The migration from monoliths to microservices is long behind us, however managing microservices operations at scale comes with a layer of complexity, particularly with aspects of security that still have a learning curve. But what if all of this could be simplified and automated pretty easily? If we think about our production Kubernetes & microservices operations, in the same way we think about how we design and build our products, we could build and automate minimum viable security plans that we could easily bake into our config files and CI/CD processes. Once we build this foundational framework of security, it will always be possible to iterate and evolve our security framework, for advanced layers of security that often comes with time, increased experience, and greater maturity around security. In this talk, we will present what MVS looks like for cloud native operations, how to build a cluster secured by design, continuously monitoring networking, container internals and primitives, and access management with a least privilege principle mindset. In this session we will demonstrate this through code, and even how this can work seamlessly with other CNCF ecosystem projects – from Helm to OPA, ArgoCD, Notary, as well at the most common DevOps stacks – Terraform, to AWS, GitHub Actions and more.

1. for Cloud Native Stacks
19 July, 2022
Minimum Viable
Security
David Melamed, Co-Founder & CTO at Jit
2022

4. Source: https://visual.ly/community/Infographics/entertainment/protecting-your-house-home-alone-style

8. Public resources
IPs, buckets, …
3rd parties
User access
YOUR APP
CI/CD Pipeline
Protecting your perimeter
Admin User

9. Cloud Misconfig.
Pentesting
MFA / Scope
MFA / Least
privilege
YOUR APP
Least privilege
Controls to protect your perimeter
Admin User

14. YOUR APP
Protecting your app and its data
Disaster
recovery
Incident
Investigation
Access to
services
Traffic
Libraries
Secrets

15. YOUR APP
Controls to protect your app
Backup
Logging
Least Privilege
Encryption
Depcheck
SecretMgr

19. Minimum Security Controls

20. Securing a sample microservice
● Simple FastAPI-based app to display movies information
● Data persistence: SQLite
● SCM: Github / CI: Github Actions
● Goal: integrate the 7 tools that are part of the MVS in the CI pipeline
● Demo repository
https://github.com/dvdmelamed/stackconf-2022
Example for a Python-based app

21. Code vulnerabilities
➔ Ensure you don’t have vulnerabilities in your code
➔ Use a Static Application Security Testing (SAST) scanner to
detect vulnerabilities based on existing patterns
➔ Demo: Bandit
◆ Security open-source linter for Python source code
◆ Includes 35 rules for detecting vulnerabilities
Your Code

22. Secrets
➔ Make sure there are no hard-coded secrets
➔ Use a scanner that both searches for regexes of well known
secret patterns like PAT, Slack token, AWS keys…
➔ Demo: Gitleaks
◆ Supports multiple types of secrets: API keys, AWS credentials, SSH keys…
◆ Supports detecting secrets in git history
Your Code

23. Vulnerable Dependencies
➔ Track 3rd parties libraries with disclosed vulnerabilities (CPE / CVE)
➔ Use a scanner that will track down those vulnerable libraries
➔ Demo: dependency-check
◆ OWASP OSS project
◆ Detects publicly disclosed vulnerabilities contained within a project’s
dependencies
Your Code

24. Infrastructure misconfiguration
➔ When the infrastructure is expressed as code, it is possible to
detect misconfigurations early by scanning the code
➔ Use a scanner that will look for IaC misconfigurations
➔ Demo: KICS
◆ OSS by Checkmarx supporting many infrastructure types: CloudFormation,
Terraform, Ansible, Kubernetes, Helm, Docker, Ansible, ARM…
◆ Include 2000+ checks
Your Infrastructure

25. Pentesting
➔ Simulate attacks on your frontend to ensure it is safe
➔ Use a pentest / Web Application Scanner
➔ to test the security of your SaaS
➔ Demo: ZED Attack Proxy (ZAP)
◆ Free web app scanner by OWASP
◆ Includes 17 built-in rules
◆ Supports also API Scanning using OpenAPI
or Swagger for endpoint discovery
Your Runtime

26. Vulnerable container images
➔ When building your container images, make sure there is no
vulnerability in the base image
➔ Use a scanner that will scan your container images and enforce
your image trust (Notary)
➔ Demo: Trivy
◆ OSS by Aqua supporting OS packages and language-based packages
◆ Supports also IaC misconfigurations
Your Pipeline

27. Multi-Factor Authentication (MFA)
➔ Ensure you enforce MFA for all 3rd party access
➔ Make sure MFA is used (custom tool)
➔ Demo: MFA on Github
Your 3rd Parties

28. Securing a sample microservice: the tools
Bandit Gitleaks OWASP
Dependency-check
OWASP
ZAP
SAST SAST (Secrets) SCA DAST MFA
Custom
IAC
KICS Trivy
Containers
Example for a Python-based app

29. A Minimum Viable Security plan (1)
Code vulnerability
Secrets
Logging
Vulnerable libraries
01
04
Vulnerable containers
Least priv. access
02
Cloud Misconfiguration
Least Priv. Remote access
Your code Your infra
Your pipeline
03
Pentesting
API Security
Your runtime

30. A Minimum Viable Security plan (2)
05
Data encryption
Secrets storage
06
Multi-Factor Auth
Secured access
08
Audit
Backup
Your data Your 3rd parties
Your operations
07
Password manager
Your people

31. Improving dev-first experience: Jit
Dev-native experience
using PR comments
Customized MVS plan

32. Your next step on the security journey

33. Thank you
Intrigued? Try our free beta at jit.io
Inspired? Join us! We are hiring!
Questions? Contact me at david@jit.io