Great, so I'm in Prague and I just finished hosting a working group and my Wi-Fi was iffy, so Sarah Allen is going to lead the facilitation. It's not going to really change much for you.

Hi, sir. Speaking of the devil, you're muted.

Hello. Hi. Michael's our presenter.

About the only presenter. So I have someone that was slated from about a month ago lined up for today, but Jerry hasn't been on the last couple of weeks and I haven't received a confirmation from her. So if she shows it's her slot, but if she's not here, then... yeah, then the fact that you're enthusiastic to get it in today is really fantastic, because it potentially lines that up. So awesome. Thanks.

You bet. So I just added the calendar invite.

Awesome, thank you. Jerry, you're muted.

Yes, though I wanted to sanity check with you before we went live. Are you ready to present today? I haven't seen you in a couple of weeks, but I want to have you slated for today.

Okay, great. Awesome.

So Michael, this is the priority. So yes, I recommend that if we end up filling time then we prioritize that and not try to squeeze both sessions, unless it lines up and we're making good use of time.

So when you said this is priority: Jerry is priority. She was on the schedule. Michael asked if it would be possible to present today, and I said that we have maybe 20 minutes. And Jerry, one of the reasons why I'm managing expectations so much is I'm in Prague and my Wi-Fi has been really poor, and in the last session that I was facilitating I was dropping a lot. So Sarah's going to be facilitating today.

But you are recording?

I am recording, and I don't know any other way. I can do cloud recording, maybe. I have a record button on my screen.
Is it possible for anybody to record?

Go for it. If not, I can probably upgrade you. I think you need to be a co-host.

Jerry is the co-host. All right, and now I think you should have the privileges, so having a backup recording would be great.

Yeah, even if there's just two minutes, Dan, I can just point people to the proposal. We're going for the TOC in mid-July, and so we're just trying to get the word out and get people more of an understanding of what Falco is and what it does and how it can help in the security space for Kubernetes and cloud native apps.

Excellent. Great. I'll provide a platform for that. So Jerry... oh yeah, I see you're recording. So yay. And I'll volunteer to scribe. Is there somebody else who's willing to take notes? Michael? Christian?

I added it to the meeting invite. I will also add it. So I just added the chat. So yeah, anybody should feel free to add in notes. I added people that had names in the participants, but please feel free to fix your name if I have it wrong and add your affiliation, any links or anything. Do we have any other orders of business, then, or should we just dive in?

Yeah, so Doug, are you dialed in? Doug Davis of IBM? There are check-ins for the SIGs and working groups, and I did ask Doug if he would share a bit of context from the TOC meeting. If Doug's not here, and since we have a full docket, I think we should probably go ahead and get started. I can fill in a little bit of my interpretation of what happened.
So a couple of things were happening. The CloudEvents project is graduating out of the Serverless working group, and one of the discussion points that was highlighted was that that working group elevating itself to having code was seen as the best way to engage in the CNCF.

So I was very... yeah, I did one of those, but it doesn't have code. It has a specification. I'm part of that working group. People have done an interop demo, but the group has not produced code. So one of the things that I was very intrigued about was that CNCF projects were all code-based, and this is the first time there's been a project where the goal of the group is to create a specification. It's kind of an open question. I think there's a lot of interest in creating shared libraries, but I haven't actually been attending the meetings for a few weeks, maybe a month, so things might have changed a little bit, but I hadn't seen notes that it changed. So there was just kind of an open question whether it would be lots of people doing separate interoperable libraries, more IETF style, where there are different implementations that interoperate, which is kind of what we did with the 01 specification, or whether the group would get together and build software together. So was there discussion of that at the...

Here's Doug. Great, Doug can speak to this because I haven't been at the meetings for a while.

Graduating from being a project of the working group to being its own sandbox project. Okay. Dan was saying that it was because it had code, and I was saying that I think it was, to my mind, the first thing that had become a sandbox project that didn't have code. But maybe Doug you can speak a little bit to it.

