Good morning. Good afternoon. Good evening. Wherever you're hailing from, welcome to another Level Up Hour. I am Chris Short: host, showrunner, producer, whatever you want to call me, I will probably answer to it. I am joined by the one and only, the illustrious Langdon White, and a special guest today, who we will let introduce herself here in a moment. Langdon, you want to kick off what we're talking about and everything today?

Yeah, so, as always, I'm Langdon White, and this is the Level Up Hour, where, generally speaking, we talk about containers and why they're interesting, and why they can be interesting to you as, like, a system administrator or a developer, just kind of in the near of, like, everyday workflow, not to mention kind of all the hype that is right around, like, using them in production, that kind of thing. But I think a lot of people who have been adopting containers use them all the time, and so we talk about all those different kinds of usages. But then we kind of talk about other things as well, and today is one of the more "other things" discussions, where we'll be talking a bit about security. But I will share my awesome, awesome slides, that everyone I know loves, not only because there's a slide, but also they're the best slides. So, the Level Up Hour: as always, you can find us on Twitter at Langdon, with the one, and Chris Short, with an 'o'. I just... I need to figure out some edit on it every time I say it, just for the entertainment. When would Short not have an 'o'? I don't know. Sometimes. So you can also talk to us on our Discord; the link is there, and I'm sure that Chris will put it in the chat as well. And so today we're going to be talking about some new-ish buzzwords. DevSecOps has actually been around for a while now.
I think. And then shift left is maybe... actually, I would say it's more recent than DevSecOps, but whatever, we'll get into that. We can fight about it. Exactly. As you notice, it says Part One, and the reason it says Part One is not because we're going to do a Part Two on this show, but we're going to do a Part Two on another show called In the Clouds, which I want to say is in a couple or three weeks. I had meant to look up the date and then I forgot, so I think it's... Yeah, the 29th, right there. It is, okay, the 29th. So just watch the channel all the time between now and then and you won't miss it. That's advice, right? Exactly. So, and Kirsten will be back on that show to talk about the same subject, maybe from a slightly different perspective. And then, as always, show notes from last time are on the GitHub repo. That was episode 40, where we talked about serverless and why you want some serverless servers, but we won't get into the jokes we can make there. And that, for now, is the end of our slides.

All right. So, Kirsten, we like everyone, especially who works at Red Hat, when they come on the show, to introduce themselves, primarily because, as we were talking a little bit before the show, we do enough reorgs and stuff like that that we're never quite sure what your title is. We know you're awesome. So we like you to, you know, kind of give us a little introduction of who you are and what you do.

Sure. So, Kirsten Newcomer, director of cloud security strategy for the cloud platforms team. As Langdon said, we did have a recent reorg, so I'm still learning the names of the business unit; that doesn't really matter. I still do what I've been doing pretty much since I joined Red Hat about five years ago, which is to focus on security for containers and Kubernetes, kind of throughout the stack.
I work with a whole bunch of other security experts throughout Red Hat, interact with the OpenShift PM team, with the engineering team, spend a lot of time with our customers talking about security and how to help them meet their security goals with OpenShift. So...

Cool. All right. So, you know, I have a relatively long-running joke: you know, I come from a development background, so, security... But, you know, I also... I really still need to get one of those t-shirts that says, you know, "An angel loses its wings every time you setenforce 0." But I'm much, much better now. I use SELinux on a regular basis. You know, sometimes I run into problems or whatever and I'll turn it off, but then I will actually figure out why I had to turn it off, fix that thing, and then sort of turn it back on again. So let's kind of talk about it from a little bit of the perspective of containers versus other kinds of, you know, deployment styles. What would you say is the biggest difference between security in this kind of cloud-native world versus security on, you know, a traditional virtual machine?

