Good morning, good afternoon, good evening, and welcome to a very special Level Up Hour today here on Red Hat Livestreaming. I am Chris Short, host and showrunner of this thing we call Red Hat Livestreaming. I am joined by the one and only, the illustrious Langdon White. And I'm free to say, yeah, that's a mouthful in the morning. I guess tongue-tied in the morning, whatever it is. Langdon, we have lots of people here. What's going on? What's happening today?

You know, the usual. We clearly are still struggling with coffee. We're all very glad that Chris has his power back.

Yes, that's kind of nice. Yeah, and hopefully we're all crossing fingers for no more tornadoes.

I like the power map that you had. All I could think of was a New England ice storm.

Yeah, it was a lot like a hurricane hitting here, except we didn't have that advance notice, right? Like the only notice we actually had was "chance of severe storms," which we hear literally every day in the summer, right? It's like, okay. Now there's a tornado watch. Okay. Now there's a tornado warning, and it's like, okay, to the basement we go. And we spent almost 48 hours without power. We had no cell service; cell service is still spotty throughout the region. Think about that from an infrastructure perspective, right? Like how impactful that is to not just you but, like, fire safety, all the other things that are involved, right? So, yeah, it was interesting.

Hi. Yeah, that's a very polite way of putting it.

Yeah, I have a solar-powered battery pack now. Yeah, right, right.

So as I said before, I'm Langdon White. We have a bunch of special guests today. However, we will talk to them in just a minute. First, we need to do my awesome, awesome slides, because I spent so much energy on these. And I will give the caveat to the people who designed the new logo, the people who designed some graphics here: they're good at stuff.
I just slapped it onto a page and called it red and said, hey, it's Red Hat now. So this is the Level Up Hour, where we talk about why containers are cool and why they might be useful to you, just kind of in your everyday life as a sysadmin or as a developer, as well as, you know... so it's not just the hype about why you want to convince your developers to move into the containerized world or this cloud-native thing or that kind of stuff. Containers are super useful in lots and lots of scenarios, and so we talk about those on the show.

And so last time... oh, before we get to last time, let's talk about us. So I'm Langdon White on Twitter, Langdon with the one, and Chris Short is Chris Short with one I, two S's. I just like to make a random... I want to make a comment about his Twitter handle like I have to make about mine.

So it's two very common words, right?

Right. Well, you know, I'm sure there's a very lovely doctor in Canada who has Langdon and is an active Twitter user, so I'm very happy with Langdon with the one.

Join us on our Discord, where we chitchat on occasion. It seems to go in cycles, how much we end up talking there, but feel free to join us there and chitchat in all the channels. Every show kind of does some content there, so, you know, feel free to ask about any of the shows, but mine obviously in particular, because, you know.

And then, so last time we talked about DevSecOps and kind of the shift-left idea, and I kind of realized that maybe we should talk a little bit more about the basics of security. So I invited some people who I think would be good to talk about it, and they are here with us today. But I've stopped the slides now so I don't give away our sweet, sweet internet points. Not just yet.
Not just yet. So why don't we start... we'll start with Randy, just because he is in the top right corner of my screen. So why don't you... can you just tell us a little bit about your background, introduce yourself, and, as you know, my terrible joke, but, you know, Red Hat rearranges itself all the time, so I never know what each department is called. So, you know, if you can give us a little of that too.

Well, hey, everybody, and good morning. I'm Randy Russell, and oddly enough, across reorgs and rearranging of the deck chairs, somehow I seem to always stay where I am.

Or it's like you just kind of get put back in place every time. Hey, you know what? An automated process. Declarative Randy.

Exactly. So I am the Director of Certification at Red Hat, and so if you've ever heard the term Red Hat Certified System Administrator or Red Hat Certified Engineer or Red Hat Certified Architect, any of those, I manage the team that runs those programs and produces those lovely exams that people enjoy taking so much. I've been at Red Hat for quite a few years, and my experience with Red Hat precedes my working at Red Hat. I came to Red Hat as somebody who had also been a customer and a user of technology from this company, and so, a long association.

Nice. All right, so now, just arbitrarily, let's go to Jaafar, and I'm going to hazard your last name is Chraibi. Is that right?

Yeah, it's Chraibi, but it's okay. I know it's hard to pronounce, so no hard feelings. All right, so thanks for inviting me here today. So my name is Jaafar Chraibi, and I work as a TMM, technical marketing manager, for OpenShift, so within the same team as Langdon. And so I'm the director of nothing, but I've been playing with OpenShift for quite a few years.
So I've been with Red Hat for about five years now, and I've worked especially in the EMEA region, in France, so I'm based in Paris. And yeah, I'm happy to be here to basically talk about things that relate to OpenShift and containers. It seems like today we're going to be speaking about security and how it ties to containers, so I'll be happy to give my two cents about that. And yeah, mostly I focus on pipelines and DevOps things. So since we are talking about DevSecOps, that might be a good topic to bring up today.

Put it in the pipeline. That's right. So Scott McBrien, who I have known for quite a long time, mostly when we used to do Summit labs together, which I think was his most painful experience and one of my more fun experiences.

So yeah, Scott was in charge. Okay, good. Oh, yeah. Yeah. I'm Scott McBrien. You may know me from such things as Enterprise Linux Presents... Oh no. So my name is Scott, and I have been with Red Hat for quite some time as well. Interesting fun fact: Randy was my first manager at Red Hat.

Oh, that's interesting.

Yeah, he made the mistake of hiring me. Blame Randy.

Yeah, right. I see how this is going. Yeah.

So I'm a technical contributor over in the Red Hat Enterprise Linux business unit. Langdon, you've had Scott McCarty on a few times; he's the product manager for containers and the Universal Base Image. And I work with him a lot.

Meetings where we have two Scott Mcs, right?

Yeah. We do have times when we have three of them in a meeting. Yeah, we had a time in the RHEL BU where basically it seemed like we were only allowed to hire Mcs. There were like six Mcs on a team of like ten. It was like, what?

