managing dependencies and runtime security
play

Managing Dependencies and Runtime Security ActiveState Deminar - PowerPoint PPT Presentation

Mar 02, 2023 •247 likes •727 views

Managing Dependencies and Runtime Security ActiveState Deminar Managing Dependencies and Runtime Security About ActiveState Track-record: 97% of Fortune 1000, 20+ years open source Polyglot: 5 languages - Python, Perl, Tcl, Go, Ruby

  1. Managing Dependencies and Runtime Security ActiveState Deminar

  2. Managing Dependencies and Runtime Security About ActiveState Track-record: 97% of Fortune 1000, 20+ years open source ● Polyglot: 5 languages - Python, Perl, Tcl, Go, Ruby ● Runtime Focus: concept to development to production ●

  3. Managing Dependencies and Runtime Security Welcome Pete Garcin, Developer Advocate, ActiveState (@rawktron)

  4. Managing Dependencies and Runtime Security Overview Managing Project Dependencies ● Pip/requirements ○ ActivePython ○ Virtual Environments ● PipEnv ○ Runtime Security ● Q&A ●

  5. Managing Dependencies and Runtime Security Configuring Dev Environment git clone https://github.com/ActiveState/activedeminar

  6. Managing Dependencies and Runtime Security Your dependency tree:

  7. Managing Dependencies and Runtime Security Managing Deps Vendored Deps ● Advantages: guaranteed security, compatibility, stability, ○ availability Disadvantages: larger repo, you have to manually ○ maintain - could be out of date, conflicts with system installs

  8. Managing Dependencies and Runtime Security Managing Deps Requirements.txt/Pipfile ● Have to ‘install’ and build from a repo BUT you don’t ○ have to maintain the code and ship it yourself You need to pin versions to prevent bleeding edge ○ Use a virtualenv for isolation ○

  9. Managing Dependencies and Runtime Security Managing Deps Pre-built distributions ● No discipline approach ○ Most popular packages already pre-built, tested, and ○ included in your distro, quarterly updates As the standard install across a large org or team can ○ work well Not updated frequently ○ Not customized to your needs ○ Overall may not fit your use case ○

  10. Managing Dependencies and Runtime Security Vendoring Deps in Python Requires a virtualenv to prevent conflicts ● May involve generating your own wheels for local pip servers ● Not widely used ● Higher maintenance overhead ● Can be good/necessary if you have custom patches ●

  11. Managing Dependencies and Runtime Security Creating requirements.txt Can use “pip freeze” but this gives us everything in our ● system environment. Let’s use pipreqs: ● ○ https://github.com/bndr/pipreqs ○ pip3 install pipreqs ○ pipreqs .

  12. Managing Dependencies and Runtime Security Pinning Versions Pinning means forcing a specific version to be installed ● Why? Reproducible builds. ● Syntax: ● Framework==0.9.4 ○ Library>=0.2 ○

  13. Managing Dependencies and Runtime Security Reproducible Builds Guarantee the exact same build in two locations ● Ensure you have the same versions of every package ● Requires a lockfile, or a “pip freeze” ●

  14. Managing Dependencies and Runtime Security Virtual Environments A Virtual Environment is a self-contained, sandboxed ● environment -- just for your app. It only has the packages you specify and they are totally ● distinct from the system installed ones.

  15. Managing Dependencies and Runtime Security Virtual Environments Complex but critical for app deployment, development. ● Can use ‘virtualenv’ to create and manage them but there ● is a new tool combining pip and virtualenv.

  16. Managing Dependencies and Runtime Security PipEnv Enter PipEnv: New “Community Standard” application ● combines Pip/virtualenv and extends their functionality in a single app. Let’s install it here: ● https://github.com/pypa/pipenv ○ pip3 install pipenv You can initialize a clean environment, Python 3: ● pipenv -three

  17. Managing Dependencies and Runtime Security Generating Pipfile We can generate a pipfile from our HANDY TIP ● requirements.txt using the following We can generate a virtualenv of command: ActivePython using: pipenv pipenv install --python="/home/para llels/AP36/bin/pytho n3" --site-packages install

  18. Managing Dependencies and Runtime Security Generating Pipfile [[source]] url = "https://pypi.python.org/simple" verify_ssl = true name = "pypi" [packages] numpy = "==1.14.3" tensorflow = "==1.8.0" Flask = "==1.0.1" [dev-packages] [requires] python_version = "3.6"

  19. Managing Dependencies and Runtime Security Generating Pipfile.lock Generate a lockfile that contains the fully resolved dep ● tree for our project: pipenv lock Required for a deterministic build. ● Warning : could fail to resolve a dependency conflict! ●

