Quick Wins and Low Hanging Fruit @ DevOps Türkiye (Istanbul) Community Meetup

hi everyone
good evening
let us wait for a couple of
seconds
so i think we can start um hybrid
everybody um sorry for delay by the way
because there was a problem on the uh
leaf uh the arranging the exact time so
uh sven here uh with us and he is
developer advocate from jfrog company
you know it is very famous uh company
uh known by the developers and he will
talk about their second topics so
sven it’s yours
okay so hello from germany i hope you
all are doing well
um i assume you can hear me if you can
see my slides
i haven’t checked them on youtube at the
same time so i don’t know but if you
have any questions i will try to have an
eye on the chat so if you have any
questions with that i may
try to answer this one otherwise there
are several things or ways to reach me
so
let’s
talk a little bit about the topic we are
talking about the low-hanging fruits
here the low-hanging fruits of the
sagubs and um yeah assuming the audience
has a lot of knowledge about devops i’m
not sure who have you already played
around with the security topic so
the questions i want to answer through
today is what are the low hanging fruit
so what’s a quick wins means you’re
having devops environment and you’re
going to start with the security topic
so what are the possibilities what is
the best way to start with is what are
the quick wins means the easiest way to
start with most impact and this is
addressing everybody who wants to start
with the security part and
um yeah we’ll find a way to
get first
things up and running so
okay then
my name is van robert i’m the developer
advocate for jfrog and i’m based in
germany and since covert i’m mostly
running
in the woods round and instead of going
to conferences i’m just
recording a lot of stuff and pushing it
to youtube and if you like to see job
related stuff or
security related stuff devops
or dev segments related stuff have a
look at my youtube channels i have to
i’ve
won the german one for sure i’m a german
native speaker so that’s one thing but i
have an english one as well so just
search for my name in english or just my
name then you will find it and i really
would like to have you as my new
subscriber so if you like the outdoor
style perfect and if you just want to
see watch crafting so nothing about
technology check out my private channel
about auto skills okay so
you can win the jay frog shirts
if you are
live attendee here at this um streaming
and if you are one of the first 15 so
go to jfrog.com show notes they will
find corresponding to this event
the possibility to run roughly here to
jetroc.com istanbul t-shirt and the
first 15 will win should so
try to grab one of them
so
what we’re talking about
security for sure and i’m using cloud
native as an excuse but everything what
i’m saying is not only bound to cloud
native cloud native is just one way to
look at an architecture and it shows or
highlights a few things that are coming
out more and more but
if you’re in a traditional organization
with monolith or whatever you can adopt
all this stuff what i’m saying in the
same way don’t worry
if you’re looking at this cloud native
or if you’re looking at the general
topic of of these applications we have
different layers and you have different
possibilities that
source code or that and then
program can help you so and
we we have to think a little bit more
about what what are the different
players where is the best place to start
for example if you have this micro
service or service oriented architecture
or whatever then
if you want to map a bunch of use cases
for example to a bunch of microservice
there is no tool that will say oh use
case a and b fits perfectly to this
micro service and this use case is a
separate use case microservice and so on
or function or whatever
so if you want to divide your use cases
in several parts
there’s a machine that will do the job
for you you have to do it as a human so
you as a human has to decide okay i want
to distribute use cases and this is a
good way thinking about security
yeah what is the best
composition of use cases in terms of
business security or making the
information
central at one place or sharing
information this is something the
machine is not able to help you so you
really have to think about
the service oriented architecture for
example here
and what is holding which part
if you’re going a little bit more to the
communication itself so you have now two
services and you decided what is going
on the wire the machine is not good in
telling you oh it makes sense to use
this three bits of information to send
it over the wire and then your business
is safe and the security is not or the
tools is not able to to
help you to make a business case secure
in terms of it couldn’t be misused or it
couldn’t be compromised on the
business level so
the communication between two services
this is a different thing and here’s a
computer author the program can help you
more the i.t
because the tools can start encrypting
channels can deal with different keys
and all that stuff so it’s a
not the content but the way how to
exchange communication is something you
can um yes secure on a technical layer a
little bit more what you’re learning
from this one is
if you’re talking about security you
have to divide it in different parts
concepts and all this stuff and
technical or technically related stuff
and if you are going to this technical
layer more and more you will see that
the programs in the tools and all that
stuff is more powerful to support you
going down to the container-based
infrastructure
dealing with resilience and and
against in our service attacks and and
breaking through this architecture in
terms of getting user access in the
operating system all that stuff it’s way
stronger the tools because they are
just technical things and not this
business related stuff i think you got
the point but security is really really
strong inside the devs segues
environment and this is where jfrog is
focusing on the dev sega
part and the on the container-based
infrastructure so delivering to a
container-based infrastructure or
delivering to production systems but if
you want to start with security um
the really easiest part is if you’re
starting inside your development
environment or during the time you are
