Detect: Identify Risks Fast
Threat Modelling
Isolate critical security threats to Kubernetes and other container-based systems, and implement the security controls and measures that mitigate them.
- How we assured GKE for Google Cloud Platform
- Our work with Verisign assuring internet-scale critical architecture
- The JPMC security assurance for Amazon EKS project
We built the first threat models for Kubernetes and lead the CNCF community threat modelling work under the Linux Foundation.
Threat model full or partial systems, infrastructure proposals, and individual software services. Duration depends on scope, timeboxing, and the complexity of the system:
- 1 or 2 day workshop
- 1 to 2 week writeup
- Presentation and next steps meeting
See our threat modelling packages.
Kubernetes & Cloud Penetration Testing
Test Kubernetes and cloud-native systems to identify vulnerabilities and security risks. We offer fixed-price and time-based engagements; see our penetration testing scoping for details.
- Kubernetes and associated services
- EKS and AWS cloud
- GKE and GCP cloud
- AKS and Azure cloud
- On-prem and airgapped systems
Supply Chain Security
Our supply chain case studies.
Protect your organisation's software supply chain from security threats by implementing security measures and best practices.
We build supply-chain security practices into the systems we deliver. Our talks on the subject:
- Open Source Ingestion: How’s your Supply Chain with your insecure OSS ingestion? (James Holland, Citi)
- Supply Chain: Untrusted Execution: Attacking the Cloud Native Supply Chain (Andrew Martin, ControlPlane)
- Software Factory: Kubernetes Supply Chain Security: The Software Factory (Andrew Martin, ControlPlane)
Assurance & Maturity Assessment
Our assurance case studies.
Evaluate your security posture, including security architecture and processes, to identify weaknesses through detailed assessments based on industry standards.
- How we assured a decentralized storage and compute system
- Enabling a successful banking licence application with a Kubernetes project
We can help with:
- Review of cluster security controls
- Analysis of system security threats
- Evaluation of organisation-wide security posture
See our assurance packages.
Correct: Secure by Design DevSecOps
Platform Engineering & Development
Our platform engineering case studies.
Develop secure software delivery platforms and applications designed to resist attack and minimise the risk of data breaches and other security incidents.
- Cloud native solutions using the best of the cloud provider offerings
- Identify, measure, and remediate platform risks
- Integrated guard rails
- Developer experience focus balanced with security requirements
GitOps and Progressive Delivery
Our supply chain case studies.
ControlPlane offers a hardened, enterprise-grade distribution of, and support services for, the CNCF-graduated open-source Flux CD project.
Implement secure and efficient GitOps with Flux CD. Our enterprise assurance and support for Flux CD architecture, deployment, and supply chain management covers the key security components of modern software delivery, built around GitOps.
- Secure GitOps with Flux CD
- Tekton Pipelines with Chains and secure supply chain attestation
- Evidence lakes for audit data recall
- Reduced cycle time, delivered securely, for happier developers
Operational Automation
Our platform engineering case studies.
Automate routine infrastructure tasks and processes to improve efficiency and reduce the risk of human error.
- Infrastructure as Code
- Secure by Design
- Secure Supply Chain
Telemetry & Sensors
Our platform engineering case studies.
Threat observability and data analysis to identify vulnerabilities and performance issues. We integrate with SOC and SIEM processes to ensure detection and response.
- Automated detection triggers
- Event threat models and remediation guidance
- KPIs and SLOs for security
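As an added illustration of what an automated detection trigger over cluster telemetry looks like (example code written for this page, not ControlPlane's own tooling), the Go program below runs three hypothetical rules over Kubernetes API server audit events: interactive exec into a pod, a cluster-wide listing of secrets, and a service account being refused with 403. The audit log lines are constructed for the example; the field names follow the audit.k8s.io/v1 event format. Only the ResponseComplete stage is evaluated, because the API server also logs a RequestReceived record for the same request and evaluating both would double-count every match.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuditEvent is the subset of a Kubernetes API server audit event
// (audit.k8s.io/v1) that the rules below inspect.
type AuditEvent struct {
	Stage string `json:"stage"`
	Verb  string `json:"verb"`
	User  struct {
		Username string `json:"username"`
	} `json:"user"`
	ObjectRef struct {
		Resource    string `json:"resource"`
		Subresource string `json:"subresource"`
		Namespace   string `json:"namespace"`
		Name        string `json:"name"`
	} `json:"objectRef"`
	ResponseStatus struct {
		Code int `json:"code"`
	} `json:"responseStatus"`
}

// Alert is what a trigger would forward to the SOC or SIEM.
type Alert struct {
	Rule   string
	User   string
	Detail string
}

// Rule returns a non-empty detail string when the event matches.
type Rule struct {
	Name  string
	Match func(e AuditEvent) string
}

// Rules are hypothetical detection triggers chosen for this example.
var Rules = []Rule{
	{"pod-exec", func(e AuditEvent) string {
		if e.Verb == "create" && e.ObjectRef.Resource == "pods" && e.ObjectRef.Subresource == "exec" {
			return "exec into " + e.ObjectRef.Namespace + "/" + e.ObjectRef.Name
		}
		return ""
	}},
	{"cluster-wide-secret-list", func(e AuditEvent) string {
		// An empty namespace on a list of secrets means all namespaces.
		if e.Verb == "list" && e.ObjectRef.Resource == "secrets" && e.ObjectRef.Namespace == "" {
			return "listed secrets across all namespaces"
		}
		return ""
	}},
	{"service-account-forbidden", func(e AuditEvent) string {
		if e.ResponseStatus.Code == 403 && strings.HasPrefix(e.User.Username, "system:serviceaccount:") {
			return fmt.Sprintf("%s %s denied", e.Verb, e.ObjectRef.Resource)
		}
		return ""
	}},
}

// Detect parses newline-delimited audit JSON and runs every rule over each
// completed request. A malformed line aborts with the line number.
func Detect(lines []string) ([]Alert, error) {
	var alerts []Alert
	for i, line := range lines {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var e AuditEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		// RequestReceived records describe the same request again; skip them.
		if e.Stage != "ResponseComplete" {
			continue
		}
		for _, r := range Rules {
			if detail := r.Match(e); detail != "" {
				alerts = append(alerts, Alert{Rule: r.Name, User: e.User.Username, Detail: detail})
			}
		}
	}
	return alerts, nil
}

// SampleLog is a constructed audit log for the example, not real data.
var SampleLog = []string{
	`{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","verb":"create","user":{"username":"alice"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"payments-7d9"}}`,
	`{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"alice"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"payments-7d9"},"responseStatus":{"code":101}}`,
	`{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"bob"},"objectRef":{"resource":"secrets"},"responseStatus":{"code":200}}`,
	`{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"ci"},"objectRef":{"resource":"secrets","namespace":"dev"},"responseStatus":{"code":200}}`,
	`{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:web"},"objectRef":{"resource":"configmaps","namespace":"kube-system","name":"cluster-config"},"responseStatus":{"code":403}}`,
}

func main() {
	alerts, err := Detect(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-26s user=%s %s\n", a.Rule, a.User, a.Detail)
	}
}
```

Over the sample log this raises three alerts: the exec by alice (counted once despite two audit records), bob's cluster-wide secret listing, and the 403 for the default/web service account. The namespaced secret listing by ci is deliberately not flagged; whether that should also page someone is a per-environment tuning decision.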
Protect: Nurture Talent and Stay Secure
Breach Simulation
Our CTF case studies.
Simulate a security breach to test incident response plans and identify areas for improvement.
- Real infrastructure
- Isolated security sandboxes
- Unlimited testing and training
We run the official CTFs for KubeCon. We teach security alongside a host of cloud native security experts, and can customise events to simulate your target systems.
Cloud Native Training Curriculum
Our training courses focus on the secure development and deployment of cloud native applications and systems. We are long-time cloud native trainers, from Docker and Terraform through Kubernetes and Service Mesh, and have trained the world’s biggest organisations under contract to SANS, O’Reilly, The Linux Foundation, and more.
We care about imparting knowledge that remains relevant and sticks with your team, and cater for introductory through advanced levels.
Purple Team Training
Our purple team case studies.
Combine elements of both red team (offensive) and blue team (defensive) security testing to improve security posture.
- Learn by hacking to build better defence
- Share responsibility for security amongst your teams
- Build a culture of security
Zero Trust Systems
Our zero trust case studies.
Implement a security model that treats every user, device, and application as untrusted and requires authentication and authorisation for every access attempt, minimising the risk of unauthorised access or data breaches.
- Remove passwords and replace them with short-lived credentials
- Encryption in transit, signing at rest, federated identity
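To make the "short-lived credentials instead of passwords" point concrete, the Go program below is an added example (not ControlPlane's code or any particular product's API) of an issuer that mints HMAC-signed credentials with a capped lifetime and a verifier that checks the signature before trusting any claim, then enforces expiry. The static signing key and the plain JSON claim format are assumptions made for the example; a real deployment would have the key held and rotated by the identity provider and would usually use a standard token format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the signed payload of a short-lived credential.
type Claims struct {
	Subject   string `json:"sub"`
	IssuedAt  int64  `json:"iat"`
	ExpiresAt int64  `json:"exp"`
}

var (
	ErrInvalid = errors.New("credential invalid")
	ErrExpired = errors.New("credential expired")
)

// Issuer mints and verifies credentials with a single HMAC key. The static
// key is an assumption for this example; production issuers rotate keys.
type Issuer struct {
	key    []byte
	maxTTL time.Duration // hard cap on credential lifetime
}

func NewIssuer(key []byte, maxTTL time.Duration) *Issuer {
	return &Issuer{key: key, maxTTL: maxTTL}
}

func (i *Issuer) sign(payload []byte) []byte {
	mac := hmac.New(sha256.New, i.key)
	mac.Write(payload)
	return mac.Sum(nil)
}

// Issue returns a credential for subject that is valid for ttl from now.
// Requests for a longer lifetime than maxTTL are refused rather than clamped,
// so a caller cannot silently obtain a longer-lived credential than policy allows.
func (i *Issuer) Issue(subject string, ttl time.Duration, now time.Time) (string, error) {
	if ttl <= 0 || ttl > i.maxTTL {
		return "", fmt.Errorf("ttl %s outside (0, %s]", ttl, i.maxTTL)
	}
	payload, err := json.Marshal(Claims{
		Subject:   subject,
		IssuedAt:  now.Unix(),
		ExpiresAt: now.Add(ttl).Unix(),
	})
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(i.sign(payload)), nil
}

// Verify checks the signature in constant time before parsing the claims, so a
// tampered expiry can never extend a stolen credential, then enforces exp.
func (i *Issuer) Verify(token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return Claims{}, ErrInvalid
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return Claims{}, ErrInvalid
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return Claims{}, ErrInvalid
	}
	if !hmac.Equal(sig, i.sign(payload)) {
		return Claims{}, ErrInvalid
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, ErrInvalid
	}
	if now.Unix() >= c.ExpiresAt {
		return Claims{}, ErrExpired
	}
	return c, nil
}

func main() {
	iss := NewIssuer([]byte("example-key-not-for-production"), 15*time.Minute)
	now := time.Now()
	tok, err := iss.Issue("payments-service", 5*time.Minute, now)
	if err != nil {
		panic(err)
	}
	c, err := iss.Verify(tok, now.Add(4*time.Minute))
	fmt.Println(c.Subject, err)                  // payments-service <nil>
	_, err = iss.Verify(tok, now.Add(6*time.Minute))
	fmt.Println(err)                             // credential expired
}
```

The security-relevant ordering is in Verify: signature first, then claims, then expiry. Checking expiry from an unverified payload would let an attacker rewrite `exp` on a captured credential, which is exactly the long-lived-secret problem that short-lived credentials are meant to remove.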