In the world of continuous delivery and cloud native, the boundaries between what is our application and what constitutes infrastructure is becoming increasing blurred. Our workloads, the containers they ship in, and our platform configuration is now often developed and deployed by the same teams, and development velocity is the key metric to success. This presents us with a challenge which the previous models of security as a final external gatekeeper step cannot keep up with. To ensure our apps and platforms are secure, we need to integrate security at all stages of our pipelines and ensure that our developers and engineering teams have tools and data with enable them to make decisions about security on an ongoing basis. In this session I will talk through the problem space, look at the kinds of security issues we need to consider, and look at where the integration points are to build in security as part of our CI/CD process.

1. Snyk.io
Building security into your pipelines
Matt Jarvis | Senior Developer Advocate | matt.jarvis@snyk.io
Continuous Security
1

2. Snyk.io
● Matt Jarvis
○ Senior Developer Advocate @ Snyk
● Building stuff with open source for ~20 years
● Ops, Dev, DevOps and now Security
$whoami
@mattj_io
mattj-io
mattjarvis.org.uk

3. What is an application?
Networking
Virtual Machines
Your application
Pre-Cloud era
Developers wrote the application
IT Operations had the rest of the stack
Security was a step in the process
Virtual Infrastructure
Physical Hardware

4. What is an application?
Networking
Virtual Machines
Your application
Pre-Cloud era
Developers wrote the application
IT Operations had the rest of the stack
Security was a step in the process
Cloud Era
Developers write the code
and deploy, network and provision
This is now your application
So where does security fit?
Virtual Infrastructure
Physical Hardware Cloud Infrastructure
Terraform
Kubernetes
Your application
Container Image

5. Shifting security
Your application code
Are my open source dependencies up to date? Do I
have any vulnerabilities?
Cloud Infrastructure
Terraform
Kubernetes
Your application
Container Image
Deploying your code
Have I configured my containers correctly? Do I need
a root user? What is this load balancer?
Provision your infrastructure
Is my blobstore readable by the world? Have I setup
my permissions appropriately?

6. Snyk.io
Your App

7. Snyk.io
Your App
Your Code

8. Snyk.io
source: https://snyk.io/opensourcesecurity-2019

9. Snyk.io
source: https://snyk.io/opensourcesecurity-2019

10. Snyk.io
Jan 2015
rimrafall
Jan 2017
crossenv
May 2018
getcookies
Jul 2018
eslint-scope
Nov 2018
event-stream

11. Snyk.io
May 2018
getcookies
Parse HTTP headers for cookie data

12. Snyk.io
May 2018
getcookies
Parse HTTP headers for cookie data
or does it...?

13. Snyk.io

14. Snyk.io
getcookies
express-cookies
http-fetch-cookies

15. Snyk.io
getcookies
express-cookies
http-fetch-cookies
mailparser 440,000 downloads/month

16. Developer
owned
68%
Developers own
the security of container images

17. Snyk.io
source: https://snyk.io/opensourcesecurity-2019

18. Snyk.io
source: https://snyk.io/opensourcesecurity-2019

19. Snyk.io
source: https://snyk.io/opensourcesecurity-2019

20. Snyk.io
44%
of docker image vulnerabilities can
be fixed with newer base images

21. Snyk.io
20%
of docker image vulnerabilities can
be fixed just by rebuilding them

22. Configuration is increasingly in code

23. Configuration is everywhere
Azure ARM
250k+
Terraform
200k+
Kubernetes
2m+
AWS CF
90k+
Serverless
40k+
Compose
600k+
Sense of scale of infrastructure as code in public repositories on GitHub

24. Security misconfiguration is the
most commonly seen issue.
This is commonly a result of
insecure default configurations,
incomplete or ad hoc
configurations, open cloud
storage...
“
“
Configuration is a security risk
https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration

25. CI/CD
Git repository
Traditional/PaaS
Serverless
Production
Container Security Spectrum
Securing development and operations
Registry
deploy
Security
gate
Code
Test & fix Test, fix,
monitor
build
Kubernetes
Monitor & fix
submit
Test, fix,
monitor

26. Developer First ...
Integrated workflows - IDE, CLI
$ snyk container test garethr/snyky --file=Dockerfile
Testing garethr/snyky...
✗ High severity vulnerability found in libpng
Description: Out-of-Bounds
Info: https://snyk.io/vuln/SNYK-LINUX-LIBPNG-172022
Introduced through: libpng@1.6.34-r1, freetype@2.9.1-r1,
openjdk8-jre@8.191.12-r0
From: libpng@1.6.34-r1
From: freetype@2.9.1-r1 > libpng@1.6.34-r1
From: openjdk8-jre@8.191.12-r0 > libpng@1.6.34-r1
Fixed in: 1.6.37-r0
✗ High severity vulnerability found in git
Description: Untrusted Search Path
Info: https://snyk.io/vuln/SNYK-LINUX-GIT-175991
Introduced through: git@2.18.1-r0
From: git@2.18.1-r0
Fixed in: 2.18.1-r1

27. Remediation guidance to minimize exposure
and reduce time-to-fix
Get straight to the Dockerfile
instructions that introduce
vulnerabilities
Follow base image recommendations
to reduce your total vulnerability
exposure

28. ● 2 factor authentication
● Strong key management practices
● Update git
● Beware of exposing private data
● Strong review processes
Make sure our repos are secure !

29. Pull request scanning and repository monitoring
Automated remediation
Scan new code

30. Scan images in registries ...

31. CI Pipelines

32. The Snyk Kubernetes controller scans your workloads
for vulnerable images. Then detects insecure
configurations that makes those vulnerabilities easier
for an attacker to exploit.
Prioritise vulnerabilities based on
production configuration
H
A remotely exploitable Java vulnerability. Deployed to production, not just
development. Running in a Kubernetes pod which is running as root and doesn’t
drop capabilities. Connected to a service with a public IP address.
+ =
Protect your application
After the initial scan

33. Containers shift
ownership of code +
runtime
environment to
developers
Developers aren’t
security experts -
they need support
and tools that
empower them
More software +
faster release
cycles leads to
more software risk
It is critical for developers to secure containers
from the start

34. Local CI/CD Registry Production
$ snyk test --docker garethr/snyky
Testing garethr/snyky...
✗ Low severity vulnerability found in git
Description: CVE-2018-19486
Info: https://snyk.io/vuln/SNYK-LINUX-GIT-175991
Introduced through: git@2.18.1-r0
From: git@2.18.1-r0
Introduced by your base image (release)
Fixed in: 2.18.1-r1
Organisation: garethr
Package manager: apk
Git
Detect vulnerabilities
Throughout the software supply chain

35. Snyk.io
Thanks For Listening !
35