Conf42 DevSecOps 2021
2021
List of videos

Premiere - Conf42 DevSecOps 2021
Build security into your DevOps! Full event schedule: https://www.conf42.com/devsecops2021 Discord server: https://discord.gg/DnyHgrC7jC
Chapters:
0:00 Sponsored Segment
6:50 Welcome! (Discord, Sponsors)
Keynotes
7:15 Adelina Simion & Ross McFarlane - FORM3
8:03 Travis Gary - Teleport
8:26 Josh Stella - Fugue
Testing
9:08 Pawel Piwosz
9:48 Tal Melamed
Tools
10:26 Magno Logan
11:00 Ismael Hommani & Tanguy Combe
11:50 Noaa Barki & Shimon Tolts
12:16 Radosław Piliszek
12:56 Filipi Pires
K8s
13:33 Eyar Zilberman
14:14 Mathieu Tortuyaux & Sayan Chowdhury
14:59 Jhonnatan Gil Chaves
Pipelines
15:28 Christopher Van Der Made
16:18 Peter Maddison
16:39 Rob Richardson
Lessons learned
17:34 Sven Ruppert
18:19 Adarsh Shah
19:01 Eran Bibi
19:34 Senthil Raja Chermapandian
20:12 Matty Stratton
20:54 Jonathan Williams
21:19 Manuel Schuller
21:55 Jeroen Willemsen
22:32 Ryder Damen
22:57 Let the conference begin!
23:26 Packt Pro System
23:58 80 Level free Premium opportunity
24:20 Conf42 will be back in 2022. Cheers!
Building our own custom Code Insight tool | Adelina Simion & Ross McFarlane | Conf42 DevSecOps 2021
Adelina Simion & Ross McFarlane, Form3
Form3 are on a journey in scaling up - we are expanding our codebase and our engineering teams as fast as we can! In this talk, we present Code Insight, our tool for scanning our code for vulnerabilities:
- First, we introduce how we work and deliver code at Form3 to set the scene of our DevSecOps practices.
- Then, we move on to discuss what the requirements of Code Insight are to fit our practices at Form3.
- Next up, we present the Code Insight architecture that we have built using GitHub webhooks and AWS technologies.
- Finally, we round off the presentation with our lessons learned and next steps.
Join us to learn how we used Code Insight to scale and deliver faster than ever before! 🚀 Other talks at this conference 🚀🪐 https://www.conf42.com/devsecops2021 — 0:00 Intro 0:26 Talk
Using Infra-as-code, not Jira tickets to pass audits | Travis Gary | Conf42 DevSecOps 2021
Travis Gary, IT Director @ Teleport
Jira tickets are often seen as a necessary evil in order to satisfy compliance audits; however, infrastructure-as-code can replace tickets while providing real security benefits. Learn how Teleport utilizes Terraform to make developers, auditors and the security team happy!
Minimizing the Blast Radius of a Cloud Breach | Josh Stella | Conf42 DevSecOps 2021
Josh Stella, CEO & CTO @ Fugue
The recent Twitch breach may have begun with a lone server misconfiguration, but its blast radius reached everything from sensitive customer data to source code for yet-to-be-released applications. Today’s cloud attacks don’t exploit a single misconfiguration, but rather a series of them. In this session, Josh Stella will walk through a process for understanding the blast radius of a variety of potential security events in your environment, and steps you can take to prevent minor ones from becoming catastrophic breaches. You’ll walk away from this session with an understanding of how to:
- Evaluate your Identity and Access Management (IAM) resources for weaknesses that attackers can exploit
- Employ penetration testing methodologies to assess the blast radius of public-facing resource misconfigurations
- Harden your cloud security posture using policy as code to address complex, multi-resource “blast radius” risks
Security testing for Terraform templates | Pawel Piwosz | Conf42 DevSecOps 2021
Pawel Piwosz, Lead Systems Engineer @ EPAM Systems
"I hate DevOps, you are not thinking about security!" This is a real quote. Let's try to prove it is not the truth! Infrastructure as Code is one of the pillars of "best practices" in the DevOps world now. It is more and more popular to use it through CI/CD pipelines, but... what about security? Do we really care about it? In this talk we will explore a few Terraform scanners and we will try to answer one question: are these tools good enough to be security scanners?
