Open Source, Community, and Presentations
Open Source
Our Red and Blue Team open source
kubesec
https://github.com/controlplaneio/kubesec
Security risk analysis for Kubernetes resources. Identifies misconfigurations and generates recommendations to improve the security of Pods, Deployments, and other resources. Used to find insecure configurations, harden security contexts, and learn Kubernetes pod security. Available as: a command line tool; free API; kubectl plugin to scan resources already in the cluster ; or a GitHub Action to run in CI/CD pipelines; GitHub Marketplace and GitLab Marketplace.
netassert
https://github.com/controlplaneio/netassert
Network security testing for DevSecOps workflows. A framework for fast, safe iteration on firewall, routing, and NACL rules for Kubernetes (Network Policies, services) and non-containerised hosts (cloud provider instances, VMs, bare metal). Aggressively parallelises nmap to test outbound network connections and ports from any accessible host, container, or Kubernetes pod by joining the same network namespace as the instance under test.
Simulator
https://github.com/controlplaneio/simulator
Kubernetes production breach simulation. Used to provision ControlPlane CTFs, and as the official CTF engine for every KubeCon since 2019. Provisions full, production-like infrastructure for attacking and debugging Kubernetes: creates a private Kubernetes cluster for each player; runs scenarios demonstrating compromise paths and vulnerabilities; trains defenders to mitigate vulnerabilities.
BadRobot
https://github.com/controlplaneio/badrobot
Security analysis for Kubernetes Operators. Analyses YAML manifests before they’re deployed to detect high-risk configurations and prevents compromised Operators from taking over a cluster through loose RBAC configurations. KubeCon EU 2022 talk on BadRobot and operator security.
truffleproc
https://github.com/controlplaneio/truffleproc
Hunt secrets in a process’s memory. A mashup of TruffleHog and gdb, it analyses a target application’s memory and outputs discovered secrets and high entropy strings. Useful for adversarial emulation, penetration testing, and testing defence in-depth security controls.
Innovation and R&D
Kubesim
Kubernetes Hacking Simulator. A Kubernetes cluster for security training, hacking, and learning. Used to run CTFs, training sessions, and workshops. The production version of Simulator.
TTX
Tabletop exercises internet-scale security incidents. A subscription service for running tabletop exercises to keep your security team sharp and prepared for the worst. We provide a range of open and closed source scenarios to test your incident response capabilities, and bring in our experts to help you learn from the experience.
IR Simulator
Incident response simulation. Dynamic incident response simulation for cloud native environments. Pairs with the TTX service to provide a full incident response training and simulation package for CISOs and security teams.
Cloud Threat Subscription
Curated counter-threat intelligence for Kubernetes. A subscription service with best-in-class patterns, practices, and automated threat remediation for Kubernetes and clound native.
Community
Security leadership and collaboration
Security Technical Advisory, The Linux Foundation (CNCF)
TAG Security is a community-run effort to secure access, policy control, privacy, auditing, and explainability of cloud native security. It sits under the Linux Foundation’s Cloud Native Computing Foundation (CNCF) — the home of Kubernetes, Prometheus, and containerd (the Docker runtime) — with a combined project market cap of $18.9T. Responsible for threat modelling and assuring cloud native technologies that are contributed to the CNCF, and assisting maintainers with security work.
ControlPlane CEO Andrew Martin is a co-chair and Head of Security Rowan Baker is a long-term contributor, including the Supply Chain Security and Cloud Security whitepapers.
OpenUK
OpenUK is a charity dedicated to the advancement of open source in the United Kingdom with a focus on its security, legal ramifications, and the community.
The charity’s pro bono CISO is Andrew Martin, advising the public and private sectors and advocating on the group’s behalf. His personal mission is to facilitate the fair remuneration of open source maintainers, enabling them to prioritise security remediation and ensuring the safe adoption of open source.
OpenSSF (Linux Foundation)
The Open Source Security Foundation implements community-wide, industry-supported security initiatives to protect open source software development and delivery.
FINOS (Linux Foundation)
The Fintech Open Source Foundation assists in open source adoption, infrastructure code reuse, and community collaboration for financial services organisations.
ControlPlane contributes into multiple working groups (including the FINOS Common Cloud Controls), conferences, and meetups.
Presentations
Our ethos is open source security, sharing with the community and learning to secure the next generation of technology in public.
