Kubernetes Vulnerabilities, Efficiency and Cloud Security | Cyber Work Podcast


Host: Today on Cyber Work, Michael Foster from StackRox discusses Kubernetes and its possible vulnerabilities. We discuss intrinsic Kubernetes security issues as compared with those that come from improper use, the work of a cloud security advocate and evangelist, and Michael's time in the Chicago Cubs. That's all today on Cyber Work.

Also, I want to tell you about a new hands-on training series called Cyber Work Applied. Every week, expert infosec instructors and industry practitioners teach you a new cybersecurity skill and show you how that skill applies to real-world scenarios. You'll learn how to carry out different cyber attacks, practice using common cybersecurity tools, follow along with walkthroughs of how major breaches occurred, and more. And it's free. Go to infosecinstitute.com/learn or check out the link in the description and get started with hands-on training in a fun environment. It's a new way to learn crucial cybersecurity skills and keep the skills you have relevant. That's infosecinstitute.com/learn. And now, let's begin the show.

Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about security trends and the way those trends affect the work of infosec professionals, while offering tips for breaking in or moving up the ladder in the cybersecurity industry.

Michael Foster is a passionate tech enthusiast and open source advocate with a multi-disciplinary background. As a cloud native advocate at StackRox, Michael understands the importance of building an inclusive community. Michael embraces all forms of automation, focusing on Kubernetes security, DevOps and infrastructure as code. He is continually working to bridge the gap between tech and business and focus on sustainable solutions.

Today's show is going to be all about Kubernetes. We were given the idea of having a whole talk about the hidden vulnerabilities in Kubernetes, and some ways in which a system that's meant to increase efficiency and safety in the dev process can be made, well, more efficient and safe. So Michael, welcome to Cyber Work.

Michael: Thank you for having me.

Host: So let's start by getting some insights into your background. What first drew you to computers and tech, and specifically cybersecurity?

Michael: It actually goes way back. I went to school as a chemical engineer. It was between computer science and chemical engineering, but at the time I just liked chemistry coming out of high school. But one of the main things that drew me to tech was the ability to actually learn even when you weren't working. Not many careers give you that. Let's say you hit bad times, you get laid off: do you get to go and contribute to a project and learn, get a new skill that you can go and leverage into a new job? So one was the constant learning and stability. To me that was really one of the huge benefits of tech. And now, being able to work from home.

Host: Sneaky. Yeah, that has worked out, but that's for sure changed the game, hasn't it?

Michael: Yeah. I'm just a big self-learner. I like to read, do research on my own time, so it gives me all those benefits.

Host: Oh, that's great. I was also a chemistry major in college until I hit a wall called calculus-based physics. That was a little out of my brain range there. So, because you graduated with chemical engineering and you said you always kind of had an eye towards computer science, were you sort of doing both at the same time when you were in school?

Michael: Yeah, my school was really good. We had intro programming classes, and even process control classes. You look at some of the plant operating systems: they're very simple, right, very secure, off the grid. But I always had kind of an understanding, and my family also works in IT, so I always kind of had that background.

Host: Profession, sort of.

Michael: Yeah, it was good to have a sounding board when things were confused.

Host: That's nice. I always just played video games growing up, so it's natural, just always playing. What was your first system?

Michael: Oh, honestly, Halo was the first. I'm a little younger, but 2000, Halo was first, and then I got into PCs when I got a little older.

Host: Got it. I'm old enough to have started on a Commodore 64. So, just as a side note, am I reading your bio correctly: were you part of the Chicago Cubs for two years, 2015 to 2017?

Michael: Yes, luckily.

Host: In what capacity?

Michael: I was just in the minor leagues. I went to school as a chemical engineer, but then I also played for the baseball team while I was there. Ended up getting drafted; actually got drafted to the Astros the year before.

Host: Okay.

Michael: Passed on that, and wasn't part of the cheating scandal, so...

Host: All right, I missed that.

Michael: And then I got to play the minors for the Cubs for two years. Unfortunately I had an injury that forced me to retire, just a big shoulder injury.

