› wp-content › uploads › 2018 › 10 › webinar-slides-managing... runtime security managing...
TRANSCRIPT
Managing Dependencies and Runtime Security
ActiveState Deminar
About ActiveState
Managing Dependencies and Runtime Security
● Track-record: 97% of Fortune 1000, 20+ years open source
● Polyglot: 5 languages - Python, Perl, Tcl, Go, Ruby
● Runtime Focus: concept to development to production
Welcome
Managing Dependencies and Runtime Security
Pete Garcin, Developer Advocate, ActiveState (@rawktron)
Overview
Managing Dependencies and Runtime Security
● Managing Project Dependencies○ Pip/requirements○ ActivePython
● Virtual Environments○ PipEnv
● Runtime Security● Q&A
Configuring Dev Environment
Managing Dependencies and Runtime Security
git clone https://github.com/ActiveState/activedeminar
Your dependency tree:
Managing Dependencies and Runtime Security
Managing Deps
Managing Dependencies and Runtime Security
● Vendored Deps○ Advantages: guaranteed security, compatibility, stability,
availability○ Disadvantages: larger repo, you have to manually
maintain - could be out of date, conflicts with system installs
Managing Deps
Managing Dependencies and Runtime Security
● Requirements.txt/Pipfile○ Have to ‘install’ and build from a repo BUT you don’t
have to maintain the code and ship it yourself○ You need to pin versions to prevent bleeding edge○ Use a virtualenv for isolation
Managing Deps
Managing Dependencies and Runtime Security
● Pre-built distributions○ No discipline approach○ Most popular packages already pre-built, tested, and
included in your distro, quarterly updates○ As the standard install across a large org or team can
work well○ Not updated frequently○ Not customized to your needs○ Overall may not fit your use case
Vendoring Deps in Python
Managing Dependencies and Runtime Security
● Requires a virtualenv to prevent conflicts● May involve generating your own wheels for local pip servers● Not widely used● Higher maintenance overhead● Can be good/necessary if you have custom patches
Creating requirements.txt
Managing Dependencies and Runtime Security
● Can use “pip freeze” but this gives us everything in our system environment.
● Let’s use pipreqs:○ https://github.com/bndr/pipreqs○ pip3 install pipreqs○ pipreqs .
Pinning Versions
Managing Dependencies and Runtime Security
● Pinning means forcing a specific version to be installed
● Why? Reproducible builds.
● Syntax:
○ Framework==0.9.4
○ Library>=0.2
Reproducible Builds
Managing Dependencies and Runtime Security
● Guarantee the exact same build in two locations
● Ensure you have the same versions of every package
● Requires a lockfile, or a “pip freeze”
Virtual Environments
Managing Dependencies and Runtime Security
● A Virtual Environment is a self-contained, sandboxed environment -- just for your app.
● It only has the packages you specify and they are totally distinct from the system installed ones.
Virtual Environments
Managing Dependencies and Runtime Security
● Complex but critical for app deployment, development.● Can use ‘virtualenv’ to create and manage them but there
is a new tool combining pip and virtualenv.
PipEnv
Managing Dependencies and Runtime Security
● Enter PipEnv: New “Community Standard” application combines Pip/virtualenv and extends their functionality in a single app.
● Let’s install it here:○ https://github.com/pypa/pipenv
pip3 install pipenv● You can initialize a clean environment, Python 3:
pipenv -three
Generating Pipfile
Managing Dependencies and Runtime Security
● We can generate a pipfile from our requirements.txt using the following command:
pipenv install
HANDY TIP
We can generate a virtualenv of ActivePython using:
pipenv --python="/home/parallels/AP36/bin/python3" --site-packages install
Generating Pipfile
Managing Dependencies and Runtime Security
[[source]]url = "https://pypi.python.org/simple"verify_ssl = truename = "pypi"
[packages]numpy = "==1.14.3"tensorflow = "==1.8.0"Flask = "==1.0.1"
[dev-packages]
[requires]python_version = "3.6"
Generating Pipfile.lock
Managing Dependencies and Runtime Security
● Generate a lockfile that contains the fully resolved dep tree for our project:
pipenv lock● Required for a deterministic build.● Warning: could fail to resolve a dependency conflict!
Install all Dependencies
Managing Dependencies and Runtime Security
● Let’s spawn a shell inside our virtualenv:pipenv shell
● The “sync” command will install everything in the .lock file:
pipenv sync
Project Complete
Managing Dependencies and Runtime Security
● We now have a project that has:○ A virtualenv created for it distinct from our system install○ A pipfile that defines all the deps for our project generated
from our requirements.txt○ A lockfile that is a fully resolved version of all deps for this
project.○ All deps installed for our project in that virtualenv○ Our project ready to go!
Running Project
Managing Dependencies and Runtime Security
● Remember to spawn a shell inside our virtualenv:pipenv shell
● We can deploy our flask server using this command:python3 app.py
Verify it works
Managing Dependencies and Runtime Security
● Let’s check that our service is running:curl http://localhost:8000?file=./mypoodle.jpg
Success!
