Continuous Hacking

Transcript

1. Kubernetes Edition Omer Levi Hevroni | AppSec Engineer | @omerlh

   Continuous Hacking

2. @omerlh

3. Secure defaults Easy Medium Hard Automated tools Bug bounty Pen

   tests Runtime monitoring https://Bit.ly/2020AppSecCali_Gibler Vulnerability Classification @omerlh

4. @omerlh

5. I’m a Developer @omerlh

6. AppSec Engineer @ Snyk @omerlh

7. Develop fast. Stay secure @omerlh

8. One line of text slide confidential Dogfooding @omerlh

9. Continues Hacking https://github.com/omerlh/juice-shop/pull/54 @omerlh

10. Kubernetes Apps has many layers Code Packages Container Manifests files

    @omerlh

11. @omerlh

12. @omerlh

13. Code Layer @omerlh

14. Option A: Manual Code Review @omerlh

15. Option B: Automatic Code Review @omerlh

16. Code Layer @omerlh

17. confidential Snyk.io 17 WHAT WHERE @omerlh

18. 18 WHERE @omerlh

19. 19 Exploit Time! @omerlh

20. 20 Exploit Time! @omerlh

21. 21 Exploit Time! @omerlh

22. 22 What happened? @omerlh

23. confidential Snyk.io 23 WHAT WHERE @omerlh

24. 24 @omerlh

25. 25 SQL Comment Sign @omerlh

26. • Never trust user input • Input sanitization Mitigating SQLi

    https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Preventio n_Cheat_Sheet.html @omerlh

27. Packages Layer @omerlh

28. Most Dangerous Command You Can Run? @omerlh

29. https://info.snyk.io/sooss-report-2020 @omerlh

30. https://info.snyk.io/sooss-report-2020 @omerlh

31. ERe https://github.com/webpack/webpack/issues/690 React Dependencies @omerlh

32. Running in the CI https://snyk.io/docs/github/ @omerlh

33. And the results… @omerlh

34. Let’s zoom in @omerlh

35. Cross Site Scripting @omerlh

36. Let’s zoom in @omerlh

37. We can see the original GitHub issue! @omerlh

38. Let’s exploit it! @omerlh

39. Viola! @omerlh

40. Fixing Vulnerable Packages @omerlh

41. • Never trust user input • Input sanitization • Security

    headers • React is not immune to XSS! Mitigating XSS https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cr oss_Site_Scripting_Prevention_Cheat_Sheet.md @omerlh

42. Container Layer @omerlh

43. 43 @omerlh

44. https://info.snyk.io/sooss-report-2020 @omerlh

45. 45 https://snyk.io/vuln/search?q=node&type=upstream

46. https://hadolint.github.io/hadolint

47. 47 @omerlh

48. 48 @omerlh

49. Should we care? @omerlh

50. 50 @omerlh

51. 51 @omerlh

52. Fixing it? @omerlh

53. @omerlh

54. https://hadolint.github.io/hadolint @omerlh

55. Manifest Files Layer @omerlh

56. https://madhuakula.com/kubernetes-goat/ @omerlh

57. 57 @omerlh

58. 58 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ @omerlh

59. 59 @omerlh

60. 60

61. 61 @omerlh

62. Wrapping Up @omerlh

63. Kubernetes Apps has many layers Code Packages Container Manifests files

    @omerlh

64. confidential Snyk.io 64 Tip of the Iceberg @omerlh

65. @omerlh

66. Omer Levi Hevroni | AppSec Engineer | @omerlh Thank You

67. 67 References • https://www.omerlh.info/2018/10/04/write-good-code-with-security-tests/ • https://snyk.io/blog/from-image-security-to-workload-security/ • https://snyk.io/learn/container-security/ • https://www.youtube.com/watch?v=3H8pF6yoSgU

    • https://github.blog/2020-09-30-code-scanning-is-now-available/ • https://snyk.io/blog/developer-first-sast-with-snyk-code • https://cheatsheetseries.owasp.org/ • https://madhuakula.com/kubernetes-goat/ • https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/ • https://snyk.io/open-source-security/ @omerlh