The migration from monoliths to microservices is long behind us, however managing microservices operations at scale comes with a layer of complexity, particularly with aspects of security that still have a learning curve. But what if all of this could be simplified and automated pretty easily? If we think about our production Kubernetes & microservices operations, in the same way we think about how we design and build our products, we could build and automate minimum viable security plans that we could easily bake into our config files and CI/CD processes. Once we build this foundational framework of security, it will always be possible to iterate and evolve our security framework, for advanced layers of security that often comes with time, increased experience, and greater maturity around security. In this talk, we will present what MVS looks like for cloud native operations, how to build a cluster secured by design, continuously monitoring networking, container internals and primitives, and access management with a least privilege principle mindset. In this session we will demonstrate this through code, and even how this can work seamlessly with other CNCF ecosystem projects – from Helm to OPA, ArgoCD, Notary, as well at the most common DevOps stacks – Terraform, to AWS, GitHub Actions and more.
20. Securing a sample microservice
● Simple FastAPI-based app to display movies information
● Data persistence: SQLite
● SCM: Github / CI: Github Actions
● Goal: integrate the 7 tools that are part of the MVS in the CI pipeline
● Demo repository
https://github.com/dvdmelamed/stackconf-2022
Example for a Python-based app
21. Code vulnerabilities
➔ Ensure you don’t have vulnerabilities in your code
➔ Use a Static Application Security Testing (SAST) scanner to
detect vulnerabilities based on existing patterns
➔ Demo: Bandit
◆ Security open-source linter for Python source code
◆ Includes 35 rules for detecting vulnerabilities
Your Code
22. Secrets
➔ Make sure there are no hard-coded secrets
➔ Use a scanner that both searches for regexes of well known
secret patterns like PAT, Slack token, AWS keys…
➔ Demo: Gitleaks
◆ Supports multiple types of secrets: API keys, AWS credentials, SSH keys…
◆ Supports detecting secrets in git history
Your Code
23. Vulnerable Dependencies
➔ Track 3rd parties libraries with disclosed vulnerabilities (CPE / CVE)
➔ Use a scanner that will track down those vulnerable libraries
➔ Demo: dependency-check
◆ OWASP OSS project
◆ Detects publicly disclosed vulnerabilities contained within a project’s
dependencies
Your Code
24. Infrastructure misconfiguration
➔ When the infrastructure is expressed as code, it is possible to
detect misconfigurations early by scanning the code
➔ Use a scanner that will look for IaC misconfigurations
➔ Demo: KICS
◆ OSS by Checkmarx supporting many infrastructure types: CloudFormation,
Terraform, Ansible, Kubernetes, Helm, Docker, Ansible, ARM…
◆ Include 2000+ checks
Your Infrastructure
25. Pentesting
➔ Simulate attacks on your frontend to ensure it is safe
➔ Use a pentest / Web Application Scanner
➔ to test the security of your SaaS
➔ Demo: ZED Attack Proxy (ZAP)
◆ Free web app scanner by OWASP
◆ Includes 17 built-in rules
◆ Supports also API Scanning using OpenAPI
or Swagger for endpoint discovery
Your Runtime
26. Vulnerable container images
➔ When building your container images, make sure there is no
vulnerability in the base image
➔ Use a scanner that will scan your container images and enforce
your image trust (Notary)
➔ Demo: Trivy
◆ OSS by Aqua supporting OS packages and language-based packages
◆ Supports also IaC misconfigurations
Your Pipeline
27. Multi-Factor Authentication (MFA)
➔ Ensure you enforce MFA for all 3rd party access
➔ Make sure MFA is used (custom tool)
➔ Demo: MFA on Github
Your 3rd Parties
28. Securing a sample microservice: the tools
Bandit Gitleaks OWASP
Dependency-check
OWASP
ZAP
SAST SAST (Secrets) SCA DAST MFA
Custom
IAC
KICS Trivy
Containers
Example for a Python-based app
29. A Minimum Viable Security plan (1)
Code vulnerability
Secrets
Logging
Vulnerable libraries
01
04
Vulnerable containers
Least priv. access
02
Cloud Misconfiguration
Least Priv. Remote access
Your code Your infra
Your pipeline
03
Pentesting
API Security
Your runtime
30. A Minimum Viable Security plan (2)
05
Data encryption
Secrets storage
06
Multi-Factor Auth
Secured access
08
Audit
Backup
Your data Your 3rd parties
Your operations
07
Password manager
Your people