►
From YouTube: Securing the Perimeter - CFCR/CFAR Chain of Custody With CI/CD Pipelines - Keith Strini, Pivo
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
Securing the Perimeter - CFCR/CFAR Chain of Custody With CI/CD Pipelines - Keith Strini, Pivotal
Continuous integration (CI) systems automate the building of working code and Continuous Delivery (CD) is the movement of that working code into the hands of end users. These two concepts enable companies to move with effective velocity into new markets. However, because of the pervasive nature of building, testing, and delivering into production, even with immutable containers and a kubernetes secure by default posture, CI/CD pipelines could be used to severely compromise the entire software delivery process. Chain of Custody need to be established and enforced. In this talk we will cover several aspects of ensuring chain of custody, including transmission security, rotating developer keys, signed git commits, independently reproducible build verification, signed release artifacts and run time authority for immutable containers achieving secure an end-to-end chain into production.
To learn more click here: https://sched.co/FuJb
A
Hello,
everyone-
this
is
sergeant
ding,
and
this
is
Keith
and
today
we're
very
happy
to
present.
This
is
securing
the
perimeter
with
the
CFC
R
+
CF,
AR,
+,
+,
CI,
CD
pipelines,
so
CFC
R
is
a
container,
is
Cloud
Foundry
container
runtime.
They
say
this
is
a
foundry
continued
runtime
is
a
distribution
of
kubernetes
and
CFAR
is
a
cloud
foundry
application
runtime,
which
is
based
on
like
open
source
distribution
of
cloud
foundry,
and
you
know
Keith
and
I.
A
A
I
want
to
introduce
ourselves,
I
explained
what
wait,
what
do
we
do
in
pivotal
and
what
we
are
so
my
name
is
sharon
ding
and
based
at
Dallas,
I'm,
a
pivotal
foundry
principal
solutions,
architect
and
I've
been
working
with
a
pivotal
for
five
plus
years
before
that
I
worked
for
vm
work,
so
it's
always
infrastructure
as
a
service
platform
as
service.
It's
been
a
long
time
and
I
would
like
Keith
to
introduce
himself
a
little
bit.
I
told
him
how
to
introduce
himself.
D
A
So
Keith
Lee
is
also
a
Solutions
Architect
pivotal.
We
are
on
the
same
team.
We
are
basically
like
focusing
on
North
America
region
and
we
basically
provide
operational
assistance
and
guidance
for
a
pivotal.
Our
foundry
we
deploy
cloud
foundry
to
you,
know
the
products
on
the
customer
side,
it's
more
like
post
sales
and
beside
that
we
also
build
balanced
customer
team.
We
want
the
customer
operational
team
to
trade,
their
developers
as
a
customers.
A
C
But
what
we
don't
want
to
do
is
sacrifice
any
of
the
security
aspects,
and
so
what
we're
going
to
show
you
today
is
how
we
walk
through
from
code
to
commit
all
the
way
to
deploying
a
production
quality
application
and
how
we
offload
these
things,
with
continuous
delivery
pipelines,
automation
within
a
different
phases
of
that
delivery
process,
and
bring
that
all
back
together
and
into
how
you
integrate
this.
With
your
security
policy,
yeah.
A
So
next
yeah,
we
won't
talk
a
little
bit
of
shape
the
mindset
and
basically
like
we
want
assume
the
continual
threat
of
compromise
traditionally
like
when
Enterprise
dealing
with
a
security
attack
right,
it's
more
like
static
like,
for
example,
they
secure
the
parameters
with
a
firewall
and
injects
a
place,
some
antivirus
software
into
the
system
like
for
us.
We
want,
like
borrow
some
concept
of
disaster
recovery.
We
want
to
tree
the
platform
that
the
security
attack
as
a
you
know
like
the
it's
kind
of
like
disaster
right.
So
what
happens
when
you
have
a
disaster?
A
You
want
like
a
recovery
to
the
previous
point
of
the
you
know,
either
by
using
recovery
point
objective.
It's
basically
like
the
time
that
you
wish
to
recover
to
the
otherwise
RPO
is
how
much
time
you
take
to
recover
that
in
pivotal,
Cloud
Foundry,
we
got
a
product
called
parsh.