Yeah, so this current team I'm on, it seems to be Chris is the only one allowed. We didn't do that in the... yeah, it seems like... yeah, it's really kind of weird. So awesome. Thank you so much for joining me.
I really appreciate it, you know, as always. And so what I was kind of thinking was we would offer up, first and foremost, what is that one security thing that, as a developer or sysadmin, you, even to this day, still find confusing or need to think about before you do it? And for me, and I think for a lot of people, I'll start, just to give you a little bit of time to think about the answer: it is authentication and authorization. And I think this is a pretty common one, but I kind of cheat-sheet it out, or have to think about it for a few minutes. And so authentication is basically the login side of the question, and so basically, are you allowed access to this system at all, right? And then authorization is, okay, now that you're in the system, what things are you allowed access to? And so I don't, you know, I don't have a mnemonic, I don't have a whatever. It's one of those things I just kind of have to periodically catch myself, step back, think about it for a second, and remember which one's which. And then the latest one is attestation. It's not really the latest, but it's one that's become much more important in recent years because of basically the proliferation of tiny little devices and things like that. Attestation is this idea that you're provably running some software on some hardware, and then mechanisms for doing that. But with another A word in the mix, that now throws off the other two for me even worse. So those are kind of my examples. I don't know, just if any of you have a good example like that.
Please shout it out or volunteer.

Okay, so I struggle with firewall rules. Like, blocking and that kind of stuff, I'm pretty good with that, but especially in the container space there's a lot of forwarding that happens, and that has messed that up. I may or may not have had to drive to one or more data centers because I locked myself out.

You would never admit that that had actually occurred.

Never happens, right? And you know that in that scenario it's very, very secure.

Yeah, that is rather stable.

Yeah, is it though? Or did I just allow a whole bunch of other people access?

Yeah, I definitely... and then with firewalld, the fact that it's kind of like iptables, but not quite. You know, actually the thing I struggle with there in particular is multiple zones. So like if I make an operation in firewalld, it will operate on the active zone, except if you have more than one active zone, it will only operate on one of them, and I'm not sure which one. Maybe, you know, Randy, who's more on the training side of things, I don't know, maybe you know how to figure out which of the active zones it's going to operate on. But as far as I can tell, it's basically random. So that seems fun.

Yeah, no, don't look for any guidance from me. Look, I learned ipfwadm, as it used to be called. I learned ipchains. I learned iptables at some point. I got left behind with firewalld as well.

Right, right. Yeah, so just, you know, just turn them off. It's fine. You know, it'll be... Right, right.
Yeah, we're a Bitcoin miner.

So Jaafar, Randy, either of you have any examples of those security sticking points that you get stuck on all the time?

Well, I know one of the things that comes up quite often with containers is the capabilities that are allowed within the container image. So the things we handle with SCCs and such things. It can be pretty daunting to understand exactly how to define those within the containers and Kubernetes space. I don't know if those were discussed previously, but that's...

Yeah, so that security topic, that's a really good one. You know, we actually had Dan Walsh on the show a bunch of episodes ago, and one of the things that I think particularly even newcomers today to Linux, or system administration, whatever, think of root as this, like, you know, block, right? It's like, you are root. And it kind of is, but at the same time it's gotten so much more sophisticated than that. Now you have all these things, these capabilities, right, of which root has all of them, but you can kind of parcel them out in individual pieces. And so there's this whole breakdown of a much more sophisticated kind of security model that allows containers to do their thing, and allows containers to do more than their normal thing, but not as much as, like, you know, the ones that are really important, and they're just getting more sophisticated. So, you know, really thinking of root as a non-monolith, in a sense, is really, really important these days. And I find it, you know, like it's new, right? To Randy's point, it's like, you keep changing the stuff on me. I've got to catch up again every time, and the capabilities are tough like that. So, yeah, I think that's a great example as well. I don't know, any other examples? Or, I mean, I know Chris is perfect in every way, so, yeah.

I've never had a security issue ever.
I will say, you know, I once was in charge of an intrusion detection and prevention system, and our storage network ran across it somehow. We didn't realize this was happening, right? But that storage VLAN somehow ran across it between our data centers, so we had to create a carve-out for that VLAN to just kind of bypass the IPS and IDS, because it was picking up random strings as, like, vulnerabilities and stuff when we were just backing up stuff from the primary to the secondary data center, right? So it was like, how did this VLAN end up way over here on the edge? That's not good, right? So then that was a whole breakdown of, like, okay, where are the VLANs?

Yeah, good stuff. Yeah, pain, pain.

For me, I've given up on trying to keep up with the latest DNS security issue and the corresponding new way of thinking and corrective measure to try to prevent it in the future, until the next DNS security issue comes along.

One of the funny things about that was, like, BIND was actually pretty good. Like, we stopped getting those all the time, so we had to go and invent things like Unbound and dnsmasq.

Yeah, you know, otherwise they get lonely.

I will say, speaking of DNS, that one of the most fascinating tech stories I think I've ever read was... Wired did a really good piece years ago about the vulnerability they discovered in DNS that was basically, what was it, like a root name server... And it was basically a protocol design flaw. And so they basically flew in people from around the world, you know, basically security, like government security, took over and were like, we need this solved. Please all get in a room and fix it. And it basically changed the protocol around.
I think it also led to DNSSEC, kind of eventually or by extension. But if you can go find that old Wired article, it was really good. Really interesting. You know, not as crazy as the stories about McAfee in Belize, but, you know, still a good story.

God. Throw that in there.

Yeah, of course I did. Yeah, no, this is the legitimately good story versus the McAfee story, which is just kind of crazy. But all right, so those are some of those examples. I was hoping we would talk about some other things. We haven't got any questions, I don't think, or have we?

No, we have not. And I'm curious, out there in userland, what kind of security problems are you hitting today as far as, you know, you're running containers, you're trying to run them in production, maybe your security team is pushing back and needing some things like agents installed? That's a common question we get, Jaafar, I know. And, you know, having that paradigm shift from, you know, your traditional "hey, all these VMs have all these agents and AV and all that other stuff on them" to now your container needs to be secure, but that container itself is not going to run agents, right? Like, it's just going to run your application.

