Polyglot Apps Lead to Polyglot Security Holes. It’s Time to Fight Back! @ CD Foundation Webinar – 2021

great let’s get started today thank you
everyone for joining us i am very
much looking forward to introducing sun
rupert
from jfrog he is joining us today to
talk about
polyglot apps lead to polyglot security
holes and it’s time to fight back all
right sven
i will let you have the floor okay
hello hello from my side as well here
from cold germany
so i i was reading already a few from
greece and mexico and hi
it’s definitely warmer and better
weather than here so
what we are talking today is a little
bit about polyglot
security rules and during this talk
um if you have any questions feel free
to use the chat
feel free to use this q a um window from
zoom
i will try to have an eye on this one so
if there is anything
i see and at the right time i will give
an answer otherwise i
will do this q and a in the end of this
session
but if there’s anything just um yeah
feel free to
ask why is the chat and then
i try to give an answer during the
talk or immediately in time if i see it
so now one of the most critical things
i will start sharing my screen let’s see
if this is working
so hopefully can everybody hear me just
a sign hello
i hope so so
okay where is my powerpoints
okay so now i have to grab my my chat
window
this is something weird in in zoom that
always they are
catching this chat window
so let me see i have my chat back
and now i’m ready to go so if there’s
any question
let me know if you have any comments
feel free
and now we will start so polyglot
look note is a complicated word but what
we want to talk about
say first of all my name is van if you
want to reach me
well over the internet take take twitter
take link in
you can see me on on youtube by the way
this
background you see here um from me
was also screen sharing it’s just taken
from one of my outdoor trips
i’m recording it related stuff in the
woods so if you’re interested in this
one
have a look on my um youtube channel i’m
there in german
and in english feel free so
and jfrog what we are doing with
straightforward we are talking about
devops
and explicitly about devsecops and this
is what i’m doing as developer advocate
at jayprock
say i’m focusing on the security part
and this is where we want to go today
so by the way slides and all this stuff
and the raffle if you want to win
something here it’s oh it’s an amazon
accurate show
five go to this bitly link
and then you have the chance to win one
i don’t know i think two business days
three business days something like this
and uh we will announce a winner so feel
free if you want to have this um
later on just let me know i will copy
paste it
in the slack later uh in the chat here
so okay
cloud native the big word huh and i
don’t want to go in all these details
but
cloud native is perfect to show a few
things but
uh even if you’re working with monoliths
or serverless or whatever
more or less the principles i’m talking
about is the same
so this is um yeah this is one thing
that
you should have in mind don’t fix too
much on on this cloud native stick
here it’s just one thing but we have
this service oriented and api
communication these are
quite generic things and so um if you’re
thinking about
splitting up for example some some uh
some
services to microservices then a machine
is not really good in helping you in uh
if you want to decide this is a use case
for this microservices
use case for another microsoft so here
the human has to decide and have to
split
up and all this stuff the same with the
api communication so
you have to decide what’s going over the
wire but the tools are start helping a
little bit more with
how to encode this stuff how to
serialize unserialized and so on and so
on
but on the other side you have these
generic things that
are in these layers and if you are going
to this container-based infrastructure
to this def
segments part then you see that more and
more the tools can help you
with certain things and um
here what we wanted to reach was with
splitting up the micro service
sure we want to have this short release
cycles we want to rewrite instead of
maintaining old stuff and this is it’s
fine it’s nice we as a developer
we like it we often to play around with
new stuff but on the other side
um i’m i’m cutting java now since i
don’t know 1996
and if i would start coding a joe go
tomorrow
i wouldn’t be a senior anymore so it
would be nice i would learn it
maybe first or not but i would do all
the mistakes that junior would do
more or less in the same way maybe in a
shorter time
but i’m not seeing anymore and this is
something that is tricky so
new technologies here fancy you like it
but on the other side you have to make
sure that these new technologies are not
bringing a
huge stuff in so you have new tools you
have new
best practices with the language and so
on and so on
and by default if you are talking about
the cloud natives or in in general about
that microservices zoo or serverless or
whatever
if you’re splitting up then we are more
or less
just increasing the amount of
technologies and
per definition we are talking about
polyglot systems so
different technologies in one thing and
the amount of different technology is
increasing and well
this is something you should have in
mind but splitting all this stuff away
so just focusing on one single
application called it one or let’s call
it uh
microservice call it serverless i i just
okay
we have more or less always the same
stack here
and here again we have two dimensions i
want to to look at so
first of all we are writing an
application and this application is
