Policy as code what helm developers need to know about security

"Cloud infrastructure design is complex and makes even the most straight-forward topics, such as Identity and Access Management (IAM), non-trivial and confusing and therefore, full of security risk. While AWS IAM provides for access via console and API/CLI using access keys, there is also a temporary security tokens feature, designed for secure temporary access. However, temporary tokens have multiple security pot-holes that can lead to exploits. I'll explore the limitations of temporary tokens including: - the lack of visibility/management - minimal logging - limited remediation options and how this can be taken advantage of, especially in combination with other techniques such as assuming of roles, pre-signed URLs, log attacks, and serverless functions to achieve persistence, lateral movement, and obfuscation. In addition, I’ll look at common defensive techniques and best practices around lockdown, provisioning, logging and alerting to see whether these are practical and can shift the field."

"Automating cloud security operations takes a little more than slapping together a quick lambda to fix an open S3 bucket (but that isn't a bad start). In this workshop we will cover the major categories of security automations and present practical implementation techniques. Come prepared to build your own (or use our starter scripts) as we: Review the three major categories of automations- guardrails, workflows, and orchestrations. Build demo versions of each (in AWS, bring your own account), incorporating techniques including assessments, event-driven guardrails, and an incident response workflow. See demonstrations of cross-product orchestrations that integrate commercial tools. Learn the tricks of the trade, based on 10 years of hands-on research and implementation (for realz, check the intertubes if you don't believe us). See what it takes to implement automations at global scale."

Join Datadog for a webinar on monitoring Kubernetes with a focus on Amazon EKS. You'll learn how to get the most out of Datadog's intuitive platform and EKS's unique capabilities, including: How to monitor metrics, logs and traces from your EKS environment How to test the usability of your environment with features such as adaptive Browser Tests and globally available Real User Monitoring How to find and fix user-facing issues with synthetic monitoring features like adaptive Browser Tests and globally available Real User Monitoring

This presentation presented at GDG Bangalore meetup give a star :- https://github.com/accurics/terrascan

This document discusses how Cross-Origin Resource Sharing (CORS) is intended to allow cross-domain requests but can impact security if misconfigured. CORS uses HTTP headers to enable controlled cross-domain access and is supported by services like Amazon S3, CloudFront, API Gateway, and Lambda. While CORS allows legitimate cross-domain content sharing, misconfigurations can bypass the same-origin policy and allow attackers to steal user sessions, credentials, or other sensitive data across domains. The document provides examples of how CORS has been exploited in the past and cautions that even minor CORS issues can become major security vulnerabilities when user contexts are involved.

Roberto Carratalá and Diego Escobar will present on automating cybersecurity solutions in a cloud native scenario using Red Hat Ansible Tower. The presentation will cover 5 labs demonstrating how to provision Tower, deploy an Azure environment, automatically configure Checkpoint security management and gateways, deploy applications with cybersecurity rules, and deploy NAT and firewall access rules. Red Hat experts Adrienne, Leonardo, Asier, and German will assist during the presentation. Access details and passwords to the lab environments are provided.

This document discusses how Chef and Terraform can be used together for infrastructure automation and compliance. It provides overviews of Chef Infra, Chef Habitat, Chef InSpec, and how each integrates with Terraform. Key points include the Chef Provisioner and Provider for Terraform, the Habitat Provisioner, using Kitchen-Terraform for testing, and InSpec-Iggy for generating compliance profiles from Terraform configs. The document emphasizes that these tools can work better together for provisioning, deploying applications, and verifying infrastructure and security compliance as code.

This document provides an overview of monitoring Azure and AWS cloud environments. It discusses why monitoring is important for threat detection, hunting and response. It outlines what aspects should be monitored, including operating systems, applications, network traffic, and cloud service logs. Specific AWS and Azure monitoring options are described, such as CloudTrail, VPC Flow Logs, and Azure Audit Logs. Integrating cloud logs with SIEMs and threat intelligence feeds is also covered. Endpoint monitoring tools are suggested to record process, file, registry and network activity on virtual machines.

Here are the steps to set up the Azure CLI: 1. Install the Azure CLI using pip: ``` pip install azure-cli ``` 2. Log in to your Azure account: ``` az login ``` 3. Follow the prompts to log in through a browser and authenticate with your credentials. 4. Verify your login was successful by running: ``` az account show ``` 5. You can now run Azure CLI commands to manage your Azure resources. Some key points: - The Azure CLI credentials are stored locally so you only need to log in once per session. - You can have multiple subscriptions configured by running `az account

The programmability of the cloud has revolutionized infrastructure deployments at scale and, at the same time, has enabled the automation of both the attack and defense of these deployments. In this talk, I will discuss the open-source tools and the techniques that my organization has used to scale security in the cloud to keep pace with our deployments. I’ll also cover how we’ve used automation to adapt security processes to cloud strategies such as immutable servers. Some topics include: temporal leasing of API access keys and database credentials, automation of patching groups and scans, and automated enforcement of configuration policy.

