SlideShare a Scribd company logo

Security Testing for Containerized Applications

Download as PPTX, PDF
Soluto
Soluto

The document discusses security testing for containerized applications. It outlines different layers of containerized apps including code, dependencies, and Docker images. It then describes various security testing techniques that can be applied to each layer, including static analysis tools for code scanning, dependency scanning, and Docker image scanning. It also covers dynamic/runtime testing using passive and active scanning with tools like OWASP Zap. The document advocates building these security tests into the CI/CD pipeline and only deploying container images that pass all tests through a process of image certification. It demonstrates some of these techniques on a sample Lolcode application.

Technology
1 of 46
Join the conversation #DevSecCon Security Testing for Containerized Apps @omerlh @SolutoEng
http://lolcode.org/
- Helping people get the most out of their technology https://www.solutotlv.com/
You Can’t Do it Alone
Letting Go Responsibly AppSec @ Soluto: ● Threat Modeling ● Empowering ● Education ● Automation
Our Quest: Securing Containerized Apps
Code Dependencies Docker Image Layers of Containerized App
What kind of security tests? ● Static ● Dynamic ● Integrated (which will be ignored) By Using ONLY FOSS tools
Static Analysis
What? ● Scanning static assets (e.g. source code) ● Language aware ● Different Tools for different layer ● Point where is the issue Code Dependencies Docker Image
Code Layer ● Scan the code for vulnerabilities ● Different tools for different languages ● Bandit – Python ● Brakeman – Ruby on Rails ● Find Security Bug - Java ● TSLint - TypeScript ● OWASP Source Code Analyzers list Code Dependencies Docker Image
Example https://snyk.io/blog/node-js-timing-attack-ccc-ctf/
Dependencies Layer ● 3rd party code used by the app ● Usually installed by a package manager ● PyPi, Gem, NuGet, NPM ● Each dependency might include known vulnerability ● OWASP Top 10 A9 ● OWASP Dependency Track Code Dependencies Docker Image
https://snyk.io/stateofossecurity/
NPQ
Docker Image Layer ● Contains the “OS” ● 3rd party software installed ● App engine (NodeJS/.NET Core etc) ● Each one could contain known vulnerabilities ● Multiple open source solutions ● Clair, Anchore, OWASP Dependency Track Code Dependencies Docker Image
https://www.banyanops.com/pdf/BanyanOps-AnalyzingDockerHub-WhitePaper.pdf
Playing with Anchore-Engine
Dynamic Analysis
What? ● Scanning live app ● Language agnostic, protocol aware ● Only detect issues, not what cause to them ● Simple by using OWASP Zap ● Passive ● Active ● Leveraging Docker for local run Code Dependencies Docker Image
Passive Scan ● Proxy black box tests ● Scan HTTP requests/responses ● HTTP static analysis ● Looks for security issues ● Fast, not risky Code Dependencies Docker Image
Active Scan ● Discover all endpoint ● Craft malicious requests ● Test that the server can handle those request ● Slow, could cause damage Code Dependencies Docker Image
Bringing it All Together
Building our CI/CD Pipeline ❑ Break the build or it didn’t happen ❑ False positives ❑ Keep it DRY ❑ Ownership
Let’s add some Glue The ”DevSecOps Tool”
Building our CI/CD Pipeline ✓ Break the build or it didn’t happen ✓ False positives ✓ Keep it DRY ✓ Ownership
Image Certification Only images that passed all the tests should be used on production ● Build dependency ● Image labels ● Image signing ● Image policy
What we have @ Soluto? ● Static analysis ✓ Source code scan ❑ Dependencies scan (in progress) ❑ Image scan ● Dynamic analysis ✓ Passive ❑ Active (in progress)
Demo Time All the code is on GitHub
Testing LolCode App ● Static analysis? ✕ Nothing for source code ✕ No package manager (which is good?) ❑ Image scanning ● Dynamic analysis ✓ Passive ❑ Active
Let’s see it Live! Hope it will work … else I’ll show you slides with screenshots 
Wrapping Up
What we discussed ● Layers of Containerized Applications ● Kind of Tests & FOSS Tools ○ Static (OWASP Dependency Track) ○ Dynamic (OWASP Zap) ● Building the pipeline ○ OWASP Glue ○ Image Certification
Where Do I Start?
Our Quest: Securing Containerized Apps
Questions?
Resources • TechBeacon: Security Tests for Containarized Applications • Guide: Dynamic Security Testing with OWASP Zap • Post: Dynamic Security Testing Made Easy • Slides: Getting Started with OWASP Glue
Join the conversation #DevSecCon Thank You! @omerlh @SolutoEng