what we’re coding and we have some use
cases and we are doing all this stuff
after this
we’re introducing the next layer it’s
operating system layer for example linux
and then we are wrapping it in docker we
are composing it
in kubernetes universe so all this stuff
is more or less
layer by layer by layer we are
increasing the complexity somehow
because we’re adding new technologies
and they all have to fit together but
one thing is for sure
if you’re adding some vulnerabilities in
the first layer for example inside the
application layer
then it will be existing over all other
layers and the same with compliance
issues
so if i have the wrong license at the
right place in inside the project
i will have a challenge because it can
just kill my business
so what we are thinking about this one
what we have to do here
but there’s one thing even here we have
some parts we have
in all layers there’s more technical
part and we have this more domain
specific part so inside the domain
specific part
talking about security is more or less
talking about the
semantics talking about the processes or
security per concept and all this stuff
but if you are talking about the
technical things and here is where the
tools are
way better than in the domain specific
area
is that they can help you scanning for
vulnerabilities and all this stuff
so here again on all layers we are
adding technologies but we have a pure
technical side we have a domain specific
side
and the most people what they forget in
all of this
is we are talking about the whole tool
chain as well
so insert this depth circles but this
interesting thing in the cloud native we
are talking especially about deaf
cyclops not devops anymore
means that we have the whole two things
this is part of the whole production
line as well
and here we have to think about the term
security
but i want to talk about some polyglot
stuff
so um what i’m explicitly excluding here
this part
is a concept phase so i’m not talking
about how to
make a strong concept in terms of use
cases and all this stuff so i’m just
focusing right now on the technical part
and um yeah that’s that is one thing
that you should have in mind security
starts early in the contra phase not
just during the coding phase so
even in the conservation you have to
think about the term security
but i’m excluding it here because this
is a too broad
scope for now so let’s see
one thing i often hearing
and it took some time to remember
something is for example shift left if
you want to learn more about this topic
search for the terms shift left and what
shift left means is
if you’re just rotating this picture by
90 degree
and you’re starting from left and
reading to right
then it’s that the earliest point is
writing an application before you’re
wrapping it in the operating system
before you’re using docker and so on so
shift left means dealing with the
security
turn as early as possible and for this
talk we are stopping
with the left concept at the application
we are not going to the concept phase
but even this would be more left
so what does it mean shift left means
that we have to think about all this
vulnerability and compliance issues as
early as possible and there is no
dedicated phase where we have now
security scans and then everything is
done but
well i want to show an
example about this polyglot world
and one example is if you are a
server-side developer and you have
for example in java and you have to
write at least
in graphical user interface or you have
to create a
web app it could be an internal one for
administrative stuff it could be a
customer application whatever let’s
think about
how to write this um web ui
and if you’re a cool java developer then
all this web ui stuff is far away so you
want to have java
and and this is where you are and then
you have the different technologies
for example here this html5 css and
javascript
because we are talking about for example
web components on the
graphical user insights or on the
website
and these are two different things but
what
what will happen here as a java
developer if you’re familiar with this
technology
you have two choices you can learn html5
css javascript
so much if you want if you can if you
have the term if you like whatever
well the other thing is you’re searching
for something that is wrapping this
technology for you in a way that you
don’t have to deal with this let’s
let’s have this one so we have this web
components on
one side we have the java side where we
want to be so where we are normally
in and then we have this kind of
communication in between for
communication you will find for example
java as well so you know
you’re happy with this one but how to
deal with this now
so um here’s an example just to show how
technology is hidden
i’m using uh vadim vadim is an open
source framework
you can use it to to build on the server
side with new button a button on the
screen and it’s based on what components
so have a look at this one but it will
show you quite easily
how we are mixing up different
technologies and i want to show you what
happened
if you want to play around and what this
convenience
is bringing you at this part if you’re
digging a little bit in this api you
would see something i don’t want to go
in all details here
about this one because we want to focus
on the security but
but if you’re checking what they have
done is for example
they they started mapping these
different technologies together
because they want to have this
convenience as a java developer and will
give you
some other technology some other layers
somewhere
and here for example if you’re dealing
