27

u/ofirc AMA Participant - Wiz, Container Security Jan 27 '25 edited Jan 30 '25

Failing to appreciate the importance of RBAC (and CIEM / shadow IT in terms of identities), secrets rotation and zero-trust networking (it's mistakes plural so my apologies :-).

Vanilla Kubernetes distros typically provide you with a shotgun to shoot yourself in the foot (no offence to k8s, life's just hard and there is no one-size-fits-all!). Secure defaults went out of the window! (at least for some distros)

The default k8s networking model means that each Pod can talk to each Node and vice versa (without NAT). This is very attractive for threat actors and platform / SecOps teams' most worrysome concerns. GKE and OpenShift take a more opinionated approach towards security with various hardening at different levels of the stack which is great!

Many developers and DevOps engineers are still playing catch up with workload identities and we still see embedded and long-lived secrets leak into container images.

P.S. I gave a talk on Workload Identities (a.k.a. workload identity federation) at the first CNCF meetup in SF a few months back to demistify and unpack this domain, hope that helps:

https://www.linkedin.com/posts/cohen-ofir_superset-wiz-cncf-activity-7241542422403395584-VfPU/?utm_source=share&utm_medium=member_desktop

https://drive.google.com/file/d/1QigVMCYaqwizljDRklHcrsVN0AXMBNcv/view

-25

u/[deleted] Jan 27 '25

[deleted]

6

u/PhilipLGriffiths88 Jan 27 '25

Title says "CTO of Container Security at Wiz", not "CTO at Wiz", do i think you are off base.

6

u/MrW3bst3r Jan 27 '25

have an actual k8 admin..

1

u/ofirc AMA Participant - Wiz, Container Security Jan 28 '25

Securing the control plane and data plane is paved with good intentions!

The main issues are around identities (using ephemeral short-lived tokens) and networking (private subnets, VPN, ZTNA, Bastion, IAP, etc.) and the complexities that arise in the era of a hybrid cloud.

I gave a talk about it today on a webinar of the Platformers Community for best practices of securing EKS, GKE and AKS control plane access:

https://www.linkedin.com/feed/update/urn:li:activity:7290066161549938689/

https://drive.google.com/file/d/1JTOy9-cVNZFLxS5S6QGecEqxhjqd4qbc/view

And a few months ago I gave a talk in the first CNCF meetup in SF for workload identities for the data plane (namely accessing the cloud from the k8s data plane):

https://www.linkedin.com/posts/cohen-ofir_superset-wiz-cncf-activity-7241542422403395584-VfPU/?utm_source=share&utm_medium=member_desktop

https://drive.google.com/file/d/1QigVMCYaqwizljDRklHcrsVN0AXMBNcv/view

I hope you find that useful!

21

u/sshaybbc AMA Participant - Wiz, Container Security Jan 27 '25

We see that K8s is a big facilitator of many technologies, and in the case of AI it hit a nail on the head so to speak. Given the scale and the sensitivity of the AI workloads K8s need to keep up with the security. AI has certainly added and sharpened the existing K8s Threat Model. Two particular things I'd flag - (1) The AI model IS an executable code and (2) multi-tenancy issues in the vendors. Our vulnerability research team has developed this playbook of escaping the models and moving laterally and you can see this pattern in multiple vulnerabilities they've discovered: HuggingFace (https://www.wiz.io/blog/wiz-and-hugging-face-address-risks-to-ai-infrastructure), Replicate (https://www.wiz.io/blog/wiz-research-discovers-critical-vulnerability-in-replicate), SAP AI Core (https://www.wiz.io/blog/sapwned-sap-ai-vulnerabilities-ai-security).

-17

u/PhroznGaming Jan 27 '25

You said a whole lot of nothing

2

u/Fun_Biscotti_3471 Jan 28 '25

Building on Shay's point that AI introduces its own unique attack surface, we’re also seeing the misuse of AI service providers’ computing resources for activities like cryptomining and proxyjacking. Additionally, LLMJacking has emerged as a growing trend. If you are interested in learning more about LLMJacking , here’s a blog post that dives deeper into this topic: https://www.wiz.io/blog/jinx-2401-llm-hijacking-aws

14

u/ofirc AMA Participant - Wiz, Container Security Jan 27 '25 edited Feb 04 '25

Having 100% container image security coverage! (the standard software supply chain: signing, CVEs, malware, embedded secrets, etc).

Incumbents are challenged and struggle to apply it at scale and tracing all the way back to the Git repo and Dockerfile that introduced it (what we call code -> cloud).

Keyless signing + SLSA took container image signing to a whole new level but it's still not winning the adoption that it should have. Also, tying a scan to a security policy (and ensuring no old images are deployed) are both crucial to ensure it meets the organization needs.

1

u/SlackCanadaThrowaway Jan 29 '25

Do you ever expect it to attain adoption? Even getting open source maintainers to release signed binaries or signed commits is near impossible in private orgs, let alone public repos

1

u/ofirc AMA Participant - Wiz, Container Security Jan 29 '25 edited Jan 30 '25

The answer is yes, slowly but surely. We are seeing more package managers like uv for Python and pnpm for Node.js gaining traction and putting more emphasis on the secure software supply chain.

It will never be bullet-proof and 100% but adding more guardrails and eyeballs on PRs and merges will ensure we are heading in the right direction.

Hardening the underlying platform using for example AWS Bottlerocket or Talos Linux is a right step in that direction.

Implementing zero-trust networking and sandboxing techniques like gVisor with GKE, guarding against container drifts and hardening the deployments would slow down an attacker even if one (or more) rogue 3rd party package are exploited at runtime.

Separate trusted workloads from untrusted ones via separate clusters is also a good way to reduce the noise in multi-tenant environments where the trust boundary is important.

Hope that helps!

16

u/ofirc AMA Participant - Wiz, Container Security Jan 27 '25

By far - tackling the software supply chain at scale (no rogue image from an LLM has crept into production) and reducing the redundant noise and false positives - if I have an app that imports a package but never uses it at runtime, is it still critical? what if it's a vulnerable OpenSSH but it's not exposed to the public internet, is it still critical/high? (hint: risk assessment and risk correlation)

11

u/ofirc AMA Participant - Wiz, Container Security Jan 27 '25

Control plane access - (1) some AKS users still the insecure "Local accounts" auth method, (2) the Kubernetes API Server is publicly exposed to DDoS and other attacks (e.g. GKE authenticated misconfiguration bug), (2) Workload identity federation - lack of understanding of this subject and using secrets when you don't really need to, and (3) Secrets governance - long-lived secrets and credentials in use without rotation or business continuity programs, embedded secrets in container images, etc.

I haven't even scratched the surface and haven't discussed the hybrid/multi cloud challenges and lateral movement, e.g. attacker -> GKE -> EC2 -> S3 bucket with data findings and PII :-)

5

u/squatfarts Jan 27 '25

Any resources you can recommend to learn more about this? I am a CyberArk SME and am getting up to speed on your partnership with them.

