Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Continuous Hacking

Omer Levi Hevroni
November 04, 2020
Programming
0
51

Continuous Hacking

Omer Levi Hevroni

November 04, 2020
Tweet

More Decks by Omer Levi Hevroni

See All by Omer Levi Hevroni
Hacking Monitoring for Fun and Profit
omerlh
0
120
Vulnerable Dependencies - Going Beyond Discovery
omerlh
0
66
GitOps keeping it secret
omerlh
1
84

Other Decks in Programming

See All in Programming
Googleのテストサイズを活用したテスト環境の構築
toms74209200
0
270
PHP でアセンブリ言語のように書く技術
memory1994
PRO
1
150
Synchronizationを支える技術
s_shimotori
1
150
とにかくAWS GameDay!AWSは世界の共通言語! / Anyway, AWS GameDay! AWS is the world's lingua franca!
seike460
PRO
1
550
のびしろを広げる巻き込まれ力:偶然を活かすキャリアの作り方/oso2024
takahashiikki
1
410
外部システム連携先が10を超えるシステムでのアーキテクチャ設計・実装事例
kiwasaki
1
230
Amazon Neptuneで始めてみるグラフDB -OpenSearchによるグラフの全文検索-
satoshi256kbyte
4
330
シールドクラスをはじめよう / Getting Started with Sealed Classes
mackey0225
3
400
讓數據說話:用 Python、Prometheus 和 Grafana 講故事
eddie
0
350
Nuxtベースの「WXT」でChrome拡張を作成する | Vue Fes 2024 ランチセッション
moshi1121
1
530
ピラミッド、アイスクリームコーン、SMURF: 自動テストの最適バランスを求めて / Pyramid Ice-Cream-Cone and SMURF
twada
PRO
9
1k
Universal Linksの実装方法と陥りがちな罠
kaitokudou
1
220

Featured

See All Featured
Building Applications with DynamoDB
mza
90
6.1k
StorybookのUI Testing Handbookを読んだ
zakiyama
26
5.2k
Speed Design
sergeychernyshev
24
570
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
32
1.8k
Happy Clients
brianwarren
97
6.7k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
Agile that works and the tools we love
rasmusluckow
327
21k
Testing 201, or: Great Expectations
jmmastey
38
7k
Documentation Writing (for coders)
carmenintech
65
4.4k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Product Roadmaps are Hard
iamctodd
PRO
48
10k
For a Future-Friendly Web
brad_frost
175
9.4k

Transcript

  1. Kubernetes Edition Omer Levi Hevroni | AppSec Engineer | @omerlh

    Continuous Hacking

  2. @omerlh

  3. Secure defaults Easy Medium Hard Automated tools Bug bounty Pen

    tests Runtime monitoring https://Bit.ly/2020AppSecCali_Gibler Vulnerability Classification @omerlh

  4. @omerlh

  5. I’m a Developer @omerlh

  6. AppSec Engineer @ Snyk @omerlh

  7. Develop fast. Stay secure @omerlh

  8. One line of text slide confidential Dogfooding @omerlh

  9. Continues Hacking https://github.com/omerlh/juice-shop/pull/54 @omerlh

  10. Kubernetes Apps has many layers Code Packages Container Manifests files

    @omerlh

  11. @omerlh

  12. @omerlh

  13. Code Layer @omerlh

  14. Option A: Manual Code Review @omerlh

  15. Option B: Automatic Code Review @omerlh

  16. Code Layer @omerlh

  17. confidential Snyk.io 17 WHAT WHERE @omerlh

  18. 18 WHERE @omerlh

  19. 19 Exploit Time! @omerlh

  20. 20 Exploit Time! @omerlh

  21. 21 Exploit Time! @omerlh

  22. 22 What happened? @omerlh

  23. confidential Snyk.io 23 WHAT WHERE @omerlh

  24. 24 @omerlh

  25. 25 SQL Comment Sign @omerlh

  26. • Never trust user input • Input sanitization Mitigating SQLi

    https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Preventio n_Cheat_Sheet.html @omerlh

  27. Packages Layer @omerlh

  28. Most Dangerous Command You Can Run? @omerlh

  29. https://info.snyk.io/sooss-report-2020 @omerlh

  30. https://info.snyk.io/sooss-report-2020 @omerlh

  31. ERe https://github.com/webpack/webpack/issues/690 React Dependencies @omerlh

  32. Running in the CI https://snyk.io/docs/github/ @omerlh

  33. And the results… @omerlh

  34. Let’s zoom in @omerlh

  35. Cross Site Scripting @omerlh

  36. Let’s zoom in @omerlh

  37. We can see the original GitHub issue! @omerlh

  38. Let’s exploit it! @omerlh

  39. Viola! @omerlh

  40. Fixing Vulnerable Packages @omerlh

  41. • Never trust user input • Input sanitization • Security

    headers • React is not immune to XSS! Mitigating XSS https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cr oss_Site_Scripting_Prevention_Cheat_Sheet.md @omerlh

  42. Container Layer @omerlh

  43. 43 @omerlh

  44. https://info.snyk.io/sooss-report-2020 @omerlh

  45. 45 https://snyk.io/vuln/search?q=node&type=upstream

  46. https://hadolint.github.io/hadolint

  47. 47 @omerlh

  48. 48 @omerlh

  49. Should we care? @omerlh

  50. 50 @omerlh

  51. 51 @omerlh

  52. Fixing it? @omerlh

  53. @omerlh

  54. https://hadolint.github.io/hadolint @omerlh

  55. Manifest Files Layer @omerlh

  56. https://madhuakula.com/kubernetes-goat/ @omerlh

  57. 57 @omerlh

  58. 58 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ @omerlh

  59. 59 @omerlh

  60. 60

  61. 61 @omerlh

  62. Wrapping Up @omerlh

  63. Kubernetes Apps has many layers Code Packages Container Manifests files

    @omerlh

  64. confidential Snyk.io 64 Tip of the Iceberg @omerlh

  65. @omerlh

  66. Omer Levi Hevroni | AppSec Engineer | @omerlh Thank You

  67. 67 References • https://www.omerlh.info/2018/10/04/write-good-code-with-security-tests/ • https://snyk.io/blog/from-image-security-to-workload-security/ • https://snyk.io/learn/container-security/ • https://www.youtube.com/watch?v=3H8pF6yoSgU

    • https://github.blog/2020-09-30-code-scanning-is-now-available/ • https://snyk.io/blog/developer-first-sast-with-snyk-code • https://cheatsheetseries.owasp.org/ • https://madhuakula.com/kubernetes-goat/ • https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/ • https://snyk.io/open-source-security/ @omerlh