►
From YouTube: Securing your OpenShift apps with Snyk - Hayley Denbraver @Snyk @OpenShiftCommon's Briefing
Description
Guest Speaker: Hayley Denbraver (SNYK)
There is a lot of emphasis on security in the OpenShift community, but mostly from the side of audit, controls and compliance. But a cloud native reality invites us to shift more ownership of security to the left, in the developer’s hands—given the right approach, process and tools. Snyk is a developer tools company that helps users find and fix vulnerabilities in open source libraries, both in apps and containers. Snyk’s focus is security depth and getting true dev adoption, which has led us to building tight integration into source control platforms, CI/CD tools, registries, PaaS and server less. Snyk features automated fixing of issues and the best vulnerability DB out there (enough to make Facebook, Netflix and others license the data feed itself). Towards Red Hat Summit, we will demo our new integrations into OpenShift, helping developers and operators to use open source while staying secure.
Resources: https://snyk.io/search/cheat+sheet
Create an account: https://app.snyk.io/signup
A
When
another
open
ship
Commons
briefing
this
time
with
snick
we're
gonna
hear
from
Haley
den
braver
and
a
few
other
folks
from
snick
and
they're
going
to
talk
about
securing
your
open
shift,
apps,
so
I'm
gonna,
let
Haley
take
it
away
and
introduce
her
other
colleagues
who
are
on
the
call
the
Q&A
will
be
in
the
chat
and
at
the
end
of
the
presentation
and
the
demo,
we
will
have
live
Q&A
and
I'll
unmute.
Everybody.
So
save
your
questions
for
the
end.
Haley
take.
B
B
Let's
get
started
so
a
little
bit
about
me.
I'm
part
of
the
developer
advocate
team
at
sneaked,
and
you
can
find
me
on
twitter
at
Haley
Dunphy.
Now,
because
sneak
we
eat,
breathe
sleep
security,
though
we've
chosen
this
Doberman
as
our
logo,
but
the
developer
advocate
team
is
really
interested
in
helping
people.
Do
security
and
use
our
product
well,
and
we
love
hearing
from
people,
though,
when
I
think
of
my
job
I,
think
more
of
this
golden
retriever
and
how
this
golden
retriever
is
friendly,
helpful
and
excited
to
talk
to
you
about
open
source
security.
B
B
B
That
is
your
open
source
dependencies
right
because
they
can
read
and
inspect
the
code,
there's
also
a
bigger
payoff,
because
a
number
of
people
use
these
dependencies.
So
you
know
if
they
find
a
vulnerability.
If
they're
able
to
exploit
a
vulnerability
in
an
open
source
dependency,
well,
they
could
potentially
get
a
much
bigger
payoff
right
and
so
at
sneak.
Our
focus
is
really
everything
in
your
app.
That's
not
the
code.
B
B
Amazing
things
done
with
open
source
I
personally
would
rather
be
proactive
than
reactive
right.
I
want
to
know
what
is
in
the
dependencies
I'm
using
instead
of
finding
out,
because
someone
broke
in
right
when
this
is
what
your
app
looks
like,
where
your
dependencies
account
for
the
vast
majority
of
your
code.
Your
really
wants
you're
really
gonna
want
some
insight
into
your
dependencies
right
and
the
thing
is.
This
has
caused
problems
in
effect
in
the
past
right,
the
Equifax
breach
of
2017
I'm.
Sure
most
of
you
have
heard
about
this.
B
This
was
caused
by
a
vulnerability
in
the
strut,
the
struts
package,
and
it
was
a
real
big
mess.
Lots
of
data
was
compromised
and
it
was
very
important
data
as
well
right
and
more
recently,
we
had
the
event
stream
vulnerability,
and
this
was
related
to
bitcoins
and
things
like
that.
But
this
one
is
an
example
of
a
malicious
actor.
The
original
owner
turned
over
their
ownership
of
the
library
to
someone
who
did
not
have
people's
best
interests
in
mind,
though,.
B
B
That
kind
of
thing
so
I
am
going
to
show
you
just
kind
of
graphically
what
that
looks
like
so,
let's
say
you
have
an
image
and
you
want
to
deploy
it
right.
So
the
image
here
is
represented
by
this
boat
right,
we're
going
to
find
a
docker
image
in
our
demo,
okay,
and
what
sneek
is
capable
of
doing
is
we
have
an
admission
controller
that
you
can
set
up
and
customize,
so
you
can
either
let
that
image
be
deployed
or
you
can
reject
it
if
certain
types
of
vulnerabilities
are
found.
B
So
the
image
has
to
pass
through
this
gate
and
get
evaluated
before
it's
allowed
to
deploy
all
right
and
we're
gonna
see
this
happen
in
we're.
