› wp-content › uploads › 2018 › 10 › webinar-slides-managing... runtime security managing...

Managing Dependencies and Runtime Security

ActiveState Deminar

About ActiveState


● Track-record: 97% of Fortune 1000, 20+ years open source

● Polyglot: 5 languages - Python, Perl, Tcl, Go, Ruby

● Runtime Focus: concept to development to production

Welcome


Pete Garcin, Developer Advocate, ActiveState (@rawktron)

Overview


● Managing Project Dependencies○ Pip/requirements○ ActivePython

● Virtual Environments○ PipEnv

● Runtime Security● Q&A

Configuring Dev Environment


git clone https://github.com/ActiveState/activedeminar

Your dependency tree:


Managing Deps


● Vendored Deps○ Advantages: guaranteed security, compatibility, stability,

availability○ Disadvantages: larger repo, you have to manually

maintain - could be out of date, conflicts with system installs

Managing Deps


● Requirements.txt/Pipfile○ Have to ‘install’ and build from a repo BUT you don’t

have to maintain the code and ship it yourself○ You need to pin versions to prevent bleeding edge○ Use a virtualenv for isolation

Managing Deps


● Pre-built distributions○ No discipline approach○ Most popular packages already pre-built, tested, and

included in your distro, quarterly updates○ As the standard install across a large org or team can

work well○ Not updated frequently○ Not customized to your needs○ Overall may not fit your use case

Vendoring Deps in Python


● Requires a virtualenv to prevent conflicts● May involve generating your own wheels for local pip servers● Not widely used● Higher maintenance overhead● Can be good/necessary if you have custom patches

Creating requirements.txt


● Can use “pip freeze” but this gives us everything in our system environment.

● Let’s use pipreqs:○ https://github.com/bndr/pipreqs○ pip3 install pipreqs○ pipreqs .

https://github.com/bndr/pipreqs

Pinning Versions


● Pinning means forcing a specific version to be installed

● Why? Reproducible builds.

● Syntax:

○ Framework==0.9.4

○ Library>=0.2

Reproducible Builds


● Guarantee the exact same build in two locations

● Ensure you have the same versions of every package

● Requires a lockfile, or a “pip freeze”

Virtual Environments


● A Virtual Environment is a self-contained, sandboxed environment -- just for your app.

● It only has the packages you specify and they are totally distinct from the system installed ones.

Virtual Environments


● Complex but critical for app deployment, development.● Can use ‘virtualenv’ to create and manage them but there

is a new tool combining pip and virtualenv.

PipEnv


● Enter PipEnv: New “Community Standard” application combines Pip/virtualenv and extends their functionality in a single app.

● Let’s install it here:○ https://github.com/pypa/pipenv

pip3 install pipenv● You can initialize a clean environment, Python 3:

pipenv -three

https://github.com/pypa/pipenv

Generating Pipfile


● We can generate a pipfile from our requirements.txt using the following command:

pipenv install

HANDY TIP

We can generate a virtualenv of ActivePython using:

pipenv --python="/home/parallels/AP36/bin/python3" --site-packages install

Generating Pipfile


[[source]]url = "https://pypi.python.org/simple"verify_ssl = truename = "pypi"

[packages]numpy = "==1.14.3"tensorflow = "==1.8.0"Flask = "==1.0.1"

[dev-packages]

[requires]python_version = "3.6"

Generating Pipfile.lock


● Generate a lockfile that contains the fully resolved dep tree for our project:

pipenv lock● Required for a deterministic build.● Warning: could fail to resolve a dependency conflict!

Install all Dependencies


● Let’s spawn a shell inside our virtualenv:pipenv shell

● The “sync” command will install everything in the .lock file:

pipenv sync

Project Complete


● We now have a project that has:○ A virtualenv created for it distinct from our system install○ A pipfile that defines all the deps for our project generated

from our requirements.txt○ A lockfile that is a fully resolved version of all deps for this

project.○ All deps installed for our project in that virtualenv○ Our project ready to go!