with a pure npm stack you would have
three
three things uh you have this npm
install to grab web components
so that you have it in your local
repository okay it’s in package manager
and you’re declaring something like take
these components with this version and
then it’s grabbing from external
repository
storing on your local hard disk and
temporary forwarder or something like an
m2 m.2.m2 like it’s done with maven
and if you uh want to make this one on
the java side for example with this
volume framework you you would have
something
like an annotation and for you as a java
developer this convenient you have just
an annotation npm package on the class
and you have this value it’s it’s
exactly what you would use with the npm
section or this coordinates or
these components and you have the
version so this is fine
on the other side you would need now
something like an import statement it’s
the same
like on java so you have an import
statement of a clause so that you can
use it
and on html5 patriot really is the same
you have an import and then you are
explicitly addressing one class of one
component
and you would find hey i have a java
component
java annotation here and it’s exactly
the same so if i want to have a badge
then i’m i’m just taking this annotation
and writing the coordinates from this
web component in
and then it’s somewhere here how to use
this one
how to map it to the javascript if you
are inside the web application you would
take this
tag for example you are five months back
and
to map it to the java site you would
have a tag like
ui five minus batch everything together
is more or less a mapping between
different technologies
at this annotation level you are purely
on the java side
and if one of your colleagues would do
this one would say okay we have to code
now
all these web web uis but we want to
have it as a java developer
one of your colleagues would exactly do
this one with what components you need
and this is another thing you can do it
with every web component if you’re using
this button stick so
um this is an example how i map the url
five
components for example then it would
have a class extends component
okay and then you have these three
annotations
what have you done now we we met
not only technologies in different
binaries we met already life cycles
so with these three annotations at this
java clause
if i’m somehow creating this instance
i would have an npm install i would have
an import
and i’m declaring attack so i have a
quite complex thing he had already done
and if one of your colleagues will use
exactly
this component i’m not sure if he’s
really aware of
all these different stacks and what he
is behind this
and there are some several some other
things that are
not so nice and they are somehow
critical
let’s see um you want to start building
some attributes here it’s quite easy you
can map it on the java site as well so
with
elements and property and you’re setting
some stuff so even this
if if you’re a java developer you can do
this one quite easy
have you understood the whole npm stack
so far no
i’m not sure you’re just reading some
documentation and see okay there’s an
attributes called color scheme
and then you’re reading in the api
documentation okay you have something
like get
element set property okay this matches
and then you start mapping all this
stuff
i mean this is great it’s very very
convenient
and if you think about how to get
something out the next thing is
okay i’m not not only possible to set an
attribute
i can grab stuff out what happened now
from the browser will be something
encoded will be sent over the wire into
your system
will be converted somehow to some java
representative
thing instance whatever it is and you’re
accessing it
wow this is fame this is really good
so the convenience factor is enormous
because you can just start coding java
even if you start thinking about okay i
don’t want to have attributes i want to
have a tree
because i’m in the java but now you
start thinking about how to how to map
all this stuff
and then you think okay if if i have a
component and there’s a complex child in
that i’m doing it exactly with the child
as well so here
you see okay there’s an url five icon
and then you start again
yes this is your icon clause extends
component you’re adding
justice free annotations and you would
see okay
reading a bit documentation you can
connect both this
setter is now something like get element
and child and
this one so we are now
able to to code on the javascript a
quite complex thing
and you’ll have different components you
have a huge amount of communication you
have a huge amount of technology stacks
in
and in the end if you’re mapping this
one one
one person in your team and we’ll make a
jar out of it
and we’ll give it to you you as a
developer would just see
new ui5 edge set icon
set text and add action listener
whatever
and you would get some generators on the
screen say
what happened here is it’s easy to map
this technology
you have a huge life cycle in the
background and if you’re checking here’s
a dependency tree it’s a nightmare
you have not only one technology you
have now two technologies you have two
package managers in the background
you’re dealing here even if you’re not
seeing it with different technologies
in a level at a level that is
well well hidden so you have to search
for all these traps way or
just combining technologies like this on
the other side
i’m assuming that this trend will be
coming more and more because if you want
to have more complex things if you want
to have more generic things on the