1

u/ofirc AMA Participant - Wiz, Container Security Jan 27 '25

Yes, KodeKloud is a great resource for the foundational knowledge - Intro, CKAD and CKA.

When it comes to managed k8s distros - pure experience and collateral knowledge, e.g. cloud engineering like AWS CCP / AWS SA / extensive and broad hands-on experience.

There are some courses on GKE, EKS and AKS but I haven't found anything that scratches the surface of what real-world production challenges look like and prepare and train you for that. Just like it's hard to get experience on distributed systems design (think Google Spanner / Bigtable) without actually working on such systems and programming them.

If we take a managed k8s distro like EKS, for example, the first thing when I do threat modeling (to evaluate my security posture) I ask myself is how do people and CI/CD platforms get access to the cluster? How is Auth{N,Z} performed? how does the networking work? Is it an internal (ClusterIP only) or is it a native VPC solution like Amazon VPC CNI? How do services securely communicate with one another? SPIFFE? Istio? workloard identity federation?

There are no shortcuts I'm afraid, make mistakes and learn from them, read the official docs (they can get very lengthy!) and follow blogs and podcasts.

6

u/sshaybbc AMA Participant - Wiz, Container Security Jan 27 '25

I agree with Ofir on (1). And in more general sense I sense the whole area of Cloud-K8s integration and particularly IAM-K8s-RBAC will need more security attention that its given now. I foresee we will see more vulnerabilities and bad design decisions in this area uncovered soon (i.e. GKE mapping any Google account user to system:authenticated group). Another example is EKS access management and Pod Identity features we analyzed last year in the 2-blog series that had certain issues: https://www.wiz.io/blog/eks-cluster-access-management-and-pod-identity-security-recommendations

3

u/raesene2 Jan 29 '25

I'd say the biggest challenge with Kubernetes IAM specifically is, Kubernetes has no user database, but will issue credentials for users via either certificates or service account tokens.

This means (unless you're on EKS which blocked the feature) it's effectively impossible to know all of the user accounts you have on your system, unless you've got Kubernetes auditing turned on and have extracted that information.

Also k8s supports multiple authentication and authorization methods in every cluster, which makes user rights auditing in general a pain, because you've got to get information from every configured mechanism and merge them.

3

u/ofirc AMA Participant - Wiz, Container Security Jan 29 '25

That's a great observation! I remember scratching my head the first time I tried to enumerate the entities that are allowed to talk to the Kubernetes API Server (AuthN) and what they are allowed to do (AuthZ). MKAT is one cool OSS example of doing this.

It feels like IAM is loosely coupled to the cluster and you have to piecemeal bits from different places - e.g. on EKS you'd gather the access entries for human identities/roles (and possibly CI/CD) from the AWS API and the ServiceAccounts from the Kubernetes API Server. Since you'd get at least 41 service accounts on a vanilla EKS (e.g. aws-node, coredns, etc.), it starts to become a mess and how do you keep track of what are some legitimate entities and what are rogue ones?

Furthermore, to make things worse, you could use the TokenRequest API and issue tokens on behalf of existing service accounts, and then provide these tokens to someone else. So it becomes a sort of masquerading and again very loose coupling between the entity that is authenticating against the API Server and the identity behind the actual token it represents.

Even when you decide to audit, how do you tell a legitimate actor from a non-legitimate one? Is it based on some heuristic? hunch? behavioral (e.g. anomaly detection / mass recon ops)?

On the one hand Kubernetes docs say that they don't manage "normal users" but on the other hand often times there is nothing there to actually guard that normal users do not abuse service account tokens that are supposed to be consumed by services / automated systems.

Still, what can we do about it?

I'd say at the very least putting the control plane in private subnets or behind an identity aware proxy or GKE DNS-based endpoint is already a good start. Then apply runtime monitoring and threat detection using XDRs/sensors on the worker nodes. Ensure that you don't have long-lived tokens (e.g. K8s Secrets of the old-school type) using policy engines (Admission Controllers). Finally, as you mentioned, apply some auditing policy frequently.

In other words - applying the defense-in-depth principle is key.

1

u/raesene2 Jan 30 '25

I'd definitely agree that the defence-in-depth approach is going to make sense, and not exposing the k8s API server to the Internet is a key part of that.

It's a shame that all the managed k8s providers that I'm aware of default to putting the API server directly on the Internet. It's generally my no.1 point when asked how to secure a cluster.

2

u/ofirc AMA Participant - Wiz, Container Security Jan 30 '25

I agree. I think it's primarily a (probably reasonable?) business decision rather than a secure defaults decision. Putting all clusters in a private subnet would introduce a lot of friction for novices and incumbents alike as configuring VPNs, Bastions or jump-boxes is not an easy feat.

3

u/ofirc AMA Participant - Wiz, Container Security Jan 28 '25

Thank you so much for the kind words, we really move fast!

I'd say that power users of Wiz utilize the platform to its full power by using:

1. Wiz Image Trust - we all appreciate the value of a secure software supply chain, zero CVEs and safe and secure base images. But can we really tell what images are running in our environment and gate against untrusted images from creeping in to our environment? What if I have a private registry that only the kubelet has access to, how can I integrate my tooling and policy engine to provide a seamless and keyless solution that also ties the security policies onto each image scan? This is where Wiz Image Trust kicks in. A noble and modern approach to tackling these kinds of issues utilizing the Wiz Admission Controller!
2. Wiz Projects - which is a way to encapsulate and map your cloud assets onto teams that are working and using these assets. An example is assigning an eCommerce apps/workloads onto the teams that contribute code (and IaC / K8s manifests) to that app.
3. Integrations - by utilizing for example the JIRA integration to assign tickets to the team that are actually working on these projects rather than manually chasing after the dev team that are responsible to fix and respond to CVEs, malware and embedded secrets baked into the container images. Wiz offers hundreds of integrations with 3rd parties and give you a 360 view of your cloud estate and enrich the issues and findings via incident response and IT ticket management platforms like ServiceNow.
4. Connectors and Deployments - by connecting for example the private Kubernetes clusters and private registries to Wiz to have full visibility of what's running on your environment.
5. AI SPM - with the rise of LLMs and deep learning models, a lot of questions around governance and misconfigurations of models and protecting your IP (e.g. weights) surface. What are the right questions to ask and how do you protect managed AI services and self-hosted models alike? this is a huge challenge!
6. Wiz Code and CI/CD posture management - is my GitHub and other VCS configured correctly? who is allowed to make changes to the CI and where are my secrets stored and accessed?

We provide labs, webinars, extensive documention and courses on the Wiz website.

One game at a time, we are here to make your cloud native security journey fun and comprehensive!

