Thomas Fricke

In a world where we stand on the shoulders of giants, where we build systems that are increasingly interconnected, supply chain security is becoming more and more important. As Free and Open Source projects, we believe that we can lead the way for the industry in terms of processes, best practices and technology patterns. In this open panel, we want to discuss the importance of security in Free and Open Source Software projects. We want to encourage participants of FOSS Backstage to share their questions and insights about topics like supply chain security, security processes, vulnerability disclosure, bug bounties and more.

Other people: Isabel Drost-Fromm Gregor "Little Detritus" Bransky

Tokens are a powerful way of controlling the access to to Rest APIs. Chasing them should be hard. Unfortunately, there is a widespread habit of leaving tokens lying around allowing very powerful attack vectors. An attack demonstrates how to hack an OpenShift cluster, which is fully securty compliant to the accepted standards of NIST and CIS. Hijacking a container gives full control to the cluster, including host access. If running in the cloud, the cluster can be used for further attacks, because the host has another token to the cloud API server. With this token, arbitrary accounts and cloud resources can be controlled, including virtual machines, storage and derived accounts.

This will be part of a set of trainings on Kubernetes security, open sourced at https://github.com/thomasfricke/training-kubernetes-security

In den letzten Wochen der scheidenden Bundesregierung erhielt der Sprecher eine Mail von der Open Knowledge Foundation https://okfn.de/en/ über seine Meinung zur Open Source Sicherheit. Daraufhin erstellte er er eine Studie zum Thema Sicherheit von Open Source Projekten. Vier Projekte dienten als Beispiele und deren Hauptakteur:innen wurden befragt. Darunter "the random programmer from Nebraska" https://www.explainxkcd.com/wiki/index.php/2347:_Dependency Ariadne Connill https://twitter.com/ariadneconill/status/1445632043514155014 Die Studie hat Eingang gefunden in den Vorschlag für einen öffentlichen Fonds zur finanziellen Förderung von Open Source Projekte https://sovereigntechfund.de/ Die Finanzierung kann, vorbehaltlich der Annahme durch die nächste Bundesregierung, mit 10 Mio € im Jahr eine signifikante Absicherung wichtiger Open Source Projekte sein und ist zumindest in der Größenordnung des Open Tech Fund https://www.opentech.fund Der Vortrag gibt Einblicke in die Struktur von Open Source Projekten, ihre Bedeutung für die Sicherheit und beleuchtet wo Unterstützung dringend gebraucht wird.

The talks shows the security model of Kubernetes and how to detect and fight security weaknesses with a few lines of scripting.

Hidden under the hood of Kubernetes are a lot of security features. Starting from the Linux namespaces used in containers to the network there are a lot of configurations with many bells and whistles supporting or totally destroying the security of a cluster The talk gives an overview of the container escape vulnerabilities in the wild, that are documented in the CVE database. Simple scripts are shown to check clusters for vulnerabilities. The scripts are used to analyze Istio, the "trust nothing" distributed firewall solution, and find an exploitable attack immediately. This would be a script kiddie attack, if they already would have started using Kubernetes and Istio. Finally, it is shown, how Istio has handled the bug report and how future versions from 1.2 will close the exploit using the Container Network Interface (CNI).