
Do You Know your Kubernetes runtime vulnerabilities?

Introducing Kubei Open Source Scanner - Spot, Analyze, Secure.


Easy, quick scanning of relevant runtime images. All and only runtime images.
For container security, there are plenty of open-source tools that can help prevent another cyber security fiasco.
Container image scanning should be a core part of your security strategy. Although image scanning won't protect you from all possible security vulnerabilities, it's the primary means of defense against security flaws or insecure code within container images.
Image scanning is usually integrated with the CI/CD or the image registry. Portshift’s open source solution - Kubei, takes another approach and scans the containers that actually run in production.
In our webinar we will review the capabilities of some open-source scanning solutions and introduce you to the unique benefits of runtime Kubernetes scanning with Kubei. Know immediately which containers have vulnerabilities, where these vulnerabilities exist (pod, container and namespace), and what needs to be patched or replaced. Kubei couples your Kubernetes information with the vulnerability information for quick, easy remediation.

Key Discussion Points:
1. The importance of container image scanning
2. A comparison of open-source image scanning tools: Clair, Anchore, KubeXRay, Snyk, Trivy
3. The advantages of Runtime Image Scanning
4. Review and live demo of Kubei - Kubernetes Runtime Image Scanner

Zohar Kaufman is Portshift's Co-Founder and VP R&D. A veteran in cyber security, Zohar spent 20 years managing software, networking and embedded system development teams and was previously the founder and VP of R&D at CTERA Networks and VP of R&D at SofaWare Technologies.
Recorded Apr 7 2020 35 mins
Presented by
Zohar Kaufman, VP R&D
Presentation preview: Do You Know your Kubernetes runtime vulnerabilities?

  • DevOps Tech: How Can Developers Leverage Shift-Left for Better Security Oct 13 2020 6:00 pm UTC 60 mins
    Ariel Shuper, VP Product Portshift.io
    Security is everyone's responsibility. By better integrating information security (InfoSec) objectives into daily work, teams can achieve higher levels of software delivery performance and build more secure systems.
    Shifting the security review process "left", or earlier in the software development lifecycle, requires several changes from traditional information security methods. In our webinar we will explore what it means to shift security left for DevOps, and share steps to ensure a successful transition to DevSecOps.

    Our webinar will also focus on how to solve the key challenge of shifting-left: Finding the right AppSec tools. This session is perfect for IT professionals like CTOs, CIOs and DevOps engineers.

    In this session, we will discuss:
    - How developers are the new security guards in protecting company information
    - How application security tools can support developers
    - How to develop an automated security testing process throughout the application lifecycle - build, run and deploy
    - Scan and secure the runtime environment
    - What are the tools and best practices you should consider
  • MITRE ATT&CK Framework for Kubernetes and Container Runtime Security Sep 23 2020 6:00 pm UTC 60 mins
    Zohar Kaufman, VP R&D & Ariel Shuper, VP Product
    The MITRE ATT&CK framework provides a threat matrix that guides administrators, developers, DevOps, security teams and others in protecting their networks, systems and endpoints from undesirable access and manipulation.

    But what about Kubernetes? What we are missing is a MITRE ATT&CK matrix that is interpreted for the Kubernetes environment – a matrix that connects the dots and provides the missing security context for Kubernetes security best-practices.

    At Portshift, we've brought this matrix to life. We've taken the concepts presented by Microsoft and the theory of a threat-based model from MITRE and implemented a matrix tailored for Kubernetes, helping our users not only detect potential threats in their Kubernetes clusters but also create, implement and monitor their defense strategies and the security of their applications and deployments. With our K8SHIELD™ Framework, we've also released a graphical view that connects the dots for you with the familiar ATT&CK matrix, displaying the risks and their applicability to deployed clusters.
    This session is perfect for IT professionals like CTOs, CIOs and DevOps engineers.

