

Kubernetes Pen Testing, with Jesper Larsson
12 snips Nov 29, 2023
Jesper Larsson, a Freelance PenTester, discusses the importance of security in Kubernetes and infrastructure as code. They cover topics such as access permissions, web application vulnerabilities, pen testing experiences, and common mistakes to avoid. Jesper also shares his background in hacking and penetration testing, emphasizing the significance of networking at meetups. The podcast explores vulnerabilities in third-party software companies and the limitations of using example code. They also discuss an AI tool for analyzing overprivileged accounts in Google Cloud.
AI Snips
Banking SaaS Hack
- Jesper Larsson penetrated a banking authentication service, escalating access from an application vulnerability.
- He gained control over the entire cloud infrastructure, potentially affecting major banks using the service.
Know Your Product
- Understand your product's backend processes, network paths, and Kubernetes topology.
- Restrict access rights, minimize egress traffic, and use monitoring to detect anomalies.
Config Maps and Service Accounts
- Avoid storing secrets in config maps; they are readable by everyone.
- Remove unused service accounts and their revisions within your cloud environment.
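The two "Config Maps and Service Accounts" points above are easy to audit from a cluster snapshot. The script below is an added example, not code from the podcast or its guest; it runs over a constructed snapshot in the shape of `kubectl get configmaps,serviceaccounts,pods -A -o json` items (the namespaces, names and values are made up) and reports ConfigMap keys that look like secrets plus ServiceAccounts that no pod references. The key and value patterns are heuristics chosen for this example, not an exhaustive secret classifier.

```python
import re

# Constructed snapshot (not real cluster data), trimmed to the fields the audit uses.
SNAPSHOT = {
    "configmaps": [
        {"metadata": {"namespace": "payments", "name": "app-config"},
         "data": {"LOG_LEVEL": "info", "DB_PASSWORD": "hunter2"}},
        {"metadata": {"namespace": "payments", "name": "tls-bundle"},
         "data": {"bundle.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----"}},
        {"metadata": {"namespace": "web", "name": "nginx"},
         "data": {"nginx.conf": "server { listen 80; }"}},
    ],
    "serviceaccounts": [
        {"metadata": {"namespace": "payments", "name": "default"}},
        {"metadata": {"namespace": "payments", "name": "api"}},
        {"metadata": {"namespace": "payments", "name": "legacy-batch"}},
        {"metadata": {"namespace": "web", "name": "default"}},
        {"metadata": {"namespace": "web", "name": "frontend"}},
    ],
    "pods": [
        {"metadata": {"namespace": "payments", "name": "api-0"},
         "spec": {"serviceAccountName": "api"}},
        # No serviceAccountName: Kubernetes binds this pod to the namespace's "default" SA.
        {"metadata": {"namespace": "web", "name": "frontend-0"}, "spec": {}},
    ],
}

# Heuristic patterns (assumptions for this example): key names that usually hold
# credentials, PEM private-key headers, and env-file style "FOO_PASSWORD=" lines.
KEY_RE = re.compile(r"(password|passwd|secret|token|api[_-]?key|private[_-]?key)", re.I)
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
ENV_RE = re.compile(r"(?im)^\s*[A-Z0-9_]*(PASSWORD|SECRET|TOKEN)[A-Z0-9_]*\s*=")


def find_secrets_in_configmaps(configmaps):
    """Return (namespace, configmap, key) for every ConfigMap entry that looks like a secret.
    ConfigMaps are readable by anyone with 'get configmaps' in the namespace, so such
    entries belong in a Secret (or an external secret store) with tighter RBAC."""
    findings = []
    for cm in configmaps:
        ns, name = cm["metadata"]["namespace"], cm["metadata"]["name"]
        for key, value in (cm.get("data") or {}).items():
            if KEY_RE.search(key) or PEM_RE.search(value) or ENV_RE.search(value):
                findings.append((ns, name, key))
    return findings


def find_unused_service_accounts(service_accounts, pods):
    """Return (namespace, name) for ServiceAccounts no pod in the snapshot runs as.
    The per-namespace 'default' SA is skipped: it cannot be removed, only locked down
    (e.g. automountServiceAccountToken: false and no extra role bindings)."""
    used = {(p["metadata"]["namespace"], p["spec"].get("serviceAccountName", "default"))
            for p in pods}
    return sorted((sa["metadata"]["namespace"], sa["metadata"]["name"])
                  for sa in service_accounts
                  if sa["metadata"]["name"] != "default"
                  and (sa["metadata"]["namespace"], sa["metadata"]["name"]) not in used)


def audit(snapshot):
    """Run both checks and return them as one report dict."""
    return {
        "secrets_in_configmaps": find_secrets_in_configmaps(snapshot["configmaps"]),
        "unused_service_accounts": find_unused_service_accounts(
            snapshot["serviceaccounts"], snapshot["pods"]),
    }


if __name__ == "__main__":
    report = audit(SNAPSHOT)
    for ns, cm, key in report["secrets_in_configmaps"]:
        print(f"[configmap] {ns}/{cm}: key '{key}' looks like a secret; move it to a Secret")
    for ns, sa in report["unused_service_accounts"]:
        print(f"[serviceaccount] {ns}/{sa}: not used by any pod; remove it or confirm its purpose")
```

Against a live cluster, feed the script the `items` arrays from the three `kubectl get ... -o json` calls instead of `SNAPSHOT`; treat the service-account result as a review list rather than a deletion list, since CronJobs, Jobs that are not currently running, and controllers outside the snapshot can legitimately use a ServiceAccount that no pod holds at the moment of the query.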