►
Description
In this monthly series, learn how Red Hat weaves together DevOps and Security to master the force called DevSecOps. This show brings you Red Hat products and our security ecosystem partners to aid in your journey. September is Runtime Analysis month! In this episode, we’ll take DevSecOps beyond the CI/CD pipelines that are such a popular topic and focus on the SecOps side of delivery and design principles. We’ll discuss SecOps practices and how they can be used as part of the operational monitoring of establishing a DevSecOps program. Bring your lightsaber and be prepared to train hard... may the DevSecOps be with you!
A
A
B
C
It's
going
awesome
another
great
day
down
here,
you
know
in
tampa
bay
and
that's
right.
We,
I
think
we
have
a
really
good
show
this
month
and
yeah
jamie's,
not
only
gonna
break
stuff,
he's
going
to
hack
some
stuff
we're
going
to
we're
going
to
actually
hack
some
kubernetes
today,
which
will
be
very
cool
yes
before
I
do
that.
I
just
want
to
let
the
audience
know.
Some
of
you
already
know.
This
is
part
of
the
monthly
security
series
called
devsec.
Ops
is
the
way
we've
broken
each
month
into
different
security
categories.
C
This
is
actually,
according
to
a
framework.
Red
hat
has
developed
around
devops
and
security
and
what
how
to
make
sense
of
all
the
different
security
categories
and
methods
out
there,
we've
actually
got
34
different,
distinct
functions,
underneath
some
of
these
categories
that
we
detail,
but
this
all
consists
of
a
lot
of
publications
during
each
month.
So
this
is
one
of
two
red
hat
live
streaming
shows
we
publish
at
most
three
podcasts
per
month.
C
C
D
C
B
D
So
one
of
the
things
we
saw
really
early
on
was
that
kubernetes
very
holistically
allowed
you
to
have
the
context
in
order
to
make
more
informed
risk
management
decisions,
and
we've
tried
over
the
last
few
years
to
put
that
context
together
in
order
to
enable
security
teams.
So
our
team
came
over
with
the
acquisition
and
I'm
product
manager
for
that
team.
C
Very
cool,
yeah
stackrocks
was
actually
one
of
the
partners
that
I
dealt
with
before
the
acquisition.
So
it
was
interesting
to
see
guys
all
come
over
as
a
great
acquisition
really
helps
to.
You
know
add
that
what
we
call
red
hat,
the
layered
approach
to
container
security
or
defense
and
depth,
of
course,
acs
as
it's
now
called
advanced
cluster
security.
There's
a
lot
of
things
this
month,
we're
going
to
talk
specifically
about
runtime
security
and
in
the
show,
we'll
we'll
look
at
actually
how
to
hack
a
running
kubernetes
cluster.
C
D
C
D
C
Yeah,
it's
almost
like
you,
don't
know
what
you
don't
know
right,
so
attackers
can
exploit
all
sorts
of
ways
that
you
don't
account
for
which
is
pretty
interesting
so
before
we
get
to
before
we
get
to
the
demo.
What
were
we
we
were
talking
earlier
about
the
mitre
attack
framework?
Can
you
can
you
comment
on
that
like?
What
is
that?
Are
there
different
revisions?
Is
that
helpful
for
understanding
attack
factors.
D
D
So,
ultimately,
we
see
these
tactics
and
techniques
be
used
in
order
to
map
defensive
strategies
and
prioritize
where
people
are
trying
to
target
their
instant
response
procedures.
So,
for
instance,
something
that
is
initial
access
might
be
a
lower
priority
than
something
that
is
an
indicator
of
privilege
escalation.
D
So
this
is
an
industry
framework
which
we
see
people
using
in
order
to
map
defensive
strategies,
but
there's
also
ones
that,
in
my
opinion,
are
a
little
bit
more
mature.
So,
for
instance,
the
microsoft
threat
matrix
for
kubernetes
also
has
a
very
similar
mapping.
That's
more
kubernetes
specific!
So
really
there
are
many
industry
standards
and
they
help
users
to
understand
and
prioritize
where
their
gap
analysis
is
and
their
instant
response
procedures.
C
C
D
Yeah,
so
in
terms
of
so
we
don't
actually
get
that
information
from
our
customers,
because
we
do
sell
this
commercial,
the
commercial
off-the-shelf
software.
So
I'm
going
to
speak
to
what
I've
seen
in
things
like
hacker
news,
for
instance,
and
usually
what
we
see
in
hacker
news
and
the
attacks
that
are
reportedly
wild
are
mostly
financially
incentive,
so
crypto
mining,
for
instance.
