5. WHAT DO WE GET FROM DEVSECOPS
• Predictable: control over the environment
• Traceable: provides auditing
• Trusted: scanned and signed artifacts
• Consistent: avoids configuration drifts
8. STARTING ON A SOLID FOUNDATION: TOOLS AND PRACTICES
Quality and security cannot be injected: they need to be embedded in the code.
• TDD
• OWASP Top 10 https://owasp.org/
• Spring Cloud Contract
• Static Application Security Testing
• Code analysis
Stage: Test
11. SECURITY OF CONTAINERS STARTS WITH A SECURE BASE IMAGE.
Control over the bill of materials:
• Source code
• Dependent libraries
• Base OS
Reduce time to rebuild
Reuse components
Apply CVE patches
Stage: Build
13. SECURITY OF CONTAINERS STARTS WITH A SECURE BASE IMAGE
• Based on CNBP
• Best practices in each ecosystem
• Base images for build and run
• Constantly updated
Stage: Build
14. IMAGE SCANNING AND SIGNING
• Role-Based Access Control (RBAC)
• LDAP/AD Integration
• Image Vulnerability Scanning (Clair)
• Notary Image Signing
• Policy-Based Image Replication
• Graphical User Portal & RESTful API
• Image Deletion & Garbage Collection
• Auditing
Diagram: Clair (scan), image registry, Notary (sign), image replication.
Stages: Scan, Sign
15. MESH SOLUTION FOR MULTI OR HYBRID CLOUD: SERVICE MESH
The Tanzu Service Mesh platform addresses a multitude of connectivity and security use cases in hybrid cloud environments.
Global Name Space: extends traffic control, security and observability across clusters and IaaS.
Global control plane: controls many data plane Istio deployments and manages the lifecycle of Istio from onboarding to Day 2 and Day 3 operations.
Security: extends workloads' trusted identity across multiple clusters and clouds.
Stages: Deploy, Monitor
17. DEMO
o Push change to git
o Automatic build
o Automatic test (JUnit + Testcontainers)
o Automatic image scanning + signing
o New version rollout (canary style)
o Metrics collection
o Automatic promotion/rollback
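The scan-then-sign gate in the demo pipeline above (and on the Clair/Notary slide), as an added example that is not part of the original deck: a small policy check that reads a simplified, constructed Clair-style report and decides whether the image may be signed and promoted. The severity ordering, the time-boxed waiver list and the placeholder CVE ids are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Clair-style severity scale; the ordering is an assumption of this example.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class Finding:
    cve: str                        # identifier as reported by the scanner
    severity: str
    package: str
    fixed_in: str | None = None     # None: upstream has no fixed version yet


@dataclass
class Policy:
    max_severity: str = "Medium"                               # anything above blocks
    exceptions: dict[str, date] = field(default_factory=dict)  # CVE -> waiver expiry


def evaluate(findings: list[Finding], policy: Policy, today: date) -> tuple[bool, list[str]]:
    """Return (may_sign, reasons). A finding blocks signing when its severity
    exceeds the policy limit and no still-valid, time-boxed waiver covers it;
    expired waivers are reported explicitly so they cannot silently linger."""
    limit = SEVERITY_RANK[policy.max_severity]
    reasons = []
    for f in findings:
        if SEVERITY_RANK[f.severity] <= limit:
            continue
        expiry = policy.exceptions.get(f.cve)
        if expiry is not None and today <= expiry:
            continue                    # accepted risk, still inside its review window
        why = "waiver expired" if expiry else "no waiver"
        fix = f"fix available: {f.fixed_in}" if f.fixed_in else "no fix yet"
        reasons.append(f"{f.cve} {f.severity} in {f.package} ({why}; {fix})")
    return not reasons, reasons


# Constructed sample scan result; the CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = [
    Finding("CVE-0000-0001", "Critical", "openssl", fixed_in="3.0.13-1"),
    Finding("CVE-0000-0002", "High", "libxml2"),
    Finding("CVE-0000-0003", "Low", "bash"),
]
SAMPLE_POLICY = Policy(exceptions={"CVE-0000-0002": date(2030, 1, 1)})


def gate_sample(today: date = date(2025, 1, 1)) -> tuple[bool, list[str]]:
    """Run the gate on the constructed report; returns the decision and reasons."""
    return evaluate(SAMPLE_REPORT, SAMPLE_POLICY, today)
```

Calling `gate_sample()` blocks the sample image on the unwaived Critical finding; re-running it with a date after the waiver expires also reports the High finding, which is the behaviour you want so that accepted risks are revisited rather than forgotten.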
18. CONCLUSIONS: SHIFT LEFT TO
• Reduce risks
• Maintain developer speed
• Embed compliance in the pipeline's stages
• Improve observability
• Avoid configuration drifts
19. NEXT STEPS FOR A COMPLETE COVERAGE
• Tools to manage at scale
• Cluster security
• System observability