Trusting Your Ingredients - What Building Software And Cheesecake Have In Common

@JFrog | jfrog.com/shownotes | #Meetup | #DevSecOps | @LeonStigter
Trusting Your Ingredients
What Building Software And Cheesecake Have
In Common

A big thanks to our hosts of today

https://jfrog.com/shownotes
shownotes
Slides Links Comments
& Ratings
Raffle

Who am I?
• Developer Advocate
• Passionate about Serverless,
Containers, and all things
Cloud
• I love dadjokes, cheesecake
and Go
@LeonStigter
Leon Stigter, Developer Advocate

• A giant cybersecurity breach
compromised the personal
information of as many as 143
million Americans
• An attacker could exploit “this” by
using a malicious tar binary to write
files to any path on the target
machine whenever
Let’s play a game! Which project is this…

There are 2 hard problems in computer science:
cache invalidation, naming things, and off-by-1 errors.
- Leon Bambrick

What is devops?

What is devsecops?

What is devsecops
SECURITY
The philosophy of integrating security practices within the
DevOps process. #SecurityFirst culture!
How? Introducing security earlier in the life cycle of application
development

P
Protocols, like zero-trust, to
implement in your pipelines
The three P’s of devsecops

P
implement in your pipelines (what)
Processes, dictating how to add
security to DevOps

P
implement in your pipelines (what)
Processes, dictating how to add
security to DevOps
Philosophy, of shared ownership and
cooperation between the teams (why)
Source: https://www.infoq.com/articles/evolve-devops-devsecops/

Who cares about security anyway?
¯_(ツ)_/¯

Q1 2019
• More than 1900 incidents (up by
56.4%)
• Close to 2B records exposed (up by
28.9%)
Well, lets talk about numbers

Q1 2019
• 3 breaches with 100M+ records
• Business sector is targeted in 85.6%
• Hacks are 84.8% of breaches
Let’s make it slightly worse

My personal favorite
“14.7% of breached organizations were
unwilling or unable to disclose the number
of records exposed.”

Let’s welcome on stage our main characters
Making a cheesecake Building an app
Ingredients
Libraries (Jars,
Modules, Gems…)
Recipe Source code
Kitchen stuff (whisk,
bowl, spatula)
Dev tools (editor, cli
tools, vcs)
Appliances (oven,
fridge)
Build tools (CI/CD
server)
Fork Runtime

Will subpar ingredients
get me the best
cheesecake?
Let’s imagine you’re a chef

Where do the vendors I
use get the ingredients
from?
Let’s imagine you’re a chef

End-to-End
transparency
TRUST
Traceability
What matters for ingredients?

Where do my ingredients come from?

• Identify what’s in a package
• Identify who’s using it
• Identify where it’s stored
Why do we care about traceability?

• Versions are tags, and are dynamic
and mutable
• Latest is not always really latest
Docker makes things a little tricky
my-image:5.0
OS layer
1.0
Framework
layer 2.0
Application
layer 2.0
OS layer
1.1
Framework
layer 2.1
Application
layer 2.1

• It let’s you pull code and
dependencies into production
systems
• It let’s you update databases or call
external services with POST data
Docker makes things a little tricky

Let’s do a quick poll (Question 1)
Who is using Open Source tech?
Yes No

Let’s do a quick poll (Question 2)
Do you have influence over which tools
your company uses?
Yes No

If you said ”yes” to question 2, you’re not alone…
71% of developers have some influence
in software choices
Source: State of the Developer Nation, 15th edition

98%
of developers use
Open Source tools
at work
96%
of commercial
apps embed Open
Source
79%
of businesses use
Open Source for
key systems
If you said ”yes” to question 1, you’re definitely not alone…

Trust, but verify…
Do you trust your colleagues?
I hope the answer is yes

Trust is built with consistency
Do you trust the rest of the world?

End-to-End
transparency
TRUST
Traceability
What matters for ingredients libraries?

I think it is safe to say that…
Having trust in where your ingredients come from
and who made them is important in both making
cheesecake and software

Protecting your recipes

35 licenses
• 13 require you to publish
product sources
• 4 allow users to ask for
sources on hosted software
Open source licenses
Source: https://choosealicense.com/appendix/

Source code
Recipes in software
Developers programming in
DevSecOps environments
fix 11x faster than other
developers

“Security is your friend! Seriously! Developers are the true
sentries of product security, as not introducing accidental
weaknesses in the first place is always much better than even
the fastest hotfix process later on. DevSecOps practices that
make developers into security champions”

So lets look at some of that in action…
Yes, I’ll use JFrog software but it’s equally applicable to other
software vendors & products too J

Common faults
• Input Validation
• Memory Corruption
• Numeric Errors
• Cryptographic Issues
But what about
• Hardcoded Passwords,
• Missing Validation
• Backdoors
• Data Anomalies
Recipes in software: things to watch for
@LeonStigter | Copyright © 2019 JFrog. All Rights Reserved

Immutability and repeatability
The best way to guarantee issues is force push
Immutable dependencies
Who doesn’t remember left-pad with Node.js?
Lost Dependencies
Do you trust your suppliers enough?
Internet Issues

Where should we inject security?

• aims to embed security in
every part of the application
lifecycle – run time, build time
and even development time.
• means developing more
secure applications faster
refusing to accept that the two
(secure & fast) are mutually
exclusive!
At the beginning of the process!
Shifting left…

Buildtime, Runtime, and real-time security

• Treat DevOps as code (automate
your processes as much as possible)
• Standardize and automate your
security and governance processes
• Get insights into your end-to-end
process (visibility and transparency)
Devsecops do’s

• Have developers write and maintain
scripts for DevOps
• Think that all current tools and
processes will magically work when
moving to cloud or containers
• Believe that a single vendor has all
tools you need
• Think that security is someone else’s
problem
• Think that a firewall is more than
adequate security
Devsecops don’ts

Trusting your
ingredients
Trusting your
suppliers
Transparency
in your
process
recap

• https://jfrog.com/shownotes
• @JFrog
• #DevSecOps / #DevOps
• @LeonStigter
Twitter, ads, and Q&a

Thank you!
Stay safe!

Trusting Your Ingredients - What Building Software And Cheesecake Have In Common

Related slideshows

More Related Content

Trusting Your Ingredients - What Building Software And Cheesecake Have In Common