  20. Managing Dependencies and Runtime Security Install all Dependencies Let’s spawn a shell inside our virtualenv: ● pipenv shell The “sync” command will install everything in the .lock ● file: pipenv sync

  21. Managing Dependencies and Runtime Security Project Complete We now have a project that has: ● A virtualenv created for it distinct from our system install ○ A pipfile that defines all the deps for our project generated ○ from our requirements.txt A lockfile that is a fully resolved version of all deps for this ○ project. All deps installed for our project in that virtualenv ○ Our project ready to go! ○

  22. Managing Dependencies and Runtime Security Running Project Remember to spawn a shell inside our virtualenv: ● pipenv shell We can deploy our flask server using this command: ● python3 app.py

  23. Managing Dependencies and Runtime Security Verify it works Let’s check that our service is running: ● curl http://localhost:8000?file=./mypoodle.jpg

  24. Success!

  25. Managing Dependencies and Runtime Security Packaging and Distribution Further topics: ● Generating a setup.py ○ Generating a docker image ○

  26. Managing Dependencies and Runtime Security Installing ActivePython Easy option: Install ActivePython ● (includes everything we need) https://www.activestate.com/act ● ivepython/downloads

  27. Managing Dependencies and Runtime Security Future Platform Support What if we could reduce ALL of what we just did to a single command?

  28. Managing Dependencies and Runtime Security Future Platform Support Working to streamline and simplify this process. ● Tight integration and compatibility with community tools is ● key. Share your pain points working with dependency ● management and environment configuration: peteg@activestate.com ○

  29. Managing Dependencies and Runtime Security Future Platform Support Dependency Resolution. ● Reproducible Builds. ● Customized Builds/Environments. ● “One click” Environment Configuration. ● ● https://start.activestate.com/platform-home/

  30. Managing Dependencies and Runtime Security Platform: Runtime Security Available now: https://www.activestate.com/platform ●

  31. Managing Dependencies and Runtime Security Platform: Runtime Security

  32. Managing Dependencies and Runtime Security Platform: Runtime Security Questions to consider: ● What do we do when there are security vulnerabilities ○ in one of your dependencies? How many times have you had an application ○ deployed that sits live on the production server but might not be updated frequently? It was secure when you built it, but is it still secure? ○

  33. Managing Dependencies and Runtime Security Platform: Runtime Security As one component of the evolving ActiveState Platform, ● our security and compliance plugin for Python can give you zero discipline runtime security checks on your applications. Let’s take a look at how we configure that and what kind ● of results it can give us.

  34. Managing Dependencies and Runtime Security Platform: Signing In Step 1 : The first thing we need to do is sign into for the ● ActiveState Platform. Get there by going to platform.activestate.com. We’ve pre-created some credentials to use. They’re ○ shared in the README: User : asguest ■ Pass : asdeminar ■

  35. Managing Dependencies and Runtime Security Platform: Dashboard Tour Let’s take a walk through the dashboard... ●

  36. Managing Dependencies and Runtime Security Platform: Installing Plugin The first thing we need to do is install the interpreter plugin. ● This language extension hooks directly into your python interpreter. There’s no extra code in your program -- it will just hook in and work invisibly.

  37. Managing Dependencies and Runtime Security Platform: Installing Plugin Once we’ve downloaded, we need to install it: ● pipenv install ActiveState-SecurityScanner-0.5.5.tar.gz ...or... ● pipenv shell pip3 install ActiveState-SecurityScanner-0.5.5.tar.gz

  38. Managing Dependencies and Runtime Security Platform: Creating an Identity Next, we’ll need to create an identity for our project. We use ● an identity to encapsulate any connected set of similar functionality, a project, a series of related services, something like that. So let’s create one.

  39. Managing Dependencies and Runtime Security Platform: Configuring Plugin We need a configuration file ● # activestate.config file to point the plugin to our generated by asguest identity. Create a file ● Identity = 96339c86-20a9-44aa-8363-6e5d activestate.config in the f85003bf # Deminar working folder of our URL = application. https://platform.activestate .com/ Debug = False

Recommend

Towards Triaging Code-Smell Candidates via Runtime Scenarios and Method-Call Dependencies

Towards Triaging Code-Smell Candidates via Runtime Scenarios and Method-Call Dependencies

Ninth International Workshop on Managing Technical Debt (MTD 2017) Towards Triaging Code-Smell Candidates via Runtime Scenarios and Method-Call Dependencies Thorsten Haendler, Stefan Sobernig, and Mark Strembeck Vienna University of Economics

286 views • 13 slides
INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI

INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI

INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI Security Engineering @ Research on Runtime Application Self Defence Authored MobSF, Xenotix and NodeJSScan Teach Security: opsecx.com

