Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Computing Foundation / Cloud Native SecurityCon NA 2022 / 2 Nov 2022
Cloud Native Computing Foundation / Cloud Native SecurityCon NA 2022 / 2 Nov 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Keynote: Why Developer Laptop Security is Key to Securing Your CI/CD Pipeline - Jeremy Colvin

Description

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Keynote: Why Developer Laptop Security is Key to Securing Your CI/CD Pipeline - Jeremy Colvin, Technical PMM, Uptycs

Your developer’s laptop is only one hop away from cloud infrastructure and crown-jewel data and services.

When it comes to securing cloud applications, security teams need to consider how they can secure the arc of application development. It often begins when a developer signs into an identity provider using their laptop, then pulls open-source code from a Git repository. Developers use Chrome extensions for development tasks, then push code through their build, test, and deploy processes using automation servers, Kubernetes, and public cloud services like AWS. At each stage, there are multiple points an attacker can target.

This 5-minute lightening session will cover the requirements for visibility into the entire development supply chain, from laptop to cloud, including:

Why developer laptops are often an entry point for attackers—now more than ever
How to gather real-time "device integrity" or security hygiene checks for zero-trust access
How to audit for malicious Chrome extensions or vulnerable software packages
How to tie together identity and GitHub activity on the laptop with CI/CD actions

A

Awesome: hey everyone, I'm Jeremy, I'm, a technical product marketer at Optics, and I'm really excited to talk to you all today. So I'm going to be talking about securing the CI, CD, Pipeline and kind of really the special place that developer laptops have from a security perspective. So I really only have two things to talk to you guys about.

A

First I want to take a look at a traditional CI, CD Pipeline, and really break down some of the data silos and security gaps that we create for ourselves there and then I want to dive a little deeper to security at the developer, laptop so on the right I, including a fun headline that grabbed me from about a month ago. It's pretty prevalent for this talk, so LastPass got hacked and hackers had access to the development environment for over four days.

A

So Andrew was touching on this earlier when he gave the opening remarks but kind of keep in mind that idea of software supply chain attacks and attackers embedding themselves into your development pipeline so yeah. This is kind of the Innovation pipeline or traditional CI CD pipeline. As we see it, you know on the far left. You have that development stage. You have developers working off laptops, crafting the crown jewels of your organization, really building that intellectual property. You move into the CI CD stage.

A

You maybe have a build server, you're scanning images, you're testing for compliance, vulnerabilities registry scanning, maybe secret scanning as well, and then we hit runtime and in runtime we kind of split this up into two phases. We have the control plane layer of that orchestration and runtime services, and then you have the data layer of those actual running nodes and containers and I want to reiterate what I said on the last side, where let's look at this and let's see some of the data silos and security gaps we create for ourselves.

A

So let's take runtime, for example, and runtime you have this control plane layer in this data plane layer and at the control plane layer. You have, you know: runtime orchestration, you're, doing compliance you're doing maybe Network policy as well and at the data point layer. You have this Rich socket event and process event data, but teams right now are really struggling with correlating this data together or correlating this data from say the data plane back to your backend infrastructure, and this is a problem. Let's imagine you know like a container Escape attack pretty high profile.

A

Your node gets compromised they're, trying to hop to another container they're trying to hop to another node, maybe they're, trying to hop to the control plane or to your AWS infrastructure. Are you able to correlate this data back together and I? Think that's the big question right now.

A

Is that attackers don't think in silos and we need to be sure that we're securing across the CI CD pipeline so that way we're not creating these security gaps and we're able to correlate data together so kind of with that in mind, I want to dive a little deeper into security at the developer laptop my security at the developer laptop well. First off, we've actually seen first hand a rise in a attacker's targeting developer, laptops and I. Think that's for a few reasons, but one of the main ones is.

A

This is just a really high value Asset, you know I. Think too often we focus on the the shiny part of the hack, where data gets exfiltrated or remote code gets executed and I think we need to look a little layer deeper. You know. Imagine a developer laptop is like the perfect entry point for an attacker. They can enumerate your environment, they can see what tooling you have. They can try and steal, get SSH keys. They can try and steal AWS credentials.

A

So this is just a really strong point that we need to secure when we think holistically about our pipeline so on the right here, I, including some of the the fun examples that customers have been coming to us to help solve this. This problem of security at the developer laptop so I'll go through them now, the first one, this one's, pretty fun auditing for vulnerable software packages or malicious Chrome extensions. We have some really fun War stories around Chrome extensions and malicious Chrome extensions.

A

So folks will attackers will actually clone real Chrome extensions, put them on the store and try to entice and like Spearfish specific developers, to try and download these Chrome extensions onto their developer laptops. So some really fun stuff happy to talk about it more after I can't share all right now, but number two Dynamic trust scores for zero trust access. So this is a really good one.

A

We know in real time dynamically quickly, assigning uh zero trust scores so being able to assess the identity and health of a developer's laptop as it's trying to access, critical resources or infrastructure, and for me this is a really big one, because it goes back to that idea of security should really enable our development teams.

A

You know too often we hear about security, roadblocks and I think zero trust access is a really fun one where we can break down those roadblocks and really enable teams to work from these untrusted or lightly secured home networks around the world, as everyone works remotely nowadays and then finally, detecting and protecting against malicious behavior, and this really synthesizes. So much of the talk you know go back to that last past example of hackers having access to the environment for over four days, or maybe two years ago, the solar, wind, Sunburst attack.

A

Those of you who are familiar with the the solar winds attack also will remember. That was actually a software supply chain attack which goes back to Andrew's point, and you know attackers embedded malicious code into the build the build got distributed out, and then attackers actually executed the code. So keeping all of that in mind, I want to say thank you. So much I want to reiterate two points.

A

First attackers don't think in silos and that's why we really need to normalize and correlate data, regardless of whether it starts in that development section that runtime control plane layer or that data layer and then my second point is really bringing laptops into the fold and enabling our developers through good security. So that's all I had had for you today. If any of this resonated with you definitely come find me after even better.

A

Actually, if any of this didn't resonate with you uh come find me after you know, that's why we're all here is to have these fun conversations, so upticks will be at booth number G29 and we'll be around all week in the purple. Shirt so come say hi. Thank you. So much for letting me talk with you all today.