Automatic serverless security testing: Delivering secure apps | Tal Melamed | Conf42 DevSecOps 2021
Tal Melamed, Senior Director @ Contrast Security
Serverless technology eliminates the need for development teams to provision servers, and it also results in some security threats being passed to the cloud provider. This frees up developers to concentrate on building logic and producing value quickly. But cloud functions still execute code. If the software is written poorly, it can lead to a security disaster. How can developers ensure that their code is secure enough? They can scan for common vulnerabilities and exposures (CVEs) in open-source code. They can even scan their Infrastructure-as-Code (IaC) tool to identify insecure configurations. But what about custom code? At many organizations, the application security team struggles to keep up with the speed of development in a serverless environment. Traditional testing tools not only provide very limited coverage, but also slow development cycles unacceptably. Serverless code contains a mixture of cloud configurations and application programming interface (API) calls. As a result, legacy solutions lack the context that is necessary in a serverless environment, and the consequence is a lack of observability and slower response times. Fortunately, it does not have to be this way. Organizations can leverage robust security during serverless development, automatically—if it is done properly. In this talk, we will discuss common risks in serverless environments. We will then cover existing testing methodologies and why they do not work well for serverless. Finally, we will present a new, completely frictionless way of testing serverless applications automatically—with no scripts, no tests, and no delays.
Software Composition Analysis 101: what’s inside your apps | Magno Logan | Conf42 DevSecOps 2021
Magno Logan, Information Security Specialist @ Trend Micro
The term Software Composition Analysis (SCA) is relatively new to the security world. However, similar approaches have been used since the early 2000s to indicate security verifications on open source components. SCA has become an evolution of that. It is the process of identifying and listing all the components and versions present in the code, checking each specific service, and looking for outdated or vulnerable libraries that may impose security risks to the application. These tools can also check for legal issues regarding the use of open-source software with different licensing terms and conditions. Nevertheless, how do those SCA tools work, and how can they help identify and remediate open source libraries used in a codebase? This talk focuses on and explains to the audience how these tools work and the main information that these tools rely on, such as the application manifest, vulnerability data sources, and dependency metadata.
Compliance As Code with Cloud Custodian | Ismael Hommani & Tanguy Combe | Conf42 DevSecOps 2021
Ismael Hommani & Tanguy Combe, Cloud Folks @ WeScale
Compliance is about risk management and the Cloud is no exception to that. Data leaks, privilege escalation and so on happen all the time. Cloud Custodian is a rule engine that sets a comprehensive and scalable way to bake compliance into your Cloud Platform. This session will show you how. Aligned with the Everything As Code approach, Policy As Code consists of describing a number of rules that our cloud platform should abide by. However, unlike Infrastructure As Code, which is now widely adopted, this approach remains vastly unheard of. We usually observe hand-crafted solutions to complete the limited services that Cloud providers already provide. Cloud Custodian is an open source solution that enables Policy As Code with AWS, Azure and GCP. Through the example of a common FinOps problem, this session will demonstrate the benefits of such an approach and its straightforwardness compared to an empirical and manual approach filled with copy-pasted boilerplate.
Centralized Policy Management at Scale | Noaa Barki & Shimon Tolts | Conf42 DevSecOps 2021
Noaa Barki & Shimon Tolts, Datree
Systems are becoming more and more complex, built on microservices architecture, with large engineering organizations working together inter-dependently. In this new world order in engineering organizations, policy management has become a core piece in making this all operate more seamlessly. Projects like Open Policy Agent (OPA) have brought policy management to the forefront, and have provided one method for applying centralized policy at scale. This talk will review different methods for applying centralized policy at scale, demoing this through OPA as a policy operator and applying policies to Kubernetes config YAMLs, as a real-world example of how you can apply this to your services as well.
