From YouTube: Security Series: Aqua & Red Hat OpenShift
Description
Cloud native security advocate Rory McCune (Aqua Security) will join Dave Meurer, Principal Solution Architect on the Red Hat Global Partner Security ISV team, to dig deeper on how teams can tackle run time security for cloud native applications. Rory and Dave will explore the findings of Red Hat’s Kubernetes security survey and research insights from Aqua Security’s Team Nautilus to identify the best strategies for dealing with emerging attack trends.
A
A
Okay, well, we are, we are live once again, ladies and gentlemen, with our every-Wednesday OpenShift Commons Briefings operator hours, and today we are lucky enough to be talking about Security Series: Runtime Analysis, and it's a partner chat with Aqua Security. And we have a, a wonderful man here from, from across the pond, Rory McCune, a cloud native security advocate, and we have our very own Dave Meurer, a solutions architect, and he's, he's joining us today from the home of the Patriots of the South, aka Tampa Bay, Buccaneer town. Rory and Dave.
C
A
Our green room getting ready. We ended up spending most of the time talking about Tom Brady and the Tampa Bay Buccaneers, and then I was like, hey.
B
A
Rory, you know, you're not an American, so probably football doesn't, you know, grab you, but like, where are you dialing in here from? And he was like, Scotland.
A
C
A
B
No, no, I've been in Scotland my whole life, actually, so in various parts of it, different parts, but now I'm in, in the west, in Argyll, which is a very nice part of the world. Oh cool, all.
A
Right, so what do you, what do you do there? How long have you been at Aqua Security, I'm, I'm guessing?
B
So I've been Aqua for just over six months now. You know it's gonna. Ten time flies, it's hard to see how long times have been these years, last couple years, but it's been six months and yeah, I'm really enjoying it. What I do here is cloud native security advocate, so my job is basically trying to help do education work primarily, you know, education and outreach around cloud native security, and I do some, some industry work as well, so things like Kubernetes SIG Security, and I help with the CIS Benchmarks.
B
A
On October 11th, but Aqua Security is putting on a, they call it a day zero event, it's called, yeah, right, yeah, and I actually started that with Aqua. You guys used to have your VP of business dev, his name was Upesh Patel, and it was probably five or six years ago, and he was like, hey.
A
Let's, let's create, you know, a day zero event, and I gotta tell you, it was like, it was a really fun working with the people at Aqua Security, but, but that event has actually become a really important way for people to get, you know, updated information around how to secure your workloads in a multi-cloud, so hopefully anyone who's going to be coming or watching KubeCon here up in LA, you should check that out. It should be really good.
B
Yeah, we've got a great lineup this year. You know, we had a lot of, I've been helping with the CFP and I've got talk at it as well. So yeah, I'm really looking forward to KubeSec and, and KubeCon. You know, yeah, I'm really sad that I'm not gonna be there. I had planned on it. I've been waiting for, you know, the US government to finally say it's okay, you can come from the UK, but it's just, yeah, I, I had to accept eventually it wasn't gonna happen, I think.
A
A
C
What am I nerding out on besides great sports teams down here?
C
No, we're, we're going to be nerding out in this session about some reports that came out both from Red Hat and Aqua, and talk about some of the, what was said, how some of the Aqua reports match to what Red Hat says. So it's going to be a pretty cool show we have. It's all around, you know, security. Before we get into that, though, let me just share this screen.
C
If I can, yeah, here we go. And this, as you know, Mike, and as Rory knows, this is part of our monthly security series. Just wanted to let everybody know that we are doing a lot of content on a monthly basis.
C
C
So we've got content and shows and podcasts all about runtime analysis this month that you can, you can look out for. That should be dropping here in the next couple weeks. You can see some, you know, sites there on the left, aquasec.com, obviously, red dot hat devsecops, where you can get more information as well.
A
A
It has been in your blood. You know, you were at Black Duck, then you guys were bought by Synopsys, and now you're over here at Red Hat, and you've been doing, you know, talking about security the whole time I've known you. Has it changed much? And I can leave this open for Rory and or Dave. Like, you know, back then it was about how do you secure your containers, right? How do you know that the code that's in your containers is, you know, not going to introduce.
A
C
You know, back then Kubernetes wasn't really, didn't really have a large hold in production systems, but as it's grown, and we see more companies now with critical applications in production using Kubernetes, using OpenShift and containers, then you really have to think about not only just securing that container, but the entire dev and ops life cycle. And it's absolutely different from, like, you know, legacy, I call it legacy, classical type of web applications that sit on a server and you have endpoint security, things like that. With containers and Kubernetes.