Yeah, we were... no, actually, no, you're right.
It does not have code as of today. But the closest I've heard about us having code is we started some discussions around possibly some shared libraries or shared coding efforts around some shared libraries and stuff, whether that would actually become part of our working group or we just have pointers to a common open-source project. I think it was Alexis who made a comment about us having code, and I didn't correct him because I thought it was just an off-the-cuff remark, not anything worth diving into. I don't quite understand what he meant by that, to be honest.

Okay, maybe the interop demo was mistaken as code that the group had built together.

Maybe, yeah, maybe. I don't know.

Okay, so it sounds like we don't need to over-index on that thing. In fact, that was Doug's feedback to me when I pinged him to talk about this. Great. Okay, so there's that discussion. And then there was interesting discussion around projects that are only associated with Kubernetes and whether they would be appropriate in the CNCF, and there's a fair amount of debate there. It was fun for me, since the Node.js Foundation was referenced a lot, since we in the foundation chose not to integrate and support userland projects inside of Node.js, and that was just scale and scope. The scope of supporting and integrating and choosing which are the blessed userland projects that we choose to support inside of the Node.js Foundation, which was created to sustain the Node.js project, was something that we could not sustain within the structure of the Node.js Foundation. So that's tangential to SAFE, but it was generally interesting. I thought the first half of this week's TOC meeting was quite interesting. If you have the opportunity to go back and give it a listen, I recommend that. And I don't know if there are any other check-ins from other SIGs and working groups.

So are you ready for me?

Yeah, do you want to kick it off, Jerry?

Yes. Okay, I'm going to share my screen. So let me know if you can see it.

I can see it.

So at the time that I proposed giving this talk I wasn't really sure what made sense for the group, but what I've decided to focus on is just what our experience was integrating our service with both Cloud Foundry and Kubernetes. I'll give a high-level overview of what we did in each case, and as part of that overview I'm going to touch lightly on things like how we determine application identity in each of these systems, and in each system how the system APIs can be leveraged to perform some of the tasks that were required, which is probably indicative of the fact that those APIs should be designed with fine-grained permissions so that we can preserve the principle of least privilege in that kind of a situation.

The first case that I'm going to talk about is our integration with Cloud Foundry. Both of these integrations were customer-driven, where we had requests from some of our enterprise customers to make it easier for them to use our product on these platforms, and the first customer request we got was for a Cloud Foundry integration. So that's the one I'll talk about first. As we started to investigate what that integration would look like, very early on we discovered the concept of a service broker. So what is a service broker?
Most of the time, if you have a service that you want to list in the Cloud Foundry marketplace, you're going to need to create a service broker. The marketplace is a listing of all the services that are available; developers look for services on there. So it's a great way to make sure that your service is visible and easy to use for developers. The service broker is just basically an application that we also deployed to Cloud Foundry, and it has a handful of API endpoints that list the service offerings that are available, that allow you to provision an instance of your service, whatever that means for your service, and that deliver credentials to access your service to the application. So you basically just need to implement a few endpoints and then you have a service broker. The service broker has to conform to the Open Service Broker API standard, and that standard has been accepted for use in Cloud Foundry, Kubernetes and OpenShift too.

So on the last slide I just wanted to show a little graphic of how this works. You have your external service. You have your Cloud Foundry installation. You deploy the service broker application to its own org and space to seal it off, because nobody needs to access it directly. You create an org and space for your application to be deployed in, and in that app org and space you would create a service instance. Creating that service instance is that provision step, and that communicates with the external service and does everything that needs to be done at that step. Once you're ready to deploy your application, the application will bind to the service instance and communicate with the external service to get credentials to access that service. So what I showed on the last screen was step two on this screen.
This is from the Pivotal Cloud Foundry documentation. There are other ways to integrate your service with Cloud Foundry. Levels three and four both involve the service being deployed directly to Cloud Foundry, which is something we haven't explored yet, and then there are sort of standard ways that you might interact with an external service, like just providing the database credentials the usual way instead of worrying about the service broker. That's the possible scope of doing it in Cloud Foundry.