on the inside but more easier ways to to
formulate your use cases and all this
stuff
you need this convenience to have the
right speed
to to have this use case fast enough
on the market so we are talking about
time to market and so there’s a
requirement it must be pushed to
production as soon as possible
so we will have this one and this is
just a layer
inside the application you will have the
same on the operating system or inside
docker inside kubernetes
and this is something that is more and
more coming
and this means we need more aware of it
and we need tools that help me to
identify
what’s going on here by the way
if you want to have a look at this
you’re a java developer you have to do
what web components you want to try it
out
i have this one on github and then you
can just try it out
it’s it’s a good running proof of
concept i use it for some some small
projects
it’s open source apache license grab it
try it and if you have some feedback let
me know i’m more than happy to
to see it what we what we have now
we have now the following we have now
an application and instead of playing
with one package manager
we are playing indirectly with two
package managers
with all the life cycles with all the
dependencies we are all grabbing these
binaries
and now we need something that will help
us to identify
the whole stack not only the java site
it would be a disaster if you’re just
checking
vulnerabilities on the javascript we
have to check it on the npm side now as
well
and this as early as possible i have on
youtube a few examples so
how to do this one i’m explaining it
here in a few words
but if you want to have the long version
go to youtube and
check it out um for example how to
harden this body
framework with the stuff i’m showing
here right now
so next is
thinking about this convenience part and
thinking about
that we are just using what means just
we are using open source i
i really love open source because we
have the possibility to check we have
supported visibility to to analyze to
fix
bugs and all this stuff but if you’re
looking
how much of this open source stuff we
have in
it’s quite a huge thing so half
maybe 16 maybe 40 i don’t want to be so
strict with a percentage but
it will be a bigger party and that means
we are grabbing something because we
don’t want to reinvent the wheel on the
other side we have to trust something
that’s coming from outside
so we have to check against
vulnerabilities and we have to check
against
compliance issues and this of all
transitive dependencies
if you’re just adding a few dependencies
just for fun
generate the whole dependency tree of
your application and check how many
dependencies you have and
just assume how much time you would need
to scan all of this
but we have two different things i
mentioned compliance issues
and i mentioned um vulnerabilities
and one thing is even in the polyglot
system you have this
in direction to other technologies means
you have to have an eye on compliance as
well of the whole stack
but the good thing with compliance
issues is in the beginning you need a
lawyer that’s defining this is a good
license for your project
and there’s a bad license for your
project whatever if this is done once
then the machine can do it constantly
and
if you have a compliance issue somewhere
then it’s just this tiny
thing so you have this library you have
to grab it out
and you have to find a semantic equal
solution
running under different license so the
the process is quite clear
the machine must be uh yeah must must
initialize must be initialized
with the information what’s a good
license for the battery license but if
there’s something found the process is
clear
you have to remove it that’s it
it’s vulnerability it’s a different
piece
if you have vulnerabilities in different
parts of your application over the whole
stack
then maybe the single vulnerability is
not really
bad or high risk or whatever but
all these vulnerabilities can can be
combined to different attack vectors
and that means you’re not only talking
about the single vulnerability here
you’re talking about the whole
composition of vulnerabilities and this
of
all dependencies and this overall
technology layers
and this is a base so you need something
that will give you the full impact graph
so it makes no sense just to focus on
one layer
or one technology you need the whole
text stack
everything from the application up to a
health child everything
even the tooling itself but what what is
the lifetime of
vulnerability and what’s a critical part
and where we can jump in
with this um if there is a vulnerability
and it’s created by accident or
someone want to have this vulnerability
in somewhere
we have no way to influence this one so
someone
will create some vulnerability some
vulnerability will be
somewhere and then we have this time
until this
is found um do we have any chance to to
influence this one or two to make this
faster shorter whatever
yeah if you’re a security researcher we
can work on this topic but i assume that
most of us are not security researchers
so
we have just wait then there is this
information
found so this vulnerability is found
someone found it now we have to waste a
good one and the bad one the bad one is
just selling it on
in the darknet and the good one is going
to the company
that is a provider of this binary or
this group or whatever project
i will give this information to them and
sometimes they decide okay
we’ll wait until two weeks before we are
making the public so that you can create
a patch and all this stuff
and can we influence this time frame
now if you’re not directly yeah affected
