The "K8S security with Zero Trust" Meetup is about K8s posture Management and runtime protection, ways to secure your software supply chain, Managing Attack Surface reduction, and How to secure K8s with Zero-Trust.
4. K8S WHO, WHY AND HOW?
How often are you release cycles?
What role at your organization is
most responsible for container
and Kubernetes security?
5. K8S WHO, WHY AND HOW?
• Compliance is a priority
• Lack of K8s knowledge, uses:
• Network security (NGFW) for North-
South sanitation
• WAF/API gateways for application-level
vulnerabilities
• Willing to purchase a standalone
solution for K8s security
• Looking for solution that covers A-Z
(runtime, posture etc)
• Security is not priority
• Hates adding tools to his pipeline
• Bottle neck in the organization
• “Don’t touch my production!” -
shift left
• Everything is code/API
• Visibility is very
important, but not as
a standalone offering
• Secret management
is a headache
Deliver code as fast as possible
Risk Mitigation, Compliance
and avoid data breach
9. CAN WE SECURE USING ONLY SHIFT LEFT?
Others can claim:
IMO, NO!!!
Micro Services are predictable
Pro: Watch for abnormal behavior
Con: Not really the case with many types
of workloads -> a lot of false positive
Immutability
Pro: you scan for vulnerabilities and deliver new image
every time
Con: if the attacker knows how to insert a malware he
can do it every time + maybe he is already on the
host/other workload
12. WHERE AND WHY EXISTING SOLUTIONS FAIL
Endless chase
No single source of truth for K8s
Configuration
Thousands of potential
misconfigurations
Inability to build a reliable
normal baseline
False Positives, Complexity, and
performance impact
Resources intensive
Find Vulnerabilities &
Misconfigurations
Anomaly Behavioral Analysis
and Network Segmentation
K8S POSTURE MANAGEMENT K8S RUN TIME PROTECTION
13. LOOKING TO SECURE KUBERNETES?
K8S POSTURE MANAGEMENT K8S RUN TIME PROTECTION
kubernetes
14. A WHOLE
NEW WAY
TO SECURE
KUBERNETES
Infusing Visibility,
Control, and Security
Seamlessly into
Every Workload
15. ARMO BRINGS K8S POSTURE AND
RUNTIME TOGETHER -
SEAMLESSLY
Enrich finding with runtime deep
visibility information
Shrink the attack surface based
on field proven best practices
Continuous compliance
validation and auditing
From Zero to Zero-Trust in 10
minutes
No need to change policies
when microservices change
Resiliency by design, even
against the most advanced
attacks
Add Context and Relevancy to
posture findings
Patented one-YAML deterministic
ZERO-TRUST
K8S POSTURE MANAGEMENT K8S RUN TIME PROTECTION
ARMO Kubernetes
Fabric™
16. KEY TAKEAWAYS
• You need both posture and
runtime protection
• Scan your posture as soon
as possible (shift left)
• Apply runtime protection
on dev/staging/production
Stay Safe!
Questions?
18. • I am 48
• L.L.B law degree - Ono academic college
• I am the CTO of FOSSAware
• I specialized in FOSS technologies and software audits
• I help organizations to implement a risk management program to manage their OSS usage, lower
the remediation costs and comply with ISO standards
• I also perform tech due-diligence audits and escort such process for target companies
18
Who am I
18
20. 20
freely accessed, used, changed, and shared
FSF
four essential freedoms of the
Free Software Definition
OSI
Ten criteria of the Open Source
Software Definition
20
FOSS Definition
21. Legal risk
• Losing IP protection
• Paying Monetary Damages
• Block product shipment/distribution (Injunction)
• Negative press and damaged relationship with customers
Cyber security vulnerabilities
• Denial of service, taking a service offline
• Business intelligence and Client information theft
• Hacker remote access
• Ransom attacks
Operational risk
• Losing ability to build your software due to missing web based components
• Losing community support due to open source project with low contribution
activities
• Using outdated open source components (less secure, more complex to
upgrade)
Open Source Risks
21
28. Own Proprietary
Software
3rd Party Commercial
Software
Open Source
Commercial Software
Dependencies
Open Source
Dependencies
28
Open Source in Commercial Software
30. dateutil vs python3-dateutil 350 FORKS
jellyfish vs jeIlyfish (“L” is an “I”) 122 FORKS
Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks
30
OSS Malicious Package Analysis by the Academy
Hundreds of open
source packages were
used in real cyber
events
61% malicious
packages used
typosquatting
2nd most common –
injection to existing
package
31. Source: Dustico Blog, https://dusti.co/blog/unsafe-to-download-pip/
31
Downloaded FOSS may include hidden setup
33. #1 Lodash
#2 FasterXML jackson-databind
#3 HtmlUnit
#4 Handlebars
#5 http-proxy
33
Source: WhiteSource, Top 10 Open Source Vulnerabilities In 2020
33
Top 10 Open Source Vulnerabilities In 2020
42. 42
42
PyPI and NPM Flooded with over 5,000 Dependency Confusion Copycats
Source: securityreport.com
Copycat behavior (Dependency Confusion based)
43. • Human factor (training)
• Proprietary code (static analysis)
• Supply chain 3rd party (liability &
support)
• Open Source?