Yep. Really, one of the things I'm fond of saying is that containers and Kubernetes really require DevSecOps. And let me explain two things: you know, what is DevSecOps, and why do I say that? So, first of all, DevSecOps. People are probably familiar with the term DevOps, right?
Kind of a tighter integration of development and operations, in order to make it easy for developers to build and deploy their solutions in an automated fashion, in an agile fashion, quickly; kind of get their code out to their end user easily and quickly, without kind of going through a whole bunch of manual gates with operations, right? CI and CD, right, continuous integration, continuous deployment: key parts of DevOps. When the DevOps kind of framework was initially touted and kind of promoted, it was always intended to include security gates, and kind of the concept being that you need to think about security throughout that CI/CD process. Security should not be an afterthought. It's not the responsibility of the security team just for operations. It really should be integrated throughout that DevOps lifecycle. But people forgot, and some of the reason people forgot really is that, you know, historically, teams have been siloed. There's been the development team, the operations team, the security team. You know, DevOps: people heard that, they said, "Oh, well, we'll connect the development and the operations team." They didn't always remember to think about integrating security. For folks who haven't seen it, DevOps shows up as this infinity loop, right?
There are different stages in it, but it's really intended to be a closed loop, because you're not just done once you've deployed. You may find issues during a production environment that then need to be fed back to the development team so that those issues can be addressed, and you restart that cycle again. So the reason that I see DevSecOps as so crucial for containers is that containers are designed to carry all of the system dependencies, the runtime dependencies, with the application code. And especially in a Kubernetes environment, you're always deploying from a container image. That image is immutable unless it's rebuilt, right? So when a problem shows up in production, and again, let's say we're using Kubernetes, we said, "I want three instances of my web front end to be running." As soon as one of those instances goes down, Kubernetes is going to notice, and it's going to redeploy another one from the container image. If a new CVE is discovered in the code in that image, and you step into a running container and fix it there, you lose your fix as soon as the redeployment happens, right? So, best practice: never patch a running container; always rebuild and redeploy. And in this... yeah. Sorry. So that really just means you need that infinity loop. You need DevSecOps.

Well, and the infinity loop needs to include security in it.

Yes, not just, like, a break in the loop somewhere.

Yeah, it's not like a touch point where physical humans come in and tell you, "Hey, here's a stack of papers that you need to fix," right?

Right. So, just kind of by way of background, at least for me: I don't know how pervasive the term CVE has gotten. I think it's gotten pretty pervasive, but basically a CVE, Common Vulnerability Enumeration... Enumerations, yeah. So basically it's a label for all the big, bad, ugly bugs that we discover on the internet, right?
Or anywhere, kind of, in software. And so it's gotten shortened to CVE, but if you think about it in terms of: this is a known bug to the industry, and, you know, hopefully there's also a patch that's available for that CVE, but not always, right? So, just like I said, by way of context. To your point, though, even whenever a CVE comes out, or whenever an issue comes out, when the patch becomes available, that does not mean that you should go and slap that into your production environment, if you're thinking about containers, right? You should be, as I like to say, one of the hallmarks of, like, an SRE or a DevOps environment is you fix the recipe, not the cake, right? So when you make a really bad cake, you can sometimes fix it with frosting, but, you know, as long as it's not the flavor but the look of it, I kind of mean. But you're better off if next time you actually remember to grease the pan, right? You fix the recipe so that you can make the next cake a little bit better without having to cover it up with frosting. So in kind of the same way, you want to introduce those patches into your container environment, and preferably with a fair amount of testing. That's where we get into that continuous integration side of it, so that you know that you don't have a developer who took advantage of a bug and did some sort of workaround, or had some sort of cheat code that allowed them to solve some problem, and it doesn't introduce a new security problem. So there's all these things to think about, but the point being is that you want to bring those patches, those fixes, those problems into the base of your deployment environment so that you can roll that out. So basically, I think what you're saying when you say DevSecOps, right, is that it's a first-class citizen, right? In that you want it in the catchphrase, right? So that it's considered just a part of doing business.
It's not, you know, something that is added on to the side. You know, I would very much, in a lot of ways, like to see it be, you know, DevSecQEOps.

You're going to make me pull out a tweet that was really funny last week.

Yeah. So this other term, which I certainly haven't heard as much... maybe it's older and it just hasn't crossed my path as much. But so what's this idea, shift left?

Yeah, so shift left is absolutely tied to DevSecOps. It's all about ensuring that you think about security as early in the lifecycle as possible, right? So that infinity loop is typically made up of stages that include, you know, design, develop, you know, CI, which should include test, CD, operations, etc. There's a whole set of stages. So oftentimes, kind of with traditional architectures, what would happen is the developers would work, work, work on their code, they'd get it ready to release, it'd be ready for deployment, and the security team would run an analysis on it, and then they'd feed back this huge list of unprioritized information to the development team. And the dev team might have been working for three months, and suddenly, right, they're stopped in their tracks.
They can't get their code deployed until they address these vulnerabilities. So, shifting left in that lifecycle: the left-hand side of that infinity loop typically is that development side, and the right-hand side of the infinity loop tends to be the operations side. And so shifting left means we're going to move our security analysis as early into that lifecycle as possible, and we're going to use automated tools that can provide information to the developers in a way that they can consume easily and respond to easily, without having to have that separate step just before you deploy, of a silo, another team, kind of doing this analysis and then throwing the information over the wall. So I want my security tools integrated into my CI process. But maybe not just my CI process. In fact, Red Hat offers IDE plugins that do security and dependency analysis right in the IDE, so the developer gets data about whether there are known vulnerabilities in their source code right at the beginning, right? You want to do this as early as possible and empower the development team to take action with good information.