So having said all that, I'd like to just take a second and look at specifically what ours does. I work for CyberArk on the Conjur team. Conjur is a secure vault that people use to secure credentials required by applications, and so applications use these credentials to connect to databases or APIs. If you have an existing Conjur installation and you want to deploy some apps to Cloud Foundry, you'll install our service broker, and we also created a buildpack to make it easy to inject those credentials needed by the application into the app. When you deploy your application, you're going to bind it to the service broker, which gives you credentials to access Conjur and creates an identity in Conjur for the application. You update the policy within our service to grant access to the credentials that the application needs, and then when the application starts it uses those credentials to get the access keys that it needs to access other services. So that was our Cloud Foundry integration.

Shortly after, maybe even during the time we were working on that, we started to get a lot of customer requests to integrate with Kubernetes, and so in the next few slides I'll talk a little bit about how that played out. It ended up being quite a bit different from the way that we handle things in Cloud Foundry. Even though Kubernetes officially supports the use of service brokers, it's still in pretty early stages, and if you actually look at their code on GitHub, it hasn't actually had a stable release yet, so it's probably not something that is worth trying to use in production at this time. So instead of doing the same kind of model that we did in Cloud Foundry, we decided on a completely different tack. One of the big differences is that in Kubernetes we facilitate deploying our service to Kubernetes as a high-availability cluster, and then our service has a special authentication plugin that's specific to Kubernetes, and each application is deployed with an authenticator container that interacts with our service and delivers a time-limited access token to the application so that it can authenticate with our service.

This is just a graphic of our workflow. What happens is the authenticator container that's deployed with the application starts out by submitting a certificate signing request to Conjur with the pod information contained in it, and Conjur responds by injecting a time-limited certificate into the pod using the Kubernetes API, using that pod information that was included in the cert request. Then the authenticator authenticates with the certificate, and that authentication process results in a time-limited token being placed into shared memory. So now the application has access to a time-limited access token in this shared memory, and it can use that token to retrieve whatever information it needs from the external service and initiate its connections to the external service.

I'm hopeful that this kind of a model might be something that other services also find useful, or that the way that we've implemented it means that external services would actually be able to use the application identity we provide in Kubernetes to authenticate Kubernetes-deployed applications themselves. So I'm curious to see where this will go. Right now
it's only available for our enterprise customers, because it isn't open source yet; that would be released at the end of the month. That open source release is going to include both the custom authenticator that we use, which is specific to our product but could be a good model for other products, and the authenticator container, which is deployed together with the applications.

So having covered what we did both in Cloud Foundry and in Kubernetes, there's one last thing I would like to talk about, and that is the developments that have been happening in Cloud Foundry since we created our integration there. Since we did our Cloud Foundry integration, Cloud Foundry has released something that they're calling app instance identity, which basically means that every instance of every application deployed in Cloud Foundry is deployed with an X.509 cert and private key pair that encodes its identity in the CF deployment: information about the application GUID, the instance GUID, and the org and the space that the app is deployed in. My hope would be that we might be able to change our Cloud Foundry integration to leverage these certificates, similarly to how we have been operating in Kubernetes. In our Kubernetes integration we basically turned Conjur into a certificate authority for the Kubernetes-deployed applications and configured Conjur to accept the Conjur-generated certificates as proof of identity via mutual TLS. We might be able to modify our existing Cloud Foundry integration to work in a similar way. An authenticator buildpack is probably how it would work, which would take on that role of communicating with a custom Cloud Foundry authenticator to inject a time-limited access token into the application memory.

So where is it now? It's not yet SPIFFE-compliant.
I expect that they may be working on that, though, and that may change, and they're working on improving the specs on the workflow for accessing the certificates and validating them against the certificate authority. So I think this is really interesting. I'm really glad that things have progressed this way in Cloud Foundry, which also led me to the question of how long it might be until Kubernetes also is updated to come with app identity out of the box. We know that SPIFFE is currently a sandbox project in CNCF. I think it remains to be seen where that's going to go, but it's an interesting time to be talking about application identity.

