 Hi everyone, my name is Amir Moshamsky and I'm a big product designer. Then I'm going to show you what is Kubescape. What is Kubescape and what we're going to do. So I will start with the what is Kubescape. Kubescape is the first open source product that gives you an ecranitis that supplies an ecranitis from anything. That's the case where we need to go right now we have in Kubescape the ability to scan your access files and your configuration files to do any scanning, to scan your percentages to visualize your normal access control configuration but more so and I will share it with you as well. So how do I start with Kubescape? The basic way to start with Kubescape is to go to our Git repo to copy this line and run it in a machine that has a QCAP. That's it, I have Kubescape installed and I'll wait for it to run and scan. So it takes a few seconds and I will see in a few seconds I will be able to see a table with the results. And I will run the host scanner, I will talk about the host scanner in a second but now you can see that I got a digital report with the severity of each one of the controls and the failed resources and if I want to understand more I can use the line of street flag which basically will show me other resources that Kubescape has scanned which control failed on these resources as well as the controls that passed for this resource. So for example, so for example here you can see that I have a name space or I think this is a better example I have a phone it's a Qroxy phone rather QCAP and you see a number of failed controls and it failed their name I can go to the documentation and I can also go and you can see the line in the yellow destination where it failed in general you go into our documentation you can see that you have several options and then you can flag that you can use.
The important flags are exceptions I will talk about exceptions in the details and this discussion basically allows you to submit a scanning source to the Kubescape SaaS application and then the keep local if you don't want to send it to the site you can use the keep local but definitely a really looked at the potential that you have used as an example and we have users who are using it in an isolated environment area we have videos and explanations of how you can do that we have an awesome documentation and you can really go and read and follow Now I set control and I set scan and before we jump to the details I want to show you what is the control and what is the framework and what we are scanning so the control basically is a test it's a test that is written in the Rego and the open policy agent language and you can see all the Rego that we have over in each repository so if you go to a Rego library and repository and you're able to see all the controls that we have some of these controls require some sort of consideration for example I cannot know what is the resource key within it that you want to enforce in the organization so you can go on and change that I think you know in the same level I don't know what are the allowed image in one of the organizations and users that we serve so you can go here and change it and tweak it to your specific environment this means that if you're pulling images from one of these repositories the control will not fail but if you're pulling images from another repository within which employment spots are doing that the controls are being assembled in something that is called framework and the framework is something that you can create in your own framework and let's create one cdf oh sorry cdf now and now we can choose the controls according to the stage according to the different stages you see or according to my organization the work routine that I wanted to be scan using this framework and once I plan the framework will be 
created which means that everyone can use this framework to scan yeah I can go and if I want to add a more quick more control simply if I see that they are handling it or removing etc and keeps the community integrated to your CI/CD to anyone of the CI/CD and you can use it as a visual extension and we're ending the line in this release so we'll be able to use Kubescape because the line extension is working after I scan and assuming that I need to meet the results I can click on the link here and here on the scan and it will bring me to our v1 and we can look at the v1 and see a different capability I want to start by describing the new dashboard that we just released the idea was actually came from users and the idea was that when we're scanning the clusters we were showing the risks for individual clusters people wanted to see what happens across their entire deployment and if they have many clusters they wanted to understand which one is more important for risk which one is more important and to go ahead and make this start facing and so we created this in order to each one of your cluster right meaning the top priority your new medium and green low and you can see this error the error basically shows you that the risk went out or went down if we look with the tool that they kind of show us what are the number of vulnerabilities that they have according to the severity and I can go to the Armour Graph for this specific cluster and maybe we can see the score of the Armour Graph for each one of these clusters and we can also see it in the graph so you can see here I can choose a different framework that they want to see or compare between different clusters and I can see the top failed controls in my organization so for example here I can see that in the most common failed control is the automatic mapping of service account in Kubernetes basically there is automatic mapping of service account but if your workload doesn't require a service account or anything yes or 