Well, and one of the things that I think is important, and that you kind of alluded to, that I want to kind of really call out: when I was doing waterfall development 20 years ago, particularly on Windows... Windows has always had a long habit of pushing updates automatically, and the problem as a developer is that it came in in an uncontrolled way, right? So I would just turn off updates until I was ready for, you know, quote-unquote "patch day," right? So, you know, if I was in the middle of a critical development cycle, I would try to bottle all that up into one step towards the end, where I could deal with all those changes, good and bad, right?
So, like, as in, I could then contain the work into that sort of scenario. But it means that I may have a large volume of it, especially now, when we're getting so many attacks, right? We have so much code in place. You know, I have my kind of running joke: my stupid HTML website's running on, like, at least a million lines of code, right? I didn't write any of it. But, you know, if there's a ton of code in there, there's tons of places for bugs. And so it's really important that, even if we don't have a CI system or things like that, we need to be doing continuous integration all the time as developers, right? We need to know, hey, there's these vulnerabilities out there; we need to be incorporating those changes all the way along as we go. And actually, that might be because of testing, it might be because of security, it might be because of requirements change. There's lots of different reasons, but you continuously need to be reevaluating and looking at your code, just as a human, right? Like, not even in some sort of magical deployment environment.

No, absolutely. And honestly, you know, as developers, you want that code to get out there so that your users have access, right? And so anything you can do to prevent roadblocks down the road is to your benefit, right? And it might mean you need to learn a couple of things. I mean, one of the things... so, part of my history is I've worked on developer tools for many years prior to joining Red Hat, and prior to joining Black Duck before that it was with Rational Software. And I watched the open-source community take over the developer tools market, which has actually been a real win, right?
So, things like CVS, an open-source source code control system; now everybody's using Git, right? But there's just been a plethora of open-source tools available to the developers. So if you're working in an environment where somebody isn't yet... you know, you don't have easy access to a pipeline or something, go find one. Go play around with Tekton for containers. Use Clair for vulnerability scanning in your environment. Um, you know, find some of these open-source tools and incorporate them into what you're doing, so that you've saved yourself the hassle of hearing down the road that something's not ready. Or, if it's your own code and you're managing your own deployment, right, you don't want to deal with having to scramble at the last minute to address... Now, there's no way to predict all the vulnerabilities that we're going to be dealing with, right? New vulnerabilities are discovered in existing code all the time. That's the other reason that automation is so important, because you're going to need to respond to something at some point.

Right, right. And the thing... this is one of those, you know, "perfect is the enemy of the good" things, where you as an individual can make some of those pipelines for your own stuff without relying on, you know, your infrastructure team, or your boss, or whatever, where you can just incorporate some of these tools, as you're pointing out, right? Like, they're all open source, you know, which means two things: one, they're continuously getting better, but they're also free. And so you can, aside from having to spend the time and the energy to set it up... While I would prefer my infrastructure team provide me this stuff kind of in a way that I can consume it as a developer, or even as an administrator, I want to... you know, I can still do it myself, right? I can still incorporate my own components.
Um, I just wanted to pause there briefly because, Chris, were there questions?

There are some questions. We have somebody that is very new to DevSecOps and is interested in what kinds of tools people are using. I mean, we've mentioned Clair already; I dropped the link to that in chat. But, Kirsten, I don't want you to focus necessarily specifically on tools, but classes of tools. What would you recommend, you know, everybody needs in their DevSecOps pipeline?

Yep, great question. So there are a couple of things. Most people are familiar with vulnerability analysis. Oftentimes, you know, it used to be that a lot of that analysis was focused on packages like JAR files, etc., or binaries. Now, of course, there are plenty of scanners out there that will scan container images. When you're building a container, you always need a base image with your OS dependencies, so you still need a container image scanner, and that's one of the things Clair does, right? And so that's key. Another really good thing to look at is a SAST, static analysis security tool, right? So this is something that's going to be run on your source code, and it's going to look for patterns of known coding practices, or poor coding, that can lead to vulnerabilities. So often the SAST tooling, especially, again, if we're talking web apps... there's something called the OWASP Top 10, which is the top 10 vulnerabilities that are known to be... or, in this case, I'm not talking CVEs, but again, challenges with coding practices that can lead to vulnerabilities, things like cross-site scripting. So you want a SAST tool that can look for those kinds of challenges. Those are kind of two of the key ones. One of the newer things to think about in a Kubernetes environment: again, you're not just deploying a container image.
You have to have instructions to Kubernetes about how to manage that deployment, and that's called a Deployment, or sometimes, in OpenShift, a DeploymentConfig. You might have a Helm chart that you're using; you might have a Kubernetes operator. Those instructions should be analyzed as well. And so there are things there; that's kind of an emerging space, so I call it app config analysis. It's newer, but there's something like Kubernetes, which is an open-source project, where you can assess what are the privilege requests that are being made in those deployments or those Helm charts. Are they appropriate for the environment? So those are kind of the three basics, right: vulnerability and, you know, CVE analysis, or sometimes also called a software configuration analysis tool; a SAST tool for analyzing your code; and then analyzing your application config data. If you want to get fancier, there's dynamic application security testing, there's runtime application security testing. But I would start with those minimum three.