C
C
It's a, a way to help our customers understand what they need to start thinking about when implementing security and the different integration points. Like, for example, obviously, CI/CD in a DevOps world is very important. So what security methods or controls could you think about when you're integrating and creating your pipeline? And well, these are the main categories. There's like 34-odd different functions that we've identified underneath this to help our customers understand DevOps and DevSecOps, so they can start, you know, implementing security and what we call sort of a layered approach or defense-in-depth strategy.
B
Yeah, so, well, it's fascinating for me because I got into container security in 2015, around that time. My previous life, I was a pen tester, security consultant, and I started off seeing Docker and people putting Docker in, and I got the idea this is going to be popular. But then it, it was simple and it was early adopters. So you had these kind of early drops and they had quite simple setups. You know, they had a couple of containers running on a server and that was fine.
B
B
You know, some companies getting it in like 2017, quite early doors, but then, then you see the cloud native landscape starting to build up, and you know, everyone's seen that map with like a million different products on it, and it's, that's just been developing and developing. And so for me it's just, just the story of, you know, increasing, increasing layers. You know, you've got your container, then you've got your orchestrator, then you get your service mesh and your CI system off the side.
B
So it's not just now in one cloud. Now you're saying, how do I make sure that my containers running in one cloud are going to be as secure as my containers running in another cloud when the controls are different, right? The kind of things made available to you in each cloud are not the same. And for me it's just, it's just the story of increasing complexity, and it's been very interesting, but, you know, I think it must be really daunting for people coming into this world now. You know, I've come into.
B
I think you both did as well. You've, you've been able to gradually build up those levels of experience as things get added, but if you get dropped into this now, I see companies coming in and they're like, you know, where do I start? Where do I go here? And that's, that's, you know, a big challenge, I think.
A
Okay, so Aqua, you guys have been around probably quite some time. I, like, as I said, you know, we, we were working with you folks for, for several years. You guys have been a pretty big name in the security space and, and it seems to be, you know, continuing to, to, to be that way. Dave, you mentioned that there were some reports. Is this something that, you know, is it like a, an IDC study that you just decided to throw some money at, or, or what?
C
To answer that, we're not gonna, we're not gonna go through these reports line by line. I think what, what we're gonna show or talk about is pretty interesting. There's three reports that we're gonna reference today, and one of them was, one of them was done by Red Hat. You can see on the left hand there, it's a State of Kubernetes Security report. A couple months ago we published this, and Red Hat.
C
Does this, I think, semi-annually or annually, but it's really focused on how companies and our customers are adopting Kubernetes, and then we're going to take some of the aspects of that report and talk about how they were later. Don't relate to the two Aqua reports you see on the right-hand side there. So the one in the middle is the runtime, understanding cloud native runtime protection security gap. It's, it's a good report.
C
It's, focuses on actual real challenges that folks are facing with, with cloud and runtime and Kubernetes, and then the report on the right is all about threats, and it's pretty cool because it collects data from these honeypots.
C
Honeypots is a new word, actually, just discovered a couple weeks ago, but it's really neat how the data has been collected to understand all the threats that are occurring with Kubernetes, I think.
A
B
Absolutely. I, I know you mean about other reports where you go off and you get launched, but I actually find things like this really interesting, because there's a, there's a tendency, you know, in cloud native and in kind of like product companies to assume that, like, everyone's super advanced, and, you know, everyone's like off building these amazing things, but you really have to go out and ask like real practitioners and say, how, what, you know, what are you, and when you do that, and when you say to people, what are you actually feeling, you.
B
You find a lot of kind of interesting things, like, you know, people aren't necessarily off in the supervisor, they're still worrying about the basics. And it's helpful because it kind of feeds that narrative of, well, you know, whilst advanced features are great and they're, they're very useful to have, it's also good to, like, think about where the basics are and where are people really finding challenges. And I think this kind of survey-based reporting, but that side of things is really useful. And then you've got these, like, threat reports, and again.
B
This is the other side of the coin, which is, we hear a lot about, you know, if you go to security conferences, you'll find these amazing attacks that do your marvelous stuff, but when it comes down to what is actually being attacked, you know, what is, what is, what, what are the people who are trying to compromise systems really doing? Because that's where you should be focusing your effort, right? You need to focus on the stuff.
B
A
Speaking of security conferences, a couple years ago I went to Black Hat out there in Las Vegas. I, I'd never seen a conference like that.
A
Were basically telling everyone to not bring your wallets with you, because there were people setting up our RFID scanners and, and, you know, basically, so we, we left our, our, our credit cards and everything in our hotel room and just, just walked around with cash for four days.
B
I, I've done the Black Hat and DEF CON thing, I think, like two or three times now, and Black Hat's not too bad, honestly. DEF CON, yeah, I, I would be, I am careful when I go to DEF CON. I wouldn't connect to random Wi-Fi, and, you know, when I, when I did DEF CON, I did make sure to, like, harden my laptop. And I actually remember, I was going out there, first time I'd ever been to DEF CON, and I'm in the airport and a vulnerability comes up in DHCP.
