From YouTube: NM CI/CD CDF March Meetup - Palo Alto Networks - Security for a Cloud Native DevOps World
Description
Matthew Barker of Palo Alto Networks explains how to incorporate security into your Continuous Delivery pipeline, starting from container scanning to run-time monitoring with a feedback loop. If you are moving to containers, this is a must see. You will learn why you no longer need to worry about security in a Kubernetes containerized environment. March 5th, 2020.
Introduction

...in the space for over dickey with soda tight, with Twistlock, now with Palo Alto Networks. The last few years I've had a focus on cloud security, before that Docker, Kubernetes security, etc. You can hit me up on LinkedIn or Twitter under Matthew ABQ, and before we start, the whole, to start off my talks, because this, this talk today is really about automation and enablement.

But first of all, let's talk a little bit about the need for security. They say software is eating the world, and I say the exocomps is also eating the world. But unfortunately there are, you hear in the paper, attacks occurring every week; we'll get to a few of those here in a little bit. Let's talk a little bit about DevOps and cloud, so almost every enterprise is either using...
Let's talk a little, focus a little bit on how, and cloud native. Anyone here not know what cloud native is? Raise your hand, don't be embarrassed. Okay, we all know what cloud native is, kind of. What we've been talking about of cloud native in some ways makes security harder. There are many layers of abstraction. If you look at traditional security tools that try to secure your hosts, a lot of those vendors like Symantec and others are going to say we can secure containers because everything goes eventually to the host. The problem with that is one container...
Controversial, honey, think about this: when you deploy an application and there's a bug in the application, who's primarily at fault? The developer that put in the bug. If there's a security flaw in the application, let's say in a component, who was primarily responsible for that? The developer, he chose that component. Security could come and say: hey, that's got a vulnerability, but who's going to change out the component?
Entire pipeline, you can sort containers if you're in a... the best practice around containers is going to microservices. If you have a microservices architecture, that means a container does one and only one thing, or maybe two things at most. Your web container is separate from your database container, separate from your ingress, separate from your monitoring container, so microservices really allow us to say this container is allowed to do just this and nothing else.
So if you can build a security customized per container, you can have the best kind of security, and one way to do that is with a behavior model, and basically you can model each container. The web container accepts inbound requests. If all of a sudden the web container is making outbound requests to Russia or China, you probably...
Okay, so with the right approach, this one is more secure. That's kind of what we're going to go into today. DevSecOps is the Calgary, so I'm going to be talking about DevSecOps, how to put security into your DevOps pipeline. I'm going to actually show, and then we're going to have a quiz. So yeah, I'll have your copy. By the way, I take off my jacket, I hope I didn't lose my credibility, but I'm wearing it.
Well, absolutely, the scrum master is the one that kind of orchestrates the ball, right, but we're all responsible. There is no DevSecOps person. DevSecOps is a collaboration between teams, concepts and processes and tools. Now this is my definition of DevSecOps, and I add "increases collaboration". This is DevOps, like, awesome. By the way, this is, for me, I think, their definition of DevOps, and "increases collaboration between security".
I don't know, anyone here heard of Clifford Stoll? Anybody? I heard Clifford talk in Chicago; look up Clifford Stoll. He is one of the first people to uncover an international cyber attack team from Germany. He was a system administrator at Berkeley back in the 60s and he's the first one to deploy a honeypot, and he was noticing attacks on Holly's servers in other places, and what he did is he worked with the FBI and he uncovered this, the first really large cyber attack team in Germany that was discovered in the West.
But what else does it need to be? One of the keys, besides efficient and fast: the quality, and secure? Thank you. Thank you. Okay. So how do we get that across our entire pipeline? After the automated checks with feedback are really important, and it must include visibility, automation and intervention. I'm a big believer in prevention. There are a lot of security tools out there that will tell you when they think your cluster or your application workloads are under attack, but that's the barn door, the horse story.
A lot of people develop with Git and GitHub; there's other products out there. Build: you mentioned Jenkins, there's tons of others. Share: some kind of registry. For Kubernetes, deployment stage. You can stage, actually include names and deploying to Kubernetes, so that's kind of what our room looks like, so how do we add those security checks, and what kind of security checks?
First of all, you should scan your source code for security and quality, oh, and in the developer. If they're working on custom containers, they should scan their container. They should scan their base image before they write a single line of code, and then once they have a good base image, as they bring in their app and put it inside the container, that app in the source code and in the packages could have vulnerabilities. So the shift left is the developer doing tests on his or her desktop, or securing it. Now.
So a container is a virtualization. Everything eventually occurs on the host. I've thrown this out, I've done demos and evaluations for years in this area. At one time... I've been with Twistlock for three and a half years, and now it's how that works. So, basically, everything that could go on inside a container is either a process runs, it does filesystem activity, it does...

Network activity, inbound or outbound: opens up a port as a listener or does an outbound connection, or it does a system call. That's everything that could go on inside of a container, really; there's nothing else that could happen, and so that's where you model the activities. You want a model: what folders are being written to, what network activity is occurring, what processes are being called, and when it's folder, what process updated what folder? It's not, it's not... it has to be a little sophisticated.
Docker allows you to say this folder's writable and this folder is read-only, but what it doesn't allow you to do is say our database server writes to our database folder and no other process. If it's a MongoDB, the MongoDB process writes to the DB folder, no other process, but with Docker you can't lock it down enough, but with the right tools you can. You need to do it on the container. Can you do it on container? Because you need the smarts to know.
So it has to be perfect in there for the other apps running on different hosts, priority has to be per... We're building out the network pool prison cow, we build out a model and store it in the platform. So, and then we monitor when it launches a container in production. We monitor the activities at the container's point, compared against the model, and you can either alert or block activity not in the model. So it's about, it's about preventing suspicious activity from occurring, for learning; again, I'm a big believer in prevention.
Container looking for things like SQL injection, cross-site request forgery. Anybody know where to layer 3 or layer 4 firewall? All this here same, so layer 3 or 3/4. It's either one of those, is up east-west traffic firewall. So your traffic in between your containerized workloads, do you want to lock that down as well? So if you're, if you are, let's say your web container talks to your database container, allow that connection, but don't allow anyone else, either on the host or they'll connect here.
Why do you think you might need security analysis? You know that, anybody? It is one of the quiz questions, certainly give away anybody's employment application. Let's say a man held about the Equifax breach: they deployed an application which had Struts in it, and when they got hit, 143 million consumer records were lost or compromised. They should say, what was their excuse? Hey, when we deployed it there was no vulnerability in Struts, and then what did the Apache Struts people do? They come back and say...
They fixed it, they publicized the fix, and Equifax just ignored it, right. So who is really, who's at fault? Is that, know, when you deploy? You might be pleased, hey, tomorrow you couldn't have a high level of vulnerability, a Docker one where they give you root access on your hosts. The Struts one allowed them to deploy a script of their own making inside the environment. That bypasses all their endpoint protection, so endpoint protection is not sufficient. That's why we, that's why you need all the pieces. Look. Let's.
A demo application, so I found a Node.js two-tier or multi-tier application. Welcome came a little sample. Applications are already interested and what.
Anybody know what compliance is in the Kubernetes world? Dr. Lu, okay, right, and just so you know, to expand on that, there's actually organizations that publish these for Kubernetes, for Docker, for hosts, so one is the Center for Internet Security, CIS, so they have CIS Docker standards, Kubernetes standards, this, there's another one, there's PCI, there's HIPAA, GDPR.
So there's all these organizations, and most enterprises, unfortunately, actually either have their own, like you said, or they're required, mandated, to be compliant to one of these standards. It's published. Wow. That being said, I'm not big on Big Brother. What we have to realize is those compliance checks are security checks. You have to remember them: when they say do not run your application container as privileged, the reason: that's a big no-no.
Let's leave the slides here.
Insecure might be at lots of security if you're insecure, so I'm going to do a non-secure build and share, and I'm going to use those thresholds that we've got from security, so high for vulnerabilities and critical for compliance checks. Okay, so I have a Dockerfile here in local, I'm building from it, I'll show you that in a little bit, so I'm building my Docker image, and then it's actually two images.
So this has got a webserver container based on NPM, though jeguk, and then it has a Mongo database server, so I've actually built both of them and it asked me if I want to push them through the registry. Now, since right now I'm doing it in the non-secure way, screw security, I don't care about security, I'm going to push it to the registry. So now I push that to the registry.
Now this is my deploy box, and what I can do is show you that all it does is take these YAML files for this application and it deploys them into the clusters. So if students are done pushing, I'm going to deploy that in the cluster, but before I do that I'm going to show, they take on the role of security and tell you what I've done in terms of protecting, putting a security gate at the point. So what I did is I actually...
So, let's try that deploy again with that disabled, okay. So what this is doing is, those images I just built that pushed to the registry, my YAML file is pointing to that registry, pulling them, and then deploying my app into my Kubernetes cluster. I have a replica block, so I don't really have much of a cluster, but it is a Cheeto cluster. So it's kind of small right now, but while it's doing that, I can tell you, preview: it's going to fail.
Yeah, yeah, I turned off the network alerts. Oh, here, here again, yeah. No, it's good, I disabled that global protect, okay. So before we go over, waiting for that, we pushed those images to the registry, and those images start with Matthew, maybe cute. So let's take a preview. Let's assume that that deploy fails and I want to know why it fails.
Yeah, so the vulnerabilities that you were seeing on that screen were for all the images in that registry, so what I've done is pointed our product to continuously monitor and scan any images pushed to our registry. So that's another security gate, where your images... your registries, your storehouse, you can, because it's your shelf of components, which are images, etc. Now you want to make sure you have quality components. So it's good to monitor your registry. When you push it to the registry, it could be clean, but look, it happened to one.
Yeah, so this time both images, it's telling me it fails secure before sharing with others, so we actually at the developer desktop, not have visibility into the security console working now. Typically, what you want to do is kind of look at those vulnerabilities and work on the fix. I'm going to quickly see if I can bring that up.
Yes, in compliance trips, right, right, so this will scan a Docker image, find all of the OS utilities, all of the components in it, every binary in the image, fingerprint, and then tell you what vulnerabilities you have and, most importantly, what's the remediation. You.
The other image has five vulnerabilities, what, two critical, and actually more critical, because this component Kuro actually has four vulnerabilities; even though it has multiple vulnerabilities, they're all fixed in the same... See that quite a bit: there's multiple vulnerabilities, they typically fix them at the same time. So again we have the remediation. So with this information, with our developer hat, with this information we can now do a fix of security, and I'll show you, like, obviously I pre-did this.
Okay, so what I'm actually doing there is installing the latest version of that module, EVP JavaScript, because I noticed the latest versions were way beyond the fixed version, so I actually installed the latest version, and yeah, for MongoDB I was using Bitnami MongoDB, which is not enough for one; instead I'm using, which is the approved version, and I'm doing apt updates.
Yeah, yeah, I checked it before I used it, that's right, I said: look, this Bitnami one's insecure. Let's try the most popular official Mongo release. I pulled that down, my scan said it looks clean. So I put it in my Dockerfile. You're exactly right, so I fixed all the security issues. Now I'll try the secure build and share, and let's see what happens. You.
Anybody know what happens to your container if you have a Dockerfile that doesn't have a non-root user created? What happens when you run this group? What do they say, earning about? One is root. Somebody else, don't do it. Why? Why don't do, yeah? It's really very specific, see, what a lot of developers do is they don't create a non-root user in their Dockerfile, but they run, I say, the main, main daemon has done, and they think they're good; they're not a default non-root user, but they run their container.
They're now running that process as root. The problem with that is, going back to the Equifax breach, it enabled someone to run a script inside a container, for there's other ones that were they running without shell inside. If they launch a script inside your container as root, what is that script? It's root, so you always want to create a non-root user, even if you launch a container as non-root, very poor, okay. So we have this non-root user compliance issue, and if you look up here, you can see that, what did I do.
So let's push those to the registry and then we'll, remember, make sure that we turn that down already, we'll deploy as soon as these images hit the registry. I'm using the same name for the images for the insecure and secure as well; you have to wait till they get pushed to the registry. I wanted to do that on purpose, as that's typical for a production environment, right: you're making a whole bunch of versions and you're deploying, you don't want to change the name. You always have the latest for our pride.
It's an excellent question, so yeah, I remember that, those, that this is definitely one of them, right, security said you have to, under hasn't provided, so what you do basically is you use a product that has an option to say fail the scan if there's a certain threshold, unless what, unless there's no fix? So we have that capability. So in you, and it's basically what security wants: awareness into those, they need to get those ones. Typically, those, I have to say, the honest, the majority of those are low to medium.
There are a few high and critical, or was it critical, are typically clearly you, so it picks its forthcoming, but for the highly critical, of security West, but look at those and assess through this and then give it a green light on the desktop's environment. The best you can do is say, don't allow deployment if there's a critical vulnerability and there's a fix; that's the best you can do, clear automated, eh. If you want to get better security than the automated check, then you have to have security architects review.
Ubuntu's like, for example, blue, I've been scanning Ubuntu images for like seven, eight years, and post Google, etc., who does, notorious for leaking low and medium of all those forever but fixing, I encrypt? So if you look at a host, a lot of yellow and orange, hardly ever see critical. To me, that's not bad. What bothers me is when there's high, critical vulnerabilities that they don't fix, like four years ago, months now.
You want to know that out front, before you invest, that left you're going to have to vet those images, and if there's critical and high, where threshold security gives you, and there's no fix, you're going to have to communicate with them and then okay, or you something else, alright, so you want to shift left for that. We, okay, so we got our deployment.
And you can color by vulnerabilities or compliance, and you can click on it and see the vulnerabilities, so security in production, it can put in the security gate to block insecure ones, but also, vulnerabilities occur every day, so things go critical any day, and you want, what is important besides having the visibility, but a new vulnerability occurs, you want the visibility. What's the other thing that's more important than the UI visibility?
Yeah, there we go, so here is our tank Ballarat vulnerabilities, it's all green; let's color by compliance, now it's red. Let's see what it is: not a user in the image. So if you notice, my gate on deployment was critical for compliance, so this got the point. Okay, I did that on purpose, because fixing this is actually quite challenging, because I tried to create a user in the base image support, so I have to go back and get that version of Dockerfile base image.
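As an added example, written for this page and not code from the talk or from any Palo Alto Networks / Twistlock product: a small Python deploy gate that applies the thresholds the speaker uses (high for vulnerabilities, critical for compliance), the "fail unless there's no fix" option he mentions, and a compliance check that a Dockerfile switches to a non-root USER. The scan findings, package names and Dockerfiles below are constructed sample data, not real scanner output.

```python
"""Constructed CI/CD security gate: block a deploy when scan findings meet the
thresholds from the talk (HIGH+ vulnerabilities, CRITICAL+ compliance), with an
option to let unfixed vulnerabilities through, plus a non-root USER check."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    kind: str                       # "vulnerability" or "compliance"
    severity: str                   # low / medium / high / critical
    title: str
    fixed_in: Optional[str] = None  # None when no vendor fix exists yet


def dockerfile_compliance(dockerfile: str) -> List[Finding]:
    """Constructed compliance check: the effective user is the last USER
    instruction; no USER, or USER root/0, is the 'non-root user' failure
    the talk ends on (the image would run its process as root)."""
    user = "root"
    for line in dockerfile.splitlines():
        parts = line.strip().split()
        if len(parts) > 1 and parts[0].upper() == "USER":
            user = parts[1]
    if user in ("root", "0"):
        return [Finding("compliance", "critical", "image runs as root (no non-root USER)")]
    return []


def gate(findings: List[Finding], vuln_threshold: str = "high",
         compliance_threshold: str = "critical",
         ignore_unfixed: bool = False) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). A finding blocks when it reaches the threshold
    for its kind; with ignore_unfixed=True, vulnerabilities that have no fix
    are reported by the scanner but do not block (the 'unless there's no fix' option)."""
    reasons = []
    for f in findings:
        limit = vuln_threshold if f.kind == "vulnerability" else compliance_threshold
        if SEVERITY[f.severity] < SEVERITY[limit]:
            continue
        if f.kind == "vulnerability" and f.fixed_in is None and ignore_unfixed:
            continue
        fix = f"fix: {f.fixed_in}" if f.fixed_in else "no fix available"
        reasons.append(f"{f.kind} {f.severity}: {f.title} ({fix})")
    return (not reasons, reasons)


# Constructed sample findings for one image: a fixable critical, an unfixed high, a low.
SAMPLE_FINDINGS = [
    Finding("vulnerability", "critical", "hypothetical-pkg 1.0.0", fixed_in="1.0.4"),
    Finding("vulnerability", "high", "hypothetical-lib 2.3.0"),
    Finding("vulnerability", "low", "hypothetical-util 0.9"),
]
# Constructed Dockerfiles: the insecure one never switches away from root.
INSECURE_DOCKERFILE = 'FROM node:12\nCOPY . /app\nCMD ["node", "app.js"]\n'
SECURE_DOCKERFILE = INSECURE_DOCKERFILE.replace("CMD", "RUN adduser -D app\nUSER app\nCMD")

if __name__ == "__main__":
    ok, why = gate(SAMPLE_FINDINGS + dockerfile_compliance(INSECURE_DOCKERFILE))
    print("deploy allowed" if ok else "deploy blocked:\n  " + "\n  ".join(why))
```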