A Look Under the Hood of CNCF Security Audits

2023-04-21

Authors: David Korczynski, Adam Korczynski


Summary

The presentation discusses the process and goals of auditing CNCF projects for security vulnerabilities and promoting community involvement in addressing them.
  • The goal of the audits is to promote community involvement in addressing security vulnerabilities in CNCF projects
  • Reports are made in a way that makes it easy for security researchers to identify next steps in analyzing the security of a given software
  • An audit is not finished work: there is still more to do after the report is published
  • Community members can get involved by carrying out their own auditing and reporting vulnerabilities to the projects
  • Projects may have bug bounties in place for successful disclosures
  • Being helpful and including as much information as possible in disclosures can lead to quicker turnaround time for addressing vulnerabilities
  • The audits are holistic and cover a variety of areas including threat modeling, code auditing, and software supply chain assessment
  • The audience of the reports varies and includes maintainers, customers, and others
  • The process includes mapping out attack surfaces, threat actors, and goals, as well as identifying critical code parts and vulnerabilities
  • The main goal is to ensure that the project defends against the identified threats and vulnerabilities

After the audit of the Argo project, a bug bounty was put in place, and it has produced good results from community members submitting disclosures. This shows the benefit of having third parties come in and address security issues in a project.

Abstract

To graduate, a CNCF project must complete a third-party security audit and publish the results publicly. Because of the nature of the work, much of it is done behind closed doors. In this talk, Adam and David present their experiences with auditing CNCF projects: how a security audit progresses, what the projects should expect, and what the outcomes have been so far. They also examine which vulnerabilities have been found and what is required from a CNCF project to complete a third-party security audit. Over the last year and a half, Ada Logics has carried out security audits of six CNCF projects and worked with the projects on mitigating the issues found and publishing the results. The projects the team audited were Flux, CRI-O, KubeEdge, Argo, Istio and Cilium. The talk also goes over the audit reports and how they are helpful to contributors, adopters and other security researchers looking to contribute security work. It covers both high-level problems and results as well as a technical look at the security issues that CNCF projects face.