maybe a wiser and to end this flag on this automatic mapping of service account and so either you need to educate your team to do that or and you can move ahead and then you can fix that and the same thing goes to vulnerability risk you can see the total number of vulnerabilities that they have in my environment according to their different severity and we can see the top five CVEs that we see that this CVE is certainly my workload, that this CVE workload etc in the item you go ahead and copy the CVE and go to the standard CVE and now I see all the container images that has this CVE in them and I can go to the latest scan see only in the latest scan results and basically that's one by one okay so we talked about controls we talked about frameworks we looked at the dashboard now let's talk about the ways that you can deploy Kubescape so I showed you the command line and running Kubescape on any machine the tenant said to me that it's part of your CV type or part of your useful extension but there's another option which is to run Kubescape as a deployment of the Helm chart basically it will run a Kubescape start of your cluster and if you look at my cluster see that once it is deployed we have a namespace called armo-system and in armo-system basically we have a few calls that are working in our SAS application but you can also work with the Kubescape in microservice and you can use the API to train your scans and other activities that it is documented in our documentation and when you do it in order to be able to send results and treat your scan with programming tools this is also something that you can use in the end and you can use the programming tools in the dashboard if you would like to use it instead of using our UI now when we talk about the correction scanning we're showing you the results based on different clusters and you can go ahead and decide which one of the frameworks we've shown in the graph basically you can see up to three trends that are 
made up between frameworks so you choose which one you want to work with and show you can see that the framework is in which one and what you're seeing and what I know mean and it seems like you've deployed the Helm chart in this case and I can trigger scanning from the UI or I can set scheduling scans for instance once a week or once a day that they will send automatically and send their results the results are seen based on the frameworks on the different frameworks and then you can see the results here and you can see historical results here and you can choose which result so we are able to show you tricks so for example here you can see that the previous scan I have 63 failed resources now I have 64 and if I log in or if I click on it I want to see the failed resources list and I'm able to see that the new failed resource because it is colored in new. If some resource here should be with the property that is causing it to fail for example and these are all the workloads that has hostPath mount in them and there might be a case and then for the new system that the AWS now to proceed that require the hostPath mount to operate and then I have the option to set them as exceptions or the entire namespace as exceptions meaning that even future resources may not appear and fail resources and the last thing I want to show you when it comes to the scan results is the indication and we indicate for each controller if it is a configurable control or if it requires cloud integration and then you can go to our connection or go to the settings and just follow the instructions of how to do it and perform the cloud integration or if it requires the host scanner.
Now the host scanner is something that we are really proud of and basically and today if you want to ask questions about your privilege for example and you have two options either to run it manually which is not scalable or to deploy the privileged DaemonSet that will collect the data for you but which will increase the risk and because you have a single privileged DaemonSet running a privileged DaemonSet running environment basically just to collect the data once in a while the deleted ones in a while and what we've created then created this inside about there is only if you use the host scanner a flag we are scanning and for a specific control which means it requires something it's a privilege it's a DaemonSet but it appears for a split of a second in that so we don't need to worry about arranging the routes the last thing that the controls are able to do is they are able to ask questions about image scanning results and now we're talking about in a second where we mean talk about image scanning now this is what we call control view we're showing you each one of the controls and the resources that fail on each one of these controls but there is also something which is so cool here you can see all the resources that you can for example here I'm looking for deployments and then you can see from each deployment which controls it is fail again you can set exceptions from here as well or in the deployment patient from here as well or you can delete from this tool that we've seen in the past but I think it's more powerful here so that's why I'm showing it on this page basically it's a what you call assisted remediation we show the control we show you that it failed and we show you the line which caused it to fail but which is super powerful and you can see that this is pink it means that there is a line in your data file it's causing us or it's causing this control fail and then you can change the object to download the data file and then use your editor in order to fix that 
and agree on it means the file is missing in your data file and you can add that in order to remediate the issue in the next series we have the ability to share using Jira and and and as well and so you may be able from here to click it and share it and assign it to the right thing to remediate with all the tips and it helps that you make this is another example etc etc again you can go one by one and then fix and then okay so this was okay so this was the progress and then you can go ahead and then try it yourself and with the ability to export the exceptions from here and then you can keep them in your infrastructure scope and apply them to other clusters as well and if you look at the documentation we have a very extensive documentation on the exceptions and how they work and how you can tweak them in order for it to be next section I'm going to cover is scanning again here I can scan from the URL and in the next series we will support regarding the scan right now it is scanning every day at midnight and basically in the next release you will be able to set this from here from the URL we have the ability to filter the images that has critical or high vulnerability and has fixes and our ability are the remote execution, remote execution are the more dangerous vulnerabilities in our case because it means that your workload is exposed to the internet means that someone will be able to leverage and exploit your cluster and this is where I want to stress that some of the controls that we are doing are scanning your length of time, servers, settings and the workload but we are also able to look at your image scan and we are able to triage it with different attributes for the server so here we have the workload we are seeing vulnerabilities exposed to the central traffic which means basically we take on the problem as we see the service we connected to the vulnerabilities that they have and we are able to ask a question about it to show it to you and let us focus on 
