From YouTube: Commit Virtual 2020: Cloud Native Security Processes and Tools To Protect Modern Applications
Description
Speakers: Jonathan Schreiber, Ram Kailasanathan, Rand Waldron
Cloud-Native development with containers and serverless functions are being deployed at an increasing pace. This shift to cloud-native development puts more responsibility on developers to secure their applications and development toolchain. In this session, we will discuss how, where and when to apply a security-centric approach to application development. We will cover the security best practices followed within Oracle Cloud Infrastructure (OCI) as a case-study.
Get in touch with Sales: http://bit.ly/2IygR7z
A
Is your agency or organization thinking of moving to Oracle Cloud, but you need to know more about how Oracle views cloud native security? Then this session is for you. Ram Kailasanathan, Senior Director of Product Management with Oracle Cloud, and Jonathan Schreiber, Product Manager, will share everything you need to know about DevSecOps in Oracle Cloud.

B
Hi everybody, my name is Rand Waldron. I'm the Vice President for the Global Government Sector here at Oracle Cloud Infrastructure, and I've spent my whole life building systems and developing tools for missions and for customers.

C
And I really couldn't be happier to talk to all of you about how we can do exactly that for your customers.

B
This is a safe harbor clause. This tells you that all the things I'm going to say, I'm going to say, but they may not apply to your particular situation, so, you know, take that under advisement. We are sponsors here at the Commit conference, and we're sponsors here because we build tools. We build systems just like all of you guys do, and we want to make sure that you know that, and that we are here for you as you take on your next challenge.

I know that after I speak, we're gonna have Ram come in and talk deep about our container tools, the Oracle Container Engine. Jonathan's gonna come on and do a demo about Kubernetes and Grafeas, on how we bring all that together.

I'm going to talk at the very end about some of our specialized solutions for some of the audience out there, and then, of course, we're going to be available for questions. Take any of that at the end, and I think there will be live questions even right now. So with that, I'm going to dive in. The first thing I want to tell everybody is that the Oracle Cloud, the Oracle Cloud Infrastructure, is real.

There are a lot of people out there that sometimes don't even know or forget that we have a real, huge, hyperscale cloud all over the world, designed to serve the exact kind of solutions that you guys build. We've got 26 regions live right now; we're building another 12 in the next year, which is frankly crazy. This is a global presence like few other cloud providers have. It's also really important to say that, although we're Oracle Cloud, we don't just do Oracle things.

We have all the Oracle stuff you know and love, so we have the Oracle Database. We have amazing analytics if you want to bring data together, smash that data and figure out what it all means. There really is no better cloud, but we have everything else too. We have a massive set of tools that are cloud native, container native, that are developer focused, focused on the DevOps problem. These tools are out there in other cloud providers, but they're here with us too, and there's reasons to choose us over them.

We have better performance, we have low and predictable pricing, we have expertise at the enterprise. We are truly security first, and in a really deep way that gets missed a lot. We are deeply invested in the open environment. So first I'll hit superior performance. We are based, from the foundational level, on bare metal compute. This gives us an ability to give performance to your applications that is faster than you can get essentially anywhere else. That's because we are not necessarily running VMs or any code on the machines that we provide to you.

That means, as you put your own virtualization layers over it, whether it be our container engines, whether it be your container engines or somebody else's, you have the highest performance, because that virtualization is running right on the bare metal. We also have the fastest networking. We have layer two networking in the cloud, which is essentially impossible. Nobody else has it, but we do, and this means that your application can talk to itself faster and can drive better performance.

Our economics are just unbeatable, and we aren't cheaper by 10 or 20 percent. In many cases we're cheaper by 50, 60, 90. I won't go into the details of this here, but it is absolutely worth checking out. Look at your workload. Go to our cost comparison site. If you're running a workload that can run in our cloud and it can run in one of our competitors' clouds, check out our cost comparison.

It's going to be radically cheaper in Oracle Cloud. We're going to talk more about this later, but we really took an entirely new approach to security, and so we built zero trust in from the very beginning. All of our virtualization is off the box. We cannot see your customer data. We cannot see into any of the things you're running on our box. You have the entire machine, should you want. We also have the VMs, and all of that. We have the security built in to every piece of the tools from the very beginning.

This is really important. Oracle has built some of the most powerful software in the history of modern technology. We have also been a huge proponent and investor in the open architecture world. We are massive participants in CNCF.

We have fully embraced all of the cloud native technologies out there, and so we really have these tools embedded into our applications and into our cloud in a way that is cloud agnostic. You can use our streaming data service, and it isn't just a forked version of Kafka. It is Kafka. You can use our serverless applications, Fn, and you can run them in our cloud, and you can run them on your premises or in somebody else's cloud.

This is just another picture of that, of the tools that we have that are truly cloud native and focused on you, builders, building the tools, using the tools you need to build the applications in the way you want to build them. And the key of all this is you don't have to take my word for it, just try it. We have an absolutely always free tier and we have free trials, and this is not a free tier that's neutered and only gives you a few things. You have a lot of power in this free tier.

D
However, lack of proper isolation is a huge security risk. Privileged containers running as root can be exploited by a malicious user. Containers created from images using open source or third-party software could contain known vulnerabilities. Container sprawl is another key challenge, mainly caused by a combination of limited visibility and the ephemeral and lightweight nature of containers. Agile took us from months to days to deliver software. DevOps took us from months to minutes to deploy software, and we are seeing that more and more applications are becoming mission critical.

It is the need of the hour that we incorporate security across the various aspects of the life cycle, and DevSecOps is essentially the methodology of integrating security tools within the DevOps process in an automated fashion. DevSecOps is not just about tooling; it is also about the people and process aspects of things.

This ultimately leads to a cultural change within the entire organization, essentially becoming upskilled to think and act upon security. This also allows them to collaborate more efficiently and thereby create a security culture. An important element of DevSecOps is the pipeline. Here is one example from GitLab. We have a similar one that we use internally at Oracle.

There are many other examples available from other cloud data vendors as well. It essentially starts with a developer IDE, a source code repository, moving to a CI/CD server, a binary repository for storing your images, container images, a staging/QA environment, production and monitoring environments, and all of this leads to a fairly efficient and highly automated way of producing innovation in software.

But this also provides us with an opportunity to embed security at every stage within this pipeline. Take a look at pre-commit hooks, for example: it avoids leakage of sensitive information, storing credentials in configuration files. Within a secret vault, a secure and secret vault, all of your secrets encrypted is highly efficient from a security standpoint. Every piece of code is tested upon commit, and so now, as part of your security code review, you can look for SQL injection, cross-site scripting, using automated tools.

Ultimately, we want to get to a compliance-as-code environment, so everything is automated and streamlined. Shifting gears, I want to focus my next part on best practices that we follow within our team, and also what recommendations we particularly offer to several public sector and government cloud customers.

Let's first take a look at what is cloud native at Oracle. This is an overview of the various cloud native developer services that we offer within Oracle Cloud. It covers key services within the adopt category, including console and marketplace, to the build tools, including API design and Cloud Shell, infrastructure as code that we offer through our Resource Manager service, to deploy tools, including Kubernetes and serverless, to the operate tools, including monitoring and logging. I'm taking OKE as an example, but this applies to all the services that we build within the Oracle Cloud native organization.

We deliver tools and services that are complete, integrated and based on open source. The key is open source. We actively participate in community-driven open source container technologies. We invest in and leverage open source technologies as the fundamental basis for portability. OKE offers an enterprise-grade and developer-friendly container orchestration service based on Kubernetes.

It is fully managed and integrated with a private registry, and available in all Oracle Cloud commercial regions. All of this leads to reduced time to value and faster time to market, since, as a developer, you don't have to worry about infrastructure or container orchestration or the application availability. All of these come built in. The OKE team follows the following best practices. We keep up with the community and support the latest released version of Kubernetes. Always apply the least privileged security controls for cluster access. Apply very strong network policies to ensure the highest levels of security.