906 views • 55 slides
Managing dependencies is more than running composer update Nils Adermann @naderman

Managing dependencies is more than running composer update Nils Adermann @naderman

Managing dependencies is more than running composer update Nils Adermann @naderman Private Packagist https://packagist.com What are Dependencies? - Services - APIs - Client-side Integrations (OAuth / External JS / Analytics / )

569 views • 37 slides
Managing dependencies is more than running composer update Nils Adermann @naderman

Managing dependencies is more than running composer update Nils Adermann @naderman

Managing dependencies is more than running composer update Nils Adermann @naderman Private Packagist https://packagist.com What are Dependencies? - Services - APIs - Client-side Integrations (OAuth / External JS / Analytics / )

533 views • 32 slides
Runtime Security Lab Michael Schwarz Friday 31 st August, 2018 Graz Security Week 2018

Runtime Security Lab Michael Schwarz Friday 31 st August, 2018 Graz Security Week 2018

Runtime Security Lab Michael Schwarz Friday 31 st August, 2018 Graz Security Week 2018 https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html www.tugraz.at Large IoT Incidents September 21, 2016 > 600 Gbps on Brian Krebs

1.19k views • 71 slides
Rhizoma: A Runtime for Self-deploying, Self-managing Overlays Qin Yin * , Adrian Schpbach * ,

Rhizoma: A Runtime for Self-deploying, Self-managing Overlays Qin Yin * , Adrian Schpbach * ,

Rhizoma: A Runtime for Self-deploying, Self-managing Overlays Qin Yin * , Adrian Schpbach * , Justin Cappos + , Andrew Baumann * , Timothy Roscoe * * Systems Group, Department of Computer Science, ETH Zurich + Dept. of Computer Science and

645 views • 42 slides
Models at Runtime for Adaptive and Self-managing Software Dagstuhl Seminar on Models@run.time

Models at Runtime for Adaptive and Self-managing Software Dagstuhl Seminar on Models@run.time

Models at Runtime for Adaptive and Self-managing Software Dagstuhl Seminar on Models@run.time (2011) Holger Giese and Thomas Vogel System Analysis & Modeling Group Hasso Plattner Institute for Software Systems Engineering University of

399 views • 11 slides
Managing Cray XT MPI Runtime Environment Variables to Optimize and Scale Applications Geir

Managing Cray XT MPI Runtime Environment Variables to Optimize and Scale Applications Geir

Managing Cray XT MPI Runtime Environment Variables to Optimize and Scale Applications Geir Johansen May 5, 2008 Cray Inc. Proprietary Slide 1 Goals of the Presentation Provide users an overview of the implementation of MPI on the Cray XT.

790 views • 44 slides
Task Dependencies: ant Steven J Zeil February 25, 2013 Task Dependencies: ant Outline

Task Dependencies: ant Steven J Zeil February 25, 2013 Task Dependencies: ant Outline

Task Dependencies: ant Task Dependencies: ant Steven J Zeil February 25, 2013 Task Dependencies: ant Outline The ant Command 1 Build Files 2 Targets Properties File Sets and Lists Path Sets Filters Tasks Case Studies 3

807 views • 59 slides
Why secure the OS? Works directly on the hardware but can be adapted during runtime Operating

Why secure the OS? Works directly on the hardware but can be adapted during runtime Operating

Why secure the OS? Works directly on the hardware but can be adapted during runtime Operating System Security Data and process are directly visible Application security can be circumvented from lower layers = > good scope

103 views • 8 slides
Building stuff with monadic dependencies + unchanging dependencies + polymorphic dependencies +

Building stuff with monadic dependencies + unchanging dependencies + polymorphic dependencies +

Building stuff with monadic dependencies + unchanging dependencies + polymorphic dependencies + abstraction Neil Mitchell http://nmitchell.co.uk Building stuff with Shake Neil Mitchell http://shakebuild.com What is Shake? A Haskell

813 views • 49 slides
Methods and tools for design time and runtime formal analysis of security protocols and web

Methods and tools for design time and runtime formal analysis of security protocols and web

Methods and tools for design time and runtime formal analysis of security protocols and web applications Marco Rocchetto REsearch Group in I nformation S ecurity Department of Computer Science University of Verona, Italy Verona, May 8, 2015

731 views • 62 slides
Dependencies and Hazards Lecture 17 CS301 Data Dependencies We want to keep the pipeline

Dependencies and Hazards Lecture 17 CS301 Data Dependencies We want to keep the pipeline

Dependencies and Hazards Lecture 17 CS301 Data Dependencies We want to keep the pipeline completing an instruction every cycle When a later instruction depends on the result of an earlier instruction, stalls happen There are 3