So actually, sorry, Chris, there's something that came to my mind while you were speaking about the paradigm shift. For the many years where I was working as an SA on OpenShift, one of the biggest security talking points, I would say, where we had issues with the customers was how they could trust the SDN, right?
Changing the paradigm from something where everything is defined within their firewalls, and they have application tiers where something is hard, you know, bounded by firewall rules, and now you start talking about networking managed directly by OpenShift, with network policies and such things. It was something that took a lot of time before they could start thinking about, okay, we can delegate network security to the platform itself and not try to control everything, you know, from the traditional standpoint, right? And yeah, so I think that up to now it's something that some sysadmins or network security guys still prefer to handle the old way. But as things are evolving, and as the container ecosystem is also maturing in terms of giving some visibility, allowing us to get some alerts whenever you have some networking breaches and such things, people are starting to change their minds and start to embrace that new, modern way of handling network security within the container world. So yeah, that was, you know, I wanted to say it before I forget it.

No, it's a good point. And Red Hat is actually giving away a great book. I contributed a part of it, as well as many other very much smarter people than I, or however you say that. But, you know, I touch on security in the book in a cloud-native context, kind of from a high level, but then other people do as well, and I would highly recommend downloading this book. It's basically a book of 97 essays from 97 different authors. Some of them have been on this channel before, including myself, obviously. But check that book out, right? Like if you're just getting started, or if you're really wanting to have, you know, an opinion on something.

So, Chris, yes, you couldn't find three more people.
I couldn't find three more people? Or whoever was the editor of this book. I mean, 97 wasn't my choice; that was an O'Reilly thing. I just contributed to it. Emily Freeman, and maybe it's Harvey Nathan actually, or Nathen Harvey. They actually wrote it. So yeah.

It could be a reference, you know, to a set of theses that were, you know, nailed to a door, perhaps.

So yeah, yeah, you never can tell. So let's see, what else did I want... Another one I wanted to talk about was... so another one that comes up, I guess, a lot for people. This one I really... I think I usually get it because I watched too much G.I. Joe, the cartoon. But so, red team versus blue team. So I'm going to pick on, you know, whoever wants to answer that. What is a red team versus a blue team when you talk about security, or, you know, security testing?

I mean, I can answer that, but I'm talking off... I think Scott was about to unmute.

I feel like I was. So red team versus blue team is basically, you have a team of attackers on your product and a team of defenders on your product. And usually the blue team is the defenders and the attackers are the red team. And so it's a way that you can interactively get real people to test the efficacy of your security stuff by telling them, no holds barred, do what you've got to do, right?

And I mean, what I like is, like, this is... you take, you know, kind of the old prominent hackers, right?
And they have gone off and formed consulting companies and become red teams, and I'm like, those are the kind of people I want to hire to attack my system and ensure that it's actually secure. So the reason I bring it up is because I think a lot of people mix up the red and the blue and which one's which. And I don't know if this is actually its origin, but, you know, at least for me it definitely throws back to, you know, cartoons and movies, where it's like the attacking team always has red lasers, right, and the defending team always has blue lasers. And, you know, I don't know about the physics of that exactly, but at least in G.I. Joe, as I recall, that's how it always works.

Now that you mention that, there's, you know, one of the famous movies where they speak about the Force and stuff like that, where the attackers indeed have red sabers and the others have blue sabers. Yeah, so now that you say it, it makes sense.

Yeah, I think that's the theme there.

Now I know how to explain it to my son. He asked me why these have red sabers and the other ones have blue ones, so now I can tie it back to this.

Right. Yeah, just definitely explain the movie in terms of, you know, network security.

Oh, lightsabers and the Force. Yeah, that's going to make security great.

Just like the crystal that they found in the cave. So many Star Wars people are just cringing. When you switch to the dark side, right, right.

So I think the next time one of my kids gets into something, right, pulls it apart or whatever, I'm just going to refer to it as a pen testing event.

No, trust me, my son is going to be the pen tester of this household. Trust me. He finds ways to do things that I didn't know were possible at times on an iPad. So it's like, how did you get to this, like, maintenance mode screen?
Trying to open Noggin. All right, so in the context of the show or whatever, okay. So somebody want to explain what pen testing is? Because I brought it up but gave no explanation of what it means. So, Jaafar, you want to take that one?

So I'm looking for a pen and trying to write some stuff with it. Is that what we call testing? I mean, you're testing your pen. The other meaning I know about is like you're trying to penetrate the system, trying to find security holes, and basically, as he said, you are, you know, trying to hire some people who are very skilled at finding breaches and trying to make sure that you find that ahead of time, before releasing your products, so you can fix the security holes before they are out in the outside world, right? Is that correct?

Yeah, and oftentimes people will pen test routinely, right? Like they have a contract firm or a consultancy or whatever to come and pen test things on a regular basis so that they can just have more robust infrastructure and security practices.

For a long time I always heard people saying "pin test," like the pointy pin. Right.

Well, that's one of those accent problems you have in the US, right? Is that "pen" and "pin," depending on where you are, sound very, very similar.

Does anybody know why it's called pen testing?

I have no idea.

Yeah, you didn't know that. You're the professor here. I mean, yeah, right, right.

Yeah, I mean, so on the security side, right, like I've never kind of worked in a place where I would hire a red team, right? Like I've always been more on the application side, in a sense of looking at SQL injection attacks and things like that and making sure that the code looks good.
So a bunch of that... when you're looking at the external-to-internal, you know, I don't actually have that much experience with it, but yeah, it's so nice to learn more stuff.

So since you're mentioning it, one of the craziest RFPs we had to answer had a whole pen test section where actually the guys in the RFP submitted the pen tests that they were planning to execute. And it was something for OpenShift, and they had like ten pages of "here are the code injections that we are going to try on this, this, this component, and please make sure that, you know, ahead of time, you validate that it's going to be okay or not." So I've never seen that before in an RFP.