This document discusses runtime security on Azure Kubernetes Service (AKS). It begins by introducing AKS and how it simplifies Kubernetes deployment and management. It then discusses the security concerns with containers and the need for runtime security. Runtime security involves monitoring activity within containers to detect unwanted behaviors. The document outlines how Sysdig provides runtime security for AKS through its agents that collect syscall data and Kubernetes audit logs. It analyzes this data using policies to detect anomalies and threats across containers, hosts, and Kubernetes clusters. Sysdig also integrates with other tools like Falco and Anchore to provide breadth and depth of security.

From NOVA Cloud and Software Engineering Group meetup, Feb. 17, 2021 https://youtu.be/a5uPm1mPLKQ. Hardening a Kubernetes cluster happens at different levels. We have to examine the nodes where Kubernetes is running. We want to secure the Kubernetes objects and workloads and review the files we used to create them. And we need to look for vulnerabilities in the containers we are using. Gene will show you some open-source tools that can find issues and vulnerabilities at each layer. All of them can be used in a pipeline to build your Kubernetes cluster safely and keep it secure. Gene Gotimer is the meetup organizer and a DevSecOps Senior Engineer at Steampunk, focusing on agile processes, secure development practices, and automation. Gene feels strongly that repeatability, quality, and security are all strongly intertwined; each depends on the other two, making agile and DevSecOps that much more crucial to software development.

This document discusses using GitLab CI/CD to provision and manage infrastructure with Terraform Cloud (TFC). It begins with an agenda that includes an introduction to Terraform and TFC, integrating them with GitLab, and demos of using GitLab CI/CD pipelines with TFC for infrastructure as code. It then provides bios of two presenters and discusses how GitLab offers a single platform to plan, code, test, secure and release applications. The document concludes by pointing to additional resources on using GitLab CI with Terraform.

DevSecOps, or SecDevOps has the ambitious goal of integrating development, security and operations teams together, encouraging faster decision making and reducing issue resolution times. This session will cover the current state of DevOps, how DevSecOps can help, integration pathways between teams and how to reduce fear, uncertainty and doubt. We will look at how to move to security as code, and integrating security into our infrastructure and software deployment processes.

This document provides an overview of automated end-to-end security for AWS. It discusses how the majority of compromises are due to credentials being compromised, failure to patch security flaws, insider threats, or human error. An example compromise is described where a developer at a company accidentally committed SSH keys to GitHub, allowing a hacker to access servers and exfiltrate customer data, resulting in a $148 million settlement. The document then outlines how Lacework can help secure workloads, containers, configuration, AWS accounts, and provide continuous auditing and compliance.

Lacework Head of Research James Condon's BSidesSF19 presentation "All Your Containers Are Belong To Us."

AWS serverless architecture components such as Amazon S3, Amazon SQS, Amazon SNS, CloudWatch Logs, DynamoDB, Amazon Kinesis, and Lambda can be tightly constrained in their operation. However, it may still be possible to use some of them to propagate payloads that could be used to exploit vulnerabilities in some consuming endpoints or user-generated code. This session explores techniques for enhancing the security of these services, from assessing and tightening permissions in IAM to integrating further tools and mechanisms for inline and out-of-band payload analysis that are more typically applied to traditional server-based architectures, and generalising these techniques to APIs for all AWS services.

The presentation discussed the evolution of hacks from 2009 to the present. Key hacks included the RockYou breach in 2009, Stuxnet in 2010, Shamoon in 2012, emergence of IoT hacks in 2014, Visa-Mastercard breach in 2015, WannaCry in 2017, Bangladesh Bank heist in 2016, and the FireEye hack in 2021. The presentation concluded that people will continue to be the main source of attacks, defenses need to move from reactive to resilient approaches, cloud security is important, and more interconnections will create new vulnerabilities as technology evolves.

Spring Boot is an efficient way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure. This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more! You’ll learn how to add these features to a real application, using the Java language you know and love. * Blog post: https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot * Cheat sheet: https://snyk.io/blog/spring-boot-security-best-practices/ * OIDC demo: http://bit.ly/spring-oidc-demo

"Secure development on Kubernetes" With the rise of Kubernetes, the Java developer has arrived in the DevOps age as well. By the multitude of complex tasks, the necessary security is often neglected. Even in managed clusters of well-known cloud providers, there are many traps and points of attack lurking. In this presentation, essential security-critical components of a Kubernetes cluster will be presented. Security problems and corresponding measures to mitigate these will be shown. All steps are described using live demos with an exemplary Spring Boot Java application, that is deployed as a docker container in a Kubernetes cluster, taking into account recommended security patterns. Speaker: Andreas Falk, Novatec Consulting Talk language: English About the Speaker: ********************* Andreas Falk has been working in enterprise application development projects for more than twenty years. Currently, he is working as a managing consultant for Novatec Consulting located in Germany. In various projects, he has since been around as consultant, architect, coach, developer, and tester. His focus is on the agile development of cloud-native enterprise java applications using the complete Spring platform. As a member of the Open Web Application Security Project (OWASP), he likes to have a closer look at all aspects of application security as well. Andreas is also a frequent speaker at conferences like Spring I/O, CloudFoundry Summit, Devoxx, and OWASP AppSec.