Running Project


● Remember to spawn a shell inside our virtualenv:pipenv shell

● We can deploy our flask server using this command:python3 app.py

Verify it works


● Let’s check that our service is running:curl http://localhost:8000?file=./mypoodle.jpg

Success!

Packaging and Distribution


● Further topics:○ Generating a setup.py○ Generating a docker image

Installing ActivePython


● Easy option: Install ActivePython (includes everything we need)

● https://www.activestate.com/activepython/downloads

https://www.activestate.com/activepython/downloads


Future Platform Support


What if we could reduce ALL of what we just did to a single command?



● Working to streamline and simplify this process.● Tight integration and compatibility with community tools is

key.● Share your pain points working with dependency

management and environment configuration:○ [email protected]



● Dependency Resolution.● Reproducible Builds.● Customized Builds/Environments.● “One click” Environment Configuration.

● https://start.activestate.com/platform-home/

Platform: Runtime Security


● Available now: https://www.activestate.com/platform



● Questions to consider:○ What do we do when there are security vulnerabilities

in one of your dependencies? ○ How many times have you had an application

deployed that sits live on the production server but might not be updated frequently?

○ It was secure when you built it, but is it still secure?



● As one component of the evolving ActiveState Platform, our security and compliance plugin for Python can give you zero discipline runtime security checks on your applications.

● Let’s take a look at how we configure that and what kind of results it can give us.

Platform: Signing In


● Step 1: The first thing we need to do is sign into for the ActiveState Platform. Get there by going to platform.activestate.com.○ We’ve pre-created some credentials to use. They’re

shared in the README:■ User: asguest■ Pass: asdeminar

Platform: Dashboard Tour


● Let’s take a walk through the dashboard...

Platform: Installing Plugin


● The first thing we need to do is install the interpreter plugin. This language extension hooks directly into your python interpreter. There’s no extra code in your program -- it will just hook in and work invisibly.

Platform: Installing Plugin


● Once we’ve downloaded, we need to install it:pipenv install ActiveState-SecurityScanner-0.5.5.tar.gz

● ...or...pipenv shell

pip3 install ActiveState-SecurityScanner-0.5.5.tar.gz

Platform: Creating an Identity


● Next, we’ll need to create an identity for our project. We use an identity to encapsulate any connected set of similar functionality, a project, a series of related services, something like that. So let’s create one.

Platform: Configuring Plugin


● We need a configuration file to point the plugin to our identity.

● Create a file activestate.config in the working folder of our application.

# activestate.config file generated by asguest

Identity = 96339c86-20a9-44aa-8363-6e5df85003bf # DeminarURL = https://platform.activestate.com/Debug = False

Platform: Configuring Plugin


● Notice that we need to replace that identity UUID with the UUID of the identity we just created.

Identity = <OUR NEW IDENTITY UUID>

● Now once this file exists, any time we run our interpreter it will be operating on this identity.

Identity Configuration Tips


● Save the file to your home directory (~/activestate.config ) to have it apply to just the applications you run, or

● Save the file in the /etc directory to have it apply to all applications running on the computer (/etc/activestate.config ), or

● Create an environment variable named ACTIVESTATE_CONFIG and set it to the location of the activestate.config file to have it apply to all applications running on the computer, or

● Save it to the working directories for individual applications to have it only apply to those applications.

Platform: Alerts and Results


● Whenever we run our program, we receive scan information on our dashboard.

● And if it had any warnings...

Why We’re Doing This


Three Key Benefits1. Simplicity:

○ Shrink-your-build to what you need

○ Dependencies managed

○ 1 tool that matches your Dev Needs with everyone else in your SDLC

2. Less Risk:

○ Real-time runtime monitoring

○ Security, compliance & package restrictions considered & managed at build

3. More Speed:

○ Shift-left approach at source code removes roadblocks.

○ Predictable build pipelines.

○ 1 click environment configuration


Thank you!● Learn more about our Platform:

https://www.activestate.com/platform

● Download & try our ActivePython: https://www.activestate.com/activepython

● Contact [email protected] for more information.

https://platform.activestate.com


mailto:[email protected]

› wp-content › uploads › 2018 › 10 › webinar-slides-managing... runtime security managing...

Documents