In the world of continuous delivery and cloud native, the boundaries between what is our application and what constitutes infrastructure is becoming increasing blurred. Our workloads, the containers they ship in, and our platform configuration is now often developed and deployed by the same teams, and development velocity is the key metric to success. This presents us with a challenge which the previous models of security as a final external gatekeeper step cannot keep up with. To ensure our apps and platforms are secure, we need to integrate security at all stages of our pipelines and ensure that our developers and engineering teams have tools and data with enable them to make decisions about security on an ongoing basis. In this session I will talk through the problem space, look at the kinds of security issues we need to consider, and look at where the integration points are to build in security as part of our CI/CD process.
stackconf 2021 | Continuous Security – integrating security into your pipelines
1. Snyk.io
Building security into your pipelines
Matt Jarvis | Senior Developer Advocate | matt.jarvis@snyk.io
Continuous Security
1
2. Snyk.io
● Matt Jarvis
○ Senior Developer Advocate @ Snyk
● Building stuff with open source for ~20 years
● Ops, Dev, DevOps and now Security
$whoami
@mattj_io
mattj-io
mattjarvis.org.uk
3. What is an application?
Networking
Virtual Machines
Your application
Pre-Cloud era
Developers wrote the application
IT Operations had the rest of the stack
Security was a step in the process
Virtual Infrastructure
Physical Hardware
4. What is an application?
Networking
Virtual Machines
Your application
Pre-Cloud era
Developers wrote the application
IT Operations had the rest of the stack
Security was a step in the process
Cloud Era
Developers write the code
and deploy, network and provision
This is now your application
So where does security fit?
Virtual Infrastructure
Physical Hardware Cloud Infrastructure
Terraform
Kubernetes
Your application
Container Image
5. Shifting security
Your application code
Are my open source dependencies up to date? Do I
have any vulnerabilities?
Cloud Infrastructure
Terraform
Kubernetes
Your application
Container Image
Deploying your code
Have I configured my containers correctly? Do I need
a root user? What is this load balancer?
Provision your infrastructure
Is my blobstore readable by the world? Have I setup
my permissions appropriately?
23. Configuration is everywhere
Azure ARM
250k+
Terraform
200k+
Kubernetes
2m+
AWS CF
90k+
Serverless
40k+
Compose
600k+
Sense of scale of infrastructure as code in public repositories on GitHub
24. Security misconfiguration is the
most commonly seen issue.
This is commonly a result of
insecure default configurations,
incomplete or ad hoc
configurations, open cloud
storage...
“
“
Configuration is a security risk
https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration
26. Developer First ...
Integrated workflows - IDE, CLI
$ snyk container test garethr/snyky --file=Dockerfile
Testing garethr/snyky...
✗ High severity vulnerability found in libpng
Description: Out-of-Bounds
Info: https://snyk.io/vuln/SNYK-LINUX-LIBPNG-172022
Introduced through: libpng@1.6.34-r1, freetype@2.9.1-r1,
openjdk8-jre@8.191.12-r0
From: libpng@1.6.34-r1
From: freetype@2.9.1-r1 > libpng@1.6.34-r1
From: openjdk8-jre@8.191.12-r0 > libpng@1.6.34-r1
Fixed in: 1.6.37-r0
✗ High severity vulnerability found in git
Description: Untrusted Search Path
Info: https://snyk.io/vuln/SNYK-LINUX-GIT-175991
Introduced through: git@2.18.1-r0
From: git@2.18.1-r0
Fixed in: 2.18.1-r1
27. Remediation guidance to minimize exposure
and reduce time-to-fix
Get straight to the Dockerfile
instructions that introduce
vulnerabilities
Follow base image recommendations
to reduce your total vulnerability
exposure
28. ● 2 factor authentication
● Strong key management practices
● Update git
● Beware of exposing private data
● Strong review processes
Make sure our repos are secure !
32. The Snyk Kubernetes controller scans your workloads
for vulnerable images. Then detects insecure
configurations that makes those vulnerabilities easier
for an attacker to exploit.
Prioritise vulnerabilities based on
production configuration
H
A remotely exploitable Java vulnerability. Deployed to production, not just
development. Running in a Kubernetes pod which is running as root and doesn’t
drop capabilities. Connected to a service with a public IP address.
+ =
Protect your application
After the initial scan
33. Containers shift
ownership of code +
runtime
environment to
developers
Developers aren’t
security experts -
they need support
and tools that
empower them
More software +
faster release
cycles leads to
more software risk
It is critical for developers to secure containers
from the start
34. Local CI/CD Registry Production
$ snyk test --docker garethr/snyky
Testing garethr/snyky...
✗ Low severity vulnerability found in git
Description: CVE-2018-19486
Info: https://snyk.io/vuln/SNYK-LINUX-GIT-175991
Introduced through: git@2.18.1-r0
From: git@2.18.1-r0
Introduced by your base image (release)
Fixed in: 2.18.1-r1
Organisation: garethr
Package manager: apk
Git
Detect vulnerabilities
Throughout the software supply chain