Transcript
This transcript was autogenerated. To make changes, submit a PR.
Are you okay? Welcome to this awesome conference. We continue with this talk at Conf42. Thanks for inviting me; it is a big pleasure to be here. So today we talk about adding security to development for reliable continuous delivery. This is me. We start with who Jonathan Gillianipon is. He is a simple human that loves Linux and also loves sharing knowledge around the tech ecosystem. I try to make our lives easier when we develop and deploy on the cloud, locally, or on the internal providers that we have in our countries. It is my passion; I sincerely love doing that. That is my social network handle, JTAN 24, on GitHub, on YouTube and also on X or Twitter. If you want to contact me and add me on LinkedIn, I use johnnypunk. You can find me there. I want to share with you this phrase from Confucius: "Life is really simple, but we insist on making it complicated." That is part of our lives. So, continuing here.
This is our agenda for today. We talk about containerized applications: what exactly they are, how we can use them and address this using the software development lifecycle; the general challenges in container-based apps and what the principal challenge is here; addressing the challenge using the software development lifecycle; a little demo; and a couple of conclusions.

So we start at this part. At this part we talk about containerized applications. But what exactly is a container? A container is exactly how we can encapsulate our process, encapsulate our source code, using the Dockerfile. I think it is the simplest way of doing that: how to use this Dockerfile to split our commands and exactly write the road for our applications, how we can add and use our proper ecosystem, our proper operating system. So at this part we define exactly every step that we need to cover for our packaging. The compilation of source code is one part, and we also have the part of containerization, right? This part of containerization is how we move from our package and how we can support it and start using Docker for that. The second part is: what kind of initiatives are around here? We find exactly the Open Container Initiative, OCI, and this container initiative talks about a couple of values. These values are: decomposable, portable, decentralized, open, minimalist, but backwards compatible. But one of the biggest parts here is around security: how to isolate, sandbox and add cryptography for these containerized applications and generate stronger containers for our application, how to add the detail for this container and generate a layer on the security side. That is pretty awesome.
And we also have a couple of benefits from using containers. The first one is portability: how to use this portability to move this software package pretty quickly from one side to another, from one cloud environment to our bare metal or our centralized definition of our infrastructure. The second one is the agility that we generate for all the teams around that: now we generate this easy way to deploy the application. Another is isolation, because we generate this isolation for the software and generate its network around the containerized application. And we also talk about resource efficiency, because when we generate this container we reduce exactly the consumption of memory, CPU and disk for this piece of software, and how we can drop this all around our orchestration side. So those are a couple of images that I generated using Hugging Face and also DALL-E image generation: how AI generates these images for us and how AI thinks containers actually work.
So when we talk about the lifecycle, we talk about what could be the focus of these benefits or features that we enable. From our side we talk about accelerated development and deployment, which is very awesome, because when we start this containerized move internally in our companies we enable these capabilities for all teams, not just development: for the testing team, the operations teams, and also for DevOps, DevSecOps and SRE or platform engineering around the ecosystem that we have internally. The second one is related to portability and reproducibility. That is awesome because when you generate these Dockerfiles or these container applications, you move your container application from one side, and you can also move this application to another part and deploy it very quickly; that is brilliant. Enhanced scalability and resource efficiency: that is what I talked about previously with CPU, memory and disk. Simplified microservice architecture: when you start using Docker apps for your teams, you enable exactly these capabilities to move very quickly, and you also support the architecture, the principal architecture definition that was made for your teams and by the architecture department behind us, and how you can drop this using the containerized world and support these new capabilities very quickly for all ecosystems and architectural designs, or generate this value for all the teams around the containerized world. Reduced deployment friction, because you generate this and generate more repeatable software; streamlined testing and quality assurance, because you drop these pieces of software and you can test them pretty quickly and generate these movements internally very easily. Enhanced security and compliance, which is the focus that we talk about in the next slides. Improved collaboration and communication, because you reduce the communication side and you also involve all the capabilities on the DevOps side.

And when we add this DevOps culture inside, we add the security part. We enable these capabilities for all teams: how they work for all, how we can generate and reduce this friction from one side to another, how we can talk more efficiently and generate more quality software for our ecosystems and deploy more easily, and also reduce this friction for all teams, and also reduce cost. Because when you reduce exactly your scope and you generate this in a minimal way, you generate this reduction all around; that could be when you start using DevSecOps practices in the software development lifecycle. But you need to talk about that inside your company, because when you define this you also need to move it internally in the company, and it is not easy to sell something like that. Because when companies start to generate this DevOps move and DevOps culture, it is not easy to sell it to them, because they have to open their mind, and this mindset is very difficult to sell at the beginning.
So we support here all these capabilities for the software development lifecycle using these phases: development, deployment and also operation. Because when we define this from one part, the development side, we enable these capabilities for the development team. But what happens with the development team also using the Dockerized application: they have the capability to deploy, explore and expose this source code internally on their computers. But what happens when we move this to "hey, we need to deploy that to a development environment, or a QA environment, or a testing environment, lower environments, and also production"? That is the next challenge here. And also, when I deploy the application I need to start operating it. When we start the operation of this application we need to generate these capabilities for all ecosystems, right? Because the IT guys need to take these features, and how can they access these capabilities? How can we enable these capabilities for the Dockerized apps? How can we enable that using software around that, right? So what is the challenge here?
The general challenges here are related to image vulnerabilities, misconfiguration, supply chain attacks, and also identity and access management. You see here in the image the OWASP Top Ten that is related to Docker. And when you start with Docker, you start talking about the security side: how you can drop this security for the whole blast radius that the Docker images you have for the containerized application carry. You need to identify exactly what your security posture is, and how to use this security posture to generate the roadmaps and the plans for doing that, right? You need to take a look at this more in depth, but this talk is about image vulnerabilities, misconfigurations, supply chain attacks, and identity and access management.

So for image vulnerabilities we talk about one side that is the principal and the first part to start with: the checks that relate to how we can generate and reduce this blast radius using the image vulnerabilities. Because the impact of image vulnerabilities is exactly how they can access our operating system or the runtime side, or how they can gain access to the containerized application, and also how they can get data from these containerized apps. Also, you need to reduce these attacks using exactly the image vulnerabilities. But how can you reduce that? We talk more about that in the next slides. But image vulnerabilities are the weaknesses or flaws that a container image has at the moment when you deploy the application, right? So you can generate this and you can also reduce these vulnerabilities using scans behind us. So we talk about one tool that we use in the demo side, and that is one side. The other part is the software components that you have around this image that you build for the application. Because internally your application has one part for the operating system, a second part related to the runtime around your application, and the third one is the application itself by default. So you have three action items here to protect. How can you protect these items when you prepare and generate this image for your site? Right? So we need to talk and identify exactly this vector from the definition from the Docker side or the containerized side.
The second one is related to misconfiguration. These misconfigurations are related to how the applications generate, or could be the development team generates, or could be forgetting to remove secrets or something like that, for the containerized world. When you use these misconfigurations and you identify them, you need to take a look at these misconfigurations. You need to validate exactly what kind of misconfigurations you need to cover, because you need to explore tools behind us. But these misconfigurations are related to: hey, how can they access these misconfigurations? It could be a misconfiguration generated by default from one Ubuntu image or Debian image or something like that, and also exposing more ports than I need; for example, you expose port 22, which is related to SSH, and also, I don't know, it could be exposing on a public site the SSH key for access to this Docker or containerized app. That is the part of the misconfiguration that you need to cover here. And also, how can you exactly identify this network exposure? How can you identify the insecure file definitions internally for this containerized app? How can you address this using a couple of pieces of software behind that, validated by the community? For another part, you define the unsecured container registry, and how you can drop and identify what happens with this registry. And also, if you expose the configuration, the users and passwords for access to it, how they can gain access to this repository and copy and change the image and tag from your site and generate an evil image; that is related to the image vulnerabilities. This generates a very big impact when the application is deployed, because the application, or could be your system, is exposed in an unauthorized way through these misconfigurations: could be for the database, or for your registry, or for the data access. When you identify that, you take a look: hey, I have this compromised world and I need to take a deep look at this position and how we can reduce this part of the misconfiguration side.
The other one is supply chain attacks. For supply chain attacks we also need to define exactly how these attacks target the software development lifecycle, how they could compromise the containerized application. In this context the attacker could take and modify our code, generate this on the fly, and generate this process internally for the Dockerized app and also for the final product that you deliver to your customer: generate an evil package of software, and take data from your customers, obtain and get this data from your customer. That is pretty weird, because your customer could say: hey, I got my data out of your application, and just share with you what happened here. Then they could escalate that to you on the security side. So you need to cover that from day zero, from the start, when you deploy this application for your customer, right? So the objective here, when we talk about supply chain attacks, is also to validate exactly what happens when this compromised application is in our apps. What kind of security definition do we define internally for our companies? How do these companies define exactly what happens with this definition when they are not the target of the supply chain attack related to containerizing, and also when they access this application, also through our source code, they can execute malicious code on the customer side. That is the biggest challenge here: how we can reduce this blast radius, and how we can reduce it and generate a culture internally for our teams to reduce exactly what happens here. Another part is the impact of these supply chain attacks, which is related to data breaches, application disruption, privilege escalation and damage to our reputation. Because when you expose, or they take, data from your company or our companies, it is very difficult to try to regenerate our reputation with our customer, right.
On the other hand, we have identity and access management, which is related to how the containerized app accesses other components internally and externally. How can we reduce this blast radius? How can we exactly define for the container image the definitions for this access to the other components around our software? For one part we define resource access control lists: how they can access and generate granular access to other mechanisms and permissions associated with other resources. Attribute-based access control provides a more flexible approach to access control, evaluating attributes of users and containers. And also, if we deploy using Kubernetes, for example, we can enable RBAC, that is role-based access control: how we can reduce this access for another set of components around Kubernetes. And another part of the challenge here is related to scalability, complexity and visibility. Because when we drop this part of the containerized piece of software, we define exactly this little piece of software, and this piece of software will grow and reduce these capabilities when the software grows to explore more for those customers, right? So we need to address the challenge in the next topics. That is another image related to AI, related to this challenge that we need to talk about in the software lifecycle. So on one side we need to identify very quickly the vulnerabilities, and also the misconfigurations, supply chain and IAM enforcement.
And how can we address this using tools internally? Because when we talk about DevSecOps based on DevOps, we talk from one focus that is related to pipelines. When you define these pipelines for the company, you enable exactly the capabilities for your software to deploy more easily. But it should not exactly deploy pretty quickly without quality, or deploy unsecured software. The definition internally for DevSecOps: when you generate these pipelines you enable other capabilities for the software pieces that you deploy every day, or every hour, or every minute, and you add these security capabilities too for the software that you deploy, right. So for this challenge we can explore these tools around the CNCF too. That is related exactly to the security side; it is taken from the CNCF that we talked about at the beginning of this talk, the Cloud Native Computing Foundation, and they focus on current tools that are built by the community, for the community, and also ones that are part of one vendor or another vendor, or could be from one cloud provider or something like that. But you have these tools and you can explore, depending on your needs, exactly how you add these tools to your pipelines or software development lifecycle, depending on the phases that you currently have for deploying software. So we can move very quickly to the demo. This demo is related to how we can explore a couple of these pieces of software here. Let us move here to the demo side.
Let me move to that, and also drop here, close this, and we can open the README, right. So we have this repository, Conf42 23 DevSecOps, and we have here exactly the step by step to generate one image here, and you can use this using, I don't know, could be Docker or Podman or another container application that you currently have in your company, and start with that, right. So we suppose that you have a pipeline here and you clone exactly the PetClinic here and you download it here. I currently downloaded this source and just went into this folder and moved inside. And also I need to create this Docker image using the Dockerfile. Create a Docker image, and we can also enable this and execute this part for the applications. But we don't exactly need to run that, and we check this: in the PetClinic we have two Dockerfiles. One Dockerfile is related to compiling the application using Maven, using internally the configuration for Java that is a pom.xml, and we define exactly here that we move or copy all the related source code here, and when the runtime starts it compiles this code and starts the execution, right. But we have exactly the other Dockerfile, the multi one. When you use Dockerfiles you can define multi-stages here, and you can reduce exactly the blast radius using this multistage part; and we have the first part very similar to the previous one, but we have here another phase: we have here the production side, and from build, that is this part, we package exactly this base from the source code and generate the JAR packages from Spring PetClinic. And we also reduce the blast radius already, because in this part we just generate the JAR definition and not exactly the whole source code that we have here. So we generate a couple of images here: we generate the first part that is related to petclinic, and we generate here the petclinic mini using exactly the Dockerfile mini multi file, or generate that, and also if we run here `docker images` and filter for petclinic we have here this couple of images, the petclinic app mini and the petclinic app. And also if we check the size of each one, we see here exactly the image size from one side and the other, right? And we identify exactly that the petclinic mini app is the smaller image here, for one site. If you validate, or try to validate, your Docker deployments, you can start with this validation site. That is the first scan that you need to execute for your operations infrastructure, because this is part of your current definition on the Docker side.
So at this part we define the container that runs against our current installation of Docker, and we also mount /etc from the operating system, in my case my Arch Linux, inside the container, and that mount is read-only, and we also mount the container application read-only. Also runc, systemd, and here /var/lib and the Docker socket, which this container needs for its execution; that is related to docker-bench-security, and this also generates these awesome results for your Docker configuration, and you can check this one about what happens internally in your configuration and provisioning on your infrastructure side, and validate exactly what happens if your Docker was misconfigured, right. That is one part of the misconfiguration for your Docker, and also, if you generate this unconfigured installation for your Docker, you can move to my side: it proposes this for TLS, because I opened my port because I use it for other POCs, but I don't enable TLS communication, I just opened plain communication for my Docker side. So you can check this and also validate exactly what happened with this one. And if you want or need to check exactly your move, it depends on your posture, and also depends on your time, on your team's time, to generate and reduce these lags in the security posture.
That is one side. The second part here is related to misconfiguration detection, and we also generate it for the PetClinic application. If you remember, we generated two images: one image is related to the PetClinic that contains the whole source code, and we validate here this part, validating this image, and we also validate another image that is related to the PetClinic mini, right? When we see these files that are here and compare these files, compare selected, we see here a couple of differences from one side to the other. But in general they are the same image when we build the images, and we also have the same results here, right? Because the PetClinic and the PetClinic mini are defined using an Ubuntu base, and this Ubuntu base is also affected by this CVE, and if you want to validate what the CVE is you have here the link to validate that, and if you check here we can show exactly what the severity is for this. In this case it is low, and also if you drop here we can find another medium, but not at a high level, right? So that is one part, how you can generate these misconfigurations for your application, right?

Another part is related to vulnerability detection, because you have the misconfiguration detection side, but for the vulnerabilities this generates one report, and you can also move it for your application and drop it here for your security team, and then it will be generating a couple of alerts here. But when you use Snyk, that is very similar: we can create here one folder and move inside this folder, we download Snyk for Linux and add the executable permissions, and I also just generate this path, adding this folder to the current PATH to execute, and we execute exactly in this part the latest images that we generated internally, or generate this report internally for the Snyk account, right. When we send and execute this command here, previously for this Snyk authentication, it generates and connects your terminal with the Snyk account. And also if we move very quickly here to the Snyk website, we see here the login, and we also see here our dashboard, and we have internally here the two projects, the PetClinic app and the PetClinic mini, and we see here exactly the target OS. When we change to this, it is the same OS here, and if we move to these results we have 40 issues from one side here, 40 issues too, and we also have some medium and none low, the same, because the image that we scan at this moment is the same; we just reduce exactly the size, but the image, when we define it for the Docker side, let me move here, we define for our Docker side for this file, and the other has the same base, that is eclipse-temurin. This eclipse-temurin, we found, is based on Ubuntu, right? So we continue here.
We can also execute Clair definitions, and sincerely I tested this on my side and it was very unstable, because I need to generate more space on my disk so I can continue with this POC. But when we start with supply chain and IAM enforcement, we generate here a lot of comments around that, because these tools generate these reports, and when you generate these reports you can also enable the capabilities for your team or something like that. So you need to start with how you can verify the image and the provenance of this image. In this case we generate it using the Dockerfile: scan containers and images. We can check a strong pipeline, and we can also access here and include access control, code reviews and vulnerability scanning, and we check: educate your development teams. That is the biggest task here, because it doesn't depend exactly on the tools; it starts to depend exactly on the teams, and that is very difficult from outside. Another part is adding monitoring activity, and another part that I sincerely love is how you can monitor, engineering observability for the different components around the teams, and you can add it here. This part depends on how you deploy the application and how you use this application: how you can explore your application and generate this observability stack for this application. And when we move to IAM enforcement we define here the least privilege principle, and if you see here the references, later in the talk I dropped a couple of links around the Docker side and also OWASP, and they mention how you can generate this using least privilege and generate groups internally in your operating system, what kind of user executes the application, centralized IAM (how you can generate this access for the other components around the application), continuous authorization, audit and monitoring, then again monitoring, and monitoring your application, which is one part to identify exactly, in a predictable way, when you start with the DevSecOps side, and automating this IAM task to validate exactly what kind of access the application has to other components set up for this. So we can return here, and also return to the slides, and continue here.

So our conclusions: reliable continuous deployment. We have this reliability when we enable these security tools, and also if we drop these tools and add them to the software development lifecycle and to the pipeline, it is pretty awesome, because you generate and reduce the scope of these security vulnerabilities in your teams, and you can also stop this misconfiguration, stop this with IAM enforcement, and stop and reduce this blast radius for all. The principal challenge that we have internally for the software development lifecycle, and when you deploy the application, is generating the commitment of our teams; that again comes back to the teams, and how they access the security side and access the security training internally and start the security culture in our teams. It is very difficult. I think this is the latest conclusion, because when you involve the teams it is pretty difficult, because not all dev teams are open to starting this journey. When you start with the security side, right, you start first with the tools, but you need to involve exactly the teams to make your work easier, because at the end of the day it is the company's value, and you need to make it more valuable using these components around that. So a brief resume for today: we talked about the continuous software lifecycle, what kind of containerized applications there are and the software development lifecycle, the general challenges here, addressing the challenge using the software development lifecycle, the Cloud Native Computing Foundation, the glossary about the tools and how these open source tools are enabled for us, and validating what kind of components we can check from the community. And you can also join this little survey, please, if you can help me; I would appreciate it a lot if you could take one minute to fill that in. Also for today, thank you for joining this session. I am pretty happy to be here, so I appreciate this time with you, and also the Conf42 team: thanks for inviting me and also for doing this today. Better, let me return here and share with you this reference exactly that I talked about, the OWASP one that is related to this. Let me move here to the Top Ten, and you can access this, and you can check exactly what kind of component you can drift for your container-based applications, and that's it for today. Thank you very much for attending this talk. Thank you.
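The demo above builds the PetClinic images and then runs docker-bench-security and Snyk against the result; the misconfigurations the talk names (port 22 and SSH keys in the image, secrets in the configuration, the application running as root, an unpinned base image) can also be caught in the Dockerfile itself before `docker build` runs. This is an added example, not code from the talk or from the speaker's Conf42 repository: a POSIX sh/awk check with two constructed Dockerfiles, one showing the misconfigurations and one hardened in the shape of the demo's multi-stage Maven build; the image tags it uses are assumptions.

```shell
#!/bin/sh
# Added example (not code from the talk or its repository): a Dockerfile
# misconfiguration check for a CI step that runs before "docker build".
# It reports the problems the talk lists: an untagged or :latest base image,
# EXPOSE 22, SSH keys copied into a layer, secrets in ENV, and no non-root USER.

# lint_dockerfile FILE: prints one finding per line; prints nothing when clean.
# Assumes a plain Dockerfile (no "FROM --platform=..." flags) and POSIX awk.
lint_dockerfile() {
    awk -v file="$1" '
        $1 ~ /^#/ || NF == 0 { next }          # skip comments and blank lines
        { ins = toupper($1) }
        ins == "FROM" {
            user = ""                          # USER does not carry over between stages
            img = $2
            if (toupper($3) == "AS") stages[$4] = 1
            if (img == "scratch" || (img in stages)) next   # not a registry image
            if (img !~ /:/ || img ~ /:latest$/)
                print file ": base image " img " is not pinned (untagged or :latest)"
        }
        ins == "EXPOSE" {
            for (i = 2; i <= NF; i++)
                if ($i == "22" || $i == "22/tcp")
                    print file ": EXPOSE " $i " publishes SSH from the container"
        }
        (ins == "COPY" || ins == "ADD") && $0 ~ /(id_rsa|id_ed25519|\.ssh|\.pem)/ {
            print file ": " $1 " puts key material into an image layer"
        }
        ins == "ENV" && toupper($0) ~ /PASSWORD|SECRET|TOKEN/ {
            print file ": ENV embeds a secret in the image metadata"
        }
        ins == "USER" { user = $2 }
        END {
            if (user == "" || user == "root" || user == "0")
                print file ": final stage sets no non-root USER (the app runs as root)"
        }
    ' "$1"
}

# dockerfile_is_clean FILE: exit status for a pipeline gate (0 = no findings).
dockerfile_is_clean() {
    [ -z "$(lint_dockerfile "$1")" ]
}

# count_findings FILE: prints the number of findings, "0" for a clean file.
count_findings() {
    lint_dockerfile "$1" | awk 'END { print NR }'
}

# write_sample_dockerfiles DIR: two constructed samples. Dockerfile.bad shows the
# misconfigurations; Dockerfile.hardened follows the shape of the demo's
# multi-stage Maven build and adds a non-root user (image tags are assumptions).
write_sample_dockerfiles() {
    cat > "$1/Dockerfile.bad" <<'EOF'
FROM ubuntu:latest
RUN apt-get update && apt-get install -y openssh-server openjdk-17-jre-headless
COPY id_rsa /root/.ssh/id_rsa
ENV DB_PASSWORD=petclinic
COPY target/spring-petclinic.jar /app/app.jar
EXPOSE 8080 22
CMD ["java", "-jar", "/app/app.jar"]
EOF
    cat > "$1/Dockerfile.hardened" <<'EOF'
FROM maven:3-eclipse-temurin-17 AS build
WORKDIR /src
COPY pom.xml .
COPY src ./src
RUN mvn -q package -DskipTests

FROM eclipse-temurin:17-jre
RUN groupadd --system app && useradd --system --gid app --no-create-home app
WORKDIR /app
COPY --from=build /src/target/*.jar app.jar
EXPOSE 8080
USER app
ENTRYPOINT ["java", "-jar", "app.jar"]
EOF
}

# Stand-alone run: lint both samples and show the findings.
samples=$(mktemp -d)
write_sample_dockerfiles "$samples"
for f in "$samples/Dockerfile.bad" "$samples/Dockerfile.hardened"; do
    echo "== $f"
    lint_dockerfile "$f"
done
rm -rf "$samples"
```

In a pipeline, `dockerfile_is_clean Dockerfile || exit 1` before the build step fails the job on any finding; the scans from the demo (docker-bench-security, Snyk) still run afterwards, since this check only sees the Dockerfile, not the base image's own packages.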