Secure Your Apps with NGINX Plus and the ModSecurity WAF
Die SlideShare-Präsentation wird heruntergeladen.
×
Hier ansehen
Empfohlen
Weitere Verwandte Inhalte
Diashows für Sie (20)
Ähnlich wie DevSecCon Singapore 2019: Preventative Security for Kubernetes (20)
Weitere von DevSecCon (20)
Aktuellste (20)
DevSecCon Singapore 2019: Preventative Security for Kubernetes
- 1. © 2018-19 Aqua Security Software Ltd., All Rights Reserved Preventative Security for Kubernetes Liz Rice @lizrice | @aquasecteam
- 2. @lizrice Agenda ■ Kubernetes configuration for security ■ CIS benchmarks – testing the configuration ■ Penetration testing – testing for vulnerabilities
- 3. 3 Authored by Liz Rice from Aqua Security and Michael Hausenblas from Red Hat https://info.aquasec.com/kubernetes-security
- 4. @lizrice ▪ Secure the CI/CD pipeline ▪ “Shift left” security, fix issues early and fast ▪ Accelerate app delivery with security automation Aqua: our approach ▪ Enforce immutability – no patching, no drift ▪ Whitelist good behavior, preventing anomalies ▪ Prevent lateral movement ▪ Secure apps regardless of platform, cloud, or OS ▪ Enable hybrid cloud and cloud migration ▪ Avoid cloud lock-in and security reconfiguration Automate DevSecOps Modernize security through containers Secure once, run anywhere
- 5. @lizrice Create software Build Deploy Code quality Security testing Vulnerability scanning Image policies Runtime protection Artifacts free of security defects Only expected code & config Detect anomalous behaviour Host configuration Automating Security at Every Stage
- 6. @lizrice Kubernetes Host Configuration
- 7. @lizrice ■ Kubernetes components installed on your servers ■ Master & node components ■ Many configuration settings have a security impact ■ Example: open Kubelet port = root access ■ Defaults depend on the installer Kubernetes configuration What config settings should I use?
- 8. @lizrice CIS Kubernetes Benchmark
- 9. @lizrice ■ Open source automated tests for CIS Kubernetes Benchmark ■ Tests for Kubernetes Masters and Nodes ■ Available as a container kube-bench github.com/aquasecurity/kube-bench
- 10. @lizrice
- 11. @lizrice ■ Job configuration YAML ■ Run regularly to ensure no configuration drift ■ Tests defined in YAML ■ Released code follows the CIS Benchmark ■ Modify for your own purposes kube-bench github.com/aquasecurity/kube-bench
- 12. @lizrice ■ Built into the Aqua CSP ■ Provides a scored report of the results ■ Can be scheduled to run daily Kubernetes & Docker CIS Benchmarks
- 13. @lizrice Kubernetes penetration testing
- 14. @lizrice ■ Open source penetration tests for Kubernetes ■ See what an attacker would see ■ github.com/aquasecurity/kube-hunter ■ Online report viewer ■ kube-hunter.aquasec.com kube-hunter How do I know the config is working to secure my cluster?
- 15. @lizrice kube-hunter.aquasec.com
- 16. 16
- 17. 17
- 18. @lizrice kube-hunter with kube-bench
- 19. 19
- 20. 20
- 21. 21
- 22. @lizrice kube-hunter inside a pod
- 23. @lizrice Kubernetes cluster pod kube-hunter inside a pod What if my app gets compromised? token API server
- 24. @lizrice ■ Results depend on RBAC settings ■ and the service account you use for the pod kube-hunter inside a pod What if my app gets compromised?
- 25. © 2018-19 Aqua Security Software Ltd., All Rights Reserved github.com/aquasecurity/kube-bench github.com/aquasecurity/kube-hunter @lizrice | @aquasecteam