So at this point I would ask if anybody has any questions, and I would do my best to answer them. I didn't try to plan something very in-depth or low level. If there are things that come out of this that people would like more information about, or would like me to dig deeper into another time, I'd be happy to consider doing that. I don't know if people have a way to get in touch with me, but I'm on GitHub, so my information is there. I think we're also all on the calendar invite.
Okay, and if anybody's not on the calendar invite, ping me or Dan or JJ. I added a link to a PDF of these slides in the minutes so that if people wanted to go back and refer to them they could. In particular, I had this note here that if you're curious about looking at the code for what we did for our Kubernetes integration, or for the Cloud Foundry service broker or buildpack, it's all publicly available, or will be by the end of the month. We'll announce the Kubernetes one on our website, conjur.org, so that would be a good place to watch out for it.

Great, awesome. So I did just have a question. You called out this notion of instance identity, and if that were actually a thing that was consistent across platforms, that seems like a very clear opportunity, and it would have made some of the work easier, or at least you could have leveraged this work perhaps across the platforms. But I'm wondering whether there's anything else in the sort of secure access aspect where you saw that you had to maybe implement stuff in application logic, or you saw things in one platform that you wish were more ubiquitous, and if you could kind of speak to those kinds of challenges and opportunities.

To have a consistent way to identify applications no matter which platform you're in seems to me so valuable. We're one service, but there are a lot of services out there that are trying to do the same kind of thing. Pivotal has a great relationship with the people that add services on their platform, and through them I've encountered a lot of other people trying to do this kind of work. So I think everybody would be glad to see a secure and consistent way to validate the identity of applications. One other thing that I really only lightly touched on, but I think is really important too, is making sure that these platform-level APIs, so in Cloud Foundry it's the Cloud Controller API, you really want to design them so that you can give granular access, so that you can provision a service account that can only access certain routes, and as granular as you can make it, so that if I want to develop something that could use that API, for example if I want to validate that there really is a pod in a given namespace using that API, I don't want to have to give that service account really expansive permissions to be able to do that. I want something that I can just allow to ask this one specific question that I want it to ask, and then not give it any other permission, so that if somebody were to somehow get those access credentials that the service account has, they're not going to be able to go very far.

Sorry, hopefully my connection comes through. So Jerry, one thing I wanted to make sure, since you were presenting, is that you saw in the chat that Doug is the co-lead of the Open Service Broker API specification.

I did see that. Just yesterday I finally got my legal department to approve me as a contributor, so I have a PR...

Nice.

...on that project that I need to go back and review now, because it's been months. It took them a very long time to approve it. So I will be doing that probably in the next few days.

Yes. Thank you. Beyond that, I had a question. In addition to Kubernetes and Cloud Foundry, are you looking at supporting any other platform? Or are you supporting a platform-less case, not one of those two?

So we do have other stuff. For example, we have a custom authenticator for IAM, and then we have a workflow that we call host factory that people use when they're deploying VMs to AWS. I don't know that an implementation as specific as one of these would be required for most other workflows. It's one of those things where when it comes up we'll know it and we'll have to deal with it, but it's not come up right now.
A lot of our more general tooling has been workable for a lot of different systems.

The reason why I asked is I think that's a great perspective. In those use cases where folks have things that go outside of the cloud native workflows, being able to validate the approaches that we have in the non-cloud-native-blessed cases is, I think, interesting to our work. Thank you.

Jerry, you mentioned a custom authenticator for IAM. Is that AWS IAM specifically?

I think that's the focus at first, but I'm hoping that it will be more general. We have customers that use GCP. We have customers that use Azure. So I'm sure we'll need to address all of those cases. Well, thank you for giving me the opportunity to talk about this. It was fun.

Does anybody else have any questions?

I guess the only question I would ask is how would you compare this to Vault and what Vault is doing with Open Service Broker?

So I know that Vault has a service broker. I don't know how much they're doing with that or how it's being used. I do like that our solution also has the buildpack, which makes it easy to inject the secret values into the application at runtime, because it installs Summon, which is our tool to do that. So I do think that's an advantage for what we've done. But in terms of having a service broker, I'm sure it's very similar.

Right, so you have to end up building something like Summon to get the secret from Vault at runtime, because they don't have Summon, and you're probably modifying the code in your application to use a client library or something like that.

Summon just puts the values in the environment of the running process.
Well, thank you, everybody.

Thanks, Jerry.