PIACERE - DevSecOps automated | Radoslaw Piliszek | Conf42 DevSecOps 2021
Radoslaw Piliszek, IT systems architect @ 7bulls.com
The unique and innovative DevSecOps process with supporting tools will be presented. The PIACERE tools allow for the complete, secure and optimized deployment of the infrastructure to the selected cloud providers and private cloud. The unique concept of the Canary Environment for stress tests will be presented. The wide selection of supported IaC will be covered as well. All the tools are created within the PIACERE project, which aims to deliver the complete DevSecOps pipeline for DevOps and cloud developers.
Improve the identification of vulnerabilities in your project | Filipi Pires | Conf42 DevSecOps 2021
Filipi Pires, Security Researcher @ Senhasegura
A practical demonstration of how a Developer can use a SAST tool for static analysis of code vulnerabilities, executing it on source code, byte code and/or binaries and identifying security holes during the development process, analyzing many languages, such as C, C#, Java, Kotlin, Python, Ruby, Golang, JavaScript, JSON… It also searches for key leaks and security flaws in all files of your project, as well as in the Git history, in addition to providing a managerial view of all this analysis information.
A Deep Dive Into Kubernetes Schema Validation | Eyar Zilberman | Conf42 DevSecOps 2021
Eyar Zilberman, CPO @ Datree
How do you ensure the stability of your Kubernetes clusters? How do you know that your manifests are syntactically valid? Are you sure you don’t have any invalid data types? Are any mandatory fields missing? Most often, we only become aware of these misconfigurations at the worst time - when trying to deploy the new manifests. In this talk, we will review how to overcome this challenge with OSS tooling that can be integrated seamlessly into your deployment process.
Securing and hardening container hosts | Mathieu Tortuyaux & Sayan Chowdhury | Conf42 DevSecOps 2021
Mathieu Tortuyaux & Sayan Chowdhury, Microsoft
Even the most secured Kubernetes cluster can have security issues if the underlying OS is not correctly hardened. In this talk, we will present the best practices to harden and secure your container hosts, from delivery to the different environments, to ensure reliability, security and performance. Through an actual live example, we will introduce how Flatcar Container Linux is built around security first, and uses these hardening practices. From SELinux configuration to audit logs, passing by its package management - let's see how this container-optimized OS distro can contribute to reducing the attack surface and mitigating threats.
Manage secrets across cloud on Kubernetes | Jhonnatan Gil Chaves | Conf42 DevSecOps 2021
Jhonnatan Gil Chaves, DevOps Engineer @ AppGate
The evolution of Kubernetes and its use cases is more valuable when your team can manage secrets in a more secure context for all teams!! Involving the security team and the dev team in this process is essential, because you need to break this dependency with external-secrets!
Automate your threat hunting workflows | Christopher Van Der Made | Conf42 DevSecOps 2021
Christopher Van Der Made, Developer Advocate @ Cisco
Cyber threats are running rampant in the IT world. It’s time to take a proactive stance. This session will teach you how to automate your hunt for active cyber threats in your network/cloud/endpoint environments and what to do once you’ve caught them. “It is very important nowadays to stay up to date with all of the cyber threats that are posing all over the world. It is widely known that there are not enough resources to be found to fill up every Security Operation Center (i.e. SOC). Therefore, many organizations struggle with coping with the massive amount of new types of attacks and generated alerts from their tooling. During this session, you will learn how to hunt (and automate your hunt) for active cyber threats in your environment and contain them using integrated connections to network, endpoint, and cloud products. This session is targeted at SOC management, cyber security engineers, threat hunters, and analysts. It will touch on threat detection, investigation and response. All the code will be made available after the session.”
Securing Your Pipes with a TACO | Peter Maddison | Conf42 DevSecOps 2021
Peter Maddison, Managing Partner @ Xodiac
In highly regulated environments, governing bodies of the organization can quickly get in the way of your delivery. What I present is a straw man for architecture, compliance, security and development to come to agreement on their minimum viable bureaucracy. TACO stands for Traceability, Access, Compliance, and Operations and is a set of 20 controls I use as a guideline for helping organizations define automated governance for their software delivery pipelines. However, the primary purpose of TACO is to provide a common language for the organization to understand what "good" pipelines mean for them and how to get there. This model allows for the creation of opinionated pipelines and helps create a common understanding across teams as to what is required in order to be secure. Taking a TACO approach can be considered a part of implementing a DevSecOps program, and I’ve used this approach at multiple banks. Having this baseline helps build organizational confidence in the automation of software delivery. During the talk, I’ll run through the different categories of controls, how they are implemented, what their purpose is, and how to create robust feedback loops for controls.