We
we
try
to
convince
our
customers
to
tree
the
platform
to
be
more
ephemeral
and
we're
basically
like
a
lot
like
even
banking
system.
A
We
recommend
them
to
repay
the
whole
environment
right
tree
to
be
ants
ephemeral
and
as
long
as
they
have
the
high
availability
which
our
products
provides.
I
weighed
this
car,
the
VN
like
every
24
hours
and
doing
some
rolling
repaving
when
we
call
repaving
we'll
be
paving
all
the
VMS
within
24
hours,
so
assume
like
you've,
got
like
a
security
attack.
A
As
someone
like
even
inside
the
employee,
they
play
something
like
that:
a
newer
virus
all
like
they
got
like
some
meat
mine
in
the
middle
of
an
attack
to
call
your
certificate,
but
because
you
just
discard
the
whole
VM
right,
you've,
trees,
everything
to
be
ephemeral
and
its
repaving
everything,
and
that's
actually
like
just
the
the
minimize,
the
security
risk
and
the
security
attack,
but
that's
the
concept
of
repaving.
What
we
want
like
keep
reiterating
in
this
talk,
maybe
you
want
to
chamber
a
little
bit
more
here
sure.
C
So
the
big
idea
here
is
that
the
hardest
target
to
hit
is
a
moving
target
right.
So
the
idea
is,
if
we
look
at
a
recovery
point-
and
we
set
that,
for
let's
say
every
24
hours,
so
we
won't
lose
data
any
longer
than
24
hours
in
the
past
and
we're
it
takes
us.
You
know,
say
four
hours
to
roll
off
the
entire
environment,
then
we're
going
to
continuously
do
that,
knowing
that
we
have
a
safety
net
there
between
our
objective
and
our
time
recovery.
A
Yeah,
so
we
definitely
want
to
talk
a
little
bit
how
we
can
secure
the
pipeline,
but
before
that
I
want
what
is
the
standard
delivery
pipeline?
It's
ready
for
application.
So
pivot-hole
like
we
like
to
automate
everything.
We
regard
our
products
about
conkers
and
we
using
conkers
to
support
pipeline
right.
So
TV
CS
is
specific
to
the
version
system.
Kill
hobby
is
a
standard,
TV
CS
and
you
can
have
like
the
CBS
and
other.
You
know
version
system.
A
So,
basically,
like
you
checking
the
code
to
your
DVCS
and
and
then
you
start,
Union
tasking
start
building
your
boundaries
and
your
containers,
docker
images
and
then
push
to
artifactory
or
like
darker
registry,
and
then
assume
you
have
a
platform
as-a-service
here
and
you
basically
like
pool
the
images
or
boundary
and
deploy
to
different
environments.
We
call
this
is
build
ones
and
promotes
two
different
environments.
This
is
cool
right,
so
you
can
continuous
delivery
as
long
as
you
check
in
the
code
but
like
because
we
got
this
automation.
A
A
So
we're
going
to
explain
like
some
like
prototype
or
principles,
to
secure
your
pipeline
and
make
sure
you
don't
get
like
something,
some
malicious
code
into
your
production,
so
the
first
one
is
defining
the
supply-chain
thread
and
no
matter
whether
using
github
or
CVS,
something
that
something
about
that
they
always
have.
This
sign
the
commit
feature
right
basically
like
a
developer.
They
have
authorized
keys
right.
This
is
a
kind
of
like
all
authentication
and
authorization
and
github
definitely
have
this
feature.
B
A
The
from
the
github
you
busy
doing
the
signature
verification,
because
public
with
public
kids
were
pre-installed
over
there
and
the
same
concept
about
another
data
is
your
boundaries
of
darker
images.
You
want
like
a
sign
the
commits
by
using
the
builds
you
during
the
build
phase
and
the
artifactory
you
when
you're
pulling
the
data
from
the
artifactory
or
darker
image
you
you
basically
like
make
sure
the
signature
verification.
Also
over
there
and
again
you
don't
have
to
do
that
by
ourselves
right.
A
So,
if
you're
ever
using
torque
or
IO,
and
you
don't
to
use
the
darker
content
and
trans,
that's
you
expose
yourself
to
something
like
security
risk,
I,
always
trying
to.