So I don't know if Dan has connectivity, but it looks like we have time to have Michael talk about this use case and the project.

Thanks. Sorry, my wife just asked me if my son can do piano and he's right above me.

Tell her no.

Let me just share my screen. So I'm not sure how much everyone knows about Sysdig. Sysdig started off as a company with an open-source project that focused on capturing system calls. The easiest way to think of sysdig is tcpdump for system calls. What we can do is look at a Linux-based system and see all the system calls that are going through it, and then capture those system calls into what we call an SCAP file, and that SCAP file can then be used to go back and see what was happening on the system from a system call perspective at that time. What we did is we took that same concept of capturing system calls and wrote a rules engine around those system calls, and that's really what Falco is. It allows you to detect abnormal behavior inside of those system calls. We specifically have focused on container-based systems, although it will work for any Linux-based system, and it is Linux only right now.

This is kind of where the market is starting to define this term runtime security, but we're definitely not the only ones in this space of runtime security. There are other tools out there such as Twistlock and Aqua. FreshTracks also does some things around this as well, and there's one other, I think StackRox. So this is starting to become this more burgeoning space around runtime security. We're the only ones that offer an open-source solution to runtime security, and we also offer a proprietary version of Falco as well that gives you a lot of features out of the box.

So what this abnormal detection can do is detect things like shells or processes on the inside of a container, unexpected outbound connections.
So all of a sudden your database container starts making outbound connections to the internet; that would be something that would be abnormal. Processes start listening on ports that you don't expect, binaries being changed inside of a container, and so forth.

The way we want to look at this from a security perspective is, while we can do things in the image build process using TUF and Notary and image scanning to make sure that we're not shipping things with vulnerabilities, or we know what we're shipping as part of a container, when the container actually launches, most container runtime environments are not immutable. So containers can then make changes to their environment once they're up and running: installing new packages, modifying things and so forth. What Falco allows you to do is, when we detect this abnormal behavior, we'll notify you, and that notification is up to you to determine how you want to process it.

So where or why do you need it? The cloud native paradigm really gives you a lot of choices. It pushes choices down to the development teams, right? Developers can package up their application inside of a container, and let's just say you don't always know what's inside of that container that development packaged up and wants to deploy to your production environment. Image scanning is seen more as a point in time.
So when you scan the image, you know the image doesn't have any vulnerabilities, but when the container image actually goes to production there's a lag time between when you scan that image and when that container image is actually running. As I mentioned, running containers aren't necessarily immutable unless you specifically have them running in that way. The resource isolation paradigm of containers is much different than VMs, and we see this as a need in the market when you see things like gVisor and Kata Containers as well that have come around that seek to provide that more VM-like isolation for containers.

So what Falco can detect is vulnerabilities and things like container isolation, exploited applications, things like exposed dashboards or exposed API ports, or all of a sudden images start getting launched that we don't expect. The last one, exposed dashboards and API ports, is kind of a common thing if we think back to the Tesla hack. The Tesla hack really wasn't a hack; Tesla just left their Kubernetes dashboard wide open on the internet. And also what you can do with Falco is begin to enforce best practices around things like CIS, PCI, SOX, and everyone's favorite, GDPR, as well as organizational security best practices.

A little bit more about how Falco actually works. I'll just show a couple of the slides and then I'll give you a quick demo. It hooks into certain functions inside of the kernel. It uses something called tracepoints inside of the kernel, and then we have an early alpha version of an eBPF probe that can be loaded up as well. That has limitations, of course: you need to be running a newer version of a kernel in order to take advantage of that, and it needs to have eBPF support built into it as well. So for those people who aren't necessarily comfortable with the kernel module level of integration, we can do it with eBPF as well. Then basically the stream of system calls will come into the processing libraries and the event engine, and the rules are then applied to that. As far as alerting is concerned, we can log to syslog, we can log to a file or standard out, or we can execute a program. That program could be something that then goes and posts to a webhook or something like that.

