Company Confidential & Proprietary
360° Kubernetes Security: From Source Code to K8s Configuration Security
Shiri Arad Ivtsan, Senior Product Manager at WhiteSource
Yaniv Peleg Tsabari, Product Manager at Alcide
Meet Shiri and Yaniv
about# yaniv.peleg.tsabari
--from tel_aviv
--enjoy running, swimming, baking bread
--engineering @ECI Telecom
--product @Imperva
--product @alcide
--linkedIn Yaniv Peleg Tsabari
about# shiri.arad.ivtsan
--from givatayim
--enjoy reading, yoga, pilates
--Former_CSM @Spotinst
--product @Whitesource
--podcaster @Mozzarella
--linkedIn Shiri Arad Ivtsan
The Agenda
▪ Open Source Usage Summary
▪ Handling Vulnerabilities The Common Way
▪ Best Practices for Handling Vulnerabilities
▪ Alcide Overview - Drivers for Kubernetes security
▪ Kubernetes Dev to production security building blocks
▪ Alcide Advisor - Continuous K8s Security from Cluster Hygiene to Drift Prevention
▪ Alcide Advisor short demo
▪ Q&A
96.8% of developers rely on open source components (chart: Frequency of Use of Open Source Components)
80% of the Code Base is Open Source Components
Share of open source vs. proprietary code over time: 5%-10% (1998), 30%-50% (2008), 60%-80% (2016)
Source: North Bridge Future Of Open Source Survey
The Number of Reported Vulnerabilities is Rising
But it's not all bad: the rise in awareness also led to a sharp rise in suggested fixes…
97.4% of all reported vulnerabilities have at least one suggested fix in the open source community
Information about vulnerabilities is scattered across hundreds of resources, usually poorly indexed and therefore unsearchable
Over 86% of reported open source vulnerabilities appear in the CVE database
Detect Issues As Early As Possible
Handling Security Vulnerabilities The Common Way
The Common Way of Handling Security Vulnerabilities
▪ Security teams analyze and prioritize vulnerabilities
▪ Sending emails or opening issues/tickets
▪ Closing the loop on resolution is hard
The Common Way of Handling Security Vulnerabilities
Security, DevOps, Developers: Bridging the Gap is a Must
How to Bake Security Into Existing Workflows
Containers: Software Development Lifecycle
Orchestration Controller
▪ Scans the entire cluster as a baseline for future changes
▪ Visibility of libraries, images, alerts and vulnerabilities
▪ Tracks changes in the cluster
▪ Scans the container images and reports cluster security-related information
▪ Designated reports and dashboards
Initial Scan
▪ Get a baseline of resources in the cluster, including all open source components
▪ Include/Exclude specific resources from the scan
▪ Adjust performance limits: parallel resources scanned
Real-Time Alerts for Vulnerabilities
▪ Get automated alerts for vulnerabilities upon new resource deployment
▪ Get alerts for new vulnerabilities in existing resources
Enforcement
▪ Configurable way to enforce security policies as a final gate before production
▪ The controller uses the Kubernetes built-in admission controller to reject vulnerable resources
Keep your Kubernetes Cluster Secure
Copyright ©2019 Alcide.io, All Rights Reserved
Kubernetes Security Surface: More Than Just Docker and Images
Kubernetes Security Surface: Docker/Image Security
Kubernetes Security Surface: Cluster Hygiene with Alcide Advisor and WhiteSource
The Kubernetes Attack Surface
▪ Access to VMs
▪ Access via K8s API or Proxy
▪ Access to etcd API
▪ Intercept/manipulate control traffic
▪ Intercept/manipulate app traffic
▪ Escape container/pod to host
K8s, Like All Software, Isn't Immune to Security Issues: Metadata, DNS, IAM
Alcide Continuous Security from Dev-to-Production
Ensuring the Security of Kubernetes & Istio based Applications. Continuously.
[Pipeline figure: Code → Build → Deploy → Test → Release → Test → Operate → Test]
1. Snapshot of Cluster's Risks & Hygiene
2. Detecting Hygiene Drifts
3. Drift Prevention
Harden Production Environment By Shifting-Left and Resolving Security Issues in Development Stage
Alcide Advisor: What Can You Scan?!
▪ App Formation: learn & enforce cluster deployed components
▪ Network Policies: Kubernetes network policies; Alcide embedded policies
▪ Secret Hunting: ConfigMaps; Pod environment variables; RBAC permissions for Secret objects
▪ Pod Security: security context; Pod Security Policy; host volume mount blacklists
▪ Vulnerabilities Scan: Kubernetes vulnerabilities scan on the master API server and worker node components; Istio Control Plane CVE scan
▪ Ingress Controllers: scan Ingress controllers for security best practices
▪ K8S Operators: scan etcd and Prometheus operators for security best practices
▪ Istio Security: Istio security configuration and best practices
▪ Workload Conformance: validate labeling scheme; validate annotation scheme; validate readiness/liveness probes exist; validate CPU & memory limits defined
▪ K8S Dashboard: Kubernetes Dashboard security checks
▪ Service Resources: scan Service resources for hardening best practices
▪ Registry Whitelist: container image names and tags; supply chain validation against whitelist
▪ Admission Control: enforce policy at resource admission time; drift prevention
▪ K8S CIS Benchmark: scan Kubernetes nodes against the CIS benchmark
▪ K8S API Server: Kubernetes API Server access privilege checks
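The Pod Security, Workload Conformance, Registry Whitelist and Admission Control checks above, as an added example that is not Alcide's or WhiteSource's code: an admission-style policy function that evaluates a Pod manifest and returns the violations a validating admission webhook would deny on. The registry allowlist, the hostPath blacklist, the pinned-tag rule and the sample manifest are constructed for the example.

```python
# Added example, not Alcide's or WhiteSource's code: an admission-style check that applies
# several hygiene rules from the list above to a Pod manifest and returns the violations
# a validating admission webhook would deny on. Allowlist, blacklist and sample are constructed.
ALLOWED_REGISTRIES = {"registry.example.internal", "gcr.io"}
HOSTPATH_BLACKLIST = {"/", "/etc", "/var/run/docker.sock"}

def image_registry(image):
    # The registry is the first path component only if it looks like a host; else Docker Hub.
    first = image.split("/")[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def image_is_pinned(image):
    # Require a digest or an explicit tag other than 'latest' (mutable tags drift silently).
    if "@sha256:" in image:
        return True
    name = image.rsplit("/", 1)[-1]
    return ":" in name and not name.endswith(":latest")

def validate_pod(pod):
    # Returns a list of violations; an empty list means the Pod may be admitted.
    violations, spec = [], pod.get("spec", {})
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path in HOSTPATH_BLACKLIST:
            violations.append(f"volume {vol['name']}: blacklisted hostPath {path}")
    for c in spec.get("containers", []):
        name, image = c["name"], c["image"]
        if image_registry(image) not in ALLOWED_REGISTRIES:
            violations.append(f"{name}: registry {image_registry(image)} not whitelisted")
        if not image_is_pinned(image):
            violations.append(f"{name}: image tag not pinned")
        limits = c.get("resources", {}).get("limits", {})
        violations += [f"{name}: missing {r} limit" for r in ("cpu", "memory") if r not in limits]
        violations += [f"{name}: missing {p}" for p in ("livenessProbe", "readinessProbe") if p not in c]
        if c.get("securityContext", {}).get("privileged"):
            violations.append(f"{name}: privileged container")
    return violations

# Constructed manifest: pulls an unpinned image from Docker Hub and mounts the Docker socket.
SAMPLE_POD = {"spec": {
    "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}],
    "containers": [{"name": "web", "image": "nginx:latest",
                    "resources": {"limits": {"cpu": "500m"}},
                    "livenessProbe": {"httpGet": {"path": "/", "port": 80}}}]}}

if __name__ == "__main__":
    print("\n".join(validate_pod(SAMPLE_POD)) or "admitted")
```

Wired into a webhook, the same function would run at admission time, which is how a rule set like this doubles as drift prevention: a manifest that passed in CI is re-checked against the same policy when it reaches the cluster.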
Cluster Hygiene with Alcide Advisor in CI+CD: Am I Pulling Software from Authorized Image Registries?
Alcide Advisor: Key Takeaways
→ Ramping up your K8s environment quickly while reducing security risks
→ Agile Security - IN // Security vs agility OUT
→ One platform for collaboration: connecting security and DevOps
Q & A
Thank you!
www.whitesourcesoftware.com
Alcide.io