2024
- Nerding out about security with Andrew Martin from ControlPlane (2024) Watch Video
- Future Open Source LLM Kill Chains (Vicente Herrera, ControlPlane) (YouTube) Watch Video
- Introducing Timoni the Next-Gen Package Manager for Kubernetes (Stefan Prodan, ControlPlane) (YouTube) Watch Video
- GitOps Continuous Delivery at Scale with Flux (Stefan Prodan) (YouTube) Watch Video
- Tackling Configuration Management at Scale with Flux, CUE and OCI at Cisco (Alec Hothan, Cisco & Stefan Prodan) (YouTube) Watch Video
- Kubernetes MLSec: Securing AI in Space (Francesco Beltramini & James Callaghan, ControlPlane) (YouTube) Watch Video
- Keeping Kubernetes Safe: The Lowdown on Locked Namespaces (Marco De Benedictis, ControlPlane) (YouTube) Watch Video
- Brewing the Kubernetes Storm Center: Open Source Threat Intelligence for the Cloud Native Ecosystem (Constanze Roedig, Technische Universität Wien & James Callaghan, ControlPlane) (YouTube) Watch Video
- I’ll Let Myself In: Kubernetes Privilege Escalation Tactics (Andrew Martin & Iain Smart, ControlPlane) (YouTube) Watch Video
- Bringing light to risks lurking in the black boxes of AI models (Vicente Herrera) (YouTube) Watch Video
- Kubernetes AI Security Playbook: Safeguarding the Data and Model Supply Chain (Andrew Martin & Jack Kelly, ControlPlane) (YouTube) Watch Video
- Kubernetes MLSec: Securing AI in space (Andrew Martin & Francesco Beltramini) (YouTube) Watch Video
2023
- Back to the Future: Next-Generation Cloud Native Security (with Matt Jarvis, Snyk) (Kubecon Amsterdam, 2023) Watch Video
- Automated Cloud-Native Incident Response with Kubernetes and Service Mesh (Matt Turner, Tetrate & Francesco Beltramini, ControlPlane) (Kubecon Amsterdam, 2023) Watch Video
- Avoiding IAC Potholes with Policy & Cloud Controllers (CloudNativeSecurityCon 2023) Watch Video
- InSPIREing Progress: How We’re Growing SPIFFE and SPIRE in 2023 and Beyond (Daniel Feldman, Hewlett Packard Enterprise & Andrés Vega, ControlPlane) (Kubecon Amsterdam, 2023) Watch Video
- Threat Model Report: Security Considerations for Hardening Declarative GitOps on K8s with Argo CD (Torin van den Bulk & James Callaghan, ControlPlane) (YouTube) Watch Video
- Envoy Gateway End User Threat Model Report: Raising Awareness of Gateway API Security (James Callaghan & Torin van den Bulk, ControlPlane) (YouTube) Watch Video
- Smarter than your average SBOM ! (Matt Jarvis & Andrew Martin) (YouTube) Watch Video
- Harnessing the Power of OSCAL: A Dive into Continuous and Automated Compliance for Kubernetes (Francesco Beltramini) (YouTube) Watch Video
- Hacking and Defending Kubernetes Clusters: We’ll Do It LIVE!!! (Fabian Kammel & James Cleverley-Prance, ControlPlane) (YouTube) Watch Video
- Woman Rock interview with Maddie Clingan (ControlPlane) (YouTube) Watch Video
- Security Threat Modeling Live from Scratch Session (Andrew Martin, ControlPlane) (YouTube) Watch Video
- Learn by Hacking: How to Run a 2,500 Node Kubernetes CTF (Andrew Martin & Andrés Vega) (YouTube) Watch Video
2022
- A Treasure Map of Hacking (and Defending) Kubernetes (Kubecon Valencia, 2022) Watch Video
- Tweezering Kubernetes Resources: Operating on Operators (Kevin Ward) (KubeCon Valencia, 2022) Watch Video
- Three Surprising K8s Networking “Features” and How to Defend Against Them (James Cleverley-Prance) (KubeCon Valencia, 2022) Watch Video
- Untrusted Execution: Attacking the Cloud Native Supply Chain (Kubecon NA 2022) Watch Video
- Threat Modelling Kubernetes: A Lightspeed Introduction (Lewis Denham-Parry) (KubeCon Valencia, 2022) Watch Video
- Throw Away Your Passwords: Trusting Workload Identity (KubeCon Valencia, 2022) Watch Video
- VEXing Open Source Security: Vulnerability Data for Everything (SupplyChainSecurityCon EU 2022) Watch Video
- Techstrong TV — KubeCon + CloudNativeCon NA (2022) Watch Video
- Attacking the Cloud Native Supply Chain (Andrew Martin, ControlPlane) (YouTube) Watch Video
2021
- Kubernetes Supply Chain Security: The Software Factory (Kubecon NA, 2021) Watch Video
- Cloud Native Security Day, Capture The Flag (CTF group run with Liz Rice, Rory McCune, David McKay) (Kubecon EU, 2021) Watch Video
- Kubernetes and Cloud Security with Andrew Martin (2021) Watch Video
2020
- In a Container, Nobody Hears Your Screams: Next Generation Process Isolation (Kubecon EU, 2020) Watch Video
- How (Not) To Containerise Securely: Lessons Learned the Hard Way (FOSDEM 2020) Watch Video
2019
- The State of Your Supply Chain (2018) (Kubecon Shanghai, 2019) Watch Video
- Rootless, Reproducible, and Hermetic: Secure Container Build Showdown (KubeCon Barcelona, 2019) Watch Video
2018
- Live Container Hacking: Capture The Flag (Container Camp London, 2018) Watch Video
- Continuous Kubernetes Security (DevOpsDays Riga, 2018 Watch Video
- From Kubelet to Istio: Kubernetes Network Security Demystified (KubeCon Copenhagen, 2018) Watch Video
- Meteor-Proof Infrastructure: Reproducible Environments with Container Build Images (PIPELINE, 2018) Watch Video
2017
- Insecure Containers? Continuous Defense Against Open Source Exploits (KubeCon Berlin, 2017) Watch Video
Publications
Our contributions to books, whitepapers, and training courses.
