Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Red Hat OpenShift / London 2020 | OpenShift Commons Gathering / 29 Jan 2020
Red Hat OpenShift / London 2020 | OpenShift Commons Gathering / 29 Jan 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Lightning Talk: DevSecOps culture with OpenSource Tools with Benjy Portnoy (Aqua Security)

Description

Lightning Talk
DevSecOps culture with OpenSource Tools: Shifting Security Left
Benjy Portnoy (Aqua Security)
Jan 29 2020

https://github.com/aquasecurity
https://commons.openshift.org/gatherings/London_2020.html

A

My goal in the next 14 minutes and 48 seconds is to share with you some really great open-source tools that you can use to enhance the security posture of your cloud native applications. Aqua was founded four years ago, specifically to address the challenges around cloud native security. Now, if there's one thing, I want you to remember from this presentation, it is our github page, I'm gonna, try and cover four of the six projects that are available here, and hopefully these will help. You enhance the security posture of your cloud native workloads.

A

This is a slide from last year, but if you talk to security people today and ask them what our one of the key challenges when migrating to a cloud native application security is up there. If you talk today to CISOs devops people, sec, ops, people, they're still trying to understand this world of kubernetes of containers and how they can take traditional security, best practices and adopt them to this world.

A

The good news is that if you talk to a security person, initially their reaction and the thought process kind of goes all the way from denial until eventually understanding what they need to do, and the reason is is that security folks, like myself, are slowly understanding that the people that need to be in control of security and take responsibility are often DevOps people. The people building. Your images in your pipeline need to understand the security risks and be able to address some of those.

A

If you talk to you a DevOps person they're also aware, there are many people in this room that are using openshift. One of the key challenges when go into that environment is having your compliance team or your security team coming over and saying hold it. You cannot go live with this project because we do not have regulatory requirements answered. We don't have our security tools, we have visibility into this application and this can obviously be a big hindrance in a pain when you want to go live with your applications. Now.

A

The good news is that, from a theoretical standpoint, if DevOps and security both know there is a need to collaborate, there should be a utopia with every organization having a dev suck-ups role, a dev suck ups group, that is fostering collaboration between the security and the DevOps teams.

A

The actual reality on the ground is very different and looks a lot like this, where we have DevOps well dev and ops that have been working really productively together for many many years and then you have security, comes and tries to get in the middle and trying to understand. Okay, this is our open shift cluster. These are our functions. How do we take these processes like Incident Response? How do we take our patch management?

A

How do we take our security visibility and apply it to this new world, and this is what we're seeing it's a lot more realistic, I would say than the previous slide. So, hopefully, the tools I'm going to share with you in the next few minutes can help DevOps people being empowered and take back the security of those applications. The first tool I'm going to share with you is trivy just raise your hands. Anyone using trivy today or familiar with trivy good, that's about 90% of the room.

A

Hopefully, after this, the other 10% will be familiar with the tool as well. What trivy does it allows you to do a security assessment of your images at build time, we found that about 82% of images are built locally on developers workstations before they get into your Jenkins pipeline or whatever CI told you're using trivia is extremely easy to use. It is very fast. You can scan your image in under 10 seconds the first time the next scan will be even quicker.

A

It looks for vulnerabilities in operating system packages dependencies and, as you can see here, it supports things like NPM. You can run it there's many ways to run it we'll see in a second, but it can be run locally as it executable as a container as well see in a second. It can be easily embedded into your CI pipeline. It is available assuming you're, using rail or CentOS. You can install it very easily, as you can see here. Another option is to simply put it on a Mac.

A

So again, the nice thing about trivy is that it is a tool that can be used to create a dev, psych, ops, culture. You can take all the developers that are creating the images they can assess the security posture locally on their workstations prior to the image getting into the pipeline. Okay, how do you run it? As you can see here? It's dead, easy, trivy and the image name, and you can give it all kind of parameters.

A

Like only show me critical vulnerabilities and only show me high severity vulnerabilities, and we will actually show you what you need to do to remediate as well. Here's an example of a report: trivia where that image is a bunch of there's a Python as an NPM vulnerability in here for each one, we'll give you the installed version in your image, the fixed version that you need to use in order to remediate, and this report can obviously be generated as JSON HTML, and it's really really nice again.