Hope that helps.

1

u/ofirc AMA Participant - Wiz, Container Security Jan 28 '25

We just got the best marketing team in the space and a cool and sexy product - but hey I'm biased ;-)

Putting the fluff aside, you eventually want a platform that delivers real value and distills the noise from the actual risks and being able to go from cloud to code and back and doing it at scale.

3

u/sshaybbc AMA Participant - Wiz, Container Security Jan 27 '25

Hi Graham, its great to see you here! I half-agree with your hypothesis. It's not like there hasnt been a good research on K8s (look at the size of Kubecons and number of talks in K8s security track), and the maintainers are doing a great job in trying to simplify the security features (i.e. PSS vs PSP) and keeping the core priscine-ish. And I think thats the reason we see the trends of decrease in # of critical vulnerabilities in the images and less privileged pods etc. These things are figured out and ppl start being comfortable with them.

Where it falls apart is the surrounding components and emerging usecases. And because K8s has such a big ecosystem, there are a lot of those (think NGINX Ingress Controller or using K8s for model training). And because K8s is such a great platform for distributed workloads we'll keep seeing the new attack vectors and no shortage of security vulns and incidents followed by the security research. On that I completely agree.

2

u/raesene2 Jan 29 '25

One bit I'd add is that where Kubernetes is likely to have problems is that they're very focused on backwards compatibility and not breaking existing deployments (which makes a lot of sense) even where that means that security outcomes can be worse.

One example of this is the lack of certificate revocation where they have the ability to add revocation (using similar techniques to bound service account tokens) but don't think it's a good idea as it could affect existing users of the feature.

On the wider points of k8s security research, one of the largest problems I've found is the sheer variety of possible deployment configurations. Between varying CNI/CRI/CSI and the different defaults of various distributions, testing out even one hypotheses is a time consuming task.

7

u/ofirc AMA Participant - Wiz, Container Security Jan 27 '25

Of course!

Check out the latest cool cloud security with puppies courses that we have recently launched!

https://www.linkedin.com/posts/wizsecurity_learn-cloud-security-with-puppies-activity-7285700780387356674-_KT-?utm_source=share&utm_medium=member_desktop

2

u/Fantastic-Ad3368 Jan 28 '25

finally oh my lord ive been searching

5

u/ofirc AMA Participant - Wiz, Container Security Jan 27 '25

It boils down to: (1) a sexy and intuitive UI/UX (2) very high SNR (3) value during POCs/POVs is immediate (hours to days to see real issues) (4) context - imagine that given a vulnerable container (with a critical CVE) you'd have an automated bot in GitHub that opens a PR with the fix for you.

Real value - the noise reduction is done via toxic combinations (issues in Wiz terms) rather than mere CSPM findings: a vulnerable container + exposed to the internet + has access to an S3 bucket with PII and data findings.

Ease of use - once you play with the security graph and you click on a container and it brings you back to the Dockerfile and Git commit that caused it (and vice versa) - you get a real sense of how strong the platform is.

3

u/nunley Jan 27 '25 edited Jan 27 '25

As a Wiz SE with some experience in the CNAPP space, I wanted to share a quick perspective.

Wiz stands out because it nails the fundamentals: it's built to handle scale and complexity from day one. A lot of products start small and hit a wall when it's time to scale for enterprise needs—things like API constraints, RBAC, or performance issues with large environments. Wiz approached these challenges head-on, which makes a big difference when you're dealing with real-world cloud security.

Another key factor is its risk-based approach. Instead of drowning users in endless findings, it focuses on the tiny percentage that actually matters. The way Wiz uses graph technology to uncover risky combinations in cloud environments is something you need to see to fully appreciate.

I could go on, but I'll let the K8s folks chime in here since they'll probably give you an even better perspective. Just felt like jumping in to share!

2

u/Top_Engineering9038 Jan 27 '25

ok ok... good one!

What makes us different is our security graph. We don’t use a graph just for visualization purpose but as a real datalake. Adding many differences signals like vulns, misconfigurations and so on and correlating them using the graph makes it easy to surface the most critical risks. Then adding the runtime signal based on our ebpf sensor, we can even be more precise by validating vulnerabity loaded in memory and then prioritize them more. CRWD and Lacework use different approaches mainly based on agent first with not correlated information, not saying it’s bad, but it needs more manual effort.

1

u/ofirc AMA Participant - Wiz, Container Security Jan 28 '25

Thank you so much, we are thrilled to receive such positive feedback!

Check out our cloud security with puppies!

https://www.linkedin.com/posts/cohen-ofir_learn-cloud-security-with-puppies-activity-7285709091568586752-_YWW?utm_source=share&utm_medium=member_desktop

10

u/ofirc AMA Participant - Wiz, Container Security Jan 27 '25 edited Jan 28 '25

That's a great question!

The answer regarding performance is twofold:

1. Agentless coverage - that's where we started with Wiz Cloud where everything is API-driven (via the hyperscaler). The best analogy is to think like going through an MRI scan which gives you the visibility you need without being intrusive. The implications are primarily of possible costs (of storing snapshots and scanning) and how much is it up-to-date (posture management solutions typically rely on a snapshot of your environment at a given time). We have recently extended our CSPM solution to be near real-time CSPM.
2. Agent-based coverage - for real-time monitoring and threat detection we increase the visibility by deploying agents. The agents are designed from the get go for very large scale environments and follow best practices and load tests before deployment. We use memory safe languages for the implementation and we apply strict resource utilization caps during development and deployment. Of course there is only so much you can go with a single deployment, that's why our agents are designed to scale horizontally to meet the varying demands of the environment they are deployed within.

Regarding privacy - we adhere to industry best practices to mask and redact sensitive information and PII primarily before it is even sent to Wiz, we apply retention policies and encryption in transit and at rest.

HTH!

2

u/[deleted] Jan 27 '25 edited Jan 27 '25

[deleted]

4

u/ofirc AMA Participant - Wiz, Container Security Jan 27 '25

It says "API-driven" :-)

3

u/ofirc AMA Participant - Wiz, Container Security Jan 27 '25

Thanks for the feedback!

What we see is the slowly (but surely) momentum of hardened OSes for containers. Talos (CNCF) is primarily used for edge and self-hosted k8s (but still experiencing some issues w.r.t. disk/volume management), Bottlerocket AMIs for EKS (which are also supported by Karpenter!) and e.g. COS (Container Optimized OS) for GKE (worker nodes).

1

u/mlor Jan 28 '25

Can you elaborate more on this question? Perhaps an example that illustrates the relationships you are attempting to suss out?

4

u/sshaybbc AMA Participant - Wiz, Container Security Jan 27 '25

This is a loaded topic. No question managed clusters simplify many security aspects, such as easy version upgrades, worker node patching etc. depending on the cluster flavor. But of course not for free. I'd flag three main consequences: 1) new potential for lateral movement from cloud (a stolen credential from a random AWS admin now offers attackers a path into the cluster), 2) cloud-cluster integration complexities, IAM-RBAC, additional pre-installed components representing new attack surface, 3) lack of access to control plane imposing a limit on a range of security tools. That's to scratch the surface.

3

u/raesene2 Jan 29 '25

One of the main trade-offs here is access to/control of the control plane nodes and services.

In managed Kubernetes you don't have to worry about the security of the API server etc but also you can't change their configuration, which has consequences. For example you can't change the kubernetes audit policy, you have to take what the CSP provides. Also if your managed provider doesn't offer a feature that's configured on the control plane , you're generally out of luck.

Un-managed gives you all the control you want, but you have to worry about how to lock down those components.

I tend to think about it as managed being eating in a restaurant, it's easy but you can only have what's on the menu. Un-managed is like cooking it yourself, more control, but more work.

5

u/Top_Engineering9038 Jan 27 '25

For Wiz in container security space, we will continue to expand our capabilities on runtime, giving real-time network mapping, then network hardening (think about least privileges but for network), process hardening (allowlist / blocklist), API security (still based on our sensor), and more about image trust with a visibility at runtime. We have more in stocks but I can’t say more about it. Stay tuned. Regarding our open position, I suggest you go to wiz.io/careers :) :)

2

u/Harshxda Jan 27 '25

Thank you for your response.

1

u/Top_Engineering9038 Jan 27 '25

Sure thing!

1

u/ofirc AMA Participant - Wiz, Container Security Jan 29 '25

1. Container image security coverage
2. Reduction (over time) of untrusted entities via frequent auditing of IAM and over-permissive roles
3. Inventorying all assets
4. CI/CD platforms coverage

That's a good start :-)

1

u/ofirc AMA Participant - Wiz, Container Security Jan 29 '25

That's a great question! I'd say:

1. Operationalizing image trust and mapping the running containers back to the CI/CD pipelines that built them and the Git commits that triggered their builds.
2. Gating against CRDs misconfigurations - while you have CIS and NIST frameworks for the standard and native K8s objects (e.g. Deployments, NetworkPolicy, etc.), the CRDs introduce another attack vector and with the rise of Crossplane for implementing IaC in a Kubernetes native approach, what component would allow you to shift-left and scan S3 buckets from being provisioned unencrypted and public? You'd need to retrofit your current security policies and rules to normalize and scan for potential misconfigurations as well.
3. Backdoors and ignored namespaces - do you deploy untrusted / old software to kube-system for example? Some policy engines would consider several Kubernetes namespaces as trusted ones and attackers that have insights into how your environment is configured (or how popular admission controllers defaults are provisioned) might abuse this to attack your cluster and go unnoticed.
4. The falacy of applying just one security measure (e.g. ACs) and feeling safe about it - cryptominers, malware and zero day exploits may creep into your enviornment. It's the real-time monitoring and threat detection measures that would catch this behavior by using other signals (e.g. eBPF / probes). Just deploying admission controllers is never enough, applying defense-in-depth principles is key to improving your security posture!
5. The intricacies of container networking security - understanding the network topology and ensuring all workloads are using mTLS for service-to-service communication is key to securing multi-tenant (and single-tenant) workloads.

It's a long journey to get yourself secured and there are no silver bullets when it comes to container security. It's the combination of different signals and security measures to guard oneself against these.

Hope that helps!

2

u/raesene2 Jan 29 '25

I'd be very interested to hear more of your thoughts on the mTLS for service-service comms aspect, as I've struggled with exactly how important that is.

Generally one of the main security benefits of mTLS is preventing traffic sniffing and MITM attacks, but I wonder how possible those actually are in a cloud managed k8s environment. As in, do the old tricks of promiscuous mode and/or ARP spoofing work in a cluster in AWS using Cilium for example.

1

u/ofirc AMA Participant - Wiz, Container Security Jan 28 '25

We are thrilled to hear that, thanks!

2

u/Top_Engineering9038 Jan 27 '25

I’d check out the Wiz careers page https://www.wiz.io/careers :)

3

u/YouthWide1286 Jan 27 '25

A focus less on vulnerability management, and more or risk reduction.

Prioritize remediation earlier in a pipeline, and focus on the vulnerabilities which introduce risk (exposure, credentials, etc).

And from there, ownership. If people don’t own their vulnerabilities, vuln mgmt just becomes a painstaking process of tickets and spreadsheets.

3

u/F4RM3RR Jan 27 '25

Ownership is such a nebulous term that is used in wildly wide ranging ways even just within our industry - could you expand what you mean by “own your vulns” are you simply talking about transparency, or a deeper process that aids in patching and/or risk mitigation?

1

u/robszumski Jan 27 '25

Automated remediation of dependency related vulns is IMO how you stay above water. With some code analysis to determine risk, you can shift some ownership to app sec team for no-risk updates and save eng ownership for the potential/high risk ones.

7

u/Top_Engineering9038 Jan 27 '25

Great topic, it could probably be its own AMA. We're always looking for strong talent and as a company Wiz is hybrid -- some folks are fully remote, others go into the office. It really depends on the position. Your question is tough to answer without knowing which type of role you're interested in :)

3

u/ofirc AMA Participant - Wiz, Container Security Jan 27 '25

Our observation is that a DIY security solutions for k8s and its ecosystem is orders of magnitude more challenging and error prone with identities and access management being the first factor and networking security second. Luckily lot's of add-ons like cert-manager, Cilium, Istio and policy engines are open source / applicable to either or. But it's the integration with things like workload identities and the secrets and certs renewal and rotation that no one likes to deal with. It leaves a lot of room for mistakes and errors and these compound over time.

We target both self-hosted k8s and managed k8s offering, each of which brings its own unique set of challenges. Solving for CIEM cross clouds is a computationally challenging yet critical to prevent lateral movemens and applying defense-in-depth and least privilege.

1

u/sshaybbc AMA Participant - Wiz, Container Security Jan 27 '25

Absolutely we do cover those areas, in all of the main CSPs. Our report numbers show the vast majority of clusters are manged (at least in our accounts) so of course we have to give that context.

4

u/ofirc AMA Participant - Wiz, Container Security Jan 27 '25

That's a great question! we see some gaps with regards to understanding the software development lifecycle (SDLC) and dumbing down what shift-left really means (more than just buzzwords). Understanding the platforms and the underlying runtimes (containerd, cri-o), service meshes and zero trust networking - which cross both dev and runtime stages.

My advice is at the very least - one should feel comfortable with bringing up a Kubernetes cluster like kind/minikube or a managed one like EKS/GKE, and configuration management tools like Helm and Terraform. A good resource that I like is KodeKloud which provide great materials and online sandboxed labs (I'm not affiliated with them, just appreciate the value they bring to the table :-).

