
Session Name: Avoiding IAC Misconfiguration (On Multiple Platforms)

Infrastructure as Code (IaC) makes deploying cloud or container configurations faster and more scalable. Whether you are launching a microservice into a Kubernetes cluster or building an entire AWS virtual infrastructure, IaC can automate the deployment. By building repeatable templates you can also ensure that deployments happen exactly as you designed them, every time. However, errors in infrastructure configuration are now regarded as the second biggest cause of data breaches. There are many ways to hand adversaries an advantage through security misconfigurations: overly permissive storage volumes, unauthenticated database access, and ports left open to the internet have all been the cause of compromises. The solution? Treat your infrastructure code the same way you treat your application code. During your build process, use tools to scan for infrastructure misconfigurations; when you find them, raise alerts or even break the build. While there are a few tools aimed at a single IaC platform, in practice DevOps teams use a variety of IaC platforms. Our approach is to handle all of your IaC platforms from one tool and save you multiple scans. In this session, we will discuss common types of IaC misconfiguration (general and platform-specific) and demonstrate how the KICS open-source security tool can help you avoid them.

Session Name: Software Supply Chain Aspects in Infrastructure as Code, and How To Secure It

KICS is an open-source project created to help Keep Infrastructure as Code Secure (https://kics.io/). With today's DevOps best practices, we see a lot of reuse of other people's IaC snippets and templates (e.g. Helm charts), which in turn makes IaC vulnerable to the same problems we see in software packages and their dependencies.
How often do developers or DevOps engineers read the Dockerfile they just reused, go through the files of the Helm chart they just applied to Kubernetes, or make sure they used the official node.js / python container instead of taking the first result available on Docker Hub?
We anticipate that in the future we will see more and more of the risks we already know from the software dependency world applied to the IaC world, which pushes the risk down to a much lower level of your software stack.
This session will discuss those risks, and how to leverage IaC scanning to avoid software supply chain problems in your infrastructure.
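Both abstracts describe the same build-time control: scan IaC files for known-bad settings and fail the build when a finding crosses a severity threshold. The block below is an added example written for this page, not KICS code or any of its queries. It runs a toy checker over three constructed inputs (a security-group rule set, a Kubernetes Pod manifest and a Dockerfile) and flags the misconfigurations the first abstract names (ports open to the internet, privileged containers) together with the supply-chain issues the second abstract raises (base images that are not Docker Hub official images, or are not pinned to a tag or digest). The rule names, severities and sample inputs are all assumptions made up for the illustration.

```python
"""Toy build-time IaC checker (example code for this page, not KICS)."""
import re

SEVERITY = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}
ADMIN_PORTS = {22, 3389}  # assumption: SSH/RDP are the admin ports we care about

# Constructed sample inputs; they do not come from any real project.
SECURITY_GROUP = {
    "ingress": [
        {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]},
    ]
}
POD_MANIFEST = {
    "kind": "Pod",
    "spec": {
        "hostNetwork": True,
        "containers": [
            {"name": "app", "image": "node:18-alpine",
             "securityContext": {"privileged": True}},
        ],
    },
}
DOCKERFILE = "FROM someuser/node\nRUN npm install\n"


def finding(severity, rule, message):
    return {"severity": severity, "rule": rule, "message": message}


def check_security_group(sg):
    """Flag ingress rules reachable from the whole internet; admin ports are HIGH."""
    out = []
    for rule in sg.get("ingress", []):
        if "0.0.0.0/0" not in rule.get("cidr_blocks", []):
            continue
        lo, hi = rule["from_port"], rule["to_port"]
        if any(lo <= p <= hi for p in ADMIN_PORTS):
            out.append(finding("HIGH", "sg-admin-port-public",
                               f"ports {lo}-{hi} (admin) reachable from 0.0.0.0/0"))
        else:
            out.append(finding("INFO", "sg-port-public",
                               f"ports {lo}-{hi} reachable from 0.0.0.0/0"))
    return out


def image_pinned(image):
    """True if the reference carries a digest or a tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    _, sep, tag = image.rpartition(":")
    # 'registry:5000/repo' has a port, not a tag, so a '/' in the tail rules it out
    return bool(sep) and "/" not in tag and tag != "latest"


def is_official_hub_image(image):
    """Docker Hub official images have no namespace or registry prefix."""
    return "/" not in image.split("@")[0]


def check_pod(pod):
    """Flag host networking, privileged containers and unpinned images."""
    out = []
    spec = pod.get("spec", {})
    if spec.get("hostNetwork"):
        out.append(finding("MEDIUM", "pod-host-network", "hostNetwork is enabled"))
    for c in spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            out.append(finding("HIGH", "container-privileged",
                               f"container {c['name']} runs privileged"))
        if not image_pinned(c.get("image", "")):
            out.append(finding("MEDIUM", "image-unpinned",
                               f"container {c['name']} uses unpinned image {c.get('image')}"))
    return out


def check_dockerfile(text):
    """Flag FROM lines whose base image is unofficial or unpinned."""
    out = []
    for line in text.splitlines():
        m = re.match(r"^\s*FROM(?:\s+--\S+)*\s+(\S+)", line, re.IGNORECASE)
        if not m or m.group(1).lower() == "scratch":
            continue
        image = m.group(1)
        if not is_official_hub_image(image):
            out.append(finding("MEDIUM", "base-image-unofficial",
                               f"base image {image} is not a Docker Hub official image"))
        if not image_pinned(image):
            out.append(finding("MEDIUM", "base-image-unpinned",
                               f"base image {image} has no digest or specific tag"))
    return out


def scan_all():
    return (check_security_group(SECURITY_GROUP)
            + check_pod(POD_MANIFEST)
            + check_dockerfile(DOCKERFILE))


def should_fail_build(findings, fail_on="HIGH"):
    """Break the build when any finding meets the configured threshold."""
    return any(SEVERITY[f["severity"]] >= SEVERITY[fail_on] for f in findings)


if __name__ == "__main__":
    results = scan_all()
    for f in results:
        print(f"[{f['severity']}] {f['rule']}: {f['message']}")
    # Non-zero exit is what makes a CI job fail the build.
    raise SystemExit(1 if should_fail_build(results) else 0)
```

The threshold in `should_fail_build` is the knob the first abstract talks about: with `fail_on="HIGH"` the world-reachable port 443 only raises an informational finding, while SSH open to 0.0.0.0/0 and the privileged container stop the pipeline; lowering it to `"MEDIUM"` also blocks the unofficial, unpinned base image from the second abstract.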


Speaker Bio:

Kaplan is a long-time open-source community member who has been involved in projects like Debian, PHP, and LibreOffice. A former sysadmin, he enjoys working with IaC projects and helps today's DevOps teams avoid common mistakes.