D
We
all
know
that
bitcoin
and
ethereum
have
gone
exponentially
into
a
curve
at
this
point,
and
we
also
know
that
most
attacks
are
from
not
from
complicated
things,
they're
actually
from
gross
misconfigurations
right
so,
for
instance,
an
unauthenticated
kubernetes
api
endpoint.
Well
by
default,
most
cloud
providers-
openshift
they're
gonna,
have
an
authentication
mechanism
that
prevents
that.
But
if
you're
rolling
your
own
kubernetes,
then
it's
really
low-hanging
route
to
just
start
scanning
the
internet
reports
and
trying
to
authenticate
and
then
stealing
all
of
those
resources
and
doing
what
you
want
with
them.
D
C
D
Yeah
I
mean
ultimately,
we
do
see
that
the
the
basics
of
hardening
and
using
compliance
benchmarks,
like
the
cis
benchmarks,
are
really
effective
methods
to
compete
with
attackers
trying
to
exploit
basic
misconfigurations.
So
like.
Ultimately,
I
think
you'll
realize
that
a
lot
of
attacks
are
script.
Kitties,
an
advanced
nation-state
attacker
is
going
to
have
a
lot
more
of
a
budget
in
order
to
run
a
dedicated
attack
on
you.
C
D
Sure
so,
first,
I
want
to
show
you
some
examples
of
known,
good
and
known
bad
activity
by
going
through
a
reasonably
realistic
attack
scenario
that
to
preface
this
is
definitely
set
up
in
a
way
that
will
help
me.
But
I
want
to
show
you
places
and
the
steps
that
an
attacker
would
go
through
in
order
to
identify
bad
known
bad
attack
vectors
so
that
you
can
get
a
better
idea
to
understand
how
to
approach
runtime
analysis.
D
C
D
C
A
D
D
So
up
here
we
see
visa
processor,
backend
atlas
and
mastercard,
processor,
mastercard,
processor
and
visa
processor
and
both
in
the
payment
name
space.
So
it's
reasonable
to
assume
hey.
Maybe
they
potentially
contain
credit
card
information,
so
I'm
going
to
click
on
master
card
processor
and
get
some
identification
of
what
the
risk
indicators
are
and
why
people
are
saying
this
is
the
riskiest
in
my
environment.
D
D
So
I
want
to
look
at
this
a
little
bit
more
because
cad
and
ls
don't
really
tell
me
much.
It
really
just
tells
me,
maybe
someone's
troubleshooting
something
so
I
click
on
cat
and
I
can
see
they're
counting
the
file,
var
lib
processor
card
data,
and
now
this
is
beginning
to
concern
me
so
rather
than
unders
and
it
looks
like
the
ls
was
really
just
to
understand
what
was
in
a
processor.
D
So
let's
look
a
bit
more
about
what's
happening.
I
can
see
you
name
is
a
standard
they're,
not
running
arguments.
There's
a
java
process
running
looks
like
this
is
tomcat,
so
maybe
they're
exploiting
a
tomcat
vulnerability.
I'm
not
sure
how
someone
could
have
gotten
in
this
or
if
someone
just
looked
at
that,
then
I
look
at
carl,
and
what
I
see
here
is
that
someone
is
posting
the
card
data
that
was
just
catted
to
innocent.site.web.
D
So
obviously,
that's
an
innocent
site
and
I'm
going
to
completely
overlook
that
for
now,
because
it
says
it's
innocent
right,
I'm
I'm
going
to
go
to
a
visa
processor
now
and
basically
do
the
same
thing,
and
this
is
a
lot
more
representative
of
an
attack
that
you
would
see
because
you
can
see.
People
are
accessing
the
entry
point.
Rm
is
standard,
sh
and
sleep
are
standard.
D
D
So,
ultimately,
these
are
the
types
of
things
that
we
can
start
to
look
for
in
terms
of
deviations
from
known
good
activity.
While
these
are
more
drastic
examples,
you
can
get
the
value
proposition
of
I
understand
what
my
container
should
be
running.
Containers
are
ephemeral
and
if
my
container
does
not
standardly
run
this
process-
and
I
have
not
pardoned
it
in
order
to
remove
processes
that
are
not
standardly
run,
then
this
is
my
best
option,
and
this
is
some
of
the
value.
D
So
that's
just
an
example,
but
now
I
want
to
talk
about
known
bad
because
that's
way
more
interesting,
so
I'm
going
to
move
this
and
move
over
to
our
our
shell
shock
site.
