SlideShare a Scribd company logo

Embacing service-level-objectives of your microservices in your Cl/CD

Nebulaworks, profile picture
Nebulaworks

Aqua Security is a leading provider of cloud-native security solutions, focusing on securing container-based and serverless applications throughout their development and production lifecycle. The document details Aqua's open-source tools such as kube-bench for Kubernetes security assessment, kube-hunter for penetration testing, and Trivy for image scanning, alongside their Cloud Security Posture Management (CSPM) tool, CloudSploit. It emphasizes the importance of vulnerability management and runtime protection for modern cloud infrastructure.

Technology
1 of 33
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
© 2018 Aqua Security Software Ltd., All Rights Reserved Aqua Security Cloud Native Security
2 The Leading Cloud Native Security Company Aqua helps the world’s leading enterprises to modernize security for their container-based, serverless and cloud native applications, from development to production Open Source Leadership Maintaining the industry-standard tools for container, Kubernetes and cloud security We “wrote the book” on K8s security, and chair the CNCF Technical Oversight Committee Community Leadership CloudSploit
Agenda n Aqua’s Open Source Tools n Kubernetes config with Kube-Bench n Kubernetes penetration testing tool with Kube-Hunter n Image scanning and CI integration with Trivvy n Aqua Enterprise called Aqua CSP n Runtime protection n Container firewall
4 Aqua’s Open Source Tools n Scans Kubernetes nodes against the CIS benchmark checks n github.com/aquasecuri ty/kube-bench n Scan images for known vulnerabilities n Works within CI tools n github.com/aquasecuri ty/trivy CIS benchmark for K8S Image vulnerability scanner K8S penetration-testing n Tests K8s clusters against known attack vectors, both remote and internal n github.com/aquasecurit y/kube-hunter
5 ….and more Aqua Open Source Tools…. n CloudSploit is a cloud security auditing and monitoring product that scans IaaS and SaaS accounts for security risks, including misconfigurations, malicious API calls and insider threats. CloudSploit is a CSPM (Cloud Security Posture Management) service. n github.com/cloudsploit n Tracee is a lightweight, easy to use container and system tracing tool. After launching the tool, it will start collecting traces of newly created containers (container mode) or processes (system mode). n github.com/aquasecuri ty/tracee System Tracing Tool Tracee CloudSploit Cloud Security Posture Management CSPM
Kubernetes Configuration Assessment for Security
7 Kubernetes components ■ Kubernetes components installed on your servers ■ Master & node components ■ Many configuration settings have a security impact ■ Example: open Kubelet port = root access ■ Defaults depend on the installer Scheduler Controllers Etcd Kubernetes Master Node Node Kubelet Kube- proxy Pod Node Kubelet Kube- proxy Pod Node Kubelet Kube- proxy Pod Node Kubelet Kube- proxy Pod API Server
CIS Kubernetes benchmark
■ Open source automated tests for CIS Kubernetes Benchmark ■ Tests for Kubernetes Masters and Nodes ■ Available as a container kube-bench github.com/aquasecurity/kube-bench
Embacing service-level-objectives of your microservices in your Cl/CD
Kubernetes penetration testing
■ Open source penetration tests for Kubernetes ■ See what an attacker would see ■ github.com/aquasecurity/kube-hunter ■ Online report viewer ■ kube-hunter.aquasec.com kube-hunter How do I know the config is working to secure my cluster?
kube-hunter.aquasec.com
14
15
Image scanning and CI integration – Trivy
Common Vulnerabilities & Exposures
Known Vulnerabilities Unknown Vulnerabilities Vulnerabilities l Static scanning l Scanner identifying components with known vulnerabilities l e.g. Trivy, Clair, Aqua l Dynamic Threat Analysis • Identify advanced threats that try to hide their purpose • Aqua Designed by vvstudio / Freepik
19 CentOS OS Nginx Application (package) Binaries Scanning Container Images Alpine OS NodeJS (NPMs)
20 Vulnerability sources ■ Vulnerabilities are published on different security advisories ■ NVD – national vulnerability database ■ Vendors will have their own advisories
l NVD reports this in Varnish HTTP Cache versions 4.0.0 - 5.2.0 Case study: Debian / CVE-2017-8807
Debian applied patch to 5.0.0
l System Package Manager l apt l yum l apk Detect comprehensive vulnerabilities ● Application Package Manager ● Bundler ● Composer ● Pipenv ● Poetry ● npm ● yarn ● Cargo
Not all scanners are created equal Information sources / advisories • NVD • Distributions • Vendors • (Commercial DBs) Scanning techniques • Layer-by-layer or image Detection techniques • Version comparison • Hash comparison Functionality • Malware • File scanning • Windows
Embacing service-level-objectives of your microservices in your Cl/CD
script: - ./trivy --exit-code 0 --severity HIGH --no-progress --auto-refresh [YOUR_IMAGE] - ./trivy --exit-code 1 --severity CRITICAL --no-progress --auto-refresh [YOUR_IMAGE] ... DevSecOps With Travis CI With CircleCI - run: name: Scan the local image with trivy command: trivy --exit-code 0 --no-progress --auto-refresh [YOUR_IMAGE] ...
Aqua Enterprise….we call this CSP….Cloud-Native Security Platform
28 Aqua Cloud Native Security Cloud IaaS Orchestration Workloads Kubernetes Security Cloud Security Posture Management Container & CaaS Security FaaS Security VM Security PAS SecurityCI/CD,Registries SIEM,Analytics,Monitoring LDAP / AD / SAML Secrets Vaults Collaboration Cyber Intelligence
29 Automatic learning of pod/container behavior and then runtime enforcement
DevSecOps ContainerContainer l Immutable containers are easier to protect l Any change in runtime is not legit l If a change is detected, it’s blocked = No code injection into containers Image Container bin user etc bin user etc ? =
Container Firewall that learns network traffic and then allows granular control of all inbound and outbound traffic. Policy is enforced regardless where the orchestrator places the pod/container
Jenkins Aqua Plugin for container images and serverless functions (Lambda)
© 2018 Aqua Security Software Ltd., All Rights Reserved github.com/aquasecurity/kube-bench github.com/aquasecurity/kube-hunter github.com/aquasecurity/trivy github.com/aquasecurity/tracee github.com/cloudsploit

