From YouTube: Lightning Talk: DevSecOps culture with OpenSource Tools with Benjy Portnoy (Aqua Security)

Description
Lightning Talk
DevSecOps culture with OpenSource Tools: Shifting Security Left
Benjy Portnoy (Aqua Security)
Jan 29 2020
https://github.com/aquasecurity
https://commons.openshift.org/gatherings/London_2020.html

My goal in the next 14 minutes and 48 seconds is to share with you some really great open-source tools that you can use to enhance the security posture of your cloud native applications. Aqua was founded four years ago, specifically to address the challenges around cloud native security. Now, if there's one thing I want you to remember from this presentation, it is our GitHub page. I'm going to try and cover four of the six projects that are available here, and hopefully these will help you enhance the security posture of your cloud native workloads.

This is a slide from last year, but if you talk to security people today and ask them what are the key challenges when migrating to a cloud native application, security is up there. If you talk today to CISOs, DevOps people, SecOps people, they're still trying to understand this world of Kubernetes and containers, and how they can take traditional security best practices and adapt them to this world.

The good news is that if you talk to a security person, initially their reaction and the thought process kind of goes all the way from denial until eventually understanding what they need to do. The reason is that security folks, like myself, are slowly understanding that the people that need to be in control of security and take responsibility are often DevOps people. The people building your images in your pipeline need to understand the security risks and be able to address some of those.

If you talk to a DevOps person, they're also aware. There are many people in this room that are using OpenShift. One of the key challenges when going into that environment is having your compliance team or your security team come over and say: hold it, you cannot go live with this project because we do not have regulatory requirements answered, we don't have our security tools, we don't have visibility into this application. This can obviously be a big hindrance and a pain when you want to go live with your applications.

The actual reality on the ground is very different and looks a lot like this, where we have DevOps, well, dev and ops, that have been working really productively together for many, many years, and then you have security that comes and tries to get in the middle, trying to understand: okay, this is our OpenShift cluster, these are our functions, how do we take these processes like incident response? How do we take our patch management?

How do we take our security visibility and apply it to this new world? This is what we're seeing; it's a lot more realistic, I would say, than the previous slide. So hopefully the tools I'm going to share with you in the next few minutes can help DevOps people be empowered and take back the security of those applications. The first tool I'm going to share with you is Trivy. Just raise your hands: anyone using Trivy today or familiar with Trivy? Good, that's about 90% of the room.

Hopefully, after this, the other 10% will be familiar with the tool as well. What Trivy does is allow you to do a security assessment of your images at build time. We found that about 82% of images are built locally on developers' workstations before they get into your Jenkins pipeline or whatever CI tool you're using. Trivy is extremely easy to use. It is very fast: you can scan your image in under 10 seconds the first time, and the next scan will be even quicker.

It looks for vulnerabilities in operating system packages and dependencies, and as you can see here, it supports things like npm. There are many ways to run it, as we'll see in a second, but it can be run locally as an executable or as a container. It can be easily embedded into your CI pipeline. Assuming you're using RHEL or CentOS, you can install it very easily, as you can see here. Another option is to simply put it on a Mac.

So again, the nice thing about Trivy is that it is a tool that can be used to create a DevSecOps culture. You can take all the developers that are creating the images, and they can assess the security posture locally on their workstations prior to the image getting into the pipeline. Okay, how do you run it? As you can see here, it's dead easy: trivy and the image name, and you can give it all kinds of parameters.

Like: only show me critical vulnerabilities, or only show me high severity vulnerabilities. And we will actually show you what you need to do to remediate as well. Here's an example of a report. Trivy found that this image has a bunch of vulnerabilities; there's a Python and an npm vulnerability in here. For each one we'll give you the installed version in your image and the fixed version that you need to use in order to remediate. This report can obviously be generated as JSON or HTML, and it's really, really nice.

Again, what we're doing here is allowing the DevOps people that are creating the images to take control of security. There's no reason to get blocked once the application is down the line; we want to shift the security left, and this is a great capability you can do that with now. Everyone here loves going through airport security, and if you look here from a DevOps mindset, DevOps need velocity, the speed, the agility. When a DevOps person goes through airport security, they want to get to the other side as quickly as possible.

They're not going to be faffing around taking their shoes off. "Sir, please take your belt off. Do you have any money on you?" No. And it's the same thing when their pipeline is being built. They want to have multiple, very quick releases every single day. Everything needs to be automated. Everything needs to be embedded in that pipeline. If it's not, DevOps people will simply circumvent security. In stark contrast, as you can see here, security has a very different mindset: they are driven by regulatory compliance, all kinds of standards, PCI, GDPR.

They need to comply with all the different standards, and a security guy usually doesn't have that automated mindset, right? This is where we're trying to bridge this gap, very quickly. If you wanted to use Trivy in your pipeline, here's an example, and you can use it in any tool, Jenkins, Travis, whatever you happen to be using: give me an exit code of zero if I have high severity vulnerabilities, because that is aligned with my risk appetite; give me an exit code of one if I have a critical vulnerability, and prevent my image from being pushed into my production registry. So this is a great tool: you can use it on the developers' workstations, put it in your pipeline, control the promotion of images from staging to production.
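The severity gate the speaker describes (exit 0 on HIGH, exit 1 on CRITICAL, block the push) is something Trivy can do on its own with its `--exit-code` and `--severity` flags and `--format json` for the report. The script below is an added example, not Aqua's code and not part of the talk: it applies the same policy over a Trivy JSON report so a pipeline step can also print the installed and fixed versions for the findings that blocked the push. The report embedded in it is constructed; its package names, versions and finding IDs are placeholders, and the two JSON shapes it accepts (a top-level `Results` list in newer Trivy releases, a bare list in older ones) are my reading of Trivy's output, not something the talk states.

```python
"""Severity gate over a Trivy JSON report (added example, not Aqua's code).

Policy, as in the talk: HIGH findings are reported but allowed (exit 0),
any CRITICAL finding fails the step (exit 1) so the image is not pushed.
"""
import json
import sys

# Constructed sample report. The layout mirrors Trivy's JSON output as the
# author of this example understands it; every ID, package and version is
# a placeholder, not a real finding.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example.local/app:1.0",
    "Results": [
        {"Target": "example.local/app:1.0 (alpine 3.10.3)",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libexample",
              "InstalledVersion": "1.2.3-r0", "FixedVersion": "1.2.4-r0",
              "Severity": "HIGH"}]},
        {"Target": "app/package-lock.json", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "some-npm-lib",
              "InstalledVersion": "4.17.11", "FixedVersion": "4.17.12",
              "Severity": "CRITICAL"},
             {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "other-lib",
              "InstalledVersion": "0.9.0", "FixedVersion": "",
              "Severity": "LOW"}]},
    ],
})

# Older Trivy releases emitted the bare list of results instead of an object.
OLD_FORMAT_SAMPLE = json.dumps(json.loads(SAMPLE_REPORT)["Results"])


def load_results(report_text):
    """Return the list of per-target results from either JSON shape."""
    data = json.loads(report_text)
    if isinstance(data, dict):
        return data.get("Results") or []
    return data


def collect(results, severities):
    """Flatten every finding whose Severity is in `severities`."""
    found = []
    for res in results:
        for vuln in res.get("Vulnerabilities") or []:
            if vuln.get("Severity") in severities:
                found.append({
                    "target": res.get("Target", "?"),
                    "id": vuln.get("VulnerabilityID", "?"),
                    "pkg": vuln.get("PkgName", "?"),
                    "installed": vuln.get("InstalledVersion", "?"),
                    # Trivy leaves FixedVersion empty when no fix exists yet.
                    "fixed": vuln.get("FixedVersion") or "(no fix yet)",
                    "severity": vuln.get("Severity", "?"),
                })
    return found


def gate(report_text, block_on=("CRITICAL",), warn_on=("HIGH",)):
    """Return (exit_code, blocking_findings, warning_findings).

    exit_code is 1 when any finding matches `block_on`, else 0; `warn_on`
    findings never change the exit code, matching the talk's policy.
    """
    results = load_results(report_text)
    blocking = collect(results, set(block_on))
    warnings = collect(results, set(warn_on))
    return (1 if blocking else 0), blocking, warnings


def remediation_lines(findings):
    """One human-readable line per finding: what is installed, what fixes it."""
    return ["{severity:8} {id} {pkg} {installed} -> fix in {fixed} ({target})"
            .format(**f) for f in findings]


if __name__ == "__main__":
    # Usage: trivy --format json <image> > report.json; python gate.py report.json
    # With no argument the constructed sample report is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, blocking, warnings = gate(text)
    for line in remediation_lines(warnings):
        print("WARN ", line)
    for line in remediation_lines(blocking):
        print("BLOCK", line)
    print("exit code:", code)
    sys.exit(code)
```

In a Jenkins or Travis step the non-zero exit from `sys.exit(code)` is what stops the subsequent push to the registry; the thresholds are arguments to `gate()` so a team with a stricter risk appetite can pass `block_on=("HIGH", "CRITICAL")` without touching the parsing.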
The next tool we're going to talk about is Tracee. Tracee is Trivy's little sister. Is anyone in the room familiar with eBPF? Good, there's a few people. You'll hear a lot more about eBPF. eBPF is a great tool that can be used to observe the behavior of your systems, processes, containers. Anyone that's familiar with BPF from the Berkeley Packet Filter days of netfilter and iptables: this is kind of the next generation, which has very, very low performance impact. It allows you to trace pretty much anything in your operating system.

This image was compressed and then base64 encoded and then put into the image, so scanning this image with any security tool, including Trivy or any other tool, is not going to pick this up. This image is going to be fine, it's going to go into production, and when you run the pod and it spins up the container, then it's going to unpack this piece of malware, which is going to do crypto mining. All your pods are going to jump to 100% and you have Kubernetes-at-scale hacking infrastructure, whatever flavor you are using, right?

So here on our blog you can see exactly how this happens. But again, this is why you need to have deep behavioral analysis of what is happening in your containers at runtime, and why we're slowly realizing that static scanning of the images is not enough anymore to detect these kinds of attacks.

How do you install that? You can see here, it's very easy; it's on our GitHub page. Let me show you a quick example of what happens if you're using Tracee to try and look inside: run a simple Alpine image and run ls, right? This is the kind of visibility you will get. Why is this important? Because it allows us to say: you know what, this container is running, it is trying to access something it should not be doing, it's trying to access a system call, it's trying to unpack something.

This is an example of a report of an image that, when you scan the image, everything is fine. When you run the image, it is extremely malicious and can basically do a container breakout. Again, another reason why a tool like Tracee can give you that deep visibility. The next tool I'm going to share with you is kube-hunter. So a quick question: is Kubernetes secure by default? Resounding no, okay, good. Let's take a look and understand, by the way, which Kubernetes is the most secure by default.

Red Hat. So as it happens, OpenShift is definitely the most secure. The problem is that while there are many tools with Kubernetes, like PSPs, like admission controllers, like role-based access control, there are many things you can use by default, a lot of flavors don't do that, and there's a huge gap between what happens in reality when we spin up new clusters and what should happen from a security standpoint.

If you look here, this is becoming more and more common, where high-profile cyber attacks occur due to a misconfigured Kubernetes cluster, or a Kubernetes cluster that has a critical vulnerability like runc, which we had last year. John mentioned this in his presentation before, but you can see some of the kinds of risks that are happening here, and one of the key challenges is that the CISOs or the security in your organization may not even be aware that you have your OpenShift clusters running, and definitely not what the key risks around that are.

So there's a tool available; any security people in the room familiar with Shodan? This is freely available: you can go into Shodan and you can pretty much search for Docker instances, Kubernetes instances that are out there on the internet. You will be shocked at how many Kubernetes clusters are out there which have serious security misconfigurations and vulnerabilities. It's interesting just to do it to understand the kind of breadth that we're seeing in this area.

What can you do about this? kube-hunter, again on our GitHub page, is another free tool. It will scan your network for Kubernetes clusters and do a penetration test. It will say: this is your cluster, these are the risks we have identified, these are the vulnerabilities. You can run it either as a pod; if you do it as a pod, please do not use your production environment, because it's an active scan, meaning potentially it could bring down your cluster. But you can run it remotely: just scan my network.

You can give it an IP address, or you can say just look for clusters in my environment, and it'll give you a report. It will say: these are the vulnerabilities we have identified, this is what you need to do to go and remediate that. So that is the other tool. The next one is kube-bench. So CIS, the Center for Internet Security, has a great book. It's about 200 pages on how your Kubernetes and Docker servers should be configured. kube-bench, again, is on our GitHub page.

What it does is it will scan, look for all the CIS benchmarks, and for each one tell you whether you have a pass or a fail, and, more importantly, it will show you how to remediate: so what can you do, what do you need to do in order to remediate. So again, that is for the Kubernetes CIS benchmark. We have done something similar specifically around Red Hat, taking Red Hat's best practices for how an OpenShift cluster should be configured.

If you want to see more around that, please come upstairs after, during the day, and we can show you what that looks like at the Aqua booth as well. So I've shown you three of the six. Another tool, again open source on our GitHub page, is around IaaS. So how can you do cloud security posture management? Cloud security posture management, CSPM, is about scanning your underlying infrastructure: scanning your AWS, your Microsoft, your Google cloud infrastructure and looking for misconfigurations, looking for risks. Those can be S3 buckets with sensitive data. It can be: how do you measure your compliance against PCI or another regulatory standard? Are you using audit trails like you should be in Amazon? Do you have VPCs that are exposed? So everything that I talked about until now was looking at things like the images, your orchestrator security. This is going a level lower, looking at the actual infrastructure: CSPM. So I think, coming up to the end of my 15 minutes, we spoke about Trivy.

Just to wrap up: Trivy allows you to scan images both locally on developers' workstations, but perhaps more importantly, to embed that in the CI pipeline to control the promotion of images into your registry. It checks that if you do have vulnerabilities in the underlying operating system that you're using inside that image, or in the dependencies, you get the information about how to remediate that and prevent those images from going into the registry. The next tool we spoke about was Tracee.

Trivy's sister, Tracee, is an eBPF tool that leverages that technology to do deep behavioral analysis of containers. It allows you to identify malicious behavior that would not have been identified just by static scanning, like that piece of malware that we saw that was gzip compressed, base64 encoded and embedded in the image, right? And as we see these applications become more and more ubiquitous, hackers are targeting these kinds of applications more and more frequently. We're seeing more and more publicly available images in Docker Hub, or publicly in any other repo, that contain malware. The next tool we spoke about was kube-hunter. This can be used to do penetration tests on your network, looking for Kubernetes clusters, identifying misconfigurations. A classic case, by the way, was Tesla.

They were probably the most notorious breach, about a year and a half ago, where they left their Kubernetes cluster publicly exposed in an Amazon environment, where the dashboard was enabled with anonymous authentication. Obviously Kubernetes has since fixed a lot of stuff, but again, there are many, many defaults that are still not secure.

It should be a given: once a hacker gets into that dashboard, to get from there to map out the entire structure of all your pods, your secrets, everything else is very easy. Usually, when we talk to security people, I compare this to the old days of just VMware: it's like getting into your vSphere server and being able to right-click and map out the entire organization. So you need to check that that's not happening. And finally, we spoke about CSPM, cloud security posture management.

This is the fourth tool, which you can use to scan your infrastructure, your cloud provider, and check for security and misconfigurations. If you have any questions or would like to see any of this live, please come up to our demo environment upstairs. We are also giving away our books on Kubernetes security from Liz Rice and Michael from Red Hat. So please kind of get one of these, and thank you very much.