A

What we're doing here is allowing that DevOps people that are creating the images to take control of security there's no reason to get blocked. You know once the application is down the line, we want to shift the security left and this is a great capability. You can do that now. Everyone here loves going through airport security and if you look here from a DevOps mindset, DevOps need velocity the speed the agility when a devops a person goes through airport security. They want to get to the other side as quickly as possible.

A

They're not going to be faffing around taking their shoes off. Sir. Please take your belt off. Do you have any money on you? They know and it's the same thing when they go when their pipeline is being built. They want to have multiple, very quick releases every single day. Everything needs to be automated. Everything needs to be embedded in that pipeline. If it's not DevOps people will simply circumvented security in stark contrast, as you can see here in a very different mindset, they are driven by regulatory compliance, all kind of standards, PCI gdpr.

A

They need to comply with all different standards, and a security guy usually is not doesn't have that automated mindset right- and this is where we're trying to bridge this gap very quickly. If you wanted to use trivia in your pipeline, here's an example and you can use it in any tool- jenkins, travis, whatever you happen to be using, give me an exit code of zero.

A

If I have high severity vulnerabilities, because that is aligned with my risk appetite, give me a exit code of one if I have a critical vulnerability and prevent my image from being pushed into my production registry. So this is a great tool you can use it on the developers. Workstations put it in your pipeline control, the promotion of images from staging to production. The next tool we're going to talk about is Tracy.

A

Tracy is trivias little sister is anyone in the room familiar with EBP F good there's a few people you'll hear a lot more about EBP, f. Upf is a great tool that can be used to observe the behavior of your systems, processes, containers, anyone, that's familiar with BPF from the berkeley packet filter days of net filter and IP tables. This is kind of the next generation which it has very, very low performance impact. It allows you to trace pretty much anything in your operating system.

A

What do I mean by anything anything right, so it allows you to get down to kernel levels. If anyone use strace before to think of strace on steroids, you can pretty much hook into anything in the underlying operating system using EBP eff with very, very low performance impact.

A

Why is this important for cloud native applications because hackers more and more frequently targeting cloud native applications, because everyone knows that this is where the next generation replications is but they're using their obfuscating the attacks inside the images, so this kind of attack here you can see this is a piece of malware that was embedded inside a bunch of images that were publicly available on docker hub last year.

A

This image was compressed and then base64 encoded and then put into the image so scanning this image with any security tool, including trivy or any other tool, is not going to pick this up. This image is going to be fine, gonna go into production when you run the pod and it spins up the container, then it's gonna unpack this piece of malware, which is going to do crypto mining. All your pods are going to jump to 100 and you have kubernetes at scale hacking infrastructure, whatever flavor, you are using right.

A

So here on a blob, you can see exactly how this happens, but again. This is why you need to have deep behavioral analysis of what is happening at your in your containers at runtime and why static scanning of the images is slowly we're realizing the security. Well, this is not enough anymore to detect these kind of attacks.

A

How do you install that you can see here? It's very easy. It's on a github page. Let me show you a quick example of what happens if you're using Treacy to try and look inside the run, a simple Alpine image and run LS right. This is the kind of visibility you will get. Why is this important because it allows us to say you know what this container is running. It is trying to access something it should not be doing it trying to access a system. Call it's trying to unpack something.

A

This is an example of a report of an image that, when you scan the image, everything is fine. When you run the image, it is extremely malicious and can basically do a container break out again. Another reason why I too, like Tracy, can give you that deep visibility, the next time I'm going to share with you, is Cube hunter. So a quick question is kubernetes secure by default resounding though okay, good, let's take a look and understand by the way which kubernetes is the most secure by default.

A

Red Hat, so, as it happens, openshift is definitely the most secure. The problem is, is that, while there are many tools with kubernetes like PSPs, like admission controllers, like role based access control, there are many things you can use by default. A lot of flavors. Don't do that and there's a huge gap between what happens in reality when we spin up new clusters and what should happen from a security standpoint?

A

If you look here, this is becoming more and more common where high profile cyber attacks occur due to a misconfigured, kubernetes cluster or a kubernetes cluster. That has a critical vulnerability like run c, which we had last year. John mentioned this in his presentation before, but you can see some of the kind of risks that are happening here and one of the key challenges is that the CISOs or the security in your organization may not even be aware that you have your openshift clusters running.

