
Integrating Cloud Native Security into the SRE culture

Anais Urlichs

© 2023 Aqua Security Software Ltd., All Rights Reserved


2 @urlichsanais
Site Reliability Engineering / Cloud Native Security

Talk Title: How We Built a Cloud On K3s: The Learnings Of Growing Up Fast - Alex Jones & Anaïs Urlichs, Civo
Where is the security tooling?

What is the SRE Culture?

SRE Culture

• Embracing Risk
• Continuous Improvement
• Analysing and learning from failure
• Autonomy

SRE Culture

Healthy Services are Secure Services

SRE Goals are Security Goals
Visibility

• Dashboards
• Alerts
SRE Goals are Security Goals
Automation

• Building Robust Delivery Pipelines


SRE Goals are Security Goals
Scalability

Invest in Runbooks
• Define procedures/processes, but keep them simple!
• Gain a common understanding of how tools should and should not be used
• Define ownership

SRE Goals are Security Goals
Reduce Noise/Toil

10 Steps on getting started with cloud native security

The following slides are going to be based on Trivy (github.com/aquasecurity/trivy)

Different scan targets:
• Container Images
• IaC and Configuration files e.g. YAML, Terraform
• Kubernetes running clusters
• Repositories
• Filesystems (incl rootfs)
• AWS Services

4 types of scanners:
• Vulnerability Scanner
• Misconfiguration Scanner
• Exposed Secret Scanner
• License Scanner

Additional Features:
• SBOM Generation & Vulnerability Scanning
• SBOM Attestation with Cosign
Step 1: Understand your needs

• Size of your team
• Industry & Regulations
• Existing Tech Stack
• Company Goals and Leadership
• Budget and Expertise

Step 2: Understand the different types of scanners available

Difference between security scanners:
• Installation
• Scan Coverage
• Resource Types
• Integrations
• Focus

Step 3: Choosing a Security Scanner

Step 4: Proof of Concept in your existing workflow

values.yaml

1. Identifying the best installation option
2. Deciding upon the configuration
3. Testing custom configuration
4. Ensuring everything is working together

Step 5: Team education

Tweet: https://twitter.com/AlexJonesax/status/1569998923955142657
1. Everyone should know how to enhance the security of the resources they are responsible for
2. Divide responsibilities for shared ownership

Step 6: Build out tooling CI/CD, Dashboards, Alerts etc.

Automation

• Building Robust Delivery Pipelines

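A worked example of the gate a robust delivery pipeline needs, added here and not taken from the deck or from Trivy's own code base. It reads a Trivy JSON report (the shape `trivy image --format json` produces: `Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `Severity`, `InstalledVersion`, `FixedVersion`), blocks the build only on CRITICAL/HIGH findings that already have a fix, and honours a time-boxed allowlist modelled on Trivy's `.trivyignore` so that accepted risk expires instead of living forever. This is where the "Reduce Noise/Toil" goal from earlier becomes code: unfixable findings are listed but do not fail anyone's build. The report, the image name, all versions and the `EXAMPLE-CVE-*` IDs are constructed sample data, and the `exp:` allowlist syntax is an assumption for this example.

```python
"""Gate a delivery pipeline on a Trivy report without drowning the team in toil.

Added example, not Trivy's own code. Sample data below is constructed with
placeholder IDs (EXAMPLE-CVE-*), not real vulnerabilities.
"""
import json
from datetime import date

BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed Trivy-style report, trimmed to the fields the gate uses.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.com/demo/web:1.4.2",  # assumed image name
    "ArtifactType": "container_image",
    "Results": [{
        "Target": "registry.example.com/demo/web:1.4.2 (alpine 3.17.3)",
        "Class": "os-pkgs",
        "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "EXAMPLE-CVE-1", "PkgName": "libssl3",
             "InstalledVersion": "3.0.8-r0", "FixedVersion": "3.0.9-r0", "Severity": "CRITICAL"},
            {"VulnerabilityID": "EXAMPLE-CVE-2", "PkgName": "busybox",
             "InstalledVersion": "1.35.0-r29", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "EXAMPLE-CVE-3", "PkgName": "zlib",
             "InstalledVersion": "1.2.13-r0", "FixedVersion": "1.2.13-r1", "Severity": "MEDIUM"},
            {"VulnerabilityID": "EXAMPLE-CVE-4", "PkgName": "curl",
             "InstalledVersion": "8.0.0-r0", "FixedVersion": "8.0.1-r0", "Severity": "HIGH"},
        ],
    }],
})

# Constructed allowlist: one ID per line, optional "exp:YYYY-MM-DD", "#" comments
# (format assumed for this example, modelled on .trivyignore).
SAMPLE_ALLOWLIST = """
# patch lands with the next base image bump; risk accepted until then
EXAMPLE-CVE-4 exp:2024-01-31
"""


def _as_date(today):
    """Accept an ISO date string (handy for CI env vars and tests) or default to now."""
    return date.fromisoformat(today) if today else date.today()


def load_findings(report_json):
    """Flatten a Trivy JSON report into one dict per finding."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        # Trivy omits the key (or sets it to null) when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
                "target": result.get("Target", ""),
            })
    return findings


def parse_allowlist(text, today=None):
    """Return the IDs whose acceptance is still valid on `today`; expired ones drop out."""
    today = _as_date(today)
    active = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        vuln_id, *options = line.split()
        expiry = None
        for opt in options:
            if opt.startswith("exp:"):
                expiry = date.fromisoformat(opt[len("exp:"):])
        if expiry is not None and expiry < today:
            continue  # expired: the finding becomes visible to the gate again
        active.add(vuln_id)
    return active


def evaluate(report_json, allowlist_text="", today=None):
    """Split findings into blocking / deferred / ignored and derive the job exit code."""
    allowed = parse_allowlist(allowlist_text, today)
    verdict = {"blocking": [], "deferred": [], "ignored": []}
    for finding in load_findings(report_json):
        if finding["id"] in allowed:
            verdict["ignored"].append(finding)
        elif finding["severity"] in BLOCKING_SEVERITIES and finding["fixed"]:
            verdict["blocking"].append(finding)  # actionable today: fail the build
        else:
            verdict["deferred"].append(finding)  # report, but do not page anyone
    verdict["exit_code"] = 1 if verdict["blocking"] else 0
    return verdict


def summary(verdict):
    """One line for the pipeline log; details stay in the report artefact."""
    lines = ["blocking=%d deferred=%d ignored=%d" % (
        len(verdict["blocking"]), len(verdict["deferred"]), len(verdict["ignored"]))]
    for f in verdict["blocking"]:
        lines.append("  FAIL %s %s %s -> fix in %s (%s)" % (
            f["id"], f["pkg"], f["installed"], f["fixed"], f["severity"]))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    result = evaluate(SAMPLE_REPORT, SAMPLE_ALLOWLIST, today="2024-01-15")
    print(summary(result))
    sys.exit(result["exit_code"])
```

In a pipeline the step before this one would be `trivy image --format json --output report.json <image>`; the script then fails the job via its exit code. Trivy's own `--exit-code`, `--severity` and `--ignore-unfixed` flags give the simple form of this policy on the command line; what the script adds is the expiring allowlist and the blocking/deferred split that keeps the daily log readable.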
Step 7: Correlating Metrics

Step 7: Correlating Metrics

105 new vulnerabilities in the “demo” namespace
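How a number like "N new vulnerabilities in the demo namespace" is derived, as an added example that is not part of the deck or of trivy-operator's code. It takes VulnerabilityReport objects in the shape trivy-operator stores them in the cluster (`metadata.namespace`, the `trivy-operator.resource.*` and `trivy-operator.container.name` labels, `report.vulnerabilities[]`), builds the per-namespace severity counts a dashboard panel would show, and diffs two snapshots so an alert fires on what is new rather than on the same total every night. Both snapshots, the workload names and the `EXAMPLE-CVE-*` IDs are constructed; in a real cluster the input would come from `kubectl get vulnerabilityreports -A -o json` (assuming the operator is installed).

```python
"""Roll up trivy-operator findings per namespace and report what is new.

Added example, not trivy-operator's own code. Snapshots are constructed sample
data with placeholder IDs.
"""
from collections import Counter


def report(namespace, kind, name, container, vulns):
    """Constructed, trimmed VulnerabilityReport (only the fields this example reads)."""
    return {
        "apiVersion": "aquasecurity.github.io/v1alpha1",
        "kind": "VulnerabilityReport",
        "metadata": {
            "namespace": namespace,
            "labels": {
                "trivy-operator.resource.kind": kind,
                "trivy-operator.resource.name": name,
                "trivy-operator.container.name": container,
            },
        },
        "report": {
            "vulnerabilities": [
                {"vulnerabilityID": vid, "severity": sev, "fixedVersion": fix}
                for vid, sev, fix in vulns
            ]
        },
    }


# Snapshot 1 (yesterday): web runs as ReplicaSet web-6d4f.
YESTERDAY = [
    report("demo", "ReplicaSet", "web-6d4f", "web", [("EXAMPLE-CVE-1", "HIGH", "1.2.1")]),
    report("prod", "ReplicaSet", "api-9c1a", "api", [("EXAMPLE-CVE-2", "CRITICAL", "")]),
]
# Snapshot 2 (today): web was redeployed (new ReplicaSet, same old finding plus a
# new one), a worker appeared in demo, prod is unchanged.
TODAY = [
    report("demo", "ReplicaSet", "web-7a2b", "web",
           [("EXAMPLE-CVE-1", "HIGH", "1.2.1"), ("EXAMPLE-CVE-3", "CRITICAL", "3.0.1")]),
    report("demo", "ReplicaSet", "worker-1f00", "worker", [("EXAMPLE-CVE-3", "CRITICAL", "3.0.1")]),
    report("prod", "ReplicaSet", "api-9c1a", "api", [("EXAMPLE-CVE-2", "CRITICAL", "")]),
]


def finding_keys(reports):
    """Identity of a finding for diffing: (namespace, container, vulnerability ID).

    Deliberately NOT keyed on the ReplicaSet name: every rollout creates a new
    ReplicaSet and therefore a new report, so keying on it would re-announce every
    old finding after each deploy, which is exactly the noise an SRE team wants gone.
    """
    keys = set()
    for r in reports:
        ns = r["metadata"]["namespace"]
        container = r["metadata"]["labels"]["trivy-operator.container.name"]
        for v in r["report"]["vulnerabilities"]:
            keys.add((ns, container, v["vulnerabilityID"]))
    return keys


def severity_by_namespace(reports):
    """Dashboard rollup: {namespace: Counter(severity -> finding instances)}."""
    totals = {}
    for r in reports:
        counts = totals.setdefault(r["metadata"]["namespace"], Counter())
        for v in r["report"]["vulnerabilities"]:
            counts[v["severity"]] += 1
    return totals


def new_by_namespace(previous, current):
    """Alert input: how many findings appeared per namespace since `previous`."""
    fresh = finding_keys(current) - finding_keys(previous)
    return Counter(ns for ns, _, _ in fresh)


def alert_lines(previous, current):
    """One alert line per namespace with new findings; nothing new means silence."""
    return [f'{n} new vulnerabilities in the "{ns}" namespace'
            for ns, n in sorted(new_by_namespace(previous, current).items())]


if __name__ == "__main__":
    for ns, counts in severity_by_namespace(TODAY).items():
        print(ns, dict(counts))
    print("\n".join(alert_lines(YESTERDAY, TODAY)))
```

The same per-namespace counters are what you would export as metrics for the dashboards and alerts listed under Visibility; the diff is what turns a static count into a signal worth paging on.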

Step 8: Either Automate or Educate

Story Time

Step 9: Don’t stop at security scanning

• Sigstore: signing digital artefacts
• Kyverno: policies

Step 10: Keep iterating on your usage of the tools

anaisurl.com

Additional Resources

• Our Application Security Journey (Part 1) by Wise Engineering
• The Aqua Open Source YouTube Channel
• The Trivy GitHub Repository and the Trivy Operator Repository
• The demo project on GitHub
• & You can find us on Slack: slack.aquasec.com

Thanks

@urlichsanais