So,
if
you're
not
familiar
with
shell
shock,
shell
shock
was
a
remote
code,
execution
vulnerability,
I
believe
back
in
2014
and
it
allowed
users
to
effectively
input
trailing
commands
to
as
part
of
environment
variables,
so
it
impacted
a
large
portion
of
the
internet,
ranging
from
ssh
to
apache
for
instance.
D
So
what
we're
going
to
do
is
we're
going
to
put
exploit
apache,
so
I
want
to
show
you
just
how
to
do
that
here.
So
what
I'm
doing
here
is
apache,
so
this
exploit
is
about
running
trailing
commands
when
you
use
environment
variables,
so
apache
is
using
the
user
agent
header
here
that
I'm
defining
and
it's
inputting
that
as
an
environment
variable.
D
So
I
can
see
here.
I've
got
the
command
that
I've
tried
to
do,
I'm
just
running
pwnage
as
a
test,
and
I
can
I
know
what
I
can
do
now.
So
I
want
to
see
now
that
I
know
I
can
exploit
this.
I
want
to
see
what
permissions
I
have
so
I
want
to
see
who
I
am
so.
This
is
disappointing
to
me
because
I'm
running
as
www
data,
which
ultimately
means
there's
a
default
configuration
within
apache.
D
So
what
saddens
me
is.
I
now
know
that
I
won't
be
able
to
get
root
and
it'll
be
incredibly
more
difficult
for
me
to
exploit
this
container,
which
is
why
users
always
say
don't
run
your
containers
as
root
and
they
also
say
to
harden
it,
because
I've
just
run
two
commands
that
are
likely
anomalous
activity
and
ultimately
this
was
not
caught.
So
if
you're,
looking
at
known
good
behavior
and
looking
for
deviations,
I
should
now
have
linda
lit
up
the
sock
to
help
people.
D
I
look
and
say
who's
who's.
Checking.
Who
am
I
so
now
because
I'm
not
root.
I
want
to
see
what
I
can
get
so
I'm
going
to
check
my
environment
variables
and
I
can
see
here
that
we
have
a
host
we've
identified.
I
can
see
my
present
working
directory,
but
there's
nothing
good
here
so
now
I
want
to
see
what
commands
I
can
actually
run
in
my
environment,
so
I'm
really
just
going
to
run
an
ls
to
bin
to
understand
what
I
have
access
to
so
now.
D
I
have
a
list
of
the
processes
within
the
container
that
I
can
run
and
this
list
is
going
to
form
the
foundation
for
how
I
approach
it,
because
I
have
a
few
methods
of
approaching
this
at
this
point.
I
can
either
try
to
download
tools,
so
I
can
use
a
package
manager.
I
can
use
wget,
for
instance,
but
I
need
to
put
in
the
tools
if
I
do
not
have
the
tools
here,
that
I
need
in
order
to
continue
this
hack,
I'm
screwed.
D
D
D
I
can
reasonably
assume
that,
given
I
can
access
this
in
the
first
place
that
it's
going
to
be
the
default,
so
I
now
have
used
a
remote
code,
execution,
vulnerability
in
a
website.
Initial
access
run
and
executed
multiple
commands
and
used
those
commands
to
get
an
authentication
credential
to
the
api
server.
D
D
So
what
I'm
going
to
do
is
I'm
going
to
exit
this.
I
know
that
we
do
not
have
the
actual
information
in
the
environment
variable,
because
this
was
not
a
root
user
to
link
to
the
kubernetes
api
server.
So
let's
assume
for
a
second
that
I
have
managed
to
get
that
api
server
endpoint
in
a
different
way
and
that
I
would
have
access
to
it.
So
I'm
going
to
export
this
token.
A
D
So
ultimately,
I
don't
want
to
set
off
a
bunch
of
alarms.
So
I
want
to
check
very
slowly
what
level
of
access
that
I'm
given
with
this
account.
So,
ultimately
I
would
go
through.
I
would
do
cube
cuddle.
Can
I
and
I
would
check
hey-
can
I
exacting
the
pods,
because
if
I
can
exec
into
pods,
then
I
can
begin
to
run
commands
within
them
to
try
and
see
if
I
can,
access
data
or
get
other
credentials
or
even
run
a
crypto
miner.
D
D
So,
first
off
I
want
to
go
back
to
that
shell
shock
deployment
that
we
had
so
I'm
going
to
exec
into
that
to
really
show
you
how
I
would
have
done
this
if
we
were
running
as
rich,
so
oc,
exec
chuck
it's
in
the
default
namespace,
so
I'm
not
going
to
put
in
a
namespace
okay.
