►
From YouTube: A 10 Step Guide for Integrating Security Metrics Into Your Observability Stack - Anais Urlichs
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Keynote: A 10 Step Guide for Integrating Security Metrics Into Your Observability Stack - Anais Urlichs, Developer Advocate, Aqua Security
The Prometheus ecosystem makes it possible to integrate all your metrics and their management in one tool. This provides several benefits such as correlating metrics from different services, which in turn enhances decision making and acting upon changes of your application. The health of our application is highly dependent on its security. Thus, integrating your security tooling with your observability stack will not only make it possible to utilise existing processes but also make your application stack more robust.
In this lightning talk, Anais will walk you through a 10 step guide for integrating Trivy metrics with Prometheus and its benefits. Trivy is an open source security scanner, and will be used as an example. However, alternative tools such as Kubescape will be mentioned.
A
Hello,
everybody
and
thank
you
so
much
for
joining
me
here.
At
my
talk
at
10
step
guide
for
integrating
security
metrics
into
your
observability
stack
at
Prometheus
day
2022.
My
name
is
Anis
olis
I'm,
the
open
source
developer
Advocate
at
Aqua
security
before
that
I
was
working
as
that
reliability
engineer
at
our
Cloud
native
startup
in
the
UK
I
also
have
a
four
months
old
puppy.
That
is
keeping
me
quite
busy
and
prevents
me
from
traveling
right
now
here
she
is
now
I'm
really
excited
to
present
to
you
over
the
screen.
A
Instead,
last
year,
my
manager
at
the
time
and
I
gave
a
talk
about
our
observability
stack,
our
setup
of
our
super
clusters
and
all
of
the
tools
all
of
the
operators
that
we
use
within
to
get
insights
out
of
those
clusters
and
out
of
the
tenant
clusters
to
us
to
be
able
to
act
upon
them.
Now,
at
the
time
we
were
talking
very
little
about
any
security
related
tooling
that
we
are
utilizing
or
integrating
with
and
that's
kind
of
when
I
joined
Aqua.
A
That's
how
it
all
came
about
that
I
thought
to
myself
who
actually
said
reliability,
engineering
and
security.
Cloud
native
security
are
closely
related
and
you
can
easily
integrate
Cloud
native
security
into
your
observability
stack
and
that's
what
I'm
going
to
show
you
in
those
next
10
steps,
now
I
kind
of
put
out
these
10
steps
and
along
the
way,
a
lot
of
times
when
you're,
integrating
with
a
new
area
within
a
cloud
native
space
with
new
set
of
tools,
you
will
experience
different
emotions.
A
It
might
all
make
sense
at
some
point,
and
in
the
next
moment
it's
just
all
very
frustrating
and
nothing
seems
to
work
but
I
promise
you
there's
always
a
Finish
Line,
where
things
look
nice,
where
things
work
within
your
environment,
with
new
cluster
So
within
the
next
slides,
I'm
gonna,
walk
you
through
Clinic
security
scanners
and
then
how
to
integrate
them
into
your
monitoring
stack
and
along
the
way.
I'm
gonna
outline
some
of
the
do's
and
don'ts
of
that
now.
The
first
step
is
understanding
your
need.
A
Now,
your
need
will
be
different
depending
on
the
size
of
your
team.
If
you're
an
individual
contribute
a
maintainer
of
an
open
source
project
or
you,
if
you're
working
with
an
alleged
scale
team-
and
you
actually
have
a
security
team
who
is
also
working
on
the
security
of
your
applications,
now
here
is
a
list
of
needs
of
things
that
device
engineering
team
wanted
to
solve
for
by
developing
their
security
service
platform
Integrations.
A
So
the
first
thing
is,
they
want
to
assign
ownership
of
vulnerabilities,
meaning
vulnerabilities
cannot
just
get
ignored,
they
have
a
clear
owner.
The
second
thing
is
a
global
view
of
the
security
state
of
services.
They
don't
want
to
have
everything
broken
down
in
individual
reports
on
specific
applications,
but
have
a
global
view
of
those.
A
Then
next
develop
a
dashboard
for
different
uses
and
requirements.
