
NETWAYS Blog

stackconf online 2021: Data Driven Security

This entry is part 10 of 5 in the series Stackconf online 2021

This year’s stackconf is over and was a big success. The three-day conference this summer was all about open source infrastructures where trendsetting concepts, state-of-the-art technical expertise, top-level discussions and new perspectives have shaped the event.

Besides our 30 amazing expert sessions we were also excited about the large number of participants from all over the world. Our audience included renowned infrastructure specialists, industry leaders, experienced administrators and IT architects as well as a wild bunch of open source community enthusiasts.

For all of you who couldn’t join the Open Source Infrastructure Conference I have something awesome today. Have you ever heard of “Data Driven Security”? In the following video Peter Elmer outlines why it is more effective than traditional research methodologies: it combines data, human experience and logic produced by machines to arrive at the verdict. Enjoy!

stackconf 2022 will take place in Berlin. We are already looking forward to meeting you all again in person next year. The exact date of the event will be announced soon.

If you want to learn more about infrastructure solutions in advance always keep in mind that there’s our archive where you can find all slides and videos of every stackconf speaker.

Stay tuned!

Katja Kotschenreuther
Online Marketing Manager

Katja has been a member of the NETWAYS marketing team since October 2020. After her studies in Passau she started her career in search engine optimisation and now wants to devote herself to other online marketing channels besides SEO. Apart from crafting and painting, she enjoys sports in her free time and plays piano and guitar.

stackconf online 2021 | Continuous Security – Integrating Security into your Pipelines

This entry is part 2 of 5 in the series Stackconf online 2021

stackconf online 2021 is over and was a full success. It was all about open source infrastructure solutions in the spectrum of continuous integration, container, hybrid and cloud technologies. We’re still excited about all of our expert sessions and the large number of participants who joined us from all over the world. Below you get an insight into one of our talks.

At stackconf online 2021 Matt Jarvis gave a talk about continuous security within pipelines. This is a great topic: security is not only extremely important, but more and more people are realising its importance.

Matt started off with an introduction to how DevOps has progressed. In the pre-cloud era the developer wrote the application and IT operations took over the security side of things. Nowadays developers write the code, then check, deploy and manage almost everything, which can be a lot! The line has become blurred and the responsibility for security no longer has a rightful place, which is where Snyk comes in.

Security is usually considered an external practice, and as it carries a higher responsibility, it needs to be made easier for developers to use. As we all know, security is hard to retrofit once an application is deployed, and having a secure system helps win over the trust of your customers. The problem only grows, as more and more code is written each year, which of course means a higher probability of errors and vulnerabilities.

Dependencies and Vulnerabilities

The problem with these vulnerabilities often lies not in the dependencies themselves, but in their own dependencies. Up to 70% of vulnerabilities are found in these indirect dependencies, and indirect dependencies can also be used to hide malicious code.

In the example shown in the talk, the malicious code is hidden in sub-dependencies of a package with over 440,000 downloads per month! If people only check the top layer, they miss a whole lot. Sometimes all it takes is rebuilding an image or pulling a newer one: up to 44% of Docker image vulnerabilities can be resolved with a newer base image.

Another problem lies in configuration. One of the most commonly seen issues is misconfiguration, which is usually unintentional; what some developers don’t realise is that not all applications need root access. By default containers run as root, and changing this before deployment restricts what a would-be attacker can do. Something else to consider is the writable file systems mounted into a container: an attacker who compromises the container then has write access to the mounted drive. If your containers are stateless, the attacker has a harder time doing damage.
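The two misconfigurations described above (running as root, writable filesystems) can be checked mechanically before a Pod is deployed. The following is an added example, not code from Matt’s talk or from Snyk: a small Python checker over a Pod manifest (passed as a dict, as `yaml.safe_load` would produce it), together with a constructed weak manifest and the same Pod with the settings applied. It also mirrors a detail the talk does not spell out: Kubernetes resolves `securityContext` per container, and a container-level value overrides the pod-level one, while `readOnlyRootFilesystem` exists only at container level. Image and ConfigMap names are placeholders.

```python
"""Flag containers that may run as root or have writable filesystems.

Added example, not from the talk or from Snyk. The manifest is a dict as
yaml.safe_load would return it. Container-level securityContext overrides
the pod-level one; readOnlyRootFilesystem is container-level only.
"""
from typing import Any, Dict, List


def _effective(pod_ctx: Dict[str, Any], ctr_ctx: Dict[str, Any], key: str) -> Any:
    """Container-level securityContext wins over the pod-level one."""
    return ctr_ctx[key] if key in ctr_ctx else pod_ctx.get(key)


def check_pod(manifest: Dict[str, Any]) -> List[str]:
    """Return the findings for one Pod; an empty list means nothing was flagged."""
    spec = manifest.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    findings: List[str] = []
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        name = ctr.get("name", "<unnamed>")
        ctr_ctx = ctr.get("securityContext", {})

        # Root is the default: flag unless runAsNonRoot is true or a non-zero
        # runAsUser is set at pod or container level.
        run_as_non_root = _effective(pod_ctx, ctr_ctx, "runAsNonRoot")
        run_as_user = _effective(pod_ctx, ctr_ctx, "runAsUser")
        if run_as_non_root is not True and run_as_user in (None, 0):
            findings.append(f"{name}: may run as root (set runAsNonRoot: true)")

        # The container root filesystem is writable unless explicitly read-only.
        if ctr_ctx.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable (set readOnlyRootFilesystem: true)")

        # Volume mounts default to read-write as well.
        for mount in ctr.get("volumeMounts", []):
            if not mount.get("readOnly", False):
                findings.append(f"{name}: mount {mount.get('mountPath')} is writable")
    return findings


# Constructed manifests: the defaults the talk warns about, and the same Pod hardened.
WEAK_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "containers": [{
            "name": "app",
            "image": "example.invalid/app:1.0",  # placeholder image name
            "volumeMounts": [{"name": "config", "mountPath": "/etc/app"}],
        }],
        "volumes": [{"name": "config", "configMap": {"name": "app-config"}}],
    },
}

HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        # Pod-level default for every container; a container could still override it.
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "app",
            "image": "example.invalid/app:1.0",  # placeholder image name
            "securityContext": {"readOnlyRootFilesystem": True},
            "volumeMounts": [{"name": "config", "mountPath": "/etc/app", "readOnly": True}],
        }],
        "volumes": [{"name": "config", "configMap": {"name": "app-config"}}],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, check_pod(pod) or ["no findings"])
```

Run against the weak manifest the checker reports three findings (root, writable root filesystem, writable mount); the hardened manifest produces none. A stateless application that only needs to read its configuration can mount it read-only, which is the point the talk makes about stateless containers.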

Integrate into a Developer’s Workflow

Matt went on to talk about how these security flaws can be shifted to the developer’s level. Security needs to be integrated into a developer’s workflow to eliminate these problems at the source. Repositories also need to be taken into consideration: two-factor authentication, strong key management practices and strong review processes are a great way to reduce the risk of weaknesses being exploited.

With the help of Snyk a developer is able to identify many of these flaws through monitoring scans and checks. These scans and checks can be automated in pipelines and relieve a lot of the responsibility. Matt showed this in his demo: the vulnerabilities found by the checks could be fixed with the Snyk wizard, amazing! This means errors are found and corrected before they are even deployed, which is what was meant by moving the responsibility back and fixing the problem at the source. Integrated into the IDE, Snyk flags issues right away and eliminates the need to worry about containers that are already deployed. Snyk is even smart enough to check packages and repos before they are pulled.

This is exactly the right approach to fixing the problem, and by making the whole process easier there really is no reason not to start using Snyk in your setups. Matt has identified the problem and shifted the responsibility to the developer while making it easy to implement. These tools give developers the help they need to secure their containers at the source and to avoid future problems that can be easily prevented with a few checks and corrections. Snyk helps developers at every step of the way and takes care of the security aspect, allowing them to release code faster and more securely.

Full talk and more from and about stackconf

Watch the whole talk by Matt Jarvis:

stackconf 2022 will take place in Berlin. The final date will be announced soon. If you want to learn more about infrastructure solutions in advance you have the possibility to take a look at our archive where you can find all slides and videos from this year’s stackconf.

Stay tuned!

Andrew Constant
Junior Systems Engineer

Andrew joined the NETWAYS family in 2020. He is currently doing his apprenticeship as an IT specialist for system integration (Fachinformatiker für Systemintegration) in the NETWAYS Web Services department. The former foreign-language correspondent, an Englishman from Northamptonshire, stands out with his humour and complements the team very well. He likes to spend his free time on photography, and still acts as a tandem partner for learning new languages.

stackconf online 2021 | Policy-as-code in Kubernetes with Gatekeeper

This entry is part 3 of 5 in the series Stackconf online 2021

stackconf online 2021 is over and was a full success. It was all about open source infrastructure solutions in the spectrum of continuous integration, container, hybrid and cloud technologies. We’re still excited about all of our expert sessions and the large number of participants who joined us from all over the world. Below you get an insight into one of our talks.

At stackconf online 2021 Ara Pulido from Datadog talked about “Embracing change: Policy-as-code for Kubernetes with OPA and Gatekeeper”.

What is Kubernetes

Kubernetes is a container orchestration platform that helps you run your containerized applications in production. It provides Role-based Access Control (RBAC), which allows operators to define in a very granular manner which identity is allowed to create or manage which resource. But RBAC does not allow us to control the specification of those resources. This is where Open Policy Agent (OPA) Gatekeeper comes in.

What is Open Policy Agent (OPA)

A policy is a rule that governs the behavior of a software service.

The Open Policy Agent (OPA) is an open source project: a policy engine for Cloud Native environments that can be co-located with your service. It can be integrated as a sidecar, host-level daemon, or library. On the OPA website we can find a list of OPA integrations, use cases and related projects.

What is Open Policy Agent Gatekeeper

The Open Policy Agent (OPA) Gatekeeper is an admission controller that validates requests to create and update Pods on Kubernetes clusters, using JSON over HTTPS.

Example

In this example, we want to make sure that all labels required by the policy are present in the Kubernetes resource manifest.

To do this, we build our Rego query with the help of Gatekeeper. It consists of a package containing a violation definition. The violation defines the input data, the condition to be matched, and a message which is returned in case of a violation.

This is done by wrapping our query into a ConstraintTemplate resource:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
        listKind: K8sRequiredLabelsList
        plural: k8srequiredlabels
        singular: k8srequiredlabels
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          properties:
            labels:
              type: array
              # each entry is a label name; `items` has to be a schema object, not a bare type
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          # label keys present on the admitted object
          provided := {label | input.review.object.metadata.labels[label]}
          # label keys the constraint demands
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("you must provide labels: %v", [missing])
        }

We have not yet defined which labels we require our Kubernetes resources to have, nor which Kubernetes resources this policy should apply to. To do this, we create another manifest, a Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: ns-must-have-gk
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    labels: ["gatekeeper"]

Gatekeeper thus makes it simple to reuse a policy; the same mechanism covers constraints such as requiring that the host be unique among all Ingresses.

The Gatekeeper library of ready-made templates and constraints can be found at https://github.com/open-policy-agent/gatekeeper-library.
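To see what the template and the constraint above actually do when an admission request arrives, here is an added example that is not Gatekeeper’s or OPA’s code: the Rego violation rule re-implemented in Python, plus the constraint’s `match.kinds` filter, applied to three constructed AdmissionReview objects (a labelled Namespace, an unlabelled Namespace and a Pod). Field names follow the two manifests above; `admit` is a helper name chosen for this example and the sample resources are constructed.

```python
"""Model of how K8sRequiredLabels is evaluated, stepped through without a cluster.

Added example, not from Gatekeeper or OPA. It re-implements the Rego violation
rule from the ConstraintTemplate and the kinds filter from the Constraint.
"""
from typing import Any, Dict, List, Optional

# The Constraint from the talk, reduced to the fields the evaluation needs.
CONSTRAINT: Dict[str, Any] = {
    "kind": "K8sRequiredLabels",
    "metadata": {"name": "ns-must-have-gk"},
    "spec": {
        "match": {"kinds": [{"apiGroups": [""], "kinds": ["Namespace"]}]},
        "parameters": {"labels": ["gatekeeper"]},
    },
}


def matches(constraint: Dict[str, Any], review: Dict[str, Any]) -> bool:
    """The constraint applies only to the (apiGroup, kind) pairs listed in match.kinds.

    The core API group is the empty string ("v1" has no group prefix); "*" matches anything.
    """
    obj = review["object"]
    kind = obj["kind"]
    group = obj.get("apiVersion", "v1").rpartition("/")[0]  # "" for core, "apps" for apps/v1
    for entry in constraint["spec"]["match"]["kinds"]:
        group_ok = "*" in entry["apiGroups"] or group in entry["apiGroups"]
        kind_ok = "*" in entry["kinds"] or kind in entry["kinds"]
        if group_ok and kind_ok:
            return True
    return False


def violation(review: Dict[str, Any], parameters: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Python equivalent of the Rego rule:

    provided := {label | input.review.object.metadata.labels[label]}
    required := {label | label := input.parameters.labels[_]}
    missing  := required - provided
    count(missing) > 0
    """
    # If metadata.labels is absent the Rego comprehension is simply empty.
    labels = review["object"].get("metadata", {}).get("labels") or {}
    provided = set(labels)                    # label keys only; values play no role
    required = set(parameters["labels"])
    missing = required - provided
    if not missing:
        return None                           # rule body fails -> no violation
    # sprintf("%v") prints a Rego set; a sorted list is used here for stable output.
    return {
        "msg": f"you must provide labels: {sorted(missing)}",
        "details": {"missing_labels": sorted(missing)},
    }


def admit(constraint: Dict[str, Any], review: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Violations Gatekeeper would report for one admission request (helper name chosen here)."""
    if not matches(constraint, review):
        return []
    v = violation(review, constraint["spec"]["parameters"])
    return [v] if v else []


# Constructed admission requests (only the fields the rule reads).
NS_OK = {"object": {"apiVersion": "v1", "kind": "Namespace",
                    "metadata": {"name": "team-a", "labels": {"gatekeeper": "enabled"}}}}
NS_MISSING = {"object": {"apiVersion": "v1", "kind": "Namespace",
                         "metadata": {"name": "team-b"}}}
POD = {"object": {"apiVersion": "v1", "kind": "Pod",
                  "metadata": {"name": "web", "namespace": "team-b"}}}

if __name__ == "__main__":
    for name, review in (("NS_OK", NS_OK), ("NS_MISSING", NS_MISSING), ("POD", POD)):
        print(name, admit(CONSTRAINT, review))
```

The unlabelled Namespace is the only request that produces a violation; the Pod has no labels either, but the Constraint’s `match.kinds` only lists Namespaces, so the template is never evaluated for it. Note also that the rule checks label keys, not values: `gatekeeper: anything` satisfies it.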

I liked that the topic was explained explicitly, even with live examples, and found the speaker awesome. In the comments you could tell people were happy to be at the conference.

Full talk and more from and about stackconf

Watch the whole talk by Ara Pulido:

stackconf 2022 will take place in Berlin. The final date will be announced soon. If you want to learn more about infrastructure solutions in advance you have the possibility to take a look at our archive where you can find all slides and videos from this year’s stackconf.

Stay tuned!

Claude Weladji
Junior Systems Engineer

Claude has been with NETWAYS since April 2021. She is doing an internship in the NETWAYS Web Services department as part of her retraining as an IT specialist for system integration. Before that she studied software engineering in Heilbronn. In her free time Claude likes to travel and cook, go for walks, listen to music and do sports.

stackconf online 2021 | Stretching the Service Mesh Beyond the Clouds

This entry is part 4 of 5 in the series Stackconf online 2021

stackconf online 2021 is over and was a full success. It was all about open source infrastructure solutions in the spectrum of continuous integration, container, hybrid and cloud technologies. We’re still excited about all of our expert sessions and the large number of participants who joined us from all over the world. Below you get an insight into one of our talks.

At stackconf online 2021 Rosemary Wang was with us, and she had a great topic: how to extend a service mesh beyond the clouds. At the beginning she told us about her work at an organization where different environments were in use. Applications were running in AWS, in data centres, on Kubernetes, on virtual machines, or in Azure. What was missing was a way to control everything from one point.

So what is needed is an infrastructure layer and automation that controls that infrastructure layer. The combination of the two is a service mesh. She showed us a solution with a Consul cluster used both in the datacenter and in the cloud.

This means that everything that is service to service goes through the proxies first. For example, in the data centre, the UI goes through the proxies to communicate with the application. Consul takes care of the configuration of the proxies and controls the rules and placement of where traffic is allowed to go within the environment.

The UI can also use the proxies to reach the application in the cloud, which allows cross-cloud access. But aren’t there more problems with a service mesh? The answer is yes, there are certain issues you need to address, but you have to weigh them against going without one: if you do not use a service mesh you end up with little automation and multiple checkpoints across the environments.

Several Types of Topologies

To get back on topic: we won’t try to get the service mesh across all environments at once; instead Rosemary showed us the several types of topologies you can choose from.

First, the service mesh is deployed in the cloud and then a network automation piece is added to synchronize. The benefits on the service mesh side are controlled retries and error handling towards the non-service-mesh side, and progressive delivery techniques such as canary releases, A/B testing and feature flagging. On the non-service-mesh side, the benefits are automated control and no change to existing applications.

Let’s move on. After deploying the service mesh in the cloud, you deploy an ingress gateway that helps control traffic from the ingress to the cluster. The information it receives is transmitted to a Consul Terraform Sync, which configures the application load balancer.

How Consul Terraform Sync Works

Here Rosemary explained the advantages and disadvantages as well as how Consul Terraform Sync works. Afterwards there was a demo of how everything works together.

On the whole, I can say that Rosemary’s talk was very successful. I was able to learn a lot about the topic myself, even though I didn’t know a lot about it before. I hope the talk can convince you as much as it convinced me.

I could go on explaining in detail what Rosemary mentioned in her talk, but I would like to leave you with this: if you want to learn more about the talk, you can watch it in full length. I really recommend it.

Full talk and more from and about stackconf

Watch the whole talk by Rosemary Wang:

stackconf 2022 will take place in Berlin. The final date will be announced soon. If you want to learn more about infrastructure solutions in advance you have the possibility to take a look at our archive where you can find all slides and videos from this year’s stackconf.

Stay tuned!

Joshua Hartmann
Junior Systems Engineer

Joshua started his apprenticeship as an IT specialist for system integration in the NETWAYS Web Services department in summer 2020. Together with his colleagues he currently looks after customer support and the further development of the SaaS apps. Joshua is musical and likes to play the piano, but some time ago also discovered his love for winter sports. Joshua also has a career as a professional player in the amateur league of a PC game behind him, but today prefers to spend his time...

stackconf online 2021 | Spot the Anti-Pattern

This entry is part 5 of 5 in the series Stackconf online 2021

stackconf online 2021 is over and was a full success. It was all about open source infrastructure solutions in the spectrum of continuous integration, container, hybrid and cloud technologies. We’re still excited about all of our expert sessions and the large number of participants who joined us from all over the world. Below you get an insight into one of our talks.

Arushi Jain, a senior software engineer at Reddit, talked about anti-patterns in her talk at stackconf 2021.

The talk “Spot the Anti-Pattern” dives deep into the study of anti-patterns: how they help to create a common language and focus the stakeholders on it, and how analysing the past shows how to interrupt the patterns in the future and avoid the same mistakes. That anti-patterns exist and how to find one has to be properly communicated, since an anti-pattern is a commonly implemented practice with negative effects of varying degrees of severity. A common example of an anti-pattern is the fart system at work. Every system needs an upgrade after some time, and there is a variety of frameworks to address the concerns and the need to show continuous upgrades. To develop a solution for any kind of anti-pattern, the one common step is to analyse the record of a particular volume to find the pattern and then work towards alternatives and design a better way.

Anti-patterns can be identified in almost everything; architectural and some micro-organisational examples that occur in everyday life were discussed. The follow-up work is to keep all stakeholders informed and then have meaningful conversations to identify the counter-plan by collecting the data and identifying the root cause. It also takes a team effort to identify the counter-pattern and then work on the solution, because nothing will happen in one go. Some patterns are complex and require multi-layered iteration to address.

About Patterns and Anti-Patterns

Following are some questions and answers that summarise the subject:

What is a pattern? 

A pattern is a general repeatable solution to a commonly occurring problem.

What is an anti-pattern? 

An anti-pattern is a common response to a recurring problem that is usually ineffective and risks being highly counterproductive.

Note the reference to “a common response”. Anti-patterns are not occasional mistakes, they are common ones, and are nearly always followed with good intentions.

Why do anti-patterns exist?

Anti-patterns exist because humans are flawed thinkers. Cognitive bias is a systematic error in thinking that occurs when people process and interpret information from their environment and then use that information to influence the decisions and judgements they make.

How can you identify an anti-pattern?

Identify human conflict.

Incomprehensible systems are a sign.

Look for teams who are constantly behind.

More from and about stackconf

stackconf 2022 will take place in Berlin. The final date will be announced soon. If you want to learn more about infrastructure solutions in advance you have the possibility to take a look at our archive where you can find all slides and videos from this year’s stackconf.

Stay tuned!

Sukhwinder Dhillon
Developer

Sukhwinder successfully completed his apprenticeship as an IT specialist for application development at NETWAYS in 2021. In his free time he likes to cycle, meet friends, go jogging, or sit in front of the computer and learn something new.