#DevSecOps #Automation for Cloud Native Security [Webinar]

This webinar will focus on how cybersecurity and engineering leaders can work together to encourage developers to integrate security tools and best practices into the CI/CD pipeline. Frank Kim, author of the “Cloud Security and DevSecOps Automation” SANS course, and Kiran Kamity, CEO and Founder of Deepfactor, will discuss the following topics:

Best practices for getting started with #Devsecops
Choosing the right security controls for application development in cloud-native and Kubernetes environments
Automating security controls in the CI/CD pipeline
The role of compliance in DevSecOps
Educating developers about security using contextual feedback

0:00 Introduction
11:07 Container Security Life Cycle
• Developers and DevOps teams are responsible for making early decisions on containerized configuration
• Security and compliance must shift left to ensure consistent policies are implemented along each step of the lifecycle
• Leadership ensures that the process is followed to meet business objectives

17:11 Hadolint: Dockerfile Static Analysis
Hadolint parses Dockerfiles into Abstract Syntax Trees (AST) and runs rules against them:
• Supports an approved list of trusted registries
• Suppresses false positives via inline comments or a configuration file
• Export formats include checkstyle, sarif, and json
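As an added illustration of the approach on this slide (not code from the webinar or from hadolint itself), the simplified Python linter below parses each FROM instruction into an image reference, checks it against a trusted-registry allowlist and for unpinned or "latest" tags, and honours a hadolint-style `# hadolint ignore=...` comment on the preceding line. The registry allowlist, image names and digest are constructed; the rule ids DL3006, DL3007 and DL3026 are hadolint's.

```python
import re

# Constructed allowlist of trusted registries / namespaces (hadolint reads these from config).
TRUSTED = ("registry.example.internal", "gcr.io/distroless")
IGNORE_RE = re.compile(r"^\s*#\s*hadolint\s+ignore=([\w,\s]+)", re.I)
FROM_RE = re.compile(r"^\s*FROM\s+(\S+)(?:\s+AS\s+\S+)?\s*$", re.I)

def parse_image(ref):
    """Split an image reference into (registry, repository, tag, digest)."""
    ref, _, digest = ref.partition("@")
    first, _, rest = ref.partition("/")
    # Docker treats the first path component as a registry only if it looks like a host.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, rest
    else:
        registry, repo = "docker.io", ref
    repo, _, tag = repo.rpartition(":") if ":" in repo.rsplit("/", 1)[-1] else (repo, "", "")
    return registry, repo, tag or None, digest or None

def lint_dockerfile(text, trusted=TRUSTED):
    """FROM-line findings as (line_no, rule_id, message); build-stage references are not tracked."""
    findings, suppressed = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        pragma = IGNORE_RE.match(line)
        if pragma:  # suppression applies only to the next instruction
            suppressed = {r.strip().upper() for r in pragma.group(1).split(",")}
            continue
        m = FROM_RE.match(line)
        if m and m.group(1) != "scratch":
            registry, repo, tag, digest = parse_image(m.group(1))
            hits = []
            if not any(f"{registry}/{repo}/".startswith(t.rstrip("/") + "/") for t in trusted):
                hits.append(("DL3026", f"image pulled from untrusted registry {registry}"))
            if tag is None and digest is None:
                hits.append(("DL3006", "image is not pinned to a tag or digest"))
            elif tag == "latest":
                hits.append(("DL3007", "'latest' tag is not reproducible"))
            findings += [(no, r, msg) for r, msg in hits if r not in suppressed]
        if line.strip():
            suppressed = set()  # any non-pragma instruction consumes the pragma
    return findings

# Constructed sample Dockerfile; the digest is a placeholder, not a real image digest.
SAMPLE = """\
FROM python
# hadolint ignore=DL3026
FROM docker.io/library/python:3.12-slim AS builder
FROM registry.example.internal/app/base:latest
FROM gcr.io/distroless/python3-debian12@sha256:PLACEHOLDER_DIGEST
"""
```

Calling `lint_dockerfile(SAMPLE)` reports DL3026 and DL3006 for line 1 and DL3007 for line 4; the DL3026 hit on line 3 is suppressed by the pragma and the digest-pinned distroless image on line 5 is clean.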

18:49 Container Image Supply Chain Hardening
MITRE ATT&CK Containers T1525: Implant Internal Image
• Images from public registries (e.g., Docker Hub) may contain vulnerabilities or malware: an easy and common attack vector
• Mitigations:
  • Building an inventory of approved base images
  • Downloading base images from trusted suppliers
  • Scanning base images for vulnerabilities

22:00 Project Sigstore: Software Supply Chain Security
Sigstore is an Open Source Security Foundation (OSSF) project dedicated to securing the supply chain:
• cosign: container signing, verification, and storage of signatures in an OCI-compliant container registry
• fulcio: free root Certificate Authority (CA) for code signing certificates; issues short-lived (20 min) certificates based on an OIDC email address
• rekor: provides an immutable ledger of signature transparency logs

24:21 Kubernetes feature that allows custom hooks to execute before a new container starts:
• Require all container images to have a valid cosign signature
• Deny privileged or misconfigured tasks and services from starting
• Verify that custom security policies pass (OPA)

25:13 Container Security Life Cycle Summary
• Container security consists of multiple steps and best practices
• Ensuring that security is integrated into the container security lifecycle can be challenging
• Requires involvement from DevOps, QA, security, and leadership teams

#appsec #devsecops #developer #applicationsecurity #secure #cloudnative #kubernetes #cloudcomputing #devsecops #developer #softwareengineer #softwaredeveloper #security