So
different
people
within
a
team
can
look
at
different
components
of
the
security
state
of
the
services
and
then
the
last
thing
is
overcome
difficulty
to
use
different
uis
a
lot
of
times
when
we
integrate
with
new
tools
with
new
platforms.
We
end
up
having
to
use
a
new
UI,
and
the
problem
of
that
is
that
we
have
to
actually
open
up
those
new
eyes
separately
and
introduce
completely
separate
workflows
and
a
lot
of
times.
A
We
end
up
not
opening
those
different
tabs,
but
actually
sticking
to
what
we
already
know.
Now.
Here's
the
link
to
the
blog
post,
I
highly
suggests
the
wheat.
It's
really
detailed
and
well
explained
so
once
we
Now
understand
our
need,
we
have
to
choose
a
cloud
native
security
scanner.
If
you
follow
me
on
Twitter,
you
might
have
come
across
this
graphic
of
different
security
scanners,
open
source
security
scans
across
the
cloud
native
space.
A
Now,
since
I
want
to
integrate
the
security
scanner
into
our
observability
stack,
which
runs
as
kubernetes
resources
within
our
custom
we're
going
to
focus
on
in-cluster
security
scans,
the
main
tools
there
are
trivia
and
cubescape
I'm
going
to
use
trivia
because
cause
I'm
biased,
but
you
can
use
any
tool
as
long
as
it
allows
you
to
export
metrics
and
it's
producing
metrics
of
those
security
reports.
The
additional
benefit
of
actually
integrating
a
security
scanner
within
your
cluster
is
that
if
everything
is
a
kubernetes
resource,
you
can
use
the
same
processes
across
your
stack.
A
So
if
we
are
using
an
in-cluster
security
is
kind
of
inside
of
our
kubernetes
cluster,
we
can
integrate
that
tool
with
all
of
our
other
tools,
such
as
our
observability
stack.
So
that
leads
us
to
step
three
setting
it
up
and
making
sure
everything
is
running
properly
and
that's
probably
the
most
difficult
step
that
will
require
lots
of
trial
and
error
a
lot
of
times.
So
here's
kind
of
the
process
identify
the
best
installation
options.
A
Then
the
next
thing
is
that
you
have
to
decide
upon
the
configurations
that
you
want
to
have
for
those
handshots
photos
applications.
So
you
can
see
here
the
screenshot
of
my
demo
application
that
you
can
also
find
linked
at
the
end
of
the
slides,
where
I
have
worked.
Some
of
my
different
values,
files
that
I
pass
into
my
handshots
upon
insulation.
A
So
here's
an
overview
of
the
cluster.
We
have
our
application
namespace.
That
could
be
anything
right.
Then
we
have
our
monitoring
namespace
with
Prometheus
and
grafana
running
I'm,
a
huge
fan
of
the
acute
Prometheus
structure
that
just
installs
kind
of
Everything
at
Once,
which
is
great.
You
can
obviously
also
use
additional
tools,
I'm
going
to
highlight
Loki
at
the
end
as
well
towards
the
end,
but
our
main
focus
is
really
in
the
stock
on
Prometheus
and
grafana,
integrating
our
security
scans
within
that.
So
our
security
scanner
is
a
tribute
operator.
A
So
here's
what
you
will
see
in
the
trophy
system:
namespace,
we
have
a
normal
replica
set
deployment
and
a
service
running
and
that
will
produce
metrics
metrics
on
your
vulnerabilities
metrics
on
your
exposed
secrets.
Are
there
any
exposed
Secrets
within
your
cluster
and
then
also
metrics
on
your
airbag
configurations
and
on
your
configurations
on
any
Miss
configurations
of
your
running
resources?
A
Now
this
is
obviously
lots
and
lots
of
metrics
everything
really
difficult
to
filter
through
the
more
applications
you
will
have
running
within
your
cluster,
the
more
difficult
it
will
be
to
filter
through
that
and
that's
where
we
obviously
need
Prometheus
and
then
nice
dashboards
in
grafana,
now
I
could
filter
for
specific
metrics
through
Prometheus.
In
this
case,
I
went
ahead
and
set
up
in
step.