That's funny. You say three, but I managed to write out five.

That's because the last two... many layers. Yeah. DAST and RAST, right, dynamic and runtime, are things that I would consider... you can add them on after you've gotten comfortable with the first three, right?

And I think, like, the OWASP Top 10 is something that you continuously need to look at, because it does get updated, right?

Right. And these are the, like, top 10, you know, most known bad security practices that are happening out in the world, and OWASP is trying to focus people to mitigate them. And their intention is to build every, you know, cycle of their top 10 on their security stacks of suggestions. So, great question. There's a lot of tooling that covers that entire space.
I mean, I will link to the CNCF landscape. It'll give you an idea of the overwhelming amount of tooling that's out there. But that's basically the gist of what you need to be looking for.

I was going to also add there, too, another way to think about it. There's kind of looking at your code from the outside, which is kind of the vulnerability analysis; there's kind of looking at the code from the inside, which is kind of static analysis; and then there's looking at the code from where it's going to run in production, which is... right. And those three things are actually important in any development environment, right? Like, whether you use containers or not containers or whatever. It's the mechanics of how you do that, or where the stuff lives, or how many of the places can introduce new problems, which is the difference between doing that in bare metal or doing that in kind of containers. You know, it's just, in the Kubernetes environment, you get all these advantages about making sure that, you know, like, things kind of around uptime, right? The downside is that you really need to be much more aware of the environment in which that container is playing, so all the things around your code, to be sure that you're not introducing holes there that you wouldn't necessarily see on kind of a physical deployment or something.

Yeah, I'm going to pick at that a little bit, Langdon.

So I can pick at it too. Yeah.

So, yeah, first of all, you can run containers on bare metal, right?
You can run containers anywhere Linux runs, or Windows, if you're doing Windows containers. So I think it's actually... the difference that I would call out between a traditional environment and a containerized environment is in two levels. And you're absolutely right about those three categories applying to both traditional architectures and containerized architectures. The difference is that in a traditional environment, you can more easily step into that environment and view the configuration. In a running container, it's still a Linux process, but that container image is a little bit more opaque initially when it's deployed. And that running process, you can still step into it, but generally you don't. And so, again, there's that bit of opaqueness, and the tools had to evolve to address that. So these categories of tools have been around for a long time, to your point, right? They've been used in traditional environments. They needed to be updated to be able to understand container images, container processes, and Kubernetes. And a lot of the original security tools, you know, some of the perimeter tools, etc., assumed that an application was running with a specific IP address, etc. It sat in one place. Containers, if they're being managed by Kubernetes, they're moving around; you don't know what hosts they're deployed on; they don't have static IP addresses. And so the security principles for traditional and containerized apps are the same. The tooling had to be updated, and some of the approaches, like the point in time at which you apply security, or how you track security when you're not relying on an IP address, right?
You need to, instead of using firewalls, etc., use what some people call cloud-native firewalls, or container-native, but let's call it Kubernetes network policies. So you take a different approach. You're using the same principles, but you're thinking differently. So I'm not sure... it's more that we're so used to the traditional architecture that we kind of know how to step into that environment and debug. There's a learning curve that people are still on around containers and Kubernetes, and there's some elements about the amount of data that you wind up collecting, like if you're following an audit trail to debug or something: the amount of data, and the context that you need to really pull on those threads in a container and Kubernetes environment, that's more complex for sure.

