A Look Under the Hood of CNCF Security Audits - Adam Korczynski & David Korczynski, Ada Logics

less than 1 minute read

Abstract

To graduate, a CNCF project must complete a third party security audit and publish the results publicly. Because of the nature of the work, much of it is done behind closed doors. In this talk, Adam and David present their experiences with auditing CNCF projects, how a security audit progresses, what the projects should expect, and what the outcomes have been so far. We also examine which vulnerabilities have been found, and what is required from the CNCF projects to complete a third party security audit. Over the last year and a half, Ada Logics has carried out security audits of six CNCF projects and worked with the projects on mitigating found issues and publishing the results. The projects the team audited were: Flux, CRI-O, KubeEdge, Argo, Istio and Cilium. The talk will also go over the audit reports and how they are helpful to contributors, adopters and other security researchers looking to contribute security work. The talk will cover both high-level problems and results as well as a technical look into the security issues that CNCF projects face.

Sched URL

Video

Twitter Facebook LinkedIn

About

Conferences

A Look Under the Hood of CNCF Security Audits - Adam Korczynski & David Korczynski, Ada Logics

Abstract

Video

You May Also Enjoy

You Shall Not Pass! Unless You Are GUAC Verified…. - Parth Patel, Kusari & Dejan Bosanac, Red Hat

Living off the Land Techniques in Managed Kubernetes Clusters - Ronen Shustin & Shay Berkovich, Wiz

Leveraging OCI 1.1 for Enhanced SBOM Integration and Vulnerability Scanning in Harbor - Anais Urlichs, Aqua Security & Shengwen Yu, VMware

Lessons Learned from Generating 100M SBOMs: Google’s Approach to SBOM Compliance - Brandon Lum & Isaac Hepworth, Google