
Post on 27-Feb-2020


Managing Dependencies and Runtime Security

ActiveState Deminar

About ActiveState


● Track-record: 97% of Fortune 1000, 20+ years open source

● Polyglot: 5 languages - Python, Perl, Tcl, Go, Ruby

● Runtime Focus: concept to development to production

Welcome


Pete Garcin, Developer Advocate, ActiveState (@rawktron)

Overview


● Managing Project Dependencies
  ○ Pip/requirements
  ○ ActivePython

● Virtual Environments
  ○ PipEnv

● Runtime Security

● Q&A

Configuring Dev Environment


git clone https://github.com/ActiveState/activedeminar

Your dependency tree:


Managing Deps


● Vendored Deps
  ○ Advantages: guaranteed security, compatibility, stability, availability
  ○ Disadvantages: larger repo, you have to manually maintain - could be out of date, conflicts with system installs

Managing Deps


● Requirements.txt/Pipfile
  ○ Have to ‘install’ and build from a repo BUT you don’t have to maintain the code and ship it yourself
  ○ You need to pin versions to prevent bleeding edge
  ○ Use a virtualenv for isolation

Managing Deps


● Pre-built distributions
  ○ No discipline approach
  ○ Most popular packages already pre-built, tested, and included in your distro, quarterly updates
  ○ As the standard install across a large org or team can work well
  ○ Not updated frequently
  ○ Not customized to your needs
  ○ Overall may not fit your use case

Vendoring Deps in Python


● Requires a virtualenv to prevent conflicts
● May involve generating your own wheels for local pip servers
● Not widely used
● Higher maintenance overhead
● Can be good/necessary if you have custom patches

Creating requirements.txt


● Can use “pip freeze” but this gives us everything in our system environment.

● Let’s use pipreqs:
  ○ https://github.com/bndr/pipreqs
  ○ pip3 install pipreqs
  ○ pipreqs .

Pinning Versions


● Pinning means forcing a specific version to be installed

● Why? Reproducible builds.

● Syntax:

○ Framework==0.9.4

○ Library>=0.2

Reproducible Builds


● Guarantee the exact same build in two locations

● Ensure you have the same versions of every package

● Requires a lockfile, or a “pip freeze”
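The two syntaxes on the Pinning Versions slide behave very differently for reproducibility: `Framework==0.9.4` fixes one version, while `Library>=0.2` lets a later build pick up whatever is newest. As an added example (not code from the slides or from pip), here is a small checker that parses a requirements.txt the way pip reads requirement lines and reports which entries are not pinned to an exact version. The sample file and all package names in it are constructed for the example.

```python
"""Report requirements.txt entries that do not pin an exact version.

Added example, not part of the ActiveState slides or of pip. A build that
still contains range specifiers cannot be reproduced exactly in two locations.
"""
import re

# Requirement line: name, optional [extras], optional comma-separated specifier set.
# Environment markers (after ';'), comments and pip options (--hash ...) are ignored.
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"(?:\[[^\]]*\])?\s*"
    r"(?P<spec>(?:[<>=!~]=?|===)\s*[^\s;#,]+"
    r"(?:\s*,\s*(?:[<>=!~]=?|===)\s*[^\s;#,]+)*)?"
)
_CLAUSE_RE = re.compile(r"(===|~=|==|!=|<=|>=|<|>)\s*(.+)")

# Constructed sample file; the package names are placeholders, not real projects.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project's file
-r base.txt
Framework==0.9.4
Library>=0.2
numpy
Flask[async]>=1.0,<2.0
requests~=2.20
pkg===1.0
wild==1.14.*
colorama==0.4.1; sys_platform == "win32"
"""


def parse_requirements(text):
    """Yield (name, [(operator, version), ...]) for each requirement line.

    Blank lines, comments and option lines such as ``-r other.txt`` are skipped.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = _REQ_RE.match(line)
        if not match:
            continue  # URLs, local paths and other forms are out of scope here
        clauses = []
        for clause in filter(None, (c.strip() for c in (match.group("spec") or "").split(","))):
            op_match = _CLAUSE_RE.match(clause)
            if op_match:
                clauses.append((op_match.group(1), op_match.group(2)))
        yield match.group("name"), clauses


def is_pinned(clauses):
    """Pinned means one clause forces a single exact version (no wildcard)."""
    return any(op in ("==", "===") and not ver.endswith(".*") for op, ver in clauses)


def unpinned_requirements(text):
    """Names of all requirements in ``text`` that a reproducible build cannot rely on."""
    return [name for name, clauses in parse_requirements(text) if not is_pinned(clauses)]


if __name__ == "__main__":
    for name, clauses in parse_requirements(SAMPLE_REQUIREMENTS):
        spec = ",".join(op + ver for op, ver in clauses) or "(any version)"
        print(f"{name:10} {'pinned' if is_pinned(clauses) else 'NOT pinned':11} {spec}")
```

Run it against the sample and the five entries that would drift between builds are listed; `~=` and `==1.14.*` are treated as ranges on purpose, since both still allow pip to choose among several releases.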

Virtual Environments


● A Virtual Environment is a self-contained, sandboxed environment -- just for your app.

● It only has the packages you specify and they are totally distinct from the system installed ones.

Virtual Environments


● Complex but critical for app deployment, development.
● Can use ‘virtualenv’ to create and manage them but there is a new tool combining pip and virtualenv.

PipEnv


● Enter PipEnv: New “Community Standard” application combines Pip/virtualenv and extends their functionality in a single app.

● Let’s install it here:
  ○ https://github.com/pypa/pipenv

pip3 install pipenv

● You can initialize a clean environment, Python 3:

pipenv --three

Generating Pipfile


● We can generate a pipfile from our requirements.txt using the following command:

pipenv install

HANDY TIP

We can generate a virtualenv of ActivePython using:

pipenv --python="/home/parallels/AP36/bin/python3" --site-packages install

Generating Pipfile


[[source]]
url = "https://pypi.python.org/simple"
verify_ssl = true
name = "pypi"

[packages]
numpy = "==1.14.3"
tensorflow = "==1.8.0"
Flask = "==1.0.1"

[dev-packages]

[requires]
python_version = "3.6"

Generating Pipfile.lock


● Generate a lockfile that contains the fully resolved dep tree for our project:

pipenv lock

● Required for a deterministic build.
● Warning: could fail to resolve a dependency conflict!
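A deterministic build depends on what actually landed in Pipfile.lock, so it is worth checking the lock rather than trusting that `pipenv lock` produced what the Pipfile asked for. The following is an added example, not code from the slides or from pipenv: it reads the `[packages]` table of a Pipfile with a minimal line parser, loads a Pipfile.lock (which is JSON), and reports any package that is not locked to an exact `==` version, has no hashes for `pipenv sync` to verify, or disagrees with the Pipfile pin. The Pipfile mirrors the slide; the lock and its hash values are constructed for the example.

```python
"""Audit a Pipfile.lock for a deterministic install.

Added example, not part of the ActiveState slides or of pipenv. Checks that
every locked package has an exact version and at least one hash, and that every
package pinned in the Pipfile is present in the lock at the same version.
"""
import json
import re

# Pipfile content taken from the slide.
PIPFILE = """
[[source]]
url = "https://pypi.python.org/simple"
verify_ssl = true
name = "pypi"

[packages]
numpy = "==1.14.3"
tensorflow = "==1.8.0"
Flask = "==1.0.1"

[dev-packages]

[requires]
python_version = "3.6"
"""

# Constructed lock with deliberate problems; hashes are placeholders, not real digests.
PIPFILE_LOCK = json.dumps({
    "_meta": {"pipfile-spec": 6, "requires": {"python_version": "3.6"}},
    "default": {
        "numpy": {"version": "==1.14.3", "hashes": ["sha256:placeholder-numpy"]},
        "tensorflow": {"version": "==1.8.0", "hashes": []},
        "flask": {"version": "==1.0.2", "hashes": ["sha256:placeholder-flask"]},
        "werkzeug": {"version": ">=0.14", "hashes": ["sha256:placeholder-werkzeug"]},
    },
    "develop": {},
})


def normalize(name):
    """PEP 503 name normalisation; pipenv keys the lock by the normalised name."""
    return re.sub(r"[-_.]+", "-", name).lower()


def pipfile_packages(text):
    """Minimal reader for the [packages] table: only ``name = "spec"`` lines."""
    pins, in_packages = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_packages = line == "[packages]"
            continue
        match = re.match(r'^([A-Za-z0-9_.-]+)\s*=\s*"([^"]*)"', line)
        if in_packages and match:
            pins[normalize(match.group(1))] = match.group(2)
    return pins


def audit_lock(pipfile_text, lock_text):
    """Return a sorted list of findings; an empty list means the lock is usable."""
    locked = json.loads(lock_text).get("default", {})
    findings = []
    for name, entry in locked.items():
        version = entry.get("version", "")
        if not version.startswith("==") or version.endswith("*"):
            findings.append(f"{name}: not locked to an exact version ({version or 'none'})")
        if not entry.get("hashes"):
            findings.append(f"{name}: no hashes, install cannot verify the artifact")
    for name, spec in pipfile_packages(pipfile_text).items():
        if name not in locked:
            findings.append(f"{name}: pinned in Pipfile but missing from lock")
        elif spec.startswith("==") and locked[name].get("version") != spec:
            findings.append(f"{name}: Pipfile wants {spec} but lock has {locked[name]['version']}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_lock(PIPFILE, PIPFILE_LOCK):
        print(finding)
```

On the constructed lock this reports three findings: the Flask drift, the missing tensorflow hashes and the unpinned transitive dependency. Only the `default` table is audited here; `develop` would be handled the same way for a dev environment.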

Install all Dependencies


● Let’s spawn a shell inside our virtualenv:

pipenv shell

● The “sync” command will install everything in the .lock file:

pipenv sync

Project Complete


● We now have a project that has:
  ○ A virtualenv created for it distinct from our system install
  ○ A pipfile that defines all the deps for our project generated from our requirements.txt
  ○ A lockfile that is a fully resolved version of all deps for this project.
  ○ All deps installed for our project in that virtualenv
  ○ Our project ready to go!

Running Project


● Remember to spawn a shell inside our virtualenv:

pipenv shell

● We can deploy our flask server using this command:

python3 app.py

Verify it works


● Let’s check that our service is running:

curl http://localhost:8000?file=./mypoodle.jpg

Success!

Packaging and Distribution


● Further topics:
  ○ Generating a setup.py
  ○ Generating a docker image

Installing ActivePython


● Easy option: Install ActivePython (includes everything we need)

● https://www.activestate.com/activepython/downloads

Future Platform Support


What if we could reduce ALL of what we just did to a single command?

Future Platform Support


● Working to streamline and simplify this process.
● Tight integration and compatibility with community tools is key.
● Share your pain points working with dependency management and environment configuration:
  ○ peteg@activestate.com

Future Platform Support


● Dependency Resolution.
● Reproducible Builds.
● Customized Builds/Environments.
● “One click” Environment Configuration.

● https://start.activestate.com/platform-home/

Platform: Runtime Security


● Available now: https://www.activestate.com/platform


Platform: Runtime Security


● Questions to consider:
  ○ What do we do when there are security vulnerabilities in one of your dependencies?
  ○ How many times have you had an application deployed that sits live on the production server but might not be updated frequently?
  ○ It was secure when you built it, but is it still secure?

Platform: Runtime Security


● As one component of the evolving ActiveState Platform, our security and compliance plugin for Python can give you zero discipline runtime security checks on your applications.

● Let’s take a look at how we configure that and what kind of results it can give us.

Platform: Signing In


● Step 1: The first thing we need to do is sign in to the ActiveState Platform. Get there by going to platform.activestate.com.
  ○ We’ve pre-created some credentials to use. They’re shared in the README:
    ■ User: asguest
    ■ Pass: asdeminar

Platform: Dashboard Tour


● Let’s take a walk through the dashboard...

Platform: Installing Plugin


● The first thing we need to do is install the interpreter plugin. This language extension hooks directly into your python interpreter. There’s no extra code in your program -- it will just hook in and work invisibly.

Platform: Installing Plugin


● Once we’ve downloaded it, we need to install it:

pipenv install ActiveState-SecurityScanner-0.5.5.tar.gz

● ...or...

pipenv shell
pip3 install ActiveState-SecurityScanner-0.5.5.tar.gz

Platform: Creating an Identity


● Next, we’ll need to create an identity for our project. We use an identity to encapsulate any connected set of similar functionality, a project, a series of related services, something like that. So let’s create one.

Platform: Configuring Plugin


● We need a configuration file to point the plugin to our identity.

● Create a file activestate.config in the working folder of our application.

# activestate.config file generated by asguest
Identity = 96339c86-20a9-44aa-8363-6e5df85003bf # Deminar
URL = https://platform.activestate.com/
Debug = False

Platform: Configuring Plugin


● Notice that we need to replace that identity UUID with the UUID of the identity we just created.

Identity = <OUR NEW IDENTITY UUID>

● Now once this file exists, any time we run our interpreter it will be operating on this identity.

Identity Configuration Tips


● Save the file to your home directory (~/activestate.config) to have it apply to just the applications you run, or

● Save the file in the /etc directory to have it apply to all applications running on the computer (/etc/activestate.config), or

● Create an environment variable named ACTIVESTATE_CONFIG and set it to the location of the activestate.config file to have it apply to all applications running on the computer, or

● Save it to the working directories for individual applications to have it only apply to those applications.
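The slides leave the identity UUID as a placeholder to replace, and give four places the file can live, so a misconfigured file is easy to ship. As an added example (not code from the slides or from the ActiveState plugin), here is a reader for the `key = value` format shown above that strips the trailing `# Deminar` style comment, validates that Identity is a real UUID and that URL uses https, and locates the file across the listed locations. The slides do not state which location the plugin prefers when several exist, so the order `find_config()` searches in is an assumption of this example; the sample file content is constructed, with the UUID copied from the slide.

```python
"""Parse, validate and locate an activestate.config file.

Added example, not code from ActiveState's plugin. It assumes only what the
slides show: ``key = value`` lines, ``#`` comments and the keys Identity, URL
and Debug. The search precedence in find_config() is an assumption, not the
plugin's documented behaviour.
"""
import os
import uuid

# Constructed sample; the identity UUID is the one shown on the slide.
SAMPLE_CONFIG = """# activestate.config file generated by asguest
Identity = 96339c86-20a9-44aa-8363-6e5df85003bf  # Deminar
URL = https://platform.activestate.com/
Debug = False
"""


def parse_config(text):
    """Return {key: value}; blank lines and anything after '#' are ignored."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        config[key] = value
    return config


def validate_config(config):
    """Return a list of problems; an empty list means the file is usable."""
    problems = []
    try:
        uuid.UUID(config.get("Identity", ""))
    except ValueError:
        problems.append("Identity is not a valid UUID (was the placeholder replaced?)")
    if not config.get("URL", "").startswith("https://"):
        problems.append("URL must use https so scan results are not sent in the clear")
    if config.get("Debug", "False") not in ("True", "False"):
        problems.append("Debug must be True or False")
    return problems


def find_config(env, cwd, home, exists=os.path.exists):
    """Return the first existing candidate path, or None.

    Assumed order (not taken from the page): the application's working
    directory, then ACTIVESTATE_CONFIG, then ~/activestate.config, then
    /etc/activestate.config. ``exists`` is injectable so this can be tested
    without touching the file system.
    """
    candidates = [os.path.join(cwd, "activestate.config")]
    if env.get("ACTIVESTATE_CONFIG"):
        candidates.append(env["ACTIVESTATE_CONFIG"])
    candidates += [os.path.join(home, "activestate.config"), "/etc/activestate.config"]
    return next((path for path in candidates if exists(path)), None)


if __name__ == "__main__":
    path = find_config(os.environ, os.getcwd(), os.path.expanduser("~"))
    text = open(path).read() if path else SAMPLE_CONFIG
    print("using", path or "constructed sample")
    for problem in validate_config(parse_config(text)) or ["config looks usable"]:
        print(problem)
```

Running it in a directory without a config file falls back to the constructed sample, which passes all three checks; the same checks flag the `<OUR NEW IDENTITY UUID>` placeholder from the slide as an invalid identity.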

Platform: Alerts and Results


● Whenever we run our program, we receive scan information on our dashboard.

● And if it had any warnings...

Why We’re Doing This


Three Key Benefits

1. Simplicity:

○ Shrink-your-build to what you need

○ Dependencies managed

○ 1 tool that matches your Dev Needs with everyone else in your SDLC

2. Less Risk:

○ Real-time runtime monitoring

○ Security, compliance & package restrictions considered & managed at build

3. More Speed:

○ Shift-left approach at source code removes roadblocks.

○ Predictable build pipelines.

○ 1 click environment configuration


Q & A

Thank you!

● Learn more about our Platform: https://www.activestate.com/platform

● Download & try our ActivePython: https://www.activestate.com/activepython

● Contact platform@activestate.com for more information.