More Related Content

PDF
App sec in the time of docker containers
Akash Mahajan
 
PDF
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Richard Bullington-McGuire
 
PDF
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
Agile Testing Alliance
 
PDF
DevSecOps Basics with Azure Pipelines
Abdul_Mujeeb
 
PPTX
Dev secops security and compliance at the speed of continuous delivery - owasp
Dag Rowe
 
PPTX
DevSecOps OWASP
Priyanka Raghavan
 
PPTX
Enable DevSecOps using JIRA Software
AUGNYC
 
PPTX
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
Mohamed Nizzad
 
App sec in the time of docker containers
Akash Mahajan
 
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Richard Bullington-McGuire
 
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
Agile Testing Alliance
 
DevSecOps Basics with Azure Pipelines
Abdul_Mujeeb
 
Dev secops security and compliance at the speed of continuous delivery - owasp
Dag Rowe
 
DevSecOps OWASP
Priyanka Raghavan
 
Enable DevSecOps using JIRA Software
AUGNYC
 
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
Mohamed Nizzad
 

What's hot (20)

PPTX
DevSecOps reference architectures 2018
Sonatype
 
PDF
Don’t have a Meltdown! Practical Steps for Defending Your Apps
Docker, Inc.
 
PDF
Building security into the pipelines
Vandana Verma
 
PDF
Hacking into your containers, and how to stop it!
Eric Smalling
 
PDF
Policy as code what helm developers need to know about security
LibbySchulze
 
PDF
Talk DevSecOps to me
Michelle Ribeiro
 
PDF
DevSecOps : The Open Source Way by Yusuf Hadiwinata
Hananto Wibowo Soenarto
 
PDF
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
Eric Smalling
 
PDF
Dev secops. Real experience.
Vitaly Balashov
 
PPTX
Automated Testing in Continuous Change Management
Perforce
 
PDF
Rugged DevOps: Bridging Security and DevOps
James Wickett
 
DOCX
10 things to get right for successful dev secops
Mohammed Ahmed
 
PPTX
Infrastructure automation with .NET
Swaminathan Vetri
 
PDF
Microsoft DevOps Forum 2021 – DevOps & Security
Nico Meisenzahl
 
PDF
use case ibm k8s_service+devops
Shoichiro Sakaigawa
 
PDF
DevOps & DevSecOps in Swiss Banking
Aarno Aukia
 
PDF
Automated Virtualized Testing (AVT) with Docker, Kubernetes, WireMock and Gat...
VMware Tanzu
 
PDF
Hybrid Cloud Networking
SVForum Cloud SIG
 
PDF
Cloud Native Engineering with SRE and GitOps
Weaveworks
 
PDF
Workshop Azure DevOps | Docker | Azure Kubernetes Services
Norberto Enomoto
 
DevSecOps reference architectures 2018
Sonatype
 
Don’t have a Meltdown! Practical Steps for Defending Your Apps
Docker, Inc.
 