Encrypt and safeguard our secrets, and leverage audit logs and other observability tools for continuous monitoring and remediation. I want to now talk about some of the security capabilities that OKE offers. It starts with the foundation, which is the infrastructure. Oracle OKE is built on the highly secure second generation Oracle Cloud, as Jonathan earlier mentioned.

This offers the highest levels of infrastructure and data security. Oracle Cloud Infrastructure is fully SOC 1, 2, ISO 27001 compliant. It includes the best of capabilities from a data encryption standpoint: we encrypt data while at rest and offer capabilities to encrypt data in transit, and also take care of key management capabilities as well.

Strong access controls for operator access, coupled with in-depth auditing. Console and API security includes: no matter how you interact with OCI resources, you will have to go through proper authentication and authorization checks. Control plane host security includes a combination of access controls, patching and monitoring tasks. Another key important takeaway for this slide is isolation.

Different isolation boundaries are available based on the different needs that you might have, and you need to pick the one that works best for you. We offer resource isolation at the region level, at the compartment level, at the availability domain level and at the host level. This is a key tenet of our overall security approach.

This essentially includes isolation at pretty much all the varying levels that you can think of. Shifting gears now, talking about security controls. It is extremely important to have a rich set of security controls to choose from, and one size does not fit all. So the key here is to provide a bunch of choices to our customers and let you pick the right options for a given use case.

This includes everything from IAM policies, authorization controls, secure keys, certificates, API gateway for secure API ingress, on-time patching of CVEs, and multi-factor authentication for customers who need that second level of validation. Transitioning to network security. Now again, network security is a foundation for any of the security architectures that we can think of, and particularly more important from a cloud standpoint.

Oracle Cloud provides key capabilities, including security lists, route tables, VCN, subnet network segmentation, VPN support and a whole slew of capabilities for network security. This is the foundation. On top of it, OKE offers several cloud native security capabilities. It supports the concept of service mesh to run on top of OKE.

You know, it could be Istio or any third-party service mesh offering. OKE also supports networking tools such as Calico. Public sector and government cloud customers who leverage OKE can now take advantage of private worker nodes with no public IPs; basically, it is the ability to limit the network traffic. On top of it, customers can also take advantage of pod security policies, private load balancers and web application firewall, pretty much covering the entire gamut of use cases that we can think of.

The last set of categories include data security, visibility and audit. Encryption, TLS-enabled interactions, in-transit and at-rest encryption of container images in the OCIR registry service are an important set of tools within the data security category that we offer. It is equally important to offer observability tools, particularly around monitoring, audit logging and several other popular add-ons that we hear from our customers, to essentially cover other day-to-day end use cases within Oracle Cloud.

Our compliance thinking starts from day one, and there is strong emphasis to support compliance certifications across both commercial and public sector aspects of things, and so we have everything from FedRAMP certification to G-Cloud certification. Our approach to OCI data center design, as well as to DevSecOps, helps us approach compliance in a unified way for each regulation and framework. Passing it to Jonathan.

E
Thanks Ram, hi. So if we think about a CI/CD pipeline and automating deployment, often customers want to be able to ensure that their governance requirements are met in their pipeline, and those checks are often manual then. So one piece that we want to show today is how we can automate delivery using a system to validate the artifacts before they're deployed to Kubernetes, and we're going to do that using the Grafeas metadata API. So this is an open source project that we're going to integrate in with the API, with OKE, in our demo.

So what we're going to show is just a sample deployment going to our OKE cluster, and we're going to use Grafeas to record a note. So Grafeas works in which there are types of metadata that are notes, and then instances of that metadata, occurrences, and we're going to enable an admission controller webhook to OKE. So this is part of the security surface that Kubernetes provides, where we can validate based on our own sort of logic.

So here I've opened up Cloud Shell, so Cloud Shell is in the OCI console. So here we are, and I'm gonna use this to run commands with our OKE cluster. So, first of all, let me just show you that I'm running Grafeas locally in my cluster. This could be run sort of in your cluster or another location, and I've already set up the signature webhook that's going to validate our deployment.