Hacking Kubernetes - Andrew Martin, Michael Hausenblas https://learning.oreilly.com/library/view/hacking-kubernetes/9781492081722/
TAG Security Supply Chain (for CNCF) sig-security Supply Chain Security Whitepaper https://www.cncf.io/announcements/2021/05/14/cncf-paper-defines-best-practices-for-supply-chain-security/
TAG Security Cloud Native Security Whitepaper (for CNCF) https://www.cncf.io/blog/2020/11/18/announcing-the-cloud-native-security-white-paper/
Why World Leaders Must Invest In Open Source Technology https://expertinsights.com/insights/interview-amanda-brock-andrew-martin-openuk/
11 Ways (Not) to Get Hacked (for Kubernetes.io) https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/
Threat Modelling Kubernetes (for O’Reilly Online)
SEC584: Attacking and Defending Cloud Nativ (for SANS)
Kubernetes Attack Trees (for Financial Services User Group)
Attacking and Defending Kubernetes (for O’Reilly Online)
Istio (for Aqua)
GKE CIS Benchmarks (for Google Cloud)
Hardening Git for GitOps (for Weave)
Media
Interviews and panels across the years.
Global Newswire
Expert Insights
Accuknox - Fireside chat with Andrew https://www.accuknox.com/blog/accuknox-fire-side-chat-with-andrew
OpenUK: Security, Practical Challenges October 17, 2022 Thought Leadership Day Liz Rice - Chief Open Source Officer Isovalent https://www.youtube.com/watch?v=yJuw3jDZJW8
- Andrew Martin - Founder & CEO ControlPlane
- Sarah Novotny - Open Source Wonk, Azure Office of CTO Microsoft
- Mark Cox - VP Security Apache Foundation (log4J)
- Sal Kimmich - Open Source Developer Advocate Sonatype
Exploring container security: four takeaways from Container Security Summit 2019 https://cloud.google.com/blog/products/containers-kubernetes/exploring-container-security-four-takeaways-from-container-community-summit-2019
LIVE Panel on Security (moderated by Peter McKee): Justin Cormack (Docker CTO), Andrew Martin (ControlPlane CEO), Peter McKee (Docker Head of Developer Relations), Liz Rice (Isovalent Chief Open Source Officer), Liral Tal (Snyk Developer Advocate) Join host Peter McKee with a panel of security professionals as we discuss Container Security in a Cloud Native World. We will discuss topics such as shifting left, application development and container security, software supply chain attacks and more. We will also be taking questions live from the attendees.
Is the future for secure computer systems open source? LIVE from Digital Catapult, London - 29 June Andrew Martin, Bruce Perens, Amanda Brock, https://www.youtube.com/watch?v=LxdQY4eMuWM
Committing to Cloud Native (for Curiefense) https://open.spotify.com/episode/7tdM04TMRS6CTqtydRrMLH
DevSecOps - Views from the coal face https://snyk.io/learn/snykcon-devsecops-views-from-the-coal-face/
Access Control: Securing Kubernetes (for Teleport) https://goteleport.com/resources/podcast/access-control-andrew-martin/
COSECAST: The KubeCon CTF https://cosecast.com/episode-8-kubecon-ctf/
BeerSecOps #01: Discussing GitOps with Andy Martin (ControlPlane)
Enterprise Security: Gain Control Over Cloud Security https://www.enterprisesecuritymag.com/controlplane-