So
now
I've
exec
into
this
shell
shock
deployment,
I'm
going
to
run.
Who
am
I
okay?
Now
I
am
roo
and
here's
an
important
thing
to
say
now
that
I
am
root.
D
I
have
the
information
directly
here
in
order
to
have
authenticated
to
the
api
server
in
the
first
place,
so
I
know
the
service
host.
I
know
exactly
where
it's
hosted
and
I
know
it's
poor,
so
this
has
given
me
sufficient
information
in
order
to
authenticate
to
the
kubernetes
api
server.
If
I
was
not
running
as
the
www
data
user.
D
D
Okay,
it
looks
like
I'm
failing.
I
am
failing,
because
I
am
unable
to
reach
out
to
places
where
packages
are.
I
see
that
this
is
based
on
a
really
old
container
image,
which
is
also
an
alarming
sign,
and
no
doubt
the
reason
why
it
this
is
vulnerable,
so
I
am
going
to
remove
its
sources
and
update
them
so
that
I
can
actually
download
packages
because
I
do
not
have
the
ability
to
do
a
vi.
D
D
So
what
an
ingress
tool
transfer
is,
is
it's
the
ability
to
download
tools
that
can
then
be
useful
to
me
to
continue
the
attack.
So
there
are
two
types
of
tool
transfers.
I
can
either
do
one
from
a
place
within
the
network
or
I
can
do
it
from
a
place
external
to
the
network.
This
is
an
ingress
tool
transfer
because
it
is
getting
tools
from
an
external
network,
so
I
am
going
to
download
w
getting
curl.
D
D
D
D
D
So,
if
I
look
at
the
shell
shack
deployment
here,
you
can
see.
We've
run
a
crypto
mining
process
now
sure
that
crypto
mining
process
did
not
actually
function.
But
you
can
see
here
that
process
did
not
work
because
it
doesn't
have
the
worker
name
or
the
eth
wallet,
and
you
can
also
see
that
someone's
running
a
crypto
miner
in
my
environment,
with
the
shell
shock
deployment,
which
really
is
alarming.
B
D
C
D
You
can
identify
that
the
package
manager
is
executed,
so
this
is
an
indicator
of
that
ingress
tool.
Transfer,
I'm
port
forwarding,
because
I
don't
want
to
expose
any
of
this
to
the
public
internet,
so
ignore
that
for
now-
and
you
can
see
even
that-
I've
exec
into
this
backdoor
container
so
exec
is
that
means
of
execution
and
monitoring
for
known
bad
activity
like
ingress
tool,
transfers
and
crypto
mining
services
is
what's
really
important
in
this
context.
D
So
I
have
a
few
things
I
can
do,
but
first
I
have
a
privileged
container
here.
So
I'm
going
to
use
this
privileged
container
and
schedule
it
because
I
have
access
to
create
containers
and
because
I
have
access
to
create
the
containers
and
create
pods,
I
can
schedule
a
pod
that
is
purposefully
designed
to
give
me
access
to
the
host,
so
this
is
designed
insecurely
by
me
and
by
the
attacker
in
order
to
facilitate
a
container
escape.
D
D
D
Exactly
actually,
what
I'm
going
to
do
is
I'm
going
to
look
for
the
names
within
the
the
actual
name
space,
I'm
scheduling
in
and
I'm
going
to
try
to
name
it
as
similarly
as
possible.
So
we
showed
the
visa
processor
and
the
master
card
processor
deployments
in
the
payments
name
space,
I'm
going
to
schedule
this
backdoor
pod,
I'm
going
to
call
it
the
amex
processor
and
and
see
if
anyone
notices
that
they
don't
take.
Mx
wow.
D
B
D
D
D
B
A
D
D
So
there's
a
few
things
I
could
have
done
if
I
wanted
to,
I
could
have
initiated
those
policies
that
were
catching
and
alerting
on
the
things
I
was
doing
and
I
could
have
killed
that
pod
right.
So
that's
why,
as
a
devops
program,
it's
really
important
that
you
have
liveliness
and
readiness
probes
so
that
you
can
kill
that
pod
effectively
without
business
impact.
C
Very
cool
and
that
that
whole
thing,
though,
interestingly
right
it
all
started
with
a
vulnerable
pod
right.
So
one
thing
right
that
you
probably
know
hopefully
before
you
even
push
that
into
prod
is
hey.