Building security into the pipelines
Vandana Verma
 
Hacking into your containers, and how to stop it!
Eric Smalling
 
Policy as code what helm developers need to know about security
LibbySchulze
 
Talk DevSecOps to me
Michelle Ribeiro
 
DevSecOps : The Open Source Way by Yusuf Hadiwinata
Hananto Wibowo Soenarto
 
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
Eric Smalling
 
Dev secops. Real experience.
Vitaly Balashov
 
Automated Testing in Continuous Change Management
Perforce
 
Rugged DevOps: Bridging Security and DevOps
James Wickett
 
10 things to get right for successful dev secops
Mohammed Ahmed
 
Infrastructure automation with .NET
Swaminathan Vetri
 
Microsoft DevOps Forum 2021 – DevOps & Security
Nico Meisenzahl
 
use case ibm k8s_service+devops
Shoichiro Sakaigawa
 
DevOps & DevSecOps in Swiss Banking
Aarno Aukia
 
Automated Virtualized Testing (AVT) with Docker, Kubernetes, WireMock and Gat...
VMware Tanzu
 
Hybrid Cloud Networking
SVForum Cloud SIG
 
Cloud Native Engineering with SRE and GitOps
Weaveworks
 
Workshop Azure DevOps | Docker | Azure Kubernetes Services
Norberto Enomoto
 
Ad

Similar to Embacing service-level-objectives of your microservices in your Cl/CD (20)

PPTX
Deploy Secure Cloud-Native Apps Fast
Codefresh
 
PDF
Cumulonimbus fortification-secure-your-data-in-the-cloud
David Busby, CISSP
 
PDF
Continuous Security: From tins to containers - now what!
Michael Man
 
PDF
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon
 
PDF
Enforcing Immutability and Least Privilege to Secure Containerized Applicatio...
DevOps.com
 
PDF
trivy - Vulnerability Scanning
Knoldus Inc.
 
PDF
Slide DevSecOps Microservices
Hendri Karisma
 
PDF
Container Security Vulnerability Scanning with Trivy
Faheem Memon
 
PDF
Webinar–Vulnerabilities in Containerised Production Environments
Synopsys Software Integrity Group
 
PPTX
10.aws system management
DrRajapraveen
 
PDF
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
CloudVillage
 
PDF
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
Jose Hernandez
 
PDF
A Developer’s Guide to Kubernetes Security
Gene Gotimer
 
PDF
Supply Chain Security for Containerised Workloads - Lee Chuk Munn
NUS-ISS
 
PDF
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
NoNameCon
 
PDF
Cloud-Native Security
VMware Tanzu
 
PDF
Cloud Native Security: New Approach for a New Reality
Carlos Andrés García
 
PPTX
Hackproof Your Cloud: Responding to 2016 Threats
CloudCheckr
 
PDF
AWS live hack: Docker + Snyk Container on AWS
Eric Smalling
 
PDF
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDays Riga
 
Deploy Secure Cloud-Native Apps Fast
Codefresh
 
Cumulonimbus fortification-secure-your-data-in-the-cloud
David Busby, CISSP
 
Continuous Security: From tins to containers - now what!
Michael Man
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon
 
Enforcing Immutability and Least Privilege to Secure Containerized Applicatio...
DevOps.com
 
trivy - Vulnerability Scanning
Knoldus Inc.
 
Slide DevSecOps Microservices
Hendri Karisma
 
Container Security Vulnerability Scanning with Trivy
Faheem Memon
 
Webinar–Vulnerabilities in Containerised Production Environments
Synopsys Software Integrity Group
 
10.aws system management
DrRajapraveen
 
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
CloudVillage
 
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
Jose Hernandez
 
A Developer’s Guide to Kubernetes Security
Gene Gotimer
 
Supply Chain Security for Containerised Workloads - Lee Chuk Munn
NUS-ISS
 
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
NoNameCon
 
Cloud-Native Security
VMware Tanzu
 
Cloud Native Security: New Approach for a New Reality
Carlos Andrés García
 
Hackproof Your Cloud: Responding to 2016 Threats
CloudCheckr
 
AWS live hack: Docker + Snyk Container on AWS
Eric Smalling
 
DevOpsDaysRiga 2017: Chris Van Tuin - A DevOps State of Mind: Continuous Secu...
DevOpsDays Riga
 
