Posture Vs Runtime
APPLICATION RELEASE CYCLE
Security Assessment
K8S WHO, WHY AND HOW?
How often are your release cycles?
What role at your organization is
most responsible for container
and Kubernetes security?
K8S WHO, WHY AND HOW?
• Compliance is a priority
• Lack of K8s knowledge, uses:
• Network security (NGFW) for North-South sanitation
• WAF/API gateways for application-level vulnerabilities
• Willing to purchase a standalone solution for K8s security
• Looking for a solution that covers A-Z (runtime, posture etc.)
• Security is not a priority
• Hates adding tools to his pipeline
• Bottleneck in the organization
• “Don’t touch my production!” - shift left
• Everything is code/API
• Visibility is very important, but not as a standalone offering
• Secret management is a headache
Deliver code as fast as possible
Risk Mitigation, Compliance and avoid data breach
K8S CUSTOMERS POINT OF VIEW
K8S CUSTOMERS POINT OF VIEW
SHIFT LEFT
CAN WE SECURE USING ONLY SHIFT LEFT?
Others can claim:
IMO, NO!!!
Micro Services are predictable
Pro: Watch for abnormal behavior
Con: Not really the case with many types of workloads -> a lot of false positives
Immutability
Pro: you scan for vulnerabilities and deliver a new image every time
Con: if the attacker knows how to insert malware, he can do it every time + maybe he is already on the host/other workload
POSTURE VS RUNTIME
K8S SECURITY REQUIREMENTS
WHERE AND WHY EXISTING SOLUTIONS FAIL
Endless chase
No single source of truth for K8s Configuration
Thousands of potential misconfigurations
Inability to build a reliable normal baseline
False Positives, Complexity, and performance impact
Resource intensive
Find Vulnerabilities & Misconfigurations
Anomaly Behavioral Analysis and Network Segmentation
K8S POSTURE MANAGEMENT K8S RUN TIME PROTECTION
LOOKING TO SECURE KUBERNETES?
K8S POSTURE MANAGEMENT K8S RUN TIME PROTECTION
kubernetes
A WHOLE NEW WAY TO SECURE KUBERNETES
Infusing Visibility, Control, and Security Seamlessly into Every Workload
ARMO BRINGS K8S POSTURE AND RUNTIME TOGETHER - SEAMLESSLY
Enrich findings with runtime deep visibility information
Shrink the attack surface based on field-proven best practices
Continuous compliance validation and auditing
From Zero to Zero-Trust in 10 minutes
No need to change policies when microservices change
Resiliency by design, even against the most advanced attacks
Add Context and Relevancy to posture findings
Patented one-YAML deterministic ZERO-TRUST
K8S POSTURE MANAGEMENT K8S RUN TIME PROTECTION
ARMO Kubernetes Fabric™
KEY TAKEAWAYS
• You need both posture and runtime protection
• Scan your posture as soon as possible (shift left)
• Apply runtime protection on dev/staging/production
Stay Safe!
Questions?
The greatest risk is the one you are not aware of
zvika.ronen@fossaware.com
TEL: +972-(0)52-426-5306
All rights reserved © FOSSAware LTD
• I am 48
• L.L.B law degree - Ono academic college
• I am the CTO of FOSSAware
• I specialized in FOSS technologies and software audits
• I help organizations to implement a risk management program to manage their OSS usage, lower the remediation costs and comply with ISO standards
• I also perform tech due-diligence audits and escort such process for target companies
Who am I
Few Words on Open Source
freely accessed, used, changed, and shared
FSF
four essential freedoms of the Free Software Definition
OSI
Ten criteria of the Open Source Software Definition
FOSS Definition
Legal risk
• Losing IP protection
• Paying Monetary Damages
• Block product shipment/distribution (Injunction)
• Negative press and damaged relationship with customers
Cyber security vulnerabilities
• Denial of service, taking a service offline
• Business intelligence and Client information theft
• Hacker remote access
• Ransom attacks
Operational risk
• Losing ability to build your software due to missing web based components
• Losing community support due to open source project with low contribution activities
• Using outdated open source components (less secure, more complex to upgrade)
Open Source Risks
https://www.theregister.com/2001/06/02/ballmer_linux_is_a_cancer/
Steve Ballmer Former Microsoft CEO
Today Everyone loves Open Source
https://www.zdnet.com/article/ballmer-i-may-have-called-linux-a-cancer-but-now-i-love-it/
Source: Synopsys OSSRA 2021
Industry Sectors and Open Source
Own Proprietary Software
3rd Party Commercial Software
Open Source
Commercial Software Dependencies
Open Source Dependencies
Open Source in Commercial Software
Hackers also Love Open Source
dateutil vs python3-dateutil 350 FORKS
jellyfish vs jeIlyfish (“L” is an “I”) 122 FORKS
Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks
OSS Malicious Package Analysis by the Academy
Hundreds of open source packages were used in real cyber events
61% of malicious packages used typosquatting
2nd most common – injection to existing package
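A dependency-review check for the two squats named on this slide, as an added example that is not part of the original deck. It goes beyond the slide's two cases by also flagging single-character slips. The allowlist, the sample requirements listing and all function names are constructed for illustration.

```python
import re

# Constructed allowlist for this example; substitute your approved-dependency list.
TRUSTED = ("python-dateutil", "jellyfish", "requests", "urllib3")

# Look-alike characters collapsed into one class (covers the slide's "L" vs "I").
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "0": "o"})
# Tokens squatters add to or drop from a real name (python3-dateutil vs dateutil).
DECORATION = {"python", "python3", "py", "py3"}

def canonical(name):
    """PEP 503 form: lowercase, runs of '-', '_', '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def skeleton(name):
    """Canonical name with decoration tokens dropped and look-alikes collapsed."""
    tokens = [t for t in canonical(name).split("-") if t not in DECORATION]
    return "".join(tokens).translate(CONFUSABLE)

def edit_distance(a, b):
    """Levenshtein distance, enough to catch a single slipped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check(name, trusted=TRUSTED):
    """Return (verdict, lookalike_of) for one requested dependency name."""
    if canonical(name) in {canonical(t) for t in trusted}:
        return ("ok", None)
    skel = skeleton(name)
    for t in trusted:  # same skeleton, different name: homoglyph or affix squat
        if skel and skel == skeleton(t):
            return ("lookalike", t)
    for t in trusted:  # one edit away from a trusted name: likely typo squat
        if len(skel) >= 5 and edit_distance(skel, skeleton(t)) == 1:
            return ("near-miss", t)
    return ("unknown", None)

def audit(requirements):
    """Check every non-comment line of a requirements-style listing."""
    findings = {}
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name = re.split(r"[<>=!~;\[ ]", line, maxsplit=1)[0]
            findings[name] = check(name)
    return findings

# Constructed requirements listing mixing genuine names with the slide's two squats.
SAMPLE = """\
python-dateutil==2.8.2
python3-dateutil
jeIlyfish>=0.7
Jellyfish
requets
flask
"""

if __name__ == "__main__":
    for pkg, (verdict, target) in audit(SAMPLE).items():
        print(f"{pkg:20} {verdict:10} {target or ''}")
```

Names reported as "unknown" are simply not on the allowlist; only "lookalike" and "near-miss" indicate resemblance to a trusted package.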
Source: Dustico Blog, https://dusti.co/blog/unsafe-to-download-pip/
Downloaded FOSS may include hidden setup
Source: WhiteSource, 2021
Open Source Vulnerabilities Continue To Increase
#1 Lodash
#2 FasterXML jackson-databind
#3 HtmlUnit
#4 Handlebars
#5 http-proxy
Source: WhiteSource, Top 10 Open Source Vulnerabilities In 2020
Top 10 Open Source Vulnerabilities In 2020
Source: Sonatype, devsecops community survey 2020
Open Source related breaches occur much too often
Source: Sonatype, devsecops community survey 2020
1 in 5 breaches is Open Source related
Open Source Component - Apache Struts (CVE-2017-5638)
Equifax breach was 100% preventable
• Popularity: 2 million downloads per week
• Dependency: “flatmap-stream” has malicious code
• The action: Harvest the victim’s “copay” private keys
• Intention: Steal Bitcoin
• Result: 7000 stolen bitcoins
The “Event-Stream” incident
https://github.com/dominictarr/event-stream/issues/116
• Open Source Component - Mozjpeg (CVE-2020-13790)
• Mozjpeg weekly downloads from NPM - 650k
Instagram Hack core reason – Mozjpeg
Source: reddit.com
CODECOV
Source: medium.com/@alex.birsan/dependency-confusion
PyPI and NPM Flooded with over 5,000 Dependency Confusion Copycats
Source: securityreport.com
Copycat behavior (Dependency Confusion based)
• Human factor (training)
• Proprietary code (static analysis)
• Supply chain 3rd party (liability & support)
• Open Source?
• White/Black-box (testing)
What is the weakest / unknown link of the chain?
Top 10 Web Application Security Risks
“Developers often use available open source and third-party
software components to create a product; an SBOM allows the
builder to make sure those components are up to date and to
respond quickly to new vulnerabilities. Buyers can use an SBOM to
perform vulnerability or license analysis, both of which can be used
to evaluate risk in a product.”
What Biden has to say on Open Source?
What Should We Do?
1. Know Your Product
Homegrown code
3rd Party Commercial Software
Open Source
Commercial Software Dependencies
Open Source Dependencies
Open Source in Commercial Software
2. Manage your Open Source
3rd Party Commercial
Software
Open Source
Dependencies
Open Source
Dependencies
Choosing right
Manage your software supply chain in “critical software”
Manage your Open Source
“critical software” — software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources)
CII Best Practices badge program
End User License Agreement
BSD Open Source License
Manage risks from 3rd party (Supply Chain)
Common Default in Commercial Software Agreements
 | Homegrown code | Open Source | 3rd Party Proprietary SW
Cost
Possible Vulnerabilities
IP rights | Owned | Licensed | Licensed
License Requirements
Procurement is being done by | Homegrown | The developers | Procurement people
Who is responsible? | The developer | The developer | The vendor
Support | By the developer | Community/Developer | By the vendor
Additional Dependencies
Access to Source Code
Analysis tools | Static Code Analysis | Software Composition Analysis | Penetration Test
All types of software require some level of compliance and/or vulnerability monitoring
Monitoring is being done using different tools, processes, and policies
Homegrown vs. Open Source vs. 3rd Party Proprietary SW
1. Risk management program (ISO-5230)
• Policy
• Process
• Tools
• Training
2. Early detection = Lower remediation cost
3. Ongoing management (pre-> post production)
OSS in Commercial Software Development
3. Do not reinvent the wheel
International Standard for open source license compliance
Questions?
zvika.ronen@fossaware.com
TEL: +972-(0)52-426-5306
Automated Red-Team for Managing Attack Surface
Alex Peleg
CEO | Hacker
AI and Community powered
Attack Surface and Operations
Management For SMEs
Reducing Time From Breach to Fix
Recover From Incidents Offensive
Engineering
Cynergy.app
Agenda
1. Kaseya breach story
2. Attack Surface 101
3. Why AI?
4. Continuous Red-Team, the good the bad and the ugly.
5. Open topics for further research and innovation
What has gone wrong?
A server was exposed....
Attack Surface 101
Attackers need only one hole in the defense
• External Attack Surface
• Web & Mobile Apps
• Infrastructure
• Cloud
• Employees
• 3rd & 4th Parties
• Subsidiaries
Why AI?
Context Scale Stupidity
Continuous Red-Team
Additional Research...
1. Faster and Better Context
2. Threat Intelligence to Improve Prioritization
3. AI based mitigation - GPT3
4. Integration with CICD
Q&A
Thanks and Questions! Alex@cynergy.app
Turn any Kubernetes solution into Zero-Trust by design
FROM ZERO to ZERO-TRUST
WHAT ARE WE UP AGAINST?
What are hackers looking for?
• Data
  - Business & customer’s data
• Keys
  - Encryption & Authentication
• Resources
  - CPU (coin miners)
  - Storage
  - Network (bots)
• Damage & Extortion
  - Ransom
  - DDoS, UI/UX harm
• Intellectual Property
  - Algorithms
  - APIs
What do they do inside?
• Use existing software in an inappropriate way
• Change behavior of existing software
  - Change configuration
• Inject new software
  - Corrupt existing software
  - Add new software
How do they break in?
• Misconfigurations
• Credential abuse
• Software vulnerability
KNOCK-KNOCK, WHO IS THERE?
Who is calling my APIs? Who is reading my Data?
DON’T TRUST, VERIFY!
Protect customer solutions even if infrastructure is compromised
Genuine Software Identity – like DNA
Automated Zero-Trust Network Policy
Transparent Data Signing & Encryption
SOFTWARE DNA – WHAT DOES THIS MEAN?
Executable
DLL/SO
DLL/SO
ARMOGuard
DLL/SO
Python/Java/JS/.NET
ConfigFile/ConfigMap
Environment Variables
Command Line
ARMO
Back-End
Prove DNA validity
Receive Cryptographic Materials
Protect process memory while it runs:
• Validate cryptographic digest of every relevant artifact
• Prevent unsigned artifacts from loading
• Keep containers immutable
• Use Kubernetes for automation
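A generic sketch of digest-based workload admission over the artifact classes listed on this slide, added here as an example; it is not ARMO's implementation or API. The workload contents, key and function names are constructed, and HMAC-SHA256 stands in for whatever signature scheme a real deployment would use.

```python
import hashlib
import hmac
import json

# Artifact classes named on the slide; each maps artifact name -> raw bytes.
CLASSES = ("executable", "libraries", "scripts", "config", "environment", "command_line")


def measure(workload):
    """SHA-256 every artifact the workload would load, keyed 'class/name'."""
    return {
        f"{cls}/{name}": hashlib.sha256(data).hexdigest()
        for cls in CLASSES
        for name, data in sorted(workload.get(cls, {}).items())
    }


def sign_manifest(manifest, key):
    """HMAC-SHA256 over canonical JSON (assumed stand-in for a real signature)."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def admit(workload, manifest, signature, key):
    """Return a list of violations; an empty list means the workload may start."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return ["manifest: signature invalid"]
    observed = measure(workload)
    problems = []
    for artifact, digest in observed.items():
        if artifact not in manifest:
            problems.append(f"{artifact}: not in signed manifest")
        elif not hmac.compare_digest(digest, manifest[artifact]):
            problems.append(f"{artifact}: digest mismatch")
    problems += [f"{a}: expected but absent" for a in manifest if a not in observed]
    return problems


# Constructed workload and key, for illustration only.
KEY = b"constructed-demo-key"
GOOD = {
    "executable": {"server": b"\x7fELF legit server image"},
    "libraries": {"libssl.so": b"library bytes"},
    "scripts": {"app.py": b"print('serve')"},
    "config": {"app.yaml": b"port: 8443\n"},
    "environment": {"MODE": b"prod"},
    "command_line": {"argv": b"server --config app.yaml"},
}
MANIFEST = measure(GOOD)
SIGNATURE = sign_manifest(MANIFEST, KEY)


def scenarios():
    """Legit start, an added library, a changed config, and an edited manifest."""
    injected = {**GOOD, "libraries": {**GOOD["libraries"], "libinject.so": b"payload"}}
    reconfigured = {**GOOD, "config": {"app.yaml": b"port: 8443\ndebug: true\n"}}
    forged = {**MANIFEST, "libraries/libinject.so": hashlib.sha256(b"payload").hexdigest()}
    return {
        "legit": admit(GOOD, MANIFEST, SIGNATURE, KEY),
        "injected_library": admit(injected, MANIFEST, SIGNATURE, KEY),
        "changed_config": admit(reconfigured, MANIFEST, SIGNATURE, KEY),
        "forged_manifest": admit(injected, forged, SIGNATURE, KEY),
    }


if __name__ == "__main__":
    for case, violations in scenarios().items():
        print(case, violations or "admitted")
```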
INTENTION
POD A
Secret Volume
POD B
Server
Legit App
Container Container
REALITY
POD A
Secret Volume
POD B
Injected App
Server
Legit App
Container Container
WITH ARMO ZERO-TRUST
POD A
Secret Volume
POD B
Injected App
Server
Legit App
Container Container
DEMO
Questions?
• Thank You!
• Questions?
• To be continued…

Application security meetup k8_s security with zero trust_29072021