If
you're
working
on
a
before
Enterprise,
using
darker,
counting
trust
and
I.
Remember
we
have
some.
You
know:
harbor
harbor
insert
order
registry.
You
know
it's
kind
of
like
enterprise
level,
docker
registry.
A
It
has
like
a
notary
and
whenever
you
push
the
docker
registry
with
a
darker
content,
trance
enabled
and
the
developer
will
Sun
the
image
with
their
private
key
and
then,
when
you
pull
that
it
has
to
be
a
Sun.
If
it
is
not
Sun,
then
the
polling
will
be
fair.
It
will
failing
right,
so
this
is
basically
like
defining
the
supply
chain
thread
by
using
signature,
and
this
is
a
very
standard,
cryptography
way
of
the
secure
pipeline
and
your
data
anything
so.
C
The
primary
reason
why
this
is
labeled
phase
one
is
because
this
is
the
first
place
of
which
you
can
start
doing
rotation
of
those
keys
to
make
sure
that
the
development
force,
that's
contributing
to
that
codebase
is
active.
So,
like
you
know,
if
you
have
several
companies
that
you
outsource
your
development
to
and
you
as
a
company
as
though
as
the
provider
that's
gonna,
take
those
and
put
it
in
front
of
the
end-user
unit.
C
Don't
necessarily
know
who's
been
hired,
who's
been
fired
in
those
different
companies
right
so
and
then,
if
they
fire
somebody,
but
then
their
key
or
or
you're
not
using
keys
at
all,
then
they
can
and
they
may
still
have
access
to
contribute
to
your
code,
repo,
which
then
means
that
they
can
inject
that
malicious
code.
So
phase
one
is
being
able
to
rotate
those
developer
credentials
so
that
they
have
to
check
in
with
you
on
whatever
that
policy
is,
let's
say
you
rotated
every
30
days.
That
means
every
30
days.
C
You
know
exactly
who
is
still
hired
by
that
particular
company
and
who's
authorized
code
contributors
and
you
can
trace
every
line
of
code
back
into
the
sign
commit.
So
you
know
exactly
who
wrote
the
code
if
there
is
some
sort
of
malicious
intent,
so
this
is
phase
one
where
you
can
actually
impact
your
security
on
on
the
very
initial
part
of
that
supply
chain.
A
Yeah,
the
other
one
is
the
limiting
C
ICD
breakout
Explorer.
There
are
two
points:
I
want
to
talk
about.
First
one,
is
you
wanna
like
secure
data
in
transit
right,
so
we
talked
about
like
the
signature
on
the
static
data,
but
like
for
the
security,
the
data
in
transit,
you
want
to
enable
TLS
and
like
sometimes,
we
also
want
to
like
using
mutti
I
asked
for
the
mutual
trust
before
between
the
client
points
and
several
points,
so
I
always
use
TLS.
A
Some
people
argue
that
you
know
this
is
the
internal
system,
but
you
also
want
to
avoid
the
man-in-the-middle
attack
and
also
there
may
be
some
inside
the
employee
that
can
thicken
do
security
attack
on
your
system,
so
always
using
TLS
and
mildew
tiaras
and
the
other
one
is
the
the
local
environment,
the
credentials
to
be
local
environment
right
so
limited
your
credential
to
local
environments,
for
example.
You
don't
want,
like
the
the
build
stage
of
deploy
to
tasks
to
have
the
credential
overlap
with
the
deploy
to
QA.
I
saw
a
lot
available.
A
C
So
why
we
call
this
phase.
2
is
because
this
is
the
second
area
where
you
can
have
the
big
impact
on
your
actual
security.
The
big
impact
is
that
you
have
no
transference
so,
even
though
shoutian
or
I
might
be
able
to
use
stuff
in
production
and
do
stuff
and
test
and
maybe
leave
when
we
do
code
contributions.
What
typically
happens
is,
it
seems,
like
common
sense,
like
only
have
the
credentials
for
that
specific
environment.
But
what
would
happen
is
like.
Oh,
hey,
it's
key.
Let's
go
ahead.
C
He
should
know
he
has
permission
to
do
that
stuff
from
production.
