Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Continuous Hacking
Search
Omer Levi Hevroni
November 04, 2020
Programming
0
51
Continuous Hacking
Omer Levi Hevroni
November 04, 2020
Tweet
Share
More Decks by Omer Levi Hevroni
See All by Omer Levi Hevroni
Hacking Monitoring for Fun and Profit
omerlh
0
120
Vulnerable Dependencies - Going Beyond Discovery
omerlh
0
66
GitOps keeping it secret
omerlh
1
84
Other Decks in Programming
See All in Programming
Googleのテストサイズを活用したテスト環境の構築
toms74209200
0
270
PHP でアセンブリ言語のように書く技術
memory1994
PRO
1
150
Synchronizationを支える技術
s_shimotori
1
150
とにかくAWS GameDay!AWSは世界の共通言語! / Anyway, AWS GameDay! AWS is the world's lingua franca!
seike460
PRO
1
550
のびしろを広げる巻き込まれ力:偶然を活かすキャリアの作り方/oso2024
takahashiikki
1
410
外部システム連携先が10を超えるシステムでのアーキテクチャ設計・実装事例
kiwasaki
1
230
Amazon Neptuneで始めてみるグラフDB-OpenSearchによるグラフの全文検索-
satoshi256kbyte
4
330
シールドクラスをはじめよう / Getting Started with Sealed Classes
mackey0225
3
400
讓數據說話:用 Python、Prometheus 和 Grafana 講故事
eddie
0
350
Nuxtベースの「WXT」でChrome拡張を作成する | Vue Fes 2024 ランチセッション
moshi1121
1
530
ピラミッド、アイスクリームコーン、SMURF: 自動テストの最適バランスを求めて / Pyramid Ice-Cream-Cone and SMURF
twada
PRO
9
1k
Universal Linksの実装方法と陥りがちな罠
kaitokudou
1
220
Featured
See All Featured
Building Applications with DynamoDB
mza
90
6.1k
StorybookのUI Testing Handbookを読んだ
zakiyama
26
5.2k
Speed Design
sergeychernyshev
24
570
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
32
1.8k
Happy Clients
brianwarren
97
6.7k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
Agile that works and the tools we love
rasmusluckow
327
21k
Testing 201, or: Great Expectations
jmmastey
38
7k
Documentation Writing (for coders)
carmenintech
65
4.4k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Product Roadmaps are Hard
iamctodd
PRO
48
10k
For a Future-Friendly Web
brad_frost
175
9.4k
Transcript
Kubernetes Edition Omer Levi Hevroni | AppSec Engineer | @omerlh
Continuous Hacking
@omerlh
Secure defaults Easy Medium Hard Automated tools Bug bounty Pen
tests Runtime monitoring https://Bit.ly/2020AppSecCali_Gibler Vulnerability Classification @omerlh
@omerlh
I’m a Developer @omerlh
AppSec Engineer @ Snyk @omerlh
Develop fast. Stay secure @omerlh
One line of text slide confidential Dogfooding @omerlh
Continues Hacking https://github.com/omerlh/juice-shop/pull/54 @omerlh
Kubernetes Apps has many layers Code Packages Container Manifests files
@omerlh
@omerlh
@omerlh
Code Layer @omerlh
Option A: Manual Code Review @omerlh
Option B: Automatic Code Review @omerlh
Code Layer @omerlh
confidential Snyk.io 17 WHAT WHERE @omerlh
18 WHERE @omerlh
19 Exploit Time! @omerlh
20 Exploit Time! @omerlh
21 Exploit Time! @omerlh
22 What happened? @omerlh
confidential Snyk.io 23 WHAT WHERE @omerlh
24 @omerlh
25 SQL Comment Sign @omerlh
• Never trust user input • Input sanitization Mitigating SQLi
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Preventio n_Cheat_Sheet.html @omerlh
Packages Layer @omerlh
Most Dangerous Command You Can Run? @omerlh
https://info.snyk.io/sooss-report-2020 @omerlh
https://info.snyk.io/sooss-report-2020 @omerlh
ERe https://github.com/webpack/webpack/issues/690 React Dependencies @omerlh
Running in the CI https://snyk.io/docs/github/ @omerlh
And the results… @omerlh
Let’s zoom in @omerlh
Cross Site Scripting @omerlh
Let’s zoom in @omerlh
We can see the original GitHub issue! @omerlh
Let’s exploit it! @omerlh
Viola! @omerlh
Fixing Vulnerable Packages @omerlh
• Never trust user input • Input sanitization • Security
headers • React is not immune to XSS! Mitigating XSS https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cr oss_Site_Scripting_Prevention_Cheat_Sheet.md @omerlh
Container Layer @omerlh
43 @omerlh
https://info.snyk.io/sooss-report-2020 @omerlh
45 https://snyk.io/vuln/search?q=node&type=upstream
https://hadolint.github.io/hadolint
47 @omerlh
48 @omerlh
Should we care? @omerlh
50 @omerlh
51 @omerlh
Fixing it? @omerlh
@omerlh
https://hadolint.github.io/hadolint @omerlh
Manifest Files Layer @omerlh
https://madhuakula.com/kubernetes-goat/ @omerlh
57 @omerlh
58 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ @omerlh
59 @omerlh
60
61 @omerlh
Wrapping Up @omerlh
Kubernetes Apps has many layers Code Packages Container Manifests files
@omerlh
confidential Snyk.io 64 Tip of the Iceberg @omerlh
@omerlh
Omer Levi Hevroni | AppSec Engineer | @omerlh Thank You
67 References • https://www.omerlh.info/2018/10/04/write-good-code-with-security-tests/ • https://snyk.io/blog/from-image-security-to-workload-security/ • https://snyk.io/learn/container-security/ • https://www.youtube.com/watch?v=3H8pF6yoSgU
• https://github.blog/2020-09-30-code-scanning-is-now-available/ • https://snyk.io/blog/developer-first-sast-with-snyk-code • https://cheatsheetseries.owasp.org/ • https://madhuakula.com/kubernetes-goat/ • https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/ • https://snyk.io/open-source-security/ @omerlh