creating your binaries so this um what
what is a good and the bad part for this
microsoft stuff so for all
uh we have with microsoft shorter
uh life cycles
or release cycles means that
you’re writing something you can put it
to production okay this microsoft is not
nice it is something bad and then you
can just throw it away and rewrite it
it’s good in terms of getting rid of old
technology but it’s bad in the same way
because if you’re changing technology
maybe you are not sustainer anymore but
who you are in the other one so for
example for me
i’m since ages in java since really ages
in general i never learned go means if
i’m
if i’m now writing a microservice in go
it’s fun for me for sure i will learn a
lot of stuff but i’m a junior again so
not in terms of the language this is not
exactly what i’m meaning but it’s a
whole ecosystem so what are the best
tracks with compiler what are the good
libraries who’s what’s the trustable
community inside the go community what
are the good reference and so on and so
on so you have to learn all this stuff
again even if you’re a really
old senior in one language you will
learn very fast but you will do a lot of
this beginner mistakes anyway so
it means that um
having the possibility to
go was the time to to fast adapt to new
technologies in the same way it’s
dangerous because you have to re-learn a
lot of stuff in this field
[Music]
thinking about micro services functions
cloud native whatever
what you can see in the composition of
use cases is that we are going more more
to polyglot environments but polyglot
environments leading to polyglot attack
vectors means that if you have different
technologies and you are connecting
different technologies you have
different ways to attack your system and
not only based on one technology but on
multiple technologies and the attack
vector could be
quite um complex and this is not easy to
understand so you need tools that are
able to deal with a whole package not
only one stack not only one micro
service now the whole impact graph of
the whole architecture so and political
environment sometimes even inside and
micro service itself and so thinking
about for example this open source tool
vadim budin is from finnish company and
they build this you’re writing a java
your code and it’s
translating it to honor translating it’s
building a
web app based on web components
but you have written it down in java so
it’s not transparent it’s just
connecting two things it’s connecting
java with the npm stack and then you
have html5 you have javascript and the
npm sake and all this stuff so the
developer will quit in java but in the
end you have a stack that relies on the
live cycle java on the live cycle npm
the whole dependency management there
the whole um vulnerability and
compliance issues that you can have here
and so on and so on so polyglot
environments are sometimes even inside
one micro source
but
throwing everything away what you see
around this different microservice model
is whatever focus on one single part so
we’re focusing now on one single
application if you’re focusing on one
single application
with every abstraction layer you’re
adding you’re adding more complexity
different technologies and so on
so if you have the application and there
are vulnerabilities in and you let it
run inside linux or an operating system
before you
use a virtualization technique like
docker or whatever means that with every
layer you’re wrapping around the
vulnerabilities in the previous layer is
still there
and
it could be used
direct or indirectly but the
vulnerabilities are there so it means
with every new layer you’re just adding
vulnerabilities even if you’re adding
zero vulnerabilities but you’re never
removing vulnerabilities and this is one
thing that you should be aware always
that with every new wrapper around
you’re just adding vulnerabilities per
definition and the same with compliance
issues so talking about security means
that we are not only talking about
vulnerabilities and how to hack your
system and all that stuff it’s fancy
sure but on the other side the
compliance part is important as well
because the wrong license or the right
license it’s wrong place in your
whole production line can be a huge
damage to your whole organization or can
kill the project or even the company so
security means security in terms of
being
yeah able to
defend against and attacks in the same
way as make your business secure in
terms of compliance issues
and here again you have two layers you
have the domain specific part so tools
are not good in making your domain
specific thing secure so can i misuse
this text rule to do something weird but
on the other side it’s a technical thing
can i prevent against or can i defend
against sql injections
this is something that technology
is good so even here you have two
dimensional thing it means one thing is
a domain specific thing this must be
done by humans for sure there is no
really good tool
on the other side the technical thing
tools can support you
enormously so
but the most the most project people
developer whatever you want to say
they’re forgetting one thing and this is
a whole devops
tool stack
um for this just a short side note
you all heard more or less about the
solo insect
what happened here um the company
solarwinds they have 300 000 customers
and they have a product and this product
is managing networks okay so
um this means the software orion
platform is the name um will be
installed somewhere in the network and
is able to do a lot of stuff with admin
rights monitor
things reconfigure things and so on
and
if you have 300 000 customers
most likely the most customers are
customers with huge networks not just
tiny networks because then you’re not
buying this management software right so
what what happened
there was a hacker group
they broke in through into the system
from solarwinds and the target was not
to compromise binary or to steal data or
to
destroy something so no this was not the
type what they have in mind is or what
they had in mind is that they
broke into the ci environment of this
company
and they insert the ci environment they
manipulated the ci environment so that
with every release built
they start building compromised binaries
by themselves so they just provided
internally and it was a little bit
hidden there’s boundaries they wanted to
