Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Continuous Hacking
Search
Omer Levi Hevroni
November 04, 2020
Programming
68
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Continuous Hacking
Omer Levi Hevroni
November 04, 2020
More Decks by Omer Levi Hevroni
See All by Omer Levi Hevroni
Hacking Monitoring for Fun and Profit
omerlh
0
140
Vulnerable Dependencies - Going Beyond Discovery
omerlh
0
100
GitOps keeping it secret
omerlh
1
100
Other Decks in Programming
See All in Programming
dRuby over BLE
makicamel
2
400
symfony/aiとlaravel/boost
77web
0
120
Oxcを導入して開発体験が向上した話
yug1224
4
370
act1-costs.pdf
sumedhbala
0
160
コンテキストの使い捨てをやめる — ビジネスルール駆動開発と miko —
ioki
0
260
「正の参照」と 「負の導出」で組む ハーネスエンジニアリング
cottpan
1
110
1B+ /day規模のログを管理する技術
broadleaf
0
120
決定論的オーケストレーションの設計と実装 / Design and Implementation of Deterministic Orchestration
nrslib
4
1.6k
はてなアカウント基盤 State of the Union
cockscomb
1
1.3k
jQueryをバージョンアップする前に使いたいjQuery Migrate
matsuo_atsushi
0
630
「AIで開発し、AIを届ける」をEvalでつなぐ 〜AIネイティブに始めるプロダクト開発の実践〜 / Connecting "Develop with AI, deliver AI" with Eval
rkaga
4
5.6k
ECSアプリログをFireLensでコスト削減しようとしたけど諦めた話 in Fargate×Node.js
akihisaikeda
2
4.2k
Featured
See All Featured
Neural Spatial Audio Processing for Sound Field Analysis and Control
skoyamalab
0
360
The Cost Of JavaScript in 2023
addyosmani
55
10k
Collaborative Software Design: How to facilitate domain modelling decisions
baasie
1
260
Lightning talk: Run Django tests with GitHub Actions
sabderemane
0
210
The Hidden Cost of Media on the Web [PixelPalooza 2025]
tammyeverts
2
340
Odyssey Design
rkendrick25
PRO
2
720
Statistics for Hackers
jakevdp
799
230k
What the history of the web can teach us about the future of AI
inesmontani
PRO
1
630
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
508
140k
How to Grow Your eCommerce with AI & Automation
katarinadahlin
PRO
1
220
Organizational Design Perspectives: An Ontology of Organizational Design Elements
kimpetersen
PRO
1
760
Keith and Marios Guide to Fast Websites
keithpitt
413
23k
Transcript
Kubernetes Edition Omer Levi Hevroni | AppSec Engineer | @omerlh
Continuous Hacking
@omerlh
Secure defaults Easy Medium Hard Automated tools Bug bounty Pen
tests Runtime monitoring https://Bit.ly/2020AppSecCali_Gibler Vulnerability Classification @omerlh
@omerlh
I’m a Developer @omerlh
AppSec Engineer @ Snyk @omerlh
Develop fast. Stay secure @omerlh
One line of text slide confidential Dogfooding @omerlh
Continues Hacking https://github.com/omerlh/juice-shop/pull/54 @omerlh
Kubernetes Apps has many layers Code Packages Container Manifests files
@omerlh
@omerlh
@omerlh
Code Layer @omerlh
Option A: Manual Code Review @omerlh
Option B: Automatic Code Review @omerlh
Code Layer @omerlh
confidential Snyk.io 17 WHAT WHERE @omerlh
18 WHERE @omerlh
19 Exploit Time! @omerlh
20 Exploit Time! @omerlh
21 Exploit Time! @omerlh
22 What happened? @omerlh
confidential Snyk.io 23 WHAT WHERE @omerlh
24 @omerlh
25 SQL Comment Sign @omerlh
• Never trust user input • Input sanitization Mitigating SQLi
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Preventio n_Cheat_Sheet.html @omerlh
Packages Layer @omerlh
Most Dangerous Command You Can Run? @omerlh
https://info.snyk.io/sooss-report-2020 @omerlh
https://info.snyk.io/sooss-report-2020 @omerlh
ERe https://github.com/webpack/webpack/issues/690 React Dependencies @omerlh
Running in the CI https://snyk.io/docs/github/ @omerlh
And the results… @omerlh
Let’s zoom in @omerlh
Cross Site Scripting @omerlh
Let’s zoom in @omerlh
We can see the original GitHub issue! @omerlh
Let’s exploit it! @omerlh
Viola! @omerlh
Fixing Vulnerable Packages @omerlh
• Never trust user input • Input sanitization • Security
headers • React is not immune to XSS! Mitigating XSS https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cr oss_Site_Scripting_Prevention_Cheat_Sheet.md @omerlh
Container Layer @omerlh
43 @omerlh
https://info.snyk.io/sooss-report-2020 @omerlh
45 https://snyk.io/vuln/search?q=node&type=upstream
https://hadolint.github.io/hadolint
47 @omerlh
48 @omerlh
Should we care? @omerlh
50 @omerlh
51 @omerlh
Fixing it? @omerlh
@omerlh
https://hadolint.github.io/hadolint @omerlh
Manifest Files Layer @omerlh
https://madhuakula.com/kubernetes-goat/ @omerlh
57 @omerlh
58 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ @omerlh
59 @omerlh
60
61 @omerlh
Wrapping Up @omerlh
Kubernetes Apps has many layers Code Packages Container Manifests files
@omerlh
confidential Snyk.io 64 Tip of the Iceberg @omerlh
@omerlh
Omer Levi Hevroni | AppSec Engineer | @omerlh Thank You
67 References • https://www.omerlh.info/2018/10/04/write-good-code-with-security-tests/ • https://snyk.io/blog/from-image-security-to-workload-security/ • https://snyk.io/learn/container-security/ • https://www.youtube.com/watch?v=3H8pF6yoSgU
• https://github.blog/2020-09-30-code-scanning-is-now-available/ • https://snyk.io/blog/developer-first-sast-with-snyk-code • https://cheatsheetseries.owasp.org/ • https://madhuakula.com/kubernetes-goat/ • https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/ • https://snyk.io/open-source-security/ @omerlh