Join us for a webinar on how to secure your CI/CD pipeline for Kubernetes with GitOps best practices and continuous runtime protection. As developers and DevOps teams pursue speed and reliability through automated CI/CD pipelines for Kubernetes, enterprises still need to ensure security and regulatory compliance.
Together with Deepfence, the Weaveworks team will explain and demonstrate how GitOps continuous delivery pipelines, combined with continuous security observability, improve the overall security of your development workflow, from Git to production.
In this webinar we will demonstrate:
Deepfence container scanning
Git-to-Kubernetes using FluxCD
Deepfence continuous runtime security
Hardening Your CI/CD Pipelines with GitOps and Continuous Security
1. Hardening Your CI/CD Pipelines with GitOps and Continuous Security
Owen Garrett, Deepfence
Matt Kryshak, Deepfence
Richard Case, Weaveworks
May 2021
3. Speaker Introduction
Owen Garrett, Head of Product and Community, Deepfence
Owen joined Deepfence in May 2021, having previously managed the NGINX open source project and NGINX's microservices and Kubernetes-centric solutions. During his time at NGINX, the NGINX open source project rose from relative obscurity to become the most widely deployed web server in the world. Owen is fascinated by the application of technology, particularly microservices and Kubernetes, and is determined to help developers build safe and secure applications.
Twitter: @owengarrett
Richard Case, Tech Lead / Solution Architect, Weaveworks
Richard is tech lead for Kubernetes on bare metal at Weaveworks. Previously he worked in customer success and helped design and build GitOps and cloud-native solutions for Weaveworks customers. Richard is also a maintainer of Cluster API Provider AWS.
Twitter: @fruit_case
7-11. GitOps is...
An operating model
Derived from CS and operational knowledge
Technology agnostic (name notwithstanding)
A set of principles (Why instead of How), although Weaveworks can help with how
A way to speed up your team
20. Principles of GitOps
• The entire system is described declaratively.
• The canonical desired system state is versioned in git.
• Approved changes can be automatically applied to the system.
• Software agents ensure correctness and alert (diffs & actions).
Operate an agile cloud native platform with GitOps.
21. GitOps – An Operating Model for Cloud Native
• Provides separation of concerns between the development process and the deployment process
• Transparency and auditability at all levels is automatic
• Authentication and authorization isolated between concerns
• Risk reduction: complete application rollback and logging
[Diagram: IDE → Git → Build → Test (Continuous Integration) | "Immutability Firewall" | GitOps → Kubernetes → Deployment (clusters, apps), Monitoring and Logging (Observability), Management (operations)]
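The four principles on slides 20 and 21 are easiest to see as a reconciliation loop, so here is a minimal one as an added example; it is not Flux or Weaveworks code and touches no real cluster. A list of commits stands in for the git history, an "approved" flag stands in for a protected branch with review, and LIVE stands in for what the API server reports. Workload names, images and SHAs are constructed sample data.

```python
"""Minimal GitOps reconciliation loop, written as an added example of the four
principles on the slide; it is not Flux or Weaveworks code and touches no
real cluster. The commit list stands in for a git history, the "approved"
flag for a protected branch with review, and LIVE for what the API server
reports. Workload names, images and SHAs are constructed sample data."""
import copy

COMMITS = [  # constructed git history, oldest first
    {"sha": "a1b2c3", "approved": True,
     "workloads": {"web": {"image": "web:1.4.0", "replicas": 3},
                   "api": {"image": "api:2.1.0", "replicas": 2}}},
    {"sha": "d4e5f6", "approved": False,  # pushed but not yet reviewed/merged
     "workloads": {"web": {"image": "web:1.5.0", "replicas": 3},
                   "api": {"image": "api:2.1.0", "replicas": 2}}},
]

LIVE = {  # constructed cluster state
    "web": {"image": "web:1.4.0", "replicas": 3},
    "api": {"image": "api:2.0.9", "replicas": 2},        # lags behind git
    "debug-shell": {"image": "busybox", "replicas": 1},  # applied by hand: drift
}


def desired_state(commits):
    """Principles 1-3: the canonical desired state is the newest commit that
    passed review. Unapproved commits never reach the cluster."""
    approved = [c for c in commits if c["approved"]]
    if not approved:
        raise ValueError("no approved commit in history")
    return approved[-1]


def diff(desired, live):
    """Principle 4: compare declared and observed state. Returns a list of
    (kind, name, detail) where kind is create, update or prune."""
    changes = []
    for name, spec in desired.items():
        if name not in live:
            changes.append(("create", name, spec))
        elif live[name] != spec:
            changes.append(("update", name, {"from": live[name], "to": spec}))
    for name, spec in live.items():
        if name not in desired:
            changes.append(("prune", name, spec))
    return changes


def reconcile(commits, live, prune=True):
    """One pass of the agent: compute the diff, turn it into actions, and
    raise an alert for anything in the cluster that git does not know about."""
    head = desired_state(commits)
    changes = diff(head["workloads"], live)
    actions, alerts = [], []
    for kind, name, detail in changes:
        if kind == "prune":
            alerts.append(f"drift: {name} is running but absent from git@{head['sha']}")
            if not prune:
                continue  # alert only; leave it for a human to triage
        actions.append((kind, name, detail))
    return {"commit": head["sha"], "diff": changes, "actions": actions, "alerts": alerts}


def apply(live, actions):
    """Apply actions to a copy of the live state and return the converged state."""
    new = copy.deepcopy(live)
    for kind, name, detail in actions:
        if kind == "prune":
            del new[name]
        elif kind == "update":
            new[name] = detail["to"]
        else:  # create
            new[name] = detail
    return new


if __name__ == "__main__":
    result = reconcile(COMMITS, LIVE)
    for a in result["alerts"]:
        print("ALERT", a)
    for act in result["actions"]:
        print("ACTION", act)
    converged = apply(LIVE, result["actions"])
    print("diff after apply:", reconcile(COMMITS, converged)["diff"])  # []
```

Two things the run shows that the slide only states: the unapproved commit d4e5f6 is ignored even though it is the newest, so the cluster converges on web:1.4.0 rather than 1.5.0, and the hand-applied debug-shell workload is reported as drift before it is pruned (or, with prune=False, reported and left alone). A second reconcile after apply returns an empty diff, which is the "correctness" check an agent runs continuously.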
30. Copyright 2021 Deepfence, Inc.
The apps we build are deeply interconnected
528 open-source components (2020 average): the typical commercially developed application uses 528 open-source components, including direct and indirect dependencies. Source: Synopsys OSSRA Report 2021.
> 10% of open-source components have known vulnerabilities: 10.4% of Java components from Maven Central had at least one known vulnerability, and almost 40% of npm packages rely on code known to be vulnerable. Source: Sonatype 2020, University of Darmstadt 2019.
Equifax: an unpatched Apache Struts vulnerability led to the leak of 143m customer records. $1.4bn cost to remediate.
Capital One: misconfiguration of a ModSecurity-based WAF enabled an anomalous request flow (server-side request forgery against the cloud instance metadata service). 106m customer records leaked.
British Airways: compromise of third-party JavaScript loaded on the payment pages led to 380,000 stolen payment card records. $257m proposed fine (reduced to $26m in the ICO's final penalty).
npm left-pad: when an unregarded, 11-line module with 10 GitHub stars was removed from npm, the blast radius was huge.
Median direct and transitive dependencies per repository (source: GitHub State of the Octoverse 2020):
Language     Direct   Transitive
JavaScript   10       683
PHP          9        70
Python       9        19
Ruby         9        68
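The numbers above say most of an application's components are indirect, which raises the practical question a scanner has to answer: which of the handful of direct dependencies dragged a vulnerable component in, and what breaks if a shared component vanishes (the left-pad case). The following is an added example of that path tracing, not Deepfence's scanner; the lockfile-style graph, package names, scores and advisory IDs are all constructed.

```python
"""Trace known-vulnerable components through a dependency graph, as an
added example of the slide's point that most of an application's components
are indirect; this is not Deepfence code. The graph is a constructed
lockfile-style map (package -> dependencies) and the advisory table is
constructed too; no real package names or advisory IDs are implied."""
from collections import deque

GRAPH = {  # constructed
    "my-app": ["web-framework", "logger", "yaml-parser"],
    "web-framework": ["http-utils", "template-engine"],
    "http-utils": ["string-pad"],
    "template-engine": ["string-pad", "escape-html"],
    "logger": ["string-pad"],
    "yaml-parser": ["regex-engine"],
    "regex-engine": [],
    "string-pad": [],
    "escape-html": [],
}

ADVISORIES = {  # constructed: package -> (CVSS-style score, advisory id)
    "regex-engine": (7.5, "ADV-0001"),
    "escape-html": (5.3, "ADV-0002"),
}


def resolve(graph, root):
    """Breadth-first walk from root. Returns (direct, transitive, paths) where
    paths[pkg] is the shortest chain from root to pkg."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for dep in graph.get(cur, []):
            if dep not in paths:  # cycles and shared deps are visited once
                paths[dep] = paths[cur] + [dep]
                queue.append(dep)
    direct = set(graph.get(root, []))
    transitive = set(paths) - direct - {root}
    return direct, transitive, paths


def vulnerable_components(graph, root, advisories):
    """Every reachable package with an advisory, with the shortest path and
    the direct dependency that introduced it (the thing you can actually bump)."""
    _, _, paths = resolve(graph, root)
    findings = []
    for pkg, (score, adv) in advisories.items():
        if pkg in paths:
            findings.append({"package": pkg, "score": score, "advisory": adv,
                             "path": paths[pkg], "introduced_by": paths[pkg][1]})
    return sorted(findings, key=lambda f: -f["score"])


def ci_gate(graph, root, advisories, threshold=7.0):
    """Build gate: returns (passed, findings). Fails when any reachable
    component has a score at or above the threshold."""
    findings = vulnerable_components(graph, root, advisories)
    blocking = [f for f in findings if f["score"] >= threshold]
    return not blocking, findings


def blast_radius(graph, pkg):
    """Packages that break if pkg disappears (the left-pad case): everything
    that depends on it directly or transitively."""
    reverse = {}
    for parent, deps in graph.items():
        for d in deps:
            reverse.setdefault(d, set()).add(parent)
    seen, stack = set(), [pkg]
    while stack:
        cur = stack.pop()
        for parent in reverse.get(cur, ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


if __name__ == "__main__":
    direct, transitive, _ = resolve(GRAPH, "my-app")
    print(f"{len(direct)} direct, {len(transitive)} transitive")
    passed, findings = ci_gate(GRAPH, "my-app", ADVISORIES)
    for f in findings:
        print(f["advisory"], f["package"], f["score"], " -> ".join(f["path"]))
    print("gate passed:", passed)
    print("removing string-pad breaks:", sorted(blast_radius(GRAPH, "string-pad")))
```

On this constructed graph three direct dependencies expand to five transitive ones, the 7.5-score advisory blocks the build and is attributed to yaml-parser, and string-pad turns out to be a dependency of three different packages, so its removal would break the whole tree. A real gate would read the graph from a lockfile or SBOM and the scores from an advisory feed rather than from in-line tables.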
31. Vulnerabilities lie undetected for 4 years (average)
GitHub 2020 Octoverse Report: on average, vulnerabilities in open-source software lie undetected for over 4 years. Once alerted, it takes 4.4 weeks to find a fix and 10 weeks to publish it. Source: The 2020 State of the Octoverse, GitHub, Inc.
Sonatype 2020 State of the Software Supply Chain: 49% of organizations remediate an OSS dependency vulnerability within 1 week.
[Figure: the full lifecycle of a vulnerability (GitHub)]
Applications contain a timebomb of to-be-announced vulnerabilities, and security teams need to be ready to move fast!
32. Deepfence provides a full-lifecycle security solution. It observes and secures your application from development to production.
33. Insert security at all stages of the lifecycle
[Diagram: Continuous Integration (Dev: Commit → Build → Test → Push to Repo) → Continuous Delivery (DevOps: Review → Deploy to Staging, Prod 1, Prod 2, DR 1) → Users; Operations (Ops: Monitor, Logs). Lightweight Deepfence agents at each stage report to the Deepfence Management Console.]
35. Once in production, Deepfence's security monitoring takes over
1. Audits containers and hosts to detect file system, process and network related misconfigurations
2. Performs detailed inspection of network traffic, system and application behavior, and correlates suspicious events
3. Supports manual triage or automated quarantine of tainted workloads
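The three stages on slide 35 (per-event audit, correlation, then triage or quarantine) map onto a small pipeline, shown here as an added example that is not Deepfence's detection logic. The telemetry, the egress allowlist, the weights and the label names are constructed; the quarantine step emits a real Kubernetes NetworkPolicy shape, relying on the documented behaviour that a policy listing both policyTypes with no rules denies all ingress and egress for the selected pods.

```python
"""Runtime event correlation and quarantine decision, as an added example of
the three stages on the slide; it is not Deepfence's detection logic and the
events, allowlist, weights and label names are constructed. Each event is
(timestamp_s, pod, kind, detail) as a lightweight agent might report it."""

EVENTS = [  # constructed sample telemetry
    (100, "web-7f9c", "exec",    {"comm": "node", "parent": "containerd-shim"}),
    (105, "web-7f9c", "connect", {"dst": "10.0.3.4:5432"}),            # database, expected
    (200, "web-7f9c", "write",   {"path": "/tmp/cache.json"}),
    (130, "api-2b1d", "exec",    {"comm": "sh", "parent": "python3"}),  # app spawned a shell
    (131, "api-2b1d", "connect", {"dst": "198.51.100.23:4444"}),        # egress not on allowlist
    (133, "api-2b1d", "write",   {"path": "/usr/bin/curl"}),            # image contents modified
]

EGRESS_ALLOW = {"10.0.3.4:5432", "10.0.3.9:6379"}  # constructed: what the workloads may reach
SHELLS = {"sh", "bash", "dash", "zsh"}
IMMUTABLE_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/etc/")
WEIGHTS = {"shell_exec": 2, "unexpected_egress": 3, "immutable_path_write": 3,
           "shell_then_egress": 5}  # constructed scoring


def audit(events):
    """Stage 1: single-event checks on process, network and filesystem activity.
    Returns pod -> list of (timestamp, finding); pods with no findings map to []."""
    findings = {}
    for ts, pod, kind, d in sorted(events, key=lambda e: e[0]):
        items = findings.setdefault(pod, [])
        if kind == "exec" and d["comm"] in SHELLS:
            items.append((ts, "shell_exec"))
        elif kind == "connect" and d["dst"] not in EGRESS_ALLOW:
            items.append((ts, "unexpected_egress"))
        elif kind == "write" and d["path"].startswith(IMMUTABLE_PREFIXES):
            items.append((ts, "immutable_path_write"))
    return findings


def correlate(findings, window=60):
    """Stage 2: a shell exec followed within `window` seconds by a connection to
    an unexpected destination becomes one correlated finding (reverse shell or
    payload download pattern) on top of the individual ones."""
    out = {pod: list(items) for pod, items in findings.items()}
    for pod, items in findings.items():
        shells = [ts for ts, name in items if name == "shell_exec"]
        egress = [ts for ts, name in items if name == "unexpected_egress"]
        if any(0 <= e - s <= window for s in shells for e in egress):
            out[pod].append((max(egress), "shell_then_egress"))
    return out


def decide(correlated, quarantine_at=8, triage_at=3):
    """Stage 3: score each pod and return pod -> 'quarantine' | 'triage' | 'ok'."""
    decisions = {}
    for pod, items in correlated.items():
        score = sum(WEIGHTS[name] for _, name in items)
        if score >= quarantine_at:
            decisions[pod] = "quarantine"
        elif score >= triage_at:
            decisions[pod] = "triage"
        else:
            decisions[pod] = "ok"
    return decisions


def quarantine_policy(namespace, pod_name):
    """NetworkPolicy that isolates a pod the agent has labelled quarantine=<pod>.
    Both policy types with no ingress/egress rules means deny all traffic."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "quarantine-" + pod_name, "namespace": namespace},
        "spec": {"podSelector": {"matchLabels": {"quarantine": pod_name}},
                 "policyTypes": ["Ingress", "Egress"]},
    }


def run(events, auto_quarantine=True):
    """Full pass: returns (decisions, policies). With auto_quarantine=False the
    verdicts are returned for manual triage and no policy is generated."""
    decisions = decide(correlate(audit(events)))
    policies = [quarantine_policy("default", pod)
                for pod, verdict in decisions.items()
                if verdict == "quarantine" and auto_quarantine]
    return decisions, policies


if __name__ == "__main__":
    decisions, policies = run(EVENTS)
    print(decisions)
    for p in policies:
        print("would apply", p["kind"], p["metadata"]["name"])
```

On the sample telemetry the web pod is clean (its one outbound connection is on the allowlist and its write is under /tmp), while the api pod trips all three single-event checks plus the correlated shell-then-egress rule and crosses the quarantine threshold. Applying the generated policy would still require labelling the pod, and the thresholds are the knob that decides between "alert a human" and "act automatically", which is the manual-versus-automated choice the slide describes.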