B
B
Time, they happen at the same time, but they're not the same. So I also think of Black as like corporate, so Black Hat's a corporate conference. You know, the people go there, they're paying thousands of dollars a ticket. DEF CON is very much the wide, closer to the traditional hacker thing. Even this year you could turn up with cash. Then they don't need to know who you are.
B
You don't need a credit card, you turn up, and people do, they turn up with cash on the door, hand their cash in and provide no, like, identification whatsoever. So that's more your traditional, you know, hacker event, whereas Black Hat is cool and they have a lot of interesting research, but it's more your kind of corporate style, that, I did some training at Black Hat and that's, you know.
A
Okay, right on. Anyways, I didn't mean to digress. I just, it was, it was an interesting four and a half days when we were out there. Yeah. It can be.
A
I, I had a question for you. You know, you, you guys were talking about these reports that you're done and that it's important to bubble up this important, you know, this information, so customers can, you know, learn from, you know, others, others' mistakes or, or, you know, learn, pick up best practices on how to secure workloads and in your, you know, DevSecOps environment, stuff.
A
B
Uh-huh, so I've been in security for 20 years, just over 20 years now, and I'm still waiting for that to happen, because technology moves so quickly and, and security is to an extent always playing catch-up. It's really interesting to me, because I, I submit a lot of CFPs to conferences and I find that it's much easier to talk to, to go to a developer conference. They're far more open to someone coming to them and talking about security.
B
If I try and go to a security conference and talk about, like, containers or DevSecOps, it's often not, like, you know, you don't get take-up there. So I think there is, and it's actually something which comes out in the reports, there's a bit of a gap there, where maybe security departments aren't, you know, they're, they're having difficulty in, like, keeping up with what the state of the technologies, of what to do in these modern environments.
B
So I, I'm not sure we'll ever get there, just because Kubernetes and the CNCF move so quickly. You know, we're still, we slowed it down, so it's one Kubernetes every four months instead of every three months, but in the enterprise world, you know, that's where they deal with years. You know, it's, it's like, I'm installing the system and it'll be, I'm going to make a year to install it, and by which time has been three Kubernetes releases.
B
B
Yeah, I think the other thing is that there can be, the other thing that place there can be a bit of a bubble is in cloud native world. What I find is that, that sometimes, you know, you'll have these conversations with people in the actual projects and they assume that the customers all know the details of exactly what is in their stack. Like, they assume the customers know what runc is. The runc's a low-level container component, and I guarantee you that most people running Kubernetes don't even know they have it installed.
B
So there was a vulnerability in a couple of months ago, and I'm not sure most companies knew that they had to patch, because runc's sitting down there, right, in the depths of, of the world, and they never install that, because they installed CRI-O or they installed Docker, they didn't install runc. So there's still, there's a knowledge gap there as well between the projects and, and I think the customers.
A
A
A
You know, processing, and then that, that just kind of came along with how chips were designed, made it into x86 and, you know, x86-64, and was basically just dumping information into, like, you know, the equivalent of like a unsecured trash can, and there would be like all kinds of stuff in there that people could. So, you know, that was pretty amazing security problem, and it was fixed by Red Hat and Google and a bunch of other companies that got together and fixed it really quickly. But what about the vulnerabilities now, like?
C
B
Yeah, so I think, as it actually starts up, this ties directly into the report. There's an ongoing debate about, do containers create security barriers? So is a container security barrier or is it not?
B
And if you talk a lot of security people, as time goes by, what we're finding more and more about how difficult it is to create the sandbox with, like, standard Linux features, is more and more security people say, no, it's not. You know what, we've seen enough vulnerabilities now. This is hard to create a proper security boundary. We wouldn't put our money on it. But, and that's something which, you know, I think is coming out as we get more research. That runc vulnerability I mentioned a while ago.
B
That was a race condition, and it was a race condition when you were mounting volumes into a container, but that turned out to be exploitable in Kubernetes quite easily. So, you know, it's that kind of thing, that as more research is done and as more people, as more security researchers are drawn to the field of containers and of cloud native, you're going to find more and more of these exploits coming out. Anytime there's a field, essentially, security users will turn up and they'll start.
B
C
So if I, I can jump in here, Rory, that's great, because that's, that's, as you mentioned, one of the things we wanted to talk about with the reports. If you could talk a little bit more about, because I found it very interesting, about the whole containers being a security boundary, and only three percent of folks said it was.