Four,
a
dashboard
with
kafana,
so
I
took
a
dashboard.
That's
out
there
on
the
grafana
repository.
There
are
lots
of
different
dashboards
with
trivia.
A
We
also
have
an
official
dashboard
with
to
read
it
kind
of
looks
similar
to
this
one,
and
now
you
can
see
here
that
we
have
several
different
types
of
vulnerabilities
and
that's
our
first
filter
point.
So
we
can
filter,
for
example,
by
critical
vulnerabilities.
We
have
a
total
175
vulnerabilities
and
on
this
part
of
the
dashboard
just
shows
the
vulnerabilities.
We
can
look
at
other
parts
of
the
dashboard
for
the
other
reports
But.
Ultimately,
this
is
already
a
lot
more
easier
to
consume
than
actually
working
at
the
metrics
directly.
A
So
the
next
step
step
5
avoid
vulnerability.
Health.
Now,
in
this
case,
I
don't
have
much
money
with
my
class
set.
Nobody
have
175
vulnerabilities,
so
the
more
you
have
running
the
more
vulnerabilities
you
will
probably
have
reported
with
in
your
security
scans
took
the
screenshot
here
from
Alex
Jones
on
Twitter,
saying
I
just
give
up
and
die.
No,
then
he
had
in
his
cluster
or
like,
in
whatever
reasons
he
was
scanning
over
500
vulnerabilities.
A
You
run
a
scam,
you
see
that
you
have
lots
and
lots
of
vulnerabilities,
and
then
you
never
look
at
the
dashboard
again
and
you
just
ignore
it,
and
it's
actually
one
of
the
benefits
within
your
security
scanning
that
you
don't
actually
need
well.
In
the
end,
you
don't
need
security
scanning
to
deploy
your
application,
you
can
deploy
an
application
and
you
can
have
happy
customers,
even
if
you
have
highly
critical
vulnerabilities
within
your
cluster
with
a
new
application.
A
So
here
are
some
of
the
possible
strategies
that
you
can
use
to
avoid
vulnerability
Health.
The
first
one
is
ignore
all
but
critical
vulnerabilities
just
look
away
now.
This
is
a
great
way
to
get
started
somewhere,
because,
ultimately,
you
have
to
get
started
somewhere
and
that's
usually
the
most
difficult
part.
Where
do
I
get
started
once
you
have
that
step,
you
can
expand
it
and
you
can
actually
look
at
other
security
issues
as
well,
but
start
with
the
critical
ones,
don't
scan
everything
at
once.
A
There's
really
no
need
to
scan
all
of
your
visas
at
once.
It's
getting
the
most
used,
the
most
critical
resources
within
your
infrastructure
within
your
applications
track
first
and
then
expand
from
there
filter
by
known
vulnerabilities
that
have
a
fixed
like
a
fix
available.
If
you
have
over
500
vulnerabilities
within
your
resources,
But,
ultimately
most
of
them-
let's
say
half
of
them,
don't
have
a
fix
available.
Yet
you
don't
have
to
pay
attention
to
them
right
then.
A
The
next
room
is
filter,
one
abilities
by
team
and
by
application
and
make
vulnerabilities
concept
context
specific,
there's
no
need
for
one
person
if
you're,
not
the
sole
maintainer
of
a
project,
to
look
at
all
the
vulnerabilities
and
all
of
the
security
issues
by
themselves.
At
once
right,
you
can
be
responsible
for
a
specific
part
for
specific
type
of
security,
scan,
not
everything,
step
six.
What
are
metrics
without
alerts,
it's
great
to
ignore
vulnerabilities
and
that's
why
we
want
to
set
up
alerting.
A
This
is
an
example,
screenshot
of
me
setting
up
a
alert
that
modifies
me
about
new
critical
vulnerabilities
within
my
cluster
in
grafana.
Now
you
can
also
set
up
alerts
for
alert
manager.
There
is
an
example
in
the
example
demo
repository
that
I'm
using
so
you
can
check
that
out
as
well,
but
ultimately,
it's
easy
to
ignore
vulnerabilities.