add inside the ci environment one of the
last steps was just grabbing this binary
and adding it to the program
okay and then they had an automatic
update so they built a huge release it
was already compromised binary then they
offered it via an automatic update to
all of their 300 000 customers and in a
few days they infected over 15 or 20 000
networks
not servers networks because
huge companies with huge networks are
using this
software
and this was more or less a disaster so
the attack was not against the final
target the attack was against the supply
chain this is something we should be
aware as a developer so we are now the
targets and with this we have two
dimensions now we have two dimensions
and this means uh the first one is that
um i need
or i have to make sure that i’m not
compromising
uh i’m not using compromise stuff
on the other side
i have to make sure that i’m not pushing
compromise stuff out so that i’m not a
multiplicator so we have now two attack
vectors against ourselves a pro um
protecting ourselves and protecting our
customers or consumers of all software
even if it is inside the company no it’s
the next department
so uh yeah so uh the first question to
you is any one of you ever checked uh
for example the
jenkins against non-vulnerabilities
who have you protected your compiler and
all this stuff so you have to make sure
that the whole supply chain you have
must be
secured
and this against non-vulnerabilities and
compliance issues but
non-vulnerabilities is here it’s a big
part
there’s a term
called shift left shift left is you
should start as early as possible with
the security stuff
it makes no sense to do it in the end
and for me to remind what shift left
means is i’m just rotating this picture
of application line and soccer and so on
and shift left means
going to the left and the third thing
what we are doing is we are writing
application we are creating source code
so that’s the earlier thing and we
really have to start there during the
time we are writing software not if
everything is done and it’s running no
that’s too late we have to start as
early as possible
what i’m excluding here is the concept
phase
because this is something we have to do
um on a human level inside the
organization but we are focusing here on
the technical thing so having now in
mind that
we have all these different layers and
we have all these different uh attack
vectors inside every text layer we have
to think about um what what is a
composition per layer
so
as the first thing is
if i’m writing a java application i have
something that is managing my
dependencies because i’m writing some
piece of code and the other thing is i’m
using some dependencies i will cover
this in a few minutes
but
what is sure is per layer we have
corresponding dependency managers
because we are not reinventing the wheel
we are working with dependencies we are
grabbing stuff from outside and this is
for every
tech layer so the application may be in
maven linux is a debian layer maybe or
dockers the docker repositories
kubernetes and so on but again the most
people are forgetting if they are
starting with security the whole text
stack so all binaries inside this text
stack should be
available in an immutable
way or repository as well to make sure
that there is no compromisation so okay
but if you are thinking about this
single point that will try to help you
to understand
the whole tech layer
you need something that’s able to
understand every text layer and then you
need something that’s able to work with
this metadata we at jfrog we have
artifactory that’s a binary manager or a
manager for dependency managers we have
a different kind of repositories where
all this meta-information and binaries
are stored and then we have x-ray that
is connecting through it and working
with binaries and the meta information
to get the full impact graph i will
cover the full impact graph in a few
minutes again but um have in mind that
these are the essential tools to deal
with the whole meta information built
info and all the stuff and binaries and
on the other side where it’s a
possibility to have access to all layers
and don’t forget your tool stick this is
really really important so don’t forget
your toolset scan your jenkins check
your compiler check whatever
we have different terms and
if you start with security
there’s mostly a challenge with
different parts of the company so how to
implement security what the best way and
one thing i always see is that there is
a lack of
wording
so a lot of companies are
using more or less are describing the
same mechanism using different words
and so on and here are two things that
are highly recommended to think about
and talk with management for example
about it if you want to start
implementing security
the first thing is time to market
if you’re talking to a management layer
time to market is very common for them
what they understood or what they’re
meaning with this is you have this use
case
we have this description then we have
this time of creating this stuff and
then it must be as fast as possible
delivered to the customer so that they
can use it the company can charge it
okay so if i want to get money for it
means i have to clearly a vision what i
need
and then i have this production phase
and this must be as short as possible
and as cheap as possible and then i need
the possibility to use it
why why i never understood it why not
thinking with security in the same way
so what is security security is a
requirement like a use case there is a
vulnerability for example
then you have exactly the same behavior
it must be delivered as fast as possible
to production
not the vulnerability but the back fix
of the security fix okay
so you have that requirement there is a
vulnerability must be fixed then you
have the possibility to fix it then it
must be as fast as possible delivered to
production so that it couldn’t damage
not get more money but not losing more
money okay it’s the same it’s just the
opposite of it
right
i see so often that
process of there is a use case and then
do it and push it to production and then
we will test it this is optimized yeah
and then you can just do it
but for security issues they have
different processes
and then they have this
this guy must say yes the next one must
prove it the next one has to do