Recommended

DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
Mohamed Nizzad
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
DevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf HadiwinataDevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf Hadiwinata
Hananto Wibowo Soenarto
 
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
Agile Testing Alliance
 
Dev secops. Real experience.
Dev secops. Real experience.Dev secops. Real experience.
Dev secops. Real experience.
Vitaly Balashov
 
Dev secops security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owaspDev secops security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owasp
Dag Rowe
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
Hui (Henry) Chen
 

Recommended

DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
Mohamed Nizzad
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
DevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf HadiwinataDevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf Hadiwinata
Hananto Wibowo Soenarto
 
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
Agile Testing Alliance
 
Dev secops. Real experience.
Dev secops. Real experience.Dev secops. Real experience.
Dev secops. Real experience.
Vitaly Balashov
 
Dev secops security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owaspDev secops security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owasp
Dag Rowe
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
Hui (Henry) Chen
 
Building a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot ApplicationBuilding a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot Application
VMware Tanzu
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD Pipeline
James Wickett
 
Barriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome ThemBarriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome Them
WhiteSource
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Cheah Eng Soon
 
DevSecOps OWASP
DevSecOps OWASPDevSecOps OWASP
DevSecOps OWASP
Priyanka Raghavan
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
NotSoSecure Global Services
 
Owasp glue
Owasp glueOwasp glue
Owasp glue
Soluto
 
Painless DevSecOps: Building Security Into Your DevOps Pipeline
Painless DevSecOps: Building Security Into Your DevOps PipelinePainless DevSecOps: Building Security Into Your DevOps Pipeline
Painless DevSecOps: Building Security Into Your DevOps Pipeline
Tasktop
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
sedukull
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
Sonatype
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
Stefan Streichsbier
 
Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or less
Mohammed A. Imran
 
DevSecCon Tel Aviv 2018 - Security Testing for Containerised Apps by Omer Levi
DevSecCon Tel Aviv 2018 - Security Testing for Containerised Apps by Omer LeviDevSecCon Tel Aviv 2018 - Security Testing for Containerised Apps by Omer Levi
DevSecCon Tel Aviv 2018 - Security Testing for Containerised Apps by Omer Levi
DevSecCon
 
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security AssuranceSec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Abdessamad TEMMAR
 
Microsoft DevOps Forum 2021 – DevOps & Security
Microsoft DevOps Forum 2021 – DevOps & Security Microsoft DevOps Forum 2021 – DevOps & Security
Microsoft DevOps Forum 2021 – DevOps & Security
Nico Meisenzahl
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017
Suman Sourav
 
Rooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CDRooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CD
Daniel Garcia (a.k.a cr0hn)
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 

More Related Content

What's hot

Barriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome ThemBarriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome Them
WhiteSource
 
Owasp glue
Owasp glueOwasp glue
Owasp glue
Soluto
 
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security AssuranceSec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Abdessamad TEMMAR
 

What's hot (20)

Building a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot ApplicationBuilding a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot Application
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD Pipeline
 
Barriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome ThemBarriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome Them
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
DevSecOps OWASP
DevSecOps OWASPDevSecOps OWASP
DevSecOps OWASP
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
 
Owasp glue
Owasp glueOwasp glue
Owasp glue
 
Painless DevSecOps: Building Security Into Your DevOps Pipeline
Painless DevSecOps: Building Security Into Your DevOps PipelinePainless DevSecOps: Building Security Into Your DevOps Pipeline
Painless DevSecOps: Building Security Into Your DevOps Pipeline
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
 
Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or less
 
DevSecCon Tel Aviv 2018 - Security Testing for Containerised Apps by Omer Levi
DevSecCon Tel Aviv 2018 - Security Testing for Containerised Apps by Omer LeviDevSecCon Tel Aviv 2018 - Security Testing for Containerised Apps by Omer Levi
DevSecCon Tel Aviv 2018 - Security Testing for Containerised Apps by Omer Levi
 
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security AssuranceSec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
 
Microsoft DevOps Forum 2021 – DevOps & Security
Microsoft DevOps Forum 2021 – DevOps & Security Microsoft DevOps Forum 2021 – DevOps & Security
Microsoft DevOps Forum 2021 – DevOps & Security
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim Mackey
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
 
DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017
 

Similar to Security Testing for Containerized Applications

Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
DevSecOps: The Open Source Way
DevSecOps: The Open Source WayDevSecOps: The Open Source Way
DevSecOps: The Open Source Way
Black Duck by Synopsys
 
Container Patching: Cloud Native Security Con 2023
Container Patching: Cloud Native Security Con 2023Container Patching: Cloud Native Security Con 2023
Container Patching: Cloud Native Security Con 2023
Greg Castle
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
Amazon Web Services
 

Similar to Security Testing for Containerized Applications (20)

Rooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CDRooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CD
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
 
Creating a reasonable project boilerplate
Creating a reasonable project boilerplateCreating a reasonable project boilerplate
Creating a reasonable project boilerplate
 
DevSecOps: The Open Source Way
DevSecOps: The Open Source WayDevSecOps: The Open Source Way
DevSecOps: The Open Source Way
 
Software Testing Basic Concepts
Software Testing Basic ConceptsSoftware Testing Basic Concepts
Software Testing Basic Concepts
 
Container Patching: Cloud Native Security Con 2023
Container Patching: Cloud Native Security Con 2023Container Patching: Cloud Native Security Con 2023
Container Patching: Cloud Native Security Con 2023
 
DevOps on AWS
DevOps on AWSDevOps on AWS
DevOps on AWS
 
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on KubernetesKCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android Apps
 
Sonatype DevSecOps Leadership forum 2020
Sonatype DevSecOps Leadership forum 2020Sonatype DevSecOps Leadership forum 2020
Sonatype DevSecOps Leadership forum 2020
 
DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16
 
Code, ci, infrastructure - the gophers way
Code, ci, infrastructure - the gophers wayCode, ci, infrastructure - the gophers way
Code, ci, infrastructure - the gophers way
 
Android Attacks
Android AttacksAndroid Attacks
Android Attacks
 
Nascenia: Road to Software Industry
Nascenia: Road to Software IndustryNascenia: Road to Software Industry
Nascenia: Road to Software Industry
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
 
Deepfence.pdf
Deepfence.pdfDeepfence.pdf
Deepfence.pdf
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
 

More from Soluto

Solving trust issues at scale - AppSec California
Solving trust issues at scale - AppSec CaliforniaSolving trust issues at scale - AppSec California
Solving trust issues at scale - AppSec California
Soluto
 
Solving trust issues at scale
Solving trust issues at scaleSolving trust issues at scale
Solving trust issues at scale
Soluto
 
Can Kubernetes Keep a Secret? - Women in AppSec Webinar
Can Kubernetes Keep a Secret? - Women in AppSec WebinarCan Kubernetes Keep a Secret? - Women in AppSec Webinar
Can Kubernetes Keep a Secret? - Women in AppSec Webinar
Soluto
 
FTRD - Can Kubernetes Keep a Secret?
FTRD - Can Kubernetes Keep a Secret?FTRD - Can Kubernetes Keep a Secret?
FTRD - Can Kubernetes Keep a Secret?
Soluto
 
Hacking like a FED
Hacking like a FEDHacking like a FED
Hacking like a FED
Soluto
 
Can Kubernetes Keep a Secret?
Can Kubernetes Keep a Secret?Can Kubernetes Keep a Secret?
Can Kubernetes Keep a Secret?
Soluto
 