Yeah, but those guys were really serious about their security politics. Or policies. Politics too. You have both of them, generally, right? Right.

So we had a really good question in the chat that I was going to bring up, but it was followed up by another great question too.
So okay, so the author, Vipple, writes: OpenShift has very clear ingress/egress deny network policies, RBAC, et cetera. What are the things that are not generally covered by the obvious security components in OpenShift that you try to keep an eye on? Like, where are the loopholes, or where are the gaps, you know, or even just one that you think people need to be aware of? And I would start with one quick one, which is that... well, what I was going to say is that I think a lot of people think that the platform is going to fix problems in your application, right?

Your flaws will persist.

Right, right. So, you know, usually the weakest point of any of these platforms, whether it's an application running directly on a RHEL VM or running in a container or running in OpenShift, the first problem is going to be the kind of added-on code. So I think that's a really important thing to remember. You know, I commonly will say things like, you know, when I write a software application today, there's like a million lines of code, maybe more, underneath it that are provided by third parties. But this is the beauty of open source, you know, all bugs are shallow, right, with enough eyes. So it's unlikely that the problems are going to be in that million lines of code, or undiscovered at least, right? This is the whole idea behind CVEs and the jokes we were making about DNS. So most... you know, the first thing to really watch for is kind of what we were talking about a bit last episode. You know, look at OWASP, look at those kinds of things, and look at your application to make sure there's nothing missing. So that's kind of the first thing. Where else would you go look? You know, what other examples would any of you have?
Oh, I actually think... go, Scott.

That maintenance of your container image and the stuff that you stick in your container is crucial, and not enough people care about it. But like, "write once, run anywhere" does not mean you can't rewrite it, right? I don't want them to rewrite it, but like if they want to take some library from somewhere and they shove it in there, they need to make sure that if that library gets updated with something, they redownload that library and shove it into a new copy of that container. So for example, if you based your stuff on the Universal Base Image, on July 20th there was an important CVE issued against systemd, which affected the Universal Base Image if you're using the standard UBI or UBI init images. And so we rebased, or rebuilt, the UBI images to account for that updated systemd package that was released by Red Hat. But if you're running a Universal Base Image from four weeks ago, you don't have that update. So you'd need to repull it and restage your software into it and then redeploy it. And that's something that people have not built a good practice around.

Yeah, so it's interesting that you bring this up, because it's actually one of the things that OpenShift was good at from the beginning, like the ability to cascade, rebuilding applications when you are rebuilding one of the base images and such things. And actually, what I saw, and what was the most impressive in terms of taking this thing seriously when it comes to fixing CVEs inside base images and stuff like that: one of my customers was taking that so seriously that they had a dashboard built into the CIO's office that showed how many base images were having CVEs and how far behind in terms of versions they were. And so he was monitoring that every week, and if he had a lot of images that showed up as not being patched...
There was, like, you know, a top-down hammer that was going through to the IT guys, to the project guys, to make sure that they are patching their images accurately and not staying behind X many versions compared to the latest one that was rebuilt. So they built a specific dashboard that pulled tags from the Red Hat registry and compared that to the base images that they were using, and it was checking if there were some CVEs in those images, and basically showing up some alerts, and depending on, you know, the gravity... not the gravity, but the impact of that security issue, the CIO was managing that himself. So I found it pretty impressive to see that they were taking that specific topic that seriously, because, as you said, it's the base of everything you run on the platform, right? So if your base images are corrupt and they are not correctly patched, then it can spread out to the whole platform very easily.

Yeah. And yeah, you want to talk about having a bad day? Like, let's have all your applications be running the same base image when a vulnerability is added to Metasploit so people can just easily take advantage of it, right? That's a bad day. Thank you.

And so for folks that don't know, Metasploit is... it was an open-source tool. I think it was acquired by Rapid7, I think, a few years ago. But yeah, it's like a toolbox, basically, for pen testing and any kind of exploit testing of your choice. You know, back in my security days, it was a common tool that I would just constantly run against certain APIs and URLs just to make sure we weren't exposing ourselves to anything obvious. But I bring it up because when zero-days are released, there's always like a couple of days, maybe even hours sometimes, it's getting down to the point where an actual tool will be added to Metasploit to take advantage of that zero-day.
So you know, you have to be careful when you're using these tools, because you can penetrate your own systems and break things, but also you have to be very cognizant that so can others, and Metasploit keeps adding those zero-days faster and faster and faster. So that's becoming, for security beginners, like the first tool they really learn and dive into, I feel like. And it can pop your container wide open if you have any kind of vulnerability, real quick.

So apologies there, my computer completely crashed.

Oh, fun.

I did try to open G-Chat running in a Flatpak. So, you know, maybe G-Chat is the problem. Took out... I was kind of impressed. So, yeah, so apologies if I missed a little bit of the context. But did we want to move on to another question from the chat? I heard you guys talking about Metasploit, but I wasn't sure if that was the next question in the chat.

No, I mean, that was part of the question, right? Like, any ways to automate pen testing? Any tooling to automate penetration testing your network? Metasploit was the first thing I thought of, just because you can kind of script that together and test certain endpoints and so forth.

Yeah, there are other, you know, what we would probably loosely refer to as script kiddie tools, right? So just by way of explanation, right? So there's this kind of new class, in a sense, and not really that new, of hacker, or attacker really. And if you want real throwback, you know, we're not supposed to use the word hacker.
We're supposed to use crackers, but we'll get into that some other day, but I think that ship has sailed. But this idea that there's a lot of new people who are starting to use the internet on a pretty regular basis, you know, 12-year-olds, 15-year-olds, and they learn, and they want to get into... they want to break into stuff, right, because they think... And so they don't really know enough about technology to really work out how to crack a zero-day or how to crack a CVE themselves, and so they are pejoratively referred to sometimes as script kiddies, because they just use scripts they find on the internet and then run them as attacks. There are a lot of those scripts out there, and by scripts I mean things like Metasploit, which is very sophisticated, but there's stuff that kind of runs the whole gamut. So also kind of being aware that there's other stuff out there that you can throw at your network, and usually you can find them pretty easily with, you know, "I want to hack," you know, "I want to hack something."