What we want to try and do, and why we're actually presenting Falco as a potential sandbox project to the CNCF TOC, is that we see a lot of possibilities if we could have other event streams where we could take this rich rules engine and apply these rules to those other event streams, and then also have more generic notification providers as well, so that we could hit a webhook natively from Falco, or push to something like a messaging system like NATS natively inside of Falco, so that we can be this rules engine and then, from a modularity, cloud native perspective, we can have other event streams that are actually sending us data to be processed.

A little bit about the project and growth of the project. We're actually seeing lots of usage, at least from a downloads perspective and Docker Hub pulls as well. We're well over three-quarters of a million Docker Hub pulls for our images, about 34,000 downloads of the actual RPMs themselves, and of course everyone loves GitHub stars.
So we're at about 805 GitHub stars as well. Users of note: Lyft has used us for a while, and we're in the process of trying to document that story from them, but another great one is cloud.gov. And by the way, this presentation is linked in the issue that I opened to do the presentation, which is in the notes for this meeting. But this right here is actually cloud.gov documentation that talks about how they have this behavioral monitoring in an experimental mode right now in their Cloud Foundry environment for cloud.gov. They've also given a presentation at the Cloud Foundry Summit about detecting tainted apps using Falco inside of Cloud Foundry as well. So it's not just something that can work with Kubernetes; it is something that can work with Cloud Foundry as well.

I'll let you look at the rest of the presentation on your own. Are there any questions? And I can just give people a quick demo and show how it works very quickly.

A demo would be okay.

There's also a good presentation, which I can drop in the document or in the meeting minutes as well, around runtime security that Google gave at KubeCon EU just a few weeks ago. It kind of lays out what the areas of security are that you need to worry about, and kind of defines what this space of runtime security is and what runtime security means, and how it's different from supply chain security or infrastructure.

So let me stop my share and share my entire screen. So what we have here... I have a bar in my way. In this environment I've got a couple of different things up and running. The main thing is that we have Falco up and running here. This is deployed as a DaemonSet.
We provide a DaemonSet for users to quickly deploy this. All of the configuration for Falco is stored in a ConfigMap, and this DaemonSet will then pull down that configuration. So all of your rules and things like that would be stored in a ConfigMap, and then those rules are pulled down when the containers launch or the pods launch. The other thing that we have in this environment is NATS as well, and NATS is acting as our messaging platform. What Falco will do in this demo is push an alert over to NATS, and then we have Kubeless running as well, and what Kubeless is set up to do is listen to a particular topic or subject in NATS, and when it detects a critical alert it will actually go and take action.

So let me show you what the rules actually look like. The rules use a pretty simple language. It's the same language that we use for sysdig. What this looks like is you basically just have the field and then some value, and then you can string it together with other values as well. There's lots of different Boolean logic that you can do inside of the rules. The other thing that you can do is key off of Kubernetes metadata as well. Falco will connect to the Kubernetes API server and pull that information back, so you can say for this particular application that's running in a certain namespace, with a certain pod name, with a certain label, I want to be able to take action on it.

Rule: detect crypto miners running inside of Kubernetes. So we take the node front-end application, and if I spawn a process and I'm in a container, so basically I'm not running on the host system, and my command line contains "stratum+tcp", which is a common protocol that's used for miners, then I want to throw this alert. Another example is you can list out all the common miner ports, in this case, and if I see a front-end application making an outbound connection to a miner port, then I want to throw a critical alert as well.
So you can see the rule language is actually pretty flexible. It's also fairly simple as well. And then also what we have, over on the Kubeless side of things, is a very simple function. It basically says: if I see a critical alert and I'm running inside of a container, then I want to actually take action on that. And what this will actually do is, if I detect a critical alert running inside of a pod in Kubernetes, it will actually go and delete that particular pod. Any questions before I run this real quick?

This is a no J. I have a quick question. How is this secured? Can anybody else inject a critical alert and use that for a DDoS attack on a pod?

Yeah, so the way it would be secured, at least in this particular case, is that you would have security on that so that only certain people could actually log into that. The other thing is that people would have to get access to the particular host system, and they wouldn't necessarily be easily able to spoof that it was coming from a particular container, because you have to be inside of the container, and then we're actually looking at the system calls themselves inside of the Linux kernel. So you would have to somehow spoof the system calls to say that this particular process is being run from a particular container. The other thing that you can do, as far as NATS is concerned, is of course use TLS, so that you're making encrypted connections into NATS as well, so that people can't easily go and see what's being sent. Or if you're using mutual authentication, then only certain people are able to connect to the NATS server. But if somebody is able to get to the host system and spoof this and DDoS this, then you probably have worse situations going on in your environment, if somebody is able to get to the host system and spoof things. Does that answer your question?

