Secure the Pipeline - OWASP Poland Day 2018
Download as PPTX, PDF1 like132 views
The document discusses security testing for applications running on Kubernetes. It lists several tools that can be used for static analysis, dynamic analysis, package scanning, container scanning, and Kubernetes security testing. These include DevSkim, OWASP Zap, OWASP Dependency Track, Anchore Engine, Clair, and KubeSec. It also provides a GitHub link to a .NET Core containerized sample app deployed to Kubernetes that can be used for the testing. The document encourages feedback and ends by thanking attendees.
Secure the Pipeline - OWASP Poland Day 2018
- 1. Secure the Pipeline Omer Levi Hevroni W a r s a w , 1 0 . 1 0 . 2 0 1 8 OWASP Poland Day 2018 @omerlh
- 2. @omerlh Wr i t i n g S e c u re C o d e i s H a rd
- 3. @omerlh A l l i s G o o d Yo u C a n P u b l i s h
- 6. I OWASP • Zap contributor • Proud member • Glue project leader @omerlh
- 7. @omerlh What Security Tests do we Need for Apps Running on Kubernetes?
- 8. O u r Te st C a s e https://github.com/omerlh/container-security-testing @omerlh • .NET Core • Containerized • Deployed on Kubernetes
- 9. @omerlh Wait, What About the Pipeline?
- 10. Wra p p i n g U p h t t p s : / / w p . m e / p a k m v i - 1 w @omerlhhttp://www.viralgoal.com/wrap-adorable-cat-blanket-named-purritos/ Test Type Tool Name Static Analysis Microsoft DevSkim Dynamy Analysis OWASP Zap Packages OWASP Dependency Track/Dotnet Retire Docker Anchore Engine/Clair Kubernetes KubeSec
- 11. Q u e st i o n s ? @omerlhhttp://www.applestory.biz/hermione-hand-raise-gif.html
- 12. @omerlh Feedback is much appreciated!
- 13. @omerlh Wr i t i n g S e c u re C o d e i s H a rd
- 14. @omerlh htt p s : / / w p . me / p a k mv i - 1 w
- 15. Thank You Omer Levi Hevroni @omerlh @SolutoEng
Editor's Notes
- #2: Hey, good afternoon everyone My name is Omer, and I’m really excited being here Today I’m going to talk about how we can secure the pipeline I want to start this talk by showing gratitude First, to all the people who worked hard on organizing this conf and all the people who are working today so we all could enjoy it - thank you Second, I want to thank the organizers who choose me to speak here, so thank you. It is a big honor Why do we need to Secure the Pipeline?
- #3: Especially when starting to work on a new platform – we don’t always have the time on security Security tools can help us with that
- #4: Embedding security into the pipeline can help us with that – by running security tests the pipeline can let us know that our code is secure This is why we need to secure the pipeline
- #5: I’m a builder, this is what I love doing and doing it from a really early age Doing it professionally for the last 8 years I’m from Israel, married etc Who else is a builder? This talk is for you!
- #6: Today I’m working at Soluto, our missing is to help people with their technology My job is DevSecOps, or as I see it - helping the entire team to build a more secure software I’m achieving it via many approaches, including education, reviewing and threat modeling – but what I love the most is threat modeling
- #7: Big part of my work is OWASP, I’m enthusiast and familiar to many project. I contributed code to projects, mainly Zap and Glue and I’m a paid memember and project leader of Glue. Glue is a tool that helps to integrate security tools into the CI/CD pipeline – I will not have time to dive into the tool, but come talk with me later about it – I have stickers
- #8: This is the questions we started with. It’s a really wide question, and it’s really hard to answer it Let’s use induction – take one specific use case, find the answer and try to generalize it
- #9: Let’s go quickly over the different tests. Due to time limits, this is only a taste of the tools – going quickly over them, understand the value and how they run – but not going into details. There is a blog post for this. Blog post blog post blog post
- #10: I talked a lot about tools – but where is the pipeline part? Due to time limit, I focused more on what tests and tools you should be using. The next step is pipeline integration – and all the tools could be integrated into the pipeline
- #11: These are the tools I showed during this talk, you can find all the information I discussed and more on this blog post. You can also play with the readme. All these are generics and can be used by multiple languages and frameworks.
- #13: If you got value from this session, I’ll highly appreciate your feedback – personally or via twitter
- #15: I talked a lot in this talk, and I showed you 5 different types of tests, and tools you can start using today. My part is over now – and now it’s your turn. Think about one tool, just one, from all the tools I’ve discussed and give it a try – use the repo or the blog post.