Description
Kubernetes misconfigurations put applications at risk for privilege escalations and other vulnerabilities. With over 30 security settings under the control of development teams it’s easy for applications to become compromised. This webinar will introduce the Kubernetes Common Configuration Scoring System (KCCSS), an open-source framework to calculate risk scores for Kubernetes workloads, and kube-scan, an open-source risk assessment tool that identifies workloads at risk, what the consequences are, and helps prioritize remediation with PodSecurityPolicy, Pod definitions, and manifest files. Learn how each project was designed, how they work, and see them in action in a test environment.
A
Okay, very good. Well, we're just a couple of minutes after the hour. Let's go ahead and get started here. I'll say that, you know, I'm Lee Calcote, I'm a founder of Layer5 and a CNCF cloud native ambassador. I'll be moderating today's webinar, but we would like to welcome our presenter today, Julien Sobrier, head of product at Octarine.
A
A
Now, we should note that during today's webinar, while you won't be able to speak, your questions are highly encouraged. There is a Q&A box at the bottom of your screen, so please feel free to drop your questions in there and we'll get to as many of those as we can. As a reminder, this is an official CNCF webinar, and so as such, it's subject to the CNCF code of conduct.
B
Thank you, Lee, for the introduction. So yes, product at Octarine, and I'm just going to give you a few words about Octarine. That is why we create direct, easy Jesus. So at Octarine, we provide the security solution for Kubernetes. One part is covering the runtime with and the same part is looking and enforcing the configuration of roads once in the user to shoot. Our customer is look how many of them are running as root. How many?
B
B
The other thing that we understood is that there are about 30 different Kubernetes settings that directly affect the security of workloads, and understanding how these security settings change together to make the security better or worse is hard to understand. And in the end, it is how to understand what is the actual risk that you are potentially facing. It's not just about best practices, now minimizing the number of containers. It's really about a specific risk that you want to avoid or you want to remediate.
B
And finally, the third thing we wanted to achieve is give them a solution to remediate the high risk, because there might be a good reason why they need to run a container as root or privileged containers. But there are a number of other changes that they might be able to do to lower the risk, short of being able to just turn off some of these settings.
B
So the first thing we need is to look around at what are the existing security frameworks that maybe we could use for Kubernetes and abroad them, and probably the most famous or the most used today is the CVSS, the Common Vulnerability Scoring System. You can really see the similarity in names between KCCSS and CVSS, and that's because we took a lot of inspiration from CVSS. You're probably familiar with it.
B
If you were scanning your Docker images, the scanner will give you a list of vulnerabilities and the CVSS rating and explanation, and CVSS is very good at describing the risk for these vulnerabilities. It shows what is the impact to confidentiality, integrity, availability of your application or server. It shows what is the potential scope: if the vulnerability can be used to compromise just the application or the entire server, or get access to the entire data center. It also explains how easy it is to exploit that vulnerability.
B
Is it a remote vulnerability? Does it require local access? So CVSS is very good at describing and measuring the risk associated with individual vulnerabilities. And from NIST, there is also the CCSS, which is CVSS applied to configuration, the Common Configuration Scoring System. So when I first looked at it, so that's great, that's probably something we can use for Kubernetes configuration.
B
Unfortunately, it's pretty much a dead project. It's based on version 2.0 of CVSS. CVSS is now at version 3.1, with quite a lot of improvement between 2.0 and 3.0. So that's not something we really can use directly. But it's interesting to see, you know, the idea of applying CVSS to configuration is something that we definitely did. And the third project that we also looked at is the CCE, the Common Configuration Enumeration.
B
So we decided to take the best of these three frameworks to create KCCSS. So we are the it's free mode that also come with the list of all just xec, so we create all the describe the risk for the different Kubernetes container settings. We describe the risk the same way as we do with CVSS, and you see that in an instance we show what impact for security are likely to be exploited, etc., and what we did is we made it more specific to Kubernetes.
B
So, for example, there is a scope in CVSS, but what can you put in, in fact, and we know, which is hope to be the container, the node and the cluster. And probably most important, and probably houses as well, is that we really, in the end, wanted to show a risk for the workload and not for the individual security settings. So we created a new formula that takes all of the risk into consideration and gives a score for the entire workload.