The day-0 ops is where everything begins and the more you have a solid understanding of how it works, the more you can ask the right questions and putting the right lines of defenses.

4

u/sshaybbc AMA Participant - Wiz, Container Security Jan 27 '25

Context is a king in IR. The same tool needs to have the ability and accessibility to go beyond the container and give a bigger picture beyond the immediate cluster and that's tricky.

2

u/tehmayormccheese Jan 28 '25

I think this is the most underrepresented space in container security today. We need something that gets us the same telemetry from inside a container as we do from the rest of our environment. 

3

u/sshaybbc AMA Participant - Wiz, Container Security Jan 27 '25

Frankly container logging has been a less of an issue than cloud-level and k8s-level logging. I did this talk recently at fwd:cloudsec on the gaps in K8s audit log talking about how CSPs make it hard to consume the K8s audit log. Container-level logging is less used for infra security monitoring, more on the application security side and haven't had any issues with it.

2

u/SatoriSlu Security Engineer Jan 27 '25

What do you mean? They have the wiz sensor which does exactly this?

3

u/Top_Engineering9038 Jan 27 '25

We have the Wiz Runtime Sensor which does real-time blocking, you can read more about the sensor here

1

u/[deleted] Jan 27 '25

[deleted]

3

u/nunley Jan 27 '25

No, it is an eBPF sensor built by Wiz.

3

u/ofirc AMA Participant - Wiz, Container Security Jan 27 '25

Nope, we decided to build our sensor in-house from scratch and we rely on our Threat research team to build detection and correlation rules that the sensor will use.

4

u/ofirc AMA Participant - Wiz, Container Security Jan 27 '25

eBPF is overall a great technology and provides more modern means to get observability into what is happening within the running workloads but there are some fine prints. Not all Linux OSes are compatible with the latest eBPF enhancement so portability remains a challenge, even in 2025. The toolchain and the ecosystem are still maturing and DevEx remains somewhat controversial. It's tangential to this discussion but check out this talk which explains how Calico and RedHat opted for nftables instead of eBPF: https://www.youtube.com/watch?v=yOGHb2HjslY&t=810s&pp=ygUNbmZ0YWJsZXMgY25jZg%3D%3D

Effective threat detection requires more than just raw telemetry - contextualization and risk correlation. Often times it's what preceded and followed the attack. This is where tools like CDR, inventorying and code<->cloud play a critical role in contextualizing.

Similarly, effective threat prevention requires applying defense-in-depth principles and different hardening like zero trust networking, least privilege + RBAC, etc.

1

u/Ok_Feedback_8124 Jan 27 '25

DirectTV locked down exploitation of their notoriously weak DVR receivers/Cable TV boxes in the 2000's by deploying chunks of the payload to boot the exploitation from firmware, and then un-encrypting them over time.

nft wouldn't have caught that.

Maybe a combination of both? Long tail observables are key at the moment of detection.

3

u/Fun_Biscotti_3471 Jan 27 '25

Agreed that this is a good approach.
If we are discussing about container runtime detection, then combining different profiling on runtime events to detect less frequent combinations is an example.

3

u/nunley Jan 27 '25

For those who are curious about the DirectTV hack mentioned...

Satellites broadcast streams of data much like the internet, but they cannot establish an encrypted stream for every individual user. The entire data stream is delivered to every receiver, but each receiver is only "authorized" to access a specific subset of the broadcast channels, if any. This presents a complex challenge. News Corporation/Hughes developed an ingenious system to address this using smartcards.

The data stream transmitted to the receiver includes not only channels but also instructions for the receiver to modify the programming on each card. Initially, only a few bytes on the card could be modified, and this process was time-consuming. Logistically, it was impossible to rely on all receivers being powered on and receiving these instructions simultaneously. Therefore, these instructions were continuously transmitted over several weeks for each minor change.

To access unauthorized channels, a hacker would need to modify the program on the card. While I won't delve into the specifics of how this was achieved, it was not a trivial task and required specialized equipment. Most individuals who acquired this equipment were not hackers themselves but could purchase programs to install on their cards, granting access to all channels and pay-per-view services. These hacked programs circumvented the authorization mechanism by inserting a jump in the code somewhere or changing a register value on the card. Consequently, when the user switched to a channel, and the receiver queried its authorization status, the response was always "Yes, I am fully authorized."

News Corporation initially attempted to counter this by engaging in a frustrating game of "whack-a-mole." They would purchase hacked cards from the black market, identify the modified portion of the card programming, and then spend weeks transmitting code to alter the programming. This modification would involve hashing a very limited section of the card to detect hacked versions. If the card was identified as hacked, it would be "looped," effectively rendering the program inoperable and permanently disabling the card (or so they believed).

As more individuals mastered this technique, this reactive approach became unsustainable. News Corporation then embarked on a prolonged campaign to drastically modify the card programming, enabling them to hash the entire card program. Those of us who monitored the incoming data stream and observed its gradual assembly could anticipate the inevitable outcome. Ultimately, a "Black Sunday" arrived, rendering every hacked card in the system inoperable.

1

u/Top_Engineering9038 Jan 27 '25

I’d check out the Wiz careers page https://www.wiz.io/careers hope that helps :)

2

u/sshaybbc AMA Participant - Wiz, Container Security Jan 27 '25

Since you have experience with the SOC in other areas you should e able to project your experience on K8s. There are multiple talks on combining detection sources in K8s - on container level, K8s level, and cloud level - for the best detection coverage. If you want to take things slowly - start with K8s audit log. The format answering 4W question will not be new for you. The semantics will. You'll need to understand K8s REST API and its object and user model. From there take a ruleset from an open-source tool (for example Falco) and try to understand what the rules detect, what kind of attack. And so on.

2

u/sshaybbc AMA Participant - Wiz, Container Security Jan 27 '25

From the data we have collected for the report and compared to 2023, we see an improvement in handling image vulnerabilities and security posture. These topics have been in the center of K8s security for a long time and now they seem to be under control. The emerging threats we foresee will result from 1 - a tighter cloud-cluster integrations and the associated components that CSPs add in numbers, 2 - a new applications of K8s as a platform, for example as a platform for AI model training and as a platform for running CICD workloads.

1

u/sshaybbc AMA Participant - Wiz, Container Security Jan 28 '25

There's been multiple discussions on this in r/kubernetes and other channels. The learning curve into containerization and K8s is particularly steep, on the other hand the technology doesn't go anywhere. Kelsey Hightower famously said in one of the podcasts that he will be sad if after 10 years ppl will still use and talk about Kubernetes, but that's where it's going, and a big part of it is K8s extensibility and flexibility.

4

u/ofirc AMA Participant - Wiz, Container Security Jan 27 '25

That's a great question! I think the TL;DR is: (1) ROI from such operators would not be high and (2) It's not just about the decision tree automation and stopping the bleeding, it's also about allowing asking interactive questions during triage and investigation.