Yeah, I was also kind of getting at that. The thing that is hosting your environment is also significantly more complex, so there's a lot more opportunities for inadvertent failure because of poor config, right? It's kind of like the difference between running a Java application and running a Java application in an application server. Like, you've still got the same problems; it's just that the volume of places where you can kind of screw up around your code has gone up. Um, I don't know. So I just think that there's... and that's also, for your typical developer, it's also not the kind of thing, I guess, you know, languages, programming, whatever, you're used to looking at, right? And so when you're looking at, like, deployment configs, if you are normally, let's say, a C developer, every day, looking at a deployment config, it's not your normal wheelhouse. Right. Yeah. And in frequency. So even as you learn it, right, you have to kind of relearn it each time. So, a little bit of a distinction without a difference. Sorry, I didn't mean to cut you off there. Are you done? Uh, sure.
Okay, I thought you were done. My bad. So, like, I remember walking into a startup that I worked at in 2015, and I ran some of these traditional tools against the repos. And then, you know, this is just me coming in with my knowledge and saying, all right, you know, we need to cure these tools and we need to use them. The second I started using them, the developers realized that everything is vulnerable and they have to completely change the way they develop things. Don't be surprised, if you're new to this and you start running stuff, that there's some, like, practices that have to change, and people will learn new things about, like, why their code is vulnerable. You need to be able to educate people as to the why behind that. So it's almost as hard learning the stuff as it is explaining to others that they have to change some way they do things, or there's a new tool in the process that's going to start kicking back their PRs because something's wrong, right? So I also dropped a link in chat to our "97 Things" for cloud-native environments. I can't remember the name of the book, to be honest with you, but I contributed to it, if that counts for anything. You can get it for free. It's "97 Things Every Cloud Engineer Should Know." We talk about containers in the book. There's a lot of, you know, my friends that wrote part of the book, as well as some folks that have appeared on the channel, like Dr. Holly Cummins and... Kirsten, I think you contributed to this book too. I forget. I don't know. But yes, that book will help you kind of get that high-level overview of cloud-native, you know, security and your must-haves for things that are out there in your environment.

And, as you're saying, right, so we mentioned owasp.org earlier, right? There's some interesting information there. The Linux Foundation likely has some good content as well for kind of how do you learn about some of these things.
Definitely looking for various places to get educated is useful. And it's important that you keep up with it too.

Yeah, and, like, it is very dynamic.

It is very dynamic.

But you don't have to know every CVE that drops as much as you need to know, like, what are the new ways you can do a bad job of writing, right? Or what are the new ways... And, you know, really, if you start to see... I think what also helps, this is where the experience comes into it, is the more you see of, like, how things like the OWASP Top 10 work, the more you'll start to kind of incorporate best practices into your own coding style, where you'll second-guess yourself when you start to say, well, maybe I shouldn't approach this problem this way, right?

Well, and here's a radical idea, right? Can you make friends with someone on your security team? Some companies actually... and maybe not as many as need to, but some organizations really have started to embed somebody from the security team into the lines of business, so that they can participate with the developers, the app dev team, in the design process, in the development process, and collaborate. And honestly, this has to be a two-way street. The security team needs to learn some things too. In that, you know, security... first of all, there's no such thing as 100% security. There's always some level of risk. And so you're really looking at balancing risk and business benefit. And so you want to have a conversation, and, frankly, because of some of the historical silos, security teams also haven't yet gotten necessarily up to speed on containers and Kubernetes, and they may not understand all of the business goals of the application that you're building. And so, having a conversation where you kind of can go back and forth about: why is security asking for ABC?
And you as a developer can think about, well, is there an alternate way to meet that goal? Right, you can still get to the use case; maybe it's not in the way the security team originally thought. Like, one of the things I do see a lot of, right, is there are a lot of implementation practices or security guidelines that have evolved for traditional architectures, and they actually create some challenges for Kubernetes, but also for speed to delivery. So, for example... you know, it's funny, Langdon, when you were talking about the complexity, and Kubernetes is complex, it's absolutely true, but also, when VMs first came into the world, right, that was a new type of complexity, right? Everybody had to adjust for VMs.

And everybody has, right? Right, the tools caught up.

Right, yeah, simplified the experience, right? And so, actually... Absolutely. So we're on that same trajectory with containers and Kube. But so, you know, for example, a common process is, like, I'm deploying my app and I need to get a cert for my app from the corporate CA, and that's often: I put in a request in ServiceNow and I wait, and, you know, I wait and I wait, and eventually I get a cert and I can deploy my app. So in a Kubernetes environment, again, because my containers might go down and be redeployed, and they need that cert automatically, you really need to have an environment where that can be done in an automated fashion. And so, to meet that use case, there are tools that are evolving in this space that help. But that's an example, too, where the use case of "self-signed certs are bad," or "it has to come from a corporate CA," those are tied to particular architectures. Maybe that changes with a new architecture. And so you really kind of need to try to find a nice way to ask your security team: what's behind the requirement? What are they trying to accomplish?
And then you as a developer can really help think about how to do that.