Container Scanning: Run Fast and Stay Safe | Rob Richardson | Conf42 DevSecOps 2021
Rob Richardson, Developer Advocate @ Cyral
Have you struggled to get security baked into your DevOps process, or have your security needs taken a back seat to "run fast and break things"? Just because we’re moving fast doesn't mean we can’t be secure. Join us for this deep dive into adding container scanning to a DevOps pipeline. We'll enumerate the security tool categories, and give you tips for adding these tools to your development workflow, build pipeline, and production monitoring setup. You can achieve a robust security posture and still release continuously.
The Quick Wins of DevSecOps | Sven Ruppert | Conf42 DevSecOps 2021
Sven Ruppert, Developer Advocate @ JFrog
A question occurred to me that I get asked again and again at conferences, meetups or workshops. The question is almost always: what are the quick wins or low-hanging fruit if you want to deal more with the topic of security in software development? And I want to answer this question right now!
From Infrastructure as Code to Environment as Code | Adarsh Shah | Conf42 DevSecOps 2021
Adarsh Shah, CEO of CompuZest
Infrastructure as Code (IaC) has made managing infrastructure easier in a lot of ways, but there are many challenges that companies accept as the cost of adopting IaC, especially when scaling. IaC is good at provisioning individual resources (or a few of them together), but engineering teams want an entire environment with various components like networking, platform (EC2/EKS), database, S3 buckets, etc. to deploy and operate their applications. To provision and tear down an entire environment, these teams have two options. They can either hand-roll pipelines to manage individual resources and then manage complex dependencies between these resources within those pipelines, or create a monolithic IaC for the entire environment. These approaches are inefficient and slow down feature development and innovation. They also make replicating, visualizing & understanding environments difficult. What if there were a better way? This talk digs into these challenges to try to better understand them and then looks at how to resolve them. We will introduce Environment as Code (an abstraction over IaC) that enables teams to provision & tear down entire Environments in an efficient way and promotes best practices like loosely coupled infrastructure resources.
Key Takeaways:
- Challenges scaling Infrastructure as Code
- What is Environment as Code?
- How can Environment as Code help resolve those challenges?
Lessons Learned from Writing Thousands of Lines of IaC | Eran Bibi | Conf42 DevSecOps 2021
Eran Bibi, CPO @ Firefly
Immutable architecture is the backbone of infrastructure as code, to ensure production environments cannot be changed during runtime. While this has the benefits of its inherent safety measures, this can also be restrictive, all while creating new challenges for security. Immutable concepts are much more effective when it comes to securing cloud native environments and infrastructure, which is becoming an increasingly more complex task. This talk will focus on some of the fundamentals of immutable architecture, best practices and recommended design patterns to work around its limitations and enhance security, as well as what you most certainly should not be doing when running immutable architecture, both from an infrastructure and security perspective. This will be demonstrated through a real-world example of deploying a single-tenant SaaS in an automated pipeline, typical challenges encountered, and what was learned on the way, through a Terraform, Kubernetes and Step Functions example.
Encrypting Data at Rest in Cloud-native Apps | Senthil Raja Chermapandian | Conf42 DevSecOps 2021
Senthil Raja Chermapandian, [Job Title] @ [Company]
All Enterprises across different Industries have begun to rely on Data to enable Business decisions, processes and workflows. Data comes in different types and there is a plethora of data storage solutions for cloud-native applications. Data is stored and processed in a highly distributed fashion to fuel Analytics, AI/ML, and Edge/IoT use cases. These factors open up challenges in securing the data and protecting sensitive information. Encryption is the de facto mechanism to protect data from malicious users. Encrypting Data at Rest is a fundamental requirement for many Organizations. This talk will introduce you to the different patterns for achieving Data encryption at rest, the relative merits and de-merits of the approaches, challenges and solutions. Attendees will benefit from this talk by gaining a good understanding of the different techniques and which ones to use for different use cases.
