Authors: Aakash Shah
2022-11-18

Infrastructure-as-code adoption continues to grow as more organizations seek to automate deployments and better manage the complexity of their cloud applications. Increasingly, development teams are taking ownership of IaC for their application as the boundaries between the application and infrastructure layers continue to blur in the cloud. Terraform (more accurately, the HashiCorp Configuration Language (HCL)) is one of the most widely used infrastructure-as-code (IaC) languages at the forefront of this transformation, with over 100M open-source downloads.

There are a lot of public Terraform projects available to developers to quickly learn and build from. Terraform also offers modules, an abstraction that allows infrastructure developers to write modular and clean code, allowing them to accelerate development and better maintain this code. And there are many community-driven open-source Terraform modules available for developers to reference in their Terraform code to quickly design and deliver changes to infrastructure.

As of today, there are over 90k public repositories on GitHub with Terraform (HCL) code and over 15k open-source Terraform modules. As an infrastructure developer, if you utilize a community Terraform module or build from an existing example, how can you be assured that your infrastructure design will meet your security needs? What steps do you need to take to ensure that your cloud-native deployment is both secure and compliant?

We used automation to assess public Terraform repositories and modules across GitHub to identify the most common security gaps against industry best practices. We selected best practices based on Cloud Service Provider reference architectures, Cloud Security Alliance, CIS benchmarks and OWASP. To limit the scope, we focused on Terraform for AWS and Azure resources. In this talk, we will share results of this assessment and provide lessons learned. Since this is OWASP, we'll present the top 10 classes of security issues we found. We will then discuss security best practices for using community Terraform modules and building your cloud architectures from public Terraform repositories.
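To make the "automation to assess public Terraform" step concrete, here is a small Python scanner added as an illustration; it is not the speakers' tooling and does not reproduce their top-10 list. It uses only the standard library: a brace-matching walker splits top-level HCL blocks, and a handful of CIS-style AWS checks run over each block (unpinned community modules, SSH open to the world, a public S3 ACL in the legacy in-resource `acl` argument, and an unencrypted or publicly accessible RDS instance). The sample HCL, the `example-org` git source and the check names are constructed for the example.

```python
"""Illustrative Terraform (HCL) misconfiguration scanner (added example,
not the talk's tooling). Stdlib only: a brace-matching walker splits
top-level blocks, then a few CIS-style AWS checks run over each block.
The sample HCL at the bottom is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Top-level headers:  module "x" {   |   resource "type" "name" {
HEADER_RE = re.compile(
    r'^[ \t]*(module|resource|data)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{', re.M)


@dataclass
class Finding:
    check: str   # short check identifier (names chosen for this example)
    block: str   # Terraform address of the offending block
    detail: str  # what was matched


def split_blocks(hcl: str):
    """Yield (kind, labels, body) per top-level block. Brace counting
    assumes balanced braces, which holds for normal HCL including ${...}."""
    for m in HEADER_RE.finditer(hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        labels = [lab for lab in m.groups()[1:] if lab]
        yield m.group(1), labels, hcl[m.end():i - 1]


def attr(body: str, name: str) -> Optional[str]:
    """Raw right-hand side of a `name = value` line in the body, or None."""
    m = re.search(rf"^[ \t]*{name}[ \t]*=[ \t]*(.+?)[ \t]*$", body, re.M)
    return m.group(1) if m else None


def scan(hcl: str) -> List[Finding]:
    out: List[Finding] = []
    for kind, labels, body in split_blocks(hcl):
        addr = ".".join(labels if kind == "resource" else [kind, *labels])
        if kind == "module":
            # Community modules should be pinned: registry sources need a
            # version constraint, git sources need a ?ref= (ideally a commit).
            src = attr(body, "source") or ""
            local = src.startswith(('"./', '"../'))
            git = src.startswith('"git::') or "github.com" in src
            if git and "?ref=" not in src:
                out.append(Finding("unpinned-module", addr, "git source without ?ref="))
            elif not git and not local and attr(body, "version") is None:
                out.append(Finding("unpinned-module", addr, "registry source without version"))
        elif kind == "resource":
            rtype = labels[0]
            if rtype == "aws_security_group":
                for ing in re.finditer(r"ingress\s*\{(.*?)\}", body, re.S):
                    rule = ing.group(1)
                    if '"0.0.0.0/0"' in rule and re.search(r"from_port\s*=\s*22\b", rule):
                        out.append(Finding("ssh-open-to-world", addr, "port 22 from 0.0.0.0/0"))
            elif rtype == "aws_s3_bucket":  # legacy in-resource acl argument
                acl = attr(body, "acl")
                if acl in ('"public-read"', '"public-read-write"'):
                    out.append(Finding("public-bucket-acl", addr, f"acl = {acl}"))
            elif rtype == "aws_db_instance":
                if attr(body, "storage_encrypted") != "true":  # provider default is false
                    out.append(Finding("rds-unencrypted", addr, "storage_encrypted is not true"))
                if attr(body, "publicly_accessible") == "true":
                    out.append(Finding("rds-public", addr, "publicly_accessible = true"))
    return out


# Constructed sample: one clean module (alb) and several deliberate gaps.
SAMPLE_HCL = '''
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"
}
module "alb" {
  source  = "terraform-aws-modules/alb/aws"
  version = "~> 8.0"
}
module "cluster" {
  source = "git::https://github.com/example-org/terraform-cluster.git"
}
resource "aws_security_group" "bastion" {
  name = "bastion"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "public-read"
}
resource "aws_db_instance" "app" {
  engine              = "postgres"
  publicly_accessible = true
}
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_HCL):
        print(f"{f.check:18} {f.block:28} {f.detail}")
```

Running it on the sample reports six findings (two unpinned modules, the open SSH rule, the public bucket ACL, and two RDS issues) and nothing for the pinned `alb` module. A real assessment would use a proper HCL parser and a maintained rule set, but the shape is the same: parse blocks, normalise attributes, and compare against a benchmark-derived checklist before the module is referenced in production code.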
Authors: Jerome Kuptz, Ameen Radwan
2022-10-28

tldr - powered by Generative AI

Cello is a cloud-agnostic tool that abstracts the nitty-gritty parts of deployment away from developers, allowing them to use tools like Jenkins and GitHub to create their resources or application code.
  • Cello was developed to support Intuit's 6,000 engineers who traditionally picked their own deployment mechanisms.
  • The tool abstracts the credential provider and token rotation processes away from developers.
  • Developers interact with Cello through tooling within Jenkins and an onboarding UI, and mostly interact with GitHub and their code.
  • Cello's long-term plan is to support multiple Cloud providers, but currently only supports AWS.
  • Future plans for Cello include a user interface for easier deployment and operation processes.
Authors: Jesse Sanford, Jason Hall
2022-10-26

Secure software supply chain practices have begun to permeate all aspects of software development. But what about the orchestration of our infrastructure? With the proliferation of infrastructure as code, many of the same threats posed to software supply chains are also threats to our IaC ecosystems. IaC provides clear advantages to platform teams, bringing uniformity and productivity to developers, but with the great power bestowed to it, it also presents a juicy target for supply chain attacks, often while no one is looking. It's only a matter of time before our Site Reliability Engineers will need to defend against the same attack vectors as their Software Engineer counterparts. How can DevSecOps practitioners learn from the patterns and practices being developed by projects like SLSA? Can IaC pipelines build on tooling like Sigstore and in-toto? This talk covers the application of software supply chain security principles to modern IaC pipelines. Jesse and Jason discuss design changes to the Crossplane package management system and its forthcoming integration with Sigstore, enabling IaC provenance and attestations. Finally, a demo showcasing the equivalent of "admission control" for IaC will provide inspiration for further work on Secure IaC Supply Chains.
Conference:  CloudOpen 2022
Authors: Ran Regenstreif
2022-06-22

tldr - powered by Generative AI

The talk focuses on utilizing open source security tools to reduce threats and risks in cloud systems, environments, and products. The speaker emphasizes the importance of a programmatic approach to security and shifting left.
  • Shift left movement empowers developers with security tools and processes
  • Open source security tools are important in minimizing risks
  • A broader set of risks should be considered when selecting tools
  • Utilizing a toolkit and tool belt can help minimize risks
  • Programmatic approach to security is crucial