So I was going to make a comment that I think sounds a little tongue-in-cheek, but I really don't mean it that way. But this is kind of the argument, you know, that we've made a couple of times on the show, and the test is, like, behind diversity and inclusion in software, right, is that we need to all share different perspectives, right? So, in other words, it's a lot easier to learn about what's going on in the security world when I have lunch with a friend who does security stuff for a living, right?

Yeah, it's a lot more fun too, and tastier.

And so if you get... assuming you're not eating the friend. We won't get into that part. But so, kind of the idea of that: the more perspectives we can incorporate into our software development and deployment and operations and testing, the more likely we are to not make stupid or easy or even hard mistakes, right? And it might be a security mistake; it might be, you know, an interpretation mistake. You know, I always go back to the face recognition problems that they've been having because of who they're testing the face recognition on.

Yeah, the models they're building, basically the data sets they have, mainly skew in a certain direction or another.

Yeah, right. So the kind of the takeaway from that, right, is, like, the more people that you can interact with about kind of what you're working on and how you're working on it, and, you know, to your point, like, what is the goal behind this rule, you know, the better you will be as an engineer, or as an investor, or even as a security person, right?
Like, all of those different perspectives. You need to not just be living in your little world. You might know everything OWASP has ever said, but that doesn't mean you necessarily, to your earlier point, understand the goals or the business goals of the application. And so you really need to try to incorporate as many perspectives as you can, and you will end up with better software. And I think that's a really important point that I think is highlighted by security in particular.

Yeah, and, you know, honestly, it's an opportunity for security teams to learn as well. To your point about, you know, YAML and Helm charts, these not necessarily being things developers learn about; you know, deployment, etc., they learn about that later. It's not their main focus. They're coding in Java or, you know, whatever their main language might be. Security teams often haven't needed, haven't been asked to do much coding either.

No.

But YAML is a nice bridge in some ways. And again, there is this cultural aspect. I love your idea of lunch, because that's a way to just kind of create bridges, even if the organization hasn't yet been willing to, hasn't figured out how to do that. But I do know organizations who've asked their security teams to understand the pipeline, the application pipeline, the CI/CD pipeline and the tools in them, and to start learning enough scripting, whether it's YAML or whatever is required, for them to be able to kind of understand how to implement some of the security gates in that pipeline. And that also means they understand more about the tools the development team relies on, and they can have a better conversation. But it's a challenge, for sure. It's going to take time, right? People, process, technology. All of these things need to adjust.

Right, right. And one of the things, I mean, I often, I think I say this on the show, but I kind of talk about it in general.
It's like, you know, remember, our industry is... just this person... our industry is ridiculously young, right? And so not very long ago, right, as a developer, I needed to know how to pull a hard drive and replace it, right? Most people don't know how. Like, it was actually funny, I was trying to upgrade the hard drive in my laptop, only to discover, once I got the laptop open, that it doesn't have a hard drive. It just has...

Just soldered.

No, it's a, whatever that new... yeah, PCIe, you know. And so we have gotten very specialized. So we kind of were at a point where everybody had to know everything, which wasn't sustainable, and now we kind of went through the other end of the spectrum where everybody only knows their thing really, really well, and we're trying to find that happy medium of, okay, I know I'm an expert in my field and I know enough, or I know enough people, right, to be able to know, or to be able to cover kind of all the other things in software development. And I think we're still working through that, and we may be for a long time.

Yeah, and I think, you know, I'm thinking back to something you said right at the beginning, Langdon, where you were talking about SELinux and needing to turn it off. And frankly, even a lot of people haven't heard of SELinux, right? Security-Enhanced Linux. And in traditional architectures a lot of admins turn it off, because the custom apps or even the off-the-shelf apps that they deploy on their server don't understand how to work with SELinux. So one of the advantages that a solution like OpenShift has is it understands how to work with SELinux. So when you code your container images, they don't have to understand SELinux, right? OpenShift takes care of that for you. But it calls out the need to really simplify, to assist developers with security. And this is another place where, you know, open source can help, and Red Hat has been investing, right, because there are a complex set of interactions
between, like, some of these terms may not mean anything to our audience yet: secure computing profiles, seccomp, it's a Linux OS thing, right; cgroups; SELinux. All of these things in Linux help to protect a running container process. But how do I work with those as a developer? What do I need to know about those? How do I learn about those? And so one of the things, there's this open source project called udica. I never pronounce it right: u-d-i-c-a. And it's all about giving developers a tool that they can use to create an SELinux context to better protect their container image. So recognizing, right, that it's not... and that's becoming, I think that's morphing into something called, there's going to be an upstream container security operator. Again, trying to give developers tools that will assess their environment, their solution and what it needs, and provide recommendations on how to better secure it, so that they don't have to get as deep into these different tools.

