Posture Vs Runtime
APPLICATION RELEASE CYCLE
Security Assessment
K8S WHO, WHY AND HOW?
How often are your release cycles?
What role at your organization is most responsible for container and Kubernetes security?
K8S WHO, WHY AND HOW?
• Compliance is a priority
• Lack of K8s knowledge; uses:
  - Network security (NGFW) for North-South sanitation
  - WAF/API gateways for application-level vulnerabilities
• Willing to purchase a standalone solution for K8s security
• Looking for a solution that covers A-Z (runtime, posture etc.)

• Security is not a priority
• Hates adding tools to his pipeline
• Bottleneck in the organization
• “Don’t touch my production!” - shift left

• Everything is code/API
• Visibility is very important, but not as a standalone offering
• Secret management is a headache

Deliver code as fast as possible
Risk Mitigation, Compliance and avoid data breach
K8S CUSTOMERS POINT OF VIEW
SHIFT LEFT
CAN WE SECURE USING ONLY SHIFT LEFT?
IMO, NO!!!
Others can claim:
Micro Services are predictable
Pro: Watch for abnormal behavior
Con: Not really the case with many types of workloads -> a lot of false positives
Immutability
Pro: you scan for vulnerabilities and deliver a new image every time
Con: if the attacker knows how to insert malware he can do it every time + maybe he is already on the host/other workload
POSTURE VS RUNTIME
K8S POSTURE MANAGEMENT
• K8S security requirement: find vulnerabilities & misconfigurations
• Where and why existing solutions fail: an endless chase; no single source of truth for K8s configuration; thousands of potential misconfigurations
K8S RUN TIME PROTECTION
• K8S security requirement: anomaly behavioral analysis and network segmentation
• Where and why existing solutions fail: inability to build a reliable normal baseline; false positives, complexity, and performance impact; resource intensive
LOOKING TO SECURE KUBERNETES?
K8S POSTURE MANAGEMENT K8S RUN TIME PROTECTION
A WHOLE NEW WAY TO SECURE KUBERNETES
Infusing Visibility, Control, and Security Seamlessly into Every Workload
ARMO BRINGS K8S POSTURE AND RUNTIME TOGETHER - SEAMLESSLY
K8S POSTURE MANAGEMENT
• Enrich findings with runtime deep visibility information
• Shrink the attack surface based on field-proven best practices
• Continuous compliance validation and auditing
• Add context and relevancy to posture findings
K8S RUN TIME PROTECTION
• From Zero to Zero-Trust in 10 minutes
• No need to change policies when microservices change
• Resiliency by design, even against the most advanced attacks
• Patented one-YAML deterministic ZERO-TRUST
ARMO Kubernetes Fabric™
KEY TAKEAWAYS
• You need both posture and runtime protection
• Scan your posture as soon as possible (shift left)
• Apply runtime protection on dev/staging/production
Stay Safe!
Questions?
The greatest risk is the one you are not aware of
zvika.ronen@fossaware.com
TEL: +972-(0)52-426-5306
All rights reserved © FOSSAware LTD
Who am I
• I am 48
• L.L.B law degree - Ono academic college
• I am the CTO of FOSSAware
• I specialize in FOSS technologies and software audits
• I help organizations to implement a risk management program to manage their OSS usage, lower the remediation costs and comply with ISO standards
• I also perform tech due-diligence audits and escort such processes for target companies
Few Words on Open Source
FOSS Definition
freely accessed, used, changed, and shared
FSF: four essential freedoms of the Free Software Definition
OSI: Ten criteria of the Open Source Software Definition
Open Source Risks
Legal risk
• Losing IP protection
• Paying Monetary Damages
• Block product shipment/distribution (Injunction)
• Negative press and damaged relationship with customers
Cyber security vulnerabilities
• Denial of service, taking a service offline
• Business intelligence and Client information theft
• Hacker remote access
• Ransom attacks
Operational risk
• Losing ability to build your software due to missing web based components
• Losing community support due to open source project with low contribution activities
• Using outdated open source components (less secure, more complex to upgrade)
Steve Ballmer, Former Microsoft CEO
https://www.theregister.com/2001/06/02/ballmer_linux_is_a_cancer/
Today Everyone loves Open Source
https://www.zdnet.com/article/ballmer-i-may-have-called-linux-a-cancer-but-now-i-love-it/
Source: Synopsys OSSRA 2021
Industry Sectors and Open Source
Source: Synopsys OSSRA 2021
Open Source in Commercial Software
Own Proprietary Software
3rd Party Commercial Software
Open Source
Commercial Software Dependencies
Open Source Dependencies
Hackers also Love Open Source
dateutil vs python3-dateutil - 350 FORKS
jellyfish vs jeIlyfish (“L” is an “I”) - 122 FORKS
Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks
OSS Malicious Package Analysis by the Academy
• Hundreds of open source packages were used in real cyber events
• 61% of malicious packages used typosquatting
• 2nd most common – injection into an existing package
Source: Dustico Blog, https://dusti.co/blog/unsafe-to-download-pip/
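As an added example (not from the slides, the Dustico post or the Backstabber's Knife Collection paper), a small allowlist check that catches both typosquat patterns named above: a confusable-glyph fold for the jeIlyfish case and an edit-distance test for the python3-dateutil case, run over a requirements file. The approved-package list and the requirements text are constructed for the example.

```python
import re

# Constructed allowlist standing in for the organisation's approved dependency
# inventory (an assumption for this example, not a list from the slides).
APPROVED = {"python-dateutil", "jellyfish", "requests", "urllib3"}

# Glyphs that attackers swap for look-alikes; the slide's jeIlyfish case is a
# capital "I" posing as a lowercase "l". Applied before lower-casing so the
# capital I is caught rather than folded to "i".
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o"})

# Constructed requirements file mixing legitimate names with the two
# typosquats named on the slide and one name outside the allowlist.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project's requirements
requests>=2.25
python3-dateutil==2.9
jeIlyfish==0.8.2
numpy
"""


def skeleton(name: str) -> str:
    """Normalise a distribution name so confusable spellings collide.

    Applies the confusable map, then PEP 503 normalisation (case-fold and
    collapse runs of '-', '_' and '.' to a single '-').
    """
    folded = name.translate(CONFUSABLES).lower()
    return re.sub(r"[-_.]+", "-", folded)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify(candidate: str, approved=APPROVED, max_distance: int = 2):
    """Return (verdict, nearest approved name) for one dependency name.

    approved  : exact member of the allowlist
    homoglyph : differs from an approved name only by confusable glyphs or
                PEP 503 normalisation (the jeIlyfish pattern)
    near-miss : within max_distance edits of an approved name
                (the python3-dateutil pattern)
    unknown   : not on the allowlist and not close to anything on it
    """
    if candidate in approved:
        return ("approved", candidate)
    sk = skeleton(candidate)
    nearest, best = None, None
    for good in approved:
        d = levenshtein(sk, skeleton(good))
        if best is None or d < best:
            nearest, best = good, d
    if best == 0:
        return ("homoglyph", nearest)
    if best is not None and best <= max_distance:
        return ("near-miss", nearest)
    return ("unknown", None)


def parse_requirement_names(text: str):
    """Extract bare distribution names from requirements.txt-style lines."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # the name ends at the first version, extras or marker character
        names.append(re.split(r"[\s<>=!~;\[]", line, maxsplit=1)[0])
    return names


def audit_requirements(text: str):
    """Classify every requirement; anything not 'approved' needs a human look."""
    return [(name,) + classify(name) for name in parse_requirement_names(text)]


if __name__ == "__main__":
    for name, verdict, nearest in audit_requirements(SAMPLE_REQUIREMENTS):
        hint = f" (looks like {nearest})" if nearest and verdict != "approved" else ""
        print(f"{verdict:10} {name}{hint}")
```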
Downloaded FOSS may include hidden setup
Source: WhiteSource, 2021
Open Source Vulnerabilities Continue To Increase
Top 10 Open Source Vulnerabilities In 2020
#1 Lodash
#2 FasterXML jackson-databind
#3 HtmlUnit
#4 Handlebars
#5 http-proxy
Source: WhiteSource, Top 10 Open Source Vulnerabilities In 2020
Open Source related breaches occur much too often
1 in 5 breaches is Open Source related
Source: Sonatype, devsecops community survey 2020
Equifax breach was 100% preventable
Open Source Component - Apache Struts (CVE-2017-5638)
The “Event-Stream” incident
• Popularity: 2 million downloads per week
• Dependency: “flatmap-stream” has malicious code
• The action: Harvest the victim’s “copay” private keys
• Intention: Steal Bitcoin
• Result: 7000 stolen bitcoins
https://github.com/dominictarr/event-stream/issues/116
Instagram Hack core reason – Mozjpeg
• Open Source Component - Mozjpeg (CVE-2020-13790)
• Mozjpeg weekly downloads from NPM - 650k
CODECOV
Source: reddit.com
Source: medium.com/@alex.birsan/dependency-confusion
Copycat behavior (Dependency Confusion based)
PyPI and NPM Flooded with over 5,000 Dependency Confusion Copycats
Source: securityreport.com
What is the weakest / unknown link of the chain?
• Human factor (training)
• Proprietary code (static analysis)
• Supply chain 3rd party (liability & support)
• Open Source?
• White/Black-box (testing)
Top 10 Web Application Security Risks
What does Biden have to say on Open Source?
“Developers often use available open source and third-party software components to create a product; an SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities. Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product.”
What Should We Do?
1. Know Your Product
Open Source in Commercial Software
Homegrown code
3rd Party Commercial Software
Open Source
Commercial Software Dependencies
Open Source Dependencies
2. Manage your Open Source
3rd Party Commercial Software
Open Source Dependencies
Open Source Dependencies
Manage your Open Source
Choosing right
Manage your software supply chain in “critical software”
“critical software” — software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources)
CII Best Practices badge program
End User License Agreement
BSD Open Source License
Manage risks from 3rd party (Supply Chain)
Common Default in Commercial Software Agreements
Homegrown vs. Open Source vs. 3rd Party Proprietary SW

                             | Homegrown code       | Open Source                   | 3rd Party Proprietary SW
Cost                         |                      |                               |
Possible Vulnerabilities     |                      |                               |
IP rights                    | Owned                | Licensed                      | Licensed
License Requirements         |                      |                               |
Procurement is being done by | Homegrown            | The developers                | Procurement people
Who is responsible?          | The developer        | The developer                 | The vendor
Support                      | By the developer     | Community/Developer           | By the vendor
Additional Dependencies      |                      |                               |
Access to Source Code        |                      |                               |
Analysis tools               | Static Code Analysis | Software Composition Analysis | Penetration Test

All types of software require some level of compliance and/or vulnerability monitoring.
Monitoring is being done using different tools, processes, and policies.
OSS in Commercial Software Development
1. Risk management program (ISO-5230)
• Policy
• Process
• Tools
• Training
2. Early detection = Lower remediation cost
3. Ongoing management (pre- to post-production)
3. Do not reinvent the wheel
International Standard for open source license compliance
Questions?
The greatest risk is the one you are not aware of
zvika.ronen@fossaware.com
TEL: +972-(0)52-426-5306
Automated Red-Team for Managing Attack Surface
Alex Peleg
CEO | Hacker
AI and Community powered Attack Surface and Operations Management For SMEs
Reducing Time From Breach to Fix
Recover From Incidents
Offensive Engineering
Cynergy.app
Agenda
1. Kaseya breach story
2. Attack Surface 101
3. Why AI?
4. Continuous Red-Team, the good, the bad and the ugly.
5. Open topics for further research and innovation
What has gone wrong?
A server was exposed....
Attack Surface 101
Attackers need only one hole in the defense
External Attack Surface:
• Web & Mobile Apps
• Infrastructure
• Cloud
• Employees
• 3rd & 4th Parties
• Subsidiaries
Why AI?
Context, Scale, Stupidity
Continuous Red-Team
Additional Research...
1. Faster and Better Context
2. Threat Intelligence to Improve Prioritization
3. AI based mitigation - GPT3
4. Integration with CICD
Q&A
Thanks and Questions! Alex@cynergy.app
Turn any Kubernetes solution into Zero-Trust by design
FROM ZERO to ZERO-TRUST
WHAT ARE WE UP AGAINST?
What are hackers looking for?
• Data
  - Business & customer’s data
• Keys
  - Encryption & Authentication
• Resources
  - CPU (coin miners)
  - Storage
  - Network (bots)
• Damage & Extortion
  - Ransom
  - DDoS, UI/UX harm
• Intellectual Property
  - Algorithms
  - APIs
What do they do inside?
• Use existing software in an inappropriate way
• Change behavior of existing software
  - Change configuration
• Inject new software
  - Corrupt existing software
  - Add new software
How do they break in?
• Misconfigurations
• Credential abuse
• Software vulnerability
KNOCK-KNOCK, WHO IS THERE?
Who is calling my APIs? Who is reading my Data?
DON’T TRUST, VERIFY!
Protect customer solutions even if infrastructure is compromised
Genuine Software Identity – like DNA
Automated Zero-Trust Network Policy
Transparent Data Signing & Encryption
SOFTWARE DNA – WHAT DOES THIS MEAN?
Executable
DLL/SO
DLL/SO
ARMOGuard
DLL/SO
Python/Java/JS/.NET
ConfigFile/ConfigMap
Environment Variables
Command Line
ARMO Back-End: Prove DNA validity, Receive Cryptographic Materials
Protect process memory while it runs:
• Validate cryptographic digest of every relevant artifact
• Prevent unsigned artifacts from loading
• Keep containers immutable
• Use Kubernetes for automation
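An added illustration of the digest-validation idea on this slide (example code written for this page, not ARMOGuard or the ARMO back-end protocol): a signed manifest of SHA-256 digests is produced at build time, and at load time each artifact is checked against it, so an artifact that is not in the manifest, or whose bytes have changed, is refused. The signing key, file names and byte contents are constructed, and HMAC-SHA256 stands in for whatever signature scheme a real back-end would use for its cryptographic materials.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the cryptographic material a guard would receive from
# a trusted back-end at start-up (assumption for this example; a real key is
# never hard-coded in the workload).
SIGNING_KEY = b"example-manifest-key-not-for-production"

# Constructed build-time artifacts of one workload: the bytes are arbitrary
# placeholders for a binary, a shared library, a script and a config file.
BUILD_ARTIFACTS = {
    "server": b"\x7fELF...constructed executable bytes...",
    "libcrypto.so": b"\x7fELF...constructed shared object...",
    "app.py": b"print('legit app')\n",
    "config.yaml": b"listen: 0.0.0.0:8080\n",
}

# Constructed runtime view of the same workload after an intrusion: app.py has
# been modified and an unlisted shared object has appeared in the container.
RUNTIME_LOADED = dict(BUILD_ARTIFACTS)
RUNTIME_LOADED["app.py"] = b"print('legit app')\n# one extra line changes the digest\n"
RUNTIME_LOADED["injected.so"] = b"\x7fELF...constructed unsigned library..."


def digest(data: bytes) -> str:
    """SHA-256 hex digest of one artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    """Stable serialisation so the signature covers exactly the recorded digests."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts: dict, key: bytes = SIGNING_KEY) -> dict:
    """Build-time step: record every approved artifact's digest and sign the record.

    Without the signature an attacker who can drop a file could also append
    its digest to the list; authenticating the list closes that gap.
    """
    entries = {name: digest(blob) for name, blob in artifacts.items()}
    signature = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"artifacts": entries, "signature": signature}


def verify_manifest(manifest: dict, key: bytes = SIGNING_KEY) -> bool:
    """Reject a manifest whose digest list was edited after signing."""
    expected = hmac.new(key, _canonical(manifest["artifacts"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["signature"])


def check_load(name: str, data: bytes, manifest: dict, key: bytes = SIGNING_KEY) -> str:
    """Runtime decision for one artifact about to be loaded.

    ok            digest matches the signed manifest
    unsigned      not listed in the manifest at all (never approved)
    tampered      listed, but the bytes differ from what was approved
    bad-manifest  the manifest itself fails signature verification
    """
    if not verify_manifest(manifest, key):
        return "bad-manifest"
    expected = manifest["artifacts"].get(name)
    if expected is None:
        return "unsigned"
    if not hmac.compare_digest(expected, digest(data)):
        return "tampered"
    return "ok"


def audit_runtime(loaded: dict, manifest: dict, key: bytes = SIGNING_KEY) -> dict:
    """Apply check_load to everything the process is trying to load."""
    return {name: check_load(name, data, manifest, key) for name, data in loaded.items()}


if __name__ == "__main__":
    manifest = build_manifest(BUILD_ARTIFACTS)
    for name, verdict in audit_runtime(RUNTIME_LOADED, manifest).items():
        print(f"{verdict:12} {name}")
```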
INTENTION
POD A
Secret Volume
POD B
Server
Legit App
Container Container
REALITY
POD A
Secret Volume
POD B
Injected App
Server
Legit App
Container Container
WITH ARMO ZERO-TRUST
POD A
Secret Volume
POD B
Injected App
Server
Legit App
Container Container
DEMO
Questions?
• Thank You!
• Questions?
• To be continued…

The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
 
Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022lior mazor
 
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...lior mazor
 
User management - the next-gen of authentication meetup 27012022
User management - the next-gen of authentication meetup 27012022User management - the next-gen of authentication meetup 27012022
User management - the next-gen of authentication meetup 27012022lior mazor
 
Securing and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 bSecuring and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 blior mazor
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021lior mazor
 
Application security meetup data privacy_27052021
Application security meetup data privacy_27052021Application security meetup data privacy_27052021
Application security meetup data privacy_27052021lior mazor
 
Application security meetup 02032021
Application security meetup 02032021Application security meetup 02032021
Application security meetup 02032021lior mazor
 

More from lior mazor (20)

The Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdfThe Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdf
 
The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
 
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptxWhy 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
 
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdfVulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
 
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptxThe Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
 
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptxSailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
 
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptxThe Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
 
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022
 
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
 
User management - the next-gen of authentication meetup 27012022
User management - the next-gen of authentication meetup 27012022User management - the next-gen of authentication meetup 27012022
User management - the next-gen of authentication meetup 27012022
 
Securing and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 bSecuring and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 b
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021
 
Application security meetup data privacy_27052021
Application security meetup data privacy_27052021Application security meetup data privacy_27052021
Application security meetup data privacy_27052021
 
Application security meetup 02032021
Application security meetup 02032021Application security meetup 02032021
Application security meetup 02032021
 

Recently uploaded

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 

Recently uploaded (20)

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 

Application security meetup k8_s security with zero trust_29072021

  • 14. A WHOLE NEW WAY TO SECURE KUBERNETES
    Infusing Visibility, Control, and Security Seamlessly into Every Workload

  • 15. ARMO BRINGS K8S POSTURE AND RUNTIME TOGETHER - SEAMLESSLY
    • Enrich findings with runtime deep visibility information
    • Shrink the attack surface based on field-proven best practices
    • Continuous compliance validation and auditing
    • From Zero to Zero-Trust in 10 minutes
    • No need to change policies when microservices change
    • Resiliency by design, even against the most advanced attacks
    • Add context and relevancy to posture findings
    • Patented one-YAML deterministic ZERO-TRUST
    K8S POSTURE MANAGEMENT | K8S RUN TIME PROTECTION | ARMO Kubernetes Fabric™

  • 16. KEY TAKEAWAYS
    • You need both posture and runtime protection
    • Scan your posture as soon as possible (shift left)
    • Apply runtime protection on dev/staging/production
    Stay Safe! Questions?

  • 17. The greatest risk is the one you are not aware of
    zvika.ronen@fossaware.com TEL: +972-(0)52-426-5306
    All rights reserved © FOSSAware LTD

  • 18. Who am I
    • I am 48
    • L.L.B law degree - Ono Academic College
    • I am the CTO of FOSSAware
    • I specialize in FOSS technologies and software audits
    • I help organizations implement a risk management program to manage their OSS usage, lower the remediation costs and comply with ISO standards
    • I also perform tech due-diligence audits and escort such processes for target companies

  • 19. A Few Words on Open Source

  • 20. FOSS Definition
    • Freely accessed, used, changed, and shared
    • FSF: four essential freedoms of the Free Software Definition
    • OSI: ten criteria of the Open Source Software Definition

  • 21. Open Source Risks
    Legal risk
    • Losing IP protection
    • Paying monetary damages
    • Blocked product shipment/distribution (injunction)
    • Negative press and damaged relationships with customers
    Cyber security vulnerabilities
    • Denial of service, taking a service offline
    • Business intelligence and client information theft
    • Hacker remote access
    • Ransom attacks
    Operational risk
    • Losing the ability to build your software due to missing web-based components
    • Losing community support due to open source projects with low contribution activity
    • Using outdated open source components (less secure, more complex to upgrade)

  • 27. Industry Sectors and Open Source
    Source: Synopsys OSSRA 2021

  • 28. Open Source in Commercial Software
    (Diagram: Own Proprietary Software, 3rd Party Commercial Software, Open Source, Commercial Software Dependencies, Open Source Dependencies)

  • 29. Hackers also Love Open Source

  • 30. OSS Malicious Package Analysis by the Academy
    Source: Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks
    • Hundreds of open source packages were used in real cyber events
    • 61% of malicious packages used typosquatting
    • 2nd most common: injection into an existing package
    Examples: dateutil vs python3-dateutil (350 forks); jellyfish vs jeIlyfish (the “L” is an “I”) (122 forks)

  • 31. Downloaded FOSS may include hidden setup
    Source: Dustico Blog, https://dusti.co/blog/unsafe-to-download-pip/

  • 32. Open Source Vulnerabilities Continue To Increase
    Source: WhiteSource, 2021

  • 33. Top 10 Open Source Vulnerabilities In 2020
    #1 Lodash
    #2 FasterXML jackson-databind
    #3 HtmlUnit
    #4 Handlebars
    #5 http-proxy
    Source: WhiteSource, Top 10 Open Source Vulnerabilities In 2020

  • 34. Source: Sonatype, DevSecOps Community Survey 2020

  • 35. Open Source related breaches occur much too often

  • 36. 1 in 5 breaches is Open Source related
    Source: Sonatype, DevSecOps Community Survey 2020

  • 37. Equifax breach was 100% preventable
    Open Source Component - Apache Struts (CVE-2017-5638)

  • 38. The “Event-Stream” incident
    • Popularity: 2 million downloads per week
    • Dependency: “flatmap-stream” has malicious code
    • The action: Harvest the victim’s “copay” private keys
    • Intention: Steal Bitcoin
    • Result: 7000 stolen bitcoins
    https://github.com/dominictarr/event-stream/issues/116

  • 39. Instagram Hack core reason – Mozjpeg
    • Open Source Component - Mozjpeg (CVE-2020-13790)
    • Mozjpeg weekly downloads from NPM - 650k

  • 42. Copycat behavior (Dependency Confusion based)
    PyPI and NPM Flooded with over 5,000 Dependency Confusion Copycats
    Source: securityreport.com

  • 43. What is the weakest / unknown link of the chain?
    • Human factor (training)
    • Proprietary code (static analysis)
    • Supply chain 3rd party (liability & support)
    • Open Source?
    • White/Black-box (testing)

  • 44. Top 10 Web Application Security Risks

  • 45. What does Biden have to say on Open Source?
    “Developers often use available open source and third-party software components to create a product; an SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities. Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product.”

  • 47. 1. Know Your Product

  • 48. Open Source in Commercial Software
    (Diagram: Homegrown code, 3rd Party Commercial Software, Open Source, Commercial Software Dependencies, Open Source Dependencies)

  • 49. 2. Manage your Open Source

  • 50. Manage your Open Source
    • Choosing right
    • Manage your software supply chain in “critical software”
    “critical software” — software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources)
    (Diagram: 3rd Party Commercial Software, Open Source Dependencies)

  • 51. CII Best Practices badge program

  • 52. Manage risks from 3rd party (Supply Chain)
    Common defaults in commercial software agreements: End User License Agreement; BSD Open Source License

  • 53. Homegrown vs. Open Source vs. 3rd Party Proprietary SW
                                 | Homegrown code    | Open Source                   | 3rd Party Proprietary SW
    IP rights                    | Owned             | Licensed                      | Licensed
    Procurement is being done by | Homegrown         | The developers                | Procurement people
    Who is responsible?          | The developer     | The developer                 | The vendor
    Support                      | By the developer  | Community/Developer           | By the vendor
    Analysis tools               | Static Code Analysis | Software Composition Analysis | Penetration Test
    Other rows in the deck (values shown as icons, not recoverable): Cost, Possible Vulnerabilities, License Requirements, Additional Dependencies, Access to Source Code.
    Notes: All types of software require some level of compliance and/or vulnerability monitoring. Monitoring is being done using different tools, processes, and policies.

  • 54. OSS in Commercial Software Development
    1. Risk management program (ISO-5230): policy, process, tools, training
    2. Early detection = lower remediation cost
    3. Ongoing management (pre- -> post-production)

  • 55. 3. Do not reinvent the wheel

  • 56. International Standard for open source license compliance

  • 58. The greatest risk is the one you are not aware of
    zvika.ronen@fossaware.com TEL: +972-(0)52-426-5306

  • 59. Automated Red-Team for Managing Attack Surface
    Alex Peleg, CEO | Hacker

  • 60. Cynergy.app: AI and Community powered Attack Surface and Operations Management for SMEs
    • Reducing Time From Breach to Fix
    • Recover From Incidents
    • Offensive Engineering

  • 61. Agenda
    1. Kaseya breach story
    2. Attack Surface 101
    3. Why AI?
    4. Continuous Red-Team, the good, the bad and the ugly
    5. Open topics for further research and innovation

  • 62. What has gone wrong? A server was exposed....

  • 63. Attack Surface 101: Attackers need only one hole in the defense

  • 64. Attack Surface 101: External Attack Surface

  • 65. Attack Surface 101: Web & Mobile Apps

  • 69. Attack Surface 101: 3rd & 4th Parties

  • 73. Additional Research...
    1. Faster and better context
    2. Threat intelligence to improve prioritization
    3. AI-based mitigation - GPT-3
    4. Integration with CI/CD

  • 74. Q&A

  • 75. Thanks and Questions! Alex@cynergy.app

  • 76. FROM ZERO to ZERO-TRUST: Turn any Kubernetes solution into Zero-Trust by design

  • 77. WHAT ARE WE UP AGAINST?
    What are hackers looking for?
    • Data: business & customer data
    • Keys: encryption & authentication
    • Resources: CPU (coin miners), storage, network (bots)
    • Damage & extortion: ransom, DDoS, UI/UX harm
    • Intellectual property: algorithms, APIs
    What do they do inside?
    • Use existing software in an inappropriate way
    • Change the behavior of existing software: change configuration
    • Inject new software: corrupt existing software, add new software
    How do they break in?
    • Misconfigurations
    • Credential abuse
    • Software vulnerability

  • 78. KNOCK-KNOCK, WHO IS THERE? Who is calling my APIs? Who is reading my data?

  • 79. DON’T TRUST, VERIFY!
    Protect customer solutions even if the infrastructure is compromised
    • Genuine Software Identity – like DNA
    • Automated Zero-Trust Network Policy
    • Transparent Data Signing & Encryption

  • 80. SOFTWARE DNA – WHAT DOES THIS MEAN?
    (Diagram: an executable with its DLL/SO libraries, an ARMOGuard DLL/SO, Python/Java/JS/.NET, ConfigFile/ConfigMap, environment variables and command line; the ARMO back-end proves DNA validity and supplies cryptographic materials)
    Protect process memory while it runs:
    • Validate the cryptographic digest of every relevant artifact
    • Prevent unsigned artifacts from loading
    • Keep containers immutable
    • Use Kubernetes for automation

  • 81. INTENTION
    (Diagram: POD A with a Legit App container and a Secret Volume; POD B with a Server container)

  • 82. REALITY
    (Diagram: POD A with a Legit App container, an Injected App container and a Secret Volume; POD B with a Server container)

  • 83. WITH ARMO ZERO-TRUST
    (Diagram: same layout as REALITY, with the Injected App present)

  • 85. Thank You! Questions? To be continued…