Host: Okay, so you moved pretty quickly from baseball to, in 2017, becoming a quality control analyst, and then cloud solutions in 2018. Can you walk me through some projects, studies or other knowledge shifts that happened in this time that caused you to pivot into cloud security? Or was this something you were interested in even before this?

Michael: Yeah, I can actually take you along that path, thanks for asking. When I first got injured, 2015, 2016, data science and ML really was just kind of starting to be a huge hot topic, so that kind of naturally drew me, and I started doing Python code and some basic courses and things like that. And then once I was forced out of baseball, I was like, okay, well, what is the transition path? Luckily some people pointed me in the right direction. They said, why don't you go and set up a server, because really you've got to work infrastructure up, especially if you're getting into big data and big data processing; it really helps to know how you're processing down. That was the advice that was given to me. So I bought a server and I started getting set up with Ubuntu and CentOS, and then obviously I ran into issues: how do I make this repeatable? Okay, well, I got introduced to Terraform. And then it's, okay, how do you scale it? Got introduced to containers and Kubernetes. This was all on my own time, but just through external resources and being pointed in the right direction. Luckily I'm in Toronto, so I got an internship at a company called CloudOps, based in Montreal. They were doing a research project focused around introducing Kubernetes to data scientists, and so that was my internship. Then I got brought in as a consultant for the better half of two years before StackRox found me.

Host: Okay, so you were sort of living two lives at once. You were doing the day job stuff, but you said you were always kind of learning in the evening. Can you talk about that? How did you know where you were? Were you just sort of learning things based on personal interest and just where your obsessions took you?

Michael: Yeah. I find that getting hands-on with things helps me learn a lot more. The internet and Google is a great resource, right? So I found that once I had the server, and I had a little bit of help as well, just in terms of pointing me in the right direction, which is huge; it's why I'm a big fan of mentorship and advocacy, because you can just save people a lot of time. So I had that help, and then just getting dirty and figuring out what solutions worked really just helped me kind of go through that learning process. And then eventually I kind of gave up on the machine learning craze and I got more into infrastructure as code, DevOps, and being part of a consulting team. It was more about implementation of different cloud-native technologies.

Host: So what was it that sort of cooled you off on machine learning? What did you see? You said you felt like it was kind of a dead end; can you talk a little more about that?

Michael: Yeah. What I've found is, I think that there are really good jobs for people who are data analysts, or who come out with a specific statistics background with a background in coding; that can be useful for companies. I mean, there's a lot of good tools that are out there in the cloud. But when you're talking about the big, kind of changing roles, you're looking at higher education, PhDs, research papers; those are the jobs that really move the needle on it. And to be honest, I just kind of got roped into DevOps and kind of that culture, and I really like the fit.

Host: Nice. So, to talk to our topic today, we're going to be talking about vulnerabilities in Kubernetes. This is a name that people have trouble pronouncing, or knowing sort of where to start with it. Because a lot of our listeners are new to some cybersecurity concepts, I want to talk from the ground up a little bit about some basic concepts. So to start right at the beginning: what is Kubernetes, what is its purpose, and what, in its optimal configurations, are the problems that it helps to solve?

Michael: Sure. Kubernetes is a container orchestration system; really, containers are at the heart of it. So if you're just starting out, you're used to traditional infrastructure, virtual machines; containers are kind of a natural next evolutionary step. They're not like VMs though, so that's the other thing. And really it's just, how do we operationalize? We spent the better half of 20 years operationalizing VMs, and that turned into your basic cloud architecture and the rise of Amazon and companies of that sort. And now it's, okay, well, we have this new technology, containers; we need to operationalize that too: scale it, grow it, network it, secure it. How do we do that? Kubernetes was the answer to that. It was also based off of Google's system Borg, right? So Google already had a system in place for operationalizing VMs, and Kubernetes was the offshoot of that project. So, natural evolution.