Yes. Thanks.
Yeah. So the first thing that I'll do here is go and connect to... let me just pull this up. So I have a Node.js application up and running, but since Dan's on the phone, I didn't know if it was appropriate to remotely exploit it.

Sure, go ahead.

So let me just jump onto this front-end machine real quick, and I need to pass flags. And so the first thing I'll do is just run a bash terminal on it. Oh, sorry. Of course, when you jump to the demo nothing starts working right. I need to specify my namespace, and there we go. So you see right away that I've opened a terminal and I get an alert right here over in this Falco pod, where I'm tailing the logs, and you can see that I've opened a shell. So a shell was spawned inside of a container with an attached terminal; somebody's gone interactive inside of this container.

So what I can do now is run something that will actually trigger the alert. So let me actually go over here and see if I can get this to work. It wasn't working earlier via the remote exploit. Let me see if I can get it. And so this is actually sending a profile cookie. This profile cookie is actually encoded, and this application doesn't sanitize the inputs from the cookie, and there's a way that you can actually exploit JavaScript by doing... it's essentially a form of just-in-time execution where you can inject functions inside. The application was poorly written and somebody's not sanitizing the inputs, and if I click send, let's see if it works. It didn't work.
So let me go over here and let me just do it this way. So I'll just do a curl, and remember that rule that I had open: if I had "stratum+tcp" in the command line, it would throw a critical alert. And of course my demo doesn't work, but it should actually go and kill that particular container and shut it down. And of course I tested it before I got on the call and it worked fine, but it should have shut that container down. But you can see that it is... So if I did hello, I get an alert right there that I've modified, or I've created, that new file. If I did something like move less to less.old, I get an alert right there as well that I'm modifying things in the binary directory. And these are all kind of common things that you would expect somebody who's getting into a system to do as they're trying to compromise a system. So with that, I'll ask if there are any other questions from anyone.

So I have a general question. I might have missed the context for why we're talking about this, and I was wondering if you'd be willing to talk about that a little bit more.

What do you mean, context?

So, and you can feel free to throw this back at me and say I did a bad job of this too, because I think I might have done a bad job of explaining. So it's the Secure Access For Everyone working group. So I guess maybe what I'm asking is: how does what we're talking about relate to the charter of the group?
I would throw out there that it may not necessarily take care of the access perspective of things and the authentication perspective of things. I was actually under the impression that the working group was more focused on cloud native security in general and how you solve that problem of cloud native security in general, and if I'm wrong, then I've wasted everyone's time.

Well, actually, I think we're also working to tighten up our charter so that it's clear to newcomers. But what I wanted to ask is kind of related to this. What we're really seeking to do is kind of figure out: is there a common, or maybe a few common, secure archetypes, right? What are the things that, if you are coming to setting up a cloud native deployment, you need? You know, what are the things that every cloud deployment should have, and what are the patterns there, particularly with regard to solving these problems where different clouds have to interoperate and there's kind of complexity in hybrid systems? And so I'm curious, in this work you're doing, which you've made efforts to make work in Kubernetes and not in Kubernetes, in different places: are there some things that you are seeing in patterns that have made it easier for you to build something that works in multiple environments in the cloud? And are there areas where you've had to kind of fill in gaps and do things that are substantially different in different environments, where you kind of wish there was a little more commonality?