something and then they have a really
slow process of fixing vulnerabilities
and this is just a nightmare so if you
have the knowledge about vulnerabilities
then it’s a requirement handle it like a
refinement optimize a whole production
line to get rid of this stuff as fast as
possible and make sure that you have the
same lean processes to push stuff to
production
and as i mentioned i see so many
environments where the use case is fast
on a fast track and security fix are on
the slow track that makes no sense so
talk about time to market with your
management with your lead or whatever to
get that thing done make this process
lean fast easy and fully automated the
next step is make or buy
the most people know okay we don’t have
this knowledge and then we can hire an
external and he will do everything great
because he had so many experience and he
saw it in so many different companies
and
then i’m just paying money and stuff is
done okay let’s make a buy on the
economic pattern and i think we all had
our experience with this
the pros and cons
but
we as a developer we’re doing exactly
the same and we have exactly the same
issues we are not hiring external but we
are using externals in terms of we are
adding dependencies and here again it’s
the same mechanism and the same way of
talking about the risk the investment
and all this stuff
should i learn this stuff by myself
should i know enough about this
technology that i
um that i’m able to identify if my
depends here if this external guy is
doing the right thing
how to make sure that i have a good
amount of quality in my external
dependencies
and i don’t
or i shouldn’t reinvent the wheel by
myself so if the if i have no clue about
how to create a pdf
then it makes mostly no sense to learn
all the pdf specs writing a pdf
generator and then doing this one
because i know more about pdf after this
for sure i have a lot of security issues
for sure and then i have to maintain
that stuff no time for this on the other
side if i’m adding a pdf library i must
be able to understand what is a bad
thing in pdf oh yeah you can add
javascript and then it could be executed
okay so you need to learn a little bit
about pdf then you must be able to test
and verify the functionality then you
have to decide what’s enough and what’s
a good dependency so what is external
you can trust
okay i think this is more or less clear
so we have to deal with dependencies and
we should treat it in the same way so
don’t add just dependency because yeah
it looks nice and then do it you
wouldn’t do it with next certain
consultant
okay you wouldn’t just say hey yeah
looks cool just do it and forget and
then firing the next one don’t do the
same stuff with your dependencies okay
we have different approaches inside the
security area and there are two main
parts one is a developer centric part
it’s zust static application security
testing the next one is the ops part
more or less a dynamic application
security testing and then we have a few
combinations and rasp as a
runtime protection
okay so uh what’s this
with zest we mean
that we are able to scan all static
parts of an application
and searching for known vulnerabilities
okay what what mean non-vulnerabilities
non-vulnerabilities are identified
vulnerabilities with knowledge how to
get rid of them or there’s a patch
already and whatever so it’s maybe not a
patch already but we know this
vulnerability what’s going on so uh
these are non-vulnerabilities then there
is a certain amount of unknown
vulnerabilities and the unknown
vulnerabilities is everything we don’t
know and then we have to think a little
bit about the balance between
non-vulnerabilities and unknown
vulnerabilities
if i can trust different
reports i was i had the chance to read
or different other companies
that are doing way better research than
me because i’m not a security researcher
in detail and i don’t have too many
statistical material but
what they are saying is that the whole
amount of non-vulnerability is just
constantly growing okay except because
the non-vulnerability is never removed
you have something against it that’s a
vulnerability there
okay so this amount is constantly
growing and then the amount of unknown
vulnerability is smaller than the amount
of known vulnerability first of all the
non-vulnerability amount is constantly
growing since a long time and
the amount of unknown vulnerability is
limited by the people that are able to
create no
new vulnerabilities and this is
this is not a group that is
exponentially growing this amount of
humans that are creating vulnerabilities
so the assumption is that the amount of
known vulnerabilities is in some range
but more or less constant
but from this
step-by-step vulnerabilities are
converted to known vulnerabilities and
this amount is constantly growing
okay having this in mind means that
fighting against known vulnerabilities
has the fastest and biggest impact and
this is something you need to do because
this is growing anyway
okay so and this is where static
application security testing is focusing
on so static application security
testing is losing the dynamic context of
an application but it can search for
already known vulnerabilities and here
you can scan hundred percent of the
whole test tastic okay
the opposite is dynamic application
security testing for this one you need
an already running system
just you can do immediately with the
first code of line of code you’re
writing you can start with scanning what
you have on the other side with dust you
need something that’s running and then
it must run in the same context of the
operation system you want to protect so
it makes no sense to have a dust
application where you’re testing stuff
and in the end you’re using a completely
different environment to run it so you
would lose a lot of the power of dust
tools
these test tools they have this hack
approach they are looking from outside
to an application and try to identify
the weak points here
the attack vectors are mostly based on
the most common vulnerabilities most
common vulnerabilities that are defined
so like
sql injection heat them
so memory terms and all that stuff so
you have a list of this one that are
language neutral and mostly
yeah mostly
seen already
and then the the weak point with dust
towards is first of all you need
something that’s already running so it’s