B
So we have two types of risk. To type supports risk, which is very similar to CVSS, so we describe body the impact for the availability of your container or cluster; confidentiality, I did happy to be to expose secrets, like in access to secrets; and integrity, can you make changes to your scope. And for all of them, so straight from none, low, medium to high, again, just like CVSS. We also give a description. We try to make it very specific, yes, oh no again not about trying to and for some basically standard early understanding.
B
What is a potential risk that you're facing? So in this example, that's the shared host network that's enabled for a container, so we explain that it potentially can expose the container to the Internet by binding the container IP to the host's IP, and that opens you to those attacks if you don't have anything in front of it. It can be used, we can access to a container, to an application that's maybe not designed to be exposed to the Internet, and also it allows you to do something quite different.
B
B
Then, just like CVSS, we explain how easy it is to exploit it, whether it's something that's exploitable remotely or requires local access, and what the potential impact is. So we do that for all the rules. I think we have about 25 to 30 risk rules today in KCCSS, and I think it's interesting just to read through them, and hopefully you'll learn a few things about what is the actual risk associated with all of these settings.
B
We also learned from a lot of users that, you know, maybe the first person who record it might be a DevOps person who might be more familiar with risk and security, but when they want to share it with the developer, explaining why they need to address the way the particular container is misconfigured, they need to really be able to convey
B
What's the reason why it should be taken care of. The other type of rule, that doesn't exist in CVSS, is remediation. So there are security settings that make your security better, put some organizational data and create a bore of the traffic means in the case before we sniff traffic from other container, it's all encrypted. You know at risk of exposing secrets. So the remediations are described the same way as risk.
B
At the high level, the risk has two components. One is based on the impact of the risk. Now, if it's impacting, if it has high impact on availability, I in fact, like financially high impact on integrity, and potentially can compromise your entire cluster, that part of the risk will be larger. But the other part, equally important, is based on the exploitability.
B
So how easy is it to take advantage of a misconfiguration or a risky configuration, and that's based on whether it's local, which is harder, or remote, remotely accessible, and whether it's easy or not to exploit the issue. So we just add both of them, and that gives you a risk for an individual risk rule. So you might have a risk that has very high impact but very low exploitability, and the overall score might be lower or the same as a risk that's medium but that's very easy to exploit.
B
So the first step is we create multiple risk or for each setting of one. More then, from this risk we compute the score for the entire workload, and the way we are doing it today, working better patiently works, is we look at all the risk and the entrace cope. If two risks share the same, an electroscope, we take the maximum score and we, so that'll give us the workload score, again from zero to ten, based on the individual risk that we computed earlier. I mentioned risk so far, I'd best the drawers for remediation.
B
So when we look at all the image or risk, we try to find a matching remediation, and matching today is remediation that have the same attack vector and the same scope: a risk has cluster scope and remotely exploitable, we look for remediation that have the same scope, cluster scope, and remote remediation, and we take the, so once we have the remediation, we basically lower the impact by the remediation.
B
So if risk was high for confidentiality and remediation was low for confidentiality, then we modify the risk to be medium, one not much now. If we had the high risk but high remediation, we don't go all the way to none, because typically remediation don't exclude one percent of the risk but lower it to a very low level. So we go from high to low, so we basically do risk remediation.
B
So KCCSS is a framework, it comes with the list of rules. The idea is that you're not going to run it by yourself, trying to manually map these four through clusters and nearly run the formula, but instead that there are going to be tools that do the work for you, scanners that look at your operation not be to the KCCSS rules and give you this score. And along with KCCSS, we have open sourced kube-scan, which is container scanners. That comes as a container itself that you install in your cluster.
B
B
On this page, first so release here is the description of the project. It has link to other cases. Yes, as from oh I'll show you, look at the page in a minute, explaining how it works, what you're going to see with screenshots, but probably more important for you, it explains how to install it. So, obviously you can always compile everything from source and read on local file, but we've uploaded the container image in repository, so you can take of that and just do a kubectl apply and install the containers.
B
In one command. We have two ways of installing kube-scan. The more secure way is to install the containers and do a kubectl port-forward to access the web UI from your computer. If, for some reason, you want to expose it to colleagues or to other people, it's also possible to use the other type of installation that includes a load balancer, so it's exposed, the web UIC's candies can be exposed. Just be careful to not expose it to the internet.
B
B
We really made KCCSS as easy to extend as we can, create both new risk rules, new remediation rules, and really hope that we are going to have more rules that describe how open source solutions or even proprietary solutions can improve your security posture, or sometimes how some applications that you install have additional risk associated to them, so adding the corresponding cases. Yes, s. Also, you have an exact understanding of your cluster. So I was mentioning the rules.
