Page 1
DevSecOps culture with Opensource Tools: Shifting Security Left
Benjy Portnoy, CISSP, CISA
@AquaSecTeam
Page 3
Security pros think containers are their weakest link
Source: CyberEdge 2019 Cyberthreat Defense Report
Page 4
Thought process when security folks first learn of this?
Denial → Oh Shit → Bargaining → Depression → Acceptance
Page 5
And DevOps agree…
Source: Portworx & Aqua survey, May 2019 (n=501)
Page 6
Dev Sec Ops
Page 7
Dev Sec Ops
Page 8
Page 9
FAST Scanning for known vulnerabilities
◼ First scan in under 10 seconds
◼ Highly Accurate
◼ Automate as step in CI build
◼ OS packages: RHEL, CentOS, Oracle, Debian, Ubuntu, Amazon Linux, SUSE, Photon OS and Distroless
◼ Application dependencies (from lockfiles): Bundler, Composer, Pipenv, Poetry, npm, yarn and Cargo
Page 10
Installation – RHEL/CentOS
$ sudo vim /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$releasever/$basearch/
gpgcheck=0
enabled=1
$ sudo yum update
$ sudo yum install trivy
Note: gpgcheck=0 turns off RPM signature verification for this repository, so yum will install whatever the server hands it. That is acceptable for a demo but not for a build host running a security tool; import the project's published signing key, set gpgcheck=1 and point gpgkey at it (see the current Trivy installation docs).
Page 11
Installation – macOS
$ brew install aquasecurity/trivy/trivy
Installation – Docker
$ docker run -it aquasec/trivy
Note: as written the container only sees its own filesystem. To scan images held by the host's Docker daemon, mount the daemon socket (-v /var/run/docker.sock:/var/run/docker.sock), and mount a cache directory onto /root/.cache so the vulnerability database is not downloaded again on every run.
Page 12
Run
$ trivy [YOUR_IMAGE_NAME]
(Newer Trivy releases take an explicit subcommand: trivy image [YOUR_IMAGE_NAME].)
Page 13
Results
⚫ Table
⚫ JSON
⚫ HTML
⚫ XML
Table and JSON are built in (--format table|json). HTML and XML are produced with --format template and the templates shipped in the project's contrib/ directory, e.g. an HTML report for humans or JUnit XML that CI servers can render as test results.
Page 14
Security: “Please remove your belt sir!”
DevOps
Page 15
Automate CI Pipeline Integration
With Travis CI
script:
  - ./trivy --exit-code 0 --severity HIGH --no-progress --auto-refresh [YOUR_IMAGE]
  - ./trivy --exit-code 1 --severity CRITICAL --no-progress --auto-refresh [YOUR_IMAGE]
  ...
With CircleCI
  - run:
      name: Scan the local image with trivy
      command: trivy --exit-code 0 --no-progress --auto-refresh [YOUR_IMAGE]
  ...
The two Travis steps are the gate: the first prints HIGH findings but always exits 0 (report only); the second exits 1 on any CRITICAL finding and fails the build. The CircleCI step as shown is report-only (--exit-code 0); add a second step with --exit-code 1 --severity CRITICAL to block on it. --auto-refresh was a flag of the 2019-era releases and has since been removed; current Trivy refreshes its database on its own.
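The same gate expressed as a script over trivy --format json output, as an added example (not Trivy's own code, not part of the deck). It reproduces the Travis policy above (HIGH is reported, CRITICAL fails the build) and adds the one thing --exit-code cannot express by itself: a time-boxed acceptance of a named finding, like a .trivyignore entry that expires. The report embedded below is constructed and its vulnerability IDs are placeholders, not real CVEs; its shape follows Trivy's JSON output, which was a bare list of per-target results in 2019-era releases and is wrapped in {"SchemaVersion": 2, "Results": [...]} in recent ones. The allow-list format is hypothetical.

```python
"""Build gate over a Trivy JSON report (added example, not Trivy's code)."""
import json
import sys
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report; IDs are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps([
    {
        "Target": "registry.example/app:1.0 (alpine 3.10.2)",
        "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2000-0001", "PkgName": "musl",
             "InstalledVersion": "1.1.22-r2", "FixedVersion": "1.1.22-r3", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2000-0002", "PkgName": "openssl",
             "InstalledVersion": "1.1.1c-r0", "FixedVersion": "1.1.1d-r0", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2000-0003", "PkgName": "busybox",
             "InstalledVersion": "1.30.1-r2", "FixedVersion": "", "Severity": "CRITICAL"},
        ],
    },
    {
        "Target": "app/package-lock.json",
        "Type": "npm",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2000-0004", "PkgName": "lodash",
             "InstalledVersion": "4.17.11", "FixedVersion": "4.17.12", "Severity": "LOW"},
        ],
    },
])

# Hypothetical policy file: accepted finding -> date the acceptance expires.
# Typical use: an unfixed CRITICAL that the team has risk-accepted for a while.
SAMPLE_ALLOWLIST = {"CVE-2000-0003": "2030-01-01"}


def iter_findings(report):
    """Yield (target, vulnerability) pairs from either Trivy JSON schema."""
    data = json.loads(report) if isinstance(report, str) else report
    results = (data.get("Results") or []) if isinstance(data, dict) else data
    for result in results:
        for vuln in result.get("Vulnerabilities") or []:
            yield result["Target"], vuln


def evaluate(report, allowlist, fail_at="CRITICAL", warn_at="HIGH", today=None):
    """Return (exit_code, failures, warnings, accepted) for one report.

    `today` is an ISO date string (or None for the current date) so that
    expiry handling can be exercised deterministically.
    """
    today = date.fromisoformat(today) if today else date.today()
    failures, warnings, accepted = [], [], []
    for target, v in iter_findings(report):
        vid = v["VulnerabilityID"]
        sev = v.get("Severity", "UNKNOWN")
        rank = SEVERITY_RANK.get(sev, 0)
        line = (f"{target}: {vid} {v['PkgName']} {v['InstalledVersion']} "
                f"({sev}, fix: {v.get('FixedVersion') or 'none'})")
        expiry = allowlist.get(vid)
        if expiry and date.fromisoformat(expiry) >= today:
            accepted.append(line)      # acceptance still in force: do not count it
            continue                   # an expired acceptance falls through and counts again
        if rank >= SEVERITY_RANK[fail_at]:
            failures.append(line)
        elif rank >= SEVERITY_RANK[warn_at]:
            warnings.append(line)
    return (1 if failures else 0), failures, warnings, accepted


def main(path=None):
    """Gate a report file (or the embedded sample) and return the exit code for CI."""
    report = open(path).read() if path else SAMPLE_REPORT
    code, failures, warnings, accepted = evaluate(report, SAMPLE_ALLOWLIST)
    for label, items in (("FAIL", failures), ("WARN", warnings), ("ACCEPTED", accepted)):
        for item in items:
            print(f"[{label}] {item}")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

In a pipeline this replaces the two trivy invocations with one: trivy --format json -o report.json [YOUR_IMAGE] followed by python gate.py report.json, whose exit status fails the job. Keeping the acceptance list in the repository with an expiry date means a risk-accepted finding starts failing the build again on the agreed date instead of being forgotten.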
Page 16
Allow me to introduce Trivee’s Sister… Tracee!
Page 17
eB what?
● (e)BPF. You are going to hear this name a lot in the near future
● BPF super powers to the help:
  performance analysis
  tracing (e.g. system calls)
  firewalls
  enforcing security policies
  debugging
  reverse engineering
  more...
Page 18 · @lizrice
Page 19
Malware compressed with gzip and base64 encoded
Page 20
When static scanning is not enough
For a step-by-step account of this:
Page 21
Installing Tracee
⚫ Tracee https://github.com/aquasecurity/tracee
⚫ git clone https://github.com/aquasecurity/tracee.git
⚫ sudo ./start.py -c
⚫ What happens if we run Alpine and type “ls”?
start.py is the 2019 Python/BCC launcher; it needs root and a kernel with eBPF support plus the BCC toolchain on the host. Tracee has since been rewritten in Go and is now started as a container or binary, so follow the current README for the command line.
Page 22
Running ls in Alpine with Tracee monitoring
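What a tracer lets you do with those events, as an added example (not Tracee's code, and not its output format): the slide's point is that an image carrying its payload as a base64-encoded gzip blob has no package or CVE for Trivy to match, but the runtime chain base64 -d → gunzip → sh is plain to see in exec events, while the `ls` in a fresh Alpine shell from the demo above produces nothing suspicious. The event records below are constructed and simplified (Tracee prints many more columns and its schema has changed across releases); pids, timestamps and paths are made up. The detector groups events into process trees and flags two patterns: a decoder or unpacker followed by an interpreter or by execution out of a scratch directory, and execution of a file the same tree wrote. Both are heuristics, so expect to tune the word lists against legitimate installers.

```python
"""Spot decode-and-execute chains in a syscall event stream (added example)."""
from collections import defaultdict

DECODERS = {"base64", "openssl", "xxd"}                 # encoded blob -> raw bytes
UNPACKERS = {"gunzip", "gzip", "zcat", "tar", "xz", "bunzip2"}
INTERPRETERS = {"sh", "bash", "ash", "dash", "python", "perl"}
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/run/")
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_CREAT")

# Constructed events; one dict per syscall, simplified from what a tracer reports.
SAMPLE_EVENTS = [
    # Tree 1: entrypoint decodes a blob, gunzips it into /tmp, then runs it.
    {"ts": 1, "event": "execve", "pid": 100, "ppid": 1, "args": ["/bin/sh", "/entrypoint.sh"]},
    {"ts": 2, "event": "execve", "pid": 101, "ppid": 100, "args": ["base64", "-d", "/payload.b64"]},
    {"ts": 3, "event": "execve", "pid": 102, "ppid": 100, "args": ["gunzip", "-c"]},
    {"ts": 4, "event": "openat", "pid": 100, "path": "/tmp/.x", "flags": "O_WRONLY|O_CREAT|O_TRUNC"},
    {"ts": 5, "event": "execve", "pid": 103, "ppid": 100, "args": ["/tmp/.x"]},
    # Tree 2: the benign case from the demo, `ls` in a fresh Alpine shell.
    {"ts": 6, "event": "execve", "pid": 200, "ppid": 1, "args": ["/bin/sh"]},
    {"ts": 7, "event": "execve", "pid": 201, "ppid": 200, "args": ["ls"]},
    # Tree 3: the same trick without touching disk: ... | base64 -d | gunzip | sh
    {"ts": 8, "event": "execve", "pid": 300, "ppid": 1, "args": ["/bin/sh", "-c", "echo $BLOB | base64 -d | gunzip | sh"]},
    {"ts": 9, "event": "execve", "pid": 301, "ppid": 300, "args": ["base64", "-d"]},
    {"ts": 10, "event": "execve", "pid": 302, "ppid": 300, "args": ["gunzip"]},
    {"ts": 11, "event": "execve", "pid": 303, "ppid": 300, "args": ["sh"]},
]


def root_lookup(events):
    """Return a function mapping a pid to the top-most ancestor we saw exec."""
    parent = {e["pid"]: e["ppid"] for e in events if e["event"] == "execve"}

    def root(pid):
        seen = set()
        while parent.get(pid) in parent and pid not in seen:  # stop at unknown ancestors
            seen.add(pid)
            pid = parent[pid]
        return pid
    return root


def detect(events):
    """Group events per process tree; flag write-then-exec and decode-and-exec."""
    root = root_lookup(events)
    trees = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        trees[root(e["pid"])].append(e)

    alerts = []
    for root_pid, evs in trees.items():
        decoded = False        # a decoder/unpacker has already run in this tree
        written = set()        # paths this tree opened for writing
        for e in evs:
            if e["event"] == "openat":
                if any(flag in e["flags"] for flag in WRITE_FLAGS):
                    written.add(e["path"])
                continue
            if e["event"] != "execve":
                continue
            path = e["args"][0]
            exe = path.rsplit("/", 1)[-1]
            if exe in DECODERS or exe in UNPACKERS:
                decoded = True
                continue
            reasons = []
            if path in written:
                reasons.append("write-then-exec")
            if decoded and (exe in INTERPRETERS or path.startswith(SCRATCH_DIRS)):
                reasons.append("decode-and-exec")
            if reasons:
                alerts.append({"root_pid": root_pid, "ts": e["ts"], "exec": path, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"tree {a['root_pid']} ts={a['ts']}: exec {a['exec']} ({', '.join(a['reasons'])})")
```

Running it prints one alert for tree 100 (both reasons) and one for tree 300 (decode-and-exec only); tree 200, the `ls` demo, stays quiet. The grouping by process tree is what makes the rule usable: the decoder and the interpreter are separate processes, so looking at any single exec event in isolation would miss the chain.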
Page 23
Page 24
Page 25
Page 26
Insecure Defaults
Page 27
Page 28
Kube-Hunter: Integrated K8s pen-testing
Is my cluster exposed to potential attacks?
◼ Test clusters against real-world attack vectors
◼ Get risk assessment of how vulnerable your cluster is
◼ Passive and active mode, as external user, or within a pod
https://kube-hunter.aquasec.com/
Passive mode only enumerates what is reachable (exposed kubelet and API ports, anonymous access and the like); active mode goes on to exploit what it finds and can change cluster state, so run it only against clusters you own or are authorised to test.
Page 30
KubeHunter Options
Page 31
kube-bench
■ Automated tests for CIS Kubernetes Benchmark
■ Tests for Kubernetes Masters and Nodes
■ Available as a container
github.com/aquasecurity/kube-bench
The checks read control-plane and kubelet configuration files and process flags from the host, so the container form has to run on each node (for example as a Job or DaemonSet with the relevant host paths mounted) rather than remotely from a workstation.
Page 32
Page 33
Page 35
Start here – github.com/aquasecurity
Tracee: Dynamic Container Analysis. eBPF Observability of container behaviour
Trivy: Image vulnerability scanner. Scans images for known vulnerabilities; Works within CI tools
CloudSploit: Cloud security posture mgmt. Checks cloud IaaS accounts and services against security best practices
kube-hunter: Penetration testing for K8S. Tests K8s clusters against known attack vectors, both remote and internal