It's not for every use case. I think the issue with Kubernetes and the documentation is it's like, oh, containers are these awesome things, and people jump right into it, but there's just a significant knowledge gap involved versus setting up a VM and working in there. I think the payoffs, when done right: you see a massive increase in velocity, in developer speed, when it's actually implemented in the correct way. Now, one of the things that I see too is companies wanting to make the jump but then not actually structuring their teams and responsibilities correctly, which also can be an issue. But back to the original question of what is Kubernetes: really, it's a management platform for orchestrating containers that can scale to an insane size. That's what we're looking at when you're looking at Kubernetes: you're talking about how do we manage and deploy hundreds of containers on a single instance, and then scale it to a massive amount across different regions and zones. That's what Kubernetes is designed to do.

Host: So, a great place to start. But just to jump on something you said there, namely that some companies are either sort of hesitant to use it, or what ends up happening is they do implement it but they don't sort of reshuffle their team appropriately. What are some common issues in terms of misuse, or not taking full advantage of it, that you see?

Michael: Yeah. So maybe you have operations teams and you have developer teams, and you have a couple of different products. The different products are going to have different security needs: some might need more syscalls than others, some might need more ports open than others. What happens is, if you don't have them structured properly, you might get them using the same namespace or on the same cluster, but then you haven't actually separated them and used those Kubernetes-native tools to separate them properly. And then honestly what happens is operations will try to push back and say, hey, you have to implement the security controls, otherwise your two applications are going to conflict. And then you get the natural pushback of, you're hampering developer speed, developers are hitting a wall. So there's this constant back and forth, and really the cultural push towards DevOps was to break down that wall. I think DevOps is somewhat of a hot topic because it's used, but not always implemented in the correct sense of the term.

Host: Yeah, and there are these sort of fine gradations: SecOps and DevOps and DevSecOps and so forth, and there's no real universal system, people saying, do it this way. A lot of it has to be kind of implemented on the fly too, I imagine. You can't really break your day-to-day operations to implement an entire new system like that, so I think a lot of people are just like, all right, just put it in there and we'll figure it out on the go. And then you get too used to using it in the haphazard way.

Michael: Yeah. At least, at my previous job and at StackRox as well, when people ask how do we get started with Kubernetes: it's a one-year, two-year journey, right? Especially for corporations to make that shift. Individuals can make it a lot quicker, but there's a whole roadmap of technologies you have to get used to. So it's not just a lift and shift.

Host: Right, it's nothing like that.

Michael: And even just taking monoliths and then trying to put them into containers, it's not the same. You're not really taking advantage of that architecture. So one of the issues that I have is just dispelling that myth of, Kubernetes is the next hottest thing and it's the best thing in the market. It's like, no, there are proper ways to do it, and I think that the CNCF and the community are coming around to recognizing that.

Host: So when you said earlier that there's a one-to-two-year shift needed, what are some of the milestones along that way? What should you be doing after three months, after six months, after a year, that you're not doing now, or whatever?

Michael: Yeah, the CNCF actually has a roadmap that they put out, which is pretty good. It goes through their technologies a little bit more, because Kubernetes is so pluggable. So you get your containers set up, then you get Kubernetes operationalized; now what do you do? Now you need visibility tools, right? Now you need to monitor, you need logging, you need tracing, you might need an APM that you need to go buy, or something like that. There are specific different applications that you need to add; maybe it's ingress security. And you can do it at different times depending on where you are as a company and what the timeline looks like to production.

What I tend to see is companies that either never get off the ground with Kubernetes because they don't know how to secure it; companies are just like, we don't even know how to secure containers, and they don't know the technologies out there, so they just don't even jump. And then there's the, let's go into containers: they move a monolith in, and then they just slowly try to piece it off, and it's patching the logging and it's patching the metrics, and then finally, when they operationalize it and try to push to production, it's, oh wait, we have security things that we need to go and do. And when they're implementing security at the tail end of it, they're coming back and it's kind of breaking a little bit of their pipelines to say, hey, we can't do that in production.

Host: Right. That's great, because that leads us right into our topic for today, Kubernetes vulnerabilities. So can we start by dividing them, if it's possible, between, say, vulnerabilities that can be solved with patching or just correct usage, and, on the other side, problems that are maybe just inherent to the product?

