►
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon North America 2021 in Los Angeles, CA from October 12-15. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Integrating Security in the Build Pipeline - Anirban Saha, Allianz Direct
With infrastructures and platforms going cloud native, there are greater security risks now than ever before. In the build and release workflow, often the focus on security comes at a very later stage and sometimes unfortunately, it does not happen at all due to lot of constraints. In this session, Anirban Saha will demonstrate security can be integrated in the build and deployment pipeline and address the problems early in the process. He will stress on the factors that can be problems in achieving this objective and how to go about solving them. He will also discuss the different vulnerability points that can and need to be considered when designing the solution. He will also demonstrate situations where deployment decisions can be made depending on the security status of the artifacts thus eliminating the need for post deployment measures to tackle security flaws.
A
A
A
A
I
should
also
mention
here
that
all
the
information
tools,
strategies,
opinions
and
demonstration
presented
in
this
session
are
entirely
my
own
and
they
do
not
represent
the
views
of
alias
direct
or
any
other
allianz
entity.
Although
we
do
a
lot
of
cool
stuff
at
alias
direct,
the
contents
of
this
session
are
not
really
aligned
with
them.
A
This
session
ends
with
a
live
demonstration
of
a
ci
cd
pipeline
with
security
tests,
enabled
and
involves
a
cloud
native
setup
I'll
explain
the
tools
that
have
been
used
here
during
the
session
and
for
the
attendees
who
are
really
interested
in
trying
it
out
themselves.
I
have
added
the
configuration
files
in
a
couple
of
github
repositories.
A
So
we
will
first
look
at
why
we
are
here
understand
the
problem
analyze.
It
find
out
reasons
for
them
and
look
at
ways
to
mitigate
them.
We
will
look
at
how
a
vulnerability
scanning
workflow
works,
how
they
plug
into
the
build
pipeline,
the
options
that
we
have
in
terms
of
tools,
analyze
different
strategies
to
integrate
security
scans
into
the
build
pipeline.
A
A
A
A
The
architect
designs,
the
software
as
per
requirements,
developers
get
on
the
same
page
with
the
architect
and
they
start
creating
some
cool
software
with
modern
life
cycle
software
life
cycle
processes,
testing
the
software
is
very
essential.
We
all
we
all
know
that
once
all
of
this
is
achieved,
the
artifact
is
created
and
the
product
is
released
generally.
At
this
point,
a
security
or
penetration
test
is
scheduled.
A
Where
vulnerabilities
are
detected
or
sometimes,
unfortunately,
there's
really
no
security
test
done
at
all,
as
the
software
has
never
been
scanned
before
this
list
is
quite
long
now
think
about
a
cloud
native
scenario
where
we
are
talking
about
more
than
50
to
60
micro
services
and
the
amount
of
time
it
would
require
to
fix
those
problems.
That's
huge
right
now
with
product
priorities
and
feature
requests.
It
is
quite
difficult
to
devote
dedicated
time
for
such
fixes.
A
A
A
A
A
A
When
you
leave
your
office
door
open
by
mistake,
you
are
responsible
for
the
safety
of
hundreds
of
your
colleagues
in
the
office
building,
and
you
can
compromise
it
by
letting
in
an
intruder.
This
person
can
be
an
office
administrator.
He
can
be
an
engineer,
a
manager
or
even
the
ceo
of
the
company.
A
Similarly,
in
the
software
product
lifecycle,
each
person
needs
to
understand
that
they
need
to
be
responsible
for
security,
whether
it
is
via
software
design,
code
creation,
software
deployment
or
really
site.
Reliability
developers
really
understand,
features
and
feature
requests
very
well
right,
so
start
treating
security
fixes
as
features
and
integrate
them
in
the
development
process
in
large
development
teams.
A
A
A
This
is
called
static,
application,
security,
testing
or
sast,
because
the
code
is
not
running
yet.
Another
type
of
security
scanning
is
the
dasd
or
dynamic
application
security
testing.
In
this
stage,
the
application
needs
to
be
scanned
for
vulnerabilities,
which
exist
when
the
code
has
been
executed.
A
A
A
The
code
repository
is
used
as
a
source
for
our
code
and
the
image
repository
for
image.
Artifact
storage.
The
security
tool
is
really
not
mandatory.
