DEVOPS INDONESIA
Steve Giguere
Palo Alto Networks
Jakarta, 8 March 2022
Securing an NGINX deployment for Kubernetes
Securing an NGINX Deployment for Kubernetes
Featuring:
● Checkov: Open Source IaC Scanning
Your guide:
Steve Giguere
@_SteveGiguere_
Who is… Steve Giguere (shig-air)
● Developer Advocate - Bridgecrew
● DevSecOps Enthusiast
● DevSecOps London - Organiser
● Raspberry Pi Geek
● Formerly: Aqua Security, StackRox, Synopsys Software Integrity Group
● Twitch show: https://Clust3rF8ck (.com)
● Podcaster: BeerSecOps, CoSeCast (.com)
● Beer Taster: BeerNative (.tv)
● More Steve: https://stevegiguere.com
THE CHALLENGE
● NEED WEBSITE FOR TWITCH SHOW
● HOST ON RASPBERRY PI
● CREATED WITH HUGO
● USE NGINX
TRY NOT TO LOOK LIKE A TOTAL IDIOT WORKING FOR AN IAC SECURITY COMPANY BY DEPLOYING AN NGINX WEBSITE FOR A TWITCH SHOW ABOUT CLOUD NATIVE SECURITY THAT DOESN'T PASS OUR CHECKOV YAML SCAN
OWASP Top 10: 2021
● A01:2021-Broken Access Control
● A02:2021-Cryptographic Failures
● A03:2021-Injection
● A04:2021-Insecure Design
● A05:2021-Security Misconfiguration
● A06:2021-Vulnerable and Outdated Components
● A07:2021-Identification and Authentication Failures
● A08:2021-Software and Data Integrity Failures
● A09:2021-Security Logging and Monitoring Failures
● A10:2021-Server-Side Request Forgery
Coding issues like input sanitization have slipped down the list (Injection fell from #1 in 2017 to #3), while misconfiguration (A05) and dependency / supply chain risks (A06, and the new A08) have moved up.
The Problem
Defaults are bad! Misconfigurations are bad!
● Unintended behaviour
● Outage
● Data breach
● Lateral movement
● Supply chain compromise
● PII exposure
Security best practices are important!
IF COMPROMISED
● THE NGINX DEFAULT IMAGE HAS…
○ nsenter
○ curl
○ apt
○ And much, much more!
● THE NGINX IMAGE CAN...
○ Enumerate the network
○ Break out to the host
■ E.g. CVE-2021-22555 (a Linux kernel netfilter heap out-of-bounds write, used in a public Kubernetes pod-escape write-up)
○ Serve malicious content
THE PLAN
STEP 1 - USE NGINX
● BTW NGINX recently hit #1
STEP 1
● GET CODE FROM SOMEBODY ELSE
STEP 2 - WRAP IT IN A K8s DEPLOYMENT
● Get the code (from somebody else)
○ Search Google/DuckDuckGo?
● Go to the source (kubernetes.io)
STEP 3 - CHECK IT IS SECURE
● Checkov
○ DEPLOYMENT
■ Are my defaults secure and what happens when they are not?
○ IMAGE
■ Can I use the default image or should I make changes?
WHAT DOES SECURE MEAN?
● CIA
○ Confidentiality
■ Least Privilege
○ Integrity
■ Immutability
○ Availability
■ Resilience
What is Checkov?
Open source (Apache 2.0) misconfiguration scanner for IaC, intended to be used in CI/CD pipelines
1. 1000+ built-in checks
2. Supports extensions
3. Built-in best practices and security
What is Checkov
● Open source
● Analyzes infrastructure as code (IaC)
● Terraform, CloudFormation, Kubernetes, Helm, ARM Templates and Serverless framework
● > 500 rules
● VSCode Plugin
● Optional config file
○ .checkov.yaml
LEAST PRIVILEGE
Add Seccomp Profile
● Disables > 44 system calls
○ Expelliarmus
● E.g.
○ mount (host filesystems)
○ ptrace (inspect and control other processes)
○ reboot (the host!)
○ setns (change Linux namespace)
○ quotactl (manipulate disk quotas)
● Default defence in depth
○ Many of these overlap with blocking CAP_SYS_ADMIN
○ Set seccompProfile.type to RuntimeDefault in the pod or container securityContext
Set allowPrivilegeEscalation to false
● Sets the no_new_privs flag on the container's processes
● Prevents setuid binaries from changing the effective user ID
○ Blocks the gaining of extra capabilities via setuid bits or file capabilities
○ Even blocks the use of ping, where ping relies on setuid or cap_net_raw
Do not run as root (the default)
● Seems obvious, but root is what the image gives you unless you say otherwise
● Set runAsNonRoot: true and assign a UID and GID > 10000 to avoid conflict with host users
(meme: I am root!)
Drop all capabilities
● capabilities.drop: ["ALL"]
● Add individual capabilities back only as required
IMMUTABILITY
Read-only filesystem
● readOnlyRootFilesystem: true prevents the creation, installation or downloading of malicious code inside the container
● Containers should be immutable; anything that must be written at runtime (for NGINX, its PID file and cache) goes to an emptyDir mount
(meme: CAN'T TOUCH THIS)
Don't mount the Service Account Token
● Every pod mounts the token of its namespace's default service account unless told otherwise
● Anyone who compromises the container can impersonate that service account
● And abuse the Kubernetes REST API with whatever RBAC the account has been granted
● Set automountServiceAccountToken: false on the pod (or on the ServiceAccount)
Avoid Supply Chain Attacks
● Use the digest for your image, NOT tags
○ Tags are mutable and can be re-pointed at different content; a sha256 digest pins exactly one image
RESILIENCE
Liveness/Readiness Probes
● Let Kubernetes know you're there and it will keep you alive and kicking
● It can be difficult to come up with methods to determine a ready and live state. Not the case for NGINX, however: an HTTP GET of a page it serves is enough.
CPU / Memory Requests and Limits
● Prevents self-induced DoS
● Ensures weighted scheduling of pods
● Limits losses from crypto-mining attacks
● Can be difficult to determine up front, but defaults can be quickly derived from the Kubernetes metrics server (kubectl top pod)
(meme: MORE POWER!)
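As an added example (not the talk's own manifest and not Checkov's code), the following Python script puts the whole checklist from Step 3 through the resilience slides in one place: the stock nginx Deployment as published on kubernetes.io, the same Deployment with every control from the least-privilege, immutability and resilience slides applied, and a small checker that reports which controls a manifest is missing. Assumptions: it uses the nginxinc/nginx-unprivileged image, which listens on 8080 and keeps its PID and cache files under /tmp, because the stock nginx image listens on 80 as root and writes to /var/run and /var/cache/nginx, so it will not start under runAsNonRoot plus a read-only root filesystem without further changes; the image digest is a placeholder of the right shape; the resource numbers are illustrative and should be replaced with what the metrics server shows; the function names (audit, container_findings, to_manifest) are ours.

```python
# Added example: audit an NGINX Deployment against the controls in this talk.
# Not Checkov's code and not the talk's own manifest; both manifests below are
# constructed inline (DEFAULT_DEPLOYMENT mirrors the stock kubernetes.io example).
import copy
import json
import re

# Assumption: the unprivileged NGINX image (listens on 8080, keeps PID and cache
# files under /tmp), so non-root plus a read-only root filesystem still boots.
# The digest is a placeholder of the right shape, not a real one.
IMAGE = "nginxinc/nginx-unprivileged@sha256:" + "0" * 64
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

DEFAULT_DEPLOYMENT = {  # the stock Deployment from kubernetes.io, unchanged
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "nginx-deployment", "labels": {"app": "nginx"}},
    "spec": {
        "replicas": 3,
        "selector": {"matchLabels": {"app": "nginx"}},
        "template": {
            "metadata": {"labels": {"app": "nginx"}},
            "spec": {"containers": [{"name": "nginx", "image": "nginx:1.14.2",
                                     "ports": [{"containerPort": 80}]}]},
        },
    },
}

# Same Deployment, pod spec replaced with the talk's settings.
HARDENED_DEPLOYMENT = copy.deepcopy(DEFAULT_DEPLOYMENT)
HARDENED_DEPLOYMENT["spec"]["template"]["spec"] = {
    "automountServiceAccountToken": False,  # no API token inside the pod
    "securityContext": {
        "runAsNonRoot": True,
        "runAsUser": 10001, "runAsGroup": 10001,  # > 10000: no clash with host users
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [{
        "name": "nginx",
        "image": IMAGE,
        "ports": [{"containerPort": 8080}],
        "securityContext": {
            "allowPrivilegeEscalation": False,  # sets no_new_privs
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        },
        "livenessProbe": {"httpGet": {"path": "/", "port": 8080}},
        "readinessProbe": {"httpGet": {"path": "/", "port": 8080}},
        "resources": {"requests": {"cpu": "50m", "memory": "32Mi"},  # illustrative;
                      "limits": {"cpu": "250m", "memory": "64Mi"}},  # size from metrics
        # The only writable path: NGINX's PID and cache files go here.
        "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
    }],
    "volumes": [{"name": "tmp", "emptyDir": {}}],
}


def _effective(pod, c, key):
    """Fields settable at both levels: the container value wins, as in k8s."""
    csc = c.get("securityContext", {})
    return csc[key] if key in csc else pod.get("securityContext", {}).get(key)


def container_findings(pod, c):
    """Names of the talk's controls that container `c` is missing."""
    csc = c.get("securityContext", {})
    uid, gid = _effective(pod, c, "runAsUser"), _effective(pod, c, "runAsGroup")
    seccomp = (_effective(pod, c, "seccompProfile") or {}).get("type")
    res = c.get("resources", {})
    checks = [
        ("seccompProfile not RuntimeDefault/Localhost", seccomp in ("RuntimeDefault", "Localhost")),
        ("allowPrivilegeEscalation not false", csc.get("allowPrivilegeEscalation") is False),
        ("runAsNonRoot not true", _effective(pod, c, "runAsNonRoot") is True),
        ("runAsUser/runAsGroup not > 10000", bool(uid and gid and uid > 10000 and gid > 10000)),
        ("capabilities not dropped (ALL)", "ALL" in csc.get("capabilities", {}).get("drop", [])),
        ("readOnlyRootFilesystem not true", csc.get("readOnlyRootFilesystem") is True),
        ("image not pinned by digest", bool(DIGEST_RE.search(c.get("image", "")))),
        ("no livenessProbe", "livenessProbe" in c),
        ("no readinessProbe", "readinessProbe" in c),
        ("cpu/memory requests not set", {"cpu", "memory"} <= set(res.get("requests", {}))),
        ("cpu/memory limits not set", {"cpu", "memory"} <= set(res.get("limits", {}))),
    ]
    return [f"{c['name']}: {name}" for name, ok in checks if not ok]


def audit(manifest):
    """All findings for a Deployment; an empty list means every control passed."""
    pod = manifest["spec"]["template"]["spec"]
    findings = []
    if pod.get("automountServiceAccountToken") is not False:
        findings.append("pod: automountServiceAccountToken not false")
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        findings.extend(container_findings(pod, c))
    return findings


def to_manifest(manifest):
    """JSON is a subset of YAML, so this is valid input for `kubectl apply -f`."""
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    for label, m in (("default", DEFAULT_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(label, audit(m) or "all controls pass")
```

Run it with python3: the kubernetes.io manifest fails all twelve controls (one at pod level, eleven on the container) and the hardened one passes. to_manifest() emits JSON, which kubectl apply -f accepts; save it as nginx.yaml and run checkov -f nginx.yaml --framework kubernetes to compare these findings with Checkov's own built-in checks.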
Key Takeaways
● Finding Secure Examples Is Difficult
● Basic Best Practices Can Be Easy
● Tools Are Available To Help
● Many Defaults Aren't Secure
Checkov: https://www.checkov.io/
Our blog: https://bridgecrew.io/blog
THANKS!
(meme: DEPLOYMENTS, SERVICES, JOBS, DEFAULTS... OUR BATTERED POD COMES FROM A SECURE SUPPLY CHAIN)
©2020 Palo Alto Networks, Inc. All rights reserved.
Code to Cloud Virtual Summit
Block your calendar now! Scan to register >>
When: 24 March 2022 (Thu)
Time: 7.00am Indonesia Time
Speakers:
What topics will be covered? Code to Cloud is dedicated to covering security best practices across cloud native tech stacks and the development lifecycle, from IaC and open source packages to containers and workloads.
Who should join: Relevant job titles include but are not limited to DevOps engineers and team leads, infrastructure and platform engineers, security engineers, SREs, CTOs, engineering and InfoSec managers.
Survey Form
We hope you've found our session beneficial.
Please help us by answering a short 5-question survey.
A small INR200,000 Grab thank-you token awaits.
https://forms.gle/bGzk2ntgCmuHCuRg7
Please scan the QR code or use the clickable link in the chatbox
Stay Connected With Us!
Telegram: t.me/iddevops
DevOps Indonesia / @iddevops
"Alone we are smart, together we are brilliant."
THANK YOU!
Quote by Steve Anderson