You've
got
some
vulnerabilities
in
here
that
that
you
should
resolve,
and
so
you
talk
about
devops
devsecops.
C
That
stuff
should
all
always
be
caught.
You
know,
early
on
in
life
cycle
during
builds.
Now,
of
course,
vulnerabilities
happen
all
the
time.
You
know
your
your
image
is
clean
today
it
won't
be
tomorrow.
So
that's
why
it's
good
to
have
what
jamie
was
talking
about
some
sort
of
well,
the
liveliness
probes
and
everything.
So
you
can
kill
a
pod
or
you
have
some
sort
of
remediation
in
place,
so
you
can
take
care
of
that,
because
devops
ultimately
also
speeds
up,
helps
you
to
fix
production
issues
quicker
right.
C
C
D
That's
why
ultimately,
a
security
program
and
a
development
and
application
delivery
program
really
have
to
care
about
informed
risk
management,
because
monitoring
and
just
securing
all
the
things
like
that's
an
anti-pattern
security
is
about
risk
management,
and
there
is
literally
no
point
in
trying
to
ensure
that
your
rules
apply
to
the
least
critical
application
in
your
environment.
That's
locally,
hosted
not
even
externally
exposed
in
any
way
versus
your
visa
processor,
like
you
want
to
monitor
that,
you
want
to
make
sure
that
you
have
your
program,
treats
visa
processor
very
differently
than
cron
job.
B
That
I
mean,
and
in
a
way
like,
I
noticed
acs,
pointed
out
how
old
the
container
was
right
like
to
an
extent
like
uptime,
is
a
bad
metric
nowadays
right,
it's
kind
of
flipped
on
its
head.
Those
containers
should
kind
of
be
cycled
out
more.
You
know
often
I
feel
like
right.
So
there's
patches,
you
can
apply
constantly.
You
should
be
swapping
those
containers
out
and
updating
them
as
you
go
yeah.
D
And
that's
why
I
always
say
security
is
interests
have
shifted
right,
so
you'll
you'll
hear
a
lot
of
people
say
like
security
is
viewed
broadly
as
a
blocker
and
security
has
stopped
my
application
from
being
deployed
now.
Why
did
they
stop
that?
Okay,
there's
a
critical
vulnerability
in
it
that
they
blocked
you
on.
They
want
you
to
go
fix
it,
okay,
that
critical
vulnerability
is
already
there.
D
So
what
is
your
next
step
you
need
to?
You
do
need
to
escalate
that
you
need
to
identify
if
you
are
actually
vulnerable
to
that,
but
ultimately
fixing
it
is
going
to
need
to
occur
quickly.
So
devops
is
in
the
best
interest
of
the
security
program
because
being
able
to
deploy
and
remediate
things
quickly
and
having
a
mature
testing
program
is
going
to
be
the
ultimate
indicator
of
success,
and
that's
why
I
say:
there's
no
such
thing
as
devsecops
before
devlops.
C
B
C
So
yeah,
so
that's
you
know,
devsecops
you're,
totally
right.
Jamie
has
always
been
a
part
of
devops.
We
just
want
to
make
sure
to
focus
on
that
give
security
a
seat
at
the
table.
You
know
let
them
be
part
of
the
group.
You
know
the
lunch
team
whatever
and
so
that
you're
all
working
together.
Obviously
devops
devsecops
is
more
of
a
culture
shift,
initially
at
least
than
anything
but
yeah
and
getting
security
right
and
integrating
it
at
the
right
time
will
definitely
allow
you
to
to
not
make
it
a
roadblock.
B
C
B
Yeah
awesome.
Thank
you
very
much.
Jamie
awesome
demo
as
always
coming
up
next
on
the
channel
here
in
an
hour.
So,
oh,
I
don't
have
my
utc
clock
up.
Sorry,
we're
gonna
have
the
stack
racks
office
hours
with
we're
gonna
be
talking
about
kubernetes
network
policies
with,
if
I
can
say
the
name
right,
oh,
I
lost
it,
never
mind
it's
not
on
the
screen
anymore.
B
So
one
of
the
stack
rocks
team
members
coming
on
gonna
kick
tires
on
some
network
policies
and
show
us
the
why
and
the
how
behind
it
all
so
yeah,
please
stay
tuned
for
that
and
when
in
doubt,
subscribe
to
our
calendar
or
look
at
our
calendar
and
you
can
see
what's
coming
up
next
on
the
channel
and
thank
you
dave
for
coming
on
again.
Thank
you.
Jamie.