A

Definitely what are the key risks around that so there's a tool available, any security people in the room familiar with shodhan. This is a freely you can go into children and you can pretty much search for docker instances, kubernetes instances that are out there on the internet. You will be shocked at how many kubernetes clusters are out there, which have serious base configurations and security, miss configurations and vulnerabilities. It's interesting just to do it to understand the kind of breadth that we're seeing in this area.

A

What can you do about this cube hunter again on our github page? If another free tool it will scan your network for kubernetes clusters and do a penetration test. It will say these. This is your cluster. These are the risk we have identified these other vulnerabilities. You can run it either as a pod. If you do it as a pod, please do not use your production environment because it's an active scan, meaning potentially it could bring down your cluster, but you can run it remotely just scan my network.

A

You can give it an IP address, or you can say just look for clusters in my environment and I'll, give you a report. It will say these are the vulnerabilities we have identified. This is what you need to do to go and remediate that, so that is the the other tool. The next one is cue bench. So C is the center of Internet security has a great book. It's about 200 pages of how your kubernetes and docker servers should be configured. Cue bench again is on our github page.

A

What it does is, it will scan, look for all the CIS benchmarks and for each one tell you whether you have a pass or a fail and, more importantly, it will show you how to remediate. So what can you do? What do you need to do in order to remediate so again, that is for the kubernetes CIS benchmark? We have done something similar, specifically around Red Hat, so taking red hats best practices for how should an open ship cluster be configured?

A

If you want to see more around that, please come upstairs after join a day, and we can show you what that looks like at the Aqua booth as well. So I've showed you three of the six another tool again open source on a github page is around I asked. So how can you do cloud security, posture management, cloud security, posture management, see SPM is about scanning your underlying infrastructure scanning, your AWS, your Microsoft, your Google cloud infrastructure and looking for miss configurations looking for risks, those can be s3 buckets with sensitive data. It can be.

A

How do you measure your compliance against PCI or another regulatory standard? Are you using audit trails like you should be in Amazon? Do you have V pcs that are exposed, so everything that I talked about until now was looking at things like the images, your orchestrated security? This is going a level lower looking at the actual infrastructure, CS p.m. so I think coming up to the end of my 15 minutes, we spoke about trivy.

A

Just to wrap up trivia allows you to scan images both locally on developers, workstations, but perhaps more importantly, to embed that in the CI pipeline to control the promotion of images into your registry, and it check that if you do have vonda bilities in the underlying operating system that you're using inside that image or the dependencies that you get the information about how to remediate that and prevent those images from going into the registry. The next tool we spoke about was Tracy.

A

Traveese sister Tracy is an EVP F tool that leverages that technology to do deep, behavioral analysis of containers. It allows you to identify malicious behavior that would not have been identified just by static scaling like that piece of malware, that we saw that was gzip, compressed, base64, encoded and embedded in the image right, and, as we see that you know, these applications become more and more ubiquitous.

A

Hackers are targeting more and more frequently, these kind of applications we're seeing more and more publicly available images in docker hub or publicly in any other repo that contain melih the next tool we spoke about with coupon tur. This can be used to do penetration tests on your network. Looking for kubernetes clusters, identifying misconfigurations a classic case by the way was Tesla.

A

They were probably the most notorious breach about a year and a half ago where they left their kubernetes cluster in an publicly exposed in an Amazon environment where the dashboard was enabled with anonymous authentication. Obviously, kubernetes has since fixed a lot of stuff, but again there are many many defaults that are still not secure.

A

It should be given once a hacker gets into that dashboard to get from there to map out the entire. You know, structure of all your pods, your secret, so everything else is very easy. I, usually when we talk to security, people compare this to in the old days of just VMware, it's like getting into your vSphere server and being able to right-click and map out the entire organization, so need to check that that's not happening. And finally, we spoke about CSP M cloud security, posture management.

A

This is the the fourth tool which you can use to scan your infrastructure, your cloud provider and check for security and miss configurations. If you have any questions or would like to see any of this life, please come up to our demo environment upstairs. We also are giving away our books on kubernetes security from Liz Rice and Michael from Red Hat. So please kind of get one of these, and thank you very much.

A

You.