Michael: Yeah, so there's a couple of layers there. I guess I probably shouldn't use "layers", but we're talking about Kubernetes, we're talking about containers, right? So containers, and the application code that's running in the containers, have their own vulnerabilities, and that is something that we need to scan for using something like an image scanner. We need to make sure that the containers themselves aren't old, so making sure that we're updating; even internalizing the containers and managing them ourselves, that's also a conversation, right, moving them off Docker Hub and rate limits and things like that. So the containers are one part.

Then there is, okay, well, we have our containers; how are we setting the configuration around the containers? That's more of a Kubernetes problem, where most of the Kubernetes security issues are misconfigurations of the Kubernetes features. It's not necessarily Kubernetes itself that's having the issues; it's just there's RBAC controls, there's ingress, and things just aren't set up in a proper way. You get multi-tenant issues, things of that sort.

Then there's Kubernetes itself. So the new one is the man-in-the-middle attack that came out, which really only affects multi-tenant setups, but it's significant. Then there were the "laughing" attacks last year: too many calls to the API server causing it to shut down. Those things normally are patched pretty quickly, especially since you have cloud providers. The average cloud provider and the average usage, I think, is version 1.5, which is pretty stable; it's one of the more stable versions, but you're also missing out on all the new functionality that's in 1.19. So it's one of those: you're using the stable version, you can't upgrade to take advantage of the new ones, but then if you upgrade to the new ones, you're introducing new features that may cause vulnerabilities with the misconfigurations. So it's one of those things where the knowledge gap needs to be solved first before people take the leap into Kubernetes and implementation.

Host: Okay, that's great. So that was going to be my next question: what are some aspects of the inherent insecurity of Kubernetes that users aren't aware enough of? You basically just said it there: you're jumping forward to new, interesting versions, but you might not be aware that they might not be quite as secure as they could be in the tried and true version. Is there anything else like that?

Michael: Yeah. Kubernetes is very complicated, but it's designed to be open by default, right? Permissions are open; you come in with cluster admin. The default service accounts are basically like, hey, if you create a pod, it's going to have a default service account; you can do whatever you want with it. It was designed like that because had they actually implemented proper security controls, nobody would use the thing. So it's about knowing those defaults. So, default service accounts: really, we should be removing those, and every single deployment should have its own service account that's tailored to it in its own namespace. RBAC controls, same thing: if you have a service account, it needs to be properly tailored. Networks: network policy is open by default. There are a couple of different ways to implement it, but because it's an additive policy, it's either open, but then as soon as you implement one policy it shuts everything down and only that one specific port will be open, for example, for that service, for that pod.

I remember I was actually at a conversation at a meetup with Microsoft, and they spent 30 minutes talking about the default deny option for network policies, right? Just even as part of a test: turn it on, turn it off, see what works, see what doesn't, just shut down the networks in the namespace, and then adjust accordingly. But one of the biggest issues that I find, and it's more of a cultural issue, is just visibility into the cluster. You're really starting to see these different projects take off in the Kubernetes community, but a lot of people, they start running and they get on kubectl ("cube control", "kube cuddle", however you want to call it) and you just get a list of deployments and services, and you just don't really know how to visualize it, what's interacting with what. So the different projects with Prometheus, Grafana, Elastic and stuff like that, I think, are really helpful as a starting place to understand what's going on in your cluster.

Host: Okay, so what is your Kubernetes security checklist? Are there things that people should be doing with it straight out of the box to make it more secure? You were mentioning that a little bit with turning on and off privileges and what have you.

Michael: Yeah, I'm actually working right now with SIG Security docs; we just had a meeting about it today. There's actually nothing like that in the Kubernetes documentation. There's your basic, learn how to do stuff, but there really isn't a checklist. There's a roadmap for technologies, but, anyways...

Host: Yeah, well, didn't you say basically they want it to be as open as possible, so they're not necessarily going to tell you what to do in that regard? But it might be worth it.

Michael: Yeah, I agree. Really, you need to know the basics of Kubernetes first. Really go and play with Kubernetes; don't put it into production. Take your time, get to know it, go and get the certs, learn. Then what you want to be looking at: I like to work on the pod level. So if you're a developer, for example, and you're going to start and you're going to containerize it, you need to know what's going on in your container. That means you need to know how much resource it needs, how much CPU, how much memory, what privileges it does and doesn't need, syscalls; all of that can be configured in the deployment spec, and that's going to cover most of your use cases. Is it a stateful application? Really, we should not be writing to the host. Learning that also helps you learn to be a better developer in Kubernetes, because originally it was designed for stateless applications. Stateful applications, it seems like statefulness was more of an afterthought. So I think if you're a developer, you're working in containers, start at the pod specs, start with deployments, with security context, user IDs and group IDs specifically, because that's another issue. Then you can kind of understand, okay, now I know what my application needs; now I can actively communicate that to a DevOps team or to the infrastructure team to say, okay, you can firewall off these ports, this is all my application needs.

So if I was going to answer for the checklist, I'd say start at the deployment level, learn what's going on in the container, learn the vulnerabilities of the container, and then shut everything down using the deployment spec that you can. And then after that, hopefully you get more into operationalizing and a more DevOps-specific team. I think it really depends; hopefully you can hand that problem off to somebody else.

Host: Okay, there you go. That's always my favorite piece of advice. So to move sort of one level up from there: what are some ways you'd recommend that Kubernetes be made more safe in the future? I mean, as long as we're writing letters to Santa right now, what open letter would you give on that level? What are some things that are known about and either being worked on or not, or not known about, or not being given enough attention? What do you think?

Michael: So, I mean, I'm trying to help with this. I think documentation, and actually vocalizing the value of doing these things, especially earlier on. I'm part of the business value subcommittee, because I think you're starting to realize that Kubernetes itself needs to actually vocalize the actual value of it, because sometimes there's just so much information out there. So that'd be one. The other: I know they're working on multi-tenancy. I haven't really looked too much into that project, but coming from research, and starting with a bunch of researchers working in Kubernetes, that can get hairy real fast when you're talking about stateful applications and using POSIX and UIDs and GIDs, and what happens when people want to switch groups; it can get somewhat hairy. So I would love to see something where research became more useful, because I think that it has exponential gains in the research community, especially for a researcher to be able to have their container that they run their applications on and just go and drop it anywhere. The other thing too is, if you're running parallel workloads, a lot of the code for research is not necessarily optimized for large-scale infrastructure, and so you actually end up getting a lot of wasted CPU time. I think Kubernetes would be able to take more advantage of that. I just haven't really seen as much of a push in research because there is such a big knowledge gap, and researchers really are focused on their work. So I would love it, if I had a wish list.

Host: Sounds all right. We're going to mail that off and see what happens. So I want to pivot a little bit. We want to talk about things happening in cybersecurity, but we also want to talk about the work of it; it's Cyber Work. So I want to pivot to your role at StackRox specifically, that of, as it says, cloud native advocate and evangelist. Can you tell me a little bit about the aspects of your day-to-day job as an evangelist and an advocate for cloud security?

Michael: Yeah, sure. It kind of is an interesting role, because I'm in between sales, marketing and the devs, right? So the developers have different projects that they're working on, and sometimes we need to vocalize this in terms of, what is the product doing that's differentiating? Like, how are we really enabling security in Kubernetes, and how are we doing it in a reasonable way? So when I'm interacting with the devs and the product team, it's interesting just to see what they're trying to do for the different customers and how they're planning on implementing it, and then it's my job to kind of vocalize that to the customer, as well as sales and engineering; sales engineers, they do that too. On the evangelism side, I'm also interacting with the community, because it's interesting to see the community's developments. So pod security policies are aimed to be deprecated soon, right? How does that influence our product, and do we need to adjust some of our risk management tools or anything like that accordingly? There is this constant feedback with the community and with enterprise, right now especially with Kubernetes, because Kubernetes is seen as more upstream, especially the CNCF: 1.20 gets released and then it'll get adopted a year from now, after all the different cloud providers have done their checks. So really it's about just interacting and being involved in the community, creating awareness, and pushing for, I guess I want to say, content that can actually bring people into the fold in a reasonable way, trying to cut down on buzzwords.

Host: Right. To that end, if people want to do the kind of work you do and work in cloud security and work as a tech advocate or an evangelist, what are some hard and soft skills that they should have to make them desirable to potential employers? It sounds like communication is obviously a huge part of it, but you can't just communicate if you don't know the tech, so it sounds like you really have to know a lot from both worlds.

Michael: Right, yes, there's that. Unfortunately there is speaking the language a little bit, and it's understandable with tech. I came into more cloud-native software and Kubernetes, and I actually had to work backwards to understand more legacy systems. The consulting side actually really allowed me to do that; not everybody gets that privilege, though. So I would say I think the CNCF is a great starting point for people. Even if it's just get on a Zoom call: the meetings are all public. Get on a Zoom call and just listen to what people have to say. I found that extremely useful for just understanding the thought process of what's going on. And then documentation is a great place to start, because you're starting with the simple workflow and you're explaining the thought process, so that when you go and actually build these tools later, you're going to understand that thought process and be able to communicate it effectively too. I think that's a great starting point for people, and it's something you can do on your own time. That's honestly why I really like the CNCF; it's one of the reasons why I do what I do today.

Host: Yeah. Are there things that you can put on your, I mean, legitimately, but can you put on your resume to let people know that you have these backgrounds? Are there skills or projects or ways that you can communicate that you understand this sort of thing and that you have some history with it, especially if you're just getting out of school or just starting in the field?

Michael: Oh, yeah. I mean, personally, you can just record videos and stuff like that, even if it's a YouTube channel. When I applied to StackRox, I had some content, educational content that I created, and I forwarded it to them. So even if you're, let's say, studying for the CKA, the Certified Kubernetes Administrator, to get that base-level knowledge, create a study guide on GitHub, or an existing one, and talk your way through the technologies that you're using. It's honestly a lot of IT: I think if you can get over the imposter syndrome and just actually get dirty and get out there and start working on projects, people will see that initiative, and they really appreciate that, and they appreciate you trying to work through these different problems.

Host: Right, yeah. And if you're unafraid, they can see you sort of thinking through the problems in real time too, I imagine.

Michael: Yeah, because it's so hard when you get into the interview process to distill down your life into 45 minutes, right? So here you can go on your own time and look at some YouTube videos I posted, or some projects, even if they're half-done projects. Just do the project, but then also do a little bit of documentation just explaining what you're trying to do on the project. That communication, just saying, hey, this is what I was trying to accomplish, I got stuck on this problem and I abandoned this; somebody else, feel free to pick it up or let me know. You look at some of the cloud-native technologies that are out there: a lot of the new stuff is just based off of stuff that people worked on in 2017, and they took a couple of pieces of functionality out and they merged it into a framework or something like that. It's a very Darwinian space, I want to say. And it's also reliant on people's time, so you just never know.

Host: Okay. Well, you mentioned before that you're still sort of at the start of your security journey here in cloud security and tech and so forth. So can you talk a little bit about what types of projects or job positions or opportunities you're trying to make happen in the next, say, five to ten years? Where does something like cloud security advocate or tech evangelist go next?

Michael: Yeah, that's an interesting one. That's a good question.

Host: I'm not interviewing you for a job here, per se, but I am asking you the five-year question.

Michael: Yeah, well, if you asked me five years ago where I'd be, I would not say this role, right? Hitting dingers and... But I will say, because I came from consulting, there is always a place in IT for people who can communicate business value from developers to the business, because developers want to work on projects, and it's buying them time for the things that they think are going to impact the business, and also sometimes steering them the other way too. There's always going to be that glue. I kind of see myself more as an operations implementation type of person, because that's my background, where I've come up from. That being said, who knows; I could get on a side project with the CNCF, and maybe I'm a maintainer in a side project there. So I personally just look to continue to evolve my skills and then see where it takes me. But I could see consultant, DevOps engineer; I don't even think it was a role...

