ISC StormCast for Friday, August 9th 2019
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
4.9 • 754 Ratings
🗓️ 9 August 2019
⏱️ 6 minutes
🧾️ Download transcript
Summary
Transcript
Click on a timestamp to play from that location
| 0:00.0 | Hello, welcome to the Friday, August 9th, 2019 edition of the Sands and the Storms and a Stormcast. |
| 0:07.0 | My name is Johannes Ulrich and I am recording from Denver, Colorado. |
| 0:13.0 | Now, if you are using containers or if you consider using containers, you probably came across Kubernetes. |
| 0:19.0 | Kubernetes is one of these large open source |
| 0:22.4 | projects that allows you to better manage and sort of orchestrate container workloads. |
| 0:29.9 | The Cloud Native Computing Foundation spent some money last year trying to figure out how secure this particular environment is. |
| 0:40.3 | They hired two security company trails of bits and treaties partners to do a fairly extensive security audit of this particular system. |
| 0:53.3 | Now, since Kubernetes is really not just sort of one piece of software as such, but really an ecosystem, |
| 0:59.0 | they did pick a few of the key components of it to do this security audit. |
| 1:06.0 | And, well, with some pretty good results, nothing really that I would call outrageously insecure, |
| 1:15.4 | but they found a total of 37 vulnerabilities, at least that's from the Trails of Bits report, |
| 1:22.1 | where five of them they considered high severity issues, where for example, authentication |
| 1:27.4 | tokens were locked in clear text files. |
| 1:31.3 | If you are using Kubernetes, you definitely should take a look at the reports. |
| 1:36.3 | And now the report also does include a, essentially, a hardening guide and a guide for pen testers that are investigating |
| 1:47.0 | Kubernetes installs. So that itself is probably almost more valuable to end-use of Kubernetes |
| 1:53.0 | than the actual security review report of Kubernetes. Now the report was finished a couple months ago and the report was first, of course, |
| 2:03.1 | presented to the Kubernetes team. So they were able to address the vulnerabilities that were |
| 2:08.7 | pointed out in this report. The Cloud Native Computing Foundation, on the other hand, |
| 2:14.1 | sees this as sort of, you know, one major project and they are planning on |
| 2:20.0 | conducting similar reviews for other projects. And Apple today announced a significant |
| 2:28.7 | expansion of its Buck Bounty program. In the past, Buck Bounties were only available for iOS and only two selected |
... |
Please login to see the full transcript.
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
Copyright © Tapesearch 2026.