Securing supply chain components : an offensive approach on containerization technology
Ασφάλεια στην εφοδιαστική αλυσίδα : μία προσέγγιση επιτιθέμενου στη τεχνολογία containerization

Bachelor Dissertation
Author
Moschos, Christos
Μόσχος, Χρήστος
Date
2025-09
Keywords
Kubernetes ; Supply chain security
Abstract
The rapid adoption of containerized environments has made deploying software and keeping it available in production easier than ever; with high availability and scalability, there is virtually no downtime. Companies, whether corporations or small startups, have adopted development pipelines that are built to perform on a constant, on-demand schedule. As a result, these technologies open new attack vectors for threat actors as the supply chain scales. These attacks exploit misconfigurations arising from human or machine error during deployment, vulnerable and unpatched dependencies or services, and compromised registries, allowing adversaries to gain unauthorized access, pivot, escalate, exfiltrate data or disclosed information, and inject malicious binaries into production pipelines. One commonly used technology is Kubernetes (k8s), a prevalent tool for scaling almost indefinitely as long as resources allow; responsible and proper deployment hygiene should therefore be mandatory for everyone operating it. This thesis focuses on that particular tool and analyzes the probable attack vectors by detecting possible misconfigurations during deployment. Detection tools are required in every phase of deployment: past, post and future. We develop a CLI tool in Python that handles a few of the most common misconfigurations. The tool analyzes Kubernetes deployments for common vulnerabilities, such as overly permissive RBAC roles, exposed secrets, privileged containers, and insecure network policies, all of which are key attack vectors in supply chain compromises. By automating the detection of these misconfigurations, this research provides a proactive security approach, helping organizations harden their clusters against real-world adversarial techniques, as outlined in frameworks such as MITRE ATT&CK.