In
most
cases,
there
is
a
central
solution,
security
platform
or
tool
which
coordinates
the
communication
between
the
build
pipeline
and
the
vulnerability
scanners.
A
A
Pipelines
can
also
direct
commun
directly
communicate
with
the
scanners.
The
vulnerability
scanners
are
the
databases
against
which
we
compare
our
image
packages.
If
all
goes
well,
we
can
deploy
our
artifact
on
the
container
orchestration
platform
for
our
demo.
We
will
use
a
similar
setup
where
we
will
use
github
as
the
code
repository
techton
and
argo
cd
as
the
cicd
tool
harbour
as
a
security
tool
and
the
image
repository
and
kubernetes
as
a
container
orchestration
platform.
A
A
A
We
definitely
wouldn't
want
vulnerable
images
to
land
up
in
plot
repositories
right
if
the
image
has
vulnerabilities
the
pipeline
will
stop
at
that
stage
and
we
can
visualize
the
vulnerabilities
in
the
harvard
dashboard
for
our
demo.
Our
app
is
a
simple
nginx
container
built
from
a
debian
or
ubuntu
based
image.
A
Nginx
is
installed
on
this
image
and
a
test
web
page
is
added
so
really
really
simple
stuff.
The
debian
image
has
high
and
critical
vulnerabilities,
which
we
don't
want
to
be
in
fraud,
whereas
the
ubuntu
image
only
has
medium
and
lower
vulnerabilities,
which
we
definitely
want
deployed
that
that
will
actually
be
our
simulation.
A
A
A
It
can
also
add
plugable
vulnerability
scanners
to
be
able
to
scan
the
uploaded
images,
although
we
will
demonstrate
an
automated
bill
pipeline
in
this
demo.
This
is
quite
far
from
a
production,
build
setup,
advanced
features
such
as
triggering
pipelines
via
events
and
passing
parameters
are
not
part
of
this
demo.
A
I
have
kept
the
app
repo
with
helm
chart
and
the
pipeline
repo
different
to
help.
You
understand
this
better.
However,
they
can
be
modified
to
create
a
more
sophisticated
workflow.
Okay,
so
we
will
now
start
with
our
demo.
This
is
the
hardware
dashboard
that
we
have
already
installed
in
our
kubernetes
cluster.
A
A
A
A
A
A
If
we
check
the
build
pipeline
repository,
we
will
find
a
directory
called
secrets
which
are
some
kubernetes
secret
manifests
which
are
to
be
applied
to
the
combinator's
namespaces.
Before
our
demo
can
be
run.
They
are
just
basic
authentication
credentials
as
some
and
some
docker
registry
credentials.
A
A
A
We
have
a
pipeline
definition
which
integrates
all
the
tasks
that
we
have
already
created
and
finally,
we
have
a
pipeline
run
definition
which
actually
runs
our
pipeline
using
tecton.
Our
second
repository
is
called
example,
app,
which
has
the
configurations
for
the
application
that
we
are
going
to
deploy.
A
A
Manifests
if
we
now
go
to
the
argo
cd
dashboard,
we
will
see
both
our
applications
have
been
created,
and
if
we
go
to
the
repositories
page,
we
will
see
that
our
hardware,
helmet
repository,
has
automatically
been
added
and
the
connection
is
successful.
The
example
lab
build
pipeline
gets
its
configuration
from
the
helm
pipeline
directory
of
the
example
app
repository.
A
If
we
go
to
the
argo
cd
application,
we
will
see
that
all
of
these
resources
are
ready
to
be
created
and
it
creates
a
dynamic
name
for
the
pipeline
run.
With
help
of
the
tag
that
we
have
added
in
the
values
file
in
a
more
sophisticated
workflow,
we
will
not
be
adding
this
tag
manually,
but
it
will
be
created
when
our
automated
build
pipeline
works
via
triggers
and
events.
A
A
A
So
with
that,
we
have
reached
the
end
of
this
session.
I
hope
the
session
was
able
to
help
you
get
some
understanding
of
how
we
can
have
better
and
secure,
build
pipelines
and
optimize
the
software
development
process.
I
have
added
some
links
about
this
topic,
so
be
sure
to
check
them
out.
I
hope
to
see
you
in
another
awesome
event
in
the
future.
Thank
you.