    In this session we will discuss:
    - Tactics – the attack vector; the ultimate objective of an attacker
    - Documented attacks describing how adversaries achieved these tactics by using the associated techniques
    - Recommendations for remediation - a prioritized list of mitigation steps you should apply to give you the broadest protection
  • Misconfiguration in Containers Deployment and Kubernetes: Risks and Fixes Recorded: Aug 6 2020 58 mins
    Zohar Kaufman, VP R&D and Ariel Shuper, VP Product Portshift.io
    Human error remains a persistent cause of the majority of container security incidents. According to Gartner, 95% of cloud security failures are rooted in mistakes made by users. As your application workloads become more distributed and run in containers managed by Kubernetes, the risk of a misconfigured component exposing you to a security incident grows.
    In today's DevOps-driven application development environment, configuration management must be as automated and streamlined as possible for it to be effective. It should be comprehensive, covering not just the pod deployments but also the Kubernetes objects (e.g. ConfigMap) and settings (Roles, RoleBindings, Security Context, Secrets etc.).

    Join our session to learn about configuration management best practices and how to avoid the common misconfiguration pitfalls of containers and Kubernetes.
    In our talk session, Ariel Shuper and Zohar Kaufman will discuss:
    * Kubernetes RBAC misconfiguration, detection and mitigation
    * Secrets management best practices
    * Security Context and Pod Security Policies
    * Automated policies generations with Developers manifests
    * Network policies - The good, the bad and the ugly
    * Kubernetes APIs protection
  • Service mesh, in and outside of the Kubernetes cluster Recorded: Jun 18 2020 37 mins
    Alexei Kravtsov, Cloud Security Infrastructures Team Lead @Portshift
    Service mesh is a new networking model in which many networking concerns are offloaded from the application stack into sidecar proxies, which are managed by a dedicated infrastructure/control plane.
    Ideally, a service mesh controls the flow of traffic and API calls between services, but when services and resources outside the cluster (which might be crucial for your daily operation) are in the mix, or distributed clusters such as multi-cloud deployments, the challenges start to pile up.

    In this webinar we will discuss how to address the daily scenarios of microservice communication inside and outside the mesh and the Kubernetes clusters. We will show how Istio simplifies their deployment and what is required to make it secure.

    Key Discussion Points and Best Practices:
    1. Microservices communication model inside the mesh
    2. Authorization and encryption
    3. Multi cluster and multi cloud: secure communication
    4. Expanding the cluster with Istio 1.6 and the concept of workload entry
    5. Q&As
  • Kubernetes Security: 7 Things You Should Consider Recorded: Jun 11 2020 50 mins
    Ariel Shuper, VP Product & Rafael Seidel, Senior Software Developer
    Kubernetes is by far the most widely used container orchestrator in the market, and Kubernetes adoption in production environments is rising. According to Gartner, "by 2022, more than 75% of global organizations will be running containerized applications in production." Security concerns remain one of the leading constraints on using containers and Kubernetes; organizations can't afford to treat security as an afterthought.
    Kubernetes is a highly flexible platform, allowing users to customize, modify and change almost any work mode and deployment option. Each deployment aspect is treated separately, and its declarative nature creates large potential for misconfiguration pitfalls or overlooked definitions. Furthermore, the Kubernetes architecture, with the separation of the master node, the API server and etcd from the worker nodes and the application pods, increases the number of elements that need to be secured. Securing Kubernetes requires you to address the security challenges associated with each of these components.


    Key Discussion Points and Best Practices:
    1. Early detection of security risks - Vulnerable images, overly permissive roles, security misconfiguration and access credentials.
    2. Common misconfiguration errors with direct impact on the security posture
    3. Zero trust security model
    4. Kubernetes RBAC: Overlooked but a powerful tool
    5. Pod Security Policy and Pod Security context: Security gold mine
    6. Kubernetes Network policies - In cluster and external communication policies.
    7. Cluster resources protection
  • Adding Message Queues to Kubernetes Deployments Recorded: May 26 2020 39 mins
    Zohar Kaufman, VP R&D Portshift
    How to Remain Efficient and Secure

    Asynchronous messaging brokers like RabbitMQ and Kafka are commonly used for microservices applications. Although KubeMQ is the CNCF option for message broker and message queue, most enterprises still use Kafka and RabbitMQ in their Kubernetes deployments to create a messaging scheme that decouples message production by a producer from its processing by a consumer.

