Scribd Logo
Upload

Welcome to Scribd!

  • Anais Urlichs Integrating Security SRE

    Uploaded by

    Tom
    11 views48 pages
    The document discusses integrating cloud native security into the SRE culture. It outlines 10 steps for getting started, including understanding needs, choosing a security scanner, proof of concept testing, educating teams, building tooling for CI/CD pipelines and dashboards, correlating metrics, automating or educating on findings, expanding beyond scanning to tools like Sigstore and Kyverno, and iterating on tool usage. The focus is on aligning security goals with SRE goals like visibility, automation, and reducing toil.

    Original Description:

    Original Title

    Anais-Urlichs-Integrating-Security-SRE

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document discusses integrating cloud native security into the SRE culture. It outlines 10 steps for getting started, including understanding needs, choosing a security scanner, proof of concept testing, educating teams, building tooling for CI/CD pipelines and dashboards, correlating metrics, automating or educating on findings, expanding beyond scanning to tools like Sigstore and Kyverno, and iterating on tool usage. The focus is on aligning security goals with SRE goals like visibility, automation, and reducing toil.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    11 views48 pages

    Anais Urlichs Integrating Security SRE

    Uploaded by

    Tom
    The document discusses integrating cloud native security into the SRE culture. It outlines 10 steps for getting started, including understanding needs, choosing a security scanner, proof of concept testing, educating teams, building tooling for CI/CD pipelines and dashboards, correlating metrics, automating or educating on findings, expanding beyond scanning to tools like Sigstore and Kyverno, and iterating on tool usage. The focus is on aligning security goals with SRE goals like visibility, automation, and reducing toil.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 48

    Integrating Cloud

    Native Security into


    the SRE culture

    Anais Urlichs

    © 2023 Aqua Security Software Ltd., All Rights Reserved


    2 @urlichsanais
    Site Reliability Cloud Native
    Engineering Security

    3 @urlichsanais
    Talk Title: How We Built a Cloud On K3s: The Learnings Of Growing Up
    Fast - Alex Jones & Anaïs Urlichs, Civo
    4 @urlichsanais
    Where is the security tooling?

    5 @urlichsanais
    Source

    6 @urlichsanais
    Source

    7 @urlichsanais
    What is the SRE Culture?

    8 @urlichsanais
    SRE Culture

    Continuous
    Embracing Risk
    Improvement

    Analysing and
    learning from Autonomy
    failure

    9 @urlichsanais
    SRE Culture

    10 @urlichsanais
    SRE Culture

    11 @urlichsanais
    SRE Culture

    Healthy Services are


    Secure Services

    12 @urlichsanais
    SRE Goals are Security Goals
    Visibility

    • Dashboards
    • Alerts
    13 @urlichsanais
    SRE Goals are Security Goals
    Automation

    • Building Robust Delivery Pipelines


    14 @urlichsanais
    SRE Goals are Security Goals
    Automation

    • Building Robust Delivery Pipelines


    15 @urlichsanais
    SRE Goals are Security Goals
    Automation

    • Building Robust Delivery Pipelines


    16 @urlichsanais
    SRE Goals are Security Goals
    Scalability

    Invest in Runbooks
    • Define Procedures/Processes
    BUT keep it simple!
    • Gain a common understanding of
    how tools should/should not be
    used
    • Define Ownership

    17 @urlichsanais
    SRE Goals are Security Goals
    Reduce
    Noise/Toil

    18 @urlichsanais
    SRE Goals are Security Goals
    Reduce
    Noise/Toil

    19 @urlichsanais
    10 Steps on getting started with
    cloud native security

    20 @urlichsanais
    The following slides are going to be based on Trivy
    Different Scan targets:
    • Container Images
    • IaC and Configuration files e.g. YAML, Terraform
    • Kubernetes running clusters
    • Repositories
    • Filesystems (incl rootfs)
    • AWS Services

    4 times of scanners
    • Vulnerability Scanner
    • Misconfiguration Scanner
    • Exposed Secret Scanner
    github.com/aquasecurity/trivy
    • License Scanner

    Additional Features
    • SBOM Generation & Vulnerability Scanning
    • SBOM Attestation with Cosign
    21 @urlichsanais
    Step 1: Understand your needs

    22 @urlichsanais
    Step 1: Understand your needs

    Size of your team Industry & Regulations

    Company Goals and


    Existing Tech Stack Budget and Expertise
    Leadership

    23 @urlichsanais
    Step 1: Understand your needs

    Size of your team

    Industry & Regulations


    Existing Tech Stack

    Company Goals and


    Budget and Expertise
    Leadership

    24 @urlichsanais
    Step 2: Understand the different types of
    scanners available

    25 @urlichsanais
    Difference between security scanners

    Installation Scan Coverage Resources Types Integrations Focus

    26 @urlichsanais
    Step 3: Choosing a Security Scanner

    27 @urlichsanais
    Step 3: Choosing a Security Scanner

    28 @urlichsanais
    Step 4: Proof of Concept in your existing
    workflow

    29 @urlichsanais
    Step 4: Proof of Concept in your existing workflow

    values.yaml

    1. Identifying the best installation option


    2. Deciding upon the configuration
    3. Testing custom configuration
    4. Ensuring everything is working together

    30 @urlichsanais
    Step 4: Proof of Concept in your existing workflow

    values.yaml

    31 @urlichsanais
    Step 5: Team education

    32 @urlichsanais
    Step 5: Team education

    Tweet https://twitter.com/AlexJonesax/
    status/1569998923955142657
    33 @urlichsanais
    Step 5: Team education

    1. Everyone should know how to enhance the


    security of the resources they are responsible
    for
    2. Divide responsibilities for shared ownership

    34 @urlichsanais
    Step 6: Build out tooling CI/CD, Dashboards,
    Alerts etc.

    35 @urlichsanais
    Step 6: Build out tooling CI/CD, Dashboards, Alerts
    etc.
    Automation

    • Building Robust Delivery Pipelines


    36 @urlichsanais
    37 @urlichsanais
    Step 7: Correlating Metrics

    38 @urlichsanais
    Step 7: Correlating Metrics

    105 new vulnerabilities


    in the “demo” namespace

    39 @urlichsanais
    Step 8: Either Automate or Educate

    40 @urlichsanais
    Step 8: Either Automate or Educate

    Story Time

    41 @urlichsanais
    Step 9: Don’t stop at security scanning

    42 @urlichsanais
    Step 9: Don’t stop at security scanning

    Sigstore — Signing digital artefacts Kyverno — Policies

    43 @urlichsanais
    Step 10: Keep iterating on your usage of the
    tools

    44 @urlichsanais
    45 @urlichsanais
    anaisurl.com

    46 @urlichsanais
    Additional Resources

    • Our Applica on Security Journey (Part 1) by Wise Engineering


    • The Aqua Open Source YouTube Channel
    • The Trivy GitHub Repository and the Trivy Operator Repository
    • The demo project on GitHub

    • & You can nd us on Slack: slack.aquasec.com

    47 @urlichsanais
    ti
    fi
    Thanks

    @urlichsanais

    © 2023 Aqua Security Software Ltd., All Rights Reserved

    You might also like