Let's
give
him
permissions
on
his
account,
so
I
sign
in
once
and
suddenly
I
can
access
every
environment.
Well,
if
I
get
grumpy,
that
means
I
can
affect
everything
all
the
way
into
production
and
that's
a
bad
practice.
So
the
very
first
thing
is
like
no
transference
between
those
properties
in
the
environment.
That's
a
one
key
area
that
you
can
definitely
lock
down
and
keep
that
regulated.
C
So
that
means,
even
if
I
can
talk
somebody
in
to
give
me
a
credential
on
the
build
team
or
talk
somebody
into
giving
me
a
credential
attest.
I
still
can't
get
to
production.
You
see
so
that
I
am
very
limited
in
what
I
can
actually
do
and
then
the
second
thing
is
using
TLS
and
transit.
You're
gonna
rotate
those
those
certificates
out
right.
C
So
those
things
will
always
be
reactive,
but
you
also
can
IP
whitelist
between
those
particular
environments,
so
that
you
only
have
point-to-point
actual
authorization
to
actually
get
in
that
environment
through
another
specific
environment,
and
so
this
also
limits
your
breakout
potential
and
this
particular
thing.
So
this
is
why
we
call
it
phase
2
of
impact
on
your
security.
A
Yeah,
the
other
thing
is,
if
application
or
data
integrity
again,
this
is
building
into
github
or
torpor
registry
and
basically
like
the
github.
When
you
push
the
code,
if
they
will
conceal
the
hash
a
pound
like
what
kind
of
like
files
you
have
by
the
way
you
pull
the
data,
it's
it's
going
to
compare
the
hash
again
and
then
do
some
verification.
This
will
guarantee
you
that
you
know
if
someone
plays
some
malicious
code
and
the
integrity
will
be
there.
Along
with
like
a
signature
verification,
we
can
have
a
strong
application
integrity.
Yes,.
C
Oh
yeah,
this
is
this
is
really
good,
because
this
is
what
we're
this
is
the
heart
of
what
we
want
to
talk
about
today,
which
is
the
application
code
as
the
unit
of
currency
that
moves
through
the
entire
system.
This
is
what
we're
going
to
both
secure
it
up
to
this
point,
but
also,
as
we
bolt
on
other
things,
make
it
a
consistent
experience
across
that
applications,
evolution
and
what
that
means
is
that
my
coder
doesn't
have
to
know
anything
about
security
downstream.
C
They
don't
have
to
know
anything
about
what
it
looks
like
in
production
and
what
they
need
to
do.
They
don't
need
to
know
about.
You
know
how
to
configure
middleware
services
or
databases.
All
that
stuff
is
we're
about
to
show
you
how
that
stuff
is
handed
to
them.
Well,
what
we're
doing
is
we're
now
taking
delivery
of
the
code
that
they've
committed
into
our
particular
environment
and
going
to
move
it
and
graduate
it
up
into
production,
and
so
looking
at
that
unit
of
currency
over
the
next
slide.
C
C
We
already
know
that
the
code
is
safe
at
this
point
in
time,
but
we
need
a
lot
of
other
things
to
it
that
actually
make
it
viable,
and
so
some
of
those
things
are
first,
you
know
we're
talking
about
cloud
scale,
so
we
need
to
know
what
are
the
available
host
so
workload
capacity?
How
do
we
balance
this
across
all
of
our
other
tenants
on
that
particular
piece
or
within
our
company,
all
the
other
application
workloads
that
are
on
there?
So
we
look
for
available
hosts.
C
We
configure
on
top
of
a
harden
container,
so
what
the
hardened
container
we'll
talk
about
it
in
a
little
bit,
but
really
what
it
is,
is
it's
a
stripped-down
operating
system
that
is
only
there
that
has
just
a
necessity
necessary
libraries
in
order
to
run
the
container
itself.
So
this
means
that
it's
actual
attack
a
threat
surface
is
very,
very
small
as
well
compared
to
a
and
operating
system.
C
We
might
only
have
35
to
40
system
libraries
in
there
that
could
be
exposed
and
they're
very
easy
to
monitor
and
fix
an
update
with
CDs
and
patching,
and
we
want
to
grab
all
the
backing
services.