very late in production it’s again shift
left
the next thing is a tool need
if it is just as soft as a server thing
you need access to your to your
application it’s way better if you have
it on some production like systems
because then you have the potential to
identify
reconfigurations or open ports and all
that stuff
and
the next thing is that most attack
vectors are built based on this
multicore vulnerabilities
and um there is a tiny chance to or
mostly no functionality to define your
own attack vectors against the system
and if there is a new attack vector that
will take a bit time
not endless but a bit time depending on
your service you are using to adopt to
this new
attack vector
okay
and then the next approach if you have
zest and dust the next next logical step
was to merge both its interactive
application security testing so you’re
merging both approaches it’s like a
security debugging of your system so
you’re ramping up your application you
have full access to all
components of your system you’re
checking all binaries and all
configurations all this stuff you’re
bringing it in in context and then
you’re doing this dust stuff so there’s
mercury vulnerability based attacks and
then it is in a way that you can
manipulate the attack in a way that you
are identifying your individual attack
vector against this system so and this
is a b so
theoretically this is a perfect thing
okay because it’s just merging zest and
dust
if you start with security
it makes no sense to start with
interactive application security testing
because you need the knowledge how to
attack how to compromise your technology
and all this stuff and most likely you
need very highly educated people in this
specific area to make the most usage of
iest okay this is interactive
application security testing
these are the three testing things so
more or less two exhausting dust and
then the combination with
your own attack vectors in iris
then there is rasp
runtime application security protection
means
that this system is
used
to
identify an ongoing cyber attack means
rasp
is completely useless in test staging or
even
all the stages rasp is only useful in
production
most technologies are with this agent
approach so you’re ramping up an agent
this agent is manipulating the software
you’re using and then they try to
identify with machine learning and other
techniques and patterns and all this
stuff to identify they are
different users or different actions
that
that looks like an attack and then you
have to mode um
you can just monitor it and alerting and
the other thing you can proactively just
stopping this application so this is a
rasp so it’s really protecting the
runtime production against ongoing
cyberattacks
what is the best order to start my
personal opinion is that you should
start with zest because this can you do
with a
minimum amount of knowledge about how to
attack systems and all this stuff
if you have this in place and this is
running then you can start testing your
environment with
with the approach of most common
vulnerabilities so dust tools and if you
have budget left and you have the
infrastructure and the possibility to
use agent approaches so this agent-based
approach then you can use rusp as well
starting with rasp is mostly a very
counterproductive thousand or a way
because mostly the developers knobs
people saying oh if i’m missing
something rust will catch it and this is
mostly
not good for the quality and some other
things and having in mind raspberries
mostly on this agent approach means if
the whole production line is weak
you can get compromised agents as well
so you have to harden your whole tech
stick against non vulnerabilities and
compromising binaries before you are
introducing the next
level of manipulating automatically with
some external dependency my production
line okay having this in mind so thus
does rasp if you ever be able to use is
interactive application security testing
depends really on if you have the right
skill people in your organization that
are able to do it
okay
back to the application if you want to
now to to start
and the easiest way to start is just
why and why this is good
so if you’re looking at the whole tech
layer applications
how much lines of code or how many lines
of codes you are writing by yourself and
how many lines of code you’re adding as
a dependency most likely it’s in a way
that you have a huge amount of external
lines of code grab fire dependency
compared to what you’re writing itself
so even if you’re writing a million
lines of code your dependency in the
most environments i saw not always but
the most environment is just
a huge amount of
potential amount of of this lines
as a dependency if you’re going towards
the operating system it’s even worse
you’re writing a few configurations
you’re not writing a kernel driver
mostly some people yes but mostly you
are not writing kernel driver and the
rest of the operating system is a binary
you’re grabbing and there’s a huge
amount of lines of codes so it means
your configuration a few lines of codes
again this amount
of lines of code that you’re grabbing
from outside docker is the same you’re
writing a docker file maybe and the
first statement is from so it is a
dependency anyway
and then
you’re going to the kubernetes layer and
then helm charts and all this stuff so
looking at all this the amount of stuff
you’re doing by yourself and the amount
of stuff you’re grabbing as an ex
external dependency looking at the whole
text deck is
the balance between in this way that the
dependencies are the most dominant thing
so
make it sense to scan your own source
code against non-vulnerabilities with
zest to have machine learning running on
your own source code
no because it’s a tiny part
and the tools that are scaling with
machine learning and all this stuff your
source code they’re missing a little bit
the context
you can have best practice and you
should write
code in best practice make sure that
you’re not
just using all input fields and just
pushing it to the database sql injection
not reading just binaries and executing
everything and so okay that’s fine do
this one but analyzing the source code
with tools extensively would be the
wrong focus focus on the dependency
because it’s just the biggest part and
then
it is a part of just static application