• White/Black-box (testing)
What is the weakest / unknown link of the chain?
43
45. “Developers often use available open source and third-party
software components to create a product; an SBOM allows the
builder to make sure those components are up to date and to
respond quickly to new vulnerabilities. Buyers can use an SBOM to
perform vulnerability or license analysis, both of which can be used
to evaluate risk in a product.”
What Biden has to say on Open Source?
45
48. Homegrown code
3rd Party Commercial
Software
Open Source
Commercial Software
Dependencies
Open Source
Dependencies
48
Open Source in Commercial Software
50. 3rd Party Commercial
Software
Open Source
Dependencies
Open Source
Dependencies
50
Choosing right
Manage your
software supply
chain in “critical
software”
Manage your Open Source
“critical software” — software that performs functions critical to trust (such as affording or
requiring elevated system privileges or direct access to networking and computing resources)
52. End User License Agreement
BSD Open Source License
52
Manage risks from 3rd party (Supply Chain)
Common Default in Commercial Software Agreements
53. Homegrown code Open Source 3rd Party Proprietary SW
Cost
All type of software
requires some level of
compliance and/or
vulnerability
monitoring
Possible
Vulnerabilities
IP rights Owned Licensed Licensed
License
Requirements
Procurement is
being done by
Homegrown The developers Procurement people
Monitoring is being
done using different
tools, processes, and
policies
Who is
responsible?
The developer The developer The vendor
Support By the developer Community/Developer By the vendor
Additional
Dependencies
Access to Source
Code
Analysis tools
Static Code Analysis
Software Composition
Analysis
Penetration Test
53
53
Homegrown vs. Open Source vs. 3rd Party Proprietary SW
54. 54
54
1. Risk management program (ISO-5230)
• Policy
• Process
• Tools
• Training
2. Early detection = Lower remediation cost
3. Ongoing management (pre-> post production)
OSS in Commercial Software Development
60. AI and Community powered
Attack Surface and Operations
Management For SMEs
Reducing Time From Breach to Fix
Recover From Incidents Offensive
Engineering
Cynergy.app
61. Agenda
Kesaya breach story
Attack Surface 101
Why AI?
Continuous Red-Team, the good the bad and the ugly.
Open topics for further research and innovation
1
2
3
4
5
73. Additional Research...
1 Faster and Better Context
2 Threat Intelligence to
Improve Prioritization
3 AI based mitigation - GPT3
4 Integration with CICD
76. Turn any Kubernetes solution into
Zero-Trust by design
FROM ZERO to ZERO-TRUST
77. WHAT ARE WE UP AGAINST?
What hackers are looking for? What do they do inside?
• Data
Business & customer’s data
• Keys
Encryption & Authentication
• Resources
CPU (coin miners)
Storage
Network (bots)
• Damage & Extortion
Ransome
DDoS, UI/UX harm
• Intellectual Property
Algorithms
APIs
• Use existing software in
inappropriate way
• Change behavior of existing
software
Change configuration
• Inject new software
Corrupt existing software
Add new software
How do they break in?
• Misconfigurations
• Credential abuse
• Software vulnerability
79. DON’T TRUST, VERIFY!
Protect customer solutions
even if infrastructure is
compromised
Genuine Software
Identity – like DNA
Automated Zero-Trust
Network Policy
Transparent Data
Signing & Encryption
80. SOFTWARE DNA – WHAT DOES THIS MEAN?
Executable
DLL/SO
DLL/SO
ARMOGuard
DLL/SO
Python/Java/JS/.NET
ConfigFile/ConfigMap
Environment Variables
Command Line
ARMO
Back-End
Prove DNA validity
Receive Cryptographic Materials
Protect process memory while it runs:
• Validate cryptographic digest of every relevant
artifact
• Prevent unsigned artifacts from loading
• Keep containers immutable
• Use Kubernetes for automation