B
Not, I almost remember it was Dan Walsh's cool "containers don't contain" in, in the early days. That was one of his statements. You know, he came out, it's "containers don't contain", and at the time when I first was in containers, well, they kind of do, and to an extent they do, right, against some attacks.
B
They're not too bad, but I think it's fair to say that time has proven him right, and as we spend more and more time poking at the, the way the abstractions work, and because you've got these layers of all these different programs, it's really difficult for them to align. So you've got the runc project, which is owned by one group. Then you've got CRI-O and containerd owned by different groups. Then you potentially got Docker. Then you potentially got Kubernetes, and trying to line up all of that to create a security.
B
Boundary is, is hard, where you've got, like, other projects, maybe use, like, virtual machines, like AWS Firecracker or Kata Containers, they're designed to be security boundaries. You know, those things are dedicated, or gVisor, which is a prop, which is designed to be a sandbox. And I think that is a tricky one, because, yeah, I was surprised to me when I saw that survey result and it said 93 people think it is the security event. I'm like, well, I, you know, I, I'm not sure, if it was me, I would put my.
B
I would put my highly secure workloads. It's fine for some things, but, but there's definitely a level. Everything in security is no absolute, right? You know, I can't say it's not insecure, because it's not, but I also wouldn't say it's perfectly secure, and I would say that the attack surface there is quite large and hard to get right.
C
C
A
Everyone knows who Dan Walsh is, but I'm, I'm actually, I'm actually impressed by how many people do know who Dan Walsh is. Dan, Dan was one of the first employees in the Red Hat office when we started here in, in western Mass. There were probably 12 of us in, in the office, and, and later on, you know, he became Mr. SELinux, and I used to travel around with Dan all the time, and, and he, he couldn't, he, he.
B
A
Now he's Mr. Container. He, the, the SELinux throne has been handed off to somebody else.
C
B
Yeah, and it's interesting, because Docker is, the way it, it does, and the way it created its little, it's, it's essentially, the isolation it provides is all these different things. Like, it's SELinux. You can apply an SELinux profile, and you should provide an SELinux profile to containers. But when you put that into places like Kubernetes, for example, Kubernetes has disabled one of those layers, which is seccomp, and people, like, again, I'm not sure they almost know that, like, Docker has this seccomp filter, which, what that does.
B
Is, it filters certain syscalls to the kernel and says, these are dangerous, you know, don't allow them. But if you run Docker or anything else under Kubernetes, Kubernetes turns it off, and only recently gave you the ability to turn it back on again at a cluster level. So there's all these different details that I'm not sure, when people are, like, doing the surveys, I'm not sure we've done a great job of communicating, you know, exactly how this, this thing is built and where the gaps might be.
A
Hey, by the way, I thought I'd throw a plug out there. You know, we are streaming live on YouTube and, and, and Twitch and other places here today.
A
If anyone is watching on any of those channels and you wanted to share a comment or ask a question for Dave or Rory, you can drop it in the chat and our bot will automatically pick it up and move it over here to our interface. And, and today, we'd like to, we'd like to call it Stump Rory Day, so we're throwing that, the challenge out there, and he's offering up a, a, a tour of the Oban facility as soon as the virus is gone.
B
Yeah, I've seen some arsenal. That's a safe photo, we'll allow for that.
A
Yeah, probably. So, so there's a ton of security vendors out there, right? I mean, there's, you know, from, like, endpoint security, like Dave mentioned, from, you know, like, like a McAfee, which does endpoint security, or others, and then there's secret security. You know, you got CyberArk, who does secret security, and I, you know, a whole, a whole host of others.
A
What part of the security story do you folks address, and, and how do you do it? And, and the second part of that question, or maybe I should save it, is like, how many different security vendors do customers need before they're secure?
B
Oh, so, I mean, let me give the easy part first, which is where Aqua comes in. So Aqua is focused on cloud native, right? So the idea is that, you know, we're looking at cloud native workloads and we're looking at all the different parts of that. We're looking at containers. So these are the fundamental blocks that you're building around. You need to have your security in there. We're looking at your clusters. So, you know, once you build these things in containers, you're putting them into clusters. You need to worry about Kubernetes security.
B
I is not out of the box a complete, secure picture, right, which is one of the reasons why OpenShift is so great, because it adds all those extra pieces you need. But we're looking at Kubernetes security, but then we're also looking up into the cloud security as well, because, realistically speaking, when you're deploying your Kubernetes clusters and your containers, most of the time you're deploying it into a cloud, and you need to worry up there as well, and you need that picture across your cloud.
B
Your clusters, your containers, up and down. But then you also need, like, through-your-lifecycle security, because we're doing, like, DevOps, we're doing agile, we're doing things quickly. You've got security and development, you know, analyzing my images early, making sure I've got the right hardening in place, but then you need it in runtime, and that's kind of where this report's coming in. You need to talk, worry about when you're actually running those things. If someone, or more, let's be real here, when someone breaks into one of your applications, will you spot it?