But it kind of goes... and actually this brings up another term. When I was doing a little research for the show, apparently black hat and white hat are also terms that people mix up, which, that one I find interesting as well.

Also offensive, but yes.

So basically the idea being is that there are people who are attacking places or whatever with legitimate reason. This goes back to the red team discussion, right? You went out and hired a team to attack your network intentionally.
It's all above board, you know, but you're testing it out, versus people who are trying to break into your network or your environment, let's say, without legitimate reason. And so there's a lot of that stuff out there, and, you know, it's usually pretty easy to find, even if they're not as sophisticated as Metasploit. So yeah, that was kind of a long-winded way of answering that, but, you know, there's a lot of stuff and it continues to grow. A friend of mine actually in high school, like, he was in high school, I was in college, wrote one, for example, that was similar to Metasploit, you know, because he could. And that's, you know, that's what you do when you can. But the flip side is, you know, you never know what use it will be put to. So, yeah, so somebody threw the magic word up there in the chat. So somebody said DevSecOps. So that forces us to, so we talked about life more. Yeah, yeah, so we talked about it with Kirsten last week, on the last episode, we talked about DevSecOps and kind of shifting left. But, you know, whether we put a buzzword on it or not, right, it is becoming ridiculously important to make security a first-class citizen, they call it, right, in your software application design, in your application deployment, and you really need security to be a part of your everyday life when you are a developer, a sysadmin, or whatever, because it's getting so easy for people to attack you, right. You know, right, my, like, I want to be able to SSH into my house, but I either have to, like, have the ports jump around or something, or, like, because I just get, I get bombarded all day, every day, with full port scans, you know, and it's like it's nearly impossible these days to kind of be able to do anything and not get attacked. Actually, I have so many devices on my network now that I've had to decouple, like, the security component from the actual, like, service delivery component.
So yeah, the little, like, consumer devices just can't keep up sometimes. Yeah, well, for me, I have, like, my own work network, and then I have my other networking for, like, TV, cameras, and, like, two separate networks, where my computers run on dedicated networks and then the rest runs separately. So I like to keep things separated. I'm surprised, honestly, that we're not seeing more kind of consumer-level, like, you know, where your wireless AP, right, which is usually your router and everything here all outs, I'm kind of surprised you're not seeing more of them coming out with separate IoT networks from the home network from, you know, I don't know, you know, consoles network, you know, that those aren't kind of getting built right into the devices. Because, because it's a Christmas point, right, like, I think I have 50, 70, yeah, devices on my network now, and that's not even running that crazy, you know, and I really don't want a lot of those IoT devices talking anywhere near my actual computers, you know, because they're so ludicrously insecure, as a well-known Twitter handle, which I will not repeat, is fond of commenting. But there's other things, right, like, when it comes to security. And I'm just gonna read this, Scott, because I think Vipul is on YouTube, so Scott couldn't type in chat, he's working on that, but Scott gave one example of a CVE that may not put your thing at risk, but in my experience, if you don't put in mechanisms for dealing with this kind of situation, you end up reinventing the wheel at really inconvenient times, whereas if you build procedures or build pipelines, Jafar, that assume that updates are going to happen, you're going to be surprised. Did you mean to say surprised and unhappy when you get a fire drill? I'm making up, as, do you mean to say surprised or unsurprised? It's more like that, that one CVE that I was referencing, of the systemd update, like, that might not affect Vipul's application.
Yeah, it may affect someone else's application that provides direct access to the container shell or something weird, right. But just because that doesn't apply to you, that one doesn't apply to you that one time, doesn't mean you shouldn't build a methodology for handling updates in a repeatable, automatable way. Otherwise, when this, when you do run into one that affects your thing, you have to fix it now, and then you get to invent all of that stuff on the fly because you have to fix it now, right. And crises are not great for, you know, life, doing things, experimenting. Yeah. So, so I have to admit that I haven't seen yet the previous show about it, although I sort of, I think I kind of know what the content was. Was it, like, the ACS stuff, like, how you use pipelines with ACS and those types of... No, we were talking more, we were talking more from, kind of, more about, like, what is that? Okay, okay. And why does it matter? Okay, because we had another show on the OpenShift Coffee Break where we did a demo of, like, a big DevSecOps pipeline with ACS and such things. But basically, because I think this topic is quite important, but maybe to give some, you know, food for thought for our viewers on this episode, I think we can all agree that there's not one single aspect when you are speaking about security. It's, like, it's spread everywhere, and it's something that you need to take care of at every stage of your application's life cycle. So it all starts with, you know, if you are using an OS that has some corrupt stuff in it, then you might have a security issue as you're writing your application in there. But if, as a developer, you are writing some code that is not properly, you know, secure, you are introducing loopholes or security breaches; if you are using some libraries that have some security holes in there, as a developer, you know, even in the early phases, you're introducing some security issues in your application.
So we are not yet speaking about the container aspect of it. You are still in the regular application development phases. Once, once you publish your application, so I would say, okay, we have written some lines of code and we have built the application and we've submitted the binary, then your binary is stored somewhere in an enterprise repo. But I believe Langdon mentioned something about attestation. So what, what, so I can't find my words in English, but what proof do you have that the binary that you are building into your container image is actually the one that has passed all the tests, etc.? So that's why you have, what you have is signed binaries that cannot be altered by somebody that just makes a change and submits a new jar somewhere in the repo, right? You have pre-staging, pre-, you know, you have development jobs that you can use, etc. But at no point in time should you be able to take the development jar and put it into a container image and ship it as something that is ready to consume, right? So you have these mechanisms where your binaries are signed, and only the signed binaries can then be built into a container image, which you can then distribute, because then you have proof that you have a secure application itself, and we are not yet speaking about the container image and all the base components that it's gonna bring to the table afterwards, right?
