Slides from session 3 of the Snyk AWS live hack series
Dec 15, 2021 with Eric Smalling, Dev Advocate at Snyk, and Peter McKee, Head of Dev Relations & Community at Docker.
2. Today’s Speakers
Eric Smalling, Senior Developer Advocate at Snyk (@ericsmalling)
Peter McKee, Head of Developer Relations & Community at Docker (@pmckee)
4-7. The modern application
A New Risk Profile
Code
● Software deployed daily - ‘waterfall’ approach doesn’t scale. Scans can’t take hours.
● 10-20% of code is custom - and digital transformation increases pressure to deliver more and faster.
Open Source
● 80-90% of codebase is Open Source
● 80% of vulnerabilities found in indirect dependencies
Containers
● 100s of Linux packages inherited from public sources
● Built, deployed & scaled in seconds
Infrastructure as Code
● #1 cloud vulnerability is misconfiguration [NSA]
● Network access, storage, servers - deployed as fast as code
8. How Snyk and Docker fit in with AWS
Integrated from development to production to help AWS customers develop securely
[Pipeline diagram: Any Source Code Editor (Test & fix) - submit - CodeCommit or various others (Test, fix, monitor) - build - CodeBuild or various others / CodePipeline or various others (Security gate) - Docker Hub (Test, fix, monitor) - deploy - Production on ECS, EKS and Lambda (Monitor & more...), with Ticketing integration]
12. Defence in Depth: Images
Further practices and tech to consider.
Minimize Footprint
Don’t give hackers more tools to expand their exploits.
Layer Housekeeping
Understand how layers work at build and run-time.
Build strategies
Multi-Stage, repeatable builds, standardized labeling, alternative tools.
Secure Supply Chain
Know where images come from. Only CI should push to registries.
13. Defence in Depth: Runtime
Further practices and tech to consider.
Don’t run as root
You probably don’t need it.
Privileged Containers
You almost definitely don’t need them.
Drop capabilities
Most apps don’t need any Linux capabilities; drop all of them and allow only what’s needed.
Read Only Root Filesystem
Immutability makes exploiting your container harder.
Deploy from known sources
Pull from known registries only.
14. Defence in Depth: Kubernetes
Further practices and tech to consider.
Secrets
Use them, but make sure they’re encrypted and have RBAC applied.
RBAC
Hopefully everybody is using this.
SecurityContext
Much of the Runtime practices mentioned can be enforced via SecurityContext.
Network Policy
Start with zero-trust and add allow rules only as necessary.
Enforcement
Use OPA (Gatekeeper), Kyverno, etc.
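The runtime practices on slide 13 map directly onto Kubernetes securityContext fields (slide 14). The following is an added example, not code from the deck or from Snyk or Docker: a small audit that reports which of those practices a Pod spec violates. The two Pod specs and the registry allow-list are constructed for the example.

```python
# Constructed allow-list for "deploy from known sources" (not from the deck).
KNOWN_REGISTRIES = ("registry.example.internal/",)

# Constructed sample: a Pod spec that violates every practice on slide 13.
WEAK_POD = {"spec": {"containers": [
    {"name": "app", "image": "app:latest", "securityContext": {"privileged": True}},
]}}

# Constructed sample: the same Pod with the practices applied via securityContext.
HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "containers": [{
        "name": "app",
        "image": "registry.example.internal/app@sha256:<digest-placeholder>",
        "securityContext": {
            "privileged": False,
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
        },
    }],
}}


def audit_pod(pod: dict) -> list[str]:
    """Return one finding per violated runtime practice; an empty list passes."""
    findings = []
    pod_sc = pod["spec"].get("securityContext", {})
    for c in pod["spec"]["containers"]:
        name, sc = c["name"], c.get("securityContext", {})
        # Don't run as root: the container-level setting overrides the pod-level one.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: runAsNonRoot is not true")
        # Privileged containers: you almost definitely don't need them.
        if sc.get("privileged", False):
            findings.append(f"{name}: privileged is true")
        # Drop capabilities: drop ALL, then add back only what the app needs.
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
        # Read-only root filesystem: immutability makes the container harder to exploit.
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        # Without this, setuid binaries can still regain root inside the container.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        # Deploy from known sources: pull from known registries only.
        if not c["image"].startswith(KNOWN_REGISTRIES):
            findings.append(f"{name}: image {c['image']} is not from a known registry")
    return findings
```

The same checks are what an admission policy in Gatekeeper or Kyverno would enforce cluster-wide; this script is the pre-deploy, single-manifest version of that gate.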
16. First off...
Custom Code, Open Source Code, Containers, Infrastructure as Code
Empower developers
Developer adoption requires a frictionless and intuitive solution to enable security without impacting pace.
Automate fixes
The solution can’t just report on what vulnerabilities exist. It must make it easy to fix the problems quickly.
Be security deep
The solution must leverage complete, timely, and accurate vulnerability data and cannot rely solely on publicly available sources.