B
Does your tooling understand containers, and, like, knows what container is, so that it can say, hey, it's this application from this cluster, instead of just giving you something which, like, means nothing to container land, like a host agent might do? You need something which understands your world, understands cloud native, to give you the good information, and it's that kind of thing. So it's across the life cycle, but it's up and down as well, but it's focused on cloud native, right.
B
A
But, but, but how does it work? I mean, you know, like, what you just said sounds like you guys are, are miracle workers and, and that you can secure one of those in the cloud and over here. Is it like?
B
B
Yeah, so there's a different couple ways you can do it. I think one of the things we're finding over time is the fact that that's evolving as customers evolve. So we, we do on premises. You know, you can deal with, you know, there are enterprises who do not want to be in the cloud, right, they want to be on premises still, and that absolutely makes sense for some companies. But also, obviously, you can do in the cloud.
B
So you can do your own installing in the cloud or you can do SaaS, and SaaS is something we're moving more to, and that's because of customer demand, right? Customers want SaaS services, or, better or worse, that's how they like doing business. We do use agents for a lot of our, our, our work, and the reason, there's a really great, great reason for that, which is, you can't block, you can't take active defense.
B
If you don't have an agent, you know, you can alert, and you can say, hey, I've seen this thing, but if you're not running code on a, on a VM, you're not blocking anything, because how do you do that? You need to have, so, so it's, I think it's about giving that, customers that flexibility. Some will want agents, some will not, but for my money anyway, you need agents to really get, like, protection rather than just detection.
A
But doesn't that, so if, if, if part of your security solution is based on agents and the Kubernetes is revving, you know, multiple times of whatever, a period or quarter, a week or whatever, how do you keep all of your agents current, given the rate of change in Kubernetes and computing in the cloud?
B
Yeah, I mean, you do have to have people kind of working flexibly to upgrade themselves, but what I'd say about, about, like, Kubernetes does rev, but it doesn't mean customers do. So one of the things that I've been doing, like, I'm doing personal research on, is there's a great search engine called Censys, and it indexes all the publicly visible Kubernetes clusters on the internet.
B
A
B
Yeah, but with a y. Basically, what they'll let you do is you can query their data set, and so I've got a query that runs every night and it pulls every single publicly exposed version number. So a fun thing about Kubernetes that, again, a lot of customers don't know is Kubernetes enables anonymous authentication. So it lets you hit the API server without credentials, and it exposes a couple of endpoints by default. One of them is /version, and that gives you the exact version and date it was made.
B
So you can just scan the internet and say, tell me all the clusters, and, and what I found was there's an, an awful lot of people who are not keeping up to date with Kubernetes. You know, we're talking, like, 20, 30 percent of, of clusters in a given cloud will be running unsupported versions, and there's still people running, like, super old versions. I mean, I actually saw on the OpenShift side, I think I saw a couple of clusters running, like, 3.2, which has been out of support since the ark, and there.
A
B
Work there. I used to work for banks, and so I worked in the banking sector some time ago, and yeah, I also remember that my very first IT security job was in a brand new shiny internet bank, early 2000. We had a solarc 10k. We had all the kind of modern tech. But what was the big conversation every morning in the ops meeting was mainframe batch time. It was, how much will this shiny new thing impact mainframe batch? And it's probably that mainframe still there today doing the same thing. So yeah, sometimes changes full time.
A
Oh, I, I just, one more question, because I'm just curious, like, so how many security vendors do customers need before they're secure, right? You know, I mean, yeah, like, it, it can't be just Aqua. I, I, I would imagine that, that, like, do you, do, you know, do you do secrets management? Do, do you, you know, what about endpoint and, and so forth? Like, isn't there, shouldn't, shouldn't there be some kind of, like, a security committee or something like this?
B
Yeah, well, so, yeah, you get back to the age-old question. This is one, it goes on forever with ideas. You know, you can take point solutions and you can say, you get a vendor that specializes and they go super deep into one area. The challenge with them is, can you make them play friendly with all your other stuff, you know, with all the other installed software? And a lot of times.
B
You know, with my, my old-school IT security hat on, I'm, I'm never going to say that one vendor can fix all your problems, even though I work for one, because I don't think that's realistic, right? But I do think that, you know, you, for me it's about trying to find, like, solutions which match your environment as closely as possible. But yeah, sure, I mean, you know, there's those areas we don't, we don't work in, and there's areas we wouldn't try to.