The Journey From DevOps to Cloud Engineering | Matty Stratton | Conf42 DevSecOps 2021
Matty Stratton, Staff Developer Advocate @ Pulumi
We have been talking about devops for years. Along the way, we’ve added various syllables to the portmanteau “devops” to include all the practices and disciplines that are key to doing this effectively. What if DevOps, DevSecOps, and all the other variants have been about the same idea all along? Cloud Engineering is an emergent way of expressing how we use and enhance software engineering practices in a cloud world. This goes beyond application design and architecture, and includes how we build, deploy, and manage the services and applications that provide value to our users and customers. In this talk I will step through the evolution of devops and how the practice of Cloud Engineering is a natural progression. I will take the traditional expression of CALMS (Culture, Automation, Lean, Measurement, and Sharing) and connect them to the build, deploy, and manage practices reflected in the Cloud Engineering discipline. Cloud Engineering isn’t “the new DevOps”. It’s the evolution of everything we have been talking about for the last ten years (and more). Let’s learn how we can provide innovation, scale, reliability, security, and compliance by harnessing the practices across all of the associated disciplines. And maybe, along the way, “take DevOps back” to what it’s really been about all this time.
Overcoming IoT Security Threats from the Start | Jonathan Williams | Conf42 DevSecOps 2021
Jonathan Williams, Product Manager @ Twilio IoT
Here’s the sobering reality: across the Internet of Things (IoT), security has been overlooked. An amazing 1.51 billion IoT devices were breached in the first 6 months of 2021, an increase from 639 million in the same time period in 2020. With the anticipated number of connected devices worldwide predicted to reach 50B by 2030, there is still a lot that needs to be done to ensure that these devices are protected from attacks. This includes ensuring the security of your connected devices and data lives up to the promise you make to your customers. The impact of your devices being compromised is a big one and can often be ignored until it is too late.
Controlled Software as a Transversal Matter | Manuel Schuller | Conf42 DevSecOps 2021
Manuel Schuller, Senior DevOps Evangelist
Especially for banks, releasing controlled software is not only a must, but a business priority. In this session we will present and discuss:
- Implementing DevOps processes - made possible through a set of tools - to ensure that every piece of software released into production complies with the required level of control
- How this level of control is defined not by the projects, but by transverse teams who make sure all controls are compliant with the state of the art
- How these controls become company-wide best practices, so that these transverse groups are meant to disappear after the Culture and Best Practices are disseminated within the organization
Secrets-management: challenges from code to cloud | Jeroen Willemsen | Conf42 DevSecOps 2021
Jeroen Willemsen, Principal Security Architect @ Xebia
So you want to secure your applications and their infrastructure? How about their secrets? In this talk I will discuss some of the challenges and their solutions when it comes to secrets management, with examples from our own app at https://github.com/commjoen/wrongsecrets
How to keep your startup’s cloud secure | Ryder Damen | Conf42 DevSecOps 2021
Ryder Damen, DevOps Engineer @ Indeni Cloudrail
In this talk, we’ll evaluate tools and techniques for implementing continuous security at your startup at the infrastructure level. Quite often as DevOps engineers at startups, we’re expected to be experts in security, and that often isn’t the case. We know to keep our ports closed, and to operate on the principle of least privilege, but with infrastructure as code, introducing a vulnerability is as easy as a missed line. In startup environments where things move fast, it can be easy to create an insecure cloud, especially when operating by yourself. We’ll review the concepts of Static and Dynamic security testing, and how both can be combined and implemented in your deployment pipeline. We’ll go over open source and managed tools that can assist you in the transition to DevSecOps and continuous security, as well as give examples of how to realistically implement this at your startup, and how to explain the business value of continuous security to your leadership team. At the end of the talk, you’ll have a clear understanding of the landscape of tools you can use today to help you secure your infrastructure, an understanding of why they can be valuable, and how to explain the business value of them to a non-technical leadership team.