Securing applications in a cloud environment can be difficult. This presentation discusses the automation and the changes needed to embed security into your application pipelines and deployments.
2. I am Will Hall
My role is Digital Architect, which means I have
all video conferencing applications installed.
I support code projects in Drupal (PHP),
Python, Ruby, JavaScript; using Docker,
Ansible, GitLab, GitLab CI and Bash… I don’t
understand it all.
You can find me at @hn_will
Hello!
4. The History of
Musical Notation
La, la, la, la, la.
We’ll get to why this is relevant soon.
5. “
Music is oral history. However, in
its history it was unable to be
communicated easily across time
& space.
6. Compressed history of musical notation
◉ Boethius (480-525 AD) - Letters associated with notes.
◉ Gregory the Great (600 AD) - First seven letters, uppercase
and lowercase. Also introduced lines (similar to a stave) with
words moving up and down.
◉ Franco of Cologne (1200 AD) - Symbols for the length of notes.
22. Let’s review some testing
concepts
Static Analysis Testing
Checking the code, without running it,
against coding and security standards.
What is acceptable, what is not.
Build Testing
Does the application build with
its dependencies?
Smoke Testing
A quick check after a build or deploy:
is it broken now?
Unit Testing
Testing the functionality of individual
units of code. Known inputs, expected outputs.
Functional Testing
Testing functions/features inside the
application, as a user would exercise them.
Security Testing
Testing the security elements of the
application: authentication, authorisation,
input handling and known-vulnerable dependencies.
31. Secrets Management
◉ How do you achieve the minimum required access (least privilege)?
◉ Where do you inject secrets? At runtime, into the running
container or job, never into the image or the repository.
◉ How do you control and audit access to them?
◉ Tools:
○ HashiCorp Vault
○ Docker Secrets
○ Keybase
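The "where do you inject secrets?" question above has a concrete answer for containers: the orchestrator mounts each secret as a file (Docker Swarm, Docker Compose and Kubernetes all use a directory such as /run/secrets), and the application reads it at start-up. The example below is added here and is not code from the presentation; it assumes that mount layout, falls back to an environment variable for local development, fails closed when the secret is absent, and wraps the value so it cannot leak through repr() or str() in logs. The secret name and values are constructed for illustration.

```python
"""Runtime secret injection: read a secret from a mounted file or, failing
that, the environment. Added example; assumes one-file-per-secret mounts
under a directory such as /run/secrets. Names and values are constructed."""
import os
import tempfile
from typing import Mapping, Optional


class Secret:
    """Wrapper that keeps the value out of logs, tracebacks and f-strings."""

    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        """Explicit accessor: the only way to get the plaintext back."""
        return self._value

    def __repr__(self) -> str:
        return "Secret(<redacted>)"

    __str__ = __repr__


def load_secret(name: str,
                secrets_dir: str = "/run/secrets",
                env: Optional[Mapping[str, str]] = None) -> Secret:
    """Resolve NAME from secrets_dir/NAME first, then from the environment.

    Fails closed: a missing or empty secret raises instead of returning ''.
    """
    env = os.environ if env is None else env
    path = os.path.join(secrets_dir, name)
    value: Optional[str] = None
    if os.path.isfile(path):
        with open(path, "r", encoding="utf-8") as fh:
            # Mounted secret files frequently carry a trailing newline.
            value = fh.read().rstrip("\r\n")
    elif name in env:
        value = env[name]
    if not value:
        raise RuntimeError(f"secret {name!r} is not available")
    return Secret(value)


def secret_available(name: str,
                     secrets_dir: str = "/run/secrets",
                     env: Optional[Mapping[str, str]] = None) -> bool:
    """True if load_secret() would succeed for NAME."""
    try:
        load_secret(name, secrets_dir=secrets_dir, env=env)
    except RuntimeError:
        return False
    return True


def demo_mounted_secret() -> str:
    """Constructed sample: write a secret file the way an orchestrator would
    mount it, then load it with a decoy environment value present to show
    that the mounted file takes precedence over the environment."""
    with tempfile.TemporaryDirectory() as secrets_dir:
        with open(os.path.join(secrets_dir, "DB_PASSWORD"), "w",
                  encoding="utf-8") as fh:
            fh.write("from-file\n")
        secret = load_secret("DB_PASSWORD", secrets_dir=secrets_dir,
                             env={"DB_PASSWORD": "from-env"})
        return secret.reveal()


if __name__ == "__main__":
    # The wrapper prints as redacted; only reveal() exposes the value.
    secret = load_secret("DB_PASSWORD", secrets_dir="/nonexistent-dir",
                         env={"DB_PASSWORD": "local-dev-only"})
    print(secret, demo_mounted_secret())
```

In a pipeline the same function runs unchanged: the CI job exports the variable, the production container mounts the file, and no branch of the code ever needs the value checked into Git.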
32. Vulnerability Databases
◉ When standing on the “shoulders of giants”, we can see
further, but we also don’t know all of our dependencies
◉ CVE Details (third-party view of CVE data) - https://www.cvedetails.com/
◉ NIST National Vulnerability Database - https://nvd.nist.gov/
◉ Tools:
○ Clair - coreos/clair - Container image layer scanning
○ Snyk - Application-level dependency scanning
○ Retire.js - Known-vulnerable JavaScript libraries
○ drupal.org - Drupal core and module security advisories
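The tools listed above all do one thing at heart: read the pinned dependencies of a build and compare each version against the ranges an advisory feed says are affected, then fail the pipeline if anything matches (this is also what slide 38, "Automate your security", is asking for). The example below is added here and is not code from the presentation or from any of those tools. The lock file and the advisory records are constructed; the range field names (versionStartIncluding, versionEndExcluding and so on) follow the naming used by the NVD JSON feeds, but the package names and advisory IDs are placeholders, not real CVEs. It also assumes plain numeric dotted versions with no pre-release tags.

```python
"""Match pinned dependencies against an advisory feed and fail the build on
a hit. Added example; lock file, package names and advisory IDs below are
constructed placeholders. Assumes numeric dotted versions only."""
import sys
from typing import Dict, List, Tuple

# Constructed lock file in requirements.txt style (name==version).
LOCKFILE = """\
examplelib==1.4.2
imagetool==0.9.0    # comment after a pin is ignored
leftpadlike==2.0.1
"""

# Constructed advisories; IDs are placeholders, not real CVE numbers.
# Range keys mirror the NVD feed field names.
ADVISORIES = [
    {"id": "ADV-0001", "package": "examplelib",
     "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.5.0"},
    {"id": "ADV-0002", "package": "imagetool",
     "versionEndIncluding": "0.8.9"},
    {"id": "ADV-0003", "package": "leftpadlike",
     "versionStartIncluding": "2.0.0", "versionEndIncluding": "2.0.1"},
]

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'1.4.2' -> (1, 4, 2). Pre-release tags are not handled (assumption)."""
    return tuple(int(part) for part in text.strip().split("."))


def _cmp(a: Version, b: Version) -> int:
    """Compare after zero-padding so that 1.5 == 1.5.0; returns -1, 0 or 1."""
    width = max(len(a), len(b))
    a_padded = a + (0,) * (width - len(a))
    b_padded = b + (0,) * (width - len(b))
    return (a_padded > b_padded) - (a_padded < b_padded)


def version_in_range(version: str, adv: Dict[str, str]) -> bool:
    """True if VERSION falls inside every bound the advisory specifies."""
    v = parse_version(version)
    bounds = (
        ("versionStartIncluding", lambda b: _cmp(v, b) >= 0),
        ("versionStartExcluding", lambda b: _cmp(v, b) > 0),
        ("versionEndIncluding", lambda b: _cmp(v, b) <= 0),
        ("versionEndExcluding", lambda b: _cmp(v, b) < 0),
    )
    for key, holds in bounds:
        if key in adv and not holds(parse_version(adv[key])):
            return False
    return True


def parse_lockfile(text: str) -> Dict[str, str]:
    """name==version lines -> {name: version}. Unpinned lines are rejected,
    because a dependency you cannot name exactly cannot be checked."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency: {line!r}")
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = version.strip()
    return deps


def scan(lockfile: str, advisories) -> List[Tuple[str, str, str]]:
    """Return (package, pinned version, advisory id) for every match."""
    deps = parse_lockfile(lockfile)
    hits = []
    for adv in advisories:
        name = adv["package"].lower()
        if name in deps and version_in_range(deps[name], adv):
            hits.append((name, deps[name], adv["id"]))
    return sorted(hits)


if __name__ == "__main__":
    findings = scan(LOCKFILE, ADVISORIES)
    for package, version, adv_id in findings:
        print(f"{package}=={version} is affected by {adv_id}")
    # Non-zero exit makes the CI job fail, which is the point of automating it.
    sys.exit(1 if findings else 0)
```

Run as a CI job, the non-zero exit code is what turns a database lookup into a gate; a real feed replaces ADVISORIES and a real lock file replaces LOCKFILE, and the version rules stay the same.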
33. Vulnerability Attacks
◉ Attack your own known weaknesses before somebody else does
◉ Bad users: think like one
◉ Tools:
○ Kali Linux 😈
○ Fuzzing, brute force, module enumeration, Metasploit,
Burp Suite (PortSwigger)...
36. Automate your build
◉ If you are building manually, stop. Automate.
◉ If you already use Jenkins, that is fine; if not, don’t start on it.
◉ GitOps - This should be your new search topic...
◉ Or:
○ GitLab CI
○ Drone.io
○ CircleCI
37. Clusters/Orchestrations
◉ Clusters and orchestration of containers are the future of
application delivery.
◉ Learn Docker
◉ Learn Kubernetes (and probably use managed services, e.g. EKS
and RDS on AWS).
38. Automate your security
◉ Test your weaknesses
◉ Reduce your effort
◉ Speed is essential - time is your non-transferable resource
41. Credits
Special thanks to all the people who made and
released these awesome resources for free:
◉ Presentation template by SlidesCarnival
◉ Photographs by Pixabay