The 3 disciplines of CI/CD security
Daniel Krivelevich
CTO & Co-Founder of Cider Security
cidersecurity.io
Intro
● CI/CD
● Cyber
● Catchy 5 letter word
● We like Cider
cidersecurity.io
What does CI/CD security mean?
Shorter time to release
More automation
CI/CD
IAC
Larger diversity in tech stack
Rapid adoption of new tech

The engineering train moves faster and faster...

How well is security adapting to these changes?
cidersecurity.io
The Engineering Ecosystem
(Diagram: Repo, CI Pipeline, CD Pipeline and Artifact, each with its Language, SCM, CI, CD, Artifact Repository and Container Registry, surrounded by the Collaborators who work on them.)
cidersecurity.io
The Challenge
(Diagram: the same ecosystem multiplied many times over: dozens of Repos, CI Pipelines, CD Pipelines, Artifacts and Languages, more than one set of SCM / CI / CD / Artifact Repository / Container Registry, and a large number of Collaborators.)
cidersecurity.io
The complexity
(Diagram of a sample environment built on Github, Jenkins, Artifactory, ECR and EKS:
User 1-4 and App 1-4;
Devops Repo: Terraform, Pulumi, Jenkinsfile;
Service 1 Repo: Python, JavaScript, Jenkinsfile;
Service 2 Repo: Ruby, JavaScript, Jenkinsfile;
Pipeline 1 (CI): Build {...}, Test {...};
Pipeline 2 (CI + CD): Build {...}, Test {...}, Deploy {...}, with Artifactory_write_key;
Pipeline 3 (CD): Deploy {...}, with Artifactory_Read_Key, AWS_Access_Key_1, AWS_Access_Key_2;
R / RW access labels on the keys;
Artifact 1-4; Pod 1 and Pod 2 running Container 1 and Container 2.)
cidersecurity.io
Mapping the environment
For Security, maneuvering through the engineering realm feels like walking through New York with a map of Tokyo.
cidersecurity.io
Today's attack surface
Engineering environments have become the new attacker's turf.
A single insecure step in the CI, or an insecure package import, can lead to devastating results.
Engineers are also looking for ways to bridge the gap.
cidersecurity.io
CI/CD security is about allowing engineering to continue to move fast, without making any compromises on security.
cidersecurity.io
SIP
SOP
SAP
cidersecurity.io
SIP/SOP/SAP
Comprehensive Technical DNA of your environment - from Code to Deployment
SIP - Security In the Pipeline: addresses the risk of code with security flaws flowing through the pipeline.
cidersecurity.io
SIP - Security In the Pipeline
(Diagram: repos across two SCMs - Github: Devops Repo, Service 1 Repo, Service 2 Repo; Gitlab: Devops Repo, Service 3 Repo, Service 4 Repo - and the technologies inside them: Terraform, Pulumi, Python, JavaScript, Ruby, Ansible, Chef, Java, Go, plus Jenkinsfiles.)
cidersecurity.io
Scanner      Issue Description   Severity        Repo     Location
Checkov      Bad stuff           Extremely Bad   Repo 1   Line 1
GoSec        Bad stuff           Horrible        Repo 2   Line 2
Bandit       Bad stuff           Very severe     Repo 1   Line 4
Brakeman     Bad stuff           Not good        Repo 3   Line 5
Checkov      Bad stuff           Fix now         Repo 4   Line 2
PMD          Bad stuff           Fix fast        Repo 1   Line 3
Nodejsscan   Bad stuff           So so           Repo 2   Line 7
Nodejsscan   Bad stuff           doing ok        Repo 3   Line 18
cidersecurity.io
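The table above makes the SIP aggregation problem visible: six scanners, six severity vocabularies, one place to decide whether the build passes. As an added example (not the speaker's or Cider Security's code), the Python below folds such reports onto one scale, refuses to treat a label it cannot map as harmless, and gates on the result. The per-tool vocabularies are my reading of each tool's output and are assumptions to verify against the versions you run; the finding records are constructed.

```python
"""Aggregate SIP scanner findings onto one severity scale and gate on the result."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Severity(IntEnum):
    INFO = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# Per-scanner vocabulary -> common ladder.  Brakeman reports *confidence* and PMD
# a numeric *priority* (1 = worst); both are folded onto the same scale so a
# single gate applies to every repo.  These vocabularies are my reading of each
# tool's output (assumption); check them against the versions you run.
SEVERITY_MAP = {
    "checkov": {"CRITICAL": Severity.CRITICAL, "HIGH": Severity.HIGH,
                "MEDIUM": Severity.MEDIUM, "LOW": Severity.LOW, "INFO": Severity.INFO},
    "gosec": {"HIGH": Severity.HIGH, "MEDIUM": Severity.MEDIUM, "LOW": Severity.LOW},
    "bandit": {"HIGH": Severity.HIGH, "MEDIUM": Severity.MEDIUM, "LOW": Severity.LOW},
    "brakeman": {"High": Severity.HIGH, "Medium": Severity.MEDIUM, "Weak": Severity.LOW},
    "pmd": {"1": Severity.CRITICAL, "2": Severity.HIGH, "3": Severity.MEDIUM,
            "4": Severity.LOW, "5": Severity.INFO},
    "nodejsscan": {"ERROR": Severity.HIGH, "WARNING": Severity.MEDIUM, "INFO": Severity.INFO},
}


@dataclass(frozen=True)
class Finding:
    scanner: str
    rule: str
    repo: str
    location: str
    raw_severity: str
    severity: Optional[Severity]  # None: label not in the map, needs triage


def normalize(record: dict) -> Finding:
    """Map one raw scanner record onto the common shape.  An unknown scanner or
    label yields severity None instead of being quietly treated as harmless."""
    scanner = record["scanner"].lower()
    raw = str(record["severity"])
    sev = SEVERITY_MAP.get(scanner, {}).get(raw)
    return Finding(scanner, record["rule"], record["repo"], record["location"], raw, sev)


def gate(findings, threshold=Severity.HIGH):
    """Return (passed, blocking, unmapped).  Unmapped findings also fail the gate:
    a label the pipeline cannot interpret must not pass by default."""
    blocking = [f for f in findings if f.severity is not None and f.severity >= threshold]
    unmapped = [f for f in findings if f.severity is None]
    return (not blocking and not unmapped), blocking, unmapped


def worst_per_repo(findings):
    """Highest mapped severity per repo: the cross-repo view the slide's table hints at."""
    worst = {}
    for f in findings:
        if f.severity is not None:
            worst[f.repo] = max(worst.get(f.repo, Severity.INFO), f.severity)
    return worst


# Constructed records standing in for the "Bad stuff" rows on the slide.
SAMPLE_RECORDS = [
    {"scanner": "Checkov", "rule": "sample-iac-1", "repo": "repo-1", "location": "main.tf:1", "severity": "HIGH"},
    {"scanner": "GoSec", "rule": "sample-go-1", "repo": "repo-2", "location": "main.go:2", "severity": "MEDIUM"},
    {"scanner": "Bandit", "rule": "sample-py-1", "repo": "repo-1", "location": "app.py:4", "severity": "LOW"},
    {"scanner": "Brakeman", "rule": "sample-rb-1", "repo": "repo-3", "location": "user.rb:5", "severity": "Weak"},
    {"scanner": "PMD", "rule": "sample-java-1", "repo": "repo-1", "location": "Main.java:3", "severity": "1"},
    {"scanner": "Nodejsscan", "rule": "sample-js-1", "repo": "repo-2", "location": "index.js:7", "severity": "WARNING"},
    {"scanner": "Nodejsscan", "rule": "sample-js-2", "repo": "repo-3", "location": "index.js:18", "severity": "So so"},
]


def run(records=SAMPLE_RECORDS):
    """Normalize, gate and summarize one batch of scanner output."""
    findings = [normalize(r) for r in records]
    passed, blocking, unmapped = gate(findings)
    return {"passed": passed, "blocking": len(blocking), "unmapped": len(unmapped),
            "worst": {repo: sev.name for repo, sev in worst_per_repo(findings).items()}}


if __name__ == "__main__":
    print(run())
```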
SOP - Security Of the Pipeline: addresses the risk of the systems in the pipeline being compromised.
cidersecurity.io
SOP - Security Of the Pipeline
(Diagram: attack paths to the Crown Jewels (Production) and the control family that covers each one: exploiting workstations/endpoints - AV/EDR/EP; breaching the perimeter - WAF/IPS/PT; abusing cloud misconfigurations - CSPM; abusing software delivery systems/processes - SOP.)
cidersecurity.io
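The "complexity" slide and the SOP slide above come down to one question: if a given account, repo, pipeline or credential is compromised, what can it end up writing to? The following is an added example, not code from the deck or from Cider Security; it models a constructed inventory shaped like the complexity slide (node names such as `pipeline-3`, `artifactory` and `eks` are mine) and walks the graph to answer that question, including the indirect path through an artifact store that a downstream deploy pipeline reads from.

```python
"""Blast-radius mapping over a CI/CD inventory (SOP).  Constructed inventory,
shaped like the deck's sample environment; all node names are the author's
of this example, not the speaker's."""
from collections import deque

# Node kinds: user, repo, pipeline, credential, resource.  Edge labels:
#   push     user -> repo            the user can change what the repo's pipeline runs
#   triggers repo -> pipeline
#   holds    pipeline -> credential
#   R / RW   credential -> resource  what the credential may do to the resource
EDGES = [
    ("user-1", "devops-repo", "push"),
    ("user-2", "devops-repo", "push"),
    ("user-3", "service-1-repo", "push"),
    ("user-4", "service-2-repo", "push"),
    ("devops-repo", "pipeline-3", "triggers"),      # CD: Deploy {...}
    ("service-1-repo", "pipeline-1", "triggers"),   # CI: Build {...}, Test {...}
    ("service-2-repo", "pipeline-2", "triggers"),   # CI + CD: Build, Test, Deploy
    ("pipeline-2", "Artifactory_write_key", "holds"),
    ("pipeline-3", "Artifactory_Read_Key", "holds"),
    ("pipeline-3", "AWS_Access_Key_1", "holds"),
    ("pipeline-3", "AWS_Access_Key_2", "holds"),
    ("Artifactory_write_key", "artifactory", "RW"),
    ("Artifactory_Read_Key", "artifactory", "R"),
    ("AWS_Access_Key_1", "ecr", "R"),
    ("AWS_Access_Key_2", "eks", "RW"),
]


def build_graph(edges):
    """Adjacency list with one derived edge kind: a resource that a pipeline
    *reads* with one of its credentials 'feeds' that pipeline, because whatever
    is written there becomes the pipeline's input."""
    adj = {}

    def add(src, dst, label):
        adj.setdefault(src, []).append((dst, label))
        adj.setdefault(dst, [])

    holder = {}
    for src, dst, label in edges:
        add(src, dst, label)
        if label == "holds":
            holder[dst] = src          # credential -> pipeline holding it
    for src, dst, label in edges:
        if label == "R" and src in holder:
            add(dst, holder[src], "feeds")
    return adj


def reachable_writes(adj, start):
    """Resources whose contents can be changed by whoever controls `start`.
    Control propagates along push/triggers/holds/feeds edges and RW edges; a
    read-only edge confers no control over the resource, so traversal stops."""
    seen, queue, writes = {start}, deque([start]), set()
    while queue:
        node = queue.popleft()
        for dst, label in adj.get(node, []):
            if label == "R":
                continue
            if label == "RW":
                writes.add(dst)
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return writes


def who_can_reach(adj, resource, prefix="user-"):
    """Identities (selected by node-name prefix) whose compromise can end in a
    write to `resource`, directly or through pipelines and artifact stores."""
    return sorted(n for n in adj if n.startswith(prefix) and resource in reachable_writes(adj, n))


if __name__ == "__main__":
    g = build_graph(EDGES)
    for node in ("user-3", "user-4", "pipeline-2", "Artifactory_Read_Key"):
        print(f"{node:24} -> {sorted(reachable_writes(g, node))}")
    print("can reach eks:", who_can_reach(g, "eks"))
```

Note that `user-4` holds no AWS credential at all yet reaches `eks`: the write key on the artifact store plus the deploy pipeline's read key form the path.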
SAP - Security Around the Pipeline: addresses the risk of the pipeline being bypassed.
cidersecurity.io
SAP - Security Around the Pipeline
(Diagram: several Code/Artifacts sources and Production, illustrating code or artifacts that reach production without going through the pipeline.)
cidersecurity.io
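SAP in practice means production accepts nothing that did not come through the pipeline. As an added example (not the speaker's or Cider Security's code), the Python below is a minimal admission check against such bypasses: it rejects images that are not pinned by digest, that have no pipeline build record, whose record fails its MAC, or that were built by an unapproved pipeline or from an unprotected branch. The registry name, ledger format, pipeline names and the HMAC key are constructed.

```python
"""Admission check against pipeline bypass (SAP): a deployment may only reference
artifacts the pipeline itself built and attested.  Constructed example."""
import hashlib
import hmac
import json

# In practice this key is shared only by the pipeline (signer) and the cluster's
# admission controller (verifier).  Constructed value for the example.
LEDGER_KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(record: dict) -> bytes:
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def attest(record: dict, key: bytes = LEDGER_KEY) -> dict:
    """Pipeline side: bind the build record to the artifact digest with a MAC."""
    return {"record": record, "mac": hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()}


def verified(entry: dict, key: bytes = LEDGER_KEY) -> bool:
    expect = hmac.new(key, _canonical(entry["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expect, entry["mac"])


def parse_image(ref: str):
    """Split 'host[:port]/name[:tag][@sha256:...]' into (repo, tag, digest)."""
    name, _, digest = ref.partition("@")
    head, slash, tail = name.rpartition("/")
    tail, _, tag = tail.partition(":")   # a ':' after the last '/' is a tag, not a port
    return head + slash + tail, tag or None, digest or None


def admit(images, ledger, key=LEDGER_KEY, allowed_pipelines=frozenset({"pipeline-3"}),
          protected_branches=frozenset({"main"})):
    """Return [(image, admitted, reason)].  Admission requires a digest-pinned
    reference, an attested ledger entry for that digest, and a build record from
    an allowed pipeline and a protected branch.  Everything else is a bypass."""
    by_digest = {e["record"]["digest"]: e for e in ledger}
    out = []
    for ref in images:
        _, _, digest = parse_image(ref)
        entry = by_digest.get(digest)
        if digest is None:
            out.append((ref, False, "not pinned by digest"))
        elif entry is None:
            out.append((ref, False, "no pipeline build record for digest"))
        elif not verified(entry, key):
            out.append((ref, False, "build record failed verification"))
        elif entry["record"]["pipeline"] not in allowed_pipelines:
            out.append((ref, False, "built by unapproved pipeline " + entry["record"]["pipeline"]))
        elif entry["record"]["branch"] not in protected_branches:
            out.append((ref, False, "built from unprotected branch " + entry["record"]["branch"]))
        else:
            out.append((ref, True, "attested build from " + entry["record"]["pipeline"]))
    return out


def _digest(label: str) -> str:
    """Constructed stand-in for a real image digest."""
    return "sha256:" + hashlib.sha256(label.encode()).hexdigest()


REGISTRY = "registry.example.test:5000"     # constructed
GOOD, FEATURE, TAMPERED, DIRECT = (_digest(x) for x in ("good", "feature", "tampered", "direct"))

LEDGER = [
    attest({"digest": GOOD, "pipeline": "pipeline-3", "repo": "service-2-repo", "branch": "main"}),
    attest({"digest": FEATURE, "pipeline": "pipeline-3", "repo": "service-2-repo", "branch": "feature/x"}),
    attest({"digest": TAMPERED, "pipeline": "pipeline-1", "repo": "service-1-repo", "branch": "main"}),
]
# The third record is edited after signing to claim the deploy pipeline built it.
LEDGER[2]["record"]["pipeline"] = "pipeline-3"

MANIFEST_IMAGES = [
    f"{REGISTRY}/service-2@{GOOD}",          # built and attested by the pipeline
    f"{REGISTRY}/service-1:latest",          # mutable tag: could point anywhere
    f"{REGISTRY}/service-3@{DIRECT}",        # pushed straight to the registry
    f"{REGISTRY}/service-2@{FEATURE}",       # built, but from an unprotected branch
    f"{REGISTRY}/service-1@{TAMPERED}",      # record altered after attestation
]

if __name__ == "__main__":
    for image, ok, why in admit(MANIFEST_IMAGES, LEDGER):
        print("ADMIT " if ok else "REJECT", image, "-", why)
```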
cidersecurity.io November 2021
Takeaway #1 - for defenders
● AppSec has extended far beyond the scope of code scanning.
● To address today's challenges, we need to be thinking about SIP, SOP and SAP.
cidersecurity.io November 2021
Takeaway #2 - for engineers
Be patient with your AppSec teams. We have a lot to catch up on.
cidersecurity.io November 2021
Takeaway #3 - for hackers
You've done your fair share of damage for 2021... take a break.
cidersecurity.io
Thank you!

Más contenido relacionado

La actualidad más candente

Serverless Kafka on AWS as Part of a Cloud-native Data Lake Architecture
Serverless Kafka on AWS as Part of a Cloud-native Data Lake ArchitectureServerless Kafka on AWS as Part of a Cloud-native Data Lake Architecture
Serverless Kafka on AWS as Part of a Cloud-native Data Lake Architecture
Kai Wähner
 

La actualidad más candente (20)

SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...
SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...
SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...
 
Code Security with GitHub Advanced Security
Code Security with GitHub Advanced SecurityCode Security with GitHub Advanced Security
Code Security with GitHub Advanced Security
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
Gitops: a new paradigm for software defined operations
Gitops: a new paradigm for software defined operationsGitops: a new paradigm for software defined operations
Gitops: a new paradigm for software defined operations
 
SRE From Scratch
SRE From ScratchSRE From Scratch
SRE From Scratch
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
 
Managing Infrastructure as a Product - Introduction to Platform Engineering
Managing Infrastructure as a Product - Introduction to Platform EngineeringManaging Infrastructure as a Product - Introduction to Platform Engineering
Managing Infrastructure as a Product - Introduction to Platform Engineering
 
DevOps Maturity Curve v5
DevOps Maturity Curve v5DevOps Maturity Curve v5
DevOps Maturity Curve v5
 
Gitlab, GitOps & ArgoCD
Gitlab, GitOps & ArgoCDGitlab, GitOps & ArgoCD
Gitlab, GitOps & ArgoCD
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
 
Backstage at CNCF Madison.pptx
Backstage at CNCF Madison.pptxBackstage at CNCF Madison.pptx
Backstage at CNCF Madison.pptx
 
Serverless Kafka on AWS as Part of a Cloud-native Data Lake Architecture
Serverless Kafka on AWS as Part of a Cloud-native Data Lake ArchitectureServerless Kafka on AWS as Part of a Cloud-native Data Lake Architecture
Serverless Kafka on AWS as Part of a Cloud-native Data Lake Architecture
 
Platform Engineering - a 360 degree view
Platform Engineering - a 360 degree viewPlatform Engineering - a 360 degree view
Platform Engineering - a 360 degree view
 
Transform Agile Development With Practical DevOps
Transform Agile Development With Practical DevOpsTransform Agile Development With Practical DevOps
Transform Agile Development With Practical DevOps
 
DevOps Approach (Point of View by Ravi Tadwalkar)
DevOps Approach (Point of View by Ravi Tadwalkar)DevOps Approach (Point of View by Ravi Tadwalkar)
DevOps Approach (Point of View by Ravi Tadwalkar)
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)
 
Zero-Trust SASE DevSecOps
Zero-Trust SASE DevSecOpsZero-Trust SASE DevSecOps
Zero-Trust SASE DevSecOps
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOps
 
Continuous Delivery
Continuous DeliveryContinuous Delivery
Continuous Delivery
 

Similar a THE THREE DISCIPLINES OF CI/CD SECURITY, DANIEL KRIVELEVICH, Cider Security

Analyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-timeAnalyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-time
DataWorks Summit
 

Similar a THE THREE DISCIPLINES OF CI/CD SECURITY, DANIEL KRIVELEVICH, Cider Security (20)

stackconf 2021 | Continuous Security – integrating security into your pipelines
stackconf 2021 | Continuous Security – integrating security into your pipelinesstackconf 2021 | Continuous Security – integrating security into your pipelines
stackconf 2021 | Continuous Security – integrating security into your pipelines
 
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by DesignJon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Design
 
Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022
 
Case Study on supply chain attack-how an rce in jenkins leads to data breache...
Case Study on supply chain attack-how an rce in jenkins leads to data breache...Case Study on supply chain attack-how an rce in jenkins leads to data breache...
Case Study on supply chain attack-how an rce in jenkins leads to data breache...
 
Cilium:: Application-Aware Microservices via BPF
Cilium:: Application-Aware Microservices via BPFCilium:: Application-Aware Microservices via BPF
Cilium:: Application-Aware Microservices via BPF
 
Humans and Data Don’t Mix: Best Practices to Secure Your Cloud
Humans and Data Don’t Mix: Best Practices to Secure Your CloudHumans and Data Don’t Mix: Best Practices to Secure Your Cloud
Humans and Data Don’t Mix: Best Practices to Secure Your Cloud
 
Prepare to defend thyself with Blue/Green
Prepare to defend thyself with Blue/GreenPrepare to defend thyself with Blue/Green
Prepare to defend thyself with Blue/Green
 
All Day DevOps 2016 Fabian - Defending Thyself with Blue Green
All Day DevOps 2016 Fabian - Defending Thyself with Blue GreenAll Day DevOps 2016 Fabian - Defending Thyself with Blue Green
All Day DevOps 2016 Fabian - Defending Thyself with Blue Green
 
Cilium - Network security for microservices
Cilium - Network security for microservicesCilium - Network security for microservices
Cilium - Network security for microservices
 
DAST в CI/CD, Ольга Свиридова
DAST в CI/CD, Ольга СвиридоваDAST в CI/CD, Ольга Свиридова
DAST в CI/CD, Ольга Свиридова
 
Analyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-timeAnalyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-time
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
 
Hardening Your CI/CD Pipelines with GitOps and Continuous Security
Hardening Your CI/CD Pipelines with GitOps and Continuous SecurityHardening Your CI/CD Pipelines with GitOps and Continuous Security
Hardening Your CI/CD Pipelines with GitOps and Continuous Security
 
CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60
 
Atelier Technique CISCO ACSS 2018
Atelier Technique CISCO ACSS 2018Atelier Technique CISCO ACSS 2018
Atelier Technique CISCO ACSS 2018
 
Alexey Kupriyanenko "Release Early, Often, Stable"
Alexey Kupriyanenko "Release Early, Often, Stable"Alexey Kupriyanenko "Release Early, Often, Stable"
Alexey Kupriyanenko "Release Early, Often, Stable"
 
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD Pipeline
 
Networking in Java with NIO and Netty
Networking in Java with NIO and NettyNetworking in Java with NIO and Netty
Networking in Java with NIO and Netty
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
 

Más de DevOpsDays Tel Aviv

HOW TO OPTIMIZE NON-CODING TIME, ORI KEREN, LinearB
HOW TO OPTIMIZE NON-CODING TIME, ORI KEREN, LinearBHOW TO OPTIMIZE NON-CODING TIME, ORI KEREN, LinearB
HOW TO OPTIMIZE NON-CODING TIME, ORI KEREN, LinearB
DevOpsDays Tel Aviv
 
DON'T PANIC: GETTING YOUR INFRASTRUCTURE DRIFT UNDER CONTROL, ERAN BIBI, Firefly
DON'T PANIC: GETTING YOUR INFRASTRUCTURE DRIFT UNDER CONTROL, ERAN BIBI, FireflyDON'T PANIC: GETTING YOUR INFRASTRUCTURE DRIFT UNDER CONTROL, ERAN BIBI, Firefly
DON'T PANIC: GETTING YOUR INFRASTRUCTURE DRIFT UNDER CONTROL, ERAN BIBI, Firefly
DevOpsDays Tel Aviv
 

Más de DevOpsDays Tel Aviv (20)

YOUR OPEN SOURCE PROJECT IS LIKE A STARTUP, TREAT IT LIKE ONE, EYAR ZILBERMAN...
YOUR OPEN SOURCE PROJECT IS LIKE A STARTUP, TREAT IT LIKE ONE, EYAR ZILBERMAN...YOUR OPEN SOURCE PROJECT IS LIKE A STARTUP, TREAT IT LIKE ONE, EYAR ZILBERMAN...
YOUR OPEN SOURCE PROJECT IS LIKE A STARTUP, TREAT IT LIKE ONE, EYAR ZILBERMAN...
 
GRAPHQL TO THE RES(T)CUE, ELLA SHARAKANSKI, Salto
GRAPHQL TO THE RES(T)CUE, ELLA SHARAKANSKI, SaltoGRAPHQL TO THE RES(T)CUE, ELLA SHARAKANSKI, Salto
GRAPHQL TO THE RES(T)CUE, ELLA SHARAKANSKI, Salto
 
MICROSERVICES ABOVE THE CLOUD - DESIGNING THE INTERNATIONAL SPACE STATION FOR...
MICROSERVICES ABOVE THE CLOUD - DESIGNING THE INTERNATIONAL SPACE STATION FOR...MICROSERVICES ABOVE THE CLOUD - DESIGNING THE INTERNATIONAL SPACE STATION FOR...
MICROSERVICES ABOVE THE CLOUD - DESIGNING THE INTERNATIONAL SPACE STATION FOR...
 
THE (IR)RATIONAL INCIDENT RESPONSE: HOW PSYCHOLOGICAL BIASES AFFECT INCIDENT ...
THE (IR)RATIONAL INCIDENT RESPONSE: HOW PSYCHOLOGICAL BIASES AFFECT INCIDENT ...THE (IR)RATIONAL INCIDENT RESPONSE: HOW PSYCHOLOGICAL BIASES AFFECT INCIDENT ...
THE (IR)RATIONAL INCIDENT RESPONSE: HOW PSYCHOLOGICAL BIASES AFFECT INCIDENT ...
 
PRINCIPLES OF OBSERVABILITY // DANIEL MAHER, DataDog
PRINCIPLES OF OBSERVABILITY // DANIEL MAHER, DataDogPRINCIPLES OF OBSERVABILITY // DANIEL MAHER, DataDog
PRINCIPLES OF OBSERVABILITY // DANIEL MAHER, DataDog
 
NUDGE AND SLUDGE: DRIVING SECURITY WITH DESIGN // J. WOLFGANG GOERLICH, Duo S...
NUDGE AND SLUDGE: DRIVING SECURITY WITH DESIGN // J. WOLFGANG GOERLICH, Duo S...NUDGE AND SLUDGE: DRIVING SECURITY WITH DESIGN // J. WOLFGANG GOERLICH, Duo S...
NUDGE AND SLUDGE: DRIVING SECURITY WITH DESIGN // J. WOLFGANG GOERLICH, Duo S...
 
(Ignite) TAKE A HIKE: PREVENTING BATTERY CORROSION - LEAH VOGEL, CHEGG
(Ignite) TAKE A HIKE: PREVENTING BATTERY CORROSION - LEAH VOGEL, CHEGG(Ignite) TAKE A HIKE: PREVENTING BATTERY CORROSION - LEAH VOGEL, CHEGG
(Ignite) TAKE A HIKE: PREVENTING BATTERY CORROSION - LEAH VOGEL, CHEGG
 
BUILDING A DR PLAN FOR YOUR CLOUD INFRASTRUCTURE FROM THE GROUND UP, MOSHE BE...
BUILDING A DR PLAN FOR YOUR CLOUD INFRASTRUCTURE FROM THE GROUND UP, MOSHE BE...BUILDING A DR PLAN FOR YOUR CLOUD INFRASTRUCTURE FROM THE GROUND UP, MOSHE BE...
BUILDING A DR PLAN FOR YOUR CLOUD INFRASTRUCTURE FROM THE GROUND UP, MOSHE BE...
 
THE PLEASURES OF ON-PREM, TOMER GABEL
THE PLEASURES OF ON-PREM, TOMER GABELTHE PLEASURES OF ON-PREM, TOMER GABEL
THE PLEASURES OF ON-PREM, TOMER GABEL
 
CONFIGURATION MANAGEMENT IN THE CLOUD NATIVE ERA, SHAHAR MINTZ, EggPack
CONFIGURATION MANAGEMENT IN THE CLOUD NATIVE ERA, SHAHAR MINTZ, EggPackCONFIGURATION MANAGEMENT IN THE CLOUD NATIVE ERA, SHAHAR MINTZ, EggPack
CONFIGURATION MANAGEMENT IN THE CLOUD NATIVE ERA, SHAHAR MINTZ, EggPack
 
SOLVING THE DEVOPS CRISIS, ONE PERSON AT A TIME, CHRISTINA BABITSKI, Develeap
SOLVING THE DEVOPS CRISIS, ONE PERSON AT A TIME, CHRISTINA BABITSKI, DeveleapSOLVING THE DEVOPS CRISIS, ONE PERSON AT A TIME, CHRISTINA BABITSKI, Develeap
SOLVING THE DEVOPS CRISIS, ONE PERSON AT A TIME, CHRISTINA BABITSKI, Develeap
 
OPTIMIZING PERFORMANCE USING CONTINUOUS PRODUCTION PROFILING ,YONATAN GOLDSCH...
OPTIMIZING PERFORMANCE USING CONTINUOUS PRODUCTION PROFILING ,YONATAN GOLDSCH...OPTIMIZING PERFORMANCE USING CONTINUOUS PRODUCTION PROFILING ,YONATAN GOLDSCH...
OPTIMIZING PERFORMANCE USING CONTINUOUS PRODUCTION PROFILING ,YONATAN GOLDSCH...
 
HOW TO SCALE YOUR ONCALL OPERATION, AND SURVIVE TO TELL, ANTON DRUKH
HOW TO SCALE YOUR ONCALL OPERATION, AND SURVIVE TO TELL, ANTON DRUKHHOW TO SCALE YOUR ONCALL OPERATION, AND SURVIVE TO TELL, ANTON DRUKH
HOW TO SCALE YOUR ONCALL OPERATION, AND SURVIVE TO TELL, ANTON DRUKH
 
HOW TO OPTIMIZE NON-CODING TIME, ORI KEREN, LinearB
HOW TO OPTIMIZE NON-CODING TIME, ORI KEREN, LinearBHOW TO OPTIMIZE NON-CODING TIME, ORI KEREN, LinearB
HOW TO OPTIMIZE NON-CODING TIME, ORI KEREN, LinearB
 
FLYING BLIND - ACCESSIBILITY IN MONITORING, FEU MOUREK, Icinga
FLYING BLIND - ACCESSIBILITY IN MONITORING, FEU MOUREK, IcingaFLYING BLIND - ACCESSIBILITY IN MONITORING, FEU MOUREK, Icinga
FLYING BLIND - ACCESSIBILITY IN MONITORING, FEU MOUREK, Icinga
 
(Ignite) WHAT'S BURNING THROUGH YOUR CLOUD BILL - GIL BAHAT, CIDER SECURITY
(Ignite) WHAT'S BURNING THROUGH YOUR CLOUD BILL - GIL BAHAT, CIDER SECURITY(Ignite) WHAT'S BURNING THROUGH YOUR CLOUD BILL - GIL BAHAT, CIDER SECURITY
(Ignite) WHAT'S BURNING THROUGH YOUR CLOUD BILL - GIL BAHAT, CIDER SECURITY
 
SLO DRIVEN DEVELOPMENT, ALON NATIV, Tomorrow.io
SLO DRIVEN DEVELOPMENT, ALON NATIV, Tomorrow.ioSLO DRIVEN DEVELOPMENT, ALON NATIV, Tomorrow.io
SLO DRIVEN DEVELOPMENT, ALON NATIV, Tomorrow.io
 
ONBOARDING IN LOCKDOWN, HILA FOX, Augury
ONBOARDING IN LOCKDOWN, HILA FOX, AuguryONBOARDING IN LOCKDOWN, HILA FOX, Augury
ONBOARDING IN LOCKDOWN, HILA FOX, Augury
 
DON'T PANIC: GETTING YOUR INFRASTRUCTURE DRIFT UNDER CONTROL, ERAN BIBI, Firefly
DON'T PANIC: GETTING YOUR INFRASTRUCTURE DRIFT UNDER CONTROL, ERAN BIBI, FireflyDON'T PANIC: GETTING YOUR INFRASTRUCTURE DRIFT UNDER CONTROL, ERAN BIBI, Firefly
DON'T PANIC: GETTING YOUR INFRASTRUCTURE DRIFT UNDER CONTROL, ERAN BIBI, Firefly
 
KEYNOTE | WHAT'S COMING IN THE NEXT 10 YEARS OF DEVOPS? // ELLEN CHISA, bolds...
KEYNOTE | WHAT'S COMING IN THE NEXT 10 YEARS OF DEVOPS? // ELLEN CHISA, bolds...KEYNOTE | WHAT'S COMING IN THE NEXT 10 YEARS OF DEVOPS? // ELLEN CHISA, bolds...
KEYNOTE | WHAT'S COMING IN THE NEXT 10 YEARS OF DEVOPS? // ELLEN CHISA, bolds...
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Último (20)

Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 

THE THREE DISCIPLINES OF CI/CD SECURITY, DANIEL KRIVELEVICH, Cider Security

  • 1. The 3 disciplines of CI/CD security Daniel Krivelevich Cider Security
  • 2. cidersecurity.io CTO & Co-Founder of Cider Security Intro ● CI/CD ● Cyber ● Catchy 5 letter word ● We like Cider
  • 5. How well is security adapting to these changes?
  • 6. cidersecurity.io The Engineering Ecosystem Repo CI Pipeline CD Pipeline Artifact Language SCM CI CD Artifact Repository Container Registry Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator
  • 7. cidersecurity.io The Challenge Repo Repo Repo Repo Repo Repo Repo Repo Repo Repo Repo Repo Repo CI Pipeline CI Pipeline CI Pipeline CI Pipeline CI Pipeline CI Pipeline CI Pipeline CI Pipeline CI Pipeline CI Pipeline CI Pipeline CI Pipeline CD Pipeline CD Pipeline CD Pipeline CD Pipeline CD Pipeline CD Pipeline CD Pipeline CD Pipeline CD Pipeline CD Pipeline CD Pipeline Artifact Artifact Artifact Artifact Artifact Artifact Artifact Artifact Artifact Artifact Artifact Artifact Artifact Language Language Language Language Language Language Language Language Language Language Language Language SCM CI CD Artifact Repository Container Registry SCM CI CD Artifact Repository Container Registry Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Repo Repo Artifact Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator Collaborator
  • 8. cidersecurity.io Github Jenkins Artifactory ECR EKS The complexity User 1 User 3 User 2 User 4 App 1 App 3 App 2 App 4 Devops Repo Service 1 Repo Service 2 Repo Terraform Pulumi Jenkinsfile Python JavaScript Jenkinsfile Ruby JavaScript Jenkinsfile Artifact 1 Artifact 2 Artifact 3 Artifact 4 Pipeline 3 (CD) Deploy{...} Artifactory_Read_Key AWS_Access_Key_1 AWS_Access_Key_2 Pipeline 1 (CI) Build {...} Test {...} Pipeline 2 (CI + CD) Build {...} Test {...} Deploy{...} Artifactory_write_key R RW Pod 1 Pod 2 Container 2 Container 1
  • 9. cidersecurity.io For Security, maneuvering through the engineering realm, Feels like walking through New York with a map of Tokyo Mapping the environment
  • 10. cidersecurity.io Engineering environments have become the new attacker’s turf Today’s attack surface A single insecure step in the CI, or insecure package import - can lead to devastating results Engineers are also looking for ways to bridge the gap
  • 11. cidersecurity.io CI/CD security is about allowing engineering to continue to move fast Without making any compromises on Security
  • 13. cidersecurity.io SIP/SOP/SAP Comprehensive Technical DNA of your environment - from Code to Deployment SIP - Security In the Pipeline Addresses the risk of code with security flaws flowing through the pipeline
  • 14. cidersecurity.io Github Devops Repo Service 1 Repo Service 2 Repo Gitlab Devops Repo Service 3 Repo Service 4 Repo Terraform Pulumi Jenkinsfile Python JavaScript Jenkinsfile Ruby JavaScript Jenkinsfile Ansible Chef Python Java Go JavaScript Jenkinsfile SIP - Security In the Pipeline
  • 15. cidersecurity.io Github Devops Repo Service 1 Repo Service 2 Repo Gitlab Devops Repo Service 3 Repo Service 4 Repo Terraform Pulumi Jenkinsfile Python JavaScript Jenkinsfile Ruby JavaScript Jenkinsfile Ansible Chef Python Java Go JavaScript Jenkinsfile SIP - Security In the Pipeline
  • 16. cidersecurity.io Scanner Issue Description Severity Repo Location Checkov Bad stuff Extremely Bad Repo 1 Line 1 GoSec Bad stuff Horrible Repo 2 Line 2 Bandit Bad stuff Very severe Repo 1 Line 4 Brakeman Bad stuff Not good Repo 3 Line 5 Checkov Bad stuff Fix now Repo 4 Line 2 PMD Bad stuff Fix fast Repo 1 Line 3 Nodejsscan Bad stuff So so Repo 2 Line 7 Nodejsscan Bad stuff doing ok Repo 3 Line 18
  • 17. cidersecurity.io SIP/SOP/SAP Comprehensive Technical DNA of your environment - from Code to Deployment SIP - Security In the Pipeline Addresses the risk of code with security flaws flowing through the pipeline SOP - Security Of the Pipeline Addresses the risk of the systems in the pipeline being compromised
  • 18. cidersecurity.io SOP - Security Of the Pipeline Crown Jewels (Production) Exploiting workstations endpoints Abusing cloud misconfigurations Breaching the perimeter Abusing software delivery systems/ processes AV/EDR /EP WAF/IPS /PT CSPM SOP
  • 19. cidersecurity.io SIP/SOP/SAP: comprehensive technical DNA of your environment, from code to deployment. SIP - Security In the Pipeline: addresses the risk of code with security flaws flowing through the pipeline. SOP - Security Of the Pipeline: addresses the risk of the systems in the pipeline being compromised. SAP - Security Around the Pipeline: addresses the risk of the pipeline being bypassed.
  • 20. cidersecurity.io SAP - Security Around the Pipeline [diagram: code/artifacts reaching production both through the pipeline and around it]
  • 22. cidersecurity.io November 2021. Takeaway #1 - for defenders: ● AppSec has extended far beyond the scope of code scanning. ● To address today’s challenges, we need to be thinking about SIP, SOP and SAP.
  • 23. cidersecurity.io November 2021. Takeaway #2 - for engineers: Be patient with your AppSec teams. We have a lot to catch up on.
  • 24. cidersecurity.io November 2021. Takeaway #3 - for hackers: You’ve done your fair share of damage for 2021... take a break.

Editor's notes

  1. Good morning everyone, this is The 3 Disciplines of CI/CD Security. It is a great honor and privilege to be speaking here.
  2. A short intro: I’m the Co-Founder and CTO of Cider. Many people ask us ‘what kind of a name is Cider?’
  3. Releases are conducted on a daily or hourly basis. The stack is comprised of more technologies. It takes a much shorter time to adopt a new technology or framework. Not only applications are codified, infra is too. And of course a lot less manual process, a lot more automation, continuous integration and continuous delivery.
  4. Security is struggling to keep up. Especially relevant now that security is no longer a blocker.
  5. When we look at the building blocks that comprise the ecosystem: different systems moving around different types of objects and artifacts, all the way from the engineer’s endpoint to production; a fusion of human collaborators, services and applications accessing the systems; and a lot of 3rd parties, access tokens and keys spread out through the environment.
  6. And the challenge for us as defenders is that reality doesn’t really look like the slide we saw earlier; it looks a little more like this. Even in a small startup, and definitely in a big organization, each one of these building blocks is potentially connected to one or more of the others.
  7. And the complexity of coping with the challenge stems from how deeply familiar we need to become with the inner workings of the environment in order to understand where the risks are and what security measures are required. ((click)) What repos, what languages, how CI pipelines connect to repos and with what permissions, what secrets are stored in CI and what their scope is, how CI and CD pipelines take code, package it and upload it to artifact repositories, which are then bundled in containers and ultimately deployed to prod, and which humans and which applications have access to that ecosystem. Unless we know all of this, it is pretty hard to understand what security risks exist in our ecosystem.
  8. Coping with the challenge of what is going on in this fast-paced and dynamic ecosystem: it is very easy to get lost, to have partial visibility and understanding of what’s going on, and to not really know who to refer to if we have specific questions.
  9. In parallel, what’s evident is that engineering has become a primary area of focus for attackers. Some examples of that, which I’m sure many of you are familiar with, just from the past year: SolarWinds, which had their build/CI system compromised, ending with malware being shipped to 18,000 orgs; the Codecov hack, where orgs using Codecov as part of their CI had their environment variables; PHP, which had their git infrastructure compromised and served a PHP version with a backdoor; dependency confusion, where Apple, Microsoft and dozens of other giants were at risk of having their CI compromised by managing dependencies in an insecure manner; and the recent coa, rc and ua-parser-js npm packages, with millions of weekly downloads, which were compromised and infected with malware. So in this reality, it’s not just about security bridging the gap towards engineering.
  10. We at Cider have defined 3 disciplines which, together, help organizations address the challenges and complexities we described earlier and build strong CI/CD security programs. They are called SIP, SOP and SAP: Security in the pipeline, Security of the pipeline, Security around the pipeline. In the next slides we’ll review each one and understand what they are.
  11. We have to keep in mind that, as we discussed, building strong CI/CD security programs requires us to begin with a very intimate level of familiarity with the ecosystem, the technologies and the interconnectivity between the different systems. Having that “technical DNA” is basically our base layer, on top of which we build our CI/CD security program. Let’s start with SIP. Security in the pipeline is about implementing the effective measures to detect security flaws in our code.
  12. CI Pipeline
  13. CI Pipeline
  14. CI Pipeline
  15. Security of the pipeline is about understanding that hackers are targeting our SCM, our CI and the rest of the systems down the pipeline, and we need to make sure they are secure enough to prevent those attacks.
  16. The best way to understand SOP is to look at it from the attacker’s perspective, and that means looking at it from the crown jewels. SOP is the equivalent of the solutions in blue, for the vector of abusing software delivery systems and processes to get to production.
  17. SAP - addresses the concern of our pipeline being bypassed
  18. So when we look at our ecosystem... If we think about it, it’s not enough to be perfect in SIP and in SOP if someone can connect directly to k8s and deploy malware to production, or connect directly to AWS and modify a Lambda function in a manner that isn’t consistent with what’s stored in our SCM. (click) So SAP is about taking the measures to be able to answer 2 main questions.
  19. SAP - addresses the concern of our pipeline being bypassed
  20. Daniel and I come from many years in the trenches, and we felt the pain in our day-to-day work. Even companies like AppsFlyer, which have strong security teams and a strong understanding of the need for security as part of engineering (it was a competitive advantage for us), can’t handle the complexity, and the security teams are struggling with working with the engineering teams. I always felt that I had so many blind spots in engineering; even after I found something, I realized that there were many other issues that I wasn’t aware of. We need to change the way we interact with engineering teams. We need to do it better and faster. This is why we established Cider.
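Notes 17 to 19 describe SAP as catching the pipeline being bypassed: a direct deploy to k8s, or a Lambda edited outside of what SCM holds. As an added example that is not from the deck or from Cider, the Python below shows the simplest form of that check: compare a runtime inventory with the CD pipeline's own deployment log and flag any live state the pipeline cannot account for. Every target name, digest and principal is a constructed placeholder.

```python
"""Added example (not from the deck): a minimal SAP-style bypass check that
compares what is live in production with what the CD pipeline recorded
deploying. Everything below is constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PipelineArtifact:
    """Provenance the CD pipeline writes for every deployment it performs."""
    target: str   # hypothetical name: k8s deployment or Lambda function
    digest: str   # sha256 of the image/zip the pipeline built from SCM
    commit: str   # SCM commit the artifact was built from


@dataclass(frozen=True)
class DeployedState:
    """What a runtime inventory (k8s API, AWS API) reports as live."""
    target: str
    digest: str
    changed_by: str  # principal the platform audit log attributes the change to


# Constructed sample records (truncated digests, hypothetical names).
PIPELINE_LOG = [
    PipelineArtifact("k8s/payments-api", "sha256:aaaa1111", "c0ffee1"),
    PipelineArtifact("k8s/payments-api", "sha256:aaaa2222", "c0ffee2"),
    PipelineArtifact("lambda/image-resizer", "sha256:bbbb1111", "dead001"),
]
OBSERVED = [
    DeployedState("k8s/payments-api", "sha256:aaaa2222", "cd-pipeline-sa"),
    DeployedState("lambda/image-resizer", "sha256:bbbb9999", "alice@example"),
    DeployedState("k8s/unknown-job", "sha256:cccc0000", "bob@example"),
]


def find_bypasses(pipeline, observed):
    """Return (target, reason, changed_by) for live state the pipeline cannot explain."""
    built = {(a.target, a.digest) for a in pipeline}   # every (target, digest) the pipeline shipped
    targets = {a.target for a in pipeline}              # every target the pipeline has ever deployed
    findings = []
    for d in observed:
        if (d.target, d.digest) in built:
            continue  # digest matches a pipeline build: it went through the pipeline
        reason = ("digest not produced by the pipeline" if d.target in targets
                  else "target never deployed by the pipeline")
        findings.append((d.target, reason, d.changed_by))
    return findings


if __name__ == "__main__":
    for target, reason, who in find_bypasses(PIPELINE_LOG, OBSERVED):
        print(f"BYPASS {target}: {reason} (changed by {who})")
```

In a real environment the two inputs would come from the CD system's deployment history and from the platform's inventory and audit logs; the comparison logic stays the same.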