Managing Dependencies and Runtime Security ActiveState Deminar - PowerPoint PPT Presentation

  1. Managing Dependencies and Runtime Security ActiveState Deminar

  2. About ActiveState
     ● Track record: 97% of Fortune 1000, 20+ years of open source
     ● Polyglot: 5 languages - Python, Perl, Tcl, Go, Ruby
     ● Runtime focus: concept to development to production

  3. Welcome: Pete Garcin, Developer Advocate, ActiveState (@rawktron)

  4. Overview
     ● Managing Project Dependencies
       ○ Pip/requirements
       ○ ActivePython
     ● Virtual Environments
       ○ PipEnv
     ● Runtime Security
     ● Q&A

  5. Configuring Dev Environment
     ● git clone https://github.com/ActiveState/activedeminar

  6. Your dependency tree:

  7. Managing Deps
     ● Vendored deps
       ○ Advantages: guaranteed security, compatibility, stability, availability
       ○ Disadvantages: larger repo; you have to maintain it manually, so it could be out of date and conflict with system installs

  8. Managing Deps
     ● Requirements.txt/Pipfile
       ○ You have to 'install' and build from a repo, BUT you don't have to maintain the code and ship it yourself
       ○ You need to pin versions to prevent bleeding edge
       ○ Use a virtualenv for isolation

  9. Managing Deps
     ● Pre-built distributions
       ○ "No discipline" approach
       ○ Most popular packages already pre-built, tested, and included in your distro, with quarterly updates
       ○ Can work well as the standard install across a large org or team
       ○ Not updated frequently
       ○ Not customized to your needs
       ○ Overall may not fit your use case

  10. Vendoring Deps in Python
     ● Requires a virtualenv to prevent conflicts
     ● May involve generating your own wheels for local pip servers
     ● Not widely used
     ● Higher maintenance overhead
     ● Can be good/necessary if you have custom patches

  11. Creating requirements.txt
     ● Can use "pip freeze", but this gives us everything in our system environment.
     ● Let's use pipreqs:
       ○ https://github.com/bndr/pipreqs
       ○ pip3 install pipreqs
       ○ pipreqs .

  12. Pinning Versions
     ● Pinning means forcing a specific version to be installed
     ● Why? Reproducible builds.
     ● Syntax:
       ○ Framework==0.9.4
       ○ Library>=0.2

  13. Reproducible Builds
     ● Guarantee the exact same build in two locations
     ● Ensure you have the same versions of every package
     ● Requires a lockfile, or a "pip freeze"

  14. Virtual Environments
     ● A Virtual Environment is a self-contained, sandboxed environment -- just for your app.
     ● It only has the packages you specify, and they are totally distinct from the system-installed ones.

  15. Virtual Environments
     ● Complex but critical for app deployment and development.
     ● Can use 'virtualenv' to create and manage them, but there is a new tool combining pip and virtualenv.

  16. PipEnv
     ● Enter PipEnv: a new "community standard" application that combines pip/virtualenv and extends their functionality in a single app.
     ● Let's install it here:
       ○ https://github.com/pypa/pipenv
       ○ pip3 install pipenv
     ● You can initialize a clean environment, Python 3:
       ○ pipenv --three

  17. Generating Pipfile
     ● We can generate a Pipfile from our requirements.txt using the following command:
       ○ pipenv install
     ● HANDY TIP: We can generate a virtualenv of ActivePython using:
       ○ pipenv --python="/home/parallels/AP36/bin/python3" --site-packages install

  18. Generating Pipfile
     ● The generated Pipfile:
       [[source]]
       url = "https://pypi.python.org/simple"
       verify_ssl = true
       name = "pypi"

       [packages]
       numpy = "==1.14.3"
       tensorflow = "==1.8.0"
       Flask = "==1.0.1"

       [dev-packages]

       [requires]
       python_version = "3.6"

  19. Generating Pipfile.lock
     ● Generate a lockfile that contains the fully resolved dependency tree for our project:
       ○ pipenv lock
     ● Required for a deterministic build.
     ● Warning: could fail to resolve a dependency conflict!
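Slides 12, 13 and 19 describe what a deterministic build depends on: exact "==" pins in the Pipfile, a Pipfile.lock that agrees with them, and hashes the installer can verify. This added example (not part of the deck or of pipenv) audits a constructed Pipfile and Pipfile.lock for exactly those three properties; package names come from the deck's Pipfile, while the "requests" line, the drifted tensorflow version and all hash strings are constructed to trigger findings.

```python
import json
import re

# Constructed Pipfile [packages] section: the deck's three pins plus one
# deliberately loose ">=" specifier to show what the audit flags.
PIPFILE = """[packages]
numpy = "==1.14.3"
tensorflow = "==1.8.0"
Flask = "==1.0.1"
requests = ">=2.0"
[dev-packages]
"""

# Constructed Pipfile.lock (real layout, placeholder hashes): tensorflow is locked
# one patch release off the Pipfile pin and flask has no hashes, so both get flagged.
PIPFILE_LOCK = json.dumps({"default": {
    "numpy": {"version": "==1.14.3", "hashes": ["sha256:" + "a" * 64]},
    "tensorflow": {"version": "==1.8.1", "hashes": ["sha256:" + "b" * 64]},
    "flask": {"version": "==1.0.1", "hashes": []},
    "requests": {"version": "==2.19.1", "hashes": ["sha256:" + "c" * 64]},
}})

_PIN_RE = re.compile(r'^(?P<name>[A-Za-z0-9_.\-]+)\s*=\s*"(?P<spec>[^"]*)"$')

def parse_pipfile_packages(text):
    """Return {normalized_name: specifier} for the [packages] section only."""
    pins, section = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("["):
            section = line
            continue
        m = _PIN_RE.match(line)
        if section == "[packages]" and m:
            pins[m.group("name").lower().replace("_", "-")] = m.group("spec")
    return pins

def audit_lock(pipfile_text, lock_text):
    """Return findings that break a deterministic build; [] means clean."""
    pins = parse_pipfile_packages(pipfile_text)
    locked = json.loads(lock_text).get("default", {})
    findings = []
    for name, spec in pins.items():
        if not spec.startswith("=="):
            findings.append(f"{name}: loose specifier {spec!r}, not an exact pin")
        entry = locked.get(name)
        if entry is None:
            findings.append(f"{name}: in Pipfile but missing from Pipfile.lock")
            continue
        if spec.startswith("==") and entry.get("version") != spec:
            findings.append(f"{name}: Pipfile wants {spec}, lock has {entry['version']}")
        if not entry.get("hashes"):
            findings.append(f"{name}: no sha256 hashes in lock, install unverifiable")
    return findings
```

Run `audit_lock(PIPFILE, PIPFILE_LOCK)` after `pipenv lock` in CI to fail the build on drift between the two files rather than discovering it in production.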

  20. Install all Dependencies
     ● Let's spawn a shell inside our virtualenv:
       ○ pipenv shell
     ● The "sync" command will install everything in the .lock file:
       ○ pipenv sync

  21. Project Complete
     ● We now have a project that has:
       ○ A virtualenv created for it, distinct from our system install
       ○ A Pipfile that defines all the deps for our project, generated from our requirements.txt
       ○ A lockfile that is a fully resolved version of all deps for this project
       ○ All deps installed for our project in that virtualenv
       ○ Our project ready to go!

  22. Running Project
     ● Remember to spawn a shell inside our virtualenv:
       ○ pipenv shell
     ● We can deploy our Flask server using this command:
       ○ python3 app.py

  23. Verify it works
     ● Let's check that our service is running (the URL is quoted so the shell does not treat "?" as a glob):
       ○ curl "http://localhost:8000?file=./mypoodle.jpg"

  24. Success!

  25. Packaging and Distribution
     ● Further topics:
       ○ Generating a setup.py
       ○ Generating a Docker image

  26. Installing ActivePython
     ● Easy option: Install ActivePython (includes everything we need)
     ● https://www.activestate.com/activepython/downloads

  27. Future Platform Support
     ● What if we could reduce ALL of what we just did to a single command?

  28. Future Platform Support
     ● Working to streamline and simplify this process.
     ● Tight integration and compatibility with community tools is key.
     ● Share your pain points working with dependency management and environment configuration:
       ○ peteg@activestate.com

  29. Future Platform Support
     ● Dependency Resolution.
     ● Reproducible Builds.
     ● Customized Builds/Environments.
     ● "One click" Environment Configuration.
     ● https://start.activestate.com/platform-home/

  30. Platform: Runtime Security
     ● Available now: https://www.activestate.com/platform

  31. Managing Dependencies and Runtime Security Platform: Runtime Security

  32. Platform: Runtime Security
     ● Questions to consider:
       ○ What do we do when there are security vulnerabilities in one of your dependencies?
       ○ How many times have you had an application deployed that sits live on the production server but might not be updated frequently?
       ○ It was secure when you built it, but is it still secure?

  33. Platform: Runtime Security
     ● As one component of the evolving ActiveState Platform, our security and compliance plugin for Python can give you zero-discipline runtime security checks on your applications.
     ● Let's take a look at how we configure that and what kind of results it can give us.
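The runtime question on slides 32 and 33 (a dependency that was clean at build time may have an advisory against it later) comes down to matching the versions actually loaded against an advisory feed. This added example, which is not part of the deck or of ActiveState's plugin, does that matching over a constructed inventory and a constructed advisory list; "examplelib", "otherlib", the EXAMPLE-ADV ids and the version ranges are all invented placeholders.

```python
import re

# Constructed inventory of what is installed in the running interpreter (a
# real check would build this from importlib.metadata.distributions()).
# "examplelib" is a made-up package; versions are constructed.
INSTALLED = {"numpy": "1.14.3", "flask": "1.0.1", "examplelib": "2.3.1"}

# Constructed advisory feed. Identifiers, packages and ranges are placeholders
# invented for this example, not real advisories.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "examplelib",
     "affected": "<2.4.0", "fixed_in": "2.4.0"},
    {"id": "EXAMPLE-ADV-0002", "package": "examplelib",
     "affected": ">=2.3.0,<2.3.1", "fixed_in": "2.3.1"},
    {"id": "EXAMPLE-ADV-0003", "package": "otherlib",
     "affected": "<1.0", "fixed_in": "1.0"},
]

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "==": lambda a, b: a == b}

def version_key(v):
    """'1.14.3' -> (1, 14, 3) so releases compare numerically, not as strings.
    Pre-release tags and '1.0' vs '1.0.0' equivalence are not handled here;
    use packaging.version for production code."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def affected(version, spec):
    """True if version satisfies every comma-separated clause of spec."""
    for clause in spec.split(","):
        m = re.match(r"\s*(<=|>=|==|<|>)\s*([\w.]+)\s*$", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](version_key(version), version_key(bound)):
            return False
    return True

def scan(installed, advisories):
    """Return (advisory_id, package, installed_version, fixed_in) per hit."""
    hits = []
    for adv in advisories:
        ver = installed.get(adv["package"])
        if ver is not None and affected(ver, adv["affected"]):
            hits.append((adv["id"], adv["package"], ver, adv["fixed_in"]))
    return hits
```

Because the inventory is taken from the running process rather than from the lockfile, the same check catches packages that were patched in the lock but never redeployed.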

  34. Platform: Signing In
     ● Step 1: The first thing we need to do is sign in to the ActiveState Platform. Get there by going to platform.activestate.com.
       ○ We've pre-created some credentials to use. They're shared in the README:
         ■ User: asguest
         ■ Pass: asdeminar

  35. Platform: Dashboard Tour
     ● Let's take a walk through the dashboard...

  36. Platform: Installing Plugin
     ● The first thing we need to do is install the interpreter plugin. This language extension hooks directly into your Python interpreter. There's no extra code in your program -- it will just hook in and work invisibly.

  37. Platform: Installing Plugin
     ● Once we've downloaded it, we need to install it:
       ○ pipenv install ActiveState-SecurityScanner-0.5.5.tar.gz
     ● ...or...
       ○ pipenv shell
       ○ pip3 install ActiveState-SecurityScanner-0.5.5.tar.gz

  38. Platform: Creating an Identity
     ● Next, we'll need to create an identity for our project. We use an identity to encapsulate any connected set of similar functionality: a project, a series of related services, something like that. So let's create one.

  39. Platform: Configuring Plugin
     ● We need a configuration file to point the plugin to our generated identity.
     ● Create a file activestate.config in the working folder of our application:
       # activestate.config file generated by asguest
       Identity = 96339c86-20a9-44aa-8363-6e5df85003bf # Deminar
       URL = https://platform.activestate.com/
       Debug = False
