
Empowering the Guardians of Your Code Kingdom

2023-02-15

Authors: Gabriel L. Manor


Summary

The talk discusses the importance of maintaining good security hygiene for large mono-repos by adopting the hierarchical repo model and using a combination of static analysis tools and Open Policy Agent (OPA) to enforce security policies on the code itself without compromising developer velocity.
  • Comparison of the OWASP Top 10 lists from 2003 and 2023 to show how applications have shifted over the years
  • The most effective way to avoid an insecure application is not to deploy it
  • The need for a permission model and policy engines to streamline access control and decision-making
  • Open Policy Agent (OPA) as a popular policy engine that is configured using the Rego language
  • The importance of writing queries to understand the permissions we want to grant for each deployment process
  • Illustration of a simple deployment process using OPA and queries
The speaker shared a story about the old days of deployment where a single credential could deploy everything, leading to insecure practices. He emphasized the need for a permission model and policy engines to streamline access control and decision-making, and how Open Policy Agent (OPA) can be used to enforce security policies on the code itself without compromising developer velocity.

Abstract

When it comes to repo protection and security, we often face a tradeoff between two extremes: general rules that cause a lot of friction and reduce velocity, or GitOps policy tools that provide little coverage for the code itself.

In the context of the age-old mono vs. multi-repo debate, it is actually much harder to secure the mono repo (due to its size and complexity), and all too often developers will choose velocity over security. A good way to maintain good security hygiene for large mono-repos is to adopt the hierarchical repo model, which enables the enforcement of policy and access control for specific code folders. This means DevOps can be sure no one has overly privileged access to IaC, and developers can ensure greater quality and security than simple git checks provide.

In this talk we'll demo, with a working code example, how to build custom policies and rules using a combination of static analysis tools and Open Policy Agent (OPA), git actions and native git tools to enforce security policies on the code itself without compromising developer velocity.
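As an added example, not taken from the talk or its materials, here is a Rego policy for OPA that implements the folder-level ownership the abstract describes: a change under an owned folder (such as IaC) is denied unless the author belongs to one of that folder's owning teams. The `owners` map, the team names, and the `input` shape (`author`, `author_teams`, `changed_files`) are assumptions for this example.

```rego
package repo.hierarchy

import rego.v1

# Folder ownership for the hierarchical repo model. Constructed example values;
# the talk does not publish its own map.
owners := {
	"infra/": {"devops"},
	"deploy/": {"devops", "release"},
	"src/": {"backend", "frontend"},
}

default allow := false

# A change is allowed only when no deny reason fires.
allow if count(deny) == 0

# Every changed file under an owned folder must come from a member of an owning team.
# Paths outside any owned folder are not restricted by this policy.
deny contains msg if {
	some path in input.changed_files
	some folder, teams in owners
	startswith(path, folder)
	not author_in(teams)
	msg := sprintf("%s is owned by %v; %s is not a member", [path, teams, input.author])
}

author_in(teams) if {
	some team in teams
	team in input.author_teams
}

# Unit tests, runnable with `opa test .` in the policy directory.
test_devops_may_change_iac if {
	allow with input as {"author": "dana", "author_teams": ["devops"], "changed_files": ["infra/main.tf"]}
}

test_frontend_may_not_change_iac if {
	not allow with input as {"author": "fred", "author_teams": ["frontend"], "changed_files": ["src/app.js", "infra/main.tf"]}
}

test_unowned_paths_are_open if {
	allow with input as {"author": "anyone", "author_teams": [], "changed_files": ["docs/README.md"]}
}
```

Wiring this into a pull-request check means building `input` from the PR's changed file list and the author's team memberships, then querying `data.repo.hierarchy.deny` so the failing check reports the exact path and missing team.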

Materials: