Open Source, Community, and Presentations

Open Source

Our Red and Blue Team open source

kubesec

https://github.com/controlplaneio/kubesec

Security risk analysis for Kubernetes resources. Identifies misconfigurations and generates recommendations to improve the security of Pods, Deployments, and other resources. Used to find insecure configurations, harden security contexts, and learn Kubernetes pod security. Available as: a command line tool; free API; kubectl plugin to scan resources already in the cluster ; or a GitHub Action to run in CI/CD pipelines; GitHub Marketplace and GitLab Marketplace.

netassert

https://github.com/controlplaneio/netassert

Network security testing for DevSecOps workflows. A framework for fast, safe iteration on firewall, routing, and NACL rules for Kubernetes (Network Policies, services) and non-containerised hosts (cloud provider instances, VMs, bare metal). Aggressively parallelises nmap to test outbound network connections and ports from any accessible host, container, or Kubernetes pod by joining the same network namespace as the instance under test.

Simulator

https://github.com/controlplaneio/simulator

Kubernetes production breach simulation. Used to provision ControlPlane CTFs, and as the official CTF engine for every KubeCon since 2019. Provisions full, production-like infrastructure for attacking and debugging Kubernetes: creates a private Kubernetes cluster for each player; runs scenarios demonstrating compromise paths and vulnerabilities; trains defenders to mitigate vulnerabilities.

BadRobot

https://github.com/controlplaneio/badrobot

Security analysis for Kubernetes Operators. Analyses YAML manifests before they’re deployed to detect high-risk configurations and prevents compromised Operators from taking over a cluster through loose RBAC configurations. KubeCon EU 2022 talk on BadRobot and operator security.

truffleproc

https://github.com/controlplaneio/truffleproc

Hunt secrets in a process’s memory. A mashup of TruffleHog and gdb, it analyses a target application’s memory and outputs discovered secrets and high entropy strings. Useful for adversarial emulation, penetration testing, and testing defence in-depth security controls.

TaskCheck

https://github.com/controlplaneio/taskcheck

Detect security issues in Tekton Tasks. Static analysis to detect vulnerable Task configurations and block insecure CI/CD pipelines. Best-practice checks to prevent secrets leakage, code injection, and build stage bypass.

Tekton Chains Storage Forwarder

https://github.com/controlplaneio/chains-storage-forwarder

Tekton Tasks provenance storage OCI shim. Provides a Mongo buffer for attestation and verification metadata, before forwarding them to OCI storage as the default provider does. Backfill for functionality not yet supported in Tekton Chains.

Community

Security leadership and collaboration

Security Technical Advisory Group, The Linux Foundation (CNCF)

TAG Security is a community-run effort to secure access, policy control, privacy, auditing, and explainability of cloud native security. It sits under the Linux Foundation’s Cloud Native Computing Foundation (CNCF) — the home of Kubernetes, Prometheus, and containerd (the Docker runtime) — with a combined project market cap of $18.9T. Responsible for threat modelling and assuring cloud native technologies that are contributed to the CNCF, and assisting maintainers with security work. ControlPlane CEO Andrew Martin is a co-chair and Head of Security Rowan Baker is a long-term contributor, including the Supply Chain Security and Cloud Security whitepapers.

OpenUK

OpenUK is a charity dedicated to the advancement of open source in the United Kingdom with a focus on its security, legal ramifications, and the community. ControlPlane CEO Andrew Martin sits as the charity’s pro bono CISO, advising the public and private sectors and advocating on the group’s behalf. His personal mission is to facilitate the fair remuneration of open source maintainers, enabling them to prioritise security remediation and ensuring the safe adoption of open source.

OpenSSF (Linux Foundation)

The Open Source Security Foundation implements community-wide, industry-supported security initiatives to protect open source software development and delivery.

FinOS (Linux Foundation)

The Fintech Open Source Foundation assists in open source adoption, infrastructure code reuse, and community collaboration for financial services organisations.

Local Community Meetups

We run:

• Service Mesh London with Tetrate
• DevSecCon London with Snyk
• Threat Modelling London
• Supply Chain Security London
• and any other Meetup we can help out!

Presentations

Our ethos

• Techstrong TV — Andrew Martin, ControlPlane | KubeCon + CloudNativeCon NA 2022 https://techstrong.tv/videos/kubecon-cloudnativecon-north-america-2022/andrew-martin-control-plane-kubecon-cloudnativecon-na-2022

• Untrusted Execution: Attacking the Cloud Native Supply Chain - Andrew Martin, ControlPlane https://www.youtube.com/watch?v=vu_qMthpww8

• VEXing Open Source Security: Vulnerability Data for Everything - Andrew Martin & Andres Vega, ControlPlane (SupplyChainSecurityCon, Open Source Summit EU 2022) https://www.youtube.com/watch?v=ZiRs9S3RwhU

• Throw Away Your Passwords: Trusting Workload Identity - Andrew Martin, ControlPlane https://youtu.be/U40SlSk_9IA

• A Treasure Map of Hacking (and Defending) Kubernetes - Andrew Martin, ControlPlane (Kubecon EU, 2022) https://www.youtube.com/watch?v=1HbwfpE4XKY

• Kubernetes Supply Chain Security: The Software Factory (Kubecon NA, 2021) - Andrew Martin, ControlPlane https://www.youtube.com/watch?v=7CMhIDAPjEs

• Capture The Flag Summary + Wrap UpVirtual - Andrew Martin & Lewis Denham-Parry (Kubecon EU, 2021) https://www.youtube.com/watch?v=phKBYX6Pd_A (CTF speed run)

• Cloud Native Security Day, Capture The Flag (Andrew Martin, Liz Rice, Rory McCune, David McKay, Lewis Denham-Parry) (CTF group run) https://www.youtube.com/watch?v=bFyYaECAPpo&t=2838s

• Capture the Flag Wrap Up & Summary, Andrew Martin, ControlPlane & Magno Logan, Trend Micro (Kubecon NA, 2020) (CTF speed run) https://www.youtube.com/watch?v=pOi1aKpcuC0

• In a Container, Nobody Hears Your Screams: Next Generation Process Isolation - Andrew Martin (Kubecon EU, 2020) https://www.youtube.com/watch?v=NQrs1mpfDNc

• How (Not) To Containerise Securely Lessons Learned the Hard Way (FOSDEM 2020) https://www.youtube.com/watch?v=JvbBFwlqxeI

• Rootless, Reproducible, and Hermetic: Secure Container Build Showdown - Andrew Martin, ControlPlane (KubeCon Barcelona 2019) https://www.youtube.com/watch?v=X_Sb96EKFPA

• From Kubelet to Istio: Kubernetes Network Security Demystified (KubeCon Copenhagen 2018) https://www.youtube.com/watch?v=Uocf67aD5QQ

• The State of Your Supply Chain - Andrew Martin, ControlPlane & Maya Kaczorowski, Google https://www.youtube.com/watch?v=uDWXKKEO8NU

• Continuous Kubernetes Security - Andrew Martin ( ControlPlane) https://www.devopsdays.org/events/2018-riga/program/andrew-martin-talk-1/

• Live Container Hacking: Capture The Flag - Andrew Martin (ControlPlane) vs Ben Hall (Katacoda) (Container Camp 2018) https://www.youtube.com/watch?v=iWkiQk8Kdk8

• Insecure Containers? Continuous Defense Against Open Source Exploits - Andrew Martin ( ControlPlane) https://media.ccc.de/v/ASG2017-160-insecure_containers#t=1062

• Andrew Martin – Meteor-Proof Infrastructure: Reproducible Environments with Container Build Images – PIPELINE 2018 https://learn.pipelineconf.info/2018/03/21/andrew-martin-meteor-proof-infrastructure-reproducible-environments-with-container-build-images-pipeline-2018/

• Insecure Containers (KubeCon Berlin 2017) Best quality, don’t use branding https://www.youtube.com/watch?v=FyU4ThaR564 https://www.youtube.com/watch?v=MP09j2RdgPE

• Avoiding Release Paralysis (Node Conf London 2016) https://www.youtube.com/watch?v=vOMcJ3kRMVo

Publications

Our contributions

• Hacking Kubernetes - Andrew Martin, Michael Hausenblas https://learning.oreilly.com/library/view/hacking-kubernetes/9781492081722/

  Want to run your Kubernetes workloads safely and securely? This practical book provides a threat-based guide to Kubernetes security. Each chapter examines a particular component’s architecture and potential default settings and then reviews existing high-profile attacks and historical Common Vulnerabilities and Exposures (CVEs). Authors Andrew Martin and Michael Hausenblas share best-practice configuration to help you harden clusters from possible angles of attack.

  This book begins with a vanilla Kubernetes installation with built-in defaults. You’ll examine an abstract threat model of a distributed system running arbitrary workloads, and then progress to a detailed assessment of each component of a secure Kubernetes system.

  • Understand where your Kubernetes system is vulnerable with threat modelling techniques
  • Focus on pods, from configurations to attacks and defences
  • Secure your cluster and workload traffic
  • Define and enforce policy with RBAC, OPA, and Kyverno
  • Dive deep into sandboxing and isolation techniques
  • Learn how to detect and mitigate supply chain attacks
  • Explore filesystems, volumes, and sensitive information at rest
  • Discover what can go wrong when running multitenant workloads in a cluster
  • Learn what you can do if someone breaks in despite you having controls in place

• OpenUK State of Open Report: The UK in 2022 – The journey

• TAG Security Supply Chain (for CNCF) sig-security Supply Chain Security Whitepaper https://www.cncf.io/announcements/2021/05/14/cncf-paper-defines-best-practices-for-supply-chain-security/

• sig-app Operator Whitepaper https://github.com/cncf/tag-app-delivery/projects/1

• TAG Security Cloud Native Security Whitepaper (for CNCF) https://www.cncf.io/blog/2020/11/18/announcing-the-cloud-native-security-white-paper/

• Why World Leaders Must Invest In Open Source Technology https://expertinsights.com/insights/interview-amanda-brock-andrew-martin-openuk/

• TAG Security Supply Chain (for CNCF)

• TAG Security Cloud Security (for CNCF)

• 11 Ways (Not) to Get Hacked (for Kubernetes.io) https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/

• Threat Modelling Kubernetes (for O’Reilly Online))

• SEC584: Attacking and Defending Cloud Nativ (for SANS)

• Kubernetes Attack Trees (for Financial Services User Group)

• Attacking and Defending Kubernetes (for O’Reilly Online)

• Istio (for Aqua)

• GKE CIS Benchmarks (for Google Cloud)

• Hardening Git for GitOps (for Weave)

Media

Interviews and panels:

• Global Newswire

• Expert Insights

• Accuknox - Fireside chat with Andrew https://www.accuknox.com/blog/accuknox-fire-side-chat-with-andrew

• OpenUK: Security, Practical Challenges October 17, 2022 Thought Leadership Day Liz Rice - Chief Open Source Officer Isovalent https://www.youtube.com/watch?v=yJuw3jDZJW8

  • Andrew Martin - Founder & CEO ControlPlane
  • Sarah Novotny - Open Source Wonk, Azure Office of CTO Microsoft
  • Mark Cox - VP Security Apache Foundation (log4J)
  • Sal Kimmich - Open Source Developer Advocate Sonatype

• Exploring container security: four takeaways from Container Security Summit 2019 https://cloud.google.com/blog/products/containers-kubernetes/exploring-container-security-four-takeaways-from-container-community-summit-2019

• LIVE Panel on Security (moderated by Peter McKee): Justin Cormack (Docker CTO), Andrew Martin (ControlPlane CEO), Peter McKee (Docker Head of Developer Relations), Liz Rice (Isovalent Chief Open Source Officer), Liral Tal (Snyk Developer Advocate) Join host Peter McKee with a panel of security professionals as we discuss Container Security in a Cloud Native World. We will discuss topics such as shifting left, application development and container security, software supply chain attacks and more. We will also be taking questions live from the attendees. https://docker.events.cube365.net/dockercon/2021/content/Videos/xFXRmTEesZu2SKucY

• Is the future for secure computer systems open source? LIVE from Digital Catapult, London - 29 June Andrew Martin, Bruce Perens, Amanda Brock, https://www.youtube.com/watch?v=LxdQY4eMuWM

• Committing to Cloud Native (for Curiefense) https://podcast.curiefense.io/23

• DevSecOps - Views from the coal face https://snyk.io/learn/snykcon-devsecops-views-from-the-coal-face/

• Access Control: Securing Kubernetes (for Teleport) https://goteleport.com/resources/podcast/access-control-andrew-martin/

• COSECAST: The KubeCon CTF https://cosecast.com/episode-8-kubecon-ctf/

• BeerSecOps #01: Discussing GitOps with Andy Martin (ControlPlane)

• Enterprise Security: Gain Control Over Cloud Security https://www.enterprisesecuritymag.com/controlplane-