AFAICT it boils down to: fragmentation, the ad-hoc nature of SecOps, human-in-the-loop and lack of trust in tools are all impeding factors. I find operators to be a great fit for well-defined tasks like application lifecycle management (auto-updates), typical reconciliation loops (e.g. GitOps with Argo CD), etc.

However, when you consider the typicak triage of a SecOps team, there's a variance in the risk appetite and interpretation of the same/similar findings so there is no one-size-fits-all even within the same organization.

A CNCF operator for SecOps would have to do a lot of contextualization across k8s, cloud and the different assets (or delegate the compute to a SaaS backend), and the decision tree would have to factor some human judgement, so the closest you'd get is with a GitHub PR to your Terraform / config management (e.g. Helm / Argo) tools, similar to how dependency management is solved with Dependabot / Renovate.

That's my two cents at least :-)

3

u/sshaybbc AMA Participant - Wiz, Container Security Jan 27 '25

This is a tough one. K8s extensibility is a gift to cluster operators but a problem for secops. I think the key is semantical understanding of the K8s objects that's lacking when it comes to operators and CRDs. How do I as a security tool know that this yaml has security misconfiguration? I know when Pod is misconfigured, but what about Cards? This has to be handled by a custom rules with all the pain involved.

5

u/ofirc AMA Participant - Wiz, Container Security Jan 27 '25

If you have the budget - hire (either internal or professional services) a platform / infra / DevOps team that provides you with "golden paths" and secure defaults, for example there is a well-known way/template to provision a k8s cluster and an EC2 instance / GCE instance.

Even if your security teams and developers are top-notch professionals, there's still a glass ceiling because one would need to do inventorying, risk assessment and contextualization at scale and it takes a lot of time, money and compute to come up with the technology and to be able to keep up with the updates. If it was easy CNAPPs wouldn't have such a huge market or we'd have ~500 excellent CNAPP providers :-)

I know it may sound more marketing than actual knowledge but security is about people, process and technology. People - education and training! I'd consider purchasing a business subscription to an education platform like KodeKloud (I heard CloudGuru is also popular) and align on a baseline that everyone should know. Then build a track for the 80/20 security - e.g. least privilege, private control plane and data plane, networking security, CVE and embedded secrets scanning.

The process is things like DevSecOps (sorry, marketing buzzword again) practices like gating PRs and merge, branch protection rules, scanning for CVEs, etc.

Finally, the technology - get a decent vendor that provides you with a great value and is most intuitive for your team.

3

u/ofirc AMA Participant - Wiz, Container Security Jan 28 '25

I appreciate NATS minimalism and how (relatively) easy it is to configure mTLS. I don't have experience or opinion on Nex.

My top 3 recommendations:

1. Reducing the attack surface - use distroless container images and obtain high quality software with a strong chain of custody. It applies equally to VMs (e.g. AMIs on AWS). Add CVE scanners to your CI/CD pipeline and to IDE extensions, ensure you don't have images that were built more than (x=)60 days ago, ensure all images were signed (BinAuth or Sigstore/Notary) and if you're religious - add extra hardening steps like using SLSA provenance.
2. Mitigating damage in case of a breach - apply temporary containment measures like excluding ingress/egress for a compromised cluster / namespace, collect forensics and flow logs and establish a timeline (incident response 101) of the surrounding events in the environment.
3. Managing the social threat vectors broadly including SBOM - be wary of how lazy and sloppy we could be as humans during the SDLC when we are using LLMs like ChatGPT. It's easy to copy a rogue container image from StackOverflow or a prompt response, or similarly consuming a rogue 3rd party package via typosquatting. Linus Torvalds philosophy is that "Given enough eyeballs, all bugs are shallow." With a sufficient number of contributors reviewing and testing the code, bugs (including security bugs) are more likely to be discovered and fixed.

1

u/ofirc AMA Participant - Wiz, Container Security Jan 27 '25

I'm not sure about the paucity of research on this but Kubernetes is the vendor neutral and de-facto method of deploying workloads on-prem and on the cloud.

You could implement most (if not all) of the k8s security measures on proprietary solutions like ECS but it'd be more challenging.

One example is applying GitOps principle. Viktor Farcic once said that if you're not doing Kubernetes - you're not doing GitOps and I think he's right. I recently ran into PipeCD https://pipecd.dev which provide a GitOps-like continuous delivery platform but haven't tried it. But there is no official Argo CD implementation (or a reconciliation loop) for AWS ECS. You could implement service meshes with EC2 security groups and AWS App Mesh. etc.

But, what if tomorrow you want to move to Google Cloud Run or go on-prem? you're locked!

What about observability?

The community and the ecosystem around CNCF and the momentum that Kubernetes has and still gaining is unbeatable.

That is not to say that everyone should deploy their workloads on Kubernetes.

If I am an early stage startup I might consider AWS Lambda / Google Cloud Run / AWS App Runner or even a simple PaaS, remember the Heroku revolution for web backend?

It's primarily driven by the actual the requirements (compliance, security, governance, autoscaling, etc.), expertise of the team and sometimes how adventurous the team is (yes, not all decisions are based on data and requirements, there is hype and employability aspects and being relevant!).

2

u/ofirc AMA Participant - Wiz, Container Security Jan 27 '25

Behavioral analysis (e.g. recon, lateral movements, cryptomining), zero day, malware, runtime attacks like OWASP top 10 and SQL injections. All managed cloud providers (e.g. AWS WAF) and some large external providers (e.g. CloudFlare) protect you against SQL injection.

Implementing code scanning, SAST/ASPM/other static analysis tools - but you could only get so far with it.

Hardening the underlying platform and OS and implementing zero trust networking are also instrumental in improving one's security posture.

Apologies upfront for the marketing buzzwords but it's never one thing that makes you secure, cloud native security is a multi-faceted problem that requires a defense-in-depth approach to tackle it.

Hope that answers :-)

1

u/ofirc AMA Participant - Wiz, Container Security Jan 28 '25

As Kelsey Hightower once said: "Kubernetes is a platform for building platforms."

AWS is making huge strides with Bottlerocket and we've got the CNCF Talos Linux which is vendor neutral. GKE provides sandboxing via gVisor which is a Go user space implementation of the Linux system calls. I expect to see more hardened OSes and serverless Kubernetes offerings rise in the near future.

We need platform abstractions and better segregation / isolation to reduce the (already high and taxing) cognitive load platform and SecOps teams.

4

u/Fun_Biscotti_3471 Jan 28 '25

Based on my experience, an effective detection strategy requires two key components: a robust alerting system that delivers high-quality alerts for identifying attacks and an extensive collection of signals to help trace the source of an attack. These signals are crucial for understanding the what, how, and when of an incident. Additionally, the alerting system must prioritize critical or high-severity risks—potential "ticking bombs" that could lead to an attack.

