Speaker

Marco De Benedictis

PhD, Senior Consultant at ControlPlane

Turin, Italy

Marco De Benedictis is a senior security engineer with several years of experience consulting on high-end cybersecurity projects in the private and public sectors. Marco holds a PhD in Computer and Control Engineering and now works at ControlPlane, where he focuses on Kubernetes and container security, helping customers assess and improve the security posture of enterprise cloud-native infrastructures and applications.

Area of Expertise

  • Information & Communications Technology

Topics

  • Cloud Native
  • Cloud Security
  • Kubernetes
  • Containers

Keeping Kubernetes Safe: The Lowdown on Locked Namespaces

Kubernetes namespaces are widely used by developers and infrastructure maintainers to group resources within clusters, yet their role as pivotal security boundaries often gets overlooked.

Many well-established and upcoming Kubernetes features rely on secure namespace management, from in-cluster DNS resolution to Network Policies, Limit Ranges, Pod Security Standards, and Gateway API Cross-Namespace Routing.

The talk will investigate the implications of a compromise within a cluster if an adversary successfully tampers with existing namespaces or crafts new ones, delving into real-world use cases including multi-tenancy and cluster-native policy enforcement.

A spectrum of mitigations and best practices to lock down namespaces effectively will be presented, covering strategies from Role-Based Access Control (RBAC) to advanced object validation using admission controllers, including secure approaches with namespace templating in multi-tenant environments.
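As an added illustration of the two control layers the abstract names (this is not material from the talk itself), the manifests below combine RBAC with an in-process admission policy. The namespace name tenant-a and the group tenant-a-admins are hypothetical; the built-in admin ClusterRole and the pod-security.kubernetes.io/enforce label are real Kubernetes conventions. The ValidatingAdmissionPolicy API is the v1 version available since Kubernetes 1.30.

```yaml
# Added example, not from the talk. Two controls that together stop a tenant
# from creating namespaces or weakening an existing one.
#
# 1. RBAC. The tenant's admins get full rights *inside* "tenant-a" (hypothetical
#    namespace) through the built-in "admin" ClusterRole, which deliberately
#    grants no write access to the Namespace object itself. Cluster-wide they
#    only get read access to namespaces, so they can list them but not create
#    new ones or edit labels on any of them.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-viewer
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]      # no create/update/patch/delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tenant-a-namespace-viewer
subjects:
- kind: Group
  name: tenant-a-admins                # hypothetical group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: namespace-viewer
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tenant-a-admin
  namespace: tenant-a
subjects:
- kind: Group
  name: tenant-a-admins
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin                          # built-in aggregated role
  apiGroup: rbac.authorization.k8s.io
---
# 2. Admission. Even a principal that *can* update namespaces (a platform
#    operator, a misconfigured controller) must not remove or relax the
#    Pod Security Standards enforce label, because that label is what the
#    built-in Pod Security Admission plugin reads. ValidatingAdmissionPolicy
#    evaluates CEL inside the API server, so there is no webhook to deploy.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: protect-pss-enforce-label
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["UPDATE"]
      resources: ["namespaces"]
  variables:
  - name: key
    expression: "'pod-security.kubernetes.io/enforce'"
  - name: oldLevel
    expression: "has(oldObject.metadata.labels) && variables.key in oldObject.metadata.labels ? oldObject.metadata.labels[variables.key] : ''"
  - name: newLevel
    expression: "has(object.metadata.labels) && variables.key in object.metadata.labels ? object.metadata.labels[variables.key] : ''"
  validations:
  # Once a namespace enforces "restricted" it must stay there. Adding the
  # label for the first time, or tightening it, is still allowed.
  - expression: "variables.oldLevel != 'restricted' || variables.newLevel == 'restricted'"
    message: "pod-security.kubernetes.io/enforce may not be removed or relaxed once set to restricted"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: protect-pss-enforce-label
spec:
  policyName: protect-pss-enforce-label
  validationActions: ["Deny"]
```

The RBAC half limits who may touch namespaces at all; the admission half constrains what even a permitted update may do, which is the property a tenant-provisioning controller or namespace template needs if it is to remain trustworthy. Note that this policy only guards UPDATE; CREATE of namespaces without the label is a separate decision and, in a templated setup, is better handled by the component that stamps out the namespace.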

Hacking the Kubernetes Renaissance: Lowering Risk of Large-scale Deployments

Kubernetes is a powerful and complex platform that can bring huge benefits as well as significant dilemmas to an organisation. Without a structured Kubernetes design, deployment and operation strategy, organisations may involuntarily introduce additional operational and security risks that become harder to address as the infrastructure scales up (or out).

This talk presents a risk-aware and risk-driven technical approach based on threat modelling (of infrastructure, people, and supply chains) to derive security requirements, technical controls and countermeasures, both native to Kubernetes (including release 1.25) and provided by open-source tools.

To validate this approach, the presentation also reveals real-world challenges that customers face to stay up to speed with the ever-evolving threat landscape in their Kubernetes journey.

Untrusted Execution: Attacking the Cloud Native Supply Chain

Should we trust the code we run in our production workloads? Not if a motivated attacker can compromise our organisation's complex software supply chains.

While hardened Kubernetes runtimes can mitigate some attacks, motivated threat actors and software implants can be very hard to detect. Supply chain security looks to address some of these threats, but how can we apply it by design and by default? Securing software supply chains end-to-end is a non-trivial task, and requires careful consideration of how to preserve security properties such as integrity along the whole chain.

In this talk we:

  • Undertake a risk-based threat model of software supply chain attacks against our clusters
  • Compare the open source supply chain security controls available to us
  • Propose a solution for end-to-end supply chain security built on open-source tools such as Kubernetes, Helm, Tekton, Sigstore, SPIFFE/Spire, Vault, and in-toto.

KubeCon + CloudNativeCon Europe 2024

March 2024 Paris, France

KCD Italy 2023

June 2023 Milan, Italy

KCD Italy 2022

November 2022
