
Innovating without compromising security: WAX Conf 2024

July 17, 2024

The hacker's nightmare: an infrastructure with no secrets

In the world of cybersecurity, managing secrets is a real headache. Imagine a safe filled with passwords, API keys, and certificates... It's enough to make cybercriminals salivate! At WAX CONF 2024, Thibault Lengagne shared his journey toward a "Zero-Creds" (secret-free) infrastructure, where these precious treasures disappear as if by magic. Ready for the magic trick?

Background and Zero-Creds solution 

According to Verizon, 49% of cyberattacks exploit stolen secrets. Yes, your passwords and keys can be used long after they have been stolen, like an old movie that keeps getting rerun on TV. But what if we could build a world without long-term secrets, thereby reducing opportunities for hacking? Well, Thibault says it's possible!

He proposed a series of technological gadgets to rid us of these cumbersome secrets:

  • SSO (Single Sign-On) and OIDC (OpenID Connect) for centralized authentication without having to remember a thousand and one passwords. Just one is enough!
  • Cloud IAM (Identity and Access Management) and Workload Identity for highly secure and integrated identity and access management.
  • Vault credential brokering and Just-in-Time access for dynamic and temporary access management. Say goodbye to permanent passwords!

Mechanisms and tools for secret rotation

Rotate, rotate, that's the key! Thibault showed how to automate the rotation and management of secrets:

  • Vault to securely store your secrets and quietly distribute them to the applications that need them.
  • SOPS (Secrets OPerationS) to encrypt secrets directly in the source code, adding a layer of security that stays out of the way.
  • External Secrets for referencing the necessary secrets from a secret store, without any hassle.

Benefits of a zero-credentials approach

Switching to the Zero-Creds model is a bit like switching to light speed:

  • 60% reduction in the risk of attack. No more reselling stolen secrets, and hackers forced to leave traces! They're already crying about it.
  • Facilitating development. Less complexity, more fun! Your developers will thank you.
  • Enhanced compliance and security by design, with simplified access audits and more efficient emergency procedures. Everyone wins!

Limitations encountered? 

Okay, so not everything is rosy in the Zero-Creds world. There are challenges, especially with older apps that don't like new authentication systems such as SSO. But don't panic! Integrating technologies such as Boundary or specific adaptations for these IT dinosaurs can save the day.

By eliminating long-term secrets, we can secure our environments and simplify life for development teams. So, are you ready to say goodbye to secrets and turn a new page in the fight against cyberattacks? Let's go Zero-Creds!

 

Survival guide for a HA application on a shared Kubernetes cluster

Welcome to the dynamic world of observability and high availability! François Berthault shared his two years of exciting experiences with a homemade observability platform on a shared Kubernetes cluster. This survival guide is full of practical advice for maintaining top performance in a shared environment.

François' observability stack 

He started off strong by presenting his observability stack, the centerpiece of any self-respecting Kubernetes infrastructure:

  • Logs: Quickwit, Elastic, and Kibana are the champions for smooth and efficient event log management.
  • Metrics: Victoria Metrics, Prometheus, and Grafana Mimir rigorously monitor metrics, with alerts and precision monitoring.
  • Traces and APM: Tracing systems to track every request and identify even the smallest performance issues.

Profiling and stress testing: bulletproof

For rock-solid applications, François uses advanced profiling techniques:

  • Stress testing with k6 and chaos engineering via Chaoskube and Litmus, to test resilience by saturating resources such as disks and RAM.
  • Kyverno for Static Application Security Testing (SAST) on Kubernetes manifests, ensuring proactive security.

Mastering resource management

In a shared cluster, resource management is crucial. Here's how to do it:

  • Pod evictions: Analysis of evictions to optimize application stability.
  • Memory and CPU limits: Strict limits to ensure balanced resource allocation and avoid contention.
  • Quality of Service (QoS): QoS policies to prioritize critical workloads and ensure optimal performance.

Smooth deployments like never before

François has pro tips for smooth deployments:

  • Canary releases and blue-green deployments: for stress-free testing of new versions in production.
  • KEDA for the Horizontal Pod Autoscaler (HPA): using custom metrics for dynamic scalability based on actual application performance.

Dynamic adjustments and Kubernetes API

He also explores cutting-edge solutions for top-notch resource management:

  • Vertical Pod Autoscaler (VPA): With an "InPlace" resizing policy, resources are adjusted without restarting the pods.
  • Kubernetes API: Integrated monitoring of CPU and RAM metrics for responsive and accurate workload management.

Conclusion: toward proactive observability

In conclusion, he emphasizes the importance of observability and proactive management in shared Kubernetes environments. Observe, investigate, understand, implement, and share: this cycle helps maintain optimal performance and availability, while contributing to the continuous evolution of the Kubernetes ecosystem. With this survival guide, you are ready to face future challenges with confidence and expertise!

 

CI/CD Pipeline Check-Up: Towards an Ideal Pipeline

Thomas Boni invites us to explore the development and optimization of CI/CD pipelines, emphasizing the importance of functionality, security, maintainability, and observability. This journey is marked by proven strategies, common mistakes, and valuable lessons.

Fundamentals of CI/CD

Thomas reviews the basic principles of CI/CD, which are crucial for understanding the challenges and objectives of pipeline optimization. Continuous Integration/Continuous Deployment is essential for automating testing, integration, and application deployment.

Feedback

One relevant piece of field feedback (REX) concerned the implementation of a CI/CD pipeline for a client. Creating a .gitlab-ci.yml file seems simple on the surface, but it requires a deep understanding of many aspects:

  • Learning the syntax specific to the tool.
  • Identifying the tasks that can be automated without human intervention.
  • Selecting appropriate tools and images.
  • Testing the jobs and assuring the quality of their results.

Audits and common errors 

Thomas emphasized the importance of auditing pipelines to identify security flaws and suboptimal practices, such as:

  1. Copying and pasting the same pipeline code into multiple projects without adequate documentation.
  2. Inappropriate response to critical vulnerabilities (e.g., commenting out the CI job instead of resolving the issue).
  3. Inadequate authentication management, such as exposing tokens in configuration files.
  4. Careless use of new dependencies, opting for unverified and potentially dangerous Docker images.

To address these challenges, Thomas proposed several strategies:

  • Creating centralized, versioned, documented, and configurable templates for different languages and frameworks.
  • Using CI/CD variables or, ideally, an external secret management service to secure access to and use of sensitive information.
  • Establishing a registry whitelist to ensure that only verified and secure images are used.
  • Simplified workflows and accurate version referencing for all external dependencies.
  • Regular audits of pipelines to maintain security and performance standards.
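As an added illustration of the audit findings and the counter-measures listed above (constructed here, not code from the talk or from R2DevOps), the same GitLab CI job is shown as it is often found, then reshaped; the template project path, registry and Vault hostnames, Vault role and the image digest are placeholders.

```yaml
# Added example: two alternative .gitlab-ci.yml files separated by "---".
# Every hostname, token, project path and digest below is a constructed placeholder.

# --- BEFORE: the audit findings in one job -----------------------------------
variables:
  REGISTRY_TOKEN: "glpat-PLACEHOLDER-DO-NOT-COMMIT"   # long-lived secret committed with the code,
                                                      # readable by anyone with repository access
deploy:
  image: docker:latest                                # floating tag: contents change without notice
  script:
    - curl -sSL https://example.com/get-tool.sh | sh  # unverified dependency pulled at run time
    - docker login -u deployer -p "$REGISTRY_TOKEN" registry.example.com
    - docker build -t registry.example.com/app:latest .
    - docker push registry.example.com/app:latest     # mutable tag: no way to tell what was deployed
---
# --- AFTER: centralized template, broker-issued secret, pinned and allow-listed image ---
include:
  - project: "platform/ci-templates"                  # one versioned, documented template project
    ref: "v2.3.0"                                     # pin the template version, never a branch
    file: "/templates/docker-build.yml"
deploy:
  # Image comes from the internal allow-listed registry and is pinned by digest,
  # so a re-tagged upstream image cannot slip into the pipeline unnoticed.
  image: "registry.internal.example/tools/docker:24.0.7@sha256:<digest-placeholder>"
  id_tokens:
    VAULT_ID_TOKEN:                                   # short-lived OIDC token minted per job by GitLab
      aud: "https://vault.internal.example"
  script:
    # Exchange the job's OIDC token for a short-lived Vault token (Vault JWT auth method),
    # then fetch the registry credential from Vault: nothing long-lived lives in the repository.
    - export VAULT_ADDR="https://vault.internal.example"
    - export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=ci-deploy jwt="$VAULT_ID_TOKEN")"
    - vault kv get -field=password secret/ci/registry | docker login -u deployer --password-stdin registry.internal.example
    - docker build -t "registry.internal.example/app:${CI_COMMIT_SHA}" .   # immutable tag per commit
    - docker push "registry.internal.example/app:${CI_COMMIT_SHA}"
```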

 

In conclusion, Thomas presents the R2DevOps tool, designed to help teams adhere to security and performance best practices in their CI/CD pipelines. He also mentions essential resources such as the OWASP Top Ten CI/CD Security Risks, CIS Benchmarks, NIS2 guidelines, and SLSA standards to guide future developments.

This presentation provided us with valuable insights into the challenges and solutions involved in optimizing CI/CD pipelines. By following its advice and implementing the best practices proposed, organizations can not only improve the efficiency of their pipelines but also significantly enhance their security.

 

Managing Kubernetes clusters without the Internet: strategies and tools

Christophe Jauffret addressed a common but complex challenge: operating Kubernetes clusters in environments with limited or no internet access. This situation is common in enterprise contexts where security and regulatory compliance dictate severe restrictions on network connectivity.

In many companies, Internet access is not a given. Constraints such as firewalls, proxies, DMZs, and ACLs create an environment where every network resource must be carefully planned and justified. Hence the importance of adapting tools and practices to ensure effective management of Kubernetes clusters under these conditions.

Tools and strategies for managing without the Internet

During his presentation, Christophe introduced several solutions and tools to facilitate the management of Kubernetes clusters without a direct internet connection:

  • Container Runtime and Registry: Adapt container runtimes and use internal registries to manage images and configurations locally.
  • Crane and Skopeo: Use tools such as Crane to check where images are stored and avoid issues related to using CDNs. Skopeo can be used to synchronize public Docker registries with an internal registry, facilitating image management in an air-gapped environment.
  • Policy Management with Kyverno: Configure Kyverno to validate and modify requests in real time, and to automate policy management, including redirecting requests to local registries.
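As an added example (written for this summary, not a policy from the talk), here is one Kyverno ClusterPolicy that implements the last bullet: images naming a public registry are rewritten to the internal mirror at admission time, and anything still pointing elsewhere is rejected, which is also the registry whitelist idea from the CI/CD talk above. The hostname registry.internal.example is an assumption standing in for the Harbor endpoint.

```yaml
# Added example (not from the talk). Two rules in one Kyverno ClusterPolicy for an
# air-gapped cluster. Kubernetes runs mutating admission before validating admission,
# so rule 1 rewrites the image first and rule 2 checks the result.
# "registry.internal.example" is an assumed hostname: replace it with your mirror.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: airgap-image-registry
spec:
  validationFailureAction: Enforce   # use Audit while the mirror is being populated
  background: false                  # required because the mutate rule reads request.object
  rules:
    # Rule 1: "docker.io/library/nginx:1.25" becomes "registry.internal.example/library/nginx:1.25".
    # The regex only matches a leading path component that looks like a registry host
    # (it contains "." or ":" and ends with "/"), so a bare "nginx:1.25" is left as is
    # and then refused by rule 2: write image references with an explicit registry.
    - name: redirect-public-registries
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        foreach:
          - list: "request.object.spec.containers"
            patchStrategicMerge:
              spec:
                containers:
                  - name: "{{ element.name }}"
                    image: "{{ regex_replace_all_literal('^[^/]*[.:][^/]*/', '{{ element.image }}', 'registry.internal.example/') }}"
    # Rule 2: whatever survives mutation must come from the internal registry,
    # for init containers (optional field, hence the =() anchor) as well as containers.
    - name: require-internal-registry
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Air-gapped cluster: images must be pulled from registry.internal.example."
        pattern:
          spec:
            =(initContainers):
              - image: "registry.internal.example/*"
            containers:
              - image: "registry.internal.example/*"
```

Pair the policy with a Skopeo sync job that populates the mirror, otherwise the rewritten image references will fail to pull.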

Security and compliance

Security rules are crucial in these restricted environments:

  • Destination filtering and network proxies: Establish strict rules for destination filtering and configure proxies at the container runtime level to ensure secure and controlled communication.
  • Authentication and DMZ: Implement authentication policies for users and configure demilitarized zones to protect internal networks.

Practical examples

Christophe shared several examples of how these tools and strategies have been implemented:

  • Harbor: Use Harbor as a local registry to manage container images in an air-gapped environment, enabling efficient and secure synchronization of the necessary images.
  • Image streaming with stargz-snapshotter: For large Docker images, using techniques such as multipart streaming with stargz-snapshotter significantly reduces image download times, optimizing performance in bandwidth-limited environments.

Managing Kubernetes clusters without direct Internet access is complex but manageable with the right strategies and tools. The solutions presented by Christophe Jauffret offer practical ways to overcome security, compliance, and performance challenges in highly restricted environments.

 

VM or Bare Metal: Where should you run your Kubernetes workloads?

Advantages and disadvantages of VM and Bare Metal

Performance:

  • Bare Metal: Generally offers better overall performance because there is no hypervisor consuming resources. This is particularly advantageous for resource-intensive applications.
  • VM: May offer slightly reduced performance due to hypervisor overhead, but allows for greater flexibility and efficiency in resource management.

Scaling:

  • Bare Metal: Scaling can be more expensive and time-consuming, as it often requires the purchase of additional hardware and manual configuration.
  • VM: Enables faster and more flexible scaling by quickly creating new VM instances without the need for immediate hardware investment.

Cost:

  • According to a study by Principled Technologies for VMware, although the use of VMs involves additional costs due to the hypervisor, it can also enable resource consolidation, reducing the number of physical servers required, as well as the costs associated with maintenance and hosting.

Security:

  • Bare Metal: Fewer software layers potentially means fewer attack vectors, but it can also mean fewer segmentation options.
  • VM: Offers better opportunities for workload segregation. Virtual separation of clusters can reduce the impact of a CVE (Common Vulnerabilities and Exposures) by limiting risks to specific VM instances rather than the entire physical server.

Day-to-day management

  • Maintenance and Continuous Operations (MCO): VMs can offer simplified management through hypervisor management tools, enabling firmware updates and security patches without disrupting the entire system.
  • Kubernetes Cluster Deployment: VMs enable faster cluster deployment by allowing configurations to be duplicated and new instances to be deployed without physical intervention.

 

Gauthier Leblanc concludes that the choice between VM and Bare Metal for Kubernetes largely depends on the specific needs of the company in terms of performance, cost, security, and management. VMs offer flexibility, ease of management, and better isolation for security, while Bare Metal may be preferable for applications requiring the highest performance. The final decision should be guided by a careful assessment of specific needs and the results of tests specific to the environment and workloads under consideration.

 

Conclusion

As we draw the curtain on this edition of WAX, the ideas and innovations shared continue to resonate, preparing us to boldly tackle the technological challenges ahead. These conferences invite us to reflect deeply:

How can we continue to innovate while ensuring security and performance in a world where threats evolve as rapidly as technologies?

As we look ahead to the next chapters in our industry, let's remain committed to turning these challenges into new frontiers of opportunity.

A big thank you to the Girls and Boys of Tech team for their impeccable organization. Congratulations on this memorable and enriching event!

 

Lionel GAIROARD

DevSecOps Practice Leader