security testing and again what the most
environments are for getting the dev
segments part
check your compiler your scripts your ci
environment your whatever so everything
you’re using internally is with this
attack against supply chains
a target so you have to harden your ci
environment you have to scan your
jenkins you have to scan your team city
whatever so scan your environment
everything
okay
we have two things that um
they are all competing for um
a condition now for
no i mean seeing the word sorry so but
we we have two things that are here in
the field so it’s compliance and
vulnerabilities and we have different um
different
behavior
so compliance if you want to start with
compliance scanning the machine is very
good to scan all binaries into for this
you need to understand dependencies and
their direct and indirect dependencies
so it makes sense to analyze analyzing
meta information and then see okay at
this dependency will have this
dependency on this dependency and so on
and then the machine can scan for uh
license issues so for compliance that’s
easy but the initial work here is that
you need someone who’s able to decide
what is a good license and a bad license
for this part of the supply chain okay
this is the initial thing and then you
can feed with this machine and the
machine can just doing this ongoing job
in a very fast way make it sense to scan
again and again against compliance
yes
looking at different projects for
example a very prominent one is jakarta
e so java ee was jakarta ee is now
eclipse ee and is now i was eclipse e
and i was jakarta i lost the overview so
we have this one so moving big projects
on the other side
um there is a dependency and internally
he is using maybe
some collection library and then he
decided to switch to another collection
library because it’s cool
then
it’s not good to trust this developer
that he will do the compliance work
perfectly so you have the same
dependency in a new version but
indirectly you’re consuming a different
dependency so it makes sense that you
are scanning this stuff on a constant on
a frequent base
vulnerability there’s a different b so
the initial effort is zero just say
there are the binaries do it scan that’s
it the machine is scanning on the other
side you will find very often
vulnerabilities and not so often
compliance issues if you fix it once and
then you have to do what’s going on
the compliance issues here they’re
tricky
so you have a compliance issue and then
it’s a single dot in your whole tech
layer so the whole thing
and the only thing to get rid of
compliance issues is you’re removing
this part and replacing it by semantic
equal implementation with the same
functionality here and this is sometimes
really a piece of work yeah so that’s
one thing but if you have done it once
mostly it’s quite it’s not changing so
often
another thing is vulnerabilities
vulnerability is to get rid of
vulnerabilities you don’t have to change
the implementation against a semantic
equivalent you can just use a different
version of this dependency
and this means that the
full amount of vulnerabilities or attack
vectors are based on the whole
composition of versions
because the weak point with
vulnerabilities is you have in different
layers different vulnerabilities and
they can combine two different attack
vectors so it makes no sense just to
scan one layer just docker images or
just whatever wavelength is you need the
full understanding okay this jar is in
this web archive is used in this docker
layer this is using this docker image
and this was used by this helm chart and
running there so you need the full
understanding to know where all these
weak points are and what are the
possible attack vectors against your
system okay
but
let’s talk a little bit about the
lifetime of vulnerability to understand
what is the best part where you could
uh speed up the whole fight against
vulnerabilities
uh people are creating vulnerabilities
accidentally on purpose can we change it
no
i can work on myself to
to use best practices but it could
happen that i’m creating a vulnerability
okay
so next thing is
what is the first time we know so if
this vulnerability is found someone
thought oh there’s a weak point
then the next thing is if he is a good
one he will try to make this information
public public available somehow if he is
a bad one he will use it for himself
selling on darknet using it for his own
attack whatever so if it’s found by
someone who is
bad yeah so bad hacker then for me the
lifeline is more or less invisible i
can’t we can’t do anything against it
because it’s it’s somewhere it’s there
it’s found but from the wrong person
if it is found by someone who will push
it to a vulnerability database so that
it could be consumed by everybody else
and that a good way so the live line of
this dependency is is visible for me now
so i’m now a security researcher i found
a very critical thing and now i try to
sell it what is the best way or who i
will sell it okay
the first thing is that
this is amount of money i can spend this
money or i can earn money with this one
and now i will decide who will give me
the most money of this if this
vulnerability database one or two
i don’t know so sometimes i will sell it
to a sometimes to be and i will just
do it with
well where i’m getting the most money so
uh what does it mean
if i’m focusing on one vulnerability
database
it’s always a subset of dependency oh no
it depends it’s a subset of
vulnerabilities why
because i have no clue if it is sold to
this one or that one
so what whatever depends or
vulnerability database i’m using or
choosing is it will be the wrong one we
had jeff rock learned it in the same way
and we know it and so the only thing
what what is possible to work around
this or to to get this one you have to
build a super set so if you are deciding
to consume void you must decide who what
vulnerability database you are consuming
otherwise you don’t have the information
you have to make sure that you’re using
a superset to get the biggest umbrella
you could get
um
so just one single vulnerability
database is not enough you have to
combine different resources and this is
exactly what the driftwork we are doing
we have our own security research we
have vulnerability database free one
open source one commercial one and so on
