stackconf 2022
Minimum Viable Security for Cloud Native Stacks
19 July, 2022
David Melamed, Co-Founder & CTO at Jit
Source: https://visual.ly/community/Infographics/entertainment/protecting-your-house-home-alone-style
Protecting your perimeter (diagram): YOUR APP surrounded by its exposure points: public resources (IPs, buckets, …), 3rd parties, user access, the CI/CD pipeline and the admin user.
Controls to protect your perimeter (diagram, same layout): cloud misconfiguration, pentesting, MFA / scope, MFA / least privilege, least privilege, admin user.
Protecting your app and its data (diagram): YOUR APP with the concerns around it: disaster recovery, incident investigation, access to services, traffic, libraries, secrets.
Controls to protect your app (diagram, same layout): backup, logging, least privilege, encryption, dependency check (Depcheck), secrets manager (SecretMgr).
Minimum Security Controls
Securing a sample microservice
● Simple FastAPI-based app to display movies information
● Data persistence: SQLite
● SCM: Github / CI: Github Actions
● Goal: integrate the 7 tools that are part of the MVS in the CI pipeline
● Demo repository: https://github.com/dvdmelamed/stackconf-2022
Example for a Python-based app
Code vulnerabilities (Your Code)
➔ Ensure you don't have vulnerabilities in your code
➔ Use a Static Application Security Testing (SAST) scanner to detect vulnerabilities based on known patterns
➔ Demo: Bandit
◆ Open-source security linter for Python source code
◆ Includes 35 rules for detecting vulnerabilities
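As an added example (not code from the talk's demo repository), here is the kind of pattern a SAST linter such as Bandit flags in a SQLite-backed movie service, namely SQL assembled from user input (Bandit rule B608), next to the parameterised form that passes the check. The table, rows and function names are constructed for this example.

```python
"""Added example: a Bandit-flagged query pattern beside its hardened form.
The movie table and sample rows are constructed for the example."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory movie catalogue with a constructed sample dataset."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT, year INTEGER)")
    conn.executemany(
        "INSERT INTO movies (title, year) VALUES (?, ?)",
        [("Home Alone", 1990), ("Ocean's Eleven", 2001), ("Heat", 1995)],
    )
    return conn


def find_movies_unsafe(conn: sqlite3.Connection, title: str) -> list[tuple]:
    """What Bandit reports: the statement is built with an f-string, so any quote
    in `title` becomes part of the SQL. A legitimate title such as "Ocean's Eleven"
    already breaks the query, which is the same weakness an attacker would abuse."""
    query = f"SELECT title, year FROM movies WHERE title = '{title}'"  # flagged by B608
    return conn.execute(query).fetchall()


def find_movies_safe(conn: sqlite3.Connection, title: str) -> list[tuple]:
    """Hardened form: the driver binds `title` as a value, never as SQL text."""
    return conn.execute(
        "SELECT title, year FROM movies WHERE title = ?", (title,)
    ).fetchall()


def compare(title: str) -> dict:
    """Run both variants on the same input and report what happened to each."""
    conn = make_db()
    try:
        unsafe = find_movies_unsafe(conn, title)
        unsafe_error = None
    except sqlite3.Error as exc:
        unsafe, unsafe_error = None, type(exc).__name__
    safe = find_movies_safe(conn, title)
    return {"unsafe": unsafe, "unsafe_error": unsafe_error, "safe": safe}


if __name__ == "__main__":
    for t in ("Heat", "Ocean's Eleven"):
        print(t, "->", compare(t))
```

Running `bandit -r .` over a file containing `find_movies_unsafe` reports B608 at the f-string line; the parameterised version produces no finding.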
Secrets (Your Code)
➔ Make sure there are no hard-coded secrets
➔ Use a scanner that searches for regexes of well-known secret patterns such as PATs, Slack tokens, AWS keys…
➔ Demo: Gitleaks
◆ Supports multiple types of secrets: API keys, AWS credentials, SSH keys…
◆ Supports detecting secrets in git history
Vulnerable Dependencies (Your Code)
➔ Track 3rd-party libraries with disclosed vulnerabilities (CPE / CVE)
➔ Use a scanner that will track down those vulnerable libraries
➔ Demo: dependency-check
◆ OWASP OSS project
◆ Detects publicly disclosed vulnerabilities contained within a project's dependencies
Infrastructure misconfiguration (Your Infrastructure)
➔ When the infrastructure is expressed as code, misconfigurations can be detected early by scanning that code
➔ Use a scanner that will look for IaC misconfigurations
➔ Demo: KICS
◆ OSS by Checkmarx supporting many infrastructure types: CloudFormation, Terraform, Ansible, Kubernetes, Helm, Docker, ARM…
◆ Includes 2000+ checks
Pentesting (Your Runtime)
➔ Simulate attacks on your frontend to ensure it is safe
➔ Use a pentest / Web Application Scanner to test the security of your SaaS
➔ Demo: Zed Attack Proxy (ZAP)
◆ Free web app scanner by OWASP
◆ Includes 17 built-in rules
◆ Also supports API scanning, using OpenAPI or Swagger for endpoint discovery
Vulnerable container images (Your Pipeline)
➔ When building your container images, make sure there is no vulnerability in the base image
➔ Use a scanner that will scan your container images and enforce your image trust (Notary)
➔ Demo: Trivy
◆ OSS by Aqua supporting OS packages and language-based packages
◆ Also supports IaC misconfigurations
Multi-Factor Authentication, MFA (Your 3rd Parties)
➔ Ensure you enforce MFA for all 3rd-party access
➔ Make sure MFA is used (custom tool)
➔ Demo: MFA on Github
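The "custom tool" MFA check above, as an added example that is not the speaker's code: it lists organisation members who have not enabled two-factor authentication through the GitHub REST API (GET /orgs/{org}/members?filter=2fa_disabled, available to organisation owners) and fails the pipeline if anyone is listed. The organisation name, the environment variable names and the sample payload are assumptions constructed for the example.

```python
"""Added example: CI gate that fails when GitHub org members lack 2FA.
Env var names and the sample payload are constructed for the example."""
import json
import os
import urllib.request

API = "https://api.github.com"


def build_request(org: str, token: str) -> urllib.request.Request:
    """Request for the members of `org` whose 2FA is disabled (one page of 100)."""
    url = f"{API}/orgs/{org}/members?filter=2fa_disabled&per_page=100"
    return urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
    })


def members_without_mfa(payload: list[dict]) -> list[str]:
    """Logins from a members API response; each entry is a GitHub user object."""
    return sorted(user["login"] for user in payload)


def evaluate(payload: list[dict]) -> tuple[bool, str]:
    """Gate decision: pass only when nobody is listed as 2FA-disabled."""
    missing = members_without_mfa(payload)
    if missing:
        return False, "MFA not enabled for: " + ", ".join(missing)
    return True, "all members have 2FA enabled"


def check_org(org: str, token: str) -> tuple[bool, str]:
    """Live check against the API (needs network and an org-owner token)."""
    with urllib.request.urlopen(build_request(org, token), timeout=30) as resp:
        return evaluate(json.load(resp))


# Constructed sample response: two user objects trimmed to the fields used here.
SAMPLE_PAYLOAD = [
    {"login": "alice", "id": 1, "type": "User"},
    {"login": "bob", "id": 2, "type": "User"},
]

if __name__ == "__main__":
    org, token = os.environ.get("GH_ORG"), os.environ.get("GH_TOKEN")
    ok, msg = check_org(org, token) if org and token else evaluate(SAMPLE_PAYLOAD)
    print(msg)
    raise SystemExit(0 if ok else 1)
```

Organisations with more than 100 members need to follow the API's pagination links; the example reads a single page to keep the gate logic in view.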
Securing a sample microservice: the tools
● SAST: Bandit
● SAST (Secrets): Gitleaks
● SCA: OWASP Dependency-check
● IaC: KICS
● Containers: Trivy
● DAST: OWASP ZAP
● MFA: Custom
Example for a Python-based app
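To make the tools above actually block a pipeline, their reports have to be turned into a pass/fail decision. As an added example (not code from the demo repository), this gate reads the JSON reports of two of the MVS tools, Bandit (`bandit -r . -f json`) and Trivy (`trivy image --format json`), and fails when any finding meets a severity threshold. Both sample reports are constructed and trimmed to the fields the gate reads; the CVE id is a placeholder.

```python
"""Added example: severity gate over constructed Bandit and Trivy JSON reports."""
import json

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def load(path: str) -> dict:
    """Read a report file written by `bandit -f json -o` or `trivy --output`."""
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def bandit_findings(report: dict, min_severity: str = "HIGH") -> list[str]:
    """Bandit lists findings under `results`, each carrying issue_severity."""
    out = []
    for r in report.get("results", []):
        if SEVERITY_RANK[r["issue_severity"]] >= SEVERITY_RANK[min_severity]:
            out.append(f"bandit {r['test_id']} {r['filename']}:{r['line_number']} {r['issue_text']}")
    return out


def trivy_findings(report: dict, min_severity: str = "HIGH") -> list[str]:
    """Trivy nests per-target `Results`, each holding a `Vulnerabilities` list."""
    out = []
    for res in report.get("Results", []):
        for v in res.get("Vulnerabilities") or []:  # key is null when a target is clean
            if SEVERITY_RANK[v["Severity"]] >= SEVERITY_RANK[min_severity]:
                fix = v.get("FixedVersion") or "no fix available"
                out.append(f"trivy {v['VulnerabilityID']} {v['PkgName']} {v['InstalledVersion']} -> {fix}")
    return out


def gate(bandit_report: dict, trivy_report: dict, min_severity: str = "HIGH") -> tuple[bool, list[str]]:
    """Pass only when neither report has a finding at or above `min_severity`."""
    findings = bandit_findings(bandit_report, min_severity) + trivy_findings(trivy_report, min_severity)
    return (not findings), findings


# Constructed sample reports (shape of the real tools' output, trimmed).
BANDIT_SAMPLE = {"results": [
    {"test_id": "B608", "issue_severity": "MEDIUM", "issue_confidence": "LOW",
     "filename": "app/db.py", "line_number": 42,
     "issue_text": "Possible SQL injection vector through string-based query construction."},
    {"test_id": "B105", "issue_severity": "LOW", "issue_confidence": "MEDIUM",
     "filename": "app/config.py", "line_number": 7, "issue_text": "Possible hardcoded password"},
]}
TRIVY_SAMPLE = {"Results": [{"Target": "example-base-image (constructed)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-XXXX-YYYY", "PkgName": "libexample", "InstalledVersion": "1.0-1",
     "FixedVersion": "1.0-2", "Severity": "HIGH"},
]}]}

if __name__ == "__main__":
    ok, findings = gate(BANDIT_SAMPLE, TRIVY_SAMPLE, "MEDIUM")
    print("\n".join(findings) or "no findings at or above threshold")
    raise SystemExit(0 if ok else 1)
```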
A Minimum Viable Security plan (1)
01 Your code: Code vulnerability, Secrets
02 Your infra: Cloud Misconfiguration, Least Priv. Remote access
03 Your runtime: Pentesting, API Security
04 Your pipeline: Logging, Vulnerable libraries, Vulnerable containers, Least priv. access
A Minimum Viable Security plan (2)
05 Your data: Data encryption, Secrets storage
06 Your 3rd parties: Multi-Factor Auth, Secured access
07 Your people: Password manager
08 Your operations: Audit, Backup
Improving dev-first experience: Jit
● Dev-native experience using PR comments
● Customized MVS plan
Your next step on the security journey
Thank you
Intrigued? Try our free beta at jit.io
Inspired? Join us! We are hiring!
Questions? Contact me at david@jit.io

stackconf 2022: Minimum Viable Security for Cloud Native Stacks