So you are secure, introducing security at every, every step, and the reason why you want to have that notion of DevSecOps is because you want to make sure that everything happens automatically, which means that no single person can alter those things intentionally in a manual way, because if anybody is able to alter things along the way, then you lose that notion of "I know that it hasn't been tampered with" within the process of shipping the application through staging, through pre-prod, and through production. And, and basically DevSecOps is, is, is this notion where you put security checks at every stage of your application life cycle and make sure that nobody can tamper with those, and make sure that you have proof for anything that has been built. So you have proof that your libraries are secure because you have security scanning tools like Sonar that are going to analyze your code, and then you're gonna have links that say, here are all the security reports that are linked to this specific version of this application binary, right? So you have traceability. Traceability is very key, I think, in a DevSecOps approach, because you need to have the trace back to your proof. One, I was just going to say, like, one of the things that I, I think you commonly hear as well, to avoid some of those problems, is you could just build your own binaries, right? And so, you know, even if you have signing, like, sign them yourselves. And one of the things that I find, you know, really surprising about that, or whatever, is that there's this belief, like, one of the things that, like, an organization like Red Hat, or even an organization like Fedora, right, brings to the table when they ship binaries is that an expert, or at least theoretically an expert, is the one who's kind of packaging the code into place, right? And then kind of saying, okay, I'm gonna do a build and then I'm gonna attest that this build came from this source code. But they also know what the source code looks like, right?
They read that source code. They apply patches to it. They're familiar with it, etc. And so then they, they stream those binaries into your pipeline, and then, and so, like I said, I've heard commonly, right, many times, that, you know, everyone, or these people, just build their own versions of Perl, or whatever, whenever they're doing these pipelines, and I'm like, that's in some ways even, that's even less secure, right, because now you have to be an expert in all the code that makes up Perl itself, right? You can't keep up with that, right? And it's too much. It's just one library. It's just one component. Maybe hundreds of components that you're gonna use; a lot of research. It's almost impossible to, you know, to do that unless you have the maintainers of that library, or, you know, the main committers, right, within your, your project, which, which arguably, you know, if it's that important to your, you know, business, maybe you should hire them. But you should also hopefully, when you're doing that, also be distributing those, those attested binaries through a channel like Fedora or some other, you know, open source channels, so other people can take advantage of the fact that you have experts who are attesting about this binary. So I just think it's, it's kind of important to note, like, there are actually, there's not just efficiency benefits, in a sense, to leveraging the work of others, or, you know, kind of the community, or, you know, like, organizations like Red Hat or Fedora, you know, things like that, but there are also actual security benefits. There, there are benefits to the product that you're delivering, because, you know, these people are experts, or providing experts into the pipeline. So yeah, so a couple things. Yeah, real quick. So we have an announcement to make, we need to do that, and then, yeah, Vipul has a good question that we need to address, and I think, Randy, you tried to do it in chat, but we need to talk about it a little bit further. Which one do you want to do first?
I think we should do the points and the announcements first and then, yes, get back to Vipul. I just, I always try to get the points within the Level Up Hour, and, but obviously we have a tendency, a small, small tendency, to not actually finish within... Yeah, so, yeah, so let me, let me hit the slides real quick, and I hope this will work well, because, as I mentioned a few minutes ago, everything crashed. So that was slides. Okay, cool. All right, cool. All right, but we are on the wrong side. Let me also, I have my cheat sheet for the points too, but here's where we're at. I don't know, Norenda, if, I think, missed the last episode or missed submitting points for the last episode. Netherlands hack them, still neck and neck with Norenda. No affriction, I think, still holding steady at 4,000. But a bacon fork has surpassed his, their competitor, Joe Fuzz, and Detective Kudo, wow, I don't know how I've missed said that so badly, Detective Conan Kudo, with 2,500 points, is definitely kind of moving up in that chain. So we're pretty excited about the current status of the points. As always, you can go and get your own sweet, sweet internet points by following the links I just pushed into the chat. There's kind of a short link which will take you to the form itself, and then you put in the code manually, or the other one, all that does is prepopulate the form with the code to make your life a little bit easier. You know, please keep in mind, if you want to, you can say "private" for the nickname, and if you do that, we won't mention you on air. We won't, you know, you just kind of collect the points and you can get your own status of how many points you have without, you know, revealing anything about yourself, if you so desire. We actually had one of these participants who was originally always marked as private and then one day decided that they had come up with a cool enough nickname, and so they revealed themselves with a big jump in the points.
It was, it was pretty funny, to be honest. So that is our sweet, sweet internet points. We love giving them out, even if they are just an intrinsic reward. Chris, actually, I think we, we heard again, yeah, that we've never been this close to getting extrinsic rewards, to be able to give out some swag or something like that for the highest-level points. So, you know, but we, we promise this every other week. Yeah, it's, this is episode 42. So maybe it is the answer, right? So that's kind of what I was noticing. I think maybe it's the answer. That's, that's what I'm hoping. That, you know, hopefully we don't have to involve any mice, but, you know, maybe it is the answer to, you know, life, the universe, and everything. And if you haven't read The Hitchhiker's Guide to the Galaxy, this doesn't make any sense, but you should. And if you haven't read it, I haven't read it, but it makes sense. No, all right. All right. It's a lot of fun. The funniest, one of the funniest things that came up about it recently was, the whole premise of the book is that it's about another book. That book is actually crowdsourced, so it's basically, it's the equivalent of Wikipedia, but it's kind of a really hilarious example of open source in action. So, now to the announcement, which is, I, sadly, I'm planning to leave the show. And not just the show. What? Yes, I'm going to be leaving Red Hat, and what, I blame Chris Short. He regularly refers to me as "the professor" on the show, and so I am going to go and become a professor over at Boston University, and, hey, what do you know, a new group which is all about computing and data science and teaching people about, like, kind of approaching how we teach computing a little bit differently, also reaching out into other organizations, so, or, like, other majors, kind of, so that we can kind of leverage data science in things like journalism and give them kind of the formal teaching and that kind of stuff.
