Attacking and Defending Cloud Native Infrastructure
WhiteSource Webinar, August 2020
@sublimino and @controlplaneio
I’m:
- Andy
- Dev-like
- Sec-ish
- Ops-y
Course author:
- SANS SEC584
- Cloud Native Security: Defending Containers and Kubernetes
- O’Reilly
- ControlPlane
Trainer:
- Hashicorp
- Docker
● Applications, infrastructure, security, and policy are all defined as code
● Everything is built as a type of software
● Similar controls can be applied to entire classes of software, containers, and systems (static analysis, composition scanning etc)
Everything is Software
DoD Enterprise DevSecOps Reference Design
Securing the entire application and infrastructure lifecycle
● Collaboration
● Automation
● Containerisation
● Testing
SecOps
Third Party Code Risk and Supply Chain Security
● Build stages and their artefacts can be cryptographically signed to provide a chain of trust
● Software dependencies pulled into a secure build environment should be scanned for CVEs and their signatures verified where available
Defending
● Prevent network egress
● Isolate from the host's kernel
● Execute RUN commands as a non-root user in the container filesystem
● Run the build process as a non-root user
○ or in a user namespace
● Share nothing non-essential
Kubernetes Attack Trees - Compromised Container Scenario
kubesim.io - K8S Hacking and Hardening Simulator
● infrastructure deployment
● cluster provisioning and workload configuration
● scenario runner with challenges, hints, and scoring
● raw command line experience
● open source core at https://github.com/kubernetes-simulator/simulator
What are we doing today?
● Burning some things
○ And trying to extinguish the flames
● For each attack
○ Intro
○ Demo
○ Remediate
○ DevSecOps-ify
Docker and Kube
● Kube doesn't love us
● Y so difficult?
● What's the problem?
Container Evolution
● Containers are awesome
● But they emerged from the primordial kernel soup
● We love Kube
We Love Kubernetes
SEC584 | Defending Cloud Native Infrastructure
Kubernetes Logical Overview
Where is Kubernetes vulnerable?
● Application workloads
● Workload configuration
● Cluster configuration - developer
● Cluster configuration - operations
● Cluster deployment
http://nobleillustrations.blogspot.com/2012/08/kraken-rum-animations.html
Attacking the Visible Horizon
● Self-namespace info in `/proc`
● Local filesystem, debug tools
● Mounted volumes from host
● All other pods, flux, helm
● Host Kernel, container runtime
● API server(s), serviceAccounts
● Node
● Datastores
● Registry
● Build server
● Supply chain
● Internet
LET'S GO
--privileged
/var/run/docker.socket
UID 0
(What Not to Do)
Container Test Pyramid
“Linting” Dockerfiles - Static Analysis
● https://github.com/projectatomic/dockerfile_lint - rule based 'linter' for
Dockerfiles
● https://github.com/hadolint/hadolint - Dockerfile linter, validates inline bash
with Shellcheck
Static Analysis for Kubernetes Resources
https://kubesec.io
github.com/controlplaneio/kubesec
kubesec.io - example insecure pod
[
  {
    "object": "Pod/kubesec-demo.default",
    "valid": true,
    "message": "Passed with a score of 1 points",
    "score": 1,
    "scoring": {
      "advise": [
        {
          "selector": "containers[] .securityContext .capabilities .drop",
          "reason": "Reducing kernel capabilities available to a container limits its attack surface"
        },
        {
          "selector": ".spec .serviceAccountName",
          "reason": "Service accounts restrict Kubernetes API access and should be configured with least privilege"
        },
        {
          "selector": "containers[] .resources .requests .cpu",
          "reason": "Enforcing CPU requests aids a fair balancing of resources across the cluster"
        },
        ...
Pod YAML - Isolation-Breaking Configs
● SecurityContexts: use for pods and containers
● Dangerous pod configurations:
○ Running as root (no user namespace support in Kubernetes)
○ Privileged (can perform root operations on the host)
○ No seccomp/AppArmor profile (unlike Docker, no default profile in Kubernetes)
○ Full RBAC (administrative access to cluster)
○ Mounting host volumes (resource contention, side-channel communication)
○ Sharing host pid, network, or IPC namespaces (can lead to escalation)
○ AllowPrivilegeEscalation (permits escalating to root inside the container)
○ Excess capabilities (violates least privilege)
○ No cgroups (unbounded resource consumption)
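As an added example (not kubesec's code), a static check in Python for the pod settings this list names, run over two constructed pod specs in `kubectl get pod -o json` form. The capability set it treats as risky, the sample pods and the service-account check standing in for "full RBAC" (which a pod spec alone cannot show) are assumptions of the example:

```python
"""Static check for the isolation-breaking pod settings listed above.

Added example, not kubesec's code: it takes a Pod in the JSON form that
`kubectl get pod -o json` prints and returns one finding per dangerous setting.
RBAC breadth is not visible in a pod spec, so only the service-account token
mount is checked here.
"""
import json

# Capabilities treated as excess privilege (assumption of this example).
# CAP_SYS_ADMIN is the one the deck singles out.
RISKY_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_RAW"}


def seccomp_configured(pod_sc, c_sc, annotations, cname):
    """Kubernetes applies no seccomp profile unless asked, either via
    securityContext.seccompProfile (1.19+) or the older alpha annotations."""
    if "seccompProfile" in pod_sc or "seccompProfile" in c_sc:
        return True
    return ("seccomp.security.alpha.kubernetes.io/pod" in annotations
            or f"container.seccomp.security.alpha.kubernetes.io/{cname}" in annotations)


def check_pod(pod):
    spec = pod.get("spec", {})
    annotations = pod.get("metadata", {}).get("annotations") or {}
    pod_sc = spec.get("securityContext") or {}
    findings = []

    for ns in ("hostPID", "hostNetwork", "hostIPC"):  # shared host namespaces
        if spec.get(ns):
            findings.append(f"spec.{ns}=true shares a host namespace")

    for vol in spec.get("volumes") or []:  # host volume mounts
        if "hostPath" in vol:
            findings.append(f"volume {vol['name']} mounts hostPath {vol['hostPath'].get('path')}")

    # Default service account with its API token mounted into every container
    if not spec.get("serviceAccountName") and spec.get("automountServiceAccountToken", True):
        findings.append("default service account with API token automounted")

    for c in spec.get("containers") or []:
        name, c_sc = c["name"], c.get("securityContext") or {}

        if c_sc.get("privileged"):
            findings.append(f"{name}: privileged=true")

        # allowPrivilegeEscalation defaults to true when it is not set
        if c_sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")

        uid = c_sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = c_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if uid == 0:
            findings.append(f"{name}: runAsUser=0")
        elif uid is None and not non_root:
            findings.append(f"{name}: runAsUser and runAsNonRoot unset (image default may be root)")

        caps = c_sc.get("capabilities") or {}
        risky = RISKY_CAPS & set(caps.get("add") or [])
        if risky:
            findings.append(f"{name}: adds capabilities {sorted(risky)}")
        if "ALL" not in (caps.get("drop") or []):
            findings.append(f"{name}: does not drop ALL capabilities")

        if not seccomp_configured(pod_sc, c_sc, annotations, name):
            findings.append(f"{name}: no seccomp profile")

        if not (c.get("resources") or {}).get("limits"):  # no cgroup limits
            findings.append(f"{name}: no resource limits")

    return findings


# Constructed sample pods (not taken from a real cluster).
INSECURE_POD = json.loads("""{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "debug", "namespace": "default"},
  "spec": {
    "hostPID": true,
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "shell", "image": "alpine:3.12",
                    "securityContext": {"privileged": true, "runAsUser": 0,
                                        "capabilities": {"add": ["SYS_ADMIN"]}}}]
  }
}""")

HARDENED_POD = json.loads("""{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "web", "namespace": "default"},
  "spec": {
    "serviceAccountName": "web", "automountServiceAccountToken": false,
    "securityContext": {"runAsNonRoot": true, "runAsUser": 10001,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "web", "image": "example/web:1.0",
                    "securityContext": {"allowPrivilegeEscalation": false,
                                        "capabilities": {"drop": ["ALL"]}},
                    "resources": {"limits": {"cpu": "500m", "memory": "128Mi"}}}]
  }
}""")

if __name__ == "__main__":
    for label, pod in (("insecure", INSECURE_POD), ("hardened", HARDENED_POD)):
        print(label, check_pod(pod) or "no findings")
```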
“Unit Testing” Containers - Dynamic Testing
● inspec
● serverspec
● goss
goss
command:
  java -version:
    title: Checking Java JRE version and architecture
    exit-status: 0
    stdout: []
    stderr:
      - /^openjdk version "1.8.*/
      - /^OpenJDK 64-Bit Server VM .*/
    timeout: 1000
breaking out of containers
What is this?
● DirtyCOW. A copy-on-write vulnerability in the kernel from 2016
● Allows a malicious user to gain root on the host from inside a container
● Was being exploited in the wild
"One of the sites I manage was compromised, and an exploit of this issue was uploaded and executed. A few years ago I started packet capturing all inbound HTTP traffic and was able to extract the exploit and test it out in a sandbox"
http://www.v3.co.uk/v3-uk/news/2474845/linux-users-urged-to-protect-against-dirty-cow-security-flaw
Dirty COW (2016)
Why is it bad?
● It pretty much hoses down your system and flushes the corpse
● Linux kernel since 2.6.22 (July 2007)
○ Fixed in 4.8.3, 4.7.9, 4.4.26 or newer (Oct 2016)
● All Docker versions
○ it’s a kernel bug: container syscalls hit host
Dirty COW (2016)
Nondeterministic Live Demo (backup available: YouTube)
WTF just happened?
Security Contexts
● DAC (discretionary access control)
○ File system permissions, the basis of linux security
● Capabilities
○ Subdivides the full set of root capabilities into smaller buckets
○ Not perfect, but can limit the shape of the privilege that the user has
○ Beware CAP_SYS_ADMIN - the capability bucket
● Sandboxing
○ seccomp-bpf (user-supplied code running in kernel)
○ Filtering syscalls to reduce attack surface. Disallowed system calls get SIGKILLed
○ Seccomp is enabled by default in Docker, but NOT IN KUBERNETES
○ It should be mandated via a PodSecurityPolicy
● Mandatory Access Control
○ SELinux (RHEL/CentOS only)
○ AppArmor (Ubuntu, Debian and derivatives) - defaults on in Docker, off in Kubernetes
Docker’s Default seccomp Profile
● Docker uses a JSON DSL for seccomp profiles that compile down to eBPF (i.e. seccomp-bpf), and are run in the kernel
● Only whitelisted system calls are permitted
● Docker’s default seccomp whitelist blocks some dangerous system calls:
○ add_key, keyctl, request_key: Prevent containers from using the kernel keyring, which is not namespaced
○ clone, unshare: Deny cloning new namespaces. Also gated by CAP_SYS_ADMIN for CLONE_* flags, except CLONE_USERNS.
● “I specifically wanted to block cloning new user namespaces inside containers because they are notorious for being points of entry for kernel bugs”
● Seccomp security profiles for Docker
https://blog.jessfraz.com/post/a-rant-on-usable-security/
Writing Effective Seccomp Profiles
● Dynamic
○ "Observational" or "learning" security systems will watch your application's behaviour at runtime in a pre-prod environment and generate a profile
○ This has limited value, as it requires a pre-prod system to demonstrate the complete set of behaviours it exhibits in production - this is a sadly unrealistic goal
○ Some distance can be made with this approach and a comprehensive test suite, but logging, crashing, and stress-related behaviours are unlikely to be comprehensively covered, resulting in potential production downtime
○ This approach can be used to inform the final policy
● Static
○ Laborious
○ Requires in-depth knowledge of the linux syscall interface
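Added example covering both the Docker default-profile slide and the dynamic approach above (not Docker's or the deck's code): a profile generated from constructed strace output, with the keyring and namespace-creating calls kept blocked whatever was observed, plus a small evaluator showing that a call never exercised in pre-prod is denied in production. The TRACE lines, the `evaluate` helper and the x86_64-only architecture list are assumptions of the example:

```python
"""Generate a Docker-format seccomp profile from observed syscalls.

Added example, not Docker's or the deck's code. It follows the "observational"
approach described above: syscall names are harvested from strace output and
become the allowlist, while the kernel-keyring and namespace-creating calls
that Docker's default profile blocks stay blocked whatever was observed.
The TRACE lines are constructed, not a real capture.
"""
import json
import re

TRACE = """\
[pid  1201] execve("/app/server", ["/app/server"], 0x7ffd...) = 0
[pid  1201] openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3
[pid  1201] read(3, "127.0.0.1 localhost\\n", 4096) = 20
[pid  1201] close(3) = 0
[pid  1201] socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 4
[pid  1201] bind(4, {sa_family=AF_INET, sin_port=htons(8080), ...}, 16) = 0
[pid  1201] listen(4, 128) = 0
[pid  1201] clone(child_stack=0x7f..., flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_THREAD) = 1202
[pid  1202] accept4(4, NULL, NULL, SOCK_CLOEXEC) = 5
[pid  1202] write(5, "HTTP/1.1 200 OK\\r\\n", 17) = 17
[pid  1201] keyctl(KEYCTL_GET_KEYRING_ID, KEY_SPEC_SESSION_KEYRING, 0) = 12345
[pid  1201] exit_group(0) = ?
"""

SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?([a-z_][a-z0-9_]*)\(")

KEYRING = {"add_key", "keyctl", "request_key"}   # kernel keyring is not namespaced
ALWAYS_DENIED = KEYRING | {"unshare"}             # never allowed, even if observed

# CLONE_NEW* bits. Docker's default profile allows clone() only when none is set.
CLONE_NEWNS, CLONE_NEWCGROUP, CLONE_NEWUTS, CLONE_NEWIPC = 0x00020000, 0x02000000, 0x04000000, 0x08000000
CLONE_NEWUSER, CLONE_NEWPID, CLONE_NEWNET = 0x10000000, 0x20000000, 0x40000000
NAMESPACE_FLAGS = (CLONE_NEWNS | CLONE_NEWCGROUP | CLONE_NEWUTS | CLONE_NEWIPC
                   | CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET)   # 0x7E020000


def observed_syscalls(trace):
    """Set of syscall names appearing in strace -f output."""
    return {m.group(1) for m in map(SYSCALL_RE.match, trace.splitlines()) if m}


def build_profile(trace):
    seen = observed_syscalls(trace)
    allowed = seen - ALWAYS_DENIED - {"clone"}   # clone gets an argument-filtered rule
    profile = {
        "defaultAction": "SCMP_ACT_ERRNO",       # as in Docker's default profile
        "architectures": ["SCMP_ARCH_X86_64"],   # assumption: x86_64 hosts only
        "syscalls": [{"names": sorted(allowed), "action": "SCMP_ACT_ALLOW", "args": []}],
    }
    if "clone" in seen:
        # Same rule shape as Docker's default: (arg0 & NAMESPACE_FLAGS) must equal 0,
        # so thread creation passes and new-namespace clones hit the default action.
        profile["syscalls"].append({
            "names": ["clone"], "action": "SCMP_ACT_ALLOW",
            "args": [{"index": 0, "value": NAMESPACE_FLAGS, "valueTwo": 0,
                      "op": "SCMP_CMP_MASKED_EQ"}],
        })
    return profile


def evaluate(profile, name, arg0=0):
    """What the filter would return for one call: the first matching rule's action
    (its argument filter included), or defaultAction when nothing matches."""
    for rule in profile["syscalls"]:
        if name not in rule["names"]:
            continue
        if all(a["op"] != "SCMP_CMP_MASKED_EQ" or (arg0 & a["value"]) == a["valueTwo"]
               for a in rule["args"]):
            return rule["action"]
    return profile["defaultAction"]


if __name__ == "__main__":
    profile = build_profile(TRACE)
    print(json.dumps(profile, indent=2))
    print("keyctl        ->", evaluate(profile, "keyctl"))              # blocked despite being seen
    print("clone thread  ->", evaluate(profile, "clone", 0x00010100))   # CLONE_VM|CLONE_THREAD
    print("clone newuser ->", evaluate(profile, "clone", CLONE_NEWUSER | 0x00010100))
    print("fsync         ->", evaluate(profile, "fsync"))   # never seen in pre-prod: the downtime risk
```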
bypass container security controls
AppArmor bypass
Minimal PoC
/proc/self/exe
lesson: patch your hosts
● the kernel is the basis of container security
● containers don't really exist!
● as our reputable track hosts from Canonical's LXD team put it -- containers are a userspace fiction
containers are a userspace fiction
● there is no kernel representation of a container, it is an emergent property of a collection of stimuli and restrictions born from unintelligent design and years of evolution
● a lot like consciousness
<mind blown>
Security Test Suite!
● Testing is a Dark Art
● Anything can be a security test
● Arrange (set env)
● Act (perform test and capture result)
● Assert (does this match expectation?)
● Prove test fails as expected
● Beware acceptance testing and push that test as low as it can go
DevSecOps
testing: out of date versions
● well, this test is simple. What kernel version am I running? And what docker version?
● fancy security tooling will do this for you, OR you can use some basic tests for your node
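The kernel-version test written as plain Python rather than a goss spec, as an added example (not the deck's or goss's code): it compares a `uname -r` string against the Dirty COW fix releases listed on the earlier slide (4.8.3, 4.7.9, 4.4.26). Only those three branches are in the table, so older longterm kernels and distribution kernels with backported fixes need the distro advisory rather than this check:

```python
"""Arrange/Act/Assert node test for the Dirty COW kernel fix.

Added example, not goss or the deck's code. FIXED_IN holds only the fix
releases the slide lists; upstream version strings are compared branch by
branch. Distribution kernels that backport fixes without bumping the upstream
version are outside what this check can decide.
"""
import platform
import re

FIRST_AFFECTED = (2, 6, 22)                          # "Linux kernel since 2.6.22"
FIXED_IN = {(4, 8): (4, 8, 3), (4, 7): (4, 7, 9), (4, 4): (4, 4, 26)}  # from the slide
FIRST_FIXED_MAINLINE = (4, 9)                        # every later branch shipped after the fix


def parse_kernel(release):
    """'4.4.0-45-generic' -> (4, 4, 0); a missing patch level counts as 0."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def kernel_vulnerable_to_dirtycow(release):
    """True when the upstream version is in the affected range and below its
    branch's fix release. Branches with no entry in FIXED_IN (4.5.x, 4.6.x and
    the 3.x longterm series) are reported vulnerable; extend the table from the
    relevant advisory before trusting the answer for them."""
    v = parse_kernel(release)
    if v < FIRST_AFFECTED or v[:2] >= FIRST_FIXED_MAINLINE:
        return False
    fixed = FIXED_IN.get(v[:2])
    return fixed is None or v < fixed


def node_check():
    """Act on the running node and return (release, vulnerable)."""
    release = platform.release()
    return release, kernel_vulnerable_to_dirtycow(release)


if __name__ == "__main__":
    # Constructed sample strings; the Ubuntu one shows the backport caveat
    # (4.4.0-45 carried the fix downstream but fails an upstream comparison).
    for sample in ("4.4.0-45-generic", "4.4.26", "4.8.3-1-ARCH", "5.4.0-42-generic"):
        print(sample, "VULNERABLE" if kernel_vulnerable_to_dirtycow(sample) else "ok")
    release, vulnerable = node_check()
    assert not vulnerable, f"kernel {release} is older than the Dirty COW fix"
```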
goss
● goss is "go serverspec"
● it's not the ultimate test tool, but it's pretty good
Security Testing with Goss
https://github.com/aelsabbahy/goss
TESTING IS COOL
● It’s how we “prove” we’re secure
● Against known quantities
● Test enough to instil confidence
● “Goldilocks Test Suites” -- not too many, not too few
too easy
public clusters drive by
pew pew pew
hunting clusters in the wild
BinaryEdge insecure cluster search
binaryedge
● this platform has already portscanned the IPv4 address space for us
● indexed all the content
● and preemptively attacked it
● THIS MAY NOT BE LEGAL IN YOUR JURISDICTION
● you may not care
● but sadly, on stage and on camera, I do
Here’s one I pwnd earlier
The Banner Banhammer
● let's test the API server and see if it's leaking
○ Use my nice nmap script https://gist.github.com/sublimino/c357379369808d0f77d3e2fe86fd4611
API server Pwnage
Watch It Burn
● unauthenticated client
● malicious websockets upgrade
● potential escalation of privilege
Here cometh the Lesson
● Tin foil hats are cool
○ DEFCON says so
○ Defence in depth isn’t going anywhere
● Don't run a Kubernetes API server endpoint on the public internet!!!1one
Kubernetes API Servers on the Public Internet
Billion Laughs
Self Destructive SelfSubjectAccessReview
apiVersion: authorization.k8s.io/v1
kind: SelfSubjectAccessReview
metadata:
  name: yaml-dos
  namespace: default
data:
  a: &a ["HONK","HONK","HONK","HONK","HONK","HONK","HONK","HONK","HONK"]
  b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
  c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
  d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
  e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
  f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
  g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
  h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
  i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
  j: &j [*i,*i,*i,*i,*i,*i,*i,*i,*i]
  k: &k [*j,*j,*j,*j,*j,*j,*j,*j,*j]
  l: &l [*l,*l,*l,*l,*l,*l,*l,*l,*l]
# CVE-2019-11253
# https://github.com/kubernetes/kubernetes/issues/83253
# Shout out: @raesene for poc collab, @iancoldwater + @mauilion for
# HONKing inspiration and other guidance.
# Description: In Kubernetes 1.13 and below, the default configuration
# is that system:anonymous can request a selfsubjectaccessreview
# via mechanisms such as "kubectl auth can-i". This request can
# include POSTed YAML, and just the act of trying to parse it causes
# excessive memory usage by the API server. Anywhere from about 10
# to 100 concurrent requests of this nature can overwhelm the API
# server's resources and cause it to become unresponsive to the point
# that the worker nodes and user's running kubectl will believe the
# control plane is offline. Since requests can last up to 60s by
# default before the timeout kicks in, sustaining the attack only
# requires between 10 and ~100 requests per minute.
# CVE-2019-11253
# Recommendation: Update Kubernetes to a release that includes YAML
# parsing resource limits and limit direct, public access to API
# servers. See the above GH issue for details.
# https://github.com/kubernetes/kubernetes/issues/83253
HONK!
Testing testing 123
● Arrange
● Act
● Assert
For network infrastructure?
Network Policy Testing: nmap with Netassert.io
k8s: # used for Kubernetes pods
  deployment: # only deployments currently supported
    test-frontend: # pod name, defaults to `default` namespace
      test-microservice: 80 # `test-microservice` is the DNS name of the target service
      test-database: -80 # test-frontend should not be able to access test-database port 80
    new-namespace:test-microservice: # `new-namespace` is the namespace name
      test-database.new-namespace: 80 # longer DNS names can be used for other namespaces
      test-frontend.default: 80
    default:test-database:
      test-frontend.default.svc.cluster.local: 80 # full DNS names can be used
      test-microservice.default.svc.cluster.local: -80
https://github.com/controlplaneio/netassert#configuration
Network security testing with highly parallelised nmap
https://github.com/controlplaneio/netassert
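An added example (not netassert's own code) that expands the configuration above into explicit test cases, making the `namespace:name` and negative-port conventions executable, and judges constructed nmap port states against them. The minimal parser, the nmap command form and the `OBSERVED` results are assumptions of the example:

```python
"""Expand the netassert configuration above into explicit test cases and judge
nmap results against them.

Added example, not netassert's code. CONFIG is the slide's YAML; parse_mapping
handles only this indentation-based mapping subset (nested 'key:' blocks, leaf
'key: int', '#' comments) and is not a general YAML reader. OBSERVED is a
constructed set of nmap port states; the nmap command form is assumed.
"""

CONFIG = """\
k8s:
  deployment:
    test-frontend:                     # pod name, `default` namespace
      test-microservice: 80            # must be reachable
      test-database: -80               # must NOT be reachable
    new-namespace:test-microservice:   # namespace:name
      test-database.new-namespace: 80
      test-frontend.default: 80
    default:test-database:
      test-frontend.default.svc.cluster.local: 80
      test-microservice.default.svc.cluster.local: -80
"""


def parse_mapping(text):
    """Nested dicts from an indentation-based mapping; leaves are ints."""
    root = {}
    stack = [(-1, root)]                     # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        while indent <= stack[-1][0]:         # dedent: close finished blocks
            stack.pop()
        parent, body = stack[-1][1], line.strip()
        if body.endswith(":"):                # 'key:' opens a nested mapping
            child = {}
            parent[body[:-1]] = child         # key may itself contain ':' (namespace:name)
            stack.append((indent, child))
        else:                                 # 'key: value' leaf
            key, _, value = body.rpartition(": ")
            parent[key] = int(value)
    return root


def expand(config):
    """One case per (source pod, target host, port); a negative port means
    the connection is expected to be blocked."""
    cases = []
    for source, targets in config["k8s"]["deployment"].items():
        namespace, _, name = source.rpartition(":")   # '' namespace -> default
        for host, port in targets.items():
            cases.append({"source": f"{namespace or 'default'}/{name}",
                          "target": host, "port": abs(port), "expect_open": port > 0})
    return cases


def nmap_command(case):
    """Probe run from the source pod's network namespace (command form assumed)."""
    return f"nmap -Pn -p {case['port']} {case['target']}"


def judge(case, observed_state):
    """observed_state is nmap's port state: 'open', 'closed' or 'filtered'."""
    return (observed_state == "open") == case["expect_open"]


# Constructed results: the frontend can reach the database, which the policy forbids.
OBSERVED = {
    ("default/test-frontend", "test-microservice", 80): "open",
    ("default/test-frontend", "test-database", 80): "open",
    ("new-namespace/test-microservice", "test-database.new-namespace", 80): "open",
    ("new-namespace/test-microservice", "test-frontend.default", 80): "open",
    ("default/test-database", "test-frontend.default.svc.cluster.local", 80): "open",
    ("default/test-database", "test-microservice.default.svc.cluster.local", 80): "filtered",
}


def run(config_text, observed):
    """Return (all cases, failing cases) for a set of observed port states."""
    cases = expand(parse_mapping(config_text))
    failures = [c for c in cases
                if not judge(c, observed[(c["source"], c["target"], c["port"])])]
    return cases, failures


if __name__ == "__main__":
    cases, failures = run(CONFIG, OBSERVED)
    for c in cases:
        print(nmap_command(c), "from", c["source"],
              "expect", "open" if c["expect_open"] else "closed")
    print(f"{len(failures)} policy violation(s):", [(f["source"], f["target"]) for f in failures])
```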
bats-core
● Test library for Bash
● TEST EVERYTHING EVERYWHERE
● https://github.com/bats-core/bats-core/
break out of service meshes
Istio Threats
● Insecure Control Plane Configuration
● User Misconfiguration
○ Avoid manual configuration
○ Regularly apply config defined in git (CI/Gitops)
● Compromised workload attacks Istio sidecar
○ Defence in depth: use dedicated Egress Gateway, K8S Network Policy & IaaS FW rules
● Init Containers Run Off-mesh
○ Unconstrained by istio security
○ Use K8s network policy
● PodSecurityPolicy blocks Istio init & sidecar
○ CNI Plugin
○ Sub-pod isolation proposals
● Misconfigured app container could run as privileged or use NET_ADMIN to exit the mesh
Attacking the Mesh
Lesson
● secure by default is difficult
● IDS
○ See: falco, $$$ offerings
● Want more? See: Security Rationale for Istio by Rowan Baker
evade detection
De-auditing K8S
● Reconfigure API server
● Blackhole traffic to remote logging endpoint
● DOS remote logging endpoint
https://monzo.com/blog/we-built-network-isolation-for-1-500-services
hacking in a safe space
Simulator!
● https://github.com/kubernetes-simulator/simulator
● See “How to Train Your Red Team (for Cloud Native)” by ControlPlane
K8S Breach Lessons
● Application workloads
○ container images (app, OS, deps, filesystem conf, user, baked-in secrets), malicious images
● Workload configuration
○ pod spec (privileged/PSP config, env vars, service accounts, file mounts, runAsUser, seccomp/selinux), runtime (docker, crio), priv workloads, identity, datastores, traffic sniffing/nmap
● Cluster configuration - developer
○ authn/RBAC, NetPol/networking
● Cluster configuration - operations
○ admission control, etcd encryption, control plane TLS, local/remote registry, dashboard/API, federated identity
● Cluster deployment
○ control plane config, user access, topology, transport & TLS, infrastructure/cloud, OS
How to Train your Red Team (for Cloud Native)
● Hosted: kubesim.io
● Open source: https://github.com/kubernetes-simulator/simulator
● Attack Trees: https://github.com/cncf/financial-user-group/tree/master/projects/k8s-threat-model
● Training: https://control-plane.io/
Layers of Security Testing
Recap: Applications in Kubernetes
● Just applications, linux processes, memory, and filesystems
● More granular security profile
○ Easier to harden
○ Security boundary is the container process or pod, not the whole instance
○ Controlled networking environment
Layers of Security Testing
● Infrastructure: server hardening/conformance
● Supply chain: image validation, Kubernetes deployment YAML validation
● Runtime: application behaviour, telemetry, session handling, and networking
What's the Problem with Security Testing?
● What's the Problem with Security Testing?
○ False Positives
● Why?
○ Defensive security measures and nondeterministic test environment
● Mitigation
○ Reduce signal-to-noise ratio with targeted testing and retry budgets
Getting the House in Order
● Ensure that applications have a local testing story for developers
○ Build server verifies tests that developers are able to run locally
○ This proves out mocking and stubbing harnesses
● Once developer local testing is in place, testing can be as simple as standing up docker-compose with mocks and mock data
○ https://github.com/kubernetes/kompose can help migration
● Continuous Security (...ish)
○ A lot of tooling isn’t container-native
○ But continuous scanning leaves deeper exploration for humans
Prepare for the Unexpected
SEC584: Defending Cloud Native Infrastructure
BETA Pricing: 50% Discount ($2100 USD)
Live Online | 3-day beta October 12 - 14
with Andrew Martin & Eric Johnson
https://www.sans.org/event/sec584-beta-one-2020
@sublimino
@controlplaneio

Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...DevOps.com
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...DevOps.com
 
Next Generation Vulnerability Assessment Using Datadog and Snyk
Next Generation Vulnerability Assessment Using Datadog and SnykNext Generation Vulnerability Assessment Using Datadog and Snyk
Next Generation Vulnerability Assessment Using Datadog and SnykDevOps.com
 
Vulnerability Discovery in the Cloud
Vulnerability Discovery in the CloudVulnerability Discovery in the Cloud
Vulnerability Discovery in the CloudDevOps.com
 
2021 Open Source Governance: Top Ten Trends and Predictions
2021 Open Source Governance: Top Ten Trends and Predictions2021 Open Source Governance: Top Ten Trends and Predictions
2021 Open Source Governance: Top Ten Trends and PredictionsDevOps.com
 
A New Year’s Ransomware Resolution
A New Year’s Ransomware ResolutionA New Year’s Ransomware Resolution
A New Year’s Ransomware ResolutionDevOps.com
 
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)DevOps.com
 
Don't Panic! Effective Incident Response
Don't Panic! Effective Incident ResponseDon't Panic! Effective Incident Response
Don't Panic! Effective Incident ResponseDevOps.com
 
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's CultureCreating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's CultureDevOps.com
 
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with TeleportRole Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with TeleportDevOps.com
 
Monitoring Serverless Applications with Datadog
Monitoring Serverless Applications with DatadogMonitoring Serverless Applications with Datadog
Monitoring Serverless Applications with DatadogDevOps.com
 
Deliver your App Anywhere … Publicly or Privately
Deliver your App Anywhere … Publicly or PrivatelyDeliver your App Anywhere … Publicly or Privately
Deliver your App Anywhere … Publicly or PrivatelyDevOps.com
 
Securing medical apps in the age of covid final
Securing medical apps in the age of covid finalSecuring medical apps in the age of covid final
Securing medical apps in the age of covid finalDevOps.com
 
How to Build a Healthy On-Call Culture
How to Build a Healthy On-Call CultureHow to Build a Healthy On-Call Culture
How to Build a Healthy On-Call CultureDevOps.com
 
The Evolving Role of the Developer in 2021
The Evolving Role of the Developer in 2021The Evolving Role of the Developer in 2021
The Evolving Role of the Developer in 2021DevOps.com
 
Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?DevOps.com
 
Secure Data Sharing in OpenShift Environments
Secure Data Sharing in OpenShift EnvironmentsSecure Data Sharing in OpenShift Environments
Secure Data Sharing in OpenShift EnvironmentsDevOps.com
 
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...DevOps.com
 
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...DevOps.com
 

More from DevOps.com (20)

Modernizing on IBM Z Made Easier With Open Source Software
Modernizing on IBM Z Made Easier With Open Source SoftwareModernizing on IBM Z Made Easier With Open Source Software
Modernizing on IBM Z Made Easier With Open Source Software
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
 
Next Generation Vulnerability Assessment Using Datadog and Snyk
Next Generation Vulnerability Assessment Using Datadog and SnykNext Generation Vulnerability Assessment Using Datadog and Snyk
Next Generation Vulnerability Assessment Using Datadog and Snyk
 
Vulnerability Discovery in the Cloud
Vulnerability Discovery in the CloudVulnerability Discovery in the Cloud
Vulnerability Discovery in the Cloud
 
2021 Open Source Governance: Top Ten Trends and Predictions
2021 Open Source Governance: Top Ten Trends and Predictions2021 Open Source Governance: Top Ten Trends and Predictions
2021 Open Source Governance: Top Ten Trends and Predictions
 
A New Year’s Ransomware Resolution
A New Year’s Ransomware ResolutionA New Year’s Ransomware Resolution
A New Year’s Ransomware Resolution
 
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
 
Don't Panic! Effective Incident Response
Don't Panic! Effective Incident ResponseDon't Panic! Effective Incident Response
Don't Panic! Effective Incident Response
 
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's CultureCreating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
 
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with TeleportRole Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
 
Monitoring Serverless Applications with Datadog
Monitoring Serverless Applications with DatadogMonitoring Serverless Applications with Datadog
Monitoring Serverless Applications with Datadog
 
Deliver your App Anywhere … Publicly or Privately
Deliver your App Anywhere … Publicly or PrivatelyDeliver your App Anywhere … Publicly or Privately
Deliver your App Anywhere … Publicly or Privately
 
Securing medical apps in the age of covid final
Securing medical apps in the age of covid finalSecuring medical apps in the age of covid final
Securing medical apps in the age of covid final
 
How to Build a Healthy On-Call Culture
How to Build a Healthy On-Call CultureHow to Build a Healthy On-Call Culture
How to Build a Healthy On-Call Culture
 
The Evolving Role of the Developer in 2021
The Evolving Role of the Developer in 2021The Evolving Role of the Developer in 2021
The Evolving Role of the Developer in 2021
 
Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?
 
Secure Data Sharing in OpenShift Environments
Secure Data Sharing in OpenShift EnvironmentsSecure Data Sharing in OpenShift Environments
Secure Data Sharing in OpenShift Environments
 
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
 
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
 

Recently uploaded

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 

Recently uploaded (20)

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 

The Future of Security and Productivity in Our Newly Remote World

• 1. Attacking and Defending Cloud Native Infrastructure
  WhiteSource Webinar, August 2020
  @sublimino and @controlplaneio
• 2. I’m:
  - Andy
  - Dev-like
  - Sec-ish
  - Ops-y
• 3. I’m:
  - Andy
  - Dev-like
  - Sec-ish
  - Ops-y
  Course author:
  - SANS SEC584 - Cloud Native Security: Defending Containers and Kubernetes
  - O’Reilly
  - ControlPlane
  Trainer:
  - Hashicorp
  - Docker
• 6. Everything is Software
  ● Applications, infrastructure, security, and policy are all defined as code
  ● Everything is built as a type of software
  ● Similar controls can be applied to entire classes of software, containers, and systems (static analysis, composition scanning etc)
• 7. SecOps
  DoD Enterprise DevSecOps Reference Design
  Securing the entire application and infrastructure lifecycle
  ● Collaboration
  ● Automation
  ● Containerisation
  ● Testing
• 8. Third Party Code Risk and Supply Chain Security
  ● Build stages and their artefacts can be cryptographically signed to provide a chain of trust
  ● Software dependencies pulled into a secure build environment should be scanned for CVEs and their signatures verified where available
• 9. Defending
  ● Prevent network egress
  ● Isolate from the host's kernel
  ● Execute RUN commands as a non-root user in the container filesystem
  ● Run the build process as a non-root user
    ○ or in a user namespace
  ● Share nothing non-essential
• 10. Kubernetes Attack Trees - Compromised Container Scenario
• 11. kubesim.io - K8S Hacking and Hardening Simulator
  ● infrastructure deployment
  ● cluster provisioning and workload configuration
  ● scenario runner with challenges, hints, and scoring
  ● raw command line experience
  ● open source core at https://github.com/kubernetes-simulator/simulator
• 12. What are we doing today?
  ● Burning some things
    ○ And trying to extinguish the flames
  ● For each attack
    ○ Intro
    ○ Demo
    ○ Remediate
    ○ DevSecOps-ify
• 13. Docker and Kube
  ● Kube doesn't love us
  ● Y so difficult?
  ● What's the problem?
• 14. Container Evolution
  ● Containers are awesome
  ● But they emerged from the primordial kernel soup
  ● We love Kube
• 16. Kubernetes Logical Overview (SEC584 | Defending Cloud Native Infrastructure)
• 17. Where is Kubernetes vulnerable?
  ● Application workloads
  ● Workload configuration
  ● Cluster configuration - developer
  ● Cluster configuration - operations
  ● Cluster deployment
  http://nobleillustrations.blogspot.com/2012/08/kraken-rum-animations.html
• 18. Attacking the Visible Horizon
  ● Self-namespace info in `/proc`
  ● Local filesystem, debug tools
  ● Mounted volumes from host
  ● All other pods, flux, helm
  ● Host kernel, container runtime
  ● API server(s), serviceAccounts
  ● Node
  ● Datastores
  ● Registry
  ● Build server
  ● Supply chain
  ● Internet
• 22. “Linting” Dockerfiles - Static Analysis
  ● https://github.com/projectatomic/dockerfile_lint - rule based 'linter' for Dockerfiles
  ● https://github.com/hadolint/hadolint - Dockerfile linter, validates inline bash with Shellcheck
• 24. kubesec.io - example insecure pod
  [
    {
      "object": "Pod/kubesec-demo.default",
      "valid": true,
      "message": "Passed with a score of 1 points",
      "score": 1,
      "scoring": {
        "advise": [
          {
            "selector": "containers[] .securityContext .capabilities .drop",
            "reason": "Reducing kernel capabilities available to a container limits its attack surface"
          },
          {
            "selector": ".spec .serviceAccountName",
            "reason": "Service accounts restrict Kubernetes API access and should be configured with least privilege"
          },
          {
            "selector": "containers[] .resources .requests .cpu",
            "reason": "Enforcing CPU requests aids a fair balancing of resources across the cluster"
          },
          ...
• 25. Pod YAML - Isolation-Breaking Configs
  ● SecurityContexts: use for pods and containers
  ● Dangerous pod configurations:
    ○ Running as root (no user namespace support in Kubernetes)
    ○ Privileged (can perform root operations on the host)
    ○ No seccomp/AppArmor profile (unlike Docker, no default profile in Kubernetes)
    ○ Full RBAC (administrative access to cluster)
    ○ Mounting host volumes (resource contention, side-channel communication)
    ○ Sharing host pid, network, or IPC namespaces (can lead to escalation)
    ○ AllowPrivilegeEscalation (permits escalating to root inside the container)
    ○ Excess capabilities (violates least privilege)
    ○ No cgroups (unbounded resource consumption)
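A static check for the pod settings listed on slides 24 and 25, as an added example in the selector/reason shape of kubesec's advice (it is not kubesec's code). The two manifests are constructed; "Full RBAC" is a property of the bound ServiceAccount and cannot be judged from the Pod alone, so only the presence of a named serviceAccountName is checked.

```python
import json

# Root-equivalent capabilities; CAP_SYS_ADMIN is "the capability bucket".
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}
SECCOMP_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"  # pre-1.19 form


def check_container(container, pod_sc):
    """Findings for one container; scalar securityContext fields inherit from the pod."""
    findings = []
    sel = f"containers[{container.get('name', '?')}]"
    sc = container.get("securityContext") or {}
    eff = {**pod_sc, **sc}  # container-level values override pod-level ones
    if sc.get("privileged"):
        findings.append((f"{sel}.securityContext.privileged",
                         "privileged: can perform root operations on the host"))
    if sc.get("allowPrivilegeEscalation", True):
        findings.append((f"{sel}.securityContext.allowPrivilegeEscalation",
                         "not false: permits escalating to root inside the container"))
    if not eff.get("runAsNonRoot") and eff.get("runAsUser", 0) == 0:
        findings.append((f"{sel}.securityContext.runAsNonRoot",
                         "runs as root (no user namespace support in Kubernetes)"))
    caps = sc.get("capabilities") or {}
    added = DANGEROUS_CAPS & set(caps.get("add") or [])
    if added:
        findings.append((f"{sel}.securityContext.capabilities.add",
                         f"excess capabilities {sorted(added)} violate least privilege"))
    if "ALL" not in (caps.get("drop") or []):
        findings.append((f"{sel}.securityContext.capabilities.drop",
                         "drop ALL and add back only what is needed to limit the attack surface"))
    if not (container.get("resources") or {}).get("limits"):
        findings.append((f"{sel}.resources.limits",
                         "no cgroup limits: unbounded resource consumption"))
    return findings


def check_pod(pod):
    """Return (selector, reason) pairs for every dangerous setting found in a Pod."""
    findings = []
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    annotations = (pod.get("metadata") or {}).get("annotations") or {}
    for ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(ns):
            findings.append((f".spec.{ns}", "shares a host namespace; can lead to escalation"))
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            findings.append((f".spec.volumes[{vol.get('name', '?')}].hostPath",
                             "mounts a host volume (resource contention, side channels)"))
    if not pod_sc.get("seccompProfile") and SECCOMP_ANNOTATION not in annotations:
        findings.append((".spec.securityContext.seccompProfile",
                         "no seccomp profile: unlike Docker, Kubernetes applies none by default"))
    if not spec.get("serviceAccountName"):
        findings.append((".spec.serviceAccountName",
                         "service accounts restrict API access and should be least privilege"))
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        findings.extend(check_container(c, pod_sc))
    return findings


def report(pod):
    """kubesec-style summary object for one pod."""
    meta = pod.get("metadata") or {}
    return {"object": f"Pod/{meta.get('name')}.{meta.get('namespace', 'default')}",
            "findings": [{"selector": s, "reason": r} for s, r in check_pod(pod)]}


# Constructed: a pod that trips nearly every item on the slide.
INSECURE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "kubesec-demo", "namespace": "default"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "host-logs", "hostPath": {"path": "/var/log"}}],
        "containers": [{"name": "app", "image": "example.invalid/app:1.0",
                        "securityContext": {"privileged": True,
                                            "capabilities": {"add": ["SYS_ADMIN"]}}}],
    },
}

# Constructed: the same workload with the isolation-breaking settings removed.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "kubesec-demo", "namespace": "default"},
    "spec": {
        "serviceAccountName": "demo-least-privilege",
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "app", "image": "example.invalid/app:1.0",
                        "resources": {"limits": {"cpu": "250m", "memory": "128Mi"}},
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"]}}}],
    },
}

if __name__ == "__main__":
    print(json.dumps(report(INSECURE_POD), indent=2))
    print(json.dumps(report(HARDENED_POD), indent=2))
```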
• 26. “Unit Testing” Containers - Dynamic Testing
  ● inspec
  ● serverspec
  ● goss
• 27. goss
  command:
    java -version:
      title: Checking Java JRE version and architecture
      exit-status: 0
      stdout: []
      stderr:
      - /^openjdk version "1.8.*/
      - /^OpenJDK 64-Bit Server VM .*/
      timeout: 1000
• 29. What is this?
  ● DirtyCOW. A copy-on-write vulnerability in the kernel from 2016
  ● Allows a malicious user to gain root on the host from inside a container
  ● Was being exploited in the wild
• 30. Dirty COW (2016)
  "One of the sites I manage was compromised, and an exploit of this issue was uploaded and executed. A few years ago I started packet capturing all inbound HTTP traffic and was able to extract the exploit and test it out in a sandbox"
  http://www.v3.co.uk/v3-uk/news/2474845/linux-users-urged-to-protect-against-dirty-cow-security-flaw
• 31. Why is it bad?
  ● It pretty much hoses down your system and flushes the corpse
  ● Linux kernel since 2.6.22 (July 2007)
    ○ Fixed in 4.8.3, 4.7.9, 4.4.26 or newer (Oct 2016)
  ● All Docker versions
    ○ it’s a kernel bug: container syscalls hit the host
• 32. Dirty COW (2016)
  Nondeterministic Live Demo (backup available: YouTube)
• 34. Security Contexts
  ● DAC (discretionary access control)
    ○ File system permissions, the basis of Linux security
  ● Capabilities
    ○ Subdivides the full set of root capabilities into smaller buckets
    ○ Not perfect, but can limit the shape of the privilege that the user has
    ○ Beware CAP_SYS_ADMIN - the capability bucket
  ● Sandboxing
    ○ seccomp-bpf (user-supplied code running in kernel)
    ○ Filtering syscalls to reduce attack surface. Disallowed system calls get SIGKILLed
    ○ Seccomp is enabled by default in Docker, but NOT IN KUBERNETES
    ○ It should be mandated via a PodSecurityPolicy
  ● Mandatory Access Control
    ○ SELinux (RHEL/CentOS only)
    ○ AppArmor (Ubuntu, Debian and derivatives) - defaults on in Docker, off in Kubernetes
• 35. Docker’s Default seccomp Profile
  ● Docker uses a JSON DSL for seccomp profiles that compile down to eBPF (i.e. seccomp-bpf), and are run in the kernel
  ● Only whitelisted system calls are permitted
  ● Docker’s default seccomp whitelist blocks some dangerous system calls:
    ○ add_key, keyctl, request_key: Prevent containers from using the kernel keyring, which is not namespaced
    ○ clone, unshare: Deny cloning new namespaces. Also gated by CAP_SYS_ADMIN for CLONE_* flags, except CLONE_USERNS.
  ● “I specifically wanted to block cloning new user namespaces inside containers because they are notorious for being points of entry for kernel bugs”
  ● Seccomp security profiles for Docker
    https://blog.jessfraz.com/post/a-rant-on-usable-security/
• 36. Writing Effective Seccomp Profiles
  ● Dynamic
    ○ "Observational" or "learning" security systems will watch your application's behaviour at runtime in a pre-prod environment and generate a profile
    ○ This has limited value, as it requires a pre-prod system to demonstrate the complete set of behaviours it exhibits in production - this is a sadly unrealistic goal
    ○ Some distance can be made with this approach and a comprehensive test suite, but logging, crashing, and stress-related behaviours are unlikely to be comprehensively covered, resulting in potential production downtime
    ○ This approach can be used to inform the final policy
  ● Static
    ○ Laborious
    ○ Requires in-depth knowledge of the Linux syscall interface
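An audit of a seccomp profile in the JSON DSL described on slides 35 and 36, as an added example that is not Docker's code and does not reproduce its real default.json: it reports which of the syscalls the slide names are let through unconditionally, honouring the `includes`/`excludes` capability gates and treating an `args` filter as a conditional allow. Both profiles are constructed, and the masked-compare value on `clone` is illustrative rather than Docker's exact rule.

```python
import json

# Syscalls the slide says Docker's default whitelist keeps out of containers.
KEYRING = ("add_key", "keyctl", "request_key")   # kernel keyring is not namespaced
NAMESPACES = ("clone", "unshare")                # create new namespaces
WATCHLIST = KEYRING + NAMESPACES


def rule_applies(rule, caps):
    """Honour the includes/excludes capability gates a rule may carry."""
    wanted = set((rule.get("includes") or {}).get("caps") or [])
    unwanted = set((rule.get("excludes") or {}).get("caps") or [])
    if wanted and not wanted & caps:
        return False
    return not (unwanted & caps)


def decide(profile, syscall, caps=frozenset()):
    """Return (action, conditional) for one syscall under the given capabilities.

    An unconditional ALLOW wins over one restricted to argument values (an "args"
    filter); any other matching action is taken as-is; with no matching rule the
    profile's defaultAction applies."""
    allows, denies = [], []
    for rule in profile.get("syscalls") or []:
        names = rule.get("names") or ([rule["name"]] if "name" in rule else [])
        if syscall not in names or not rule_applies(rule, caps):
            continue
        (allows if rule["action"] == "SCMP_ACT_ALLOW" else denies).append(rule)
    if allows:
        return "SCMP_ACT_ALLOW", all(bool(r.get("args")) for r in allows)
    if denies:
        return denies[0]["action"], False
    return profile.get("defaultAction", "SCMP_ACT_ERRNO"), False


def audit(profile, caps=frozenset()):
    """Watch-listed syscalls the profile permits unconditionally for these caps."""
    return [s for s in WATCHLIST if decide(profile, s, caps) == ("SCMP_ACT_ALLOW", False)]


def is_allowlist(profile):
    """A whitelist profile denies by default and only opens named syscalls."""
    return profile.get("defaultAction") != "SCMP_ACT_ALLOW"


# Constructed: what "unconfined" looks like as a profile, everything allowed.
UNCONFINED = json.loads('{"defaultAction": "SCMP_ACT_ALLOW", "syscalls": []}')

# Constructed minimal whitelist in the DSL's shape: deny by default, allow a few
# calls, let clone through only for a filtered flag set, and open clone/unshare
# fully only when the container holds CAP_SYS_ADMIN.
MINIMAL = json.loads("""{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {"names": ["read", "write", "exit_group", "futex"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 2114060288, "valueTwo": 0, "op": "SCMP_CMP_MASKED_EQ"}]},
    {"names": ["clone", "unshare"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_ADMIN"]}}
  ]
}""")

if __name__ == "__main__":
    for label, prof in (("unconfined", UNCONFINED), ("minimal", MINIMAL)):
        print(label, "allowlist" if is_allowlist(prof) else "denylist",
              audit(prof), audit(prof, frozenset({"CAP_SYS_ADMIN"})))
```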
• 42. lesson: patch your hosts
  ● the kernel is the basis of container security
  ● containers don't really exist!
  ● as our reputable track hosts from Canonical's LXD team put it -- containers are a userspace fiction
• 43. containers are a userspace fiction
  ● there is no kernel representation of a container; it is an emergent property of a collection of stimuli and restrictions born from unintelligent design and years of evolution
  ● a lot like consciousness
• 45. Security Test Suite!
  ● Testing is a Dark Art
  ● Anything can be a security test
  ● Arrange (set env)
  ● Act (perform test and capture result)
  ● Assert (does this match expectation?)
  ● Prove the test fails as expected
  ● Beware acceptance testing and push that test as low as it can go
• 47. testing: out of date versions
  ● well, this test is simple. What kernel version am I running? And what docker version?
  ● fancy security tooling will do this for you, OR you can use some basic tests for your node
• 48. goss
  ● goss is "go serverspec"
  ● it's not the ultimate test tool, but it's pretty good
• 50. TESTING IS COOL
  ● It’s how we “prove” we’re secure
  ● Against known quantities
  ● Test enough to install confidence
  ● “Goldilocks Test Suites” -- not too many, not too few
• 52. public clusters drive by pew pew pew
• 55. binaryedge
  ● this platform has already portscanned the IPv4 address space for us
  ● indexed all the content
  ● and preemptively attacked it
  ● THIS MAY NOT BE LEGAL IN YOUR JURISDICTION
  ● you may not care
  ● but sadly, on stage and on camera, I do
• 56. binaryedge
  THIS MAY NOT BE LEGAL IN YOUR JURISDICTION
  ● this platform has already portscanned the IPv4 address space for us
  ● indexed all the content
  ● and preemptively attacked it
• 60. The Banner Banhammer
  ● let's test the API server and see if it's leaking
    ○ Use my nice nmap script https://gist.github.com/sublimino/c357379369808d0f77d3e2fe86fd4611
• 62. Watch It Burn
  ● unauthenticated client
  ● malicious websockets upgrade
  ● potential escalation of privilege
• 63. Here cometh the Lesson
  ● Tin foil hats are cool
    ○ DEFCON says so
    ○ Defence in depth isn’t going anywhere
  ● Don't run a Kubernetes API server endpoint on the public internet!!!1one
• 64. Kubernetes API Servers on the Public Internet
  • 67. Self Destructive SelfSubjectAccessReview apiVersion: authorization.k8s.io/v1 kind: SelfSubjectAccessReview metadata: name: yaml-dos namespace: default data: a: &a ["HONK","HONK","HONK","HONK","HONK","HONK","HONK","HONK","HONK"] b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a] c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b] d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c] e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d] f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e] g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f] h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g] i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h] j: &j [*i,*i,*i,*i,*i,*i,*i,*i,*i] k: &k [*j,*j,*j,*j,*j,*j,*j,*j,*j] l: &l [*l,*l,*l,*l,*l,*l,*l,*l,*l]
  • 68. # CVE-2019-11253 # https://github.com/kubernetes/kubernetes/issues/83253 # Shout out: @raesene for poc collab, @iancoldwater + @mauilion for # HONKing inspiration and other guidance. # Description: In Kubernetes 1.13 and below, the default configuration # is that system:anonymous can request a selfsubjectaccessreview # via mechanisms such as "kubectl auth can-i". This request can # include POSTed YAML, and just the act of trying to parse it causes # excessive memory usage by the API server. Anywhere from about 10 # to 100 concurrent requests of this nature can overwhelm the API # server's resources and cause it to become unresponsive to the point # that the worker nodes and user's running kubectl will believe the # control plane is offline. Since requests can last up to 60s by # default before the timeout kicks in, sustaining the attack only # requires between 10 and ~100 requests per minute.
  • 69. # CVE-2019-11253
    # Recommendation: Update Kubernetes to a release that includes YAML
    # parsing resource limits and limit direct, public access to API
    # servers. See the above GH issue for details.
    # https://github.com/kubernetes/kubernetes/issues/83253
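One shape the recommended "YAML parsing resource limits" can take, as an added Python example (not Kubernetes' or go-yaml's code): estimate the alias expansion from the anchor graph before handing the document to a real YAML parser, and reject it over a node budget. It assumes only the flow-sequence shape used in the slide's payload (`key: &anchor [item, ...]`), and uses a truncated copy of that payload as constructed input.

```python
import re

# Pre-parse budget check for YAML alias expansion. Added example, not
# Kubernetes' or go-yaml's code; it understands only the shape used on
# the slide: `key: &anchor [item, item, ...]` with "*alias" or scalar items.
SEQ_LINE = re.compile(r"^\s*(\w+):\s*&(\w+)\s*\[(.*)\]\s*$")

# Constructed input: the slide's payload, truncated to its first levels.
PAYLOAD = """data:
  a: &a ["HONK","HONK","HONK","HONK","HONK","HONK","HONK","HONK","HONK"]
  b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
  c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
  d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
"""


def anchors(text):
    """Map anchor name -> list of raw items, in definition order."""
    out = {}
    for line in text.splitlines():
        m = SEQ_LINE.match(line)
        if m:
            out[m.group(2)] = [i.strip() for i in m.group(3).split(",") if i.strip()]
    return out


def expanded_size(text):
    """Scalar nodes a parser would materialise if every alias were expanded.
    Each level here is 9x the previous one, so the cost is exponential in depth.
    An alias to an anchor not yet defined (the slide's `l: &l [*l, ...]`) is an error."""
    sizes = {}
    for name, items in anchors(text).items():  # definition order matters
        total = 0
        for item in items:
            if item.startswith("*"):
                ref = item[1:]
                if ref not in sizes:
                    raise ValueError(f"alias *{ref} used before its anchor is defined")
                total += sizes[ref]
            else:
                total += 1
        sizes[name] = total
    return sum(sizes.values())


def within_budget(text, max_nodes=1_000_000):
    """Gate: only documents whose estimated expansion fits the budget get parsed."""
    try:
        return expanded_size(text) <= max_nodes
    except ValueError:
        return False
```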
  • 70. HONK!
  • 71. Testing testing 123
    ● Arrange
    ● Act
    ● Assert
    For network infrastructure?
  • 72. Network Policy Testing: nmap with Netassert.io
    k8s: # used for Kubernetes pods
      deployment: # only deployments currently supported
        test-frontend: # pod name, defaults to `default` namespace
          test-microservice: 80 # `test-microservice` is the DNS name of the target service
          test-database: -80 # test-frontend should not be able to access test-database port 80

        new-namespace:test-microservice: # `new-namespace` is the namespace name
          test-database.new-namespace: 80 # longer DNS names can be used for other namespaces
          test-frontend.default: 80

        default:test-database:
          test-frontend.default.svc.cluster.local: 80 # full DNS names can be used
          test-microservice.default.svc.cluster.local: -80
    https://github.com/controlplaneio/netassert#configuration
    Network security testing with highly parallelised nmap
    https://github.com/controlplaneio/netassert
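The Arrange/Act/Assert idea applied to that netassert config, as an added Python example (not netassert's own code): the config is the slide's, expanded into per-path expectations, and the set of observed-open ports is a constructed stand-in for real nmap results.

```python
# Arrange/Act/Assert for network policy in the netassert config style.
# Added example, not the netassert tool: it expands a netassert-style
# `k8s.deployment` mapping into (source, destination, port, expected)
# cases and checks them against probe results.
DEFAULT_NS = "default"

# The slide's configuration, as a Python mapping.
CONFIG = {"k8s": {"deployment": {
    "test-frontend": {"test-microservice": 80, "test-database": -80},
    "new-namespace:test-microservice": {
        "test-database.new-namespace": 80, "test-frontend.default": 80},
    "default:test-database": {
        "test-frontend.default.svc.cluster.local": 80,
        "test-microservice.default.svc.cluster.local": -80},
}}}


def qualify(name, default_ns=DEFAULT_NS):
    """Split a `namespace:pod` source key; a bare name lives in the default namespace."""
    ns, sep, pod = name.rpartition(":")
    return (ns if sep else default_ns, pod)


def expand_cases(config):
    """Arrange: one (src_ns, src_pod, dst_host, port, should_reach) per target.
    A negative port is netassert's notation for 'must NOT be reachable'."""
    cases = []
    for src, targets in config["k8s"]["deployment"].items():
        ns, pod = qualify(src)
        for host, port in targets.items():
            cases.append((ns, pod, host, abs(port), port > 0))
    return cases


def evaluate(cases, probe):
    """Act + Assert: probe(ns, pod, host, port) -> True if the port answered.
    Returns the cases whose observed reachability contradicts the policy."""
    return [c for c in cases if probe(*c[:4]) != c[4]]


# Constructed observation standing in for nmap output: the only deviation
# from policy is that test-frontend can still reach test-database:80.
OBSERVED_OPEN = {
    ("default", "test-frontend", "test-microservice", 80),
    ("default", "test-frontend", "test-database", 80),
    ("new-namespace", "test-microservice", "test-database.new-namespace", 80),
    ("new-namespace", "test-microservice", "test-frontend.default", 80),
    ("default", "test-database", "test-frontend.default.svc.cluster.local", 80),
}


def fake_probe(ns, pod, host, port):
    return (ns, pod, host, port) in OBSERVED_OPEN
```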
  • 73. bats-core ● Test library for Bash ● TEST EVERYTHING EVERYWHERE ● https://github.com/bats-core/bats-core/
  • 75. break out of service meshes
  • 76. Istio Threats
    ● Insecure Control Plane Configuration
    ● User Misconfiguration
      ○ Avoid manual configuration
      ○ Regularly apply config defined in git (CI/GitOps)
    ● Compromised workload attacks Istio sidecar
      ○ Defence in depth: use dedicated Egress Gateway, K8S Network Policy & IaaS FW rules
    ● Init Containers Run Off-mesh
      ○ Unconstrained by Istio security
      ○ Use K8s network policy
    ● PodSecurityPolicy blocks Istio init & sidecar
      ○ CNI Plugin
      ○ Sub-pod isolation proposals
    ● Misconfigured app container could run as privileged or use NET_ADMIN to exit the mesh
  • 80. Lesson ● secure by default is difficult ● IDS ○ See: falco, $$$ offerings ● Want more? See: Security Rationale for Istio by Rowan Baker
  • 82. De-auditing K8S ● Reconfigure API server ● Blackhole traffic to remote logging endpoint ● DOS remote logging endpoint https://monzo.com/blog/we-built-network-isolation-for-1-500-services
  • 84. Simulator! ● https://github.com/kubernetes-simulator/simulator ● See “How to Train Your Red Team (for Cloud Native)” by ControlPlane
  • 85. kubesim.io - K8S Hacking and Hardening Simulator
    ● infrastructure deployment
    ● cluster provisioning and workload configuration
    ● scenario runner with challenges, hints, and scoring
    ● raw command line experience
    ● open source core at https://github.com/kubernetes-simulator/simulator
  • 86. K8S Breach Lessons
    ● Application workloads
      ○ container images (app, OS, deps, filesystem conf, user, baked-in secrets), malicious images
    ● Workload configuration
      ○ pod spec (privileged/PSP config, env vars, service accounts, file mounts, runAsUser, seccomp/selinux), runtime (docker, crio), priv workloads, identity, datastores, traffic sniffing/nmap
    ● Cluster configuration - developer
      ○ authn/RBAC, NetPol/networking
    ● Cluster configuration - operations
      ○ admission control, etcd encryption, control plane TLS, local/remote registry, dashboard/API, federated identity
    ● Cluster deployment
      ○ control plane config, user access, topology, transport & TLS, infrastructure/cloud, OS
    Image: http://nobleillustrations.blogspot.com/2012/08/kraken-rum-animations.html
  • 87. How to Train your Red Team (for Cloud Native)
    ● Hosted: kubesim.io
    ● Open source: https://github.com/kubernetes-simulator/simulator
    ● Attack Trees: https://github.com/cncf/financial-user-group/tree/master/projects/k8s-threat-model
    ● Training: https://control-plane.io/
  • 89. Recap: Applications in Kubernetes ● Just applications, linux processes, memory, and filesystems ● More granular security profile ○ Easier to harden ○ Security boundary is the container process or pod, not the whole instance ○ Controlled networking environment
  • 90. Layers of Security Testing ● Infrastructure: server hardening/conformance ● Supply chain: image validation, Kubernetes deployment YAML validation ● Runtime: application behaviour, telemetry, session handling, and networking
  • 91. What's the Problem with Security Testing?
    ● What's the problem?
      ○ False Positives
    ● Why?
      ○ Defensive security measures and nondeterministic test environment
    ● Mitigation
      ○ Reduce signal-to-noise ratio with targeted testing and retry budgets
  • 92. Getting the House in Order
    ● Ensure that applications have a local testing story for developers
      ○ Build server verifies tests that developers are able to run locally
      ○ This proves out mocking and stubbing harnesses
    ● Once developer local testing is in place, testing can be as simple as standing up docker-compose with mocks and mock data
      ○ https://github.com/kubernetes/kompose can help migration
    ● Continuous Security (...ish)
      ○ A lot of tooling isn't container-native
      ○ But continuous scanning leaves deeper exploration for humans
  • 93. Prepare for the Unexpected
  • 94. SEC584: Defending Cloud Native Infrastructure BETA Pricing: 50% Discount ($2100 USD) Live Online | 3-day beta October 12 - 14 with Andrew Martin & Eric Johnson https://www.sans.org/event/sec584-beta-one-2020