1.35k views • 122 slides
CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of f the Common Principles Minimize attack Secure by surface area Default Principle of Fail-Safe Least Stance Privilege Secure the

975 views • 56 slides
Runtime verification meets Android security Gil Vegliach Joint work with Andreas Bauer and

Runtime verification meets Android security Gil Vegliach Joint work with Andreas Bauer and

Runtime verification meets Android security Gil Vegliach Joint work with Andreas Bauer and Jan-Christoph K uster Background, what Android is Developed by Android Inc. (acquired by Google in 2005) Open Handset Alliance (founded in 2007)

161 views • 15 slides
Continuous Updating How do you keep track of your LIBRARIES? How many DEPENDENCIES do you have

Continuous Updating How do you keep track of your LIBRARIES? How many DEPENDENCIES do you have

Continuous Updating How do you keep track of your LIBRARIES? How many DEPENDENCIES do you have in your project? Which LICENSES are your dependencies using? You dont know? Goldman Sachs sent a brilliant computer scientist to JAIL ! GPL

529 views • 42 slides
Dependencies in Interval- -valued valued Dependencies in Interval Symbolic Data Symbolic Data

Dependencies in Interval- -valued valued Dependencies in Interval Symbolic Data Symbolic Data

Dependencies in Interval- -valued valued Dependencies in Interval Symbolic Data Symbolic Data Lynne Billard University of Georgia lynne@stat.uga.edu Tribute to Professor Edwin Diday: Paris, France; 5 September 2007 Naturally occurring

635 views • 44 slides
MANAGING SOIL FOR MANAGING SOIL FOR MANAGING SOIL FOR MANAGING SOIL FOR ADVANCING FOOD

MANAGING SOIL FOR MANAGING SOIL FOR MANAGING SOIL FOR MANAGING SOIL FOR ADVANCING FOOD

MANAGING SOIL FOR MANAGING SOIL FOR MANAGING SOIL FOR MANAGING SOIL FOR ADVANCING FOOD ADVANCING FOOD SECURITY AND ADAPTING SECURITY AND ADAPTING TO CLIMATE CHANGE TO CLIMATE CHANGE R. Lal Carbon Management and Sequestration Center g q

582 views • 55 slides
Runtime Considerations Were moving towards actually producing target code. This means we need

Runtime Considerations Were moving towards actually producing target code. This means we need

10/29/2012 Runtime Considerations Were moving towards actually producing target code. This means we need to consider the runtime actions of the program. CS 1622: Runtime support: Functions and local variable storage Activation

160 views • 4 slides
Runtime systems Runtime systems Functional program are very high-level: its not obvious how to

Runtime systems Runtime systems Functional program are very high-level: its not obvious how to

Runtime systems Runtime systems Functional program are very high-level: its not obvious how to Programmation Fonctionnelle Avance implement them. http://www-lipn.univ-paris13.fr/~saiu/teaching/PFA-2010 Complex library support at run time

220 views • 8 slides
Adaptation and Abstract Runtime Models 5th Workshop on Software Engineering for Adaptive and

Adaptation and Abstract Runtime Models 5th Workshop on Software Engineering for Adaptive and

Adaptation and Abstract Runtime Models 5th Workshop on Software Engineering for Adaptive and Self-Managing Systems (SEAMS 2010) Cape Town, South Africa, 3-4 May 2010 Thomas Vogel and Holger Giese System Analysis and Modeling Group Hasso

377 views • 21 slides
Another approach to runtime checking Typical runtime checking is by duplicating entire CPU

Another approach to runtime checking Typical runtime checking is by duplicating entire CPU

Another approach to runtime checking Typical runtime checking is by duplicating entire CPU Expensive in power, area No protection from design errors Does not survive permanent faults Last time we saw an approach that leveraged

246 views • 7 slides
AngularJS Dependencies and Services Dependencies & Services App can get cluttered if all

AngularJS Dependencies and Services Dependencies & Services App can get cluttered if all

AngularJS Dependencies and Services Dependencies & Services App can get cluttered if all logic in one module Mingling directives and controllers and data in one module can clutter that module Can some logic or data be factored out

484 views • 14 slides
Architecture in Practice: Chrome Reid Holmes Chrome Online content is insecure and can

Architecture in Practice: Chrome Reid Holmes Chrome Online content is insecure and can

Material and some slide content from: Taylor et. al. http://queue.acm.org/detail.cfm?id=1556050 http://seclab.stanford.edu/websec/chromium/chromium-security-architecture.pdf OS-Level Sandbox OS/Runtime OS/Runtime Exploit Barriers Exploit

415 views • 3 slides

More recommend