Yeah, so I am going forward, I am leaving you in the capable hands of our current guests and Randy. I'm sorry, I find, Mr. Twitter handle, but these are their Twitter handles, so you should find them on Twitter. You can also talk to me on Twitter still; I will still be there. I will still also be, my expectation is I will be heavily involved with Fedora. I also think, because Red Hat and BU, Boston University, sorry, have a very strong relationship, and so I continue, or I hope to continue, to work with Red Hat on a regular basis. I also find all of this quite confusing, because my son is also starting college. He is also going to BU, which is Bucknell University. Yeah. So it's like I got, I got BU, like, so you're moving from BU to BU to BU. Exactly. So I currently work in a BU, and I'm working, and then in about a week I will be taking my son to BU, and then I will be, you know, working at BU, and so, yeah, it's not confusing at all. So it is the 42nd episode. It has been an awesome run. I think it's been a lot of fun, and, yeah, I don't know, I'll miss you all. Hopefully I will still be around in the chat periodically. Maybe they will invite me back as a guest periodically. But that's our plan. Yeah, so Randy will be taking over the hosting duties. I will be in the background executive producing, producing as need be, and Scott and Jafar will be the OpenShift and RHEL experts du jour to talk about all the things that we come up with in the future. So next week, Langdon, you had something planned. So, yeah, so next week we are planning, or, you know, so, so these folks will be talking to the Crane team, which is part of Konveyor. So we had, for some reason I always want to call it Trackle.
I don't know why, but Tackle, a few weeks ago, and so there's this overarching thing about moving applications into containers called Konveyor. Tackle's a piece, Crane is another piece, and then there's a third piece that we thought would be good for the show, which would be in another, I want to say it's not, not for another month after that. But so Crane is, is next week. We actually were, are not having a show the following two weeks after that, because we already scheduled it, because that's when I was supposed to be taking the son to BU, and so it's kind of already set. So there'll be two weeks dark, sadly, but then you'll be back in action. Let's see. So we have the Crane show, it's on the 4th of August, sorry, and then back into action on the 25th. Yes. And, and that will be the, the whole new show. Yeah, but I'm not sure that we know, we don't 100% know, you know, the whole, like, people's calendars and stuff like that. We're not 100% sure what the 28th episode is going to be, or, I say 25th, sorry, looking at the calendar again, I'm very bad with dates, the 25th, the episode on the 25th, we're not entirely sure what that content is going to be, so watch the Twitters, where we announce that pretty regularly, or, you know, click like and subscribe, or join the streaming cal. And we had, I was very impressed, we had on my other show, we had Alana Huffman yesterday, and when I said that, she very conveniently pointed down. So, Scott, I'm a little disappointed. I thought you would, I thought you would help me out with the click like and subscribe. Yeah, so I will miss you all. I will miss doing the show, and I'm going to be doing it apparently more, like, live and in person, except about data science. Yes, starting in about three or four weeks. And this is a big deal for you, Langdon, personally, because your whole family is professors, really. Yeah, so you finally get to join the ranks, and, right, and wear your tweed jacket with the real elbow patches. Yes, exactly. Exactly.
So, well, I'm also, I'm really excited, because, like, this whole group that I'm joining is in place to try to, to try to bring more people into the fold in computing and data science, and, as you know, probably from watching the show, this is something that's important to both Chris and I. I'm sure it's important to Randy and Scott and Jafar, but you probably haven't heard that from them on our show. But, you know, I really want to see a lot fewer people who look like Chris and I, and, you know, or by percentage, I would like to see much higher percentages of everything else, because without perspectives, we can't make good software. Yeah. M. Roche wants to know if we can get your lectures, in-section sessions, streamed online. To a large extent, I'm hoping so, because I would really like, part of this, you know, this can be, this new faculty, it's called, it's like a college, but just interdisciplinary. I really would like everything that we do to be open source, but I can't make any promises yet, because I don't know there. Yeah, so, but that's my goal. Yes. So, Langdon, it's been an incredible ride with you.
I really appreciate, you know, doing this every, every week for the past 42 weeks. The, the amount of information I've learned from you over the year, year-plus, we've been working together is, I mean, I can't put it into words. So thank you very much for all, everything you've done for the channel, for me, for helping me learn things, so forth, so on. But, yes, we will be hacking away at all your stuff that you... Yes, yes, I, yeah, I very much appreciate it. You know, like, as many of you can guess, right, my, my stronger background is on the development side and on the Linux side, and so it's been really great to kind of take the perspective of, you know, a stronger, you know, somebody who's been a full-time sysadmin, you know, much deeper into OpenShift and Kubernetes than I have been. So I think it's been a really good learning journey, I hope, along the way, for the show, and I really hope, you know, bringing some new perspectives will really kind of take the show to the next level. You know, Scott might even know RHEL better than I do. I know Jafar knows OpenShift better than I do, you know, so, as, as evidenced by our slam to do the Kodi Awards a few months ago. It's been already said privately, but, yeah, I wanted to say publicly also, you, you're certainly gonna be missed, and it's been a shock, you know, and I heard not so long ago that you were leaving, but we can only be happy for you, because it's for the better. It's like something for your personal accomplishment, and there's no hard feelings with Red Hat.
So everything is, you know, on the best way for, for you at Red Hat, and we can only wish you the best for your new adventure, and certainly hope we're gonna have you come back and tell us about your, you know, your new life. And I just want, I just want you to come back and tell us, like, yeah, what you learned, like, immediately. Yeah. One of the things I've really been learning, because I've been teaching a couple of classes, like, kind of on the side, you know, for a while now, overview, is what I'm really starting to learn is how much more sophisticated teaching is than I quite realized. Like, you know, I thought it was basically just going into a room once a week and basically giving a talk, and it's not, like, it's, it's quite different, and, you know, and I'm starting to, like, grok the nuanced differences. And, and so, yeah, I, I look forward to coming back, you know, maybe in three or four years, and being an expert, you know, but, you know, in the near term, I'm hoping to do a good job, you know, as I, I hope, on the show. I think I'm a pretty good teacher already, and so I think, you know, I hope everyone has learned a lot from the show, and, like I said, I'm really looking forward to the change in perspective as you go forward with the show, and that, you know, there'll be even more stuff to learn, right? It'll cover a whole bunch of things that I'm just not that good at, and so I'm really excited to see it go forth. So let's, let's touch on, you know, Vipul's point real quick. Why can't you just trust the security structure of OpenShift to, you know, keep all your things safe? Scott, Jafar, any ideas why, you know, you patch CVEs, you update your... The same exact question with RHEL, too, right? I mean, like, insert product here. Like, shouldn't RHEL keep all my apps safe? We make pretty good software.