B
But I think it's about trying to, like, cover an area that makes sense, and to me the kind of cloud native world feels like a, like a, an area you could conceivably cover, right, without trying to get into, like, you know, laptop protection or anything, you know, strange like that. We're not trying to do laptop protection, we're not trying to do that world, but, but you can see cloud native is kind of like a coherent whole, then it makes sense to address as a product set.
A
C
Yeah, and I was going to add to that, Mike. I mean, this relates to the discussion we had in the beginning, is there's so many different types of security functions, and a lot of times they're not really related. So if you're, you're really knowledgeable, for example, in third-party dependency vulnerability management, like Black Duck, they, like Rory said, they, they go very deep into the third-party dependencies.
C
Well, that's just one of 30-plus different types of security functions that you, you know, are thinking about when you're, when you're building a DevOps pipeline. So, and that's even on the application side. There's a bunch of ops-type security, like network visual, visualization, and, you know, behavioral analysis, things like that, that are a little bit different.
C
They don't have, different concepts that require, you know, different skills and different technologies. I don't think there's ever going to be, you know, the, the one ring, right, to rule them, because you'd spread yourself thin, I think, if you just had one tool.
A
B
I, I think, you know, for me, and this is again come back to my, like, long-term security. This is what you probably found with that one. I think with a lot of these hacks is, what actually went wrong was probably something quite basic, and it could be bad credential management. It could be, I, people, a lot of people will, like, put, like, their remote management servers on the internet, because it's easy, right, and I can just, like, get to, I'd always worry about any fancy software like VPNs, and, and it's getting the basics right.
B
You know, and if you can get the basics right, you're doing better than a lot of other companies. As an organization, am I getting the basics? I mean, for me, job zero in security is, do I have an asset inventory that I can see where all my information and assets are, and I know who owns them and what state of patching they're in? And if you went to most large enterprises and asked that question and said, can I have that to now or in the next hour?
B
I, I think you'd be surprised how few, or maybe you wouldn't be surprised how few of them could answer that question. So I think there is a big mismatch between, again, this is like, you go to a security conference, it is all super advanced, elite, AI, blockchain, whatever, but in reality where most companies are is they're really worrying about, I didn't know that someone in a branch office has installed a new internet connection so that they could support some third-party software, right, and that, that's where they've ended up having a problem.
C
In this, and this, Mike, relates to a lot of the data that we find in these reports that we've been talking about. On the Red Hat side, there's a statistic in that report that says 94 percent of the folks that took that survey had a security incident already, and it seems to agree with some of the Aqua reports where Aqua is saying, well, the attack volume is up 26 percent. I think what Rory was saying as well is that there's new ways to attack. It's not just your traditional,
C
you know, I don't know, pen-test type of attack where you're seeing what's worked. It's other things like CI/CD that they're trying to attack, you know, go into the GitHub or something like that. Is that right, Rory? Like, there's all these new differences.
B
What you're seeing now is, so there's a couple of things. One, you're seeing increasing complexity, increasing speed, right? Everybody's thinking super, super fast. If you want to do something super fast, it's hard to also maintain security while you're going faster, ever faster. I mean, if you look at the Codecov attack that was earlier in this year, and that was a supply chain attack on a company.
B
What you got was malware, and it's that very complex environment, where, you know, all you did was add, like, a tick box to a piece of code and suddenly someone's got access to your environment, right.
B
That's super complex, but attacking things like supply chain, CI/CD systems, which again gets mentioned in the reports, is an increasing problem, because if you think about what a CI/CD system is, it's an environment to run code, right? And if I can run code in an environment, I can execute things like cryptocoin mining software, or I can execute something which will encrypt all your data, like ransomware attacks. There's actually code execution environments, and that's what Kubernetes is. That's why, that's
B
why attackers love Docker and Kubernetes, because I always call Kubernetes remote command execution as a service, because that is literally what it is by design. It executes commands on systems, so this is RCE as a service, and that's what attackers love, because if they got RCE, that's the holy grail for an attacker, because then they do what they want.
A
You know, I was scanning over the report that was about attacks in the wild, the container supply chain and infrastructure one, the black one, and you're right, Dave. They use this word honeypots in there, so I want to ask what that is. One of the charts right at the beginning, which basically shows, like, attack trends between June of 2019 and December 2020, have gone from 2500 in 2019 to 13,000 to 17,000. I mean, it's like,
A
B
Yeah, so what this is, there's a couple, two things. The first, honeypots. Essentially a honeypot is an intentionally vulnerable system that you place, usually on the internet, with the design of hoping to find out what an attack is, and there's a number of different ways you can do that. You can just put a virtual machine out there. In this case,
B
what this is, is we put virtual machines on the internet, running Docker, by exposing the Docker socket, like, on the internet, yeah, and then you see people attack it. But you can also do fancy things, like you can leave, they're called honey tokens, and you leave, like, a string, like an API key and a URL somewhere, and then, when someone grabs it and tries to, like, use it, you get an alert saying, hey, someone has
B
B
Any time a new technology comes along, when companies are, like, in the early days and they're struggling to work out how to do it securely, attackers go, hey, here is a good source of compute power, here's a good source of easy-to-compromise machines, and they are very quick at moving these days. I mean, if you read documents and reports on how, like, commercial malware gangs operate, it's a business.