Give
them
a
voice,
make
them
scream
at
you
until
you
fix
them,
that's
ultimately
the
best
way
since
otherwise
you
can
just
look
away
right
so
make
it
uncomfortable
for
yourself
that
leads
us
to
step.
A
Seven
correlate
metrics
it's
great
to
have
metrics
within
your
grafana
dashboard
and
with
any
existing
monitoring
stack,
because
that
allows
you
to
look
while
you
look
at
security
metrics
to
also
look
at
the
metrics
of
your
deployments,
for
instance.
So
you
can,
for
example,
look
at
well
your
vulnerability
reports
and
you
can
see.
Oh
there
are
lots
more
vulnerabilities.
What
has
happened
there
and
correlate
them
through
other
dashboards
now.
A
The
thing
here
is,
which
is
important,
that
you
have
to
define
those
workflows
for
yourself
for
your
use
case,
for
the
way
that
you
like
to
analyze
dashboards
in
your
application.
So
this
will
look
different
for
everybody.
You
might
not
find
this
really
useful.
Somebody
else
might
find
this
very
useful
right.
So
it's
really
about
to
trial
and
error
figure
out
what
works
for
you
to
make
the
processes
more
understandable,
so
step,
eight,
some
additional
tips,
some
additional
things
that
you
can
do,
some
of
them.
I
already
mentioned
some
of
them.
A
A
You
really
do
not
right
start
small
start
with
tools
that
make
sense
to
you
and
maybe
just
Implement
security
scanning
into
you
see
ICD
pipeline
first,
if
you
don't
want
to
have
it
in
cluster
right
away
or
to
that
extent
right
I
mean
you
can
also
need
to
use
a
combination
of
both,
but
don't
change
up
all
of
your
workflows
and
integrate
it
straight
away
everywhere.
Try
to
understand
the
way
you
integrate
tools
first
and
then
expand
from
there
utilize
existing
workflows,
platforms
and
processes.
It's
really
self-explanatory.
A
People
don't
like
to
get
used
to
new
things.
A
lot
of
times
new
things
will
end
up,
just
not
being
looked
at
again,
being
ignored
in
the
long
term,
failed
to
be
useful
and
that's
why
you
want
to
utilize
your
existing
workflows
as
much
as
possible.
If
somebody
loves
to
work
with
Prometheus
and
girlfriend
and
let
them
work
with
Prometheus
and
Rosanna
and
similar
tools
right
and
then
optimize
based
on
what
works
for
your
team
again,
the
initial
setup
might
be
the
same
for
everyone,
but
everything
else
will
be
completely
different.
A
A
lot
of
times
when
people
have
questions
about
the
trivia
operator
about
trivia
and
related
I
can't
give
a
straightforward
answer,
because
it
will
be
so
much
so
different
depending
on
everybody's
setup.
So
I
really
encourage
you
to
ex
explore
different
options
in
the
setup
and
figure
out
also
look
at
whatever
people
have
been
doing,
for
example,
how
wise
set
up
their
security
scanning
another
project
as
well.
There
are
lots
of
projects
that
talk
about
how
they're
integrate
it
with
trivia,
so
you
can
find
lots
of
lots
of
amazing
resources.
A
Then
the
last
step
don't
stop
at
security
scanning.
You
can
also
integrate
with
other
security
tools
such
as
Tracy
trade,
to
use
ebpf
to
expose
events
on
an
odd
level,
so
you
can
also
integrate
in
the
same
way
other
security
tools
into
your
stack.
Obviously,
that
is
later
on.
Maybe
the
next
step
yeah.
A
Let's
see
here
some
additional
resources,
some
research
that
I
mentioned
first
of
all,
application
security
Journey
from
the
wise
engineering
team,
then
the
acro
open
source
YouTube
channel,
where
we
have
lots
and
lots
of
tutorials
the
trivia
GitHub
repository
and
interview
operator
repository
on
GitHub.
They
are
completely
open
source.
You
don't
have
to
sign
up
you're,
not
sending
us
any
information
related
to
your
scans
or
anything
related
and
then
the
last
thing
is
the
demo
project
that
I'm
used.
You
can
also
find
us
on
slack.