and with this one now this work will
start the knowledge of this
vulnerability must be
transferred in a consumable way so it
must be available so not only is it in
force public failure it must be
consumable and consumable by you and
here is if you like it or not most
likely mostly
the free vulnerability databases are
smaller and slower
why
yes the security researchers they want
to earn money so they are not giving it
for free they are mostly selling it
means you need to spend
if if this time is critical if you want
to speed up the
time from the knowledge there and you
can consume this information if you want
to minimize this amount of time you have
to spend some money or to find another
way how to get to this information but
most likely the free ones are slower
we can endless discuss if this is good
or bad or whatever and that is economy
and now the information is consumable so
you have the whatever you’re choosing so
free one the commercial one a or b or c
or whatever whatever information pool
you’re using now you have the
information so now the time is running
because from information is consumable
time starts running to fix in production
that’s exactly where you should focus in
the beginning it must be automated in ci
environment must be fast and all this
stuff you need to have lean processes so
that there is no approval process and
all this stuff is
blocking this one so information is
consumable until fixed in production
that is where you should focus first on
so that you have the most impact on it
okay
now as a developer
what is the best safety belt you have
and this is really true so against
vulnerabilities all compliance issues
the best safety belt for you as a
developer is good test coverage
why
if you have to replace an implementation
within semantic equiron what’s the best
safety build it has coverage because
then you can change first and verify
that it’s running in the same way if you
have to build a new composition of the
same dependencies to get rid of
vulnerabilities it could be inversion
increase or decrease
the whole composition must be with less
vulnerabilities or less critical
vulnerabilities means you need to use
test coverage
to change the version that the test
coverage run and just push it to
production i personally i’m a big fan of
mutation testing because this is a very
strong test coverage um
identify what’s working best for you if
you want to check it on my youtube
channel i have the explanation about
mutation testing and how to run it and
the basics and the theoretical part
behind it
but whatever it is the best weapon
against non-vulnerabilities and
compliance issues is very effective
dependency management because this has
the biggest impact because you are
working with 99 percent of your taste
segment
and as a developer
a good test coverage is really what you
need
so
back to the previous thing what is the
best place to
start with this if you want to have all
known vulnerabilities in the whole
technique you need a single point where
all binaries are running through and
this single point must understand not
only the binary it must understand the
meta information as well so this
dependency has an expectancy as an x and
so on and if you have the possibility to
read this metadata and you are
understanding the full input graph then
you or the full dependency graph you can
create
the impact graph of vulnerabilities and
this is exactly what we are doing
without factoring x-ray
and if you want to try it i have three
workshops where you can just register
and i have it every few weeks i have
this one and you can use a factory and
x-ray for free in the free tier so check
out for freight here and then register
and use this binary storage with the
security scanner if you want to know
more about the product how to use this
feel free to check on my youtube channel
or go to one of my webinars then i’m
explaining the tool itself and how to do
it inside an ide for example so it was
ide plugin so very cool stuff but the
right place to start with security is
where all binaries are running through
and if you’re doing it for your
production
why not using it for your infrastructure
as well so if you have a router that’s
consuming linux linux then use
artifactory as well to correct this
binaries over artifactory to make sure
that you can skim all binaries that are
coming through and so on and so on so
don’t focus it just on dependencies for
your app you’re creating
it’s all infrastructure run over it
that’s the best way because then you
have really it’s a full input graph of
all components of your project
okay so slowly we are coming to the end
so if you want to win a jfrock t-shirts
the first 15 will get it it’s driver.com
is some whole t-shirt um yeah you can
stop the video at this point to write it
uh down or we’ll write it in the
comments maybe so that you can do it and
then you will find the slides and have a
mind if you want to hear the stuff in
german go to my german youtube channel
or go to my english youtube channel sven
cooper in english so i really would like
to get you as my new subscriber if you
have any feedback contact me by linkedin
twitter
don’t use email that’s just a mess but
all the social media stuff works fine so
if you have any questions feel free and
connect and i really would appreciate to
have a discussion with you about the
pros and cons and all this stuff and
this i can just say thank you very much
for attending whatever time you’re
looking at this video and watching it i
can say enjoy the rest of the day stay
safe and see you somewhere
virtually or maybe real in the future
okay
so i think
i’m done with my topic
yeah thank you swan by the way uh for
your time and it was a really cool and
helpful session i can say that
so
yeah
if you have any kind of question you can
ask on the channel so i can reflect it
to this screen
so
yep
okay
maybe a couple of minutes you can wait
maybe i can also as something because
uh especially everybody nowadays using
the containerization technologies right
we are using docker images everywhere
and um in order to store our docker
images we are using different kind of
maybe your old site registry maybe
software as a service
so um
for example i i’m using koi io let’s say
that just an example they are doing a
docker image scanning
and then let’s say that i am using jfrog
for my artifactory and i can also store