Yeah, but just like developers of their own stacks find things that maybe don't behave as they expect, the same things happen to Red Hat products as well. And then, Randy, you brought up a really good point about combos. Yeah, yeah, we have joint conditions. Okay, maybe under a particular snapshot in time, everything that's in this picture is, quote-unquote, secured, but maybe at some particular point there's the thing that you chose not to address in one part of the infrastructure, and then there's a vulnerability that opens up in another part, and it's now that joint condition, a low-probability condition, but nevertheless a joint condition, that can now be exploited. And that, I mean, that is a lot of the problem lately, where it's like a combo pattern. And the configuration of that combination, right, like, that's the other challenge, is that, you know, there's, there's an infinite number of ways to configure these things, and so you need to be conscious that, you know, there's literally no way anybody could do a test of the combinatorial result, right? Yeah, and so just to return to and nuance the question, or the, the phrasing: many, many people are trusting, actually, OpenShift and the other components, and it has a proven track record of being efficient, because if you look at very major security issues, like things, things like vertical that happened on the container landscape and that affected containers and Kubernetes distributions, etc., OpenShift was not exposed to that, because it was secured by default with all the enforcing we, we put on SELinux by default and stuff like that.
So we have a proven track record of, of securing the platform and having it be efficient, where other, maybe, distributions or other ecosystems didn't succeed as much, because of the secure-by-default standards that we have within the platform. But again, we can only test, you know, so many things within the platform. But if something that is running in your, in your containers has a security issue that has something to do with your application layers, or with one of the libraries that you are using within your container image, then it's not something that we are going to be able to prevent, because, you know, there's so many combinations that can happen. But yes, we have a very robust, very solid platform that you can trust, but, you know, you can always, the security issues happen on the edge. They happen, you know, on the far edge of the testing. They are, they don't happen in the, you know, your Gaussian curves, where there's the low probability of outcomes and conditions. They happen on the very, very far extremes of things that you, that can very rarely happen, but once they happen, then you have the security issue. So I was just gonna say, right, like, most attackers aren't like, oh, I know the central app, I'm going to get to it.
No, they're gonna find some other vulnerable piece of thing. Like, look at the Target hack, right? They hacked their way in through some gateway between, you know, the POS network and the HVAC network at one store, and that's how they, you know, broke into all of Target's stuff and made basically the entire United States embrace chip and PIN. It's those little intricate, little details that you may just overlook or not realize that are in place. Like, you will start at one place in your attack vector and you will end up where you want to be because of all the configuration or vulnerabilities that may lie within your infrastructure. So it's never like, oh, I want to hit, you know, the main bank's website. Like, they, they don't target that; they find other ways to get in, to get to the thing they want to. That's the biggest thing, right? Like, and, and to SELinux, you know, to that point, right? Like, with OpenShift and all the Kubernetes vulnerabilities that have come out over the years, SELinux has been the thing that's stopped most of those vulnerabilities in their, in their tracks, right? So that's another layer that's put on the cluster to protect you, but it's not all-encompassing protection, right? Like, that's something to keep in mind, that there could be some other vulnerability that somebody could exploit in your infrastructure to get inside your cluster. So I think you make a really good point there, is that, you know, one needs to remember that security is layers, right? Is that, you know, the reason you have a firewall is actually to act as a layer. You know, you should in theory be able to open it, have no firewall at all, because all of your software at each of your ports should in theory not be hackable, right? Yeah, however, but in layers. Schedule till 10:15. Yeah, let's see. It's back. Hi, everybody.
Hi, sorry about that, the Zoom just really dropped. Thank you for joining us today for this 42. We actually gave away the secret to how to have perfectly secure environments and applications, and there were too many companies out there that would lose, you know, their consulting work, and so they shut us down for a brief moment. Is that a conspiracy theory or a conspiracy fact? You know, that, that's a good point. I'm not sure I updated the streaming rig yesterday after that zero-day came out for Windows. Did it update itself, maybe? One other quick note I was gonna offer, and, you know, I crack about consultants a lot just because I was one for a long time. This is one of those places, security is one of those places, where, you know, you want somebody else to take a look at your stuff if you can. You know, because it's one of those, you know, just like why you have somebody edit, you know, or proofread your, your text, right? It can be really helpful to have somebody kind of review your, you know, security plans and things like that. You know, we talked about a bunch of, like, real specific examples, like pen testing and red team, and, you know, but there are organizations out there that can kind of provide you a third-party audit or a third-party review or whatever, and it can even be relatively casual. You know, obviously you want to have a bunch of NDA-type stuff in place, but it can be relatively casual in that it doesn't have to be, you know, from an on-high security audit kind of thing. But having somebody else take a look at your stuff is often a good idea, because it's really easy to miss things in a secure, when you're modeling security. Yes, so, thank you, Langdon, for your 42 episodes of awesomeness, and, and all the years you've spent here at Red Hat, and thank you to Randy and Scott and Jafar for trying to fill the void that you leave, right?
Like, it takes three people to fill one Langdon. Yeah, I mean, just, just to inflate your ego even more, like, three people replace you. Without further ado, I think it's time to sign off for now. Coming up next on the channel, we will have Andrew Sullivan, the OpenShift Admin Hour, or Ask an OpenShift Admin, I'm sorry, and we will be talking about, I forget, so I forgot to update this thing. So remember, next week is Crane on this show, Crane here, and, yeah, and we'll see y'all later. Yep. Thank you.