Yeah, I think where the challenges are going to come in from the different clouds, and what we've seen, is that it's important to provide context in these security events that we're throwing. And so in this case we're only integrating with Kubernetes. We can also integrate with Mesos or Marathon, but we can't pull any metadata right now back from something like Cloud Foundry. So when these security events happen, we want to be able to access the API and give people information about
it's this particular application, or it's this particular pod, or it's this particular deployment, that's actually causing problems. The other thing is that we need API access, and getting that API access and authentication to those different platforms can sometimes be challenging. And then the other thing is that if you're going to take action inside of that, how can you limit these functions that are taking action, especially if you're using something like functions as a service or serverless functions? How can you give them the right level of access to just do that one individual thing that they do, without being able to compromise the entire system? And I think that kind of goes back to... is it Christian? Well, Jerry brought up that point, but maybe... Yeah, how do you know that you're not DDoSing it, and that the thing that is taking action is actually taking out what it's supposed to be taking action on, right? And how can you not trick those functions into killing something that it's not supposed to? The nice thing is that if it is this... but it is definitely a challenge that we see.

I think more broadly, and this isn't necessarily a knock against the CNCF, but if you look at the CNCF landscape, security is one area overall, whether it's authentication or runtime security or infrastructure security, that's not anywhere on the landscape whatsoever. There's admission control, which allows applications in, and there's things like network policy, but I kind of personally feel that security is one of those areas in that landscape that's missing.

I agree. I've actually given the same feedback, and they told me to feel free to add myself. So I don't know if you've added...

Yeah, and I've opened up an issue on the landscape to say, like, where does Falco fit? Where does our commercial product fit? And so it's still TBD to figure that out. But as I've talked to some members of the TOC, they're like, well, we're not security experts.
So it's hard for them to kind of digest some of this information.

Yeah, and I think that's part of what we are trying to help with, right? It's also hard to... I don't know, I have mixed feelings. Like, there are things you need for security, like authorization, like identity; there are these different things that you need that are kind of in their own security world. But everything needs security. So how do we actually sketch out that landscape? I think it's one of the questions of this working group, and so we're not there yet. All of these use case presentations are a way for us to get common language and to understand the problems that people are trying to solve. So I found this to be really helpful and interesting.

Yeah, I hope you keep coming, Michael.

Thanks, I like your perspective.

So we've just got two minutes left. I think we have a presentation planned for next week; I forgot what it is offhand. Should we have a presentation about the Open Service Broker as well? I'm not sure if we have that scheduled already. That seems to be relevant.

I think that's a great idea.

In what respect? Because there really isn't any security aspect to the OSB API.

Oh, really? No? Identity seems to have been broken by it for a while.

Yes, you can pass enough identity, and yet it passes around credentials. But it doesn't really... Okay, it doesn't really do a whole lot in terms of helping you with security other than passing around credentials.

All right, you can talk about how it passes around credentials and whether they'll improve that, since it has such a big impact on so many platforms right now.

Yeah, I guess we can talk about that. Yeah. Yeah, and I think more generically, just understanding that there's this... the goal is having this generic API where anyone can go and ask for services and have those services spun up, and then start consuming those services.
You have to ask yourself: how do you restrict? I need to make that up, right? It would be really... Doug, maybe you can find the person who's thinking about, like, issues of trusting services and dishing out access, and whether the Open Service Broker has all the controls it wants to have, or whether, you know, the people implementing it are asking for things that maybe need to come from the platforms. Maybe there's somebody who has been focused on developing that area who could kind of talk to how it uses the services and auth. I think particularly key management is kind of a big deal.

So I can talk to some of that, but I think I'm probably going to need a little more information before I can identify the right person for the rest of this stuff. So what I could do is, on a future call, and unfortunately I don't know when because I'm at DockerCon next week and then I'm traveling in Asia for weeks, but the next time I'm on, I could talk about the various data that flows back and forth, how the Open Service Broker gets or does its job relative to credentials. And then from that, hopefully you guys can say, okay, here's the problem we want to talk more about, and then I can identify the right person to talk about that or bring them in. Does that make sense?

That's great. And I think we have a couple of presentations already lined up, so whenever you're back and free would be fabulous.

Okay, sounds good.

So I want to be respectful of everybody's time. It's 12:01. So thank you so much, Jerry and Michael, for your presentations, and please feel free to review the notes, and if we got anything wrong or you want to add color or links... I tried to add some links into the notes, but please, they're editable by everybody. So thank you.

Thank you, everyone. Bye. Bye. Thanks, everybody. Have a good one.