that part
so
you mentioned the diagram about this
devsecops and it is kinda compatible
with helm
maven different kind of artifactory
tooling so
can we say that for example on the
document generation site i am already
scanned my image on the koi io i how can
we just
ignore i eliminated duplications i mean
my image already scanned on the some
kind of third party service and i don’t
want to make it run on the jfrobside for
example
do you have this kind of integration so
instead of
let
jfrog scan my image
just provide the
integration let’s say that
it can be feeded by some third-party
service
so first of all all servers we have
they’re available via command line
interface and rest interface okay
and the all components have web hooks so
you can start external processing to do
something and with rest interface and
web books you have the possibility to
create dynamic workflows whatever this
workflow is we have a ton of integration
to different third parties i don’t have
all of them in mind so i really have to
check somewhere and list what’s
available but
if you want to scan just maven and
debian then for this repository you can
activate x-ray and if you don’t want to
scan docker images then don’t
activate x-ray photographer images or
docker repositories so you can very
fine-grain decide what should happen and
on the other side if you have the third
party tool and that’s scanning something
the cost of scanning inside artifactory
the docker image itself again
is not really huge yeah so
it’s a traitor of what what you want
and
you have different ways to scan so first
of all you have this classical thing
that you have this policies and rules
where defining what what is necessary so
if i have something with a cvss value a
or b
break a build uh send an email
blocks the download whatever so
different things you can start
and on the other side you can
use this information inside your ide as
well so with this ide plugin
intellij and his code and eclipse and
whatever and then
you have this information about
vulnerabilities already inside your ide
so you’re adding inside your pom file a
dependency jakarta comments whatever and
immediately you will get the information
okay in this version and all
dependencies from this dependency you
are adding you have the folder following
vulnerabilities and then you have it in
your ide already so
way earlier before you are creating a
docker image anyway and this is
something i really would
recommend that for the technologies
you’re using
try to identify it as early as possible
so often i see
that they are working
two or three days creating a docker
image and then they see there’s a
vulnerability inside the
i don’t know java layer for example
and this is just a waste of time because
you spend already so much time to create
it to identify there’s a vulnerability
and then you have to remove it
so with all the security stuff you’re
doing whatever you’re using try to do it
as early as possible and the best way
for me as a developer is
i need this information straight away
inside my ide directly if i’m adding a
dependency and if i say okay version two
has this vulnerability i have to go back
to version one i’m doing it immediately
including against this one
okay
so that’s that’s something it’s it’s
mindset how how to deal with security
and it’s it’s a functionality
everybody in the devops team has a
dedicated part where he
can efficiently work against security
issues with like quality
if you are doing crap in the beginning
it’s hard to do it later
so it makes really sense to do it as
early as possible and everybody the
developer is managing dependencies he
hopes people are running scanning
configurations and the operating system
and so on and so on i see there is a
question or what about the vulnerability
is discovered after the application is
published
in public
public available did you cover any such
scenario in real life
i think runtime
scanning or something like that so you
have different approaches to this one so
first of all this solarwinds hack was
something like this and what they
introduced with the executive order of
cyber security from mr pardon is that
the us government now wants to have
nasbom it means a full list of all
ingredients of software that is consumed
or run by the government why they want
to have it because they want to have
this dynamic information like okay there
is a vulnerability and then they want to
identify what part is infected somewhere
okay
and we have this since a long long time
it’s called build info and this is a
combination between static immutable
data and
active data warm data the vulnerability
databases
so
if you have an image and this is pushed
already
to scan production against
vulnerabilities is
semi-optimal because you have the
knowledge of
what are the ingredients
and what is a place
to let this image run so there is no
need to scan
production this would be a performance
issue it would be a weak hole where you
can sneak in and so on so i would prefer
something like i know exactly where my
images are running
and i have this information
immediately after an update of
vulnerability database and then i have
to fix it anyway
until this time i can decide i have to
shut down production or
i let it run and i have to prepare or to
provide and fix as soon as possible
i’m not sure if i really covered your
question here just let me know if if
this was um
another tool to what you um ask here
so
okay any any i don’t know how how much
is the delay from streaming out to
youtubers but i think just a few seconds
so
if there is anybody with more questions
just write it in the comments i will see
it here
quite soon i hope
okay
yep
i think there is no other question so
maybe we can finish
yeah so otherwise
i’m
available social media internet
everything don’t try email please don’t
use email that’s very important it’s a
mess
but everything else is fine so connect
via twitter or
on youtube that would be perfect then
you can ask anyway even if you see this
video in two weeks or three weeks
feel free to contact me
so
okay
any questions from your side
or we are
more or less yeah we are done yeah yes
thank you sven again for your time and
for your valuable information about on
this domain so
thank you everybody and have a nice
evening have a nice day
see you in the next event
okay bye
you

Start Free