Anaïs Urlichs (@urlichsanais)
Talk Title: How We Built a Cloud On K3s: The Learnings Of Growing Up
Fast - Alex Jones & Anaïs Urlichs, Civo
Where is the security tooling?
What is the SRE Culture?
SRE Culture
• Continuous Improvement
• Embracing Risk
• Analysing and learning from failure
• Autonomy
SRE Goals are Security Goals
Visibility
• Dashboards
• Alerts
SRE Goals are Security Goals
Automation
Invest in Runbooks
• Define Procedures/Processes, BUT keep it simple!
• Gain a common understanding of how tools should/should not be used
• Define Ownership
SRE Goals are Security Goals
Reduce Noise/Toil
10 Steps on getting started with cloud native security
The following slides are based on Trivy (github.com/aquasecurity/trivy).
Different scan targets:
• Container Images
• IaC and Configuration files, e.g. YAML, Terraform
• Kubernetes running clusters
• Repositories
• Filesystems (incl. rootfs)
• AWS Services
4 types of scanners:
• Vulnerability Scanner
• Misconfiguration Scanner
• Exposed Secret Scanner
• License Scanner
Additional Features:
• SBOM Generation & Vulnerability Scanning
• SBOM Attestation with Cosign
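Added example, not from the slides or the Trivy project: a CI gate over Trivy's JSON report. It flattens the vulnerability, misconfiguration and exposed-secret results produced by the scanner types above into one list and decides whether a pipeline step should fail. A severity threshold, "only block on fixable vulnerabilities" and an ignore list whose entries expire are what keep such a gate from turning into the noise and toil the SRE slides warn about. The report and ignore list are constructed sample data with placeholder IDs; the field names follow Trivy's JSON output as I know it (Results containing Vulnerabilities, Misconfigurations and Secrets), and the ignore-list parser is my own reading of the .trivyignore layout (one ID per line, `#` comments, optional `exp:YYYY-MM-DD`), not Trivy's code.

```python
"""CI gate over a Trivy JSON report (added example; constructed sample data)."""
import json
import sys
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample shaped like `trivy ... --format json` output; the IDs are
# placeholders, not real findings.
SAMPLE_REPORT = json.loads("""
{"SchemaVersion": 2, "ArtifactName": "registry.example.com/app:1.2.3",
 "Results": [
  {"Target": "registry.example.com/app:1.2.3 (alpine 3.18.0)", "Class": "os-pkgs",
   "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libcrypto3", "Severity": "CRITICAL",
     "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.1-r0"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "Severity": "HIGH",
     "InstalledVersion": "1.36.0-r0", "FixedVersion": ""},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib", "Severity": "LOW",
     "InstalledVersion": "1.2.13-r0", "FixedVersion": "1.2.13-r1"}]},
  {"Target": "app/config.yaml", "Class": "secret",
   "Secrets": [{"RuleID": "aws-access-key-id", "Severity": "CRITICAL",
                "Title": "AWS Access Key ID", "StartLine": 12}]},
  {"Target": "deploy/deployment.yaml", "Class": "config",
   "Misconfigurations": [{"ID": "KSV-PLACEHOLDER", "Severity": "MEDIUM",
                          "Status": "FAIL", "Title": "container runs as root"}]}]}
""")

# Constructed ignore list in .trivyignore style (one ID per line, '#' comments,
# optional 'exp:YYYY-MM-DD' after which the entry stops suppressing).
SAMPLE_IGNORES = """
# Accepted risk, but only until the review date below
CVE-0000-0001 exp:2023-01-01
# Accepted without an expiry (the kind of entry that quietly goes stale)
KSV-PLACEHOLDER
"""


def extract_findings(report):
    """Flatten all three result kinds into uniform dicts."""
    findings = []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        for v in result.get("Vulnerabilities") or []:
            findings.append({"kind": "vuln", "id": v["VulnerabilityID"], "target": target,
                             "severity": v.get("Severity", "UNKNOWN"),
                             "fixable": bool(v.get("FixedVersion"))})
        for s in result.get("Secrets") or []:
            findings.append({"kind": "secret", "id": s["RuleID"], "target": target,
                             "severity": s.get("Severity", "UNKNOWN"), "fixable": True})
        for m in result.get("Misconfigurations") or []:
            if m.get("Status") == "FAIL":  # only failed checks are findings
                findings.append({"kind": "misconfig", "id": m["ID"], "target": target,
                                 "severity": m.get("Severity", "UNKNOWN"), "fixable": True})
    return findings


def load_ignores(text, today):
    """Return {id: expiry_or_None} for entries still in force on `today`."""
    active = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        expiry = None
        for tok in tokens[1:]:
            if tok.startswith("exp:"):
                expiry = date.fromisoformat(tok[len("exp:"):])
        if expiry is None or today < expiry:  # expired entries stop suppressing
            active[tokens[0]] = expiry
    return active


def gate(report, ignore_text, fail_on="HIGH", require_fix=True, today=None):
    """Decide pass/fail. Returns (ok, blocking, suppressed).

    - findings at or above `fail_on` block the build;
    - with `require_fix`, a vulnerability with no FixedVersion is dropped
      rather than blocking (nothing the team can act on today);
    - exposed secrets always block, whatever their severity;
    - ignore-list entries suppress a finding until their expiry passes."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    threshold = SEVERITY_RANK[fail_on]
    ignores = load_ignores(ignore_text, today)
    blocking, suppressed = [], []
    for f in extract_findings(report):
        if f["id"] in ignores:
            suppressed.append(f)
            continue
        if f["kind"] == "secret":
            blocking.append(f)
            continue
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        if f["kind"] == "vuln" and require_fix and not f["fixable"]:
            continue
        blocking.append(f)
    return (not blocking, blocking, suppressed)


if __name__ == "__main__":
    # Pass a saved `trivy --format json` report as argv[1]; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    ok, blocking, suppressed = gate(report, SAMPLE_IGNORES, today="2024-06-01")
    for f in blocking:
        print(f"BLOCK   {f['kind']:<9} {f['severity']:<8} {f['id']} ({f['target']})")
    for f in suppressed:
        print(f"IGNORED {f['id']} via ignore list")
    sys.exit(0 if ok else 1)
```

Run on the sample with the date fixed to 2024-06-01, the expired ignore entry for CVE-0000-0001 no longer applies, so the critical fixable vulnerability and the exposed AWS key block the build, the unfixed HIGH is dropped, and the misconfiguration is reported as suppressed. The same input evaluated before the expiry date blocks only on the secret. Wire the real report in by pointing argv[1] at the output of `trivy image --format json`, and keep the ignore list in version control so every suppression has an owner and a review date.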
Step 1: Understand your needs
Step 2: Understand the different types of scanners available
Difference between security scanners
Step 3: Choosing a Security Scanner
Step 4: Proof of Concept in your existing workflow
values.yaml
Step 5: Team education
Tweet: https://twitter.com/AlexJonesax/status/1569998923955142657
Step 6: Build out tooling: CI/CD, Dashboards, Alerts etc.
Automation
Step 7: Correlating Metrics
Step 8: Either Automate or Educate
Story Time
Step 9: Don't stop at security scanning
Step 10: Keep iterating on your usage of the tools
anaisurl.com
Additional Resources
Thanks
@urlichsanais