How the Argo Project Transitioned From Security Aware To Security First

2022-10-27

Authors: Henrik Blixt, Michael Crenshaw


Summary

The presentation discusses the security measures taken by Argo CD, an open-source continuous delivery tool, to address vulnerabilities and improve supply chain security.
  • Argo CD has implemented security measures to address vulnerabilities and improve supply chain security
  • The measures include introducing security advisory drafts, holding regular meetings with a special interest group, and improving logging to monitor for potential issues
  • Argo CD has also tightened up supply chain security by introducing SBOMs for all components and using cryptographically secure random number generators
One of the issues encountered by Argo CD was related to directory traversal and symlink-following attacks on the repo server component. To address this, Argo CD locked down permissions, used ephemeral copies of manifests for user-written plugins, and rejected symlinks that resolved to a location outside the repository. Additionally, Argo CD conducted a full audit of all cryptography used and improved logging to monitor for potential issues.
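The symlink check described above is the kind of control a repo server needs before it reads manifests from a checked-out repository: any link whose target resolves outside the repository root must be rejected rather than followed. The Go program below is an added illustration written for this page, not Argo CD's own implementation; it walks a directory, resolves every symlink (relative targets against the link's own directory, chained links via `filepath.EvalSymlinks`, dangling links lexically) and reports the ones that escape the root. The function and type names are the example's own.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// EscapingLink records a symlink whose target resolves outside the repo root.
type EscapingLink struct {
	Link   string // path of the symlink, relative to the root
	Target string // resolved absolute target of the link
}

// FindEscapingSymlinks walks root without following links and returns every
// symlink whose target lies outside root. Relative targets are resolved
// against the directory containing the link; targets that do not exist
// (dangling links) are judged on their cleaned lexical path.
func FindEscapingSymlinks(root string) ([]EscapingLink, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return nil, err
	}
	// Canonicalise the root as well, so a root that is itself reached
	// through a symlink compares correctly with resolved link targets.
	if r, err := filepath.EvalSymlinks(absRoot); err == nil {
		absRoot = r
	}
	var found []EscapingLink
	walkErr := filepath.WalkDir(absRoot, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.Type()&fs.ModeSymlink == 0 {
			return nil // regular file or directory: nothing to check
		}
		target, err := os.Readlink(path)
		if err != nil {
			return err
		}
		if !filepath.IsAbs(target) {
			target = filepath.Join(filepath.Dir(path), target)
		}
		// Follow chained links when the target exists; otherwise fall back
		// to the cleaned lexical path so dangling links are still judged.
		resolved, err := filepath.EvalSymlinks(target)
		if err != nil {
			resolved = filepath.Clean(target)
		}
		if !isWithin(absRoot, resolved) {
			rel, _ := filepath.Rel(absRoot, path)
			found = append(found, EscapingLink{Link: rel, Target: resolved})
		}
		return nil
	})
	return found, walkErr
}

// isWithin reports whether path equals root or is a descendant of root.
// Both arguments must be absolute, cleaned paths.
func isWithin(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	links, err := FindEscapingSymlinks(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "walk failed:", err)
		os.Exit(1)
	}
	for _, l := range links {
		fmt.Printf("REJECT %s -> %s (outside repository)\n", l.Link, l.Target)
	}
	if len(links) == 0 {
		fmt.Println("no escaping symlinks found")
	}
}
```

Run it as `go run main.go /path/to/checkout`. Two design points matter for a manifest server: `filepath.WalkDir` never descends into a symlinked directory, so the walk itself cannot be steered outside the tree, and the prefix test in `isWithin` is done on a `filepath.Rel` result rather than a raw string prefix, which avoids treating `/repo-evil` as a child of `/repo`.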

Abstract

When the Argo project applied for graduation, we believed we had a good handle on security. After all, we hadn't had any CVEs in a while, and we had hundreds of companies using it in production. So everything must be great, right? This is the story of an incubating CNCF project learning what we didn't know and how we dove headfirst into a mission to put security first. Attendees will learn about the project processes we put in place for reported vulnerabilities, how to work with external security companies, and the help we received from the CNCF. We'll also dig into the engineering best practices we implemented and take a look at some concrete implementations around SBOMs and fuzzing. The information in this talk will be especially beneficial to anyone from incubating or sandbox projects setting out to improve their security posture, but the learnings, stories and recommendations presented will be equally applicable to any software project or product.
