Snyk.io
Continuous Security: Building security into your pipelines
Matt Jarvis | Senior Developer Advocate | matt.jarvis@snyk.io

$whoami
● Matt Jarvis
  ○ Senior Developer Advocate @ Snyk
● Building stuff with open source for ~20 years
● Ops, Dev, DevOps and now Security
@mattj_io | mattj-io | mattjarvis.org.uk
What is an application?

Pre-Cloud era (stack: Physical Hardware > Virtual Infrastructure > Networking > Virtual Machines > Your application)
● Developers wrote the application
● IT Operations had the rest of the stack
● Security was a step in the process

Cloud Era (stack: Cloud Infrastructure > Terraform > Kubernetes > Container Image > Your application)
● Developers write the code and deploy, network and provision
● This is now your application
● So where does security fit?
Shifting security

Your application code
● Are my open source dependencies up to date?
● Do I have any vulnerabilities?

Deploying your code (Container Image, Kubernetes)
● Have I configured my containers correctly?
● Do I need a root user?
● What is this load balancer?

Provisioning your infrastructure (Terraform, Cloud Infrastructure)
● Is my blobstore readable by the world?
● Have I set up my permissions appropriately?
Your App > Your Code
source: https://snyk.io/opensourcesecurity-2019
npm package incidents:
● Jan 2015: rimrafall
● Jan 2017: crossenv
● May 2018: getcookies
● Jul 2018: eslint-scope
● Nov 2018: event-stream

May 2018: getcookies, "Parse HTTP headers for cookie data"... or does it?
Dependency chain: getcookies > express-cookies > http-fetch-cookies > mailparser (440,000 downloads/month)
Developer owned: 68%. Developers own the security of container images.
source: https://snyk.io/opensourcesecurity-2019
44% of docker image vulnerabilities can be fixed with newer base images
20% of docker image vulnerabilities can be fixed just by rebuilding them
Configuration is increasingly in code
Configuration is everywhere. Sense of scale of infrastructure as code in public repositories on GitHub:
● Azure ARM: 250k+
● Terraform: 200k+
● Kubernetes: 2m+
● AWS CF: 90k+
● Serverless: 40k+
● Compose: 600k+

Configuration is a security risk
"Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage..."
https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration
Container Security Spectrum: securing development and operations
Stages: Code (submit) > Git repository (build) > CI/CD (Test & fix) > Registry (deploy; Security gate) > Production: Kubernetes, Traditional/PaaS, Serverless (Monitor & fix; Test, fix, monitor)
Developer First ... Integrated workflows - IDE, CLI

$ snyk container test garethr/snyky --file=Dockerfile
Testing garethr/snyky...
✗ High severity vulnerability found in libpng
  Description: Out-of-Bounds
  Info: https://snyk.io/vuln/SNYK-LINUX-LIBPNG-172022
  Introduced through: libpng@1.6.34-r1, freetype@2.9.1-r1, openjdk8-jre@8.191.12-r0
  From: libpng@1.6.34-r1
  From: freetype@2.9.1-r1 > libpng@1.6.34-r1
  From: openjdk8-jre@8.191.12-r0 > libpng@1.6.34-r1
  Fixed in: 1.6.37-r0
✗ High severity vulnerability found in git
  Description: Untrusted Search Path
  Info: https://snyk.io/vuln/SNYK-LINUX-GIT-175991
  Introduced through: git@2.18.1-r0
  From: git@2.18.1-r0
  Fixed in: 2.18.1-r1

Remediation guidance to minimize exposure and reduce time-to-fix:
● Get straight to the Dockerfile instructions that introduce vulnerabilities
● Follow base image recommendations to reduce your total vulnerability exposure
Make sure our repos are secure!
● 2 factor authentication
● Strong key management practices
● Update git
● Beware of exposing private data
● Strong review processes

Scan new code: pull request scanning and repository monitoring, automated remediation
Scan images in registries ...
CI Pipelines
Protect your application after the initial scan

The Snyk Kubernetes controller scans your workloads for vulnerable images, then detects insecure configurations that make those vulnerabilities easier for an attacker to exploit.

Prioritise vulnerabilities based on production configuration:
  [H] A remotely exploitable Java vulnerability
+ Deployed to production, not just development
+ Running in a Kubernetes pod which is running as root and doesn't drop capabilities
+ Connected to a service with a public IP address
= a vulnerability to fix first
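The prioritisation the slide describes, as an added example that is not Snyk's controller code: a vulnerability's severity is combined with the deployment context of the workload it runs in. The Pod and Service objects are constructed samples in the shape of the Kubernetes API; the scoring scheme (one point per aggravating factor) is an assumption for illustration.

```python
# Added example, not Snyk's code: rank a vulnerability by the deployment
# context the slide lists (root, capabilities kept, public Service, production).
from typing import Any

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # assumed weights

def root_containers(pod: dict[str, Any]) -> list[str]:
    """Containers not proven non-root: neither the container's nor the pod's
    securityContext sets runAsNonRoot: true or a non-zero runAsUser."""
    pod_sc = pod["spec"].get("securityContext", {})
    out = []
    for c in pod["spec"]["containers"]:
        sc = {**pod_sc, **c.get("securityContext", {})}  # container overrides pod
        if not (sc.get("runAsNonRoot") is True or sc.get("runAsUser", 0) != 0):
            out.append(c["name"])
    return out

def keeps_capabilities(pod: dict[str, Any]) -> list[str]:
    """Containers that do not drop ALL Linux capabilities (capabilities are a
    container-level setting only, so the pod securityContext is not consulted)."""
    return [c["name"] for c in pod["spec"]["containers"]
            if "ALL" not in c.get("securityContext", {})
                                .get("capabilities", {}).get("drop", [])]

def public_services(pod: dict[str, Any], services: list[dict]) -> list[str]:
    """LoadBalancer Services whose selector matches the pod's labels."""
    labels = pod["metadata"].get("labels", {}).items()
    return [s["metadata"]["name"] for s in services
            if s["spec"].get("type") == "LoadBalancer"
            and s["spec"].get("selector", {}).items() <= labels]

def prioritise(severity: str, pod, services, in_production: bool):
    """Severity score plus one point per aggravating factor, with the reasons."""
    checks = [("deployed to production", ["yes"] if in_production else []),
              ("runs as root", root_containers(pod)),
              ("does not drop capabilities", keeps_capabilities(pod)),
              ("reachable via public Service", public_services(pod, services))]
    reasons = [f"{label}: {', '.join(hits)}" for label, hits in checks if hits]
    return SEVERITY[severity] + len(reasons), reasons

# Constructed sample: "app" runs as root with all capabilities, "sidecar" is hardened.
POD = {"metadata": {"labels": {"app": "shop"}},
       "spec": {"containers": [
           {"name": "app", "image": "shop:1.0"},
           {"name": "sidecar", "image": "proxy:1.0", "securityContext": {
               "runAsNonRoot": True, "capabilities": {"drop": ["ALL"]}}}]}}
SERVICES = [{"metadata": {"name": "shop-lb"},
             "spec": {"type": "LoadBalancer", "selector": {"app": "shop"}}}]
```

Running `prioritise("high", POD, SERVICES, True)` lifts the High finding to a score of 7 with all four reasons listed, while the same finding in a non-production pod behind no public Service scores lower, which is the ordering the slide argues for.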
● Containers shift ownership of code + runtime environment to developers
● Developers aren't security experts - they need support and tools that empower them
● More software + faster release cycles leads to more software risk
● It is critical for developers to secure containers from the start

Detect vulnerabilities throughout the software supply chain: Git > Local > CI/CD > Registry > Production

$ snyk test --docker garethr/snyky
Testing garethr/snyky...
✗ Low severity vulnerability found in git
  Description: CVE-2018-19486
  Info: https://snyk.io/vuln/SNYK-LINUX-GIT-175991
  Introduced through: git@2.18.1-r0
  From: git@2.18.1-r0
  Introduced by your base image (release)
  Fixed in: 2.18.1-r1
Organisation: garethr
Package manager: apk
Thanks For Listening!

stackconf 2021 | Continuous Security – integrating security into your pipelines