Managing Dependencies and Runtime Security (ActiveState Deminar) - PowerPoint PPT Presentation

SLIDE 1

Managing Dependencies and Runtime Security

ActiveState Deminar

SLIDE 2

About ActiveState

  • Track-record: 97% of Fortune 1000, 20+ years open source
  • Polyglot: 5 languages - Python, Perl, Tcl, Go, Ruby
  • Runtime Focus: concept to development to production

SLIDE 3

Welcome

Pete Garcin, Developer Advocate, ActiveState (@rawktron)

SLIDE 4

Overview

  • Managing Project Dependencies
    ○ Pip/requirements
    ○ ActivePython
  • Virtual Environments
    ○ PipEnv
  • Runtime Security
  • Q&A

SLIDE 5

Configuring Dev Environment

git clone https://github.com/ActiveState/activedeminar

SLIDE 6

Your dependency tree:

SLIDE 7

Managing Deps

  • Vendored Deps
    ○ Advantages: you control exactly which code ships (so you can review it), plus compatibility, stability, and availability with no dependency on an upstream index at build time
    ○ Disadvantages: larger repo; you have to maintain the copy by hand, so it can fall out of date and miss upstream security fixes; conflicts with system installs

SLIDE 8

Managing Deps

  • Requirements.txt/Pipfile
    ○ You have to ‘install’ and build from a repo, BUT you don’t have to maintain the code and ship it yourself
    ○ You need to pin versions so that a new upstream release cannot change what you build without you noticing
    ○ Use a virtualenv for isolation

SLIDE 9

Managing Deps

  • Pre-built distributions
    ○ “No discipline” approach
    ○ Most popular packages already pre-built, tested, and included in your distro, with quarterly updates
    ○ Can work well as the standard install across a large org or team
    ○ Not updated frequently
    ○ Not customized to your needs
    ○ Overall may not fit your use case

SLIDE 10

Vendoring Deps in Python

  • Requires a virtualenv to prevent conflicts
  • May involve generating your own wheels for local pip servers
  • Not widely used
  • Higher maintenance overhead
  • Can be good/necessary if you have custom patches

SLIDE 11

Creating requirements.txt

  • Can use “pip freeze”, but this gives us everything in our system environment, not just what the project imports.
  • Let’s use pipreqs instead, which scans the source for import statements:
    ○ https://github.com/bndr/pipreqs
    ○ pip3 install pipreqs
    ○ pipreqs .
  • Review the generated file: it lists only the packages your code imports directly, so transitive dependencies are still resolved at install time and need to be locked separately.

SLIDE 12

Pinning Versions

  • Pinning means forcing a specific version to be installed
  • Why? Reproducible builds.
  • Syntax:
    ○ Framework==0.9.4 (an exact pin)
    ○ Library>=0.2 (a lower bound only: any newer release will be picked up, so this is not a pin and does not give a reproducible build)

SLIDE 13

Reproducible Builds

  • Guarantee the exact same build in two locations
  • Ensure you have the same versions of every package, including transitive dependencies
  • Requires a lockfile, or a “pip freeze” of a known-good environment
  • To also guarantee the same bytes, record artifact hashes (pip’s --hash option in requirements.txt, or the hashes in Pipfile.lock) so the installer rejects a substituted package
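The pinning and hashing rules above can be checked mechanically. The following is an added example written for this page, not code from the deck: a small lint over a requirements.txt that applies the same bar pip uses in --require-hashes mode (every requirement pinned with == and carrying at least one well-formed hash). The sample requirements it runs on are constructed to mirror the deck’s packages, and the sha256 digest in them is a placeholder, not a real package hash.

```python
"""Lint a requirements.txt for reproducibility.

Added example for this page; it is not code from the ActiveState deck. The
sample requirements below are constructed, and the sha256 digest in them is a
placeholder rather than a real package hash.

pip's --require-hashes mode only accepts requirements pinned with '==' (or
'===') that carry at least one --hash, so that is the bar applied here.
"""
import re
from dataclasses import dataclass

# name, optional [extras], optional version specifier (one or more clauses)
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"(?:\[[^\]]*\])?"
    r"\s*(?P<spec>(?:===|[<>=!~]=?)\s*[^\s;#\\,]+(?:\s*,\s*(?:===|[<>=!~]=?)\s*[^\s;#\\,]+)*)?"
)
_HASH_RE = re.compile(r"--hash=(?P<alg>[A-Za-z0-9]+):(?P<digest>[0-9a-fA-F]+)")
_DIGEST_LEN = {"sha256": 64, "sha384": 96, "sha512": 128}  # algorithms pip accepts


@dataclass
class Finding:
    name: str
    spec: str
    hashes: int
    problems: list


def _logical_lines(text):
    """Join pip's backslash continuations so one requirement is one line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def lint_requirements(text):
    """One Finding per requirement; an empty 'problems' list means pinned and hashed."""
    findings = []
    for line in _logical_lines(text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("-"):
            continue  # blank, comment, or a pip option line such as -r / --index-url
        stripped = stripped.split(" #", 1)[0].strip()  # drop trailing comment
        m = _REQ_RE.match(stripped)
        if not m:
            continue  # URL or path requirement; outside this lint's scope
        name = m.group("name").lower().replace("_", "-")
        spec = re.sub(r"\s+", "", m.group("spec") or "")
        hashes = _HASH_RE.findall(stripped)
        problems = []
        if not spec:
            problems.append("no version specifier: whatever is newest at install time will be used")
        elif "," in spec or not spec.startswith("=="):
            problems.append(f"{spec} is a range or bound, not an exact pin")
        elif spec.endswith(".*"):
            problems.append(f"{spec} is a wildcard pin and can still change between installs")
        if not hashes:
            problems.append("no --hash: pip cannot verify the downloaded artifact")
        for alg, digest in hashes:
            expected = _DIGEST_LEN.get(alg.lower())
            if expected is None:
                problems.append(f"unsupported hash algorithm {alg}")
            elif len(digest) != expected:
                problems.append(f"malformed {alg} digest ({len(digest)} hex chars, expected {expected})")
        findings.append(Finding(name, spec, len(hashes), problems))
    return findings


def is_reproducible(text):
    """True only if every requirement is exactly pinned and carries a valid hash."""
    return all(not f.problems for f in lint_requirements(text))


FAKE_SHA256 = "ab" * 32  # placeholder digest, constructed for the example

# Constructed sample mirroring the deck's packages; not the deck's actual file.
SAMPLE_REQUIREMENTS = (
    "# constructed sample requirements.txt\n"
    "Flask==1.0.1 \\\n"
    "    --hash=sha256:" + FAKE_SHA256 + "\n"
    "numpy==1.14.3\n"
    "tensorflow>=1.8\n"
    "requests\n"
)

if __name__ == "__main__":
    for f in lint_requirements(SAMPLE_REQUIREMENTS):
        status = "ok" if not f.problems else "; ".join(f.problems)
        print(f"{f.name:<12} {f.spec or '(none)':<10} hashes={f.hashes}  {status}")
    print("reproducible:", is_reproducible(SAMPLE_REQUIREMENTS))
```

Run it in a CI step before `pip install --require-hashes -r requirements.txt`; only the hashed Flask line passes, which is the point: a pin without a hash reproduces a version, not the bytes.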

SLIDE 14

Virtual Environments

  • A Virtual Environment is a self-contained, sandboxed environment -- just for your app.
  • It only has the packages you specify, and they are kept distinct from the system-installed ones (unless you deliberately create it with access to the system site-packages, as the --site-packages flag does).
  • The isolation is about packages, not privileges: code running in a virtualenv still has everything your user account has, so it is not a security boundary against a malicious dependency.

SLIDE 15

Virtual Environments

  • Complex but critical for app deployment and development.
  • Can use ‘virtualenv’ to create and manage them, but there is a new tool combining pip and virtualenv.

SLIDE 16

PipEnv

  • Enter PipEnv: a new “community standard” application that combines Pip/virtualenv and extends their functionality in a single app.
  • Let’s install it here:
    ○ https://github.com/pypa/pipenv
    ○ pip3 install pipenv
  • You can initialize a clean environment, Python 3:

pipenv --three

SLIDE 17

Generating Pipfile

  • We can generate a Pipfile from our requirements.txt using the following command (pipenv imports a requirements.txt it finds in the directory when there is no Pipfile yet):

pipenv install

HANDY TIP: We can generate a virtualenv of ActivePython using:

pipenv --python="/home/parallels/AP36/bin/python3" --site-packages install

SLIDE 18

Generating Pipfile

[[source]]
url = "https://pypi.python.org/simple"
verify_ssl = true
name = "pypi"

[packages]
numpy = "==1.14.3"
tensorflow = "==1.8.0"
Flask = "==1.0.1"

[dev-packages]

[requires]
python_version = "3.6"

verify_ssl = true keeps TLS certificate verification on for the index; leave it set, since with it off anyone on the network path could serve substitute packages.

SLIDE 19

Generating Pipfile.lock

  • Generate a lockfile that contains the fully resolved dependency tree for our project:

pipenv lock

  • Required for a deterministic build: every package, including transitive ones, is recorded with an exact version and a sha256 hash of the artifact, so a later install can refuse anything that does not match.
  • Warning: could fail to resolve a dependency conflict!

SLIDE 20

Install all Dependencies

  • Let’s spawn a shell inside our virtualenv:

pipenv shell

  • The “sync” command will install everything in the .lock file, exactly as locked and without re-resolving:

pipenv sync

SLIDE 21

Project Complete

  • We now have a project that has:
    ○ A virtualenv created for it, distinct from our system install
    ○ A Pipfile that defines all the deps for our project, generated from our requirements.txt
    ○ A lockfile that is a fully resolved version of all deps for this project
    ○ All deps installed for our project in that virtualenv
    ○ Our project ready to go!

SLIDE 22

Running Project

  • Remember to spawn a shell inside our virtualenv:

pipenv shell

  • We can deploy our Flask server using this command:

python3 app.py

SLIDE 23

Verify it works

  • Let’s check that our service is running:

curl http://localhost:8000?file=./mypoodle.jpg

SLIDE 24

Success!

SLIDE 25

Packaging and Distribution

  • Further topics:
    ○ Generating a setup.py
    ○ Generating a Docker image

SLIDE 26

Installing ActivePython

  • Easy option: Install ActivePython (includes everything we need)
  • https://www.activestate.com/activepython/downloads

SLIDE 27

Future Platform Support

What if we could reduce ALL of what we just did to a single command?

SLIDE 28

Future Platform Support

  • Working to streamline and simplify this process.
  • Tight integration and compatibility with community tools is key.
  • Share your pain points working with dependency management and environment configuration:
    ○ peteg@activestate.com

SLIDE 29

Future Platform Support

  • Dependency Resolution.
  • Reproducible Builds.
  • Customized Builds/Environments.
  • “One click” Environment Configuration.
  • https://start.activestate.com/platform-home/

SLIDE 30

Platform: Runtime Security

  • Available now: https://www.activestate.com/platform

SLIDE 31

Platform: Runtime Security

SLIDE 32

Platform: Runtime Security

  • Questions to consider:
    ○ What do we do when there are security vulnerabilities in one of your dependencies?
    ○ How many times have you had an application deployed that sits live on the production server but might not be updated frequently?
    ○ It was secure when you built it, but is it still secure?
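The last question has a mechanical answer: the lockfile records exactly what a deployment runs, so it can be re-checked against advisory data long after the build. The following is an added example for this page, not the ActiveState plugin or any code from the deck. The Pipfile.lock it reads is constructed in the real lock layout (packages keyed by name, each with a == version and a list of artifact hashes), the advisory list is constructed, and the package examplelib with advisory EXAMPLE-0001 is fictitious; in practice the advisory entries would be fetched from a vulnerability database, and only the matching logic is shown here.

```python
"""Re-check a Pipfile.lock against advisory data after deployment.

Added example for this page; it is not the ActiveState plugin or any code
from the deck. The lock file below is constructed in the Pipfile.lock layout
(each package keyed by name with a '==' version and a list of artifact
hashes), the advisory list is constructed, and 'examplelib' with advisory
EXAMPLE-0001 is fictitious. In practice the advisory list would come from a
vulnerability database feed; the matching logic is what this shows.
"""
import json

SAMPLE_LOCK = json.dumps({
    "_meta": {"requires": {"python_version": "3.6"}},
    "default": {
        "flask": {"version": "==1.0.1", "hashes": ["sha256:" + "11" * 32]},
        "numpy": {"version": "==1.14.3", "hashes": ["sha256:" + "22" * 32]},
        "examplelib": {"version": "==1.1.4", "hashes": []},  # fictitious package
    },
    "develop": {},
})

# Constructed advisory entries (not real CVEs): affected range is [introduced, fixed)
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "examplelib", "introduced": "1.0.0", "fixed": "1.2.0"},
]


def parse_version(text):
    """'==1.2.0' -> (1, 2); trailing zero components are dropped so 1.2 == 1.2.0."""
    parts = []
    for component in text.lstrip("=").strip().split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break  # stop at a suffix such as 'rc1'
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def locked_packages(lock_text):
    """Name -> {version, hashes, section} for every package in the lock."""
    lock = json.loads(lock_text)
    packages = {}
    for section in ("default", "develop"):
        for name, entry in lock.get(section, {}).items():
            packages[name.lower()] = {
                "version": entry.get("version", "").lstrip("="),
                "hashes": entry.get("hashes", []),
                "section": section,
            }
    return packages


def audit_lock(lock_text, advisories=ADVISORIES):
    """Return (package, message) pairs: missing pins, missing hashes, matching advisories."""
    findings = []
    for name, info in locked_packages(lock_text).items():
        if not info["version"]:
            findings.append((name, "no exact version in the lock; the build is not deterministic"))
        if not info["hashes"]:
            findings.append((name, "no artifact hashes in the lock; pipenv cannot verify what it installs"))
        for adv in advisories:
            if adv["package"] != name or not info["version"]:
                continue
            if is_affected(info["version"], adv["introduced"], adv["fixed"]):
                findings.append((name, f"{adv['id']}: {info['version']} is affected, fixed in {adv['fixed']}"))
    return findings


if __name__ == "__main__":
    for package, message in audit_lock(SAMPLE_LOCK):
        print(f"{package}: {message}")
```

Because the lock, not the running process, is the input, the same check can run on a schedule against every deployed service’s committed Pipfile.lock, which is what answers “is it still secure?” for an application nobody has redeployed in months.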

SLIDE 33

Platform: Runtime Security

  • As one component of the evolving ActiveState Platform, our security and compliance plugin for Python can give you “zero discipline” runtime security checks on your applications.
  • Let’s take a look at how we configure that and what kind of results it can give us.

SLIDE 34

Platform: Signing In

  • Step 1: The first thing we need to do is sign into the ActiveState Platform. Get there by going to platform.activestate.com.
    ○ We’ve pre-created some credentials to use. They’re shared in the README:
      ■ User: asguest
      ■ Pass: asdeminar

SLIDE 35

Platform: Dashboard Tour

  • Let’s take a walk through the dashboard...

SLIDE 36

Platform: Installing Plugin

  • The first thing we need to do is install the interpreter plugin. This language extension hooks directly into your Python interpreter. There’s no extra code in your program -- it will just hook in and work invisibly.

SLIDE 37

Platform: Installing Plugin

  • Once we’ve downloaded it, we need to install it:

pipenv install ActiveState-SecurityScanner-0.5.5.tar.gz

  • ...or...

pipenv shell
pip3 install ActiveState-SecurityScanner-0.5.5.tar.gz

SLIDE 38

Platform: Creating an Identity

  • Next, we’ll need to create an identity for our project. We use an identity to encapsulate any connected set of similar functionality: a project, a series of related services, something like that. So let’s create one.

SLIDE 39

Platform: Configuring Plugin

  • We need a configuration file to point the plugin to our identity.
  • Create a file activestate.config in the working folder of our application:

# activestate.config file generated by asguest
Identity = 96339c86-20a9-44aa-8363-6e5df85003bf
# Deminar
URL = https://platform.activestate.com/
Debug = False

SLIDE 40

Platform: Configuring Plugin

  • Notice that we need to replace that identity UUID with the UUID of the identity we just created:

Identity = <OUR NEW IDENTITY UUID>

  • Now, once this file exists, any time we run our interpreter it will be operating on this identity.

SLIDE 41

Identity Configuration Tips

  • Save the file to your home directory (~/activestate.config) to have it apply to just the applications you run, or
  • Save the file in the /etc directory (/etc/activestate.config) to have it apply to all applications running on the computer, or
  • Create an environment variable named ACTIVESTATE_CONFIG and set it to the location of the activestate.config file to have it apply to all applications running on the computer, or
  • Save it to the working directories of individual applications to have it apply only to those applications.
  • Because the file sets the identity and the URL the plugin reports to, treat a per-application activestate.config like any other build configuration: review one that arrives inside a repository before running code from that directory.

SLIDE 42

Platform: Alerts and Results

  • Whenever we run our program, we receive scan information on our dashboard.
  • And if it had any warnings...

SLIDE 43

Why We’re Doing This

SLIDE 44

SLIDE 45

Three Key Benefits

  1. Simplicity:
    ○ Shrink your build to what you need
    ○ Dependencies managed
    ○ 1 tool that matches your dev needs with everyone else in your SDLC
  2. Less Risk:
    ○ Real-time runtime monitoring
    ○ Security, compliance & package restrictions considered & managed at build
  3. More Speed:
    ○ Shift-left approach at source code removes roadblocks
    ○ Predictable build pipelines
    ○ 1-click environment configuration

SLIDE 46

Q & A

SLIDE 47

Thank you!

  • Learn more about our Platform: https://www.activestate.com/platform
  • Download & try our ActivePython: https://www.activestate.com/activepython
  • Contact platform@activestate.com for more information.