
Application security meetup k8_s security with zero trust_29072021



The "K8S security with Zero Trust" Meetup is about K8s posture Management and runtime protection, ways to secure your software supply chain, Managing Attack Surface reduction, and How to secure K8s with Zero-Trust.


  1. Posture Vs Runtime
  2. APPLICATION RELEASE CYCLE Security Assessment
  3. K8S WHO, WHY AND HOW? How often are your release cycles? What role at your organization is most responsible for container and Kubernetes security?
  4. K8S WHO, WHY AND HOW?
     Risk mitigation, compliance and avoiding a data breach:
     • Compliance is a priority
     • Lack of K8s knowledge; uses network security (NGFW) for North-South sanitation and WAF/API gateways for application-level vulnerabilities
     • Willing to purchase a standalone solution for K8s security
     • Looking for a solution that covers A-Z (runtime, posture etc.)
     Deliver code as fast as possible:
     • Security is not a priority
     • Hates adding tools to his pipeline
     • Bottleneck in the organization
     • "Don't touch my production!" - shift left
     • Everything is code/API
     • Visibility is very important, but not as a standalone offering
     • Secret management is a headache
  5. K8S CUSTOMERS POINT OF VIEW
  6. K8S CUSTOMERS POINT OF VIEW
  7. SHIFT LEFT
  8. CAN WE SECURE USING ONLY SHIFT LEFT? IMO, NO!!! Others can claim:
     • Micro Services are predictable. Pro: watch for abnormal behavior. Con: not really the case with many types of workloads -> a lot of false positives
     • Immutability. Pro: you scan for vulnerabilities and deliver a new image every time. Con: if the attacker knows how to insert malware he can do it every time, and maybe he is already on the host/other workload
  9. POSTURE VS RUNTIME
  10. K8S SECURITY REQUIREMENTS
  11. WHERE AND WHY EXISTING SOLUTIONS FAIL
      K8S POSTURE MANAGEMENT (find vulnerabilities & misconfigurations): endless chase; no single source of truth for K8s configuration; thousands of potential misconfigurations
      K8S RUN TIME PROTECTION (anomaly behavioral analysis and network segmentation): inability to build a reliable normal baseline; false positives, complexity, and performance impact; resource intensive
  12. LOOKING TO SECURE KUBERNETES? K8S POSTURE MANAGEMENT + K8S RUN TIME PROTECTION
  13. A WHOLE NEW WAY TO SECURE KUBERNETES: infusing visibility, control, and security seamlessly into every workload
  14. ARMO BRINGS K8S POSTURE AND RUNTIME TOGETHER - SEAMLESSLY (ARMO Kubernetes Fabric™: K8S POSTURE MANAGEMENT + K8S RUN TIME PROTECTION)
      • Enrich findings with runtime deep-visibility information
      • Shrink the attack surface based on field-proven best practices
      • Continuous compliance validation and auditing
      • From Zero to Zero-Trust in 10 minutes
      • No need to change policies when microservices change
      • Resiliency by design, even against the most advanced attacks
      • Add context and relevancy to posture findings
      • Patented one-YAML deterministic ZERO-TRUST
  15. KEY TAKEAWAYS
      • You need both posture and runtime protection
      • Scan your posture as soon as possible (shift left)
      • Apply runtime protection on dev/staging/production
      Stay Safe! Questions?
  16. The greatest risk is the one you are not aware of. zvika.ronen@fossaware.com, TEL: +972-(0)52-426-5306. All rights reserved © FOSSAware LTD
  17. Who am I
      • I am 48
      • L.L.B law degree - Ono Academic College
      • I am the CTO of FOSSAware
      • I specialized in FOSS technologies and software audits
      • I help organizations to implement a risk management program to manage their OSS usage, lower the remediation costs and comply with ISO standards
      • I also perform tech due-diligence audits and escort such processes for target companies
  18. Few Words on Open Source
  19. FOSS Definition: freely accessed, used, changed, and shared. FSF: four essential freedoms of the Free Software Definition. OSI: ten criteria of the Open Source Software Definition.
  20. Open Source Risks
      Legal risk:
      • Losing IP protection
      • Paying monetary damages
      • Blocked product shipment/distribution (injunction)
      • Negative press and damaged relationships with customers
      Cyber security vulnerabilities:
      • Denial of service, taking a service offline
      • Business intelligence and client information theft
      • Hacker remote access
      • Ransom attacks
      Operational risk:
      • Losing the ability to build your software due to missing web-based components
      • Losing community support due to open source projects with low contribution activity
      • Using outdated open source components (less secure, more complex to upgrade)
  21. Steve Ballmer, former Microsoft CEO: https://www.theregister.com/2001/06/02/ballmer_linux_is_a_cancer/
  22. Today Everyone loves Open Source
  23. https://www.zdnet.com/article/ballmer-i-may-have-called-linux-a-cancer-but-now-i-love-it/
  24. (image only)
  25. Source: Synopsys OSSRA 2021
  26. Industry Sectors and Open Source (Source: Synopsys OSSRA 2021)
  27. Open Source in Commercial Software: Own Proprietary Software, 3rd Party Commercial Software, Open Source, Commercial Software Dependencies, Open Source Dependencies
  28. Hackers also Love Open Source
  29. OSS Malicious Package Analysis by the Academy (Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks)
      • Hundreds of open source packages were used in real cyber events
      • 61% of malicious packages used typosquatting
      • 2nd most common: injection into an existing package
      • dateutil vs python3-dateutil: 350 forks
      • jellyfish vs jeIlyfish ("L" is an "I"): 122 forks
  30. Downloaded FOSS may include hidden setup. Source: Dustico Blog, https://dusti.co/blog/unsafe-to-download-pip/
  31. Open Source Vulnerabilities Continue To Increase (Source: WhiteSource, 2021)
  32. Top 10 Open Source Vulnerabilities In 2020 (Source: WhiteSource): #1 Lodash, #2 FasterXML jackson-databind, #3 HtmlUnit, #4 Handlebars, #5 http-proxy
  33. Source: Sonatype, DevSecOps Community Survey 2020
  34. Open Source related breaches occur much too often
  35. 1 in 5 breaches is Open Source related (Source: Sonatype, DevSecOps Community Survey 2020)
  36. Equifax breach was 100% preventable. Open Source Component: Apache Struts (CVE-2017-5638)
  37. The "Event-Stream" incident (https://github.com/dominictarr/event-stream/issues/116)
      • Popularity: 2 million downloads per week
      • Dependency: "flatmap-stream" has malicious code
      • The action: harvest the victim's "copay" private keys
      • Intention: steal Bitcoin
      • Result: 7000 stolen bitcoins
  38. Instagram hack core reason: Mozjpeg
      • Open Source Component: Mozjpeg (CVE-2020-13790)
      • Mozjpeg weekly downloads from NPM: 650k
  39. CODECOV (Source: reddit.com)
  40. Source: medium.com/@alex.birsan/dependency-confusion
  41. Copycat behavior (Dependency Confusion based): PyPI and NPM Flooded with over 5,000 Dependency Confusion Copycats (Source: securityreport.com)
  42. What is the weakest / unknown link of the chain?
      • Human factor (training)
      • Proprietary code (static analysis)
      • Supply chain 3rd party (liability & support)
      • Open Source?
      • White/Black-box (testing)
  43. Top 10 Web Application Security Risks
  44. What does Biden have to say on Open Source? "Developers often use available open source and third-party software components to create a product; an SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities. Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product."
  45. What Should We Do?
  46. 1. Know Your Product
  47. Open Source in Commercial Software: Homegrown code, 3rd Party Commercial Software, Open Source, Commercial Software Dependencies, Open Source Dependencies
  48. 2. Manage your Open Source
  49. Manage your Open Source: choosing right; manage your software supply chain in "critical software". "Critical software" — software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources). (Diagram labels: 3rd Party Commercial Software, Open Source Dependencies, Open Source Dependencies)
  50. CII Best Practices badge program
  51. Manage risks from 3rd party (Supply Chain). Common defaults in commercial software agreements: End User License Agreement; BSD Open Source License
  52. Homegrown vs. Open Source vs. 3rd Party Proprietary SW

      | | Homegrown code | Open Source | 3rd Party Proprietary SW |
      |---|---|---|---|
      | Cost | | | |
      | Possible Vulnerabilities | | | |
      | IP rights | Owned | Licensed | Licensed |
      | License Requirements | | | |
      | Procurement is being done by | Homegrown | The developers | Procurement people |
      | Monitoring | | | |
      | Who is responsible? | The developer | The developer | The vendor |
      | Support | By the developer | Community/Developer | By the vendor |
      | Additional Dependencies | | | |
      | Access to Source Code | | | |
      | Analysis tools | Static Code Analysis | Software Composition Analysis | Penetration Test |

      All types of software require some level of compliance and/or vulnerability monitoring; monitoring is being done using different tools, processes, and policies.
  53. OSS in Commercial Software Development
      1. Risk management program (ISO-5230): policy, process, tools, training
      2. Early detection = lower remediation cost
      3. Ongoing management (pre- to post-production)
  54. 3. Do not reinvent the wheel
  55. International Standard for open source license compliance
  56. Questions? zvika.ronen@fossaware.com, TEL: +972-(0)52-426-5306
  57. The greatest risk is the one you are not aware of. zvika.ronen@fossaware.com, TEL: +972-(0)52-426-5306
  58. Automated Red-Team for Managing Attack Surface. Alex Peleg, CEO | Hacker
  59. Cynergy.app: AI and community powered attack surface and operations management for SMEs. Reducing time from breach to fix; recover from incidents; offensive engineering.
  60. Agenda: (1) Kaseya breach story; (2) Attack Surface 101; (3) Why AI?; (4) Continuous Red-Team, the good, the bad and the ugly; (5) Open topics for further research and innovation
  61. What has gone wrong? A server was exposed...
  62. Attack Surface 101: attackers need only one hole in the defense
  63. Attack Surface 101: External Attack Surface
  64. Attack Surface 101: Web & Mobile Apps
  65. Attack Surface 101: Infrastructure
  66. Attack Surface 101: Cloud
  67. Attack Surface 101: Employees
  68. Attack Surface 101: 3rd & 4th Parties
  69. Attack Surface 101: Subsidiaries
  70. Why AI? Context, Scale, Stupidity
  71. Continuous Red-Team
  72. Additional Research... (1) Faster and better context; (2) Threat intelligence to improve prioritization; (3) AI-based mitigation - GPT3; (4) Integration with CI/CD
  73. Q&A
  74. Thanks and Questions! Alex@cynergy.app
  75. Turn any Kubernetes solution into Zero-Trust by design. FROM ZERO to ZERO-TRUST
  76. WHAT ARE WE UP AGAINST?
      What are hackers looking for?
      • Data: business & customers' data
      • Keys: encryption & authentication
      • Resources: CPU (coin miners), storage, network (bots)
      • Damage & extortion: ransom, DDoS, UI/UX harm
      • Intellectual property: algorithms, APIs
      What do they do inside?
      • Use existing software in an inappropriate way
      • Change the behavior of existing software: change configuration
      • Inject new software: corrupt existing software, add new software
      How do they break in?
      • Misconfigurations
      • Credential abuse
      • Software vulnerability
  77. KNOCK-KNOCK, WHO IS THERE? Who is calling my APIs? Who is reading my data?
  78. DON'T TRUST, VERIFY! Protect customer solutions even if the infrastructure is compromised:
      • Genuine Software Identity – like DNA
      • Automated Zero-Trust Network Policy
      • Transparent Data Signing & Encryption
  79. SOFTWARE DNA – WHAT DOES THIS MEAN?
      Diagram: Executable, DLL/SO, DLL/SO, ARMOGuard DLL/SO, Python/Java/JS/.NET, ConfigFile/ConfigMap, Environment Variables, Command Line; ARMO Back-End: prove DNA validity, receive cryptographic materials.
      Protect process memory while it runs:
      • Validate the cryptographic digest of every relevant artifact
      • Prevent unsigned artifacts from loading
      • Keep containers immutable
      • Use Kubernetes for automation
  80. INTENTION (diagram): POD A, Secret Volume, POD B, Server, Legit App, Container, Container
  81. REALITY (diagram): POD A, Secret Volume, POD B, Injected App, Server, Legit App, Container, Container
  82. WITH ARMO ZERO-TRUST (diagram): POD A, Secret Volume, POD B, Injected App, Server, Legit App, Container, Container
  83. DEMO. Questions?
  84. Thank You! Questions? To be continued…
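Slides 29 and 41 name two supply-chain failure modes: typosquatted package names (jellyfish vs jeIlyfish, dateutil vs python3-dateutil) and dependency confusion (an internal package name served from a public registry). The following is an added example, not code from the deck or from any of the presenting companies. It is a small audit over a resolved-dependency manifest that folds look-alike glyphs and separators before comparing names to a trusted list, flags names within one edit of a trusted name, and flags internal-only names resolved from any index other than the internal registry. The trusted-package list, the internal names, the registry URLs and the manifest are all constructed for the example.

```python
"""Added example: manifest audit for typosquatting and dependency confusion.
The trusted-package list, internal names, registry URLs and the manifest are
constructed for the example; none of it comes from the deck."""
import re
from typing import Dict, List, Tuple

KNOWN_PUBLIC = {"jellyfish", "python-dateutil", "requests", "lodash"}  # constructed allowlist
INTERNAL_NAMES = {"acme-billing", "acme-authlib"}                     # constructed, internal-only
INTERNAL_REGISTRY = "https://pypi.internal.example/simple"            # hypothetical URL
PUBLIC_REGISTRY = "https://pypi.org/simple"

# Glyphs that read alike in common fonts, folded to one form *before* lower(),
# so that the capital I in "jeIlyfish" becomes the l of "jellyfish".
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


def canonical(name: str) -> str:
    """Fold look-alike glyphs, lower-case, and drop the -, _ and . separators
    that package indexes already treat as equivalent."""
    return re.sub(r"[-_.]", "", name.translate(CONFUSABLES).lower())


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (one-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_name(name: str) -> str:
    """Typosquat check: exact trusted names pass; anything that collapses to a
    trusted name, or sits one edit away from one, is flagged."""
    if name in KNOWN_PUBLIC or name in INTERNAL_NAMES:
        return "ok"
    folded = canonical(name)
    for known in sorted(KNOWN_PUBLIC):
        known_folded = canonical(known)
        if folded == known_folded:
            return f"look-alike of {known}"
        if edit_distance(folded, known_folded) <= 1:
            return f"typosquat candidate of {known}"
    return "unknown (review before use)"


def check_source(name: str, index_url: str) -> str:
    """Dependency-confusion check: an internal-only name must resolve from the
    internal registry, never from a public one."""
    if name in INTERNAL_NAMES and index_url != INTERNAL_REGISTRY:
        return f"dependency confusion: internal name resolved from {index_url}"
    return "ok"


def audit(manifest: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run both checks over every dependency; return (name, finding) pairs."""
    findings = []
    for dep in manifest:
        for verdict in (check_name(dep["name"]), check_source(dep["name"], dep["index"])):
            if verdict != "ok":
                findings.append((dep["name"], verdict))
    return findings


SAMPLE_MANIFEST = [  # constructed resolved-dependency list
    {"name": "requests", "index": PUBLIC_REGISTRY},
    {"name": "jeIlyfish", "index": PUBLIC_REGISTRY},         # capital I in place of l
    {"name": "python3-dateutil", "index": PUBLIC_REGISTRY},  # one inserted character
    {"name": "acme-billing", "index": PUBLIC_REGISTRY},      # internal name, public index
    {"name": "acme-authlib", "index": INTERNAL_REGISTRY},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_MANIFEST):
        print(f"{name}: {finding}")
```

The edit-distance threshold of one is deliberately tight so that legitimately similar packages are not flagged; anything the audit cannot match is returned as "unknown" for human review rather than silently accepted, which is the posture a supply-chain gate should take for names it has never seen.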
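Slide 79 lists the runtime checks behind the "software DNA" idea: validate the cryptographic digest of every relevant artifact and refuse to load anything unsigned. The following is an added example, not ARMO's code, showing the shape of such a guard in Python: a producer records the SHA-256 of every file in an image and authenticates the list, and the guard re-hashes each file at load time, rejecting modified files and files absent from the manifest. The HMAC key stands in for the cryptographic material a back-end would issue (an assumption made so the example is self-contained; a real deployment would verify an asymmetric signature), and the files and the tampering scenario are constructed inline.

```python
"""Added example: digest-based artifact admission in the spirit of the
'software DNA' checks on slide 79. Not ARMO's code. The HMAC key stands in for
back-end issued cryptographic material (an assumption for a self-contained
example); the files and the tampering scenario are constructed inline."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed key; a real deployment would verify an asymmetric signature
# over the manifest instead of a shared-secret MAC.
MANIFEST_KEY = b"constructed-demo-key-not-for-production"


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, streamed so large artifacts are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _encode(digests: Dict[str, str]) -> bytes:
    # Canonical encoding so producer and guard MAC exactly the same bytes.
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root: Path, key: bytes) -> Dict:
    """Producer side (build/sign time): record every file's digest and
    authenticate the whole list so entries cannot be added or edited later."""
    digests = {p.relative_to(root).as_posix(): sha256_file(p)
               for p in sorted(root.rglob("*")) if p.is_file()}
    return {"artifacts": digests, "mac": hmac.new(key, _encode(digests), "sha256").hexdigest()}


def verify_manifest(manifest: Dict, key: bytes) -> bool:
    """Constant-time check of the manifest MAC."""
    expected = hmac.new(key, _encode(manifest["artifacts"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def admit(root: Path, manifest: Dict, key: bytes) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Guard side (load time): re-hash every file and return
    (artifacts allowed to load, [(artifact, reason) rejected])."""
    if not verify_manifest(manifest, key):
        raise ValueError("manifest MAC invalid; refusing to load anything")
    allowed: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        want = manifest["artifacts"].get(rel)
        if want is None:
            rejected.append((rel, "unsigned artifact (not in manifest)"))
        elif not hmac.compare_digest(sha256_file(p), want):
            rejected.append((rel, "digest mismatch (modified artifact)"))
        else:
            allowed.append(rel)
    return allowed, rejected


def demo() -> Tuple[List[str], List[Tuple[str, str]]]:
    """Constructed scenario: sign a clean image, then a config edit and an
    injected library happen after signing; only the untouched binary loads."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "server").write_bytes(b"\x7fELF constructed legit app")
        (root / "config.yaml").write_text("listen: 8080\n")
        manifest = build_manifest(root, MANIFEST_KEY)
        (root / "config.yaml").write_text("listen: 8080\nadmin: true\n")      # tampered after signing
        (root / "libinjected.so").write_bytes(b"\x7fELF constructed injected")  # never signed
        return admit(root, manifest, MANIFEST_KEY)


if __name__ == "__main__":
    ok, bad = demo()
    print("allowed:", ok)
    for rel, reason in bad:
        print("rejected:", rel, "-", reason)
```

Two details matter for the "prevent unsigned artifacts from loading" requirement: the manifest must be authenticated as a whole (otherwise an attacker who can drop a file can also append its digest), and a file that is simply absent from the manifest is rejected, not merely logged, because an allowlist that ignores unknown entries is no allowlist.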
