2. Posture Vs Runtime

3. APPLICATION RELEASE CYCLE
Security Assessment

4. K8S WHO, WHY AND HOW?
How often are you release cycles?
What role at your organization is
most responsible for container
and Kubernetes security?

5. K8S WHO, WHY AND HOW?
• Compliance is a priority
• Lack of K8s knowledge, uses:
• Network security (NGFW) for North-
South sanitation
• WAF/API gateways for application-level
vulnerabilities
• Willing to purchase a standalone
solution for K8s security
• Looking for solution that covers A-Z
(runtime, posture etc)
• Security is not priority
• Hates adding tools to his pipeline
• Bottle neck in the organization
• “Don’t touch my production!” -
shift left
• Everything is code/API
• Visibility is very
important, but not as
a standalone offering
• Secret management
is a headache
Deliver code as fast as possible
Risk Mitigation, Compliance
and avoid data breach

6. K8S CUSTOMERS POINT OF VIEW

7. K8S CUSTOMERS POINT OF VIEW

8. SHIFT LEFT

9. CAN WE SECURE USING ONLY SHIFT LEFT?
Others can claim:
IMO, NO!!!
Micro Services are predictable
Pro: Watch for abnormal behavior
Con: Not really the case with many types
of workloads -> a lot of false positive
Immutability
Pro: you scan for vulnerabilities and deliver new image
every time
Con: if the attacker knows how to insert a malware he
can do it every time + maybe he is already on the
host/other workload

10. POSTURE VS RUNTIME

11. K8S SECURITY REQUIREMENTS

12. WHERE AND WHY EXISTING SOLUTIONS FAIL
Endless chase
No single source of truth for K8s
Configuration
Thousands of potential
misconfigurations
Inability to build a reliable
normal baseline
False Positives, Complexity, and
performance impact
Resources intensive
Find Vulnerabilities &
Misconfigurations
Anomaly Behavioral Analysis
and Network Segmentation
K8S POSTURE MANAGEMENT K8S RUN TIME PROTECTION

13. LOOKING TO SECURE KUBERNETES?
K8S POSTURE MANAGEMENT K8S RUN TIME PROTECTION
kubernetes

14. A WHOLE
NEW WAY
TO SECURE
KUBERNETES
Infusing Visibility,
Control, and Security
Seamlessly into
Every Workload

15. ARMO BRINGS K8S POSTURE AND
RUNTIME TOGETHER -
SEAMLESSLY
Enrich finding with runtime deep
visibility information
Shrink the attack surface based
on field proven best practices
Continuous compliance
validation and auditing
From Zero to Zero-Trust in 10
minutes
No need to change policies
when microservices change
Resiliency by design, even
against the most advanced
attacks
Add Context and Relevancy to
posture findings
Patented one-YAML deterministic
ZERO-TRUST
K8S POSTURE MANAGEMENT K8S RUN TIME PROTECTION
ARMO Kubernetes
Fabric™

16. KEY TAKEAWAYS
• You need both posture and
runtime protection
• Scan your posture as soon
as possible (shift left)
• Apply runtime protection
on dev/staging/production
Stay Safe!
Questions?

17. The greatest risk
is the one you are not aware of
zvika.ronen@fossaware.com
TEL: +972-(0)52-426-5306
All right reserved © FOSSAware LTD

18. • I am 48
• L.L.B law degree - Ono academic college
• I am the CTO of FOSSAware
• I specialized in FOSS technologies and software audits
• I help organizations to implement a risk management program to manage their OSS usage, lower
the remediation costs and comply with ISO standards
• I also perform tech due-diligence audits and escort such process for target companies
18
Who am I
18

19. 19
Few Words on Open Source
19

20. 20
freely accessed, used, changed, and shared
FSF
four essential freedoms of the
Free Software Definition
OSI
Ten criteria of the Open Source
Software Definition
20
FOSS Definition

21. Legal risk
• Losing IP protection
• Paying Monetary Damages
• Block product shipment/distribution (Injunction)
• Negative press and damaged relationship with customers
Cyber security vulnerabilities
• Denial of service, taking a service offline
• Business intelligence and Client information theft
• Hacker remote access
• Ransom attacks
Operational risk
• Losing ability to build your software due to missing web based components
• Losing community support due to open source project with low contribution
activities
• Using outdated open source components (less secure, more complex to
upgrade)
Open Source Risks
21

22. https://www.theregister.com/2001/06/02/ballmer_linux_is_a_cancer/
Steve Ballmer Former Microsoft CEO
22

23. 23
Today Everyone loves
Open Source
23

24. 24
https://www.zdnet.com/article/ballmer-i-may-have-called-linux-a-cancer-but-now-i-love-it/

25. 25

26. Source: Synopsys OSSRA 2021
26

27. Source: Synopsys OSSRA 2021
Industry Sectors and Open Source
27

28. Own Proprietary
Software
3rd Party Commercial
Software
Open Source
Commercial Software
Dependencies
Open Source
Dependencies
28
Open Source in Commercial Software

29. 29
Hackers also Love Open Source
29

30. dateutil vs python3-dateutil 350 FORKS
jellyfish vs jeIlyfish (“L” is an “I”) 122 FORKS
Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks
30
OSS Malicious Package Analysis by the Academy
Hundreds of open
source packages were
used in real cyber
events
61% malicious
packages used
typosquatting
2nd most common –
injection to existing
package

31. Source: Dustico Blog, https://dusti.co/blog/unsafe-to-download-pip/
31
Downloaded FOSS may include hidden setup

32. Source: WhiteSource, 2021
32
Open Source Vulnerabilities Continue To Increase

33. #1 Lodash
#2 FasterXML jackson-databind
#3 HtmlUnit
#4 Handlebars
#5 http-proxy
33
Source: WhiteSource, Top 10 Open Source Vulnerabilities In 2020
33
Top 10 Open Source Vulnerabilities In 2020

34. 34
Source: Sonatype, devsecops community survey 2020

35. 35
Open Source related breaches
occur much too often
35

36. Source: Sonatype, devsecops community survey 2020
1 in 5 breaches is Open Source related
36

37. Open Source Component - Apache Struts (CVE-2017-5638)
37
Equifax breach was 100% preventable

38. • Popularity: 2 million downloads per week
• Dependency: “flatmap-stream” has malicious code
• The action: Harvest the victim’s “copay” private keys
• Intention: Steal Bitcoin
• Result: 7000 stollen bitcoins
38
The “Event-Stream” incident
https://github.com/dominictarr/event-stream/issues/116

39. • Open Source Component - Mozjpeg (CVE-2020-13790)
• Mozjpeg weekly downloads from NPM - 650k
Instagram Hack core reason – Mozjpeg
39

40. 40
40
Source: reddit.com
CODECOV

41. Source: medium.com/@alex.birsan/dependency-confusion
41

42. 42
42
PyPI and NPM Flooded with over 5,000 Dependency Confusion Copycats
Source: securityreport.com
Copycat behavior (Dependency Confusion based)

43. • Human factor (training)
• Proprietary code (static analysis)
• Supply chain 3rd party (liability &
support)
• Open Source?
• White/Black-box (testing)
What is the weakest / unknown link of the chain?
43

44. 44
Top 10 Web Application Security Risks

45. “Developers often use available open source and third-party
software components to create a product; an SBOM allows the
builder to make sure those components are up to date and to
respond quickly to new vulnerabilities. Buyers can use an SBOM to
perform vulnerability or license analysis, both of which can be used
to evaluate risk in a product.”
What Biden has to say on Open Source?
45

46. 46
What Should We Do?
46

47. 47
1. Know Your Product
47

48. Homegrown code
3rd Party Commercial
Software
Open Source
Commercial Software
Dependencies
Open Source
Dependencies
48
Open Source in Commercial Software

49. 49
2. Manage your Open Source
49

50. 3rd Party Commercial
Software
Open Source
Dependencies
Open Source
Dependencies
50
Choosing right
Manage your
software supply
chain in “critical
software”
Manage your Open Source
“critical software” — software that performs functions critical to trust (such as affording or
requiring elevated system privileges or direct access to networking and computing resources)

51. 51
CII Best Practices badge program

52. End User License Agreement
BSD Open Source License
52
Manage risks from 3rd party (Supply Chain)
Common Default in Commercial Software Agreements

53. Homegrown code Open Source 3rd Party Proprietary SW
Cost
All type of software
requires some level of
compliance and/or
vulnerability
monitoring
Possible
Vulnerabilities
IP rights Owned Licensed Licensed
License
Requirements
Procurement is
being done by
Homegrown The developers Procurement people
Monitoring is being
done using different
tools, processes, and
policies
Who is
responsible?
The developer The developer The vendor
Support By the developer Community/Developer By the vendor
Additional
Dependencies
Access to Source
Code
Analysis tools
Static Code Analysis
Software Composition
Analysis
Penetration Test
53
53
Homegrown vs. Open Source vs. 3rd Party Proprietary SW

54. 54
54
1. Risk management program (ISO-5230)
• Policy
• Process
• Tools
• Training
2. Early detection = Lower remediation cost
3. Ongoing management (pre-> post production)
OSS in Commercial Software Development

55. 55
3. Do not invent the wheel
55

56. International Standard for open source license compliance
56

57. Questions?
zvika.ronen@fossaware.com
TEL: +972-(0)52-426-5306

58. The greatest risk
is the one you are not aware of
zvika.ronen@fossaware.com
TEL: +972-(0)52-426-5306

59. Automated Red-Team for Managing Attack Surface
Alex Peleg
CEO | Hacker

60. AI and Community powered
Attack Surface and Operations
Management For SMEs
Reducing Time From Breach to Fix
Recover From Incidents Offensive
Engineering
Cynergy.app

61. Agenda
Kesaya breach story
Attack Surface 101
Why AI?
Continuous Red-Team, the good the bad and the ugly.
Open topics for further research and innovation
1
2
3
4
5

62. What has gone wrong?
A server was exposed....

63. Attack Surface 101
Attackers need only one
hole in the defense

64. Attack Surface 101
External Attack Surface

65. Attack Surface 101
Web & Mobile Apps

66. Attack Surface 101
Infrastructure

67. Attack Surface 101
Cloud

68. Attack Surface 101
Employees

69. Attack Surface 101
3rd & 4th Parties

70. Attack Surface 101
Subsidiaries

71. Why AI?
Context Scale Stupidity

72. Continuous Red-Team

73. Additional Research...
1 Faster and Better Context
2 Threat Intelligence to
Improve Prioritization
3 AI based mitigation - GPT3
4 Integration with CICD

74. Q&A

75. Thanks and Questions! Alex@cynergy.app
Type text

76. Turn any Kubernetes solution into
Zero-Trust by design
FROM ZERO to ZERO-TRUST

77. WHAT ARE WE UP AGAINST?
What hackers are looking for? What do they do inside?
• Data
 Business & customer’s data
• Keys
 Encryption & Authentication
• Resources
 CPU (coin miners)
 Storage
 Network (bots)
• Damage & Extortion
 Ransome
 DDoS, UI/UX harm
• Intellectual Property
 Algorithms
 APIs
• Use existing software in
inappropriate way
• Change behavior of existing
software
 Change configuration
• Inject new software
 Corrupt existing software
 Add new software
How do they break in?
• Misconfigurations
• Credential abuse
• Software vulnerability

78. KNOCK-KNOCK, WHO IS THERE?
Who is calling my APIs? Who is reading my
Data?

79. DON’T TRUST, VERIFY!
Protect customer solutions
even if infrastructure is
compromised
Genuine Software
Identity – like DNA
Automated Zero-Trust
Network Policy
Transparent Data
Signing & Encryption

80. SOFTWARE DNA – WHAT DOES THIS MEAN?
Executable
DLL/SO
DLL/SO
ARMOGuard
DLL/SO
Python/Java/JS/.NET
ConfigFile/ConfigMap
Environment Variables
Command Line
ARMO
Back-End
Prove DNA validity
Receive Cryptographic Materials
Protect process memory while it runs:
• Validate cryptographic digest of every relevant
artifact
• Prevent unsigned artifacts from loading
• Keep containers immutable
• Use Kubernetes for automation

81. INTENTION
POD A
Secret Volume
POD B
Server
Legit App
Container Container

82. REALITY
POD A
Secret Volume
POD B
Injected App
Server
Legit App
Container Container

83. WITH ARMO ZERO-TRUST
POD A
Secret Volume
POD B
Injected App
Server
Legit App
Container Container

84. DEMO
Questions?

85. • Thank You!
• Questions?
• To be continued…