So,
like
I
said,
we
don't
want
them
to
worry
about
how
to
configure
the
database
how
to
cluster
the
database.
Do
these
type
of
things.
We
just
need
to
know
that
they
need
a
database
to
use
so
we're
gonna,
inject
the
environment,
variables
and
the
connection
logic
into
the
actual
application
automatically
for
them.
C
We're
gonna,
pull
that
application
source
code.
We're
gonna,
create
the
package,
we're
going
to
configure
the
dependent
service
and
then
we're
gonna
schedule
that
add
that
container
to
start
and
then
what
we
got
to
do
is
start
looking
at
the
production
quality
stuff.
So
we
need
to
know
like
if
we
want
to
run
in
a
high
availability
configuration
well,
we
need
to
consider
things
as
a
platform.
C
We
need
to
consider
things
like
what,
if
an
entire
availability,
it
goes
down
what
if
an
entire
region
goes
down,
so
we
need
to
scale
up
a
number
of
instances
across
different
availability
zones
and
different
regions
so
that
we
can
survive
an
entire
region
going
down,
so
we're
gonna
handle
that
for
them
automatically
we're
gonna
look
at
setting
the
route,
the
SSL
termination,
the
configurational
load
balancer
all
of
this
stuff.
If
you
think
about
it,
this
is
applied
against
every
single
application
that
goes
out
there.
C
So
we
have
a
consistent
like
we
don't
forget
to
do
a
route
or
we
don't
forget
to
set
the
firewall
against
it.
We
don't
forget
to
do
the
SSL
termination.
This
is
all
done
automated
for
us,
and
the
developer
doesn't
know
anything
about
that,
so
they
don't
have
to
concern
themselves
with.
How
does
SSL
termination
work?
How
does
the
load
balancer
work?
We
take
all
that
stuff
away
from
them
and
make
this
all
the
way
automated
until
we
get
the
app
into
production.
A
Wanna
say
like
we
already
achieved
this
with
a
CFA,
our
physical,
our
foundry
distribution.
We
are
working
a
lot
on
premise:
distribution
of
a
peak
es
which
is
kubernetes
very
wise.
If
you
ever
worked
with
it
at
the
vm
work,
we
we
partnered
with
the
VMware
on
SXT
basis,
like
it's,
provided
a
lot
container
to
container
container
networking
network
policy
and
also
distributed
firewall,
and
we
are
trying
to
like
and
like
more
and
more
features
in
the
in
the
automation
way
to
to
create
a
secure
pipeline
to
make
sure
we
deliver.
C
So,
as
you
look,
we
we
basically
packaged
everything
we
needed
to
get
the
application
of
production
so
now
we're
in
the
run
sign
a
portion
of
this.
So
this
is
phase
4.
This
is
how
do
we
impact
the
run
sign
and
just
quick
shout
out,
and
that
of
Seth
is
a
platform
architect
for
us.
I
borrowed
these
this
diagram
from
him,
because
it
was
very
useful
to
talk
about
some
of
these
things.
C
We
also
do
filesystem
isolation
in
there
so
that
you
can't
impact
other
aspects
of
the
filesystem
and
then,
of
course,
it
runs
on
top
of
the
hardened
container
image,
which
is
what
we
were
talking
about
before.
So
we
have
both
the
stem
cell,
which
is
the
VM
level
operating
system.
That's
been
stripped
down
to
just
run
containers,
and
then
we
have
the
container
root
filesystem
and
there
we
do
would
like
an
overlay
on
top
of
that,
which
means
that
the
application
itself,
the
binaries,
are
in
a
very
small
read/write
layer.
They
have
very
little
impact.
C
A
It's
just
one:
toggle
is
beyond
the
stem
cell
right.
So
the
way
PCR
works
with
a
stem
cell
is
so
we
retrieve
the
stem
cell
as
a
VM
templates
right.
We
have
a
securities
hardening
pipeline,
it's
running
every
day.
It's
if
there's
a
CVE
comes
in
and
this
pipeline
we
will
just
apply
the
patch
and
it's
january,
the
stem
cell
VM
templates
for
each
infrastructure
as
service.