Gonna
see
the
whole
process
and
it's
a
it's
actually
pretty
easy
and
pretty
fast.
It's
also
really
customizable,
though,
on
the
issue
of
being
customizable,
we
currently
rate
open
source,
folder
abilities
into
three
categories:
basically
high
severity,
a
medium
severity
or
a
low
severity
vulnerability,
and
what's
great
about
the
tool
we
have
with
kubernetes
and
OpenShift,
is
that
you
can
customize
what
you're
ok
with
going
into
production.
B
So
this
is
a
very
typical
breakdown
of
maybe
what
you
would
want
to
see
where
you
would
fail
a
deployment
prevent
a
deployment
if
there
were
high
severity
vulnerabilities
found
right,
but
then
maybe
you're,
okay
with
medium
or
low
severity.
Vulnerability
is
going
through
and
being
deployed,
but
you
may
want
to
keep
track
of
them
or
know
about
them.
So
this
is
one
way
we
could
set
it
up.
B
So
if
you
all
can't
see
it
I
hope,
Diane
will.
Let
me
know
so:
I
can
adjust
things.
It's
worked
out
great
working,
great,
that's
great!
All
right!
So
in
this
demo
we're
going
to
be
jumping
back
and
forth
a
bit
between
the
terminal
and
the
UI.
In
order
to
give
you
the
best
picture
of
what
is
going
on.
B
Our
aim
is
to
show
you
how
we
can
protect
a
project
using
the
sneak
admission
controller,
so
we're
gonna
start
with
installing
our
sneak
admission,
control,
Arobin
shift
and
kubernetes
in
general,
we'll
create
a
project
with
the
names
leap
and
install
our
controller
in
it.
Then
we're
going
to
continue
and
use
the
provided
helm.
B
So
that
is
this
command
here,
though,
do
you
remember
the
slide?
I
showed
you
earlier
with
the
red,
orange
and
yellow
box
representing
high
medium
and
low
severity
vulnerabilities,
so
we're
going
to
recall
that
we
talked
about
how
you
can
set
different
thresholds
according
to
the
need
needs
of
your
project.
Well,
that's!
What's
going
on
with
this
command!
First,
we
specify
the
project
we
are
going
to
protect
and
you
can
see
that
the
project
is
my
project.
B
B
Finally,
we're
going
to
set
the
test
override
equal
to
false
and
the
monitor
equal
to
true
now,
setting
the
test
override
equals
to
false
means
that
we're
that,
if
we
find
a
high
severity
vulnerability,
we're
not
going
to
just
wave
it
through
anyway
right.
We
want
to
do
cause
the
deployment
to
fail,
and
this
monitor
parameter
is
going
to
it's
going
to
connect
the
project
with
your
sneaked
account
and
you
will
get
continuous
monitoring
on
successful
deployments,
and
we
will
take
a
look
at
that
a
little
bit
later.
B
Do
we
hit
return
and
we
can
see
that
now
the
sneak
admission
controller
is
installed
and
enabled
for
our
project
and
with
the
configuration
that
we
set.
So
that's
great
now
before
we
get
to
the
UI,
we're
gonna
have
to
set
proper
permissions
in
order
for
our
admissions
controller
to
operate
properly
and.
B
B
B
B
Gonna
take
a
second
and
there
we
go,
it
failed,
but
that's
kind
of
what
we
wanted
to
see
right.
Let's
look
at
the
error
message
and
see
what
happened.
It's
telling
us
that
it
wasn't
able
to
create,
create
app
1,
because
the
snake
and
mission
controller
denied
the
request
did
admission
controller
called
the
sneak
API
to
check
if
the
image
is
secure,
it
found
the
high
severity
vulnerabilities
and
it
denied
the
request
to
deploy
this
imaged.
B
This
is
what
we're
hoping
to
see
our
threshold
is
set
to
high.
We
didn't
override
failures,
and
this
is
exactly
the
behavior
we
would
expect.
This
is
awesome
because
it
means
that
you
did
not
let
an
app
with
known
high
severity
vulnerabilities
out
into
the
wild,
so
here
we're
seeing
our
admission
controller
acting
as
a
gateway,
but
we
can
also
set
it
up
to
act
in
a
more
passive
way
without
locking
the
deployment,
but
instead
of
just
monitoring
the
vulnerabilities
and
so
I'm
going
to
show
you
what
that
looks
like
now.
B
B
B
That's
awesome,
but
do
you
remember
how
we
said
that
we
wanted
to
monitor
this
application
so
now
we're
going
to
go
into
the
sneak
UI
and
look
in
this
projects.
Tab
and
now
we
see
our
project
app
2
listed
and
what's
great
here
is
with
a
really
quick
glance.