    But message brokers and queues introduce a new security challenge for DevSecOps teams: they eliminate the option of creating any level of segmentation between the microservices that use the message queues, and classical Kubernetes network policies are useless when all services can communicate with the broker.

    In this webinar we'll explore microservice deployments in Kubernetes using message brokers like Kafka and examine their deployment options. We'll also examine the security angle of messaging queues and brokers and show how to create effective security governance for these deployments.

    Key Discussion Points:
    1. Messaging queue/broker deployment options in Kubernetes clusters
    2. The security challenges of native Kubernetes network policies
    3. Different options for implementing efficient network security policies that address message queues/brokers
  • How to Address Container Misconfiguration with Kubernetes API Firewall Recorded: May 12 2020 41 mins
    Ran Ilany, CEO & Co-Founder; Alexei Kravtsov, R&D Team Lead, Portshift
    An Innovative approach to Kubernetes Security.
    With the rising adoption of Kubernetes, the need for security is increasing as well. If the key to your Kubernetes environment falls into the wrong hands, your entire runtime would be in jeopardy. With Kubernetes there are plenty of benefits, but it also brings some risks to consider.
    Kubernetes API server resources can be accessed via a set of APIs, either by an external user or by a pod within the cluster using its service account credentials and permissions.
    Kubernetes allows defining permissions to access resources using RBAC, which records which users, groups and service accounts can access which resources and with which exact actions. Creating RBAC rules requires complex manual work mapping service accounts, roles/cluster roles and actions using role/cluster role bindings. This usually results in some misconfiguration, or even in no rules at all, so that privileges are left wide open and cluster admins are left unaware.

    Our webinar will review the challenges of setting Kubernetes RBAC rules and the major security risks that misconfigurations can cause; we will also present ways to overcome these pitfalls.
    We will also demo an easy way to review RBAC permissions and their associated risk scope with Portshift, and cover a runtime audit of API usage and an advanced, automatic method to enforce API policy for who can access what, where and with which action.


    Key Discussion Points:
    1. The importance of securing K8s RBAC permissions
    2. A comparison of current siloed offerings
    3. The advantages of having the workload identity at Runtime
    4. Review and live demo of Portshift’s K8s API server protection
  • Secure your CI/CD pipelines with workload identity Recorded: Apr 30 2020 33 mins
    Sam Olukotun, Solutions Engineer at CircleCI. Ariel Shuper, VP Product at Portshift
    DevSecOps has become a key term among today’s software developers. CircleCI integrates with tools for vulnerability scanning, secrets management, and policy compliance to help DevOps engineers increase CI/CD maturity.

    CircleCI and Portshift's integration allows users to quickly identify vulnerabilities and surface dependencies in their application(s). In addition to classical vulnerability scanning, Portshift's orb creates a unique workload identity for each image, which is used to authenticate and authorize the image when it is later used to deploy a new pod.

    In today's webinar, we'll review how to execute pre-configured DevSecOps jobs in your CircleCI pipelines using the Portshift scanner and workload identity orb. We'll demo how to build secure Docker images by including Portshift's workload identity creation and vulnerability scanner in your container development pipeline. Portshift's orb allows users to perform vulnerability scans and to collect image identity attributes. Image identity is a critical component in Portshift's runtime authorization.
  • Simplifying Kubernetes Pod Security Policies: Effective Containers Security Recorded: Apr 16 2020 40 mins
    Ariel Shuper, VP Product Portshift.io
    An Innovative approach to Kubernetes Security
    The Kubernetes Pod Security Policy (PSP) allows users to set fine-grained authorizations for pod creation and update. A Pod Security Policy defines a set of conditions (a.k.a. security context) that pods must meet to be accepted by the cluster; when a request to create or update a pod does not meet the conditions in the Pod Security Policy, that request is rejected and an error is returned.
    Despite the huge benefits PSP provides Kubernetes users, its adoption is relatively low, and even PSP adopters select a minimal security context for their pods. Some of the reasons for this anomaly are the complex settings (the RBAC mechanism) and the lack of granular implementations (at the ServiceAccount level).
    In this webinar we explore the benefits and challenges of setting up PSP authorization rules. We will also cover innovative methods Portshift uses to apply PSP without the complex RBAC settings and with a fine-grained, granular implementation.

