My goal in the next 14 minutes and 48 seconds is to share with you some really great open source tools that you can use to enhance the security posture of your cloud-native applications. Aqua was founded four years ago specifically to address the challenges around cloud-native security. Now, if there's one thing I want you to remember from this presentation, it is our GitHub page. I'm going to try and cover four of the six projects that are available there, and hopefully these will help you enhance the security posture of your cloud-native workloads. This is a slide from last year, but if you talk to security people today and ask them what one of the key challenges is when migrating to a cloud-native application, security is up there. If you talk today to CISOs, DevOps, SecOps people, they're still trying to understand this world of Kubernetes, of containers, and how they can take traditional security best practices and adapt them to this world. The good news is that if you talk to a security person, initially their reaction and the thought process kind of goes all the way from denial until eventually understanding what they need to do. The reason is that security folks like myself are slowly understanding that the people that need to be in control of security and take responsibility are often DevOps people. The people building your images in your pipeline need to understand the security risks and be able to address some of those. If you talk to a DevOps person, they're also aware. There are many people in this room that are using OpenShift. One of the key challenges when going to that environment is having your compliance team or your security team coming over and saying, hold it, you cannot go live with this project because we do not have regulatory requirements answered. We don't have our security tools, we don't have visibility into this application. This can obviously be a big hindrance and a pain when you want to go live with your applications.
The good news is that from a theoretical standpoint, if DevOps and security both know there is a need to collaborate, there should be a utopia with every organization having a DevSecOps role, a DevSecOps group that is fostering collaboration between the security and the DevOps teams. The actual reality on the ground is very different and looks a lot like this, where we have DevOps, well, DevOps and ops that have been working really productively together for many, many years, and then security comes along and tries to get in the middle and understand, okay, this is our OpenShift cluster, these are our functions, how do we take these processes like incident response, how do we take our patch management, how do we take our security visibility and apply it to this new world? This is what we're seeing; it's a lot more realistic, I would say, than the previous slide. Hopefully, the tools I'm going to share with you in the next few minutes can help DevOps people be empowered and take back the security of those applications. The first tool I'm going to share with you is Trivy. Just raise your hands, anyone using Trivy today or familiar with Trivy? Good, that's about 90% of the room; hopefully after this, the other 10% will be familiar with the tool as well. What Trivy does is allow you to do a security assessment of your images at build time. We found that about 82% of images are built locally on developers' workstations before they get into your Jenkins pipeline or whatever CI tool you're using. Trivy is extremely easy to use, and it is very fast. You can scan your image in under 10 seconds the first time. The next scan will be even quicker.
It looks for vulnerabilities in the operating system, packages, dependencies, and as you can see here, it supports things like npm. There are many ways to run it, as we'll see in a second: it can be run locally as an executable, as a container, and, as we'll see in a second, it can be easily embedded into your CI pipeline. Assuming you're using RHEL or CentOS, you can install it very easily, as you can see here. Another option is to simply put it on the Mac. Again, the nice thing about Trivy is that it is a tool that can be used to create a DevOps culture. You can take all the developers that are creating the images, and they can assess the security posture locally on their workstations prior to the image getting into the pipeline. How do you run it? As you can see here, it's dead easy: trivy, and the image name. You can give it all kinds of parameters like only show me critical vulnerabilities, only show me high severity vulnerabilities, and it will actually show you what you need to do to remediate as well. Here's an example of a report, Trivy with an image: there's a Python vulnerability, there's an npm vulnerability in here. For each one, it will give you the installed version in your image and the fixed version that you need to use in order to remediate. This report can obviously be generated as JSON, HTML, and it's really, really nice. Again, what we're doing here is allowing the DevOps people that are creating the images to take control of security. There's no reason to get blocked once the application is down the line. We want to shift the security left, and this is a great capability; you can do that. Everyone here loves going through airport security. If you look here, from a DevOps mindset, DevOps need velocity, the speed, the agility. When a DevOps person goes through airport security, they want to get to the other side as quickly as possible. They're not going to be faffing around taking their shoes off, sir, please take your belt off.
Do you have any money on you? They know, and it's the same thing when their pipeline is being built. They want to have multiple, very quick releases every single day. Everything needs to be automated. Everything needs to be embedded in that pipeline. If it's not, DevOps people will simply circumvent it. Security, in stark contrast, as you can see here, is in a very different mindset: they are driven by regulatory compliance, all kinds of standards, PCI, GDPR, they need to comply with all the different standards, and a security guy usually doesn't have that automated mindset. This is where we're trying to bridge this gap. Very quickly, if you wanted to use Trivy in your pipeline, here's an example, and you can use it in any tool, Jenkins, Travis, whatever you happen to be using: give me an exit code of zero if I have high severity vulnerabilities, because that is aligned with my risk appetite. Give me an exit code of one if I have a critical vulnerability and prevent my image from being pushed into my production registry. This is a great tool. You can use it on the developers' workstations, put it in your pipeline, control the promotion of images from staging to production. The next tool we're going to talk about is Tracee. Tracee is Trivy's little sister. Is anyone in the room familiar with eBPF? Good. There's a few people; you'll hear a lot more about eBPF. eBPF is a great tool that can be used to observe the behavior of your systems, processes, containers. For anyone that's familiar with BPF from the Berkeley Packet Filter days of netfilter and iptables, this is kind of the next generation, which has very, very low performance impact but allows you to trace pretty much anything in your operating system. What do I mean by anything? Anything, right? So it allows you to get down to kernel levels.
If anyone has used strace before, think of strace on steroids: you can pretty much hook into anything in the underlying operating system using eBPF with very, very low performance impact. Why is this important for cloud native applications? Because hackers are more and more frequently targeting cloud native applications, because everyone knows that this is where the next generation of applications is, but they're obfuscating the attacks inside the images. So this kind of attack here you can see, this is a piece of malware that was embedded inside a bunch of images that were publicly available on Docker Hub last year. This malware was compressed and then base64 encoded and then put into the image. So scanning this image with any security tool, including Trivy or any other tool, is not going to pick this up. This image is going to be fine, going to go into production. When you run the pod and it spins up the container, then it's going to unpack this piece of malware, which is going to do crypto mining; all your pods are going to jump to 100% and you have Kubernetes, at scale, hacking your infrastructure, whatever flavor you're using. So here on our blog you can see exactly how this happens. But again, this is why you need to have deep behavioral analysis of what is happening in your containers at runtime, and why the security world is slowly realizing that static scanning of the images is not enough anymore to detect these kinds of attacks. How do you install it? You can see here it's very easy. It's on our GitHub page. Let me show you a quick example of what happens if you use Tracee to try and look inside: run a simple Alpine image and run ls. This is the kind of visibility you will get. Why is this important? Because it allows us to say, you know what? This container is running. It is trying to access something it should not be doing. It's trying to access a system call. It's trying to unpack something.
This is an example of a report of an image where, when you scan the image, everything is fine. When you run the image, it is extremely malicious and can basically do a container breakout. Again, another reason why a tool like Tracee can give you that deep visibility. The next tool I'm going to share with you is kube-hunter. So a quick question. Is Kubernetes secure by default? Resounding no. OK, good. By the way, which Kubernetes is the most secure by default? Red Hat. So as it happens, OpenShift is definitely the most secure. The problem is that while there are many tools with Kubernetes like PSPs, like admission controllers, like role-based access control, there are many things you can use by default. A lot of flavors don't do that. And there's this huge gap between what happens in reality when we spin up new clusters and what should happen from a security standpoint. If you look here, this is becoming more and more common, where high-profile cyber attacks occur due to a misconfigured Kubernetes cluster or a Kubernetes cluster that has a critical vulnerability like runc, which we had last year. John mentioned this in his presentation before. But you can see some of the kinds of risks that are happening here. And one of the key challenges is that the CISOs or the security in your organization may not even be aware that you have your OpenShift clusters running, let alone what the key risks around that are. So there's a tool available, any security people in the room familiar with Shodan? You can go into Shodan and you can pretty much search for Docker instances, Kubernetes instances that are out there on the internet. You will be shocked at how many Kubernetes clusters are out there which have serious misconfigurations and security vulnerabilities. It's interesting just to do it to understand the kind of breadth that we're seeing in this area. What can you do about this?
kube-hunter, again on our GitHub page, another free tool: it will scan your network for Kubernetes clusters and do a penetration test. It will say, this is your cluster, these are the risks we have identified, these are the vulnerabilities. You can run it either as a pod, and if you do it as a pod, please do not use your production environment, because it's an active scan, meaning potentially it could bring down your cluster. But you can run it remotely: just scan my network, you can give it an IP address, or you can say, just look for clusters in my environment, and it will give you a report that will say, these are the vulnerabilities we have identified, this is what you need to do to go and remediate that. So that is the other tool. The next one is kube-bench. So CIS, the Center for Internet Security, has a great book, it's about 200 pages of how your Kubernetes and Docker servers should be configured. kube-bench, again, is on our GitHub page. What it does is scan, look for all the CIS benchmarks, and for each one tell you whether you have a pass or a fail, and more importantly, it will show you how to remediate. So what can you do, what do you need to do in order to remediate? So again, that is for the Kubernetes CIS benchmark. We have done something similar specifically around Red Hat, taking Red Hat's best practices for how an OpenShift cluster should be configured. If you want to see more around that, please come upstairs later, and we can show you what that looks like at the Aqua booth as well. So I've shown you three of the six. Another tool, again open source on our GitHub page, is around IS. So how can you do Cloud Security Posture Management? Cloud Security Posture Management, CSPM, is about scanning your underlying infrastructure, scanning your AWS, your Microsoft, your Google Cloud infrastructure, and looking for misconfigurations, looking for risks. Those can be S3 buckets with sensitive data.
It can be how you measure your compliance against PCI or another regulatory standard. Are you using audit trails like you should be in Amazon? Do you have VPCs that are exposed? So everything that I talked about until now is looking at things like the images, your orchestrator security. This is going a level lower, looking at the actual infrastructure, CSPM. So I think I'm coming up to the end of my 15 minutes. Just to wrap up, we spoke about Trivy. Trivy allows you to scan images, both locally on developers' workstations, but perhaps more importantly to embed that in the CI pipeline to control the promotion of images into your registry and check that, if you do have vulnerabilities in the underlying operating system that you're using inside that image or in the dependencies, you get the information about how to remediate that and prevent those images from going into the registry. The next tool we spoke about was Tracee, Trivy's sister. Tracee is an eBPF tool that leverages that technology to do deep behavioral analysis of containers. It allows you to identify malicious behavior that would not have been identified just by static scanning, like that piece of malware that we saw that was gzip compressed, base64 encoded and embedded in the image, right? And as we see that these applications become more and more ubiquitous, hackers are targeting these kinds of applications more and more frequently. We're seeing more and more publicly available images in Docker Hub or publicly in any other repo that contain malware. The next tool we spoke about was kube-hunter. This can be used to do penetration tests on your network, looking for Kubernetes clusters, identifying misconfigurations. A classic case, by the way, was Tesla. They were probably the most notorious breach, about a year and a half ago, where they left their Kubernetes cluster publicly exposed in an Amazon environment where the dashboard was enabled with anonymous authentication.
Obviously Kubernetes has since fixed a lot of stuff, but again, there are many, many defaults that are still not secure. It should be a given that once a hacker gets into that dashboard, getting from there to mapping out the entire structure of all your pods, your secrets, everything else, is very easy. When we talk to security people, I usually compare this to the old days of just VMware: it's like getting into your vSphere server and being able to right click and map out the entire organization. So you need to check that that's not happening. And finally, we spoke about CSPM, Cloud Security Posture Management. This is the fourth tool, which you can use to scan your infrastructure, your cloud provider, and check for security misconfigurations. If you have any questions or would like to see any of this live, please come up to our demo environment upstairs. We are also giving away our books on Kubernetes security from Liz Rice and Michael from Red Hat. So please come and get one of these, and thank you very much.
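The pipeline gate the speaker describes in the Trivy section (exit 0 on high-severity findings because that matches the risk appetite, exit 1 on a critical one so the image never reaches the production registry) is usually done with Trivy's own `--severity` and `--exit-code` flags. The script below is an added example, not part of the talk and not Trivy project code, for the case where the policy is slightly richer than those flags express: block every CRITICAL finding whether or not a fix exists, block a HIGH finding only when Trivy already reports a fixed version (so the image builder has something concrete to do), and tolerate the rest while still printing the installed/fixed versions the talk mentions. It assumes the Trivy JSON report layout (`trivy image -f json`, schema version 2: a top-level `Results` list whose entries carry `Target` and `Vulnerabilities`); the embedded report, CVE ids and package names are constructed placeholders, not real advisories.

```python
"""Policy gate over a Trivy JSON report (output of `trivy image -f json`).

Added example, not part of the talk or of the Trivy project. It assumes the
Trivy JSON layout: top-level "Results" list, each with "Target" and a
"Vulnerabilities" list (schema version 2).

Policy implemented here, chosen to mirror the talk's "risk appetite" gate:
  * any CRITICAL finding fails the build, fixed or not;
  * a HIGH finding fails the build only if Trivy already knows a fixed version;
  * everything else is reported but tolerated.
"""
import json
import sys
from dataclasses import dataclass
from typing import Dict, List

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    target: str       # the layer or lockfile Trivy reported it against
    pkg: str
    installed: str
    fixed: str        # "" when Trivy lists no fixed version yet
    severity: str


def parse_report(report: Dict) -> List[Finding]:
    """Flatten every Result's Vulnerabilities into Finding records, report order."""
    findings: List[Finding] = []
    for result in report.get("Results", []):
        # Trivy omits the key (or emits null) for targets with no findings.
        for v in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                vuln_id=v["VulnerabilityID"],
                target=result.get("Target", ""),
                pkg=v["PkgName"],
                installed=v.get("InstalledVersion", ""),
                fixed=v.get("FixedVersion", ""),
                severity=str(v.get("Severity", "UNKNOWN")).upper(),
            ))
    return findings


def blocking(findings: List[Finding], block_at: str = "CRITICAL",
             block_fixable_at: str = "HIGH") -> List[Finding]:
    """Return the findings that violate the policy."""
    bad = []
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity, 0)
        if rank >= SEVERITY_RANK[block_at]:
            bad.append(f)                      # too severe to tolerate at all
        elif rank >= SEVERITY_RANK[block_fixable_at] and f.fixed:
            bad.append(f)                      # a fix exists, so go and take it
    return bad


def exit_code(findings: List[Finding], **policy) -> int:
    """1 if the image must not be promoted, 0 otherwise (what CI consumes)."""
    return 1 if blocking(findings, **policy) else 0


def remediation_lines(findings: List[Finding]) -> List[str]:
    """One line per finding, most severe first: installed version and the fix."""
    lines = []
    for x in sorted(findings, key=lambda y: -SEVERITY_RANK.get(y.severity, 0)):
        fix = f"upgrade to {x.fixed}" if x.fixed else "no fix available yet"
        lines.append(f"{x.severity:8} {x.vuln_id:14} {x.pkg} {x.installed} ({fix}) [{x.target}]")
    return lines


# Constructed sample in the Trivy JSON shape; ids and packages are placeholders.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "example.invalid/app:1.0",
    "Results": [
        {"Target": "example.invalid/app:1.0 (alpine 3.12.0)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
              "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbar",
              "InstalledVersion": "2.1.0", "Severity": "HIGH"},            # no fix yet
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libbaz",
              "InstalledVersion": "0.9.0", "FixedVersion": "0.9.2", "Severity": "MEDIUM"}]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "acme-util",
              "InstalledVersion": "4.1.0", "FixedVersion": "4.1.3", "Severity": "HIGH"}]},
        {"Target": "app/Dockerfile", "Class": "config", "Type": "dockerfile"},  # nothing found
    ],
}


if __name__ == "__main__":
    # Usage in CI: trivy image -f json -o report.json IMAGE && python trivy_gate.py report.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    found = parse_report(report)
    print("\n".join(remediation_lines(found)) or "no vulnerabilities reported")
    print(f"\n{len(blocking(found))} policy violation(s); exit code {exit_code(found)}")
    sys.exit(exit_code(found))
```

Run against the embedded sample it exits 1 because of the CRITICAL and the fixable HIGH, while the unfixed HIGH and the MEDIUM are only listed. This differs from `trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed`, which would also wave through an unfixed CRITICAL; keep the policy in a versioned script like this so the exit code a pipeline branches on is reviewable alongside the Jenkinsfile or workflow that calls it.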