A
It
applies
GCP
or
vSphere,
and
this
kind
of,
like
stem
cell
actually
applies
to
both
kubernetes
and
Cloud
Foundry
distribution,
and
they
are
the
only
thing
is
like
we
for
Cloud
Foundry.
We
have
this
root
filesystem,
but
since,
since
you
can
have
this,
what
I
call
the
the
docker,
and
so
you
can
pull
the
docker
image,
is
now
like
as
hard
and
as
Cloud
Foundry.
A
C
Of
them,
the
next
slide
so
continue
yeah
continuing
on.
We
look
at
network
namespace,
and
this
is
how
we
do
network
isolation
with
port
virtualization.
So
the
reason
I'm
showing
you
all
these
different
pieces
of
this
is
because
these
are
all
the
things
that,
as
so,
the
Cloud
Foundry
application.
Runtime
is
a
little
bit
more
mature
than
the
container
runtime,
but
we're
working
to
make
the
same
level
of
parity
inside
of
kubernetes
so
that
you
have
the
same
level:
security
within
the
actual
container
itself
and
then
ruas
containers.
C
Obviously
you
know,
anytime
that
you
have
a
bridge
between
your
root
vm
and
your
container
vm
and
in
any
of
those
accounts
you
have
a
problem
because
you
can
escalate
privileges.
You
can
break
into
the
actual
root,
vm
+
f8
those
privileges
and
do
some
more
malicious
stuff,
so
with
Ruis
containers.
What
this
means
is
that
there's
no
concept
of
mapping
between
a
user
in
the
container
and
a
user
on
the
vm,
which
means
there's
no
way
to
break
into
the
vm
and
elevate
those
privileges.
C
C
And
then
we
talked
about
this
a
little
bit,
which
is
the
continuous
zero
down
si
de
patching
because
of
these
contracts.
We're
really
trying
to
get
to
is
this
particular
model.
This
allows
us
to
swap
out
vulnerabilities
if
we
discover
a
vulnerability
like
a
virus
itself
or
some
sort
of
malicious
piece,
we're
able
to
rotate
out
that
stem
cell
without
impacting
any
of
the
actual
user
base
right.
So
as
we
do
this
canary
style
deep
deploy,
we
can
actually
move
the
user
access
to
a
different,
a
different
VM,
a
rotate
out.
C
C
And
so
again,
your
user
experience
doesn't
go
down,
but
then
you're
also
still
focus
very
focused
on
the
security
aspects
of
of
that
stem
cell
and
of
the
root
filesystem
itself,
and
so
this
same
concept
is
exactly
what
we're
doing
in
on
the
PKS
I,
which
is
the
kubernetes
offering
which
is
looking
at
those
root
file
systems.
And
how
are
we
going
to
rotate
that
out
from
from
the
actual
doctor-doctor
registry?
C
The
next
part
of
this
is
the
other.
Continue
studies
advanced
persistent
threat.
So
what
an
advanced
persistent
threat
is
it's
the
type
of
code
that
gets
into
your
system
doesn't
act
right
away.
It
sits
there
for
a
while,
and
it
learns
about
your
system
and,
as
it
gathers
more
and
more
information
about
your
system,
then
it
gets
ready
to
do
an
attack.
It
says
I've
now
discovered
the
IPS
I've,
now
discovered
the
types
of
file
systems
or
operating
systems,
I
now
to
discover
all
these
different
things
and
now
I'm
going
to
launch
an
attack.
C
So
how
we
get
rid
of
this
is,
we
assume
a
zero
trust
network
right,
and
this
is
what
you
want
to
look
at-
is
all
your
components
that
make
up
your
distributed
operating
system,
whether
which
it,
whether
it's
a
platform
as
a
service,
whether
it's
your
own
distributed,
offering
what
you're
doing
is
through
mutual
TLS
between
the
components
we
ensure
that
you
know
you're
stuck
on
one
side
of
the
other.
We
rotate
out
those
credentials.
C
If
we're
setting
this
for
a
24-hour
period,
that
means
you
have
less
than
a
day
to
get
in
learn
about
the
system
launch
an
attack
to
some
other
system
component.
