#04 The Room

Date:

Sep 19th, 2023

Videos:

How to test and compare SAST solutions

Unmasking Azure Kubernetes Service - Unveiling Inherent Security Risks in K8S Environments

Location:

Torre Ocidente, Rua Galileu Galilei 2, in the Colombo Shopping Center

This meetup was sponsored by BNP Paribas.

Agenda:

  • 18h00: Welcome notes by the OWASP Lisboa chapter leadership team
  • 18h20: How to test and compare SAST solutions by Guillaume Montard
  • 19h00: Unmasking Azure Kubernetes Service - Unveiling Inherent Security Risks in K8S Environments by Sadi Zane
  • 20h00: Food & Drinks sponsored by BNP Paribas

How to test and compare SAST solutions

Over the past two decades, many of us have had negative experiences with SAST. In this talk, I will explain SAST, its significance, and introduce a framework that allows you to test and compare the latest SAST solutions. By the end, I hope to change your perspective on SAST.

Guillaume Montard

Guillaume is the co-founder of Bearer, a developer-first security solution. He was previously CTO and VP of Engineering at Skillsoft.



Unmasking Azure Kubernetes Service - Unveiling Inherent Security Risks in K8S Environments

This talk delves into the security risks associated with Azure Kubernetes Service (AKS). Specifically, it focuses on a deep dive into key security controls like Role-Based Access Control (RBAC) and explores the risks associated with service accounts. Additionally, the talk presents a novel approach highlighting how an attacker could exploit Node authorization certificate keys to achieve long-term persistence within AKS environments and their underlying containers. Furthermore, the presentation describes and demonstrates an attack against a vulnerable Grafana Enterprise application by leveraging directory traversal techniques to steal privileged tokens. These tokens serve as a stepping stone for further pivoting into the container environment. The talk also addresses the inherent shortcomings of default Azure Kubernetes deployments, including vulnerabilities related to secrets management, pod security admission, and underlying networks. By shedding light on these deficiencies, attendees gain a comprehensive understanding of the security challenges and potential avenues for improvement in AKS environments.

Sadi Zane

Sadi Zane is a Principal Cyber Security Consultant specialising in offensive security and Red Team/Purple Team exercises, with extensive experience in orchestration technologies, e.g., cloud and on-premise Kubernetes container security systems.



Pictures from the meetup

A modern event space with star-shaped ceiling lights and BNP Paribas branding, featuring a camera on a tripod ready to record the session.

A vertical OWASP banner standing next to a large wall-mounted screen displaying the event title "#04 The Room" and the sponsor logo.

Attendees seated on tiered wooden benches in a modern venue with the word "INNOVATION" written in large letters on the wall behind them.

A speaker holding a microphone stands next to the main event screen displaying the "#04 The Room" title slide.

A speaker presenting a slide titled "How to test and compare SAST solutions?" while holding a microphone.

An overhead view of the audience seated on tiered benches watching a presentation on "Cloud Kubernetes Services Architecture," with a videographer recording the talk.

A catering area set up with open pizza boxes on a long table and snacks arranged on high round tables.