You
can
see
that
we
have
three
high
severity,
vulnerabilities
and
one
medium
severity
and
we
will
click
through
and
see
some
more
detailed
information
on
these
vulnerabilities
all
right.
B
So
here
we
have
a
summary
of
top
of
the
project
telling
us
that
we
have
four
vulnerabilities
and
146
dependencies.
This
is
all
interesting
and
relevant
information,
but
then
we
can
also
scroll
through
and
read
about
the
different
vulnerabilities,
what
kind
they
are,
perhaps
any
remediation
advice,
and
when
it's
broken
down
this
way,
you
can
take
a
closer
look
at
it
and
decide,
or
so
with
the
previous
example.
We
rejected
any
high
severity
vulnerabilities,
but
this
one
we
let
them
through,
but
maybe
upon
looking
through
these,
you
decide
you're,
not
comfortable
with
one
of
them.
B
B
We
can
also
look
at
all
of
the
dependencies,
though
I
didn't
film
that
and
if
you
play
around
with
our
product,
you
can
see
the
dependency
tree
and
all
these
interesting
insights
and
information
into
the
open
source
library
as
you're,
using
though
this
is
the
end
of
the
demo
and
thanks
for
sticking
with
me
through
it
I'm,
going
to
take
us
back
to
the
presentation
and
give
some
final
thoughts
and
open
things
up
for
questions.
So
pardon
me,
while
I,
while
I
pulled
that
back
up.
B
All
right,
I'm
gonna,
assume
that
that
is
visible
unless
Diane
tells
me
otherwise
and
we're
going
to
review
and
wrap
up.
So
you
can
see
here
how
sneek
helped
us
find
these
open
source
vulnerabilities.
We
also
have
capability
of
fixing
them,
but
even
finding
them
is
great
information
right
because
we
were
able
to
decide
whether
we
wanted
that
image
to
deploy
or
not,
and
it's
all
automated
with
that
admission
controller
and
just
really
great,
but
we
have
tools
as
well
to
help
you
fix
vulnerabilities
in
your
open
source
dependencies.
B
B
We
can
help
you
with
code
review,
all
these
sorts
of
things
and
I'm
just
really
happy
that
we
integrate
with
OpenShift.
We
try
to
meet
people
where
they
are
and
we're
just
really
happy
to
have
been
able
to
meet
with
this
awesome
community
today
and
hopefully
give
you
some
insight
into
how
you
can
use
sneak
to
up
your
security
game.
B
So
thank
you.
So
much
we
really
like
to
hear
from
our
community
because
we
want
to
build
awesome
things
that
developers
and
other
people
in
the
industry
will
find
it's
really
easy
to
use.
So
we
love
hearing
from
you.
Our
Twitter
is
particularly
active.
You
can
tweet
us
there
at
snake
SEC
or
you
can
reach
out
to
me
directly
at
Haley
Denby
on
Twitter,
and
you
can
try
all
of
this
from
our
website.
Wwe
COO.
B
A
B
A
C
Great
so
I
said
a
question
regarding
the
vulnerabilities
that
you're,
detecting
initially
I,
was
that
you
were
gonna,
look
for
things
like
people
that
leave
compilers
along
you
know
with
their
images
by
accident
or
whatever,
or
that
they
leave
editors
in,
but
it
looks
like
this
is
a
different
kind
of
vulnerability
that
you're
looking
you're
you're
exposing
here.
These
are
like
known
issues
that
are
security
that
are
known
in
the
community
is
that
is
that
the.
B
B
Well,
thank
you
yeah.
When
you
have
you
know,
we
saw
the
project
in
the
demo.
It
had
nearly
a
hundred
and
fifty
dependencies
and
that's
kind
of
a
lot
to
juggle
and
so
a
tool
like
this
can
help
you
automate
it,
and
that
means
that
you're
all
the
more
likely
to
stay
on
top
of
those
known
vulnerabilities,
Delphia.
D
If
I
could
just
add
a
bit
of
color,
this
is
Rudy,
so
on
a
given
day
and
depending
on
language
on
average,
about
40
percent
of
our
database
is
stuff
that
we
find
and
we
surface
and
obviously
we
disclose
it,
but
there's
also
there's
always
like
a
time
window
until
things
get
classified
so
we're
a
CNA.
So
you
know
we
have
relationships
with
academia
with
researchers.
Like
Haley
said
we
have
kind
of
these
machine
learning.
D
Algorithms
is
carrying
the
web,
looking
for
for
things
that
may
be
vulnerabilities
and
then
we
analyze
them
in-house,
and
then
you
get
that
on
top
of
the
aggregation
of
of
everything,
that
is
public
data,
which
is
roughly
60%
of
a
database
and
I,
also
see
a
question
from
Peter.
Do
we
scan
custom
content?
So
we
look
at
the
manifest
files
and
we
look
at
what
libraries
and
packages
you're
leveraging.