because we are the
person that’s contacted we have no
choice
or no no possibility to to to make this
shorter
then there is this information available
do we have access to it
well mostly not directly
so we have different we have this free
vulnerability databases we have
commercial vulnerability
databases and there’s a big gap between
the commercial and the free one
if you like it or not i what whatever i
don’t want to say it’s good it’s bad
it’s whatever i just mentioning
that mostly the commercial vulnerability
databases are faster
and have more information as a free one
maybe the free one will have the same
but maybe later
so what can we do here we can wait until
this information is consumable for us if
you’re spending money for service or if
you’re just
waiting whatever you’re choosing at some
point this information will be
available for you so it’s now consumable
you’re not even
just know it it’s not consumable until
this time
is uh that this information is
consumable for you
the timer is starting so now that the
clock is running you would say insurance
so
now you must be fast so if you have a
good cr environment
everything is automated perfect now you
can start thinking about
okay i know there is a vulnerability i
have to
change somewhere in my stack and it must
run in production so time to market we
are talking about exactly the same
time to market so there is a need and we
have to push it as fast as possible to
production so and this is the only time
we
completely have under control and mostly
this is a
quite long time so for a lot of projects
even this there is a vulnerability until
it’s running production we are talking
sometimes about
weeks or months or even longer so it’s
it’s a disaster
we’re not checking the whole system
application layer for example
and the difference between make and buy
makers you’re writing it by yourself
bias you’re adding a dependency you will
see that insults application
you will have at least some some part of
make because this
is the biggest part mostly because
you’re writing all this stuff
but even the bypass so this i have a lot
of dependencies
is a quite big one if you are going to
the operating system
mostly i’m just adding some
configuration and the rest of this
operation system
is a dependency and the same with docker
the first statement is from so
it’s it’s just a dependency and then
we’re adding some stuff and the same
with kubernetes and so on and so on
and the whole tool stack for example if
you’re compiling your jvm and all this
stuff
it’s a dependency model so we are
grabbing a huge potion to our tech stack
and this is a binary that’s coming from
outside
and this is why i’m saying mostly if you
want to start with the security part
focus on the binaries the external
dependencies because this is the biggest
part in your whole text act whatever
text that you’re looking at
mostly this is the biggest part so if
you’re focusing on scanning this one and
making different clean against non
vulnerabilities and compliance issues
you have the
low-hanging fruit the quick wins done
then you can start analyzing your code
with ai
or whatever but having the dependencies
under control
is a key point if you want to start with
security so
what is helping you you have this
vulnerability and compliance issues and
those
will push you to some change in your
code
and if you’re changing something well
the best you could have is
a perfect test coverage so if you have a
really strong test coverage
then you can start shifting versions
around
that’s a test suite run and be sure that
you can push it to production because
you have the same behavior of your
application
and i personally i’m a fan of mutation
testing
because it’s way stronger than pure line
coverage
whatever fits to your needs and decide
what is the strongest line coverage you
have or how to make this test coverage
as strong as possible because this is
your safety belt
because the first line or the first
thing
working against vulnerabilities means
you need a very
efficient dependency management because
a very efficient dependency management
will have the biggest impact or the
fastest impact
of the biggest part of your project so
tdd
is just working hand in hand with
security that means
quality and security they’re just going
in the same direction and this is
perfect so they are not running in
different directions
if you’re not thinking about okay we
have different dependencies we have
different technologies and even inside
the application i have different
technologies because we are
talking inside an application about
polygonal systems but
even if i have different microsoft this
polyglot system is
is even bigger even more components and
technologies are running around
it would be perfect if you would have
something that is able to handle all
these dependencies
all these different dependency managers
to aggregate all binaries in one logical
point
why this is important because if you
have all binaries all
this logical point where everything is
running together
you have the perfect place for scanning
the dependencies so scanning
against compliance and vulnerability
issues
and this is what we are delivering here
with artifactory and with x-ray
so without factory here there’s
dependency management
inside so a binary repository and you
can have your maven repository your
debian repository and everything
together
and if you have this your artifactory
instance as a getaway
then you can go with x-rays as a binary
scanner
can you connect and analyze against
compliance and vulnerabilities
if you want to try it out we have a
freight here i will share the url