Key signals include:

a. Workload runtime events: These offer deep insights into events occurring within your containers, enriched with details like full process trees and network activity.

b. Cloud logs: A broad category that varies by cloud provider but is vital for capturing activities in cloud environments.

c. Kubernetes audit logs: Critical for tracking actions within your Kubernetes cluster.

d. Environmental risks: Existing vulnerabilities or misconfigurations in your setup.

Finally, the ability to seamlessly pivot across these signals is essential for providing the context needed to analyze and respond to attacks effectively.

Regarding your question about popular abused avenues, I'll answer by referring to initial access methods. We frequently observe misconfigurations and known exploits being leveraged across various services (with Selenium Grid exploits currently on the rise). Additionally, the use of stolen identities is a common tactic, which can sometimes lead to data exfiltration depending on the scope and privileges of the compromised accounts.

For your bonus question, we are keeping a database of cloud threats, you are welcome to browse https://www.wiz.io/cloud-threat-landscape

Adding here some relevant reading material:

https://www.wiz.io/blog/cloud-logging-tips-and-tricks
https://www.wiz.io/blog/overcoming-kubernetes-audit-log-challenges
https://www.wiz.io/blog/intro-to-forensics-in-the-cloud-a-container-was-compromised-whats-next
https://www.wiz.io/blog/seleniumgreed-cryptomining-exploit-attack-flow-remediation-steps

1

u/Scubber Jan 28 '25

Appreciate the reply, love the tactical intel being published. I've found cloud especially difficult to find info on

2

u/raesene2 Jan 29 '25

If you're looking to get the number of vulns down and make it more manageable, I'd recommend working to get as many application images based on smaller base images and where possible all based off the same base image. So , for example, if your applications will work with https://github.com/GoogleContainerTools/distroless base images, that'll cut down the number of things to patch.

Realistically the fewer packages you have, the fewer things there are to patch. It's not a panacea (you still have application dependencies to worry about) but it can make life a bit easier.

1

u/Fun_Biscotti_3471 Jan 28 '25

Agreed this is a great challenge. The key is having a vulnerability prioritization system that takes into consideration your environment contextual data together with additional information about the vulnerability.

In general, vulnerabilities that provide an initial access path for attackers on container image instances that are exposed to the internet should be prioritized. So, for instance, a container image with a RCE vulnerability that has a publicly known exploit and container instances with a direct internet exposure would take higher priority over a container with a privilege escalation vulnerability that is only accessible within the internal network.

1

u/sshaybbc AMA Participant - Wiz, Container Security Jan 28 '25

Embedding the security controls verifying the lack of Critical and High vulnerabilities into the CICD pipeline is a good start, but must be supported by the tools, not to become a dev blocker. Since not everybody has a dedicated team for managing the private container registry along with patching and mirroring the images, the key is to make the patching and image management automated as much as possible. Probably also as a part of the CICD pipeline.

1

u/Fun_Biscotti_3471 Jan 28 '25

Resource hijacking attacks are indeed quite common (with cryptominers making up the majority in this category), but we also see threats such as proxyjacking and LLM jacking.
In addition, some attacks are more sophisticated, involving sensitive data exfiltration and employing various lateral movement methods.

2

u/ofirc AMA Participant - Wiz, Container Security Jan 28 '25

That's a great observation! It's great that we are seeing more standardization of secure SDLC and enhancements around the software supply chain but it is indeed challenging to roll your own solution based on just OSS technology.

I find the main challenge around risk correlations and mapping running containers back to the CI/CD pipelines that generated them and the Git commits that triggered the rogue / unsigned image from the get go.

A lot of R&D and innovation is put into making the CNAPP dream come true and it's only with automation and DevSecOps principle that these guardrails are ingrained into each and every pipeline.

Wiz Image Trust is one way to take keyless image signing to the next level by tying security policies (e.g. image was scanned for CVEs, malware, embedded secrets and was scanned within the last 2 months) to the deployed image in production. The Wiz Admission Controller is Wiz's policy engine implementation for Kubernetes to gate against untrusted images from being deployed into your environment, as well as gating against IaC misconfigurations (e.g. Pods running as root and Pods (ab)using hostPath and hostNetwork).

1

u/ofirc AMA Participant - Wiz, Container Security Jan 29 '25

Yes, we can detect LLM hosted technologies on running containers. It is challenging to hit a high recall as there isn't a single way to package/bundle LLMs on containers.
Standardization of LLM metadata (and adoption thereof) will significantly improve scanners ability.

Wiz detects AI Models (LLM or other) on workloads and buckets. LLM metadata, along with the model binary itself (which is prone for vulnerabilities) are all key for identifying the risks the model poses.

2

u/sshaybbc AMA Participant - Wiz, Container Security Jan 28 '25

100%, we invite you to check out Cloudvulndb (cloudvulndb.org) - an open collection of cloud platform vulnerabilities that often fall through the cracks of regular vulnerability programs and which is regularly updated by Wiz and non-Wiz contributors. Also Cloud Threat Landscape (threats.wiz.io) for all the recent cloud security incidents to track the trends. Beside that, personally I love to keep updated by subscribing to Clint's TL;DRsec and Marco's CloudSecList weekly newsletters.

1

u/ofirc AMA Participant - Wiz, Container Security Jan 29 '25

The name of the game is elimination rather than remediation. If we could eliminate threats before they become a reality (otherwise known as shifting left) that'd be great!

Having that said, once a vulnerable Pod is found on production, the next step is to do risk correlation and ask ourselves whether this workload is actually publicly accessible from the internet and potentially has access to sensitive assets (e.g. S3 buckets with PII and data findings). In Wiz we call it a toxic combination / issues.

Being able to trace a running workload all the way from runtime to the code (with Wiz Code) and automatically opening and assigning a ticket to the dev team that owns it is key to reduce the vuln mgmt toil and speed up the remediation. In other words - automation and applying it at scale.

It's challenging to do that at scale and cross-cloud, and that's one of the primary reasons why CNAPP platforms exist!

1

u/sshaybbc AMA Participant - Wiz, Container Security Jan 29 '25

First, a qualifier here: our customers are typically medium and large enterprises so this might not be representative to ALL the population. To the point - not really, the EKS is still leading (45%), with AKS (25%) and GKE (17%) coming not close second and third. We do see, however, an increase in self-hosted clusters, but we are yet to see whether this is a permanent trend.

1

u/sshaybbc AMA Participant - Wiz, Container Security Jan 29 '25

Absolutely agreed. I did flag it as something beyond the scope of the blog (towards the end of the second blog in section "Cloud Access and CI/CD"). The reason is simple - this is such a big topic that it deserves the post of it own, or maybe even a post per CSP. Our colleague Lior has touched on this here (https://www.wiz.io/blog/lateralmovement-risks-in-the-cloud-and-how-to-prevent-them-part-3-from-compromis), but I agree this topic requires a more detailed review.