Right, and sharing that one out. Yeah, we'll definitely be looking at that one.

A number of times on this show we've talked about, like, you know, using volumes and, you know, colon little z and colon capital Z, and, you know, what those different things mean, and how sometimes those things don't actually work across, like, NFS mounts and things like that. You know, so SELinux is something that, when I'm using containers, I have to be a lot closer to than I have been with SELinux as a developer for quite some time. You know, the really nice thing about how SELinux in particular has gotten over the years is it really has faded into the background. It's just doing its thing and it doesn't cause me problems anymore, right?
Or if it does, I have this cool SELinux troubleshooter that pops up and says, you know, go follow these things, and this is where, you know, how you can fix the problem you're running into. So I really look forward to some of that, you know, that stuff. Like I said, I really like it when the kind of security basics, at least, can fade into the background. Then I can just worry about my stupid mistakes, right? I don't have to worry about, like, the entire environment as well.

So should we pause here and talk about our sweet, sweet internet points?

Yeah, I just asked the audience if they had any more questions for Kirsten, so I think now's a good time. Let those roll in. Feel free to ask your questions before we sign off. You know, we want to make sure you get those answered. But go ahead, Langdon, and for Kirsten's sake...

All right, so internet points. We like to do a little thing on the show that we refer to as sweet, sweet internet points. And sweet, sweet internet points have no extrinsic value whatsoever, but they have the intrinsic value of: you are awesome if you have gotten a lot of sweet, sweet internet points.

You too can be awesome.

You too can be awesome. And right now we have on our leaderboard, we have the rendef with 6,100 points, which is just a ridiculous amount of points, followed closely, as always, by netherland hackham. They've gone back and forth a few times. no friction, still, I don't... we have to go find out what happened to them; they're pretty static at the 4,000, along with joe fuzz. However, if you notice, detective kono kudo has actually surpassed joe fuzz with 2,400 points, and bacon fork tightly behind.
And so we look forward to some more mixing up of the point scale. As always, there is the activities page on the episodes repo, which has kind of how you can earn points. But one of the ways is by entering this code that you see right here on the screen in an awesome, awesome, probably very secure Google Form that has... unit points, and I will cut and paste that into the link just to make your life easier. So here's a good... Oh, go ahead, finish up.

Yeah, I was just gonna say, and, you know, so please enter your points, and you can also have cool, cool or sweet, sweet internet points that may actually be worth something someday, like we promised, for... we know they're going to be, in time. So Kirsten, you know, I think, like most of us at Red Hat can attest to, we're actually pretty good at swag.

We are, yeah, we are. Except for this show. Yeah.

It's minus the show.

But so here's a good question from the same person, Jessica at... sorry if I say your name wrong, that prompted the, you know, the question of, you know, what kind of tooling we need: are there any playgrounds where people can practice that? Like, because there are a lot of tools that you could practice with, right? I know we have our own playground on the Learn site. I know we have the Developer Sandbox, which focuses... the URL for that, like, your code at the bottom of the screen. But, like, I don't know if you can play with all the tools in those two places. I know you can play with a lot of them in those two places.

That's a really good question. I am not really sure that I have heard of such a thing. I mean, I want to say, what is the company that is... GitLab, OPA. Oh, well, OPA, Styra is the company that backs OPA. OPA is, you know, Rego is the policy language, OPA Gatekeeper is an admission controller, right? We talked about security tools kind of for the develop... the CI process.
We didn't really talk about some of the security tools that are available to gate deployments, and OPA Gatekeeper is one of those. But I'm wondering whether, you know, whether a GitLab environment might be a place that you could play around.

That's a good point, because GitLab does have a free tier which ties into another free tier for Kubernetes Engine, I think, Google Kubernetes Engine, like they have a partnership. So you could spin up a cluster and attach it with GitLab and really start hacking away at it. Looking at the Styra site, you know, if they have anything. Go ahead.

Yeah, no, and I was just thinking, so certainly, you know, GitLab kind of, you know, has that whole concept of shift left and has a lot of good information, kind of, if you just... on their website. And at the same time, right, that's not the only set of tools you can use, but it could give you a good example of... oh, and they do have integrations potentially with other solutions. So it might be an interesting place to play around.

Yeah. Yeah, it's actually, I mean, it's quite a good point, and it is something somebody could be working on, because I mean, I do know there are places where you can kind of play around with, like, SQL injection, right? You know, like where you can just kind of go try it out and see what it feels like, and, you know, have... or have things do SQL injection tests against your site. So, like, it might be interesting to think about how can we...

Yeah, it is. Yeah, and actually a DevOps or a DevSecOps kind of environment is something that some of us at Red Hat have been talking about. So, yeah, maybe something will show up.

