Embracing service-level objectives of your microservices in your CI/CD

Shifting left - How to use Continuous Integration tools to bring security into the DevOps world

In today's modern software factories, organizations are shifting security to the left. No longer just the purview of firewalls, security needs to be built in during development and deployment processes. By doing so, organizations can ensure they are limiting vulnerabilities getting into production while cutting costs of both downtime and code rework.

Key Takeaways:
○ How to ensure that the use of open source doesn’t introduce vulnerabilities and other security risks
○ How to automate the delivery of trusted images using a policy-driven approach
○ Empowering developers to secure their applications, while maintaining segregation of duties
○ Ensuring the consistent flow of images through the pipeline, with no side-doors or introduction of unvetted images
○ Enforcing immutability of containers, preventing container-image drift

1. Aqua Security: Cloud Native Security. © 2018 Aqua Security Software Ltd., All Rights Reserved
2. The Leading Cloud Native Security Company
   ■ Aqua helps the world's leading enterprises to modernize security for their container-based, serverless and cloud native applications, from development to production
   ■ Open Source Leadership: maintaining the industry-standard tools for container, Kubernetes and cloud security
   ■ Community Leadership: we "wrote the book" on K8s security, and chair the CNCF Technical Oversight Committee
3. Agenda
   ■ Aqua's Open Source Tools
   ■ Kubernetes configuration checks with kube-bench
   ■ Kubernetes penetration testing with kube-hunter
   ■ Image scanning and CI integration with Trivy
   ■ Aqua Enterprise, called Aqua CSP
   ■ Runtime protection
   ■ Container firewall
4. Aqua's Open Source Tools
   ■ kube-bench (CIS benchmark for K8s): scans Kubernetes nodes against the CIS benchmark checks. github.com/aquasecurity/kube-bench
   ■ Trivy (image vulnerability scanner): scans images for known vulnerabilities; works within CI tools. github.com/aquasecurity/trivy
   ■ kube-hunter (K8s penetration testing): tests K8s clusters against known attack vectors, both remote and internal. github.com/aquasecurity/kube-hunter
5. ...and more Aqua Open Source Tools...
   ■ CloudSploit (Cloud Security Posture Management, CSPM): a cloud security auditing and monitoring product that scans IaaS and SaaS accounts for security risks, including misconfigurations, malicious API calls and insider threats. github.com/cloudsploit
   ■ Tracee (system tracing tool): a lightweight, easy to use container and system tracing tool. After launching, it collects traces of newly created containers (container mode) or processes (system mode). github.com/aquasecurity/tracee
6. Kubernetes Configuration Assessment for Security
7. Kubernetes components
   ■ Kubernetes components are installed on your servers: master components (API Server, Scheduler, Controllers, etcd) and node components (Kubelet, kube-proxy, Pods)
   ■ Many configuration settings have a security impact
   ■ Example: an open, unauthenticated Kubelet port is effectively root access, since the Kubelet API can run commands inside any pod on that node
   ■ Defaults depend on the installer
   [Diagram: Kubernetes Master (API Server, Scheduler, Controllers, Etcd) and Nodes (Kubelet, Kube-proxy, Pod)]
8. CIS Kubernetes benchmark
9. kube-bench (github.com/aquasecurity/kube-bench)
   ■ Open source automated tests for the CIS Kubernetes Benchmark
   ■ Tests for Kubernetes Masters and Nodes
   ■ Available as a container
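To make the "open Kubelet port = root access" and "defaults depend on the installer" points concrete, here is a small CIS-style audit of a kubelet command line. It is an added example written for this page, not kube-bench's own code. The check worth noticing is that an absent flag is a finding: the kubelet's built-in defaults for these four flags are the unsafe values. The defaults table and the two command lines are assumptions constructed for the demo; confirm the defaults against `kubelet --help` for your version.

```python
"""Kubelet flag audit in the spirit of a CIS Kubernetes Benchmark node check.

Added example, not kube-bench's code. When a flag is absent the kubelet's
built-in default applies, and for these flags the default is the unsafe value,
so an absent flag must be reported as a failure, not as "not configured".
"""
import shlex

# Assumed upstream kubelet flag defaults (check `kubelet --help` for your version).
KUBELET_DEFAULTS = {
    "anonymous-auth": "true",             # unauthenticated requests are accepted
    "authorization-mode": "AlwaysAllow",  # every request is authorized
    "read-only-port": "10255",            # unauthenticated read-only API is listening
    "client-ca-file": "",                 # no client certificate verification
}

# pflag/Go boolean flags never consume the next argument:
# "--anonymous-auth false" leaves the flag true and passes "false" through.
BOOL_FLAGS = {"anonymous-auth"}


def parse_flags(cmdline):
    """Return {flag: value} for the --flags on a kubelet command line."""
    argv = shlex.split(cmdline)
    flags = {}
    i = 1  # argv[0] is the kubelet binary
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            key, has_eq, val = tok[2:].partition("=")
            if has_eq:
                flags[key] = val
            elif key not in BOOL_FLAGS and i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                flags[key] = argv[i + 1]
                i += 1
            else:
                flags[key] = "true"
        i += 1
    return flags


def audit_kubelet(cmdline):
    """Run four CIS-style checks; returns a list of (check, "PASS"/"FAIL", detail)."""
    flags = parse_flags(cmdline)

    def effective(name):
        # The value the kubelet actually runs with: explicit flag or built-in default.
        return flags.get(name, KUBELET_DEFAULTS[name])

    anon = effective("anonymous-auth").lower()
    authz = effective("authorization-mode")
    rop = effective("read-only-port")
    ca = effective("client-ca-file")
    checks = [
        ("--anonymous-auth is false", anon == "false", f"effective value {anon!r}"),
        ("--authorization-mode is not AlwaysAllow", authz != "AlwaysAllow", f"effective value {authz!r}"),
        ("--read-only-port is 0 (disabled)", rop == "0", f"effective value {rop!r}"),
        ("--client-ca-file is set", bool(ca), f"effective value {ca!r}"),
    ]
    return [(name, "PASS" if ok else "FAIL", detail) for name, ok, detail in checks]


def failing_checks(cmdline):
    """Names of the checks that fail for this command line."""
    return [name for name, status, _ in audit_kubelet(cmdline) if status == "FAIL"]


# Constructed command lines for the demo (not captured from a real node).
INSECURE_CMDLINE = "kubelet --kubeconfig=/var/lib/kubelet/kubeconfig --hostname-override node-1"
HARDENED_CMDLINE = ("kubelet --anonymous-auth=false --authorization-mode=Webhook "
                    "--read-only-port=0 --client-ca-file=/etc/kubernetes/pki/ca.crt")

if __name__ == "__main__":
    for label, cmd in (("insecure", INSECURE_CMDLINE), ("hardened", HARDENED_CMDLINE)):
        print(label)
        for name, status, detail in audit_kubelet(cmd):
            print(f"  [{status}] {name}: {detail}")
```

The insecure command line sets none of the four flags and fails all four checks purely on defaults. On real nodes the kubelet is usually configured through a KubeletConfiguration file passed with `--config`, whose settings override these defaults; kube-bench reads that file as well, this example only looks at flags.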
10. Kubernetes penetration testing
11. kube-hunter: how do I know the config is working to secure my cluster?
   ■ Open source penetration tests for Kubernetes
   ■ See what an attacker would see
   ■ github.com/aquasecurity/kube-hunter
   ■ Online report viewer: kube-hunter.aquasec.com
12. kube-hunter.aquasec.com [slides 12 to 14: screenshots of the online report viewer]
15. Image scanning and CI integration: Trivy
16. Common Vulnerabilities & Exposures
17. Vulnerabilities: known and unknown
   ■ Known vulnerabilities: static scanning, a scanner identifying components with known vulnerabilities (e.g. Trivy, Clair, Aqua)
   ■ Unknown vulnerabilities: dynamic threat analysis, identifying advanced threats that try to hide their purpose (Aqua)
18. Scanning container images covers the OS layer (CentOS, Alpine), application packages (Nginx, NodeJS NPMs) and binaries
19. Vulnerability sources
   ■ Vulnerabilities are published on different security advisories
   ■ NVD: the National Vulnerability Database
   ■ Vendors will have their own advisories
20. Case study: Debian / CVE-2017-8807. NVD reports this in Varnish HTTP Cache versions 4.0.0 - 5.2.0
21. Debian applied the patch to 5.0.0. Because the fix is backported, the upstream version string stays inside the NVD range; a scanner that only compares upstream versions keeps reporting the patched package (a false positive), so the distribution's own advisory, not NVD, is the authoritative source for the fixed version
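The case study in code, as an added example for this page rather than Trivy's implementation: a dpkg-compatible version comparison, then the same installed package judged two ways, against the NVD upstream range and against the distribution's fixed version. The NVD range is the slide's fact; the Debian revision strings (`5.0.0-7+deb9u2` and its neighbours) are constructed for the demo and are not taken from the Debian advisory.

```python
"""Backport-aware vulnerability matching for Debian packages.

Added example, not Trivy's code. NVD says Varnish 4.0.0 through 5.2.0 is
affected by CVE-2017-8807; Debian fixed it by patching its 5.0.0 source
package and bumping only the Debian revision. A scanner that compares the
upstream version against the NVD range keeps flagging the patched package;
one that trusts the distribution's fixed version does not.

The version comparison follows dpkg's verrevcmp algorithm. The Debian
revision strings in the advisory data are constructed for the demo.
"""


def _order(c):
    """dpkg's character weight: '~' sorts before everything, letters before non-letters."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg does: alternating non-digit and digit runs."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        while (i < la and not a[i].isdigit()) or (j < lb and not b[j].isdigit()):
            ac = _order(a[i]) if i < la else 0
            bc = _order(b[j]) if j < lb else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < la and a[i] == "0":   # leading zeros are insignificant
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and j < lb and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and a[i].isdigit():    # longer digit run wins
            return 1
        if j < lb and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to ''."""
    epoch, has_epoch, rest = version.partition(":")
    if not has_epoch:
        epoch, rest = "0", version
    upstream, has_rev, revision = rest.rpartition("-")
    if not has_rev:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def dpkg_compare(a, b):
    """Return -1, 0 or 1, like `dpkg --compare-versions`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return (r > 0) - (r < 0)
    return 0


# The slide's fact: NVD lists Varnish HTTP Cache 4.0.0 - 5.2.0 as affected.
NVD_RANGE = {"cve": "CVE-2017-8807", "pkg": "varnish", "first": "4.0.0", "last": "5.2.0"}
# Constructed distro advisory: the fix lands in a Debian revision of the 5.0.0
# package. The "-7+deb9u2" revision is an assumption for the demo.
DEBIAN_ADVISORY = {"cve": "CVE-2017-8807", "pkg": "varnish", "fixed": "5.0.0-7+deb9u2"}


def naive_upstream_match(installed):
    """Scanner that only knows NVD: drop the Debian revision, test the upstream range."""
    _, upstream, _ = parse_version(installed)
    return (dpkg_compare(upstream, NVD_RANGE["first"]) >= 0
            and dpkg_compare(upstream, NVD_RANGE["last"]) <= 0)


def distro_aware_match(installed):
    """Scanner that trusts the distribution: vulnerable only below the distro's fixed version."""
    return dpkg_compare(installed, DEBIAN_ADVISORY["fixed"]) < 0


def verdicts(installed):
    return {"installed": installed,
            "nvd_range_only": naive_upstream_match(installed),
            "distro_advisory": distro_aware_match(installed)}


if __name__ == "__main__":
    for v in ("5.0.0-7+deb9u1", "5.0.0-7+deb9u2", "5.0.0-7+deb9u10", "5.2.1-1"):
        print(verdicts(v))
```

For `5.0.0-7+deb9u2` the NVD-only check still says vulnerable while the advisory check says fixed; `deb9u10` correctly sorts after `deb9u2`, and a `~bpo` backport revision sorts before the release it was built from, both of which naive string comparison gets wrong.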
22. Detect comprehensive vulnerabilities
   ■ System package managers: apt, yum, apk
   ■ Application package managers: Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo
23. Not all scanners are created equal
   ■ Information sources / advisories: NVD, distributions, vendors, (commercial DBs)
   ■ Scanning techniques: layer-by-layer or whole image
   ■ Detection techniques: version comparison, hash comparison
   ■ Functionality: malware, file scanning, Windows
24. DevSecOps: Trivy in CI. The first run only lists HIGH findings (exit code 0), the second fails the build on any CRITICAL finding (exit code 1).
   With Travis CI:
     script:
       - ./trivy --exit-code 0 --severity HIGH --no-progress --auto-refresh [YOUR_IMAGE]
       - ./trivy --exit-code 1 --severity CRITICAL --no-progress --auto-refresh [YOUR_IMAGE]
     ...
   With CircleCI:
     - run:
         name: Scan the local image with trivy
         command: trivy --exit-code 0 --no-progress --auto-refresh [YOUR_IMAGE]
     ...
   (The `--auto-refresh` flag belongs to the earliest Trivy releases; check `trivy --help` for your version before copying these lines.)
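The two-run pattern above can be done from a single `trivy --format json` run with a small policy gate. The following is an added example for this page, not part of Trivy: it reproduces the slide's policy (HIGH warns, CRITICAL fails) and adds two things a pipeline needs next, blocking only on findings that have a fixed version, since an unfixable CRITICAL cannot be resolved by rebuilding, and time-boxed acceptances for specific IDs. The sample report is constructed with the field names Trivy uses in its JSON output (`Results`, `Target`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`); the IDs, packages and image name are placeholders.

```python
"""Policy gate over a Trivy JSON report (added example, not Trivy's code)."""
import json
import sys
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample using Trivy's JSON field names; IDs and packages are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example/app:1.2.3",
    "Results": [
        {"Target": "registry.example/app:1.2.3 (debian 10.3)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
              "InstalledVersion": "2.1-1", "FixedVersion": "", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3",
              "InstalledVersion": "0.9", "FixedVersion": "0.9.1", "Severity": "HIGH"},
         ]},
        {"Target": "app/package-lock.json",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "example-npm-pkg",
              "InstalledVersion": "4.17.11", "FixedVersion": "4.17.12", "Severity": "CRITICAL"},
         ]},
        {"Target": "app/Gemfile.lock", "Vulnerabilities": None},  # Trivy emits null for clean targets
    ],
})


def load_findings(report_text):
    """Yield one dict per vulnerability with its Target attached.

    Early Trivy releases emitted a bare list of results; later ones wrap it in
    {"Results": [...]}. Both shapes are accepted.
    """
    doc = json.loads(report_text)
    results = (doc.get("Results") or []) if isinstance(doc, dict) else doc
    for result in results:
        for vuln in result.get("Vulnerabilities") or []:
            yield {"Target": result.get("Target", ""), **vuln}


def gate(report_text, fail_at="CRITICAL", warn_at="HIGH", accepted=None,
         today=None, fixable_only=True):
    """Apply the policy; returns the exit code plus the IDs in each bucket.

    accepted maps VulnerabilityID -> ISO expiry date ("2030-01-01"); an
    acceptance past its expiry is ignored, so risk decisions cannot linger.
    """
    today = today or date.today().isoformat()
    accepted = accepted or {}
    out = {"blocking": [], "warnings": [], "accepted": [], "expired": []}
    for f in load_findings(report_text):
        vid = f["VulnerabilityID"]
        rank = SEVERITY_RANK.get(str(f.get("Severity", "UNKNOWN")).upper(), 0)
        if vid in accepted:
            if accepted[vid] >= today:      # ISO dates compare correctly as strings
                out["accepted"].append(vid)
                continue
            out["expired"].append(vid)      # lapsed acceptance: treat as a normal finding
        fixable = bool(f.get("FixedVersion"))
        if rank >= SEVERITY_RANK[fail_at] and (fixable or not fixable_only):
            out["blocking"].append(vid)
        elif rank >= SEVERITY_RANK[warn_at]:
            out["warnings"].append(vid)
    out["exit_code"] = 1 if out["blocking"] else 0
    return out


if __name__ == "__main__":
    # Usage: trivy image --format json -o report.json IMAGE && python gate.py report.json
    # Without an argument the constructed sample report is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    result = gate(text, accepted={"CVE-0000-0004": "2030-01-01"})
    for bucket in ("blocking", "warnings", "accepted", "expired"):
        print(f"{bucket}: {', '.join(result[bucket]) or '-'}")
    sys.exit(result["exit_code"])
```

On the sample the build fails because of one fixable CRITICAL; the unfixable CRITICAL and the HIGH are reported as warnings, and the accepted ID is listed separately so the acceptance stays visible in the job log.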
25. Aqua Enterprise: we call this CSP, the Cloud-Native Security Platform
26. Aqua Cloud Native Security [Diagram: Cloud IaaS, Orchestration and Workloads layers covered by Cloud Security Posture Management, Kubernetes Security, Container & CaaS Security, FaaS Security, VM Security and PaaS Security; integrations with CI/CD and registries, SIEM/analytics/monitoring, LDAP / AD / SAML, secrets vaults, collaboration tools and cyber intelligence feeds]
27. Automatic learning of pod/container behavior and then runtime enforcement
28. DevSecOps: immutable containers
   ■ Immutable containers are easier to protect
   ■ Any change at runtime is not legitimate
   ■ If a change is detected, it is blocked: no code injection into containers
   [Diagram: the image's bin, user and etc directories compared against the running container's]
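The "image ?= container" comparison on the slide is, at its simplest, a hash manifest of the image's files checked against the running container's filesystem. The example below is added for this page and is not Aqua's runtime enforcement: it builds an image tree and a drifted container tree in temporary directories (constructed data), hashes both, and reports what was added, modified or deleted outside the paths declared writable. Against a real container you would point `hash_tree` at the image's unpacked rootfs and at the container's root (for example a `docker export` of the container or its overlay mount); those mount points are assumptions, not part of this script.

```python
"""Container drift check: compare a running container's files with its image.

Added example, not Aqua's code. It detects drift; blocking the change, as the
slide describes, needs a hook in the container runtime and is out of scope here.
"""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map relative path -> SHA-256 of contents for every regular file under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks, sockets and devices are out of scope here
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest


def diff_manifests(image, container, writable=()):
    """Return drift relative to the image; paths under `writable` prefixes are ignored."""
    def ignored(path):
        return any(path == w or path.startswith(w.rstrip("/") + "/") for w in writable)

    added = sorted(p for p in container if p not in image and not ignored(p))
    deleted = sorted(p for p in image if p not in container and not ignored(p))
    modified = sorted(p for p in image
                      if p in container and image[p] != container[p] and not ignored(p))
    return {"added": added, "modified": modified, "deleted": deleted}


def _write(root, files):
    """Create the given {relative path: bytes} under root."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Constructed image and container trees; returns the drift report."""
    image_files = {
        "bin/app": b"#!/bin/sh\necho app\n",
        "etc/app.conf": b"port=8080\n",
        "usr/lib/libz.so": b"\x7fELF constructed placeholder\n",
    }
    with tempfile.TemporaryDirectory() as image, tempfile.TemporaryDirectory() as container:
        _write(image, image_files)
        _write(container, image_files)          # container starts identical to the image
        _write(container, {                     # simulated runtime changes:
            "bin/app": b"#!/bin/sh\necho tampered\n",       # modified binary
            "usr/bin/injected": b"\x7fELF dropped binary\n",  # new executable
            "tmp/cache.db": b"scratch data\n",              # legitimate scratch file
        })
        os.remove(os.path.join(container, "usr/lib/libz.so"))   # deleted library
        return diff_manifests(hash_tree(image), hash_tree(container), writable=("tmp",))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The writable allowlist is what keeps this usable: scratch directories and mounted volumes are expected to change, everything else in a properly immutable container is not. A production check should also compare mode and ownership, since a permission change on an existing binary is drift too.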
29. Container Firewall: learns network traffic and then allows granular control of all inbound and outbound traffic. Policy is enforced regardless of where the orchestrator places the pod/container
30. Jenkins Aqua Plugin for container images and serverless functions (Lambda)
31. Links
   ■ github.com/aquasecurity/kube-bench
   ■ github.com/aquasecurity/kube-hunter
   ■ github.com/aquasecurity/trivy
   ■ github.com/aquasecurity/tracee
   ■ github.com/cloudsploit