B
You know, they've got, like, developers, they have got, like, you know, salespeople who sell the kit to other people. They have got a supply chain, they've got all their own stuff, it's a commercial operation, and so it's not long before, and Docker, as I said, right, Docker's command execution as a service. It's a great target, you know, because it lets them run their malware. It lets them run their whatever it is. They'll do cryptocoin mining, whatever it is they're looking to do that day.
B
Docker will let them do it. And yeah, but in terms of complexity of attack, what that's tracking is someone making the canonical mistake of putting a Docker TCP connection on the internet. I'd love to say that no one made that mistake in real life, but I used to be a pen tester and I did see companies who did exactly that on their internal networks. So I'd scan the corporate network, I would find the Docker socket.
B
A
Okay, well, we have 11 minutes left, and the last thing I want to do is have our video, or our streaming, producer, Chris Short, give me a poor rating. I need to get my blue star on the refrigerator. Where, where can we?
B
Oh gee, oh well, the Kubernetes enterprise summit, which we've got coming up, so I must mention that, you know, a lot of you mentioned before, very kindly. We have got that coming up, it's going to be a virtual event this year, but absolutely register for that. We've got some great talks. So that's definitely worth looking at, and
A
B
Yeah, so we're doing that live but virtual, so that's going to be happening. And yeah, I think the other thing would be to get the reports. You know, we've touched on, you know, some of the good themes from the reports, but there's a lot more information in there, and I think, to me, this kind of stuff is useful because if I'm a company and I'm using Kubernetes, and I'm trying to convince my management that, you know, hey, you need to invest in security,
B
then, honestly, that's, when I was a security person, like, the defense, this is the kind of information I needed, because I'd say: look, here's real stats! Here's real practitioners in the real world telling us what their real problems are. It's not a marketing department. You know, these are surveys. We have the data. Same with your own as well, right. You know, this is useful because it's, like, hard data. It's like, you know, this is real people telling you real things.
C
Well, yeah, I was going to ask, in one of the reports, it was the middle one here, talking about the knowledge gap. I found it interesting that the more experienced folks were less confident about being able to secure, you know, their environment, so I don't know why. Why do you think that is? Oh.
B
Yeah, so that's because the more you look into container security, the more you realize you need to look into container security more. So, I said, I've been doing it for five, six years now and I still find stuff I didn't know about Kubernetes, you know, and as you look more into it, you realize quite how complicated it is.
B
You're never going to be able to roll out a container cluster and, like, get it just, like, bang, that's it, secure, I'm done, I'm fine. And I think when you come into it, there may be an assumption. It's, look, you know, if I'm getting a product from a major vendor, I'm kind of gonna just install this, it'll be fine, and it's like, you know,
B
No, no is the answer to that, and I think only once you, like, start digging into it and you start running containers in production for a while, and you're like, oh, these are the problems I'm gonna have. Like, this is the challenge I'm gonna have with vulnerability management, trying to keep all these hundreds of images up to date with the tidal wave of CVEs,
B
you know, vulnerabilities, I get every time. And when you start trying to do things like admission control, so, you know, trying to stop people just misusing their rights to Kubernetes, it's not trivial, and so that's where I think, you know, I always think, you know, if you talk to two people who've been in security a long time and you say, is something secure, they'll never ever say yes, you know. No experienced security practitioner says, yeah, that's secure, because that doesn't happen, whereas somebody who's new to security might say, yeah, you know, they might say
B
Yeah, and I think there can be an assumption, right, because, like, you know, you're getting products from major vendors, that's going to be perfect, and, you know, again, with my pen tester hat on, I know that's not always true. You know, I would do pen tests on big organizations with big products, you know, and I would find things that surprised me, right. You know, I'd get surprised about doing a pentest and go, I can do that? How does that work?
B
And that's because, you know, people make assumptions about how things are going to be used, right. You know, you're making a product, you put it out there. You assume that the customers are going to use it a certain way, and then, when they get it, they don't know that that's what you assume they're going to do. They do something wildly different and you end up with, like, you know, things that make pen testers have a good day.
C
Cool. The other thing, I know we have a little bit more time, you don't mind, Mike? Yeah, just one more question, because I thought it was interesting. You know, when you think about application security, it's all about vulnerabilities and identity. Those are kind of the top two things you've got to worry about, but in Kubernetes containers, what I've seen across all these reports is that bad configs and misconfigurations are kind of the primary reason. I mean, are you seeing the same thing?