D
C
Have
a
question
about
that
just
to
follow
up
so
you
scanned
your
own
code.
Can
you
scan
for
things
like
what
sort
of
things
would
you
typically
look
for,
like
leaving
things
like
I
was
suggesting
before
all
the
compilers
and
things
and
editors
that
you
shouldn't
be
leaving
in
your
finished
production
image
or
what
kinds
of
things
does
it
look
for.
D
Yeah,
so
we
don't,
we
don't
look
at
the
code
itself.
So
when
I
was
in
my
answer
before,
let
me
just
clarify
there.
For
example,
you
forked
a
project
or
a
library
that
is
known
and
you
want
to
add
it,
and
if
it's
in
your
manifest
file,
we
would
be
able
to
look
at
that,
but
we
don't
go
into
the
source
code.
We're
not
a
we're,
not
unlike
a
SAS
task
type
of
company,
we're
complementary
to
that.
Yeah.
B
So
Diane
there
are
a
few
resources.
I
would
point
you
to
something:
we've
been
doing
recently
is
releasing
what
we
call
cheat
sheets
for
different
tools
and
invite
language.
Is
that
kind
of
thing
so,
for
instance,
I
believe
we
recently
released
a
docker
cheat
sheet
that
gives
ten
best
practices
for
docker
security,
and
so
I
would
encourage
you
to
check
those
out
because
they
give
a
really
good
idea
of
where
you
can
start
pan.
B
A
D
Yeah
so
sneakers
in
a
general
sense,
where
either
a
hosted
tool
or
an
on-prem
tool.
What
we
do
showed
here
is
we
used
a
helm
chart
for
installing,
essentially
at
a
mission
controller
in
a
web
hook
that
talks
to
your
sneek
account,
which
is
in
this
case
and
the
demo
was
hosted,
could
be
on
Prem.
So
that's
what
you
saw
in
the
demo
and
inside
that
container,
there's
a
script
that
builds
the
image
in
question
and
runs
Mukesh.
D
A
Answer
yeah,
yeah
I
think
it
does.
The
reason
I'm
asking
is
because
a
lot
of
what
we're
seeing
is
these
these
integrations
with
OpenShift
are
moving
to
an
operator,
it's
deployment,
and
if
you
have
a
helmet
approach
already,
it's
really
pretty
simple:
to
create
an
operator
from
help
from
a
helmet
art
and
get
it
into
the
operator
hub.
So
I'd
love
to
see.
Maybe
we
can
work
on
that
together
and
chat
about
that
at
another
upcoming
event
called
summit
next
week.
B
A
B
B
D
Specifically,
for
so
for
specifically
for
there,
for
this
use
case,
I
think
you
get
the
most
value
out
of
snake
using
it
with
within
your
source
control
system
like
good,
based,
for
example,
where
you
can
fix
by
a
pull
request,
continually
monitor
as
new
commits
come
in.
So
that's
the
most
powerful
piece
where
developers
are
actually
actually
committing,
and
you
can
also
go
further
to
the
left
with
an
IDE.
D
So
something
will
look
well
happy
to
chat
about
at
the
summit
next
week
is
about,
if
anybody's,
using
code
already,
and
it's
interested
in
sneaking
that
we're
happy
to
to
understand,
but
what
that
means
and
then,
as
gay
as
hailey
kind
of
a
little
further
on
to
the
right.
You
want
to
have
these
gates,
so
we
showed
the
admission
controller
before
you
deploy.
You
can
have
a
gate
before
you
pushed
your
registry
to
make
sure
that
the
stuff
that
goes
up
is
secure
enough
CIC
before
you
build,
you
can
trigger
new
bills
as
well.
D
A
I
think
that
was
all
the
questions
that
were
in
the
chat
for
today
definitely
go
to
your
next
slide.
Love
to
see
everybody
at
Red,
Hat
summit
have
a
visit
there
I'd
love
to
talk
to
you
guys
more
about
integrating
with
code
ready
and
see
where
we
can
go
with
that.
There's
a
great
introduction,
so
there's
I'm
sure
there's
a
lot
more.
So
we're
looking
forward
to,
as
you
mentioned,
lots
of
other
tools
that
you
have
another
briefing
sometime
in
the
not-too-distant
future,
hopefully
from
yeah
we've.
B
B
A
So
if
you're,
you
know,
didn't
get
a
ticket
go
to
Facebook
the
open
ship
page
landing
page
in
Facebook
and
it'll
all
be
streamed
there
and
then
be
uploaded
on
YouTube
as
well.
All
the
video
that
as
well
as
this
video
today,
will
be
uploaded
with
any
resources
that
Haley
and
Judy
send
me.
I
will
link
them
in
and
in
the
youtube
comment
section.