Yes, you heard it here first.

Exactly. As we talk about a lot on the show, right, we are actually from the future. And so everything we talk about is... might be forward facing, right?

Right, coming. Oh, so, but let's see, were there any other questions?
No, not that I see. Feel free to ask. We're running up on time here, folks.

We only... I was going to kind of say, maybe this is a good point to wrap up. Or, Kirsten, is there any other, like, what's the single biggest takeaway as, you know, I hate to use this term, but, like, you know, when I see, right, an individual contributor, somebody who is not in control of the overall organization, what's the single biggest thing they can do to incorporate secure practices into their workflow or their work, as just, you know, somebody who is an employee at a company?

Yeah, so I think we kind of touched on that a little bit earlier, but do your best to learn. I think check out owasp.org. Check out the book that, Chris, you mentioned earlier. And, you know, for anybody who's got time to try a playground, you know, I think the GitLab free trial would give you an idea of what it's like to incorporate all of these things. And actually, I really... Langdon, I... so you asked for one. I'm sorry, I don't have one.

It's okay.

Have lunch with your security, you know, get to know somebody in security.

No, I was gonna say, actually, I was gonna add to it. I was like, and don't forget, make friends. Yeah, and those friends can be on Twitter, they could be on, right, you know, Instagram, wherever. Let's just make more friends in the space, is the biggest thing.

Exactly. And just also, by way of a little bit of context, we kind of gloss over DevOps on a pretty regular basis. If you aren't that familiar with DevOps, go read the fun little novel The Phoenix Project. And, you know, kind of learn from there. It's a fun little book. You know, it will be a good excuse to read something for work that is not boring.

Yeah, like The Phoenix Project... I do not like reading books, because I don't have that long of an attention span, basically, but The Phoenix Project I picked up on Friday evening and was done by Sunday afternoon.
All right, like, yeah, that's how good it was.

It's really quite a good little novel. It's not, it's not like a tech book. It is a real-life-like novel of a fictitious environment where they're having lots of issues, and DevOps and the Three Ways of DevOps are explained in the book, and there's a security guy. And so that will very much also play into this conversation about DevSecOps. And, you know, I continue to wait for the next novel that is DevSecOps, or, you know, DevOps with quality assurance. You know, but I talked to, um, what's his name? That guy Kim. The guy... change him. I was like, Gordon. No, that's not the right one. I talked to him years ago, actually, about, like, doing some of those novels. You know, I was really waiting for the follow-ups, but I continue to wait. So, and he went off and has been doing other stuff.

Yeah, he did The Unicorn Project recently, which I have a copy of but I haven't read yet. So, yeah, yeah.

Me and my books.

All right. Thank you so much for coming. We really...

My pleasure.

Yeah, you've given me a good blog post, right? So... And remember, you can see kind of Kirsten talking about it from a slightly different perspective, and more about shift left and DevSecOps, on In the Clouds in a couple of weeks, on the 29th.

On the 29th. Yes, and you should definitely check that out. Chris, what else do we have on the channel today?

Oh, good question, Langdon. So coming up at 11 a.m. Eastern, 1500 UTC, we're going to be talking about the OpenShift Assisted Installer, which is one of my most favorite tools from Red Hat in the OpenShift world. It's actually how I spin up clusters routinely. When I break mine here at home,
I use it to spin it back up again. And then later on we're talking about DevSecOps again at noon. So a very DevSecOps kind of day, talking about protecting data in the actual OpenShift, so, like, data in the environment and everything else along with that. So that'll be a good show. And then I think we're off the rest of the afternoon, because Lord knows I'm stacked up with meetings today. Like, I'm literally from 8:45 until 5 p.m., I'm in...

The channel is negatively impacted when people want to talk.

I know, right? Like, you invite me to a meeting, that takes away from everybody else. Just remember that, Red Hatters. So yes, thank you very much, Kirsten. This was a...

My pleasure. Thank you both.

I think the audience is thanking you as well. So you've done a fantastic job today. Thank you. Anything else, Langdon?

No, I think we're good, and we'll see you all next week. We're going to talk some more about security and, you know, some of the buzzwords or words in the industry that you may not know, things like authentication and authorization and devastation, and what all those things mean and why you might care. And we hopefully are going to have a few people joining us for the show to explain the things that I don't know how to.

Yes, and there will also be a super special announcement next show.

Oh, yes. Yes. Yes. And so tune in for that, for sure.

All right, folks. We will catch you here in about an hour. So take it easy, stay safe out there if I don't see you again. And thank you very much again to Kirsten and Langdon, the illustrious one, as always.