B
Okay, here we are. So under rules, we risk accommodation. The old glamour file be a lot a couple of tools that and predates, as we know, that went all information since the wreck and raise the score are completed. Ministry just need to fill out description in the. In fact, if you want to close, we have the same for remediation and we are looking at anymore for specific.
B
We have a wiki, that's the last thing I wanted to show you on GitHub, where we have more information. So specifically, if you're familiar with CVSS, we have a more in-depth comparison of KCCSS and CVSS, more explanation about the different fields, neural, and some information about how to contribute.
B
B
So we can really know that the most rescue man is this echo a deployment, we have a couple of set were set. It shows you the type of Kubernetes object that it is and where it's located, in which namespace, and this is just for one cluster, so we don't show the cluster here, but that's the cluster where you installed kube-scan. You can click on the score here and it will give you the list of all the risks and remediations, and we can take a look at a couple of them.
B
So we see that the highest risk here is that we are mounting some host paths in the container, with write permission, and at the sensitive host path directory. So we can click on show more and it explains exactly why it's risky. So this is about mounting sensitive host paths like /var on docker. That's one of these host paths that really don't want to be mounting it in a container because it can give the container access to Docker, modify how Docker is running.
B
Lets you, maybe through socket file, interact with application, which secrets body file binaries on the host. So all of the different risks in the different categories are explained here. It's very easy to exploit, like it's just about reading and writing to files once you get local access, and can potentially impact the entire node, not just the container. So you can go through a list again.
B
It's not very interesting as seen for education, if you have, you know, a team of developers who are not necessarily aware of the risk associated with many different container settings that they have to set. NetFlow is another good example, right: the fact that in craft any kind of packets means you can do man-in-the-middle attack. So that's why the impact on confidentiality is high.
B
B
Shoes here, so we see that there's also some risk, but it has a couple of remediations that bring down the risk quite a lot. One is the fact that there's no listening port, so this service is not listening to any incoming traffic, which means it's remediating basically all kinds of remote attacks just by not accepting traffic, so there's not actually any vulnerable.
B
Any risky configuration that has to do with remote access, but if we had any, that would remain to be a very good remediation for all of this risk. Same thing: it has a service mesh, in this case it's Octarine, but could be Istio or anything else, with encryption. So that means it's now much harder for any workload that can sniff traffic to get any content, so it remediates specifically the confidentiality and not so much the other.
B
The other types of risk. So again, that's very interesting, I think, to really understand, you know, if I install a service mesh and I do enable encryption, what kind of risk do I take care of and what kind of risk actually remains. So service mesh is not a security answer for everything. It's a security answer for a specific type of risk.
B
B
But what's interesting here is that it's a workload that's exposed through an external load balancer, so potentially accessible through the internet, which by itself again is not instantly a big deal, there, your workload that was supposed to be exposed to the internet, but it does not have any CPU or memory limits. So what happens?
B
If you get a DoS on this workload that's accessible from the internet, and you do not have any kind of rate limiting upfront, you know, then we potentially will be using too many resources on the pod and on the node, sorry, and the node is going to try to reschedule other pods on different nodes, and you may have cascading failures.
B
Also, what's interesting with having something that's exposed to the Internet is that you are potentially chaining local risk with remote access and through the load balancers. So if you have any kind of vulnerability in your code, you know, own application running in the container, in the OS, that can be used to chain remote access with local vulnerability. So that's also something you want to pay attention to when you have very large, a lot of privilege, local privileges, making sure that they are not accessible remotely.
B
So I encourage everybody to download kube-scan and try it in their own cluster. You can just remove it when you're done. It's open source, you can look at the code. You'll see that we don't export any information, so it doesn't connect to the internet. So you can even run in air-gapped environments. Nothing is being sent out. It's really running one person locally without any internet access. The only thing is incoming traffic, so you can actually access the web UI.
B
B
A
Okay, great. Well, this is a fantastic presentation. We've got a few different questions that have come in in the time that you've been giving it, so very good. So a fair bit of interest here. Let me toss a couple your way, and this first one came in a little bit earlier, but the question is asking how it is, how is it that the workloads are enumerated using kube-scan? Yes.