the important stuff that you intermediate once you see that you have created two options, the one option is you have all the scans you have and filter them and then look for the workload that you need or the cluster that you need for to focus on the latest scan and then here is the method of each one of the scans that you can go in and see and have vulnerabilities on each one of your images we have the ability so we have a ground that shows you the vulnerabilities over time and you are able to set exceptions here as well so for example if you want because you think this is the most important thing you are going to have that change or you know that it is working one-fixingly and you don't want to see you can go and set them as exceptions and the good thing about setting exceptions is that you can log in and you can filter for example based on severity and then so let's say that I want to date me and I want to date me out on the collectible and I need to filter them out and then I can log them for let's say that I want to set all the vulnerabilities in turn and to be showing these exceptions I can make a click here and then return all of them and now I can decide that I want to continue with this law in the collectible that are connected to the curve that you know have vulnerability and I can do that so let's say basically the image scanning and the exception of image scanning and the curve that we have in image scanning and the next thing is the RBAC visualizer and here I need to choose the class sign and if I want to be able to move look at the role is access before this is the class sign and here basically we have a three different capability the first capability is that you use different queries some of these queries are actually run as controls and so you can go from the control to the graph the vice versa and so if I want to show all the class sign thank you for going to other stuff that went from here and then the next thing I have is the basic class who 
can so let's say I want to know who can please get them and watch the resource to be secret to show me all the main subjects that can do that but it's not showing only the subject it's showing you also it's a worker who is connected to the service account you can show that as well and you can see by namespace and you can go and look at it and you can do things like showing according to the type so I could be again according to the type and I can go see the subject and then the roles that is really cool and the last thing you can do is run investigation and so let's say this user and I don't know what he's doing he's showing the role of the user and then show me all the resources that this user is able to do things and all and here you know it shows me quite fast that I have a misconfiguration because this role shadows this role basically and this user is actually clustering which means that all the other roles are done and you know this is super cool and super easy to understand and just looking at this graph and we know that our role is super complicated that it really helps us if you want to learn more and how to use Kubescape for your own needs and we have a demo channel where we know you can really show me your you can go and enjoy and use and it will show you how you can utilize and get more much more so that's basically what we're doing in the short term what we're going to end and right now you're in the same clusters where we're showing everything on a cluster level and many of you came to us and said that we're scanning sometimes the other fibers scanning code repositories and you want to scan to be able to scan not immediately the cluster you want to scan in many general districts and so we are going to add section here between the code and then we're going to show you the code repositories scanning as well as the image repositories scanning and so this is coming soon and then the next thing that is going to come and I show you the first step and we talked 
about the ability to share and we are going to add this share button in many cases in the product and we are going to have the ability to export papers to CSV files because we do understand that we need to collaborate with your family and there we are going to get to that by the way I don't know if most of you know but they basically have a user management section in the product and you can buy users to use their account and you can definitely create an authentication if you look at the documentation and we are in the here section and it is talking about authentication with single sign-on so you can also connect it to your directory and then use that single sign-on the things that we are going to add moving on and we are going to add an inventory section the basic inventory will show you the other resources that we have found between showing the relationship between these resources the priority the findings and findings over time so between the ability to show you drinks the end goal for us is to be able to feel action but insights working to fix the priority of fixing all the findings in the environment at the end of the day we want to give you a solution that doesn't open enough of relatives and also give you the ability to understand the context of this alert and how to prioritize and remediate the colors we want to save you as you work and out and the next thing we are going to add is policy and right now it keeps you just in your scans your environment and shows you the findings we want to give you the end what is what we call the policy and the ability to enforce specific controls in clusters we are going to force you to use an admission controller and we want to use it to get forward and set the pipeline as well and basically the idea is that you can set the upgrade and for example i don't want to have a privilege in my environment except for the release of a proved project a workload deployment whatever and we we are going to do that all in all it's going to 
be in the next three to four months and if you want to learn more about what we're doing in the weather you can definitely add yourself to our discord channel which we are enhancing in use of thank you very very much for being with me on Kubescape what's new and what's going and what's going to come thank you and have a lovely day