Even
if
you
did
you're
gonna
be
stopped
by
the
TLS
command,
a
TLS
aspect
of
that,
and
even
if
you
did,
that,
24
and
24
hours,
you're
gonna,
be
wiped
off
and
have
to
start
again,
and
so
this
is
phase
five.
C
This
is
when
you're
bringing
everything
together:
you're
repaving
your
entire
stuff,
you're
rotating,
all
your
credentials
out,
you're,
updating
all
your
your
certificates,
so
that
they're
new
and
current
you're
you're
getting
rid
of
any
disgruntled
users
that
happen
to
still
be
in
the
system,
because
you've
rotated
those
things
out
and
you've
brought
it
all
together
into
like
a
final
vision
of
how
to
continuously
move
this
target
for
attackers
to
try
to
hit
and
here's
the
zero
duds
model
rotating.
All
those
system
credentials
jump.
C
I
just
kind
of
combine
a
ball
and
then,
finally,
if
you
look
at
what
this
looks
like
so
for
us,
this
is
what
we
do.
So
you
know
wash
is
how
we
actually
manage
all
these
things
in
a
consistent
fashion,
so
whether
it's
Bosch
or
at
some
other
release
management.
That's
you
know
totally
up
to
you
guys.
Well,
what
it
does
is,
if
you
can
see
you
know
you
combine
in
a
sixty
with
like
the
Software
Defined
Networking
piece
that
does
a
container
level
security
perimeter
security.
C
Then
inside
each
of
these
big
boxes,
you
did
the
component
level
credential
rotation
and
the
repaving
of
those
platforms,
and
then
you
can
and
then
you
can
continuously
update
the
the
vulnerabilities
through
the
actual
virus
piece,
and
so
all
these
things
give
your
platform
operations
team,
a
single
user
experience
of
how
to
actually
manage
this
thing
from
a
security
aspect.
It
gives
you
consistent
security
model
across
any
of
the
type
of
workloads
that
you're
dealing
with,
including
the
the
networking
piece
as
well.
So
it's
pretty
much.
C
You
know
you've
thought
from
the
beginning,
from
your
developers
all
the
way
through
to
production
and
how
you're
going
to
manage
that
in
in
terms
of
the
runtime
you
go
to
the
last
slide
and
so
to
bring
this
all
together
phase
one.
You
know
the
thing
you
can
start
with
his
aggressive
rotation
of
those
developer
credentials
or
key
developer
keys
phase:
two
is
rotation
of
the
environment,
credentials,
endpoint,
IPS
and
dynamic
management
of
those
in
points.
C
So
this
is
your
in
your
TLS
in
transit,
IP,
whitelisting
from
point
one
to
point
two
and
then
rotating
that
search,
so
those
are
always
consistent
are
always
current
and
then
phase.
Three
is
the
continuous
verification,
the
application
integrity.
So
this
means
that,
even
if
somebody
attacked
me
in
the
middle
of
that
process
like
post,
build
but
pre
deployment
in
operations,
I
would
immediately
see
the
hash,
inconsistencies
and
I
would
know
the
application
was
tampered
with
and
then
once
I
get
into
runtime.
C
Is
that
making
sure
that
it's
only
something
that's
authorized
to
run
in
there
and
if
it
ever
broke
out
restricting
its
movement?
So
they
can't
go
anywhere
else,
and
so
that's
phase
four
and
then
phase
five
is
bringing
that
all
together
and
doing
all
the
different
pieces,
including
me
at
least
privileged
on
the
container
and
renewal,
those
authorizing
credentials.
So
all
these
brought
together.
C
B
C
A
You're
talking
about
the
image
is
signing
right,
so
there's
a
there's,
a
framework
called
top
right.
It's
a
tu
F
is
updated
framework
which
is,
is
it's
are
being
adopted
in
the
darker
world,
so
like
dr.
Doyle
or
the
other
one
is
called
harbor
I
think
you
know
other
vendors.
They
have
docker
registry.
Provide
that
feature
as
long
as
you
enable
darker
content
once
or
if
you
Google
darker
content.
Trust
I
probably
cannot
Google
here
despite
the
darker
content,
trust
and
it
you
know,
once
you
enable
that
you
started'
pull
push.