Ad

More from Nebulaworks (19)

PDF
Dynamic Policy Enforcement for Microservice Environments
Nebulaworks
 
PDF
Overcoming scalability issues in your prometheus ecosystem
Nebulaworks
 
PDF
Why we chose Argo Workflow to scale DevOps at InVision
Nebulaworks
 
PDF
Methods to stay focused & productive amidst COVID-19!
Nebulaworks
 
PDF
Embracing service-level-objectives of your microservices in your Cl/CD
Nebulaworks
 
PDF
Deploying to Day N Operations of Kubernetes and Containerized Apps
Nebulaworks
 
PDF
Trunk based development for Beginners
Nebulaworks
 
PDF
Distributed tracing with service meshes and tracing spans across polyglot Mic...
Nebulaworks
 
PDF
Managing Terraform Module Versioning and Dependencies
Nebulaworks
 
PDF
Kubernetes for Beginners
Nebulaworks
 
PDF
End to End immutable infrastructure testing
Nebulaworks
 
PDF
Building Modern Teams and Software
Nebulaworks
 
PDF
Kuberntes Ingress with Kong
Nebulaworks
 
PDF
A Hands-on Introduction on Terraform Best Concepts and Best Practices
Nebulaworks
 
PDF
The App Developer's Kubernetes Toolbox
Nebulaworks
 
PDF
Building a Container Platform with docker swarm
Nebulaworks
 
PDF
Effective Micoservice Design & Containers
Nebulaworks
 
PDF
Fast Tracking Dev Teams to Container Adoption
Nebulaworks
 
PDF
Nebulaworks | Optimize Your DevOps Game
Nebulaworks
 
Dynamic Policy Enforcement for Microservice Environments
Nebulaworks
 
Overcoming scalability issues in your prometheus ecosystem
Nebulaworks
 
Why we chose Argo Workflow to scale DevOps at InVision
Nebulaworks
 
Methods to stay focused & productive amidst COVID-19!
Nebulaworks
 
Embracing service-level-objectives of your microservices in your Cl/CD
Nebulaworks
 
Deploying to Day N Operations of Kubernetes and Containerized Apps
Nebulaworks
 
Trunk based development for Beginners
Nebulaworks
 
Distributed tracing with service meshes and tracing spans across polyglot Mic...
Nebulaworks
 
Managing Terraform Module Versioning and Dependencies
Nebulaworks
 
Kubernetes for Beginners
Nebulaworks
 
End to End immutable infrastructure testing
Nebulaworks
 
Building Modern Teams and Software
Nebulaworks
 
Kuberntes Ingress with Kong
Nebulaworks
 
A Hands-on Introduction on Terraform Best Concepts and Best Practices
Nebulaworks
 
The App Developer's Kubernetes Toolbox
Nebulaworks
 
Building a Container Platform with docker swarm
Nebulaworks
 
Effective Micoservice Design & Containers
Nebulaworks
 
Fast Tracking Dev Teams to Container Adoption
Nebulaworks
 
Nebulaworks | Optimize Your DevOps Game
Nebulaworks
 

Recently uploaded (20)

PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Teaching material agriculture food technology
LiaRayya
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
A Presentation on Artificial Intelligence
memembruh336
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 