So the first thing I want to show is just that we set this up, so we can't just deploy any container. The container image needs to be verified before it's allowed, so I've got a sample deployment here of MySQL.

So this is just going to deploy the MySQL image's specific tag, specific version 812, into our cluster.

So you can see here: no matching signatures for the container image. So that's part of our validation; it's the negative case where it's not allowing the container image to be pulled if there's not a signature that matches. The signature is, we're going to sign the hash using GPG. So that's going to be our unique signature that's going to be checked by the admission controller. So let's go sign this and then push that to our trigger. That's the metadata.

Okay, so we're gonna make the occurrence for this specific container image tag.

Great, so now we have an occurrence, and so now that the signature exists, we should be able to deploy MySQL.

Nope, can't deploy no sequel, because there's no signature that matches. So there we go. So we showed, using the Grafeas open source project metadata API, how we can automate the artifact verification for container images that are going to our OKE cluster. All right, thanks.

B
Hi everybody, I'm back to talk about some of our specialized capabilities in the Oracle Cloud for the government and public sector. So we have 29 regions all around the world that we have built for customers of all sorts, but in the United States we have built, we are building, nine regions for the US government. Five of them are already built and live. They have FedRAMP High accreditation and they have the IL-5 accreditation, and we're building right now four regions for the U.S. government, at IL6 secret and at top secret. Two of those regions, at secret and top secret, are coming live right now; they're actually in accreditation and they're getting on the US government's classified networks right now. It's really important to understand the way we've approached this, because it is different from some of our competitors.

We have completely physical separation between each of these. We call them realms, which are collections of regions, so our IL5 US DoD realm, which serves the Department of Defense, the national security community, at the highest level of unclassified security, is completely physically separated from our realm designed to serve the rest of the US government at FedRAMP High. That physical separation is a really big deal, and a complete isolation from other tenants that you may not want next to you. The same thing is obviously the case at secret and top secret.

Our secret realm is on the US government's large secret network, as is our top secret realm, and the two are completely isolated from the internet and from each other. That may not mean a lot to a lot of you, but those secret and top secret regions, we call the national security regions, Oracle National Security Regions, is a really big deal. So these are facilities that are hardened to government requirements and have isolation from radio signals, specific power supplies, all that. They are connected to the US government's top secret and secret networks and completely isolated from the internet by air gap. They're operated solely by TS/SCI cleared personnel from within a SCIF, which gives them the highest level of security and, really importantly, because again it's a differentiator from how we are approaching this, we have a strategy called "everything everywhere". That means that a service cannot go GA, generally available, in our commercial regions until it has a path into our government and national security regions.

What that means, net effect for you, is that all of our services are available in our gov regions and available in our secret and top secret regions, and that is a huge differentiator. And finally, as I've talked about, we meet the highest standards of compliance: FedRAMP High, IL5, and we're working on our accreditation for IL-6 and top secret, which can meet the tightest SAP and SAR requirements. I'll just close out on one last recap of why it's worth at least trying out the Oracle Cloud.

We have bare metal and networking that make migration easy, and you first like you can't get anywhere else. We have vendor agnostic cloud native technology that allows you to build in a very cloud-native way, but also move those workloads in and out of the Oracle Cloud, and we are priced for scale. We know that the customers that are going to come to us are going to come to us with applications of scale, and we've made that affordable. We've made that make sense versus staying on premise and versus our competitors out there.

We have all the key resources, compute, networking, block store; they are faster, they are cheaper and we have better SLAs than our competitors on top of all of them. We have the cloud native technologies like you've just been hearing about from Grafeas and Kubernetes and serverless functions, and all of those tools that you.

I'll close out there. I know that there's some questions, some Q&A time after this presentation. We also have a virtual booth and we have a ton of resources to feed you as you want to explore this, but the best way to explore is to just try it. It literally costs you nothing. Take a few minutes, check out the always free tier, check out our services, you'll be impressed. Thank.