Suzanne: ...also amazing. It's, like... no, really, it's five twenty-five, it's late and you're all here, so give it up for yourselves for still being awake. Come on! At least I'm excited about it. So to start off I have a question: how many of you are developers or call yourselves engineers? Okay, good. So when you are working in any day-to-day scenario, you're deploying a new application or you're trying to do some Azure work, how many tabs on average do you have open? Is it 10 or more? 20 or more? 40 or more? No way. Okay, so you've come to the right session, because we are going to talk about a developer portal called Backstage and how you can leverage it by creating a plugin. We'll also talk about Kubernetes security, of course, because we have ARMO in the house. So yeah, we're going to combine those things. That's hard, but we will do that.

So let me introduce myself. I am Suzanne Daniels. I work at a company called Port; we have a developer portal. I come from the Netherlands, actually from the lowest part of the Netherlands, and I live on a dyke above it, so I can just look down like 10 meters below me. It's more than 6 meters below sea level, which is weird, because it's basically underwater here. Anyway, I like snowboarding, but I like even more talking about developer experience and how you can improve it, thus I talk about developer portals a lot.

Rotem: And I am Rotem Refael. I'm director of engineering at ARMO. I have tons of years of developing, like really into the details, and in the past few years I'm into Kubernetes and Kubernetes security, in my role of course. A fun fact: I practice yoga a lot, and I really like to watch my basketball team. You know, it's weird, I'm a woman and I'm watching basketball, but I'm going to court... they have a game in half an hour, so I hope we'll finish by then. Those are my favorite things that I am doing. So, without further ado...

Suzanne: Yeah, there's also some overlap, by the way. Well, you practice yoga and probably lie on the floor a lot; me doing snowboarding is practically the same. But anyway. Well, you can probably tell I'm old. I started doing software development many, many years ago, and back then it was fun, just as it is now; it was just a lot simpler. I had an application which was a monolith. We had to know everything to extend it. There were just a few programming languages available that you could actually use to build modern applications. "Modern": you needed to build basically everything yourself, there were not many frameworks around, and life was good. We had to do complex things to solve simple problems. So much different from how it is today, because if you look at modern-day software development, it is quite complex. We are talking about microservices, of course; we all love microservices here. And to build one single application you need a lot more expertise, different expertise, you need a lot more different types of technologies, because there are so many platforms you need to run your software on, so many platforms you need to be able to use the software on. There are all these things that we like to do to extend the functionality in our application: we need APIs, we need back-end applications, we need data, you know, basically everything. GPT, anyone? It takes a whole village to build an application and to run it. So we solve very complex problems nowadays, and for solving those complex problems we need all that. But to be able to do the software development we also need a lot of tooling. I didn't know this landscape chart; probably it has exploded in the past few years, and the reason is that we need to have technology to help us develop software. So it is quite complex, and you need a lot of tooling to be able to build and run and do observability. So that's a lot to juggle around with, right? So if you deploy an application, chances are that... well, I think that with the 40 tabs I should have asked 80; I hope that then the hands go down. But you need to open all those tabs, you need to context-switch all the time, and that is problematic, because it takes away the focus from what you actually try to do: solving problems. So when you are actually sitting behind your computer you want to write code, and you do not want to click through various portals, because everybody has a solution with a great portal, and you like juggling them around in the tabs... not that good.

So to overcome all these modern problems we try to figure out new things, we try to organize ourselves, we create movements: we do DevOps, we automate things so we can deploy faster. Then we say, oh, we are deploying so fast, but we also need to operate it and we need to make sure that everything is running, and we need SREs. And then the latest buzzword is platform engineering, which I think is, you know, we need the full thing, and that's good, but it's not the only solution. Because you can build a platform, you can automate it, you can get all the tooling, put in all the tooling that you need for your security, for your observability, but at the end of the day you're all shifting right, deploying faster, but all the other things come shifting left. So one way to solve that is by... oh yeah, I figured, let's put all the buzzwords on there and let's combine them, because this is the day-to-day reality: you're not only doing the DevOps, you're doing the FinOps, the MLOps. But let me go to a solution, and that is an internal developer portal. An internal developer portal is there not to replace all the tooling that you have, not to be a single source of truth; it is there to grab all those different tools, take out the most essential information that you need, and put that into one place. If you have platform engineering and you have that button, the tool that you can use to deploy environments, or you have an SRE tool, you want to create self-service for that; you want to empower the people to actually use the technology. In such a portal you would combine all that. So when you talk about a developer portal, people would expect a catalog where you can find all the services, you would expect self-service, you might expect documentation, everything that you need to be collaborative with each other, and you add to that all those different tools that you have and give the insights, so that people will eventually switch to some tool, but they don't need to; they will only do it when they actually need the tool, not when they want to see if something's green or red.

So let's talk Backstage. Backstage is an open platform for creating your developer portal. Open in the sense of open source: it's a CNCF project, and a very great one. Platform in the sense that it is extensible. One of the reasons that Backstage is so successful is that when you actually deploy Backstage in your organization, you can extend the functionality using plugins. So for every tool that you have you would use a plugin, and you would implement that, and then you can enjoy the benefits of a developer portal. It is open: you can ingest anything that you have into your catalog and create the user experience, the developer experience, that you need, that you want. Now, if there's a plugin or some specific data that you have, company data or something very specific, you can also create your own plugins, and that is actually a great way, when you've implemented the developer portal and you want to drive the adoption: when people can get the ownership and feel the ownership and have the ownership of the portal, it is a better thing, because you collaborate on the same thing. It's an inner-source movement that you're creating, actually, and that is the reason why Backstage was so successful at Spotify. And luckily they decided to open-source it, so you can all benefit from the knowledge of thousands and thousands of developers around the world. There are over a thousand companies who adopted Backstage, so you don't have to write every plugin yourself. As you can see, there are a lot of them available just on the website. You can go there, you can download them, you can install them, you can modify them, of course, because everything is open source.

So there are different types of plugins. One of the most common ones is the front-end plugin. It is a plugin which you would create when you have some data and you want to display it in your portal. That sounds simple, but it is so effective, because it takes away the context switching for the developers. But you can also add more functionality to that, and for that you would also create a back-end plugin. So if you have some logic that needs to be in there, you can do that, you can add storage, and you can expand it in that way. So building your own plugin is a very, very fun thing to do, because you immediately have the success; you immediately can add value with your developer portal. Now I can talk a lot about writing your plugin, but I know for a fact that there is this company who had (and this is very common, by the way) a hackathon, and during the hackathon they decided, hey, we have this open-source tool, why don't we just write a Backstage plugin for our open-source tool? And so they did. We were at the conference and we were talking about this, that they were going to do it. It was, I think, just November or something like that, and now we're done. And we decided, well, whenever you're successful with the plugin, let me know, let's do a talk together.

Rotem: Yeah, and here we are. So let's switch to a very good example of how you can secure anything with this plugin and with Kubescape. I know that security talks are very frightening, and I don't want to scare you, but look at what Gartner says: that by 2025, 99% of your clusters will have at least one misconfiguration inside. Those are really scary numbers, and we don't want to go there. We're all here to make it all easy, to make it all work, to make it all secure. So
what we're going to do is talk about, you know, shift left. How do you know this phrase? Well, I know this phrase very well; I'm talking about it a lot. But the thing is that we're all talking about it, but how do you make this thing practical? How do you really implement this shifting-left security? Developers, as Suzanne said, are really rapidly developing everything to the right, very, very rapidly; the CI/CD pipeline makes it so. And in security, well, we stay behind, and we need to shift it left, and we really need to know ahead of time. So, Kubernetes security, because we need to secure a cluster. I heard some people tell me, when I was at the other company, "oh, I'm going to move from VMs to Kubernetes, I'm secure now". Well, you know the answer.

So what we're doing is we're using Kubescape. We actually created Kubescape, which is an open-source solution, a CNCF sandbox project, for detecting misconfigurations and vulnerabilities, and also giving you a very nice picture of RBAC misconfigurations. With this we actually make the life of the DevOps really easier, because we are standing across the pipe from the code to the cluster itself, and we're saying, hey, we're shifting left. So what do we need to do? I'll tell you a little bit about Kubescape and what we're doing with it. We have over 150, even I think now it's already 200 tests, which we call controls, for misconfiguration. We have those frameworks that you know, CIS, MITRE ATT&CK and the NSA, and we just took all those non-automated, manual tests and made them automatic, so you can check your cluster with all those frameworks and controls. Basically what we did is have a YAML, a Helm chart, a Kubernetes object and repositories as an input to Kubescape and the control library, written in Rego for OPA. The output is really nice, because we need to be integrated with a lot of subsystems, so you can have it as a CLI, and you can have it as XML and JSON and other different file types, and you can have it in our ARMO platform, which is a SaaS environment, and you can have it as a Lens integration and in Prometheus, and lately we do have it as... yeah, we created this Backstage plugin for Kubescape, which is another output for what we're scanning inside the cluster.

So this is how the CLI looks. You see we're scanning; it's a bit tiny, I'm sorry, but you can see we're scanning the NSA framework, for example, and then you can see here the table of what the control, the test, is, what the risk that you're getting is, how many resources we scanned, how many failed, and what the risk score is eventually. We're doing it for all the frameworks that I just mentioned. And here is what happened back and forth... okay. So that's the ARMO platform, the SaaS version of Kubescape, where we're seeing the dashboard, the compliance, the vulnerabilities, the RBAC as a graph, and you can watch it as well. But we're here not just for that, because that's awesome, that's my team, but we are here for the hackathon. As Suzanne mentioned, we had a hackathon, like a few months ago I think, and there was a developer who said, listen, I know this Backstage thing and developer portals that have become a real thing lately, so let's make an initiative in this hackathon of building a plugin for Backstage. I told him, "Backstage? What?" So let's try that, but we need to learn about it. It took us two days, just two days, to build a Backstage plugin; I'll show you in one minute. That is a major thing, because that says that building a plugin is not an issue. It's not taking a long time; it's really straightforward, and you can all integrate it with your application, or just get some other plugins, as Suzanne mentioned before.

So here is the Backstage Kubescape plugin. The first thing we're doing is creating an account: writing the account name, clicking on "create one", and just copy-pasting this Helm command to your cluster in order to run the Helm chart for scanning for misconfigurations, vulnerabilities, etc. And then, okay, look what we got: we have here all the failed controls, all the failed tests that we found in your cluster. We have some... "not a container", Linux hardening... I can't scroll down, but that's what we're getting: about 200 controls with their statuses. So we have the status, we have the name, we have the failed resources that I'll drill down into in a minute, we have the description and the remediation, like how to fix it. Backstage also gives us the filters. Okay, so we have this filter, which is a built-in Backstage capability, which is really nice, so you can filter by all those columns, and we have another rescan button above, so you can rescan your cluster, although it's a cron job that will rescan your cluster every day. Of course you can adapt it, or you can just rescan according to what you want. So that is the configuration scanning. And that's the slide... okay, another one. So we talked about the resources: I clicked on this row and I see the resources that have failed for a certain reason. It can be a resource limit, it can be a privileged pod, it can be naked pods, as we call it, you know, pods without any fathers. We can see here all the resources that fail. But okay, great, you gave me all the resources that fail; how do I fix those? So we're not just giving the remediation, we're also giving the fix button that you see right here, and when clicking it we see this page, where you can see exactly what line you need to fix or add, what is missing in your object. If it's a YAML, then you can see it right here; it's a Kubernetes object, of course, and we are just putting in all the lines that are problematic, and you can check that out right here. So that's the first part, compliance. The second part is the vulnerabilities, where you can see the vulnerability and basically the image, the workload that failed on specific CVEs, and you can see it all across here, and what the severities of those CVEs are. I must say, we're getting to... you see that right in your clusters and you're overwhelmed most of the time. How many CVEs do you have in your clusters? 10,000? I have my minikube and I have over a hundred.

So what we're now doing is adding a new killer feature. Okay, it'll be out next week in a beta version, and I really wanted to announce it today. It's called relevancy. What does it do, actually? All those vulnerabilities that we're seeing here and CVEs are interesting, but it's not really interesting, because there are a lot of packages that are not getting into the memory. So we are checking exactly what's in your memory; we're using Falco for that, and we're checking exactly what's going on in your memory, and basically we are narrowing the list. I can tell you, we tested it in our production cluster: 20% was relevant, not all critical, just relevant, can be low, can be medium. All the 80% left is not relevant; you don't need to mess with it. So next week, hopefully, a beta version is out; you can register and just check that out. Of course, it will also be here in the Kubescape plugin for Backstage.

So, some final thoughts. Developer portals are our new best friends. We don't want 40 tabs open; we really want a simple place to have it all, and given that, we need to have their security, we need to have it all: the plugins that Suzanne showed before, and also, you know, we're always shifting right with developing, and now we need to shift left. I know most of us really don't like security; it's something that I need the DevSecOps to do, no, no, no, it's my CISO's responsibility, and then my CISO calls me, and then the developer, and we need to update the package. This thing makes it easy, makes it visual, makes it visible to everyone, and you don't need to be an expert to understand that. So... we really thank you for being here with us today, and I think that's time for questions.
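Added illustration (editor's example; it is not part of the talk and is not taken from Kubescape's own control library): Rotem describes Kubescape's controls as Rego rules evaluated by OPA over Kubernetes objects, YAML or Helm output. The stand-alone Rego policy below shows that shape for two of the checks she names, a privileged container and a "naked" pod with no controller owner, and carries its own constructed Pod objects as OPA test inputs. The package name, rule names and the sample pods are assumptions made for this example.

```rego
# Editor's example, not Kubescape's control library. Package name is an assumption.
package example.pod_controls

import rego.v1

# Control 1: a container that asks for privileged mode gets the host's full
# capability set, so flag every container whose securityContext sets it.
deny contains msg if {
	input.kind == "Pod"
	some container in input.spec.containers
	container.securityContext.privileged == true
	msg := sprintf("container %q in pod %q runs privileged", [container.name, input.metadata.name])
}

# Control 2: a "naked" pod, i.e. a Pod object with no ownerReferences, is not
# managed by any controller, so it is neither rescheduled nor rolled out as a unit.
# object.get covers both a missing key and an empty list.
deny contains msg if {
	input.kind == "Pod"
	count(object.get(input.metadata, "ownerReferences", [])) == 0
	msg := sprintf("pod %q has no controller owner (naked pod)", [input.metadata.name])
}

# Constructed test input: privileged and unowned, so both controls should fail it.
test_privileged_naked_pod_fails_both if {
	pod := {
		"kind": "Pod",
		"metadata": {"name": "debug-shell"},
		"spec": {"containers": [{
			"name": "shell",
			"image": "busybox",
			"securityContext": {"privileged": true}
		}]}
	}
	count(deny) == 2 with input as pod
}

# Constructed test input: owned by a ReplicaSet and unprivileged, so nothing fires.
test_managed_unprivileged_pod_passes if {
	pod := {
		"kind": "Pod",
		"metadata": {
			"name": "web-7d9f",
			"ownerReferences": [{"kind": "ReplicaSet", "name": "web-7d9f"}]
		},
		"spec": {"containers": [{
			"name": "web",
			"image": "nginx",
			"securityContext": {"privileged": false}
		}]}
	}
	count(deny) == 0 with input as pod
}
```

Save it as `pod_controls.rego` and run `opa test -v .` to execute the two embedded tests; `opa eval -i pod.json -d pod_controls.rego 'data.example.pod_controls.deny'` evaluates the same controls against a real Pod manifest exported with `kubectl get pod NAME -o json`. The `import rego.v1` line needs OPA 0.59 or newer; on older OPA, drop the import and write the rules as `deny[msg] { ... }`.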