Embacing service-level-objectives of your microservices in your Cl/CD

  • 1. © 2018 Aqua Security Software Ltd., All Rights Reserved Aqua Security Cloud Native Security
  • 2. 2 The Leading Cloud Native Security Company Aqua helps the world’s leading enterprises to modernize security for their container-based, serverless and cloud native applications, from development to production Open Source Leadership Maintaining the industry-standard tools for container, Kubernetes and cloud security We “wrote the book” on K8s security, and chair the CNCF Technical Oversight Committee Community Leadership CloudSploit
  • 3. Agenda n Aqua’s Open Source Tools n Kubernetes config with Kube-Bench n Kubernetes penetration testing tool with Kube-Hunter n Image scanning and CI integration with Trivvy n Aqua Enterprise called Aqua CSP n Runtime protection n Container firewall
  • 4. 4 Aqua’s Open Source Tools n Scans Kubernetes nodes against the CIS benchmark checks n github.com/aquasecuri ty/kube-bench n Scan images for known vulnerabilities n Works within CI tools n github.com/aquasecuri ty/trivy CIS benchmark for K8S Image vulnerability scanner K8S penetration-testing n Tests K8s clusters against known attack vectors, both remote and internal n github.com/aquasecurit y/kube-hunter
  • 5. 5 ….and more Aqua Open Source Tools…. n CloudSploit is a cloud security auditing and monitoring product that scans IaaS and SaaS accounts for security risks, including misconfigurations, malicious API calls and insider threats. CloudSploit is a CSPM (Cloud Security Posture Management) service. n github.com/cloudsploit n Tracee is a lightweight, easy to use container and system tracing tool. After launching the tool, it will start collecting traces of newly created containers (container mode) or processes (system mode). n github.com/aquasecuri ty/tracee System Tracing Tool Tracee CloudSploit Cloud Security Posture Management CSPM
  • 7. 7 Kubernetes components ■ Kubernetes components installed on your servers ■ Master & node components ■ Many configuration settings have a security impact ■ Example: open Kubelet port = root access ■ Defaults depend on the installer Scheduler Controllers Etcd Kubernetes Master Node Node Kubelet Kube- proxy Pod Node Kubelet Kube- proxy Pod Node Kubelet Kube- proxy Pod Node Kubelet Kube- proxy Pod API Server
  • 9. ■ Open source automated tests for CIS Kubernetes Benchmark ■ Tests for Kubernetes Masters and Nodes ■ Available as a container kube-bench github.com/aquasecurity/kube-bench
  • 12. ■ Open source penetration tests for Kubernetes ■ See what an attacker would see ■ github.com/aquasecurity/kube-hunter ■ Online report viewer ■ kube-hunter.aquasec.com kube-hunter How do I know the config is working to secure my cluster?
  • 14. 14
  • 15. 15
  • 16. Image scanning and CI integration – Trivy
  • 18. Known Vulnerabilities Unknown Vulnerabilities Vulnerabilities l Static scanning l Scanner identifying components with known vulnerabilities l e.g. Trivy, Clair, Aqua l Dynamic Threat Analysis • Identify advanced threats that try to hide their purpose • Aqua Designed by vvstudio / Freepik
  • 19. 19 CentOS OS Nginx Application (package) Binaries Scanning Container Images Alpine OS NodeJS (NPMs)
  • 20. 20 Vulnerability sources ■ Vulnerabilities are published on different security advisories ■ NVD – national vulnerability database ■ Vendors will have their own advisories
  • 21. l NVD reports this in Varnish HTTP Cache versions 4.0.0 - 5.2.0 Case study: Debian / CVE-2017-8807
  • 23. l System Package Manager l apt l yum l apk Detect comprehensive vulnerabilities ● Application Package Manager ● Bundler ● Composer ● Pipenv ● Poetry ● npm ● yarn ● Cargo
  • 24. Not all scanners are created equal Information sources / advisories • NVD • Distributions • Vendors • (Commercial DBs) Scanning techniques • Layer-by-layer or image Detection techniques • Version comparison • Hash comparison Functionality • Malware • File scanning • Windows
  • 26. script: - ./trivy --exit-code 0 --severity HIGH --no-progress --auto-refresh [YOUR_IMAGE] - ./trivy --exit-code 1 --severity CRITICAL --no-progress --auto-refresh [YOUR_IMAGE] ... DevSecOps With Travis CI With CircleCI - run: name: Scan the local image with trivy command: trivy --exit-code 0 --no-progress --auto-refresh [YOUR_IMAGE] ...
  • 27. Aqua Enterprise….we call this CSP….Cloud-Native Security Platform
  • 28. 28 Aqua Cloud Native Security Cloud IaaS Orchestration Workloads Kubernetes Security Cloud Security Posture Management Container & CaaS Security FaaS Security VM Security PAS SecurityCI/CD,Registries SIEM,Analytics,Monitoring LDAP / AD / SAML Secrets Vaults Collaboration Cyber Intelligence
  • 29. 29 Automatic learning of pod/container behavior and then runtime enforcement
  • 30. DevSecOps ContainerContainer l Immutable containers are easier to protect l Any change in runtime is not legit l If a change is detected, it’s blocked = No code injection into containers Image Container bin user etc bin user etc ? =
  • 31. Container Firewall that learns network traffic and then allows granular control of all inbound and outbound traffic. Policy is enforced regardless where the orchestrator places the pod/container
  • 32. Jenkins Aqua Plugin for container images and serverless functions (Lambda)
  • 33. © 2018 Aqua Security Software Ltd., All Rights Reserved github.com/aquasecurity/kube-bench github.com/aquasecurity/kube-hunter github.com/aquasecurity/trivy github.com/aquasecurity/tracee github.com/cloudsploit