Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Computing Foundation / CloudNativeSecurityCon 2023 - Seattle / 2 Feb 2023
Cloud Native Computing Foundation / CloudNativeSecurityCon 2023 - Seattle / 2 Feb 2023
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Sponsored Keynote: Why Developer Laptop Security is Key to Securing Your CI/CD Pip... Saurabh Wadhwa

Description

Don't miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands from 18 - 21 April, 2023. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Sponsored Keynote: Why Developer Laptop Security is Key to Securing Your CI/CD Pipeline - Saurabh Wadhwa, Senior Solutions Engineer, Uptycs

Your developer’s laptop is only one hop away from cloud infrastructure and crown-jewel data and services.

When it comes to securing cloud applications, security teams need to consider how they can secure the arc of application development. It often begins when a developer signs into an identity provider using their laptop, then pulls open-source code from a Git repository. Developers use Chrome extensions for development tasks, then push code through their build, test, and deploy processes using automation servers, Kubernetes, and public cloud services like AWS. At each stage, there are multiple points an attacker can target.

This session will cover the requirements for visibility into the entire development supply chain, from laptop to cloud, including:

Why developer laptops are often an entry point for attackers—now more than ever
How to gather real-time "device integrity" or security hygiene checks for zero-trust access
How to audit for malicious Chrome extensions or vulnerable software packages
How to tie together identity and GitHub activity on the laptop with CI/CD actions

A

uh Hello, everyone, my name, is uh swarov vadhwa I'm, a Senior Solutions engineer at Optics, and the agenda for my talk today is Dev SEC Ops for your developer, ecosystem right, uh I've been a developer in my past. Life and security never crossed my mind right, but it's the harsh reality. You have developers, you have security and you have operations working together to give you a secure, working, app running in the cloud, and the second piece would be security at the developer laptop right. We never focus on developer laptop security right.

A

That's where the crown jewels lie. You have your code being built. You have your access Keys lying there. They have admin access to different systems for building the app, but we never focus on security right on the right hand, side. You see, um you know something that caught my mind. uh The last pass attack right, but this is not just the only one, the most recent one being a Dropbox right and the trend is that a lot of developer environments are being targeted right and it's not like these are just random attacks.

A

The attackers are becoming really sophisticated when they are attacking the cicd ecosystem.

A

So in this on this slide, you know just I'll pause for a moment right to just take a moment to digest what exactly is going on. You know you have your pre-production phase where the development is happening. You know the developers are uh developing code, committing it to a repository, and then you have the building and testing phase, and then you have the post-production phase, which is the control plane and the data plane. Now, if we focus on the control plane and the data plane right, this is where the different services are running.

A

You have your orchestration or you know, services like kubernetes openshift, and then you have your runtime such as Docker right and then you have the data plane where you have the worker nodes running the actual container workloads from a security perspective. This is pretty siled right. You don't can't connect the data between what's going on at the control plane with what's actually happening inside the containers so take. For example, um the container Escape attack right so continuous when they're deployed in production they widen the attack. Surface right and containers share the same IP space.

A

They share the host kernel space. So what happens is if an attacker gets does performs container Escape? He will get access to the underlying hosts, as well as the other containers, and it's the same thing for the pre-production pipeline, where the development is taking place right. We often Silo the testing and the registry stage from the code, development and the developer laptop monitoring.

A

So these days, a lot of attacks are targeting the developer, laptops the latest being a Dropbox right and what's the reason, the reason being, the groundwork is done by the developers. They build the software, they have admin privileges to different systems, maybe GitHub, for example, and once the attackers enter your cicd pipeline right, they can exploit this to move laterally around the network and gain access to the end goal.

A

So there are few different ways how we can enable security at the developer laptop. So this is the shift left approach. Why not focus on security right when the production starts rather than focusing on security, when uh the software is actually running in production? So we can, you know, start with auditing for vulnerable packages. A lot of developers use third-party libraries right and also look for any malicious, Chrome extensions, because there have been cases where there was a spare phishing attack, because some developer installed a malicious Chrome extension.

A

Then you have the zero trust access right with the BYOD. You know remote working from home, BYOD policies. We need to have something in place which gives access to developers to those critical systems that are needed to perform their job and zero. Trust is a great way because you know in every request, is authenticated and then authorized and on the laptops itself, we should have a mechanism which is detecting something, malicious and taking probably like remediative actions right so just um to wrap up.

A

I would say the attackers don't think in silos when they see your cicd pipeline or The Innovation pipeline. It's an ecosystem, and neither should security. Practitioners like us, should think in silos. We should not do like that and for a good security right developers.

A

Don't need a security program that hampers Innovation, so a good security program enables them to build a secure running product in the cloud. uh Thank you um like. If you you know, would like to talk more about this have more discussions. uh Please join us at the Optics booth and you know we would be happy to chat with you. Yeah.