Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Continuous Hacking

Avatar for Omer Levi Hevroni Omer Levi Hevroni
November 04, 2020
Programming
0
60

Continuous Hacking

Avatar for Omer Levi Hevroni

Omer Levi Hevroni

November 04, 2020
Tweet

More Decks by Omer Levi Hevroni

See All by Omer Levi Hevroni
Hacking Monitoring for Fun and Profit
Avatar for Omer Levi Hevroni omerlh
0
130
Vulnerable Dependencies - Going Beyond Discovery
Avatar for Omer Levi Hevroni omerlh
0
74
GitOps keeping it secret
Avatar for Omer Levi Hevroni omerlh
1
91

Other Decks in Programming

See All in Programming
AIのメモリー
Avatar for watany watany
12
1.3k
Vibe coding コードレビュー
Avatar for kinopee kinopeee
0
410
「次に何を学べばいいか分からない」あなたへ──若手エンジニアのための学習地図
Avatar for panda_program panda_program
3
710
CEDEC 2025 『ゲームにおけるリアルタイム通信への QUIC導入事例の紹介』
Avatar for SEGADevTech segadevtech
3
760
バイブコーディング超えてバイブデプロイ〜CloudflareMCPで実現する、未来のアプリケーションデリバリー〜
Avatar for azukiazusa azukiazusa1
3
790
Vibe Codingの幻想を超えて-生成AIを現場で使えるようにするまでの泥臭い話.ai
Avatar for Kuu fumiyakume
21
10k
Comparing decimals in Swift Testing
Avatar for 417.72KI 417_72ki
0
160
実践!App Intents対応
Avatar for 野瀬田 裕樹 yuukiw00w
1
190
11年かかって やっとVibe Codingに 時代が追いつきましたね
Avatar for yimajo yimajo
1
240
Dart 参戦!!静的型付き言語界の隠れた実力者
Avatar for Kuno Ayana kno3a87
0
170
[Codecon - 2025] Como não odiar seus testes
Avatar for Camila Campos camilacampos
0
100
WebAssemblyインタプリタを書く ~Component Modelを添えて~
Avatar for ruccho ruccho
1
360

Featured

See All Featured
How STYLIGHT went responsive
Avatar for nonsquared nonsquared
100
5.7k
BBQ
Avatar for Matthew Crist matthewcrist
89
9.8k
The World Runs on Bad Software
Avatar for Brandon Keepers bkeepers
PRO
70
11k
Code Reviewing Like a Champion
Avatar for maltzj maltzj
524
40k
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
134
9.5k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
53
2.9k
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
332
22k
Side Projects
Avatar for Sacha Greif sachag
455
43k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
Avatar for Vitaly Friedman smashingmag
251
21k
Designing Dashboards & Data Visualisations in Web Apps
Avatar for Des Traynor destraynor
231
53k
Adopting Sorbet at Scale
Avatar for Ufuk Kayserilioglu ufuk
77
9.5k
Code Review Best Practice
Avatar for Trisha Gee trishagee
69
19k

Transcript

  1. Kubernetes Edition Omer Levi Hevroni | AppSec Engineer | @omerlh

    Continuous Hacking

  2. @omerlh

  3. Secure defaults Easy Medium Hard Automated tools Bug bounty Pen

    tests Runtime monitoring https://Bit.ly/2020AppSecCali_Gibler Vulnerability Classification @omerlh

  4. @omerlh

  5. I’m a Developer @omerlh

  6. AppSec Engineer @ Snyk @omerlh

  7. Develop fast. Stay secure @omerlh

  8. One line of text slide confidential Dogfooding @omerlh

  9. Continues Hacking https://github.com/omerlh/juice-shop/pull/54 @omerlh

  10. Kubernetes Apps has many layers Code Packages Container Manifests files

    @omerlh

  11. @omerlh

  12. @omerlh

  13. Code Layer @omerlh

  14. Option A: Manual Code Review @omerlh

  15. Option B: Automatic Code Review @omerlh

  16. Code Layer @omerlh

  17. confidential Snyk.io 17 WHAT WHERE @omerlh

  18. 18 WHERE @omerlh

  19. 19 Exploit Time! @omerlh

  20. 20 Exploit Time! @omerlh

  21. 21 Exploit Time! @omerlh

  22. 22 What happened? @omerlh

  23. confidential Snyk.io 23 WHAT WHERE @omerlh

  24. 24 @omerlh

  25. 25 SQL Comment Sign @omerlh

  26. • Never trust user input • Input sanitization Mitigating SQLi

    https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Preventio n_Cheat_Sheet.html @omerlh

  27. Packages Layer @omerlh

  28. Most Dangerous Command You Can Run? @omerlh

  29. https://info.snyk.io/sooss-report-2020 @omerlh

  30. https://info.snyk.io/sooss-report-2020 @omerlh

  31. ERe https://github.com/webpack/webpack/issues/690 React Dependencies @omerlh

  32. Running in the CI https://snyk.io/docs/github/ @omerlh

  33. And the results… @omerlh

  34. Let’s zoom in @omerlh

  35. Cross Site Scripting @omerlh

  36. Let’s zoom in @omerlh

  37. We can see the original GitHub issue! @omerlh

  38. Let’s exploit it! @omerlh

  39. Viola! @omerlh

  40. Fixing Vulnerable Packages @omerlh

  41. • Never trust user input • Input sanitization • Security

    headers • React is not immune to XSS! Mitigating XSS https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cr oss_Site_Scripting_Prevention_Cheat_Sheet.md @omerlh

  42. Container Layer @omerlh

  43. 43 @omerlh

  44. https://info.snyk.io/sooss-report-2020 @omerlh

  45. 45 https://snyk.io/vuln/search?q=node&type=upstream

  46. https://hadolint.github.io/hadolint

  47. 47 @omerlh

  48. 48 @omerlh

  49. Should we care? @omerlh

  50. 50 @omerlh

  51. 51 @omerlh

  52. Fixing it? @omerlh

  53. @omerlh

  54. https://hadolint.github.io/hadolint @omerlh

  55. Manifest Files Layer @omerlh

  56. https://madhuakula.com/kubernetes-goat/ @omerlh

  57. 57 @omerlh

  58. 58 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ @omerlh

  59. 59 @omerlh

  60. 60

  61. 61 @omerlh

  62. Wrapping Up @omerlh

  63. Kubernetes Apps has many layers Code Packages Container Manifests files

    @omerlh

  64. confidential Snyk.io 64 Tip of the Iceberg @omerlh

  65. @omerlh

  66. Omer Levi Hevroni | AppSec Engineer | @omerlh Thank You

  67. 67 References • https://www.omerlh.info/2018/10/04/write-good-code-with-security-tests/ • https://snyk.io/blog/from-image-security-to-workload-security/ • https://snyk.io/learn/container-security/ • https://www.youtube.com/watch?v=3H8pF6yoSgU

    • https://github.blog/2020-09-30-code-scanning-is-now-available/ • https://snyk.io/blog/developer-first-sast-with-snyk-code • https://cheatsheetseries.owasp.org/ • https://madhuakula.com/kubernetes-goat/ • https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/ • https://snyk.io/open-source-security/ @omerlh