Snyk.io
Building security into your pipelines
Matt Jarvis | Senior Developer Advocate | matt.jarvis@snyk.io
Continuous Security
● Matt Jarvis
○ Senior Developer Advocate @ Snyk
● Building stuff with open source for ~20 years
● Ops, Dev, DevOps and now Security
$whoami
@mattj_io
mattj-io
mattjarvis.org.uk
What is an application?
Networking
Virtual Machines
Your application
Pre-Cloud era
Developers wrote the application
IT Operations had the rest of the stack
Security was a step in the process
Virtual Infrastructure
Physical Hardware
Cloud Era
Developers write the code and deploy, network and provision
This is now your application
So where does security fit?
Virtual Infrastructure
Physical Hardware Cloud Infrastructure
Terraform
Kubernetes
Your application
Container Image
Shifting security
(stack: Cloud Infrastructure / Terraform / Kubernetes / Your application / Container Image)
Your application code: Are my open source dependencies up to date? Do I have any vulnerabilities?
Deploying your code: Have I configured my containers correctly? Do I need a root user? What is this load balancer?
Provision your infrastructure: Is my blobstore readable by the world? Have I set up my permissions appropriately?
Your App
Your Code
source: https://snyk.io/opensourcesecurity-2019
Jan 2015
rimrafall
Jan 2017
crossenv
May 2018
getcookies
Jul 2018
eslint-scope
Nov 2018
event-stream
May 2018
getcookies
Parse HTTP headers for cookie data
or does it...?
getcookies
express-cookies
http-fetch-cookies
mailparser 440,000 downloads/month
68% developer owned: developers own the security of container images
source: https://snyk.io/opensourcesecurity-2019
44% of docker image vulnerabilities can be fixed with newer base images
20% of docker image vulnerabilities can be fixed just by rebuilding them
Configuration is increasingly in code
Configuration is everywhere
Sense of scale of infrastructure as code in public repositories on GitHub:
● Azure ARM: 250k+
● Terraform: 200k+
● Kubernetes: 2m+
● AWS CF: 90k+
● Serverless: 40k+
● Compose: 600k+
Configuration is a security risk
“Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage...”
https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration
Container Security Spectrum: securing development and operations
Code (test & fix) → submit → Git repository → build → CI/CD (test, fix, monitor) → deploy → Registry (test, fix, monitor) → security gate → Production: Kubernetes, Traditional/PaaS, Serverless (monitor & fix)
Developer First ...
Integrated workflows - IDE, CLI
$ snyk container test garethr/snyky --file=Dockerfile
Testing garethr/snyky...
✗ High severity vulnerability found in libpng
Description: Out-of-Bounds
Info: https://snyk.io/vuln/SNYK-LINUX-LIBPNG-172022
Introduced through: libpng@1.6.34-r1, freetype@2.9.1-r1, openjdk8-jre@8.191.12-r0
From: libpng@1.6.34-r1
From: freetype@2.9.1-r1 > libpng@1.6.34-r1
From: openjdk8-jre@8.191.12-r0 > libpng@1.6.34-r1
Fixed in: 1.6.37-r0
✗ High severity vulnerability found in git
Description: Untrusted Search Path
Info: https://snyk.io/vuln/SNYK-LINUX-GIT-175991
Introduced through: git@2.18.1-r0
From: git@2.18.1-r0
Fixed in: 2.18.1-r1
Remediation guidance to minimize exposure and reduce time-to-fix: get straight to the Dockerfile instructions that introduce vulnerabilities, and follow base image recommendations to reduce your total vulnerability exposure.
Make sure our repos are secure!
● 2 factor authentication
● Strong key management practices
● Update git
● Beware of exposing private data
● Strong review processes
Pull request scanning and repository monitoring
Automated remediation
Scan new code
Scan images in registries ...
CI Pipelines
The Snyk Kubernetes controller scans your workloads for vulnerable images, then detects insecure configurations that make those vulnerabilities easier for an attacker to exploit.
Prioritise vulnerabilities based on production configuration
High severity + production configuration = priority. Example: a remotely exploitable Java vulnerability. Deployed to production, not just development. Running in a Kubernetes pod which is running as root and doesn’t drop capabilities. Connected to a service with a public IP address.
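The prioritisation idea above (severity combined with how the workload is actually deployed) and the CI security gate from the pipeline slide can be shown together in a small script. This is an added example, not code from the slides or from Snyk: it parses the human-readable `snyk container test` output exactly as the slides print it (the sample below is constructed from the two transcripts on the slides), attaches a `WorkloadContext` whose field names and scoring weights are this example's own assumptions rather than Snyk's scoring, and decides whether a build should fail. In a real pipeline the CLI's `--severity-threshold` flag does the gate on its own; the point here is to see which production facts move a finding up the list.

```python
# Added example (not from the slides or from Snyk): parse the text output that
# `snyk container test` prints, rank each finding by the workload's production
# configuration, and decide whether a CI security gate should fail.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample scanner output, constructed from the two CLI transcripts on the slides.
SAMPLE_OUTPUT = """\
Testing garethr/snyky...
✗ High severity vulnerability found in libpng
  Description: Out-of-Bounds
  Info: https://snyk.io/vuln/SNYK-LINUX-LIBPNG-172022
  Introduced through: libpng@1.6.34-r1, freetype@2.9.1-r1, openjdk8-jre@8.191.12-r0
  From: libpng@1.6.34-r1
  Fixed in: 1.6.37-r0
✗ Low severity vulnerability found in git
  Description: CVE-2018-19486
  Info: https://snyk.io/vuln/SNYK-LINUX-GIT-175991
  Introduced through: git@2.18.1-r0
  From: git@2.18.1-r0
  Introduced by your base image (release)
  Fixed in: 2.18.1-r1
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# "<marker> <Severity> severity vulnerability found in <package>"
HEADER_RE = re.compile(r"^\S\s+(\w+) severity vulnerability found in (\S+)$")


@dataclass
class Finding:
    severity: str
    package: str
    description: str = ""
    introduced_through: List[str] = field(default_factory=list)
    from_base_image: bool = False
    fixed_in: Optional[str] = None


def parse_snyk_output(text: str) -> List[Finding]:
    """Turn the human-readable scanner output into Finding records."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = Finding(header.group(1).lower(), header.group(2))
            findings.append(current)
        elif current is None:
            continue  # preamble such as "Testing garethr/snyky..."
        elif line.startswith("Description:"):
            current.description = line.split(":", 1)[1].strip()
        elif line.startswith("Introduced through:"):
            current.introduced_through = [p.strip() for p in line.split(":", 1)[1].split(",")]
        elif line.startswith("Introduced by your base image"):
            current.from_base_image = True  # fixable by moving to a newer base image
        elif line.startswith("Fixed in:"):
            current.fixed_in = line.split(":", 1)[1].strip()
    return findings


@dataclass
class WorkloadContext:
    """Production facts from the slide; field names are this example's assumption."""
    environment: str          # "production" or "development"
    runs_as_root: bool
    drops_capabilities: bool
    public_ip: bool


def priority(finding: Finding, ctx: WorkloadContext):
    """Return (score, reasons). The weights are an assumption of this example."""
    score = SEVERITY_RANK.get(finding.severity, 0)
    reasons = [f"{finding.severity} severity"]
    if ctx.environment == "production":
        score += 2
        reasons.append("deployed to production")
    if ctx.runs_as_root:
        score += 1
        reasons.append("pod runs as root")
    if not ctx.drops_capabilities:
        score += 1
        reasons.append("capabilities not dropped")
    if ctx.public_ip:
        score += 2
        reasons.append("reachable via public IP")
    return score, reasons


def prioritise(findings: List[Finding], ctx: WorkloadContext) -> List[Finding]:
    """Findings sorted highest priority first."""
    return sorted(findings, key=lambda f: priority(f, ctx)[0], reverse=True)


def gate_fails(findings: List[Finding], threshold: str = "high") -> bool:
    """CI security gate: True if any finding is at or above the threshold severity."""
    bar = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(f.severity, 0) >= bar for f in findings)


if __name__ == "__main__":
    prod = WorkloadContext("production", runs_as_root=True, drops_capabilities=False, public_ip=True)
    found = parse_snyk_output(SAMPLE_OUTPUT)
    for f in prioritise(found, prod):
        score, why = priority(f, prod)
        fix = f"fix: upgrade to {f.fixed_in}" if f.fixed_in else "no fix yet"
        print(f"[{score}] {f.package}: {f.description} ({', '.join(why)}; {fix})")
    print("gate fails:", gate_fails(found))
```

Running it against the same two findings with a development context (non-root, capabilities dropped, no public IP) drops the libpng score from 9 to 3, which is the whole argument of the slide: the vulnerability is the same, the urgency is not.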
Protect your application
After the initial scan
● Containers shift ownership of code + runtime environment to developers
● Developers aren’t security experts - they need support and tools that empower them
● More software + faster release cycles leads to more software risk
It is critical for developers to secure containers from the start
Local CI/CD Registry Production
$ snyk test --docker garethr/snyky
Testing garethr/snyky...
✗ Low severity vulnerability found in git
Description: CVE-2018-19486
Info: https://snyk.io/vuln/SNYK-LINUX-GIT-175991
Introduced through: git@2.18.1-r0
From: git@2.18.1-r0
Introduced by your base image (release)
Fixed in: 2.18.1-r1
Organisation: garethr
Package manager: apk
Git
Detect vulnerabilities
Throughout the software supply chain
Thanks For Listening!
stackconf 2021 | Continuous Security – integrating security into your pipelines