B
Yeah, so Kubernetes config is a hard one because, like, there's 130 different ways to install Kubernetes, so, you know, it's hard to say what does good look like. It is really tricky, and it's a problem we had with the CIS benchmarks. But also because things are complicated and kind of non-obvious. You know, I mean, a really good example of this is there is a hard-coded group in the Kubernetes source code called system:masters.
B
If you remove every single right from that cluster, it doesn't matter, that user is still cluster admin, and that piece of knowledge is not widely known, so it's really easy to make that mistake and make a misconfiguration error and give more rights than you needed to or expected to. And again, if I kind of come back to my time as a pen tester, misconfigurations were the number one thing we'd pull people up on and say, you know, you have configured this person with far too many rights, and that means that they could do these things to your environment that you probably didn't want to happen. And the more complex the thing you try and do with Kubernetes, the harder that can get.
A
Cool. Hey, let me sneak one more in. There's lots of security vendors out there that have been around for a long, long time. There were some really big names. I think it was, like, you know, Symantec and others that had, you know, enterprise, you know, security solutions there, you know, 30 years ago.
A
Where did all those companies go? Are the companies that are best suited for providing security in a multi-cloud, are they all new? Are they all, like, built in Kubernetes for Kubernetes, or are there any of the legacy security vendors still out there that, you know, have mainstream offerings?
B
I think it's a tricky one, because I think the problem that the traditional, or kind of older, vendors have is moving to a new category and seeing that in advance and saying, hey, look, that's going to be successful, whereas, and it's not, if I use the term, it's not in their DNA. You know, it's hard for companies, and obviously the acquisitions, and sometimes that works out,
B
you know, as you know, and sometimes that doesn't work out, but I think that what you tend to find is that the companies who are, like, built around the premise of, this is the area I'm trying to address, will have the most success, because it's the company vision, right. It's not like some division or, like, some project that I'm doing that maybe or maybe not gets funded. It's like, this is where we're going.
B
This is the thing we want to do, and that would be my view of it. You know, also, a lot of these other vendors, they might be happy with the area they're in, right. They might say, you know, I'm happy with doing whatever it is I'm doing, I don't feel the need to try and get into this new risk area that, frankly, might not take off. You know, if you go back even four years ago, people would have said, well, Kubernetes, will it take off?
B
C
And we're seeing, of course, over the last five or so years, we're seeing some of those bigger players acquire, you know, these newer type of security vendors that have a focus on Kubernetes or containers, yeah, just because, obviously, it's easier to buy than build these days, because it's going so fast.
B
Yeah, I mean, you'll always see that, that's gonna be the way things will go, but I think, with any market, right, there's always gonna be a period of time where it's, like, huge growth, and then there's gonna be a period of consolidation, and, you know, exactly how that plays out will be one for looking out for as I go along, yeah.
A
Okay, well, I know when we were talking about doing this, having this fireside chat, if you will, you know, there was a conversation like, okay, initially we're like, well, how many slides do we have, and, you know, I was kind of joking. I was like, well, let's keep it under 100 slides, you know. Yeah, I think it's really great and refreshing to be able to have people like yourselves from Aqua on here and not have it be a presentation of, now
A
B
A
Yep, we got a minute and a half. Dave, you want to plug your DevSecOps security series again?
C
Yeah, thanks, and I did get it under 100 slides for you, Mike. We only have three, so.
C
But no, again, this is part of our monthly security series that we're doing every month around certain security categories under DevSecOps.
C
You can see this month is all about runtime, runtime analysis, and we're delighted to have Rory and Aqua talk to us about all the threats and those reports we had, but stay tuned for other publications.
C
I think I mentioned the next show's in a couple days. It's actually tomorrow, and we've got three podcasts that we're planning to drop this month, as well as a blog that talks about this category, the security methods within it, the integrations. But again, for more information, you can go to those links or that email on the bottom left, and I think I did that in less than 90 seconds. But I want to thank Mike, I want to thank Laura as well. It's been a pleasure, Mike.
A
I think we're good. It's been a pleasure, Rory. I'm sorry we're not gonna be able to meet you in person. I
B
A
be in Los Angeles. I will be there hosting an OpenShift Commons briefing day-zero event. I'll try and stop in and visit as many of our partners while we're there. So if anyone's coming to the convention center, please look for me. I'm probably over two meters tall, I'm easy to find, and, you know, looking forward to seeing you people. So that's it for another hour for the OpenShift Commons Briefings operator hours. Mike Waite, Dave Meurer, Rory McCune, thanks for coming today and enjoy the rest of your week.