Launch HN: Subimage (YC W25) – See your infra from the attacker's perspective
Subimage is our hosted offering built on top of Cartography (https://github.com/cartography-cncf/cartography), the open source security project we created at Lyft in 2019 and originally shared on HN here: https://news.ycombinator.com/item?id=19517977. You can think of us as an open core Wiz alternative.
In 2016, I worked on the Red Team at Microsoft, where we built an infra mapping service to find the shortest paths to compromise our targets. This was very effective for us as well as for the blue team. In 2019, I joined Lyft, where we applied the same ideas to AWS and beyond, helping build and open source Cartography. Over the past six years it has been incredible to see the community improve it and more than 70 companies (that I know of) adopt it.
Kunaal and I first worked together in 2020, when we helped build Lyft's vulnerability management program and used Cartography as its backbone: https://eng.lyft.com/vulnerability-management-at-lyft…. This is actually where our name comes from: Lyft services are made up of one or more "subimages", a memorable engineering challenge we decided to name our company after.
Cartography takes metadata from many sources – SaaS products, cloud services, a company's internal services – and writes it into a graph database. This simple technique is powerful for modeling attack surface areas where misconfigurations are otherwise not visible, such as access and networking.
Subimage picks up where Cartography leaves off: it is a fully hosted solution that provides specific remediation recommendations for the problems it finds. The form of the fix depends on company size: small teams can run AWS CLI commands, while larger orgs need infrastructure-as-code pull requests.
Here's a demo that shows how you