Host: Right, yeah. You could springboard in a lot of directions, it sounds like. This isn't like a straight ladder where you definitely are
going to go from here to here to here you can you're you're still in a developmental point where you can you can sort of fork off in different directions i imagine yeah i've seen people go from from advocate to to like cloud transformation specialist right because company wants to go into kubernetes what's the roadmap and i've seen the roadmap uh over 10 times now at least actually somewhat implemented over 10 times so it's it's one of those things that you just kind of continue continue moving and luckily with the speed kubernetes really has showcased the speed of developers and now there's the the whole meme of kubernetes like all the different applications right that are out there so there's always people trying to make sense of it all and figure out the use case for that specific application um i you know it's i don't think people are going to it's just gonna be interesting to see where kubernetes comes out in the next three years i'll say that okay yeah would you like to speculate on that um i think it's gonna continue to mature i think as more and more as the product starts to stabilize i think a little bit you're gonna see more adoption from from companies especially the ones that need to scale and scale quickly right i see the edge computing case being really big especially with with data protection and like the more political sense coming into play like you're seeing things like anthos and azure arc and you know amazon everywhere kind of thing where you know you need a hub to control your clusters but then you might have a cluster in europe a cluster in north america and a cluster right in asia all with different data protections right so regulation really does come into that too and i could see that playing a factor for where you host your kubernetes services i mean this is this is unfortunately the question of 2020 all the time but do you have you seen the sort of process accelerate or decelerate due to uh you know covid and and uh you know the sort of d 
you know decentralizing of of offices and and you know uh you know banks and in in the you know in the office and things like that in terms of functionality kubernetes really hasn't slowed down in terms of like added functionality and the different things that they're doing i they they slowed their release cycle to three releases a year i actually really agree with it i think four is a lot for enterprise to to keep up with and that is one of my criticisms of open source is support and understanding the you know kind of how slow businesses are to some extent that's it's just my two cents but uh yeah i know i think the three releases is good i think it allows us to analyze more and more chunks but there obviously is the trade-off of now you each release is going to be more feature-heavy so you're also going to not necessarily be able to communicate those features as well so again i in terms of release cycle it's good features i don't really see it slowing down and adoption really has not slowed down either so right all right as we as we wrap up today um tell me a little bit about stackrocks and your current offerings and some projects on the horizons that you're excited to talk about yeah so stackrocks was actually one of the companies at the beginning who who banked on kubernetes they saw kubernetes you know scaling and and and being kind of the main container orchestrator i mean main player so it's it's good to see people kind of catch on that that is the way to go uh stackrock's it basically handles you know risk management uh risk management uh configuration management networking it can create network policies for you you can do it all we have a 30 minute demo that you can easily just install to look at your clusters and get started and in 10 minutes we'll show you all your vulnerabilities what the one thing that stacks does really well is it follows kind of that kubernetes mindset and one of the main reasons why i like it follows a kubernetes mindset where it 
doesn't shut down anything by default it's there to give you the information um companies companies look at risk differently so it's not there to say hey this is the high riskiest things or this is the very the riskiest thing it's there to show you here are the container vulnerabilities here's the configuration issues that you have right and then allow you to pick off the first three right you you really you want um you want a solution that sticks and not one where your developers are just going to throw the at the window because really that's that's who you're designing the application for so um but yeah and installs into your cluster nothing comes to us although we are looking at different ways for for implementation for for different use cases so uh stay tuned in 2021 and you can easily check it out at stackrocks.com

on the internet oh you you you scoop my last question if our listeners want to learn more about michael foster or stack rocks where can they go online yeah so stackrocks.com staccrux our github we also have a new open source tool so if you're looking to get started and especially some of these configuration issues we created cube linter so open source tool you just keep link or link your files and it'll show you you know if you don't have if you have privilege escalation and the different issues in your deployments nice easy tool on the command line recommend it especially for people getting started and then for myself twitter michael foster and linkedin and feel free to email me at michael michael.foster stackrocks.com perfect michael thank you so much for being my guest today on cyberwork this was a lot of fun yeah thanks for having me i enjoyed it uh and thank you all as ever for listening and watching uh new episodes of the cyberwork podcast are available every monday at 1 pm central both on video at our youtube page and on audio wherever fine podcasts are downloaded and don't forget to check out our hands-on training series titled cyberwork applied each week expert infosec instructors teach you a new cyber security skill and show you how that skill applies to real world scenarios go to infosecinstitute.com learn

to stay up to date on all things cyberwork thank you once again to michael foster and stackrocks and thank you all again for watching and listening we'll speak to you next week

2021-01-14