Packaging and Distribution
Managing Dependencies and Runtime Security
● Further topics:○ Generating a setup.py○ Generating a docker image
Installing ActivePython
Managing Dependencies and Runtime Security
● Easy option: Install ActivePython (includes everything we need)
● https://www.activestate.com/activepython/downloads
Future Platform Support
Managing Dependencies and Runtime Security
What if we could reduce ALL of what we just did to a single command?
Future Platform Support
Managing Dependencies and Runtime Security
● Working to streamline and simplify this process.● Tight integration and compatibility with community tools is
key.● Share your pain points working with dependency
management and environment configuration:○ [email protected]
Future Platform Support
Managing Dependencies and Runtime Security
● Dependency Resolution.● Reproducible Builds.● Customized Builds/Environments.● “One click” Environment Configuration.
● https://start.activestate.com/platform-home/
Platform: Runtime Security
Managing Dependencies and Runtime Security
● Available now: https://www.activestate.com/platform
Platform: Runtime Security
Managing Dependencies and Runtime Security
Platform: Runtime Security
Managing Dependencies and Runtime Security
● Questions to consider:○ What do we do when there are security vulnerabilities
in one of your dependencies? ○ How many times have you had an application
deployed that sits live on the production server but might not be updated frequently?
○ It was secure when you built it, but is it still secure?
Platform: Runtime Security
Managing Dependencies and Runtime Security
● As one component of the evolving ActiveState Platform, our security and compliance plugin for Python can give you zero discipline runtime security checks on your applications.
● Let’s take a look at how we configure that and what kind of results it can give us.
Platform: Signing In
Managing Dependencies and Runtime Security
● Step 1: The first thing we need to do is sign into for the ActiveState Platform. Get there by going to platform.activestate.com.○ We’ve pre-created some credentials to use. They’re
shared in the README:■ User: asguest■ Pass: asdeminar
Platform: Dashboard Tour
Managing Dependencies and Runtime Security
● Let’s take a walk through the dashboard...
Platform: Installing Plugin
Managing Dependencies and Runtime Security
● The first thing we need to do is install the interpreter plugin. This language extension hooks directly into your python interpreter. There’s no extra code in your program -- it will just hook in and work invisibly.
Platform: Installing Plugin
Managing Dependencies and Runtime Security
● Once we’ve downloaded, we need to install it:pipenv install ActiveState-SecurityScanner-0.5.5.tar.gz
● ...or...pipenv shell
pip3 install ActiveState-SecurityScanner-0.5.5.tar.gz
Platform: Creating an Identity
Managing Dependencies and Runtime Security
● Next, we’ll need to create an identity for our project. We use an identity to encapsulate any connected set of similar functionality, a project, a series of related services, something like that. So let’s create one.
Platform: Configuring Plugin
Managing Dependencies and Runtime Security
● We need a configuration file to point the plugin to our identity.
● Create a file activestate.config in the working folder of our application.
# activestate.config file generated by asguest
Identity = 96339c86-20a9-44aa-8363-6e5df85003bf # DeminarURL = https://platform.activestate.com/Debug = False
Platform: Configuring Plugin
Managing Dependencies and Runtime Security
● Notice that we need to replace that identity UUID with the UUID of the identity we just created.
Identity = <OUR NEW IDENTITY UUID>
● Now once this file exists, any time we run our interpreter it will be operating on this identity.
Identity Configuration Tips
Managing Dependencies and Runtime Security
● Save the file to your home directory (~/activestate.config ) to have it apply to just the applications you run, or
● Save the file in the /etc directory to have it apply to all applications running on the computer (/etc/activestate.config ), or
● Create an environment variable named ACTIVESTATE_CONFIG and set it to the location of the activestate.config file to have it apply to all applications running on the computer, or
● Save it to the working directories for individual applications to have it only apply to those applications.
Platform: Alerts and Results
Managing Dependencies and Runtime Security
● Whenever we run our program, we receive scan information on our dashboard.
● And if it had any warnings...
Why We’re Doing This
Managing Dependencies and Runtime Security
Managing Dependencies and Runtime Security
Three Key Benefits1. Simplicity:
○ Shrink-your-build to what you need
○ Dependencies managed
○ 1 tool that matches your Dev Needs with everyone else in your SDLC
2. Less Risk:
○ Real-time runtime monitoring
○ Security, compliance & package restrictions considered & managed at build
3. More Speed:
○ Shift-left approach at source code removes roadblocks.
○ Predictable build pipelines.
○ 1 click environment configuration
Managing Dependencies and Runtime Security
Q & A
Thank you!● Learn more about our Platform:
https://www.activestate.com/platform
● Download & try our ActivePython: https://www.activestate.com/activepython
● Contact [email protected] for more information.