finish so that you can just try it in
the cloud but
it’s on hybrid environments means half
cloud half
on prem or completely on prem so it
doesn’t depends but you need this
you need this single point where you can
just analyze all binaries
of all technologies and the most people
and this is one thing
the most people forgetting just the tool
stick itself so they have all
dependencies of the application
but they are not scanning their binaries
they are using inside the protector line
and even this it’s just a dependency
you’re declaring it you need to place
the stored
take a generic repository put your
compiler in put your
whatever just just push all this stuff
in to make sure that
it’s immutable so that you can reproduce
the state every time to analyze it and
on the other side that you can just scan
your binaries
that’s it and even a compiler can have a
wrong license
okay we have different ways to to
formulate it so if you have an
um auditing system or you have some
compliance rules or some documentation
that’s describing all the stuff you need
some ways to to describe
uh what’s written down somewhere
excuse me and on the other side you need
something that
is mapping to this technology and here
we have this concept of the rules
policies and watches
i’m not explaining everything in detail
but the main thing is you have this rule
that is an independent
stateless definition if i find something
wasn’t cvss
7.3 or higher than
breakabilt center web book
sender mail whatever so different things
you can do
and that is independent from the
technology you are just describing what
should happen if i’m
if if i found something then you have
this policies and policies as a
composition of this rules
under logical name and it would be if
you have a document an auditing document
a security dis
description somewhere you would have the
single actions what should happen
inside these rules and then every
chapter would be a policy and then you
can have even
a one-to-one mapping between your
documentation and requirements to
what’s running in inside x-ray
and then you want to have this
technology independent description what
should happen
uh what should happen um and you map it
against repositories
it’s called watchers so then you’re
combining these policies with watches
with
maven repositories docker whatever so
it’s free
free to combine and this is what we have
watches policies and rules
if you want to know this in detail i
made this how to’s and then you can
really see how to create it what are you
doing
all this stuff or just check out for
them in on our side we
then you can get this one but in the
beginning during the beginning we spoke
about
um shift left what does it mean
what does shift left mean shift left
means that you want to start as early as
possible
assume the following you’re starting a
proof of concept
you’re happy damn yeah finally i i can
start coding something from scratch
i can choose some technologies whatever
or just playing around with some stuff
and then you start aggregating
technologies
you’re writing your proof of concept and
after the first day
you’re committing the first things and
you’re pushing it and oh you have to
create this pipeline and then you are
creating the pipeline
inside your ci environment
the ci environment will start working
and then at some point it will say
oh that’s the pencil you’re using sorry
but
too many vulnerabilities in or wrong
license there’s a transitive dependency
and this is just not possible here in
this project
the maintain of this project was not
good enough
in checking if there’s one or
maintaining a such one what have you
done
you just wasted a huge amount of time
and this is a huge amount of money and
we don’t
like to face money because we have to
explain it somehow
so we have to remove this time or we
have to shorten this time
as much as possible so having all this
stuff inside ccr environment
it’s perfect but it’s not the earliest
point you need this information
earlier and one early stage is
having this information inside your ide
and that means
if you’re working with java for example
and you’re dealing with this
dependency management system the first
thing before you’re
doing something is firstly you are
declaring some kind of dependency
oh i want to have j unit 5. or i want to
have this library this pdf library or
this
algorithm whatever so you’re declaring
this one inside the pom xml
or gradle or whatever you use and
immediately at this point
you’re declaring the coordinates of the
binary and the version
and at this point the ide plugin
that we are offering for x-ray will grab
this
version information this is coordinates
and
also vulnerability database if there’s
anything
that we should know any vulnerability or
any compliance issue
and this for all transitive dependencies
as well
so if you’re adding a dependency not
only this one is important one but you
need all transitive dependencies
and this is the id you plug in doing so
you can just install this id plug in
it’s open source is free so even with
the free tier
you can connect with the ide plugin into
your feed here and in the free tier you
have
a slightly limited version of x-ray
that you can scan or use to scan against
non-vulnerabilities
so inside here we have it for intellij a
code eclipse whatever but feel free
so try it and then you will get
immediately this information and
here’s a screen uh screenshot it’s just
showing a little bit there’s a
tree you will get this tree of all the
pencils so you see the whole hierarchy
and then you can start searching for
stuff you don’t
want to have and then you start
replacing this dependencies