1) The document discusses new AWS security services for container threat detection, including Amazon GuardDuty for EKS, Amazon Inspector, and AWS Security Hub. 2) It provides information on how these services can help secure containers by providing visibility, improving security posture, and automating responses to threats. 3) Recommendations are given on how to integrate and leverage these services for continuous threat monitoring, vulnerability management, and streamlining security workflows across container environments.

Many organizations are shifting to containers and Kubernetes, and that move means learning new ways to secure their environments. Kubernetes clusters have to be hardened at different levels. We have to consider the nodes where the Kubernetes control plane is running. We also need to secure the Kubernetes workloads and check the code that creates them. And we need to inspect the containers we are using for vulnerabilities and watch for unusual behavior. Gene will show you some open-source tools that can find issues and vulnerabilities at each layer. You will see how they can be used to build your Kubernetes cluster safely and keep it secure.

In the latest versions of K8s there has been an evolution regarding the definition of security strategies at the level of access policies to the cluster by users and developers. The security contexts (securityContext) allow you to define the configurations at the level of access control and privileges for a pod or container in a simple way using keywords in the configuration files. To facilitate the implementation of these security strategies throughout the cluster, new strategies have emerged such as the Pod Security Policy (PSP) where the cluster administrator is in charge of defining these policies at the cluster level with the aim that developers can follow these policies. Other interesting projects include Open Policy Agent (OPA) as the main cloud-native authorization policy agent for creating policies and managing user permissions for access to applications. The objective of this talk is to present the evolution that has occurred in security strategies and how we could use them together, as well as analyze their behavior in accessing resources. Among the points to be discussed we can highlight: *Introduction to security strategies in K8s environments *Pod Security Admission(PSA) vs Open Policy Agent (OPA) *Combination of different security strategies together *Access to resources in privileged and non-privileged mode

This document discusses how to build high quality Node.js applications. It covers attributes of quality like understandability, modifiability, portability, reliability, efficiency, usability, and testability. For each attribute, it provides examples of what could go wrong and best practices to achieve that attribute, such as using dependency injection for modifiability, environment variables for portability, and graceful shutdown for reliability. It also discusses Node.js programming paradigms like callbacks, promises, and async/await and recommends best practices for testing Node.js applications.

The document provides an overview of using Amazon Web Services (AWS) for hosting applications and storing files. It summarizes key AWS services including Amazon S3 for object storage, Amazon EC2 for virtual servers, and Amazon CloudFront for content delivery. It also provides code examples for accessing S3 and EC2 using APIs and SDKs.

The document discusses CloudStack test automation and continuous integration using Jenkins. It describes using the Marvin testing framework to automate deploying CloudStack infrastructure and running tests. The continuous integration process involves building CloudStack, deploying it to hypervisors and storage, then using Marvin to run integration tests on the deployed environment. Jenkins is used as the continuous integration server to trigger builds, deployments, and tests on a schedule or with each code change. The goal is to automate testing to speed up the process and catch issues early in development.

Spring Boot is an excellent way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure. This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more! You’ll learn how to add these features to a real application, using the Java language you know and love. * YouTube video: https://www.youtube.com/watch?v=PpqNMhe4Bd0 * Blog post: https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot * Cheat sheet: https://snyk.io/blog/spring-boot-security-best-practices/

Cloud-Größen wie Google, Twitter und Netflix haben die Kernbausteine ihrer Infrastruktur quelloffen verfügbar gemacht. Das Resultat aus vielen Jahren Cloud-Erfahrung ist nun frei zugänglich, und jeder kann seine eigenen Cloud-nativen Anwendungen entwickeln – Anwendungen, die in der Cloud zuverlässig laufen und fast beliebig skalieren. Die einzelnen Bausteine wachsen zu einem großen Ganzen zusammen, dem Cloud-Native-Stack. In dieser Session stellen wir die wichtigsten Konzepte und aktuellen Schlüsseltechnologien kurz vor. Anschließend implementieren wir einen einfachen Microservice mit .NET Core und Steeltoe OSS und bringen ihn zusammen mit ausgewählten Bausteinen für Service-Discovery und Konfiguration schrittweise auf einem Kubernetes-Cluster zum Laufen. @BASTAcon #BASTA17 @qaware #CloudNativeNerd https://basta.net/microservices-services/cloud-native-net-microservices-mit-kubernetes/

This document discusses securing DevOps pipelines and Kubernetes clusters. It recommends practices like using multi-stage Docker builds to minimize images, running as non-root users, signing images, scanning for vulnerabilities, using Kubernetes namespaces and secrets safely, and implementing a service mesh like Istio for traffic management and encryption between services. The document emphasizes limiting attack surfaces by securing access to secrets, pods and cluster metadata, and implementing network policies and circuit breakers to control traffic.

Mario-Leander Reimer presented on building cloud-native .NET microservices with Kubernetes. He discussed key principles of cloud native applications including designing for distribution, performance, automation, resiliency and elasticity. He also covered containerization with Docker, composing services with Kubernetes and common concepts like deployments, services and probes. Reimer provided examples of Dockerfiles, Kubernetes definitions and using tools like Steeltoe and docker-compose to develop cloud native applications.