A
The
image
is
automatically
signing
the
image
and
using
this
update
framework,
the
other,
the
other
terminologies
called
notary
service,
notary
services,
kind
of
like
implementation
of
tough
and
yeah.
To
answer
a
question
directly
like
this
is
our
ability
into
talker,
though,
all
like
you
know,
commercial
Darkrai
registry
as
Harper
is
very
transparent
to
developers.
C
Yeah
your
biggest
level
of
effort
and
that
is
managing
actual
keys
themselves,
so
you're
gonna
have
to
create
some
sort
of
internal
company
process
that
does
it
on
a
on
a
cycle
like
hey
every
30
days.
We
regenerate
these
keys
and
then
we
hand
these
things
out.
How
do
we
make
sure
that
these
things
are
done
or,
if
you're
doing
it
within
the
image
signing
it's?
How
are
we
going
to
actually
manage
those?
C
What
kind
of
cadence
are
you
going
to
manage
those
keys
on,
but
the
actual
how
it
works
is
very,
very
straightforward,
because
it's
built
into
a
lot
of
the
technologies
today,
it's
just
more
the
difficulties
getting
your
company
to
enforce
that
policy,
so
that
it
is
actually
done
on
a
regular
basis.
Any
other
questions.
B
B
C
C
So
if
your
technology
already
has
it,
then
I
would
make
sure
that
you're
taking
advantage
of
a
technology
that
already
has
that,
if
it
does
not,
then
things
like
you
know
how
you're
managing
your
containers
and
runtime
is
probably
the
most
critical
right,
because
this
is
your
if
you
think
about
it
from
a
user
perspective,
where
does
your
user
give
you
personal
information
through
your
application?
Where
does
your?
Where
is
the
most
exposure
to
the
outside
world
through
the
runtime
in
the
application?
C
Where
is
it
that
most
likely
folks
are
going
to
attack
your
production
environment?
So
you
really
want
to
start
with
your
production
environment
and
making
that
secure
and
then
work
your
way
back
into
the
less
threat
bottles.
You
always
look
it
up
from
the
threat
where's
the
greatest
threat.
The
greatest
threat
is
wherever
it
touches
the
internet
and
the
most
people
have
access
to
it
right.
That
is
most
likely
where
your
threat
is
going
to
come
in
each
of
the
edge
cases
which
are
like
insider
threat.
C
Those
are
those
tend
to
be
edge
cases
that
don't
happen
as
frequently,
so
you
always
want
to
approach
it
and
like
it,
the
escalating
sort
of
thing
most
most
important,
but
most
likely
to
lease
likely
and
so
I
would
really
focus
on
your
actual
runtime.
It
would
be
the
first
thing
that
I
would
try
to
try
to
work
out
how
your
end
time
works.
B
C
C
B
C
D
B
B
B
B
C
So
both
so
what
this
is
is
this
is
born
out
of
Sochi
I
have
been
doing
this
for
a
long
time
with
a
lot
of
fortune
100
companies,
and
so
this
is
borne
out
of
our
experience
when
working
with
those.
So
some
of
these
things
like,
if
you
look
at
phase
four
like
yes
Cassandra
already,
does
that,
but
this
isn't
a
cloud
foundry
Talk.
This
is
a.
This
is
the
type
of
thing
that
you
have
to
do
some
way.
C
If
you
choose
the
technology
like
say
Papandreou,
it's
already
done
that's
great,
but
if
you
want
to
do
yourself,
that's
fine,
but
you
need
to
think
about
this.
This
kind
of
thing,
but
you
know
we
come
in,
and
we
do
a
lot
of
these
things
with
our
customers
as
an
additional
value
that
we
provides
them
because
of
our
experience
with
all
these
companies
understand
so
yeah.
This
isn't,
like
a
must
add.
This
is
more
like
experiential,
like
what
we've
done
in
the
past.
C
That
has
worked
out
really
well
like
there
are
security
teams,
a
look
at
this
and
they
say
that
makes
sense.
This
is
what
we
want.
You
know-
and
this
is
how
we
do
it
so
that
that's
what
this
is
born
out
of,
just
to
kind
of
give
you
guys
ideas
of
the
things
that
you
have
to
think
about
from
a
Brett
perspective,
for
free
to
your.