and again if you have good test coverage
it’s exactly what you need so
and how to do this one i have there um
this whole process how to how to exclude
it how to add a new dependency and do
this until everything is fine
i have a youtube video to uh in this j4
cartoons
where i’m explicit showing this process
and how to install the plugin but mostly
searching for the plugin and store so
this is one thing
so inside the ide you will have note the
whole
information about the text deck back to
the polyglot topic
if we have now this dependency
my colleague mapped all this stuff
against npm i’m just adding an f
independency i’m not
aware of this one i’m grabbing this
dependency but the life cycle mapping
will include all those technologies you
will see
there in this tree you have a tree for
java
maven and you will have a tree for the
web components
for the npm stack so first of all you
see that there is some other technology
in the background second you see even
for
this hidden technology that there is a
vulnerability
and you can start working against it
even if you’re just declaring a
component
and that’s what is really saving time
and money
and is reducing risk so focus on
something that will give you as early as
possible this information
later on if you are inside the
web ui you can have the full impact
graphics
client interface that you can completely
provision all this stuff via command
line interface
if you want or via rest
what can you do with this if you’re
talking about this
um scanning against vulnerabilities you
need some process how to handle this one
sure you can break a build this is one
thing
you can notify via email okay but the
really cool thing
is that you have two things the rest api
to to interact with the machine and the
second one is a web hook because with
this one
you can start integrate third-party
components and you can build
semi-dynamic workflows there is a
vulnerability
in this docker image i start now i
process it will
make a dedicated current time repository
i’m pushing my stuff in i’m
automatically doing all these updates in
this docker
layer for example and then i’m scanning
it again or whatever so
you can start working with semi-dynamic
workflows
and this will give you the possibility
to feed reportings like compliance tools
you can uh
pre-harden images uh if it’s just an
update of the versions and so on and so
on so that’s one thing
and yeah if you want to try it
uh feel free uh grab this one jeffrey
the co
3t devops underscore cdf and then it
will
come to the point where you can start a
free tier and
if you want to see how to do it uh some
how to so how to start the free tier
and platform overview if you want to
have a short guideline otherwise check
out the documentation
or just ask me and then you can start
this one
and what should you do you start a free
tier it will take
five minutes or so you’re just creating
the repositories you need for example
your main repository
you’re changing inside your pawn it in a
way that you’re using
exactly this map repository and then
make a clean verify
that’s it and then you have all
informations all earlier with the eda
plugin
just connect to your experiences and
later dependency scan
that’s it so much time you need to to
start with devsecops
below two hours if you’re doing
everything and slow and reading and all
this stuff
but then you can start even in your
project just with
unscanning all this stuff i want to have
the full empty graph at least once of
the docker layer and so on
and want to see what’s going on so and i
think two hours is
not so much time if you’re doing it
really of the whole stack and all that
stuff
so i think it
is first time for the summary and second
i yeah if you have any questions
feel free to ask i don’t know if it’s
allowed to
to activate your microphone i don’t know
but otherwise just
ask or write it
in the chat i will allow
everybody to talk now so oh
everybody at the same time
okay so if you have a question you are
more than welcome to come
off mute and ask or if you’re feeling
shy you can always
enter it in the q a section
yes so
until i am hearing the first question
i’m just summarizing be aware of
this polyglot environments uh check for
all technologies that are involved
don’t forget your troll stick check this
one as well so if you are using jkit
then
check your jenkins why not and
you can do it in in different ways
so you can have different single tools
but i really
will give you that advice that you have
a tool that’s getting the whole tech
layer so that you have a combined
picture and the full impact graph
shift left as much as possible so even
inside your ide
so that you have all informations as
soon as possible
and well by the way if you want to know
how to do it with the vardin stick just
check out this repository
or if you if you really want to try how
to map the components to the javascript
so any questions let’s see
oh no question so far
okay um just for folks reference
um i dropped in the chat the uh
youtube playlist where this will get
updated to
um so i’ll clean it up after
we’re done and then i’ll i’ll post it on
this playlist so
if you want to refer to it or share this
with other people
this is where this will get populated um
and if we don’t have any questions i
will not take any more time
um from sun and
the attendees and and we can wrap up
so last year otherwise yeah otherwise
connect via twitter connect via linkedin
so if you have any question tomorrow
just feel free to ping me
okay well thank you so much then it was
a great presentation
and we hope to see you again okay
thank you very much and bye-bye bye