B
So that's a very good question. We are often asked, you know, what do you look at with kube-scan? Do you look at configuration files? What happens if I install my workload with Helm charts or operators? So kube-scan looks at the runtime configuration of your workload, so it doesn't matter if your workload was installed, you know, with a YAML file or with a Helm chart, or if operators are making any change. It's looking at the runtime configuration from Kubernetes.
A
Makes sense, very good. Well, we've got a collection of questions that are somewhat related to one another, so I'm going to conflate two of them. Let's see if there's a difference. The first one is rather straightforward. It's a question about compatibility with OpenShift and whether or not kube-scan is compatible with OpenShift. So.
B
A
B
A
B
So I don't know if the question is, you know, how does it look at, does it look at the low key to the clock, sorry, at the pod security policy, or does the pod security policy prevent kube-scan from running. So the answer should be, you know, if it should work in mini strict with many strict pod security policy, but also it.
A
Okay, got it, and I think some of the attendees are interested in just the furtherance of kube-scan and its compatibility with, or its cognizance of, pod security policies, so they're very, very good at other. Just lots of questions coming through, so another question here is whether or not it's possible to restrict kube-scan to a specific namespace.
B
B
A
B
That's interesting. So, yes, we looked at the CIS benchmark to make sure that we had rules that covered everything. That's one of the reasons why we added some of the RBAC rules, I checked them in yesterday or on Monday. So everything that you will see in CIS is covered, and much more. So everything related, I should say everything related to containers.
B
So in the latest CIS benchmark, 1.5, if I remember correctly, seems like 5.x, 5.3, 5.6, 5.7 that will there is that, is that is part of it. We don't reference the CIS benchmark necessarily, but it is covered. Yes, in the end the CIS benchmark is also about container settings, at least in section five, and that's what the cover.
B
Yeah, so we used the attack vector from CVSS, and it's only local and remote. We are adding something that's a bit similar to one of the MITRE framework that classified the types of attacks. So again, we do it specifically for Kubernetes, and we're starting to add that kind of information, a better classification of the type of risk, to improve the formula, especially to improve the way we match risk with remediation.
B
So we will be adding categories like secret exposure, lateral movement, humanities, privilege escalation, this kind of things, so that will allow us to a more granularity when we match the risk and remediation, and for the workload formula. So it's the same spirit as the MITRE ATT&CK framework, but it's very specific to Kubernetes. So there will be fewer categories and they will be a bit different than this framework.
A
Okay, understood, very good. Well, there's just a couple of final questions, and I think just some, you know, interest and feedback on pod security policies, and so, you know, the question here is, the note here is that there may be multiple PSP policies in the environment, so, you know, some for infrastructure components, some for tenants, and the question being whether or not kube-scan ensures that the correct PSP policies are taken into account. While you risk.
B
So I think again, because we're looking at how is the container running and not how it's been configured originally, you know, it includes any kind of change, whether for policy or, again, operators or anything. So in the end, what we're looking at is the current state of the workload, not how it was originally configured, but really how it's running right now, so that would include, you know, what policies are being enforced because they changed.
A
B
We want to add more rules. We just added a couple on RBAC this week and we're looking at a few more on secrets in environment variables, for example, and we welcome any suggestions, I'm sure we are missing some of them. The next big step will probably be to expand outside of Kubernetes, because typically a Kubernetes cluster lives in a bigger environment.
B
When you have other controls, especially on the network side, things like load balancers that are in front of all US traffic, network policy, that also, in the end, change the risk profile of your cluster. And finally, more tools for KCCSS, so I think, you know, outside of kube-scan, just having a better understanding of the risk, how the risks interact with each other, what kind of remediation you can apply.
B
B
B
If you have any question that either equipment, sir here or was not clear on your is just new question that comes up, do not hesitate to email me. My email address here, Julian with the yet I'm calm. Feel free also to open issues. We are looking for people, ours and I know. You also hope some of you will contribute to KCCSS that you scan as one.
A
B
A
B
Yes, we haven't engaged with anybody yet. We wanted to make sure that there's some maturity in the project and that we have enough feedback to know exactly what direction we want to go. But, yes, we'll be looking at CNCF, probably, and see if we can put the project under that umbrella, or some other open source organization.
A
Very good, all right, I think that, you know, those are all the questions that we have today. Well, so thanks so much all for joining us on this CNCF webinar. The webinar recording and the slides will be online later today, and so we're looking forward to seeing you all at a future CNCF webinar, and thank you so much for telling us about KCCSS, Julien, and kube-scan.