CNCF Checkov and Bridgecrew
1. CNCF Live Webinar: Cloud native DevOps security
Sebastian Straube, Cloud Solutions Architect | ALPS Lead Prisma Cloud, sstraube@paloaltonetworks.com
Simon Melotte, Cloud Solutions Architect, smelotte@paloaltonetworks.com
Prisma Cloud: Cloud Native Application Protection
2. Nearly 1 in 2 open-source Terraform modules contain misconfigurations
Security check is enabled by default?
Nearly half of open-source CloudFormation templates were insecure
Source: Bridgecrew research scanning Terraform Registry and Unit 42 scanning GitHub
Open source allows for great scalability, but we question the default security. Half of the open-source templates we found in public*1 are not secure, based on our research.
*1 incl. Terraform Registry and GitHub open-source code.
3. What is Checkov?
• Checkov by Bridgecrew is an open-source static analysis tool and policy-as-code engine for infrastructure as code (IaC).
• Pre-built with hundreds of policies that cover security and compliance best practices across AWS, Azure, Google Cloud, and Kubernetes.
• With over 2M downloads to date, Checkov is the most popular IaC scanner on the market.
• Native scanning support for Terraform, CloudFormation, Kubernetes manifests, Azure Resource Manager, and more.
• Checkov is written in Python and is fully extensible to fit into any developer workflow.
• Provides a simple and flexible tool for enforcing codified, version-controlled policies.
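To make the "fully extensible" point concrete, here is an added example (not Checkov's own code and not from the webinar) of two policy-as-code checks written in the shape of a Checkov custom Terraform check: each declares the resource types it applies to and implements scan_resource_conf over the parsed resource block. Assumptions: a real plugin would subclass checkov's BaseResourceCheck and return its CheckResult, both stubbed here so the script runs without checkov installed; the sample resources and the CKV_CUSTOM_* ids are constructed for illustration.

```python
# Two policy-as-code checks in the shape of a Checkov custom Terraform check (added example).
# Assumption: a real plugin subclasses checkov's BaseResourceCheck and returns its CheckResult;
# both are stubbed here so this runs without checkov. Values are list-wrapped, as Checkov does.
from enum import Enum


class CheckResult(Enum):  # stand-in for checkov.common.models.enums.CheckResult
    PASSED = "PASSED"
    FAILED = "FAILED"


class S3BucketPublicAcl:
    """Fail when an aws_s3_bucket grants a public canned ACL."""
    id = "CKV_CUSTOM_1"  # hypothetical policy id
    supported_resources = ["aws_s3_bucket"]

    def scan_resource_conf(self, conf):
        acl = conf.get("acl", ["private"])[0]
        public = acl in ("public-read", "public-read-write")
        return CheckResult.FAILED if public else CheckResult.PASSED


class S3BucketEncryption:
    """Fail when no server_side_encryption_configuration block is declared."""
    id = "CKV_CUSTOM_2"  # hypothetical policy id
    supported_resources = ["aws_s3_bucket"]

    def scan_resource_conf(self, conf):
        sse = conf.get("server_side_encryption_configuration")
        return CheckResult.PASSED if sse else CheckResult.FAILED


CHECKS = [S3BucketPublicAcl(), S3BucketEncryption()]


def run_checks(resources):
    """Run each check on the resource types it supports; returns (type, name, check id, result)."""
    results = []
    for rtype, name, conf in resources:
        for check in CHECKS:
            if rtype in check.supported_resources:
                results.append((rtype, name, check.id, check.scan_resource_conf(conf).value))
    return results

# Constructed sample resources, in the shape Checkov hands a check after parsing HCL.
SAMPLE = [
    ("aws_s3_bucket", "logs", {"bucket": ["my-logs"], "acl": ["public-read"]}),
    ("aws_s3_bucket", "data", {"acl": ["private"], "server_side_encryption_configuration": [{"rule": [{}]}]}),
    ("aws_instance", "web", {"ami": ["ami-12345678"]}),  # no bucket checks apply here
]
```

Calling run_checks(SAMPLE) flags the public, unencrypted "logs" bucket on both policies and passes the "data" bucket, while the EC2 instance is skipped because neither check lists its resource type.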
5. Have you checked every corner in your SDLC?
Find cloud infrastructure misconfigurations and security errors
• Powered by open source & community
• Both build-time and run-time
Fix issues in code, with code, in Dev and Prod
• Merge-ready pull requests
• Transform cloud misconfigs into secure code and detect drift
Prevent vulnerabilities and compliance issues from being deployed in Prod and any stage
• Enforce policy-as-code across all config
• Streamlined into developer workflows
6. The next big challenge: "Shift-Left" DevSecOps security
[Diagram: 1 misconfigured or vulnerable piece of code, uncaught by Developers at Build time, turns into 100s of deployments by DevOps at Deploy time, which, uncaught, turn into 1,000s of security alerts (issues to fix) for Security at Run-Time.]
Cost to fix a bug:
• 1x when found during coding
• 5x when found during testing
• 20x when found in production
7. How it works
Pipeline stages: Code & Commit | Build & Test | Deploy & Operate
• Fix & Prevent: IDE extension, block PRs and builds
• Configuration assurance: AWS, Azure, Google Cloud, Kubernetes
• IaC scanning: Terraform, CloudFormation, Azure Resource Manager, etc.
• Monitor & Remediate: automated remediations
• Bridgecrew platform: dashboards, compliance reports, policy engine, notifications
8. How do we integrate?
Integrations:
• Infrastructure as code frameworks
• Cloud providers
9. Benefits of automated IaC security
• Lower time to remediation: reduced time to fix misconfigurations by xx%
• Decrease high severity events: reduced high severity incidents in production by xx%
• Simplify compliance: reduced non-compliant resources by xx%
• Minimize the attack surface: reduced number of groups and roles by xx%
10. What requirements should IaC security include?
• Infrastructure as code (IaC) security: integrate IaC scanning with actionable feedback, PR fixes, and CI/CD guardrails for improved posture before deployment
• Drift detection: automate finding and fixing drift between code and cloud to benefit from GitOps best practices
• Secrets scanning: prevent passwords, API keys, and other secrets from ever making it into public repositories
• Least privilege IAM: reduce the attack surface with cloud IAM converted to code and audited for least privilege
13. Cloud Native Application Platform Approach (CNAPP)
CNAPP enables IT leaders to:
1. Laser-focus on shift-left
2. Optimize app deployment time by integrating security into DevOps processes (DevSecOps)
3. Reduce application downtime for break-fix procedures
4. Reduce security alerts and false positives in the SOC
5. Increase DevSecOps team agility and app resilience
6. Enable integrated and centralized management interfaces and dashboards
7. Consolidate the tool landscape and licensing model