    Key Discussion Points:
    1. What are Pod Security Profiles
    2. The attack vectors eliminated by PSP
    3. Recommended PSP profiles (strict and flexible profile)
    4. Granular PSP implementations

    Ariel Shuper is VP Product @Portshift, specializing in cloud-native security for microservices. Ariel was the head of the serverless security offering at Aqua Security and prior to that spent 5 years in various roles at Check Point Technologies, focusing on security posture and network security in public clouds. Ariel has been a presenter at events such as Microsoft Tech Summit, Build, KubeCon/CloudNativeCon, and various serverless events.
  • Do You Know your Kubernetes runtime vulnerabilities? Recorded: Apr 7 2020 35 mins
    Zohar Kaufman, VP R&D
  • Istio Service Mesh from GA to istiod, Where Do We Go From Here Recorded: Mar 23 2020 36 mins
    Alexei Kravtsov, R&D Team Lead
    Cloud-native applications can include thousands of clustered containers, distributed components, and complex interactions. To build them effectively, developers need a new approach to infrastructural concerns like monitoring, storage, scaling, orchestration, and security. The Istio service mesh offers a configurable infrastructure layer that reliably and efficiently manages service discovery, load balancing, encryption, authentication and authorization, circuit breakers, and more.
    In our webinar we will explore the main features of Istio, give an architectural overview, cover what is new with istiod (1.5), and review additional open-source tools to help you manage Istio.

    Key Discussion Points:
    1. Istio’s features overview
    2. Architectural overview
    3. Features added between Istio 1.0 and 1.5
    4. Architectural changes between Istio 1.0 and 1.5
    5. New Istio control plane: istiod (1.5+)
    6. Istio’s direction in the near future

    Alexei is the Cloud Security Infrastructures Team Lead at Portshift, leading Zero Trust authorization solutions in multi-cloud environments through customization of open-source projects such as Envoy and Istio. Alexei has worked in enterprise software for 5+ years, and was formerly a Senior Architect of Network Security at Check Point, working on hardware-accelerated DPI data-path processing.
  • Sidecar Proxy a Silent Partner for Better Security Recorded: Feb 13 2020 38 mins
    Ariel Shuper, VP Product, Portshift.io
    Join Ariel Shuper for this webinar to learn more about the benefits and advantages of sidecar proxies.

    The use of sidecar proxies in Kubernetes originated from the need to address deployment challenges like traffic management, granular microservice observability and fine-tuned microservice security. Sidecars reduce complexity in the microservice code by abstracting common infrastructure-related functionality into a separate layer. Following the introduction of service meshes (e.g. Istio, Linkerd, Consul, App Mesh etc.), the insertion and configuration of sidecar proxies became easier and simpler, leading to a proliferation of use cases and deployment options.
    In this webinar we'll examine how using sidecar proxies in the application design pattern abstracts away communication complexity, increases the security posture of Kubernetes pods, and simplifies observability and traffic management.

    Join our webinar to learn about:
    1. The role of the sidecar
    2. The benefit of service mesh for sidecar management
    3. Simplifying service-to-service communication policies
    4. Enhanced Kubernetes runtime security

    The webinar will be hosted by Ariel Shuper, VP Product @Portshift.
    Shuper specializes in cloud-native, identity-based security for microservices. Ariel was the head of the serverless security offering at Aqua Security and prior to that spent 5 years in various roles at Check Point Technologies, focusing on security posture and network security in public clouds. Ariel has been a presenter at events such as Microsoft Tech Summit, Build, KubeCon/CloudNativeCon, and various other serverless events.
Single pane of glass for containers and Kubernetes security
Portshift is a Kubernetes-native security leader leveraging the power of Kubernetes and service mesh to deliver a single source of truth for the protection of containers and cloud-native applications. Portshift is the only solution offering an agentless approach, with a single Kubernetes admission controller for seamless integration.