Languages don't matter anymore!
Languages don't matter anymore!Languages don't matter anymore!
Languages don't matter anymore!
Soluto
 

More from Soluto (20)

Solving trust issues at scale - AppSec California
Solving trust issues at scale - AppSec CaliforniaSolving trust issues at scale - AppSec California
Solving trust issues at scale - AppSec California
 
Solving trust issues at scale
Solving trust issues at scaleSolving trust issues at scale
Solving trust issues at scale
 
Things I wish someone had told me about Istio, Omer Levi Hevroni
Things I wish someone had told me about Istio, Omer Levi HevroniThings I wish someone had told me about Istio, Omer Levi Hevroni
Things I wish someone had told me about Istio, Omer Levi Hevroni
 
Can Kubernetes Keep a Secret? - Women in AppSec Webinar
Can Kubernetes Keep a Secret? - Women in AppSec WebinarCan Kubernetes Keep a Secret? - Women in AppSec Webinar
Can Kubernetes Keep a Secret? - Women in AppSec Webinar
 
FTRD - Can Kubernetes Keep a Secret?
FTRD - Can Kubernetes Keep a Secret?FTRD - Can Kubernetes Keep a Secret?
FTRD - Can Kubernetes Keep a Secret?
 
The Dark Side of Monitoring
The Dark Side of MonitoringThe Dark Side of Monitoring
The Dark Side of Monitoring
 
Hacking like a FED
Hacking like a FEDHacking like a FED
Hacking like a FED
 
Monitoria@Icinga camp berlin
Monitoria@Icinga camp berlinMonitoria@Icinga camp berlin
Monitoria@Icinga camp berlin
 
Can Kubernetes Keep a Secret?
Can Kubernetes Keep a Secret?Can Kubernetes Keep a Secret?
Can Kubernetes Keep a Secret?
 
Kamus intro
Kamus introKamus intro
Kamus intro
 
Secure Your Pipeline
Secure Your PipelineSecure Your Pipeline
Secure Your Pipeline
 
React new features and intro to Hooks
React new features and intro to HooksReact new features and intro to Hooks
React new features and intro to Hooks
 
Secure the Pipeline - OWASP Poland Day 2018
Secure the Pipeline - OWASP Poland Day 2018Secure the Pipeline - OWASP Poland Day 2018
Secure the Pipeline - OWASP Poland Day 2018
 
Monitoria@reversim
Monitoria@reversimMonitoria@reversim
Monitoria@reversim
 
Languages don't matter anymore!
Languages don't matter anymore!Languages don't matter anymore!
Languages don't matter anymore!
 
Unify logz with fluentd
Unify logz with fluentdUnify logz with fluentd
Unify logz with fluentd
 
Storing data in Redis like a pro
Storing data in Redis like a proStoring data in Redis like a pro
Storing data in Redis like a pro
 
Monitor all the thingz slideshare
Monitor all the thingz slideshareMonitor all the thingz slideshare
Monitor all the thingz slideshare
 
Authentication without Authentication - AppSec California
Authentication without Authentication - AppSec CaliforniaAuthentication without Authentication - AppSec California
Authentication without Authentication - AppSec California
 
Authentication without Authentication - Peerlyst meetup
Authentication without Authentication - Peerlyst meetupAuthentication without Authentication - Peerlyst meetup
Authentication without Authentication - Peerlyst meetup
 

Recently uploaded

Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 

Recently uploaded (20)

"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»
НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»
НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 

Security Testing for Containerized Applications

Editor's Notes

  1. Thank the organizers Who here is doing AppSec for her living? Who here is willing to help me with code review?
  2. How we help with technology
  3. Emphasis this is the plan we started with, and it’s WIP
  4. https://www.owasp.org/index.php/Source_Code_Analysis_Tools
  5. A real example of timing attack due to insecure equals Something easy to miss, but easy to spot using static analysis We had real issue at Soluto that caught by using TSLint 
  6. Show how many packages available Say something about the rise
  7. Specify that not use it for now
  8. Openapi/swagger