defence in Depth: Kubernetes
Further practices and tech to consider (tabs: Images, Runtime, Kubernetes).
Secrets: Use them, but make sure they’re encrypted and have RBAC applied.
RBAC: Hopefully everybody is using this.
SecurityContext: Much of the Runtime practices mentioned can be enforced via SecurityContext.
Network Policy: Start with zero-trust and add allow rules only as necessary.
Enforcement: Use OPA (Gatekeeper), Kyverno, etc.
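As an added example, not taken from the deck, here is a Pod manifest that enforces the Runtime slide's practices through securityContext, followed by the default-deny NetworkPolicy that gives the zero-trust starting point from the Kubernetes slide; the namespace, names and image reference are placeholders.

```yaml
# Added example (not from the deck). Namespace, names and image are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app
  namespace: team-a
spec:
  # Pod-level settings: the kubelet refuses to start any container that would run as UID 0
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault              # default syscall filter of the container runtime
  containers:
    - name: app
      # Deploy from a known source only; pin by digest so the image cannot change underneath you
      image: registry.example.internal/team-a/app@sha256:REPLACE_WITH_IMAGE_DIGEST
      securityContext:
        privileged: false               # "you almost definitely don't need it"
        allowPrivilegeEscalation: false # setuid binaries cannot regain root
        readOnlyRootFilesystem: true    # immutability: nothing can be written into the image
        capabilities:
          drop: ["ALL"]                 # start from nothing ...
          # add: ["NET_BIND_SERVICE"]   # ... and add back only what the app really needs
      volumeMounts:
        - name: tmp
          mountPath: /tmp               # explicit scratch space, since the root FS is read-only
  volumes:
    - name: tmp
      emptyDir: {}
---
# Zero-trust start: deny all ingress and egress for every pod in the namespace,
# then add narrow allow rules per workload as they are needed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: team-a
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
```

The first object has no allow rules, so with the policy applied the pod can only talk to peers that a later, explicit NetworkPolicy permits; admission tools such as Gatekeeper or Kyverno can then require these securityContext fields on every workload.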
17. Key Takeaways
Feedback Loop: Just like unit tests, fast, actionable security feedback is critical. Working security into a developer’s workflow without slowing them down drives adoption.
Empower developers to be proactive: Giving developers tools that provide actionable information can allow them to deal with security issues as they are introduced.
Defense in depth: Implementing known secure practices for building and running your container images and IaC configurations can mitigate vulnerabilities that slip into deployments as well as zero-day vulnerabilities that may exist.