Authors: Jimmy Mesta
2022-10-25

tldr - powered by Generative AI

The OWASP Top Ten for Kubernetes is a community-curated list of the most common Kubernetes risks, backed by data collected from organizations varying in maturity and complexity. The project aims to help practitioners assess and secure their containerized infrastructure.
  • The OWASP community has published a number of projects to help practitioners assess and secure their containerized infrastructure
  • The OWASP Top Ten for Kubernetes is a community-curated list of the most common Kubernetes risks
  • The project is backed by data collected from organizations varying in maturity and complexity
  • The project aims to help practitioners assess and secure their containerized infrastructure
Authors: Rahul Arvind Jadhav
2022-10-25

For Kubernetes, the basic unit of execution is a pod. All the binaries in all the containers have equal access to the volume mount points and thus have direct access to the service account tokens and k8s secrets that the pod mounts. Almost all Kubernetes attacks exploit/leverage this fact. The only thing an attacker has to ensure is to inject a binary into the pod using a known/unknown vulnerability in any of the binaries within any of the containers. Once the attacker injects a malicious binary, it has unrestricted access to the secrets at predefined volume mount points (we are making it so easy for the attacker!). Typically only a few binaries within the pod need access to the tokens/secrets. The access should be restricted to such a list of processes/binaries, and an automated framework should derive this list. This is easier said than done, taking into consideration that the app is updated every few weeks, i.e., the security posture changes with the app updates. The session aims to highlight runtime security risks that are inherent to k8s design and possible solutions to alleviate some of these concerns. Rahul is a dev/maintainer of KubeArmor (runtime security engine).
Authors: Michael Foster
2022-10-24

The MP Guard project proposes a flexible workflow for DevSec organizations to simplify the experience of creating and maintaining Kubernetes Network policies. The project aims to automate the generation of policies and integrate them into the application's CI/CD pipeline, ensuring that policies get updated whenever required cluster connectivity changes. The proposed network activity is presented to the DevOps team for review, and changes can be automatically updated. The resulting Kubernetes network policies become part of the GitOps process to provision Kubernetes clusters, helping organizations cross the Kubernetes network policy chasm.
  • Identifying the right networking requirements of individual workloads is challenging, and operationalizing the task across Dev, Sec, and Ops is not trivial.
  • The MP Guard project proposes a flexible workflow for DevSec organizations to simplify the experience of creating and maintaining Kubernetes Network policies.
  • The project aims to automate the generation of policies and integrate them into the application's CI/CD pipeline, ensuring that policies get updated whenever required cluster connectivity changes.
  • The proposed network activity is presented to the DevOps team for review, and changes can be automatically updated.
  • The resulting Kubernetes network policies become part of the GitOps process to provision Kubernetes clusters, helping organizations cross the Kubernetes network policy chasm.
Authors: Stephane Graber, Christian Brauner
2022-09-16

The user namespace has grown a lot since its introduction some 9 years ago. However, it is still very far from ubiquitous, even in the modern container space. In this talk, we'll be exploring the current state of things and delve into some of the exciting developments that have recently landed or will be landing very soon. This will cover the very exciting work done on the new VFS API and VFS idmap shifting, now making it very easy to set up containers without having to first mangle their root filesystem. More importantly, it also allows containers relying on shared filesystem layers to be easily run unprivileged. On the security front, we'll be covering the work to better mediate the use of the user namespace, allowing LSMs to decide who can or cannot create a user namespace, as well as the recent addition of IMA namespacing, which now makes it possible to have an entire system measured and checked, containers included. We'll wrap things up by looking ahead at any other major blockers to the adoption of user namespaces and the deprecation of much less safe container options.
Authors: Ed Warnicke, Aeva Black
2022-06-21

The presentation discusses the need for simplicity in addressing supply chain security in open source software communities. The speaker proposes the use of a canonical, unique, and immutable identity for software artifacts to simplify the problem space.
  • Software artifacts can be represented as an array of bytes and should have a unique, canonical, and immutable identity
  • Identity should be based on the byte array representation of the artifact
  • File names, locations, and URLs are not suitable for identity
  • Simplifying the problem space requires a change in perspective
  • Focusing on simplicity leads to reliability, performance, and security
Authors: Magno Logan
2021-09-24

The presentation discusses different attack scenarios on Kubernetes clusters and provides best practices for securing them.
  • Overview of Kubernetes architecture and components
  • Using K8s Threat Matrix and MITRE ATT&CK for Containers to demonstrate attack phases
  • Best practices for securing Kubernetes clusters
  • Anecdote about a vulnerable Drupal web application used for modeling attacks