Michael Lihs michaellihs

Container Security

Overview of Container Security Threats

Image Development
- Installing SW without proper configuration, e.g. default passwords...
- Exposed credentials in Dockerfiles
Malware in 3rd party resources used to build the image

STRIDE

STRIDE is a method to categorize security threats:

Spoofing identity. Can someone spoof an identity and then abuse its authority? Spoofing identity allows attackers to do things they are not supposed to do.
Tampering with data. How hard is it for an attacker to modify the data they submit to your system? Can they break a trust boundary and modify the code which runs as part of your system?
Repudiation (Nichtanerkennung). How hard is it for users to deny performing an action? What evidence does the system collect to help you to prove otherwise? Non-repudiation refers to the ability of a system to ensure people are accountable for their actions.

Feedback Cheatsheet

Initiating 1:1s

Questions you can ask regarding giving feedback:

Are there any topics about which you want to receive feedback from me?
Is there something I can watch out for (and give you feedback upon later on)?

Audax Suisse Tipps & Tricks

Bike

Maschine

Übersetzung / Ritzel
32er mit Kompaktkurbel - sicher ist sicher

Linux Cheat Sheet

Mounting additional Disks in Vagrant

fdisk /dev/sdc                   # create new partition with <n>, ... all defaults
ls -la /dev/sd*                  # check for new device name
sudo mkfs.ext4 /dev/sdc1         # format new partition with ext4
sudo mount /dev/sdc1 /mount/sdc  # mount partition

What do I want to do

I want to run Inspec within a Linux container (as provided by learnchef/inspec_workstation)
my testing target is a ARM board running a Yocto Linux with .deb packages
the connection to the target is made via SSH

My control

# encoding: utf-8

Patterns and Anti-Patterns for CI/CD

The Developer Experience

The developer journey
- visualize devs' emotions during their workflow
make sure to provide a good experience for your devs as well (not only for customers and users)

Working Models

Meetup: Automated Security Testing in Continuous Integration

This is a short summary of our DevOps Stuttgart Meetup from March 5th about automated security testing in Continuous Integration. For the meetup we had Christian Kühn and Arnold Franke from Synyx with us as speakers.

Chris started the presentation with a question who is currently running security tests in their pipelines and I was surprised by the majority of hands being raised. Also it seems like nowadays more then half of the audience is running production workloads in containers.

For motivating the topic of security testing, we've been introduced to a recent security incident at Euquifax, where a huge amount of private data (i.e. social security numbers and credit card data) leaked, due to a

Meetup: Work Remotely

META: Ideas for moderation

collect topics upfront, cluster them and give people slots to present them during the meetup
try to get people from remote companies involved (e.g. GitLab), to share their experience
have a Mattermost chat in parallel where you cancollect topics before bringing them into the stream

	package main

	import (
	"bufio"
	"bytes"
	"encoding/json"
	"flag"
	"fmt"
	"github.com/danicat/simpleansi"
	"log"