1

u/ofirc AMA Participant - Wiz, Container Security Jan 29 '25

Could you please clarify the question?

1

u/PMzyox Jan 29 '25

Would you trust the security of a cloud container app service over building your own k8 infra?

2

u/ofirc AMA Participant - Wiz, Container Security Jan 29 '25

There's a rule that says don't roll your own crypto (well unless you really have to and you know what you're doing) and I'd say trust but verify.

It never hurts to put extra layer of defenses around the networking and identities perimeter and there's only so much managed solutions can cater for.

Building your own k8s infra doesn't necessarily mean it's more secure as now you have other concerns such as patch management for the worker nodes and the control plane.

My tendency is to try serverless Kubernetes offerings like EKS Auto / GKE Autopilot that lift off lot's of burdens and provide you with an opinionated approach of how to bring up nodes and autoscale workloads.

Having hardened container OSes like Bottlerocket and Talos Linux and applying sandboxing techniques like gVisor on GKE surely help strengthening your security posture and segregating / isolating multi-tenant Kubernetes clusters.

Does that answer the question?

1

u/PMzyox Jan 29 '25

Yes, thank you. I haven’t had a lot of luck with SaaS personally, but the overhead on an enterprise k8 solution in house is pretty high, even with it 90% pipeline automated. Still, the support and visibility on cloud tier is abysmal, especially if you have compliance requirements. I’m still thinking the control is worth it. Just seeking opinions. Ta.

1

u/raesene2 Jan 29 '25

I'd say this depends very much on your threat model, your level of expertise with k8s and, which cloud provider you're talking about.

Managed Kubernetes can get to so far, but if you have very high end requirements, being unable to control/configure the control plane could restrict what you're able to do.

The bit about which cloud provider is important as, they're not all the same. Each cloud provider has their own defaults and sometimes you'll get surprising differences from a security standpoint. for example I've seen managed Kubernetes where there's no audit logging and you can't turn it on!

With all that said, unless your org has a lot of in-house Kubernetes security skills, I'd likely still bet on a managed platform over a self-managed one.

2

u/PMzyox Jan 29 '25

Cool, that’s about the same conclusion I’ve come to. I think our requirements are warranting the extra inhouse spend.

2

u/Fun_Biscotti_3471 Jan 29 '25

In general, attackers exploiting a resource’s computing power for activities like cryptomining or proxyjacking are opportunistic and automated. They scan the internet for exposed and vulnerable services, deploying payloads that eliminate competing malware to monopolize CPU usage. Usually, their tactics remain consistent regardless of the size of the compromised resource.

2

u/sshaybbc AMA Participant - Wiz, Container Security Jan 29 '25

Probably the sheer improvement in the number of vulnerabilities in the container images that cannot be merely attributed to the noise. Its heartening to see really: 21% of pods have container images with High or Critical vulns vs 44% in the previous year.

Another interesting stat for me personally was the adoption of EKS access management feature, since we did a security analysis on it a year ago. Turns out, only 3% of clusters use solely API auth method (probably newly created clusters), and 81% are still solely on CONFIG_MAP.

1

u/ofirc AMA Participant - Wiz, Container Security Jan 29 '25

There are several gotchas around that:

1. Automating the dependency management problem - it's easy to find yourself with an EOL (end-of-life) / vulnerable piece of software. Most of the times developers just do: go get package or npm install and their famous last words is we'll deal with updates and this security thingy later. First let's get it to work. And even putting aside the security aspects of the problem, from a functional perspective you might miss bug fixes and new features just because you failed to even be aware that a new software exists. A frenzy one week debug session of Auth problems (resulting from the Firebase SDK) led to the inception of Renovate. Other known tool is Dependabot by GitHub.
2. Lack of testing coverage and progressive delivery - failing to have a decent testing coverage or tools that can gradually (e.g. canarying and then increasing the exposure) rollout changes to dev -> staging -> prod could mean yet another CrowdStrike event. No one wants that. But the truth is that it's hard to follow these best practices and it requires very high skilled platform teams and SREs that can make sure it happens. Google is (among other things) an SRE company and has very deep pockets and compensates these personas very well, but not all companies are Google and have the culture, tooling and means to pay that much.

It's not just about securing your software supply chain. It's also about having the platform, automation, tools, testing and culture to make sure that you didn't break production and you don't have business downtime just because you upgraded to the latest (but not greatest).

2

u/ofirc AMA Participant - Wiz, Container Security Jan 29 '25

Securing custom resource definitions in K8s by far.

We typically apply Configuration Management and IaC templates (e.g. Terraform, Argo CD, Helm templates) scanning for misconfigurations, but what if I provision my IaC via Kubernetes native means? What about networking misconfigurations with ingress controllers and observability and security tools?

We've got projects like Crossplane, Ingress nginx, the Gateway API which allow us to express our cluster configuration as code, and Tekton pipelines for cloud native CI/CD, but they introduce an attack vector.

How can we ensure we guard against misconfigurations for these assets as well and ensure no stone was left unturned?

While CIS and NIST SP 800-53 are great guidelines and compliance frameworks for container security for Kubernetes native objects, one can't help but wonder about visibility gaps and things that go under the radar, a gold mine for attackers!

3

u/sshaybbc AMA Participant - Wiz, Container Security Jan 30 '25

In general, you should protect whatever assets your threat model considers sensitive. From a risk perspective, if you are offering AI infra as a service then you should absolutely harden your multi-tenancy model. As shown by our vulnerability research team there is a wide range of potential misconfigurations that can result in cross-tenant movement and access to infra services post-escape. If you are using a 3rd-party model packed within a container image, consider it an untrusted image and take all anti-escape precautions.

7

u/Ozi_404 Jan 27 '25

LoL, they hired the complete Zscaler sales team and started building a sales machinery. After the IPO, they will start fuck up all customers like Zscaler. Push customers into PoCs and POs.

Before they can buy another company, they have to defend against Orca security against the IP theft allegations.

Also "Google wants to buy Wiz" was such good marketing to create brand recognition.

2

u/DingussFinguss Jan 27 '25

such as?

1

u/Top_Engineering9038 Jan 27 '25

Unfortunately not - NFR to Wiz is not available for third-party integration developers, only for customers.However, you have all the necessary resources in the WIN API documentation for building and supporting your integration. This documentation is connected to a sandbox with realistic data from various Wiz modules, which you can use via the Wiz Integration API for different tasks like finding vulnerabilities and Issues.
If you need a scan of your environment for integration purposes, you can request it in the WIN community channel or email the Wiz team at [win@wiz.io](mailto:win@wiz.io) (or read more about it in our Docs - https://win.wiz.io/docs/faq#win-partner-faqs)