It can be challenging to understand where critical risks reside, especially when adopting mandated security tools, and difficult to assert the absence of security gaps that may remain in your organisation. Our Penetration Testing Group provides insight into the security posture of our clients’ cloud native environments, evaluating their configuration for vulnerabilities, assessing systems against key threats and delivering practical remediation actions.
The ControlPlane Penetration Testing Group provides three core offerings:
ControlPlane is a renowned leader in Kubernetes and container security. Our Penetration Testing Group is able to assess Kubernetes at multiple levels, from the underlying nodes to external API access and cloud provider integrations. The Penetration Testing Group have experience with managed instances such as AWS EKS, GCP GKE and Azure AKS, self-managed instances such as OpenShift, as well as complex on-premise deployments.
The security of CI/CD is critical to protecting production assets. From source code repository to production deployment, the Penetration Testing Group will assess the security posture of all systems involved in the release process. Our team’s experience is wide-ranging: from managed services such as GitHub, GitLab, and cloud provider services to self-hosted instances of Jenkins, Tekton Pipelines, Artifactory, ArgoCD and Flux.
Our assessment is not limited to traditional CI/CD pipeline components but includes supporting services such as secrets and key management systems (e.g. Vault, Cloud KMS offerings), policy enforcement technology (e.g. OPA, Kyverno) and supply chain security tools used in the integrity of code, artefacts and containers (e.g. Cosign, Notary, Tekton Chains, Rekor).
ControlPlane offers training courses in Kubernetes security, teaching the fundamentals of Kubernetes and containers, the underlying risks to clusters and workloads, and how to validate the security configuration.
Students have access to cloud-hosted clusters to examine methods of compromise, play attack scenarios against real infrastructure, and then shift their focus to defending and remediating infrastructure services.
Our customers come to ControlPlane to solve difficult problems and produce cutting-edge solutions. The Penetration Testing Group have previous experience of assessing isolated execution environments, content inspection systems and data query execution environments. If you have a unique, challenging, or industry-leading requirement which requires a security assessment, ControlPlane is happy to see if we can help.
ControlPlane has provided in-depth expertise in consulting on and deploying cloud native technology and supply chain security solutions for over five years, advising our clients on how to secure systems from code to production.
Our CEO co-authored “Hacking Kubernetes”, a practical guide to Kubernetes security and how it is attacked. We’ve provided Kubernetes training from fundamentals to advanced security for highly regulated clients, and regularly run capture the flag tournaments at KubeCon+CloudNativeCon and security conferences.
ControlPlane authored the CIS GKE Benchmarks and is active in the open source community, providing security patches to CI/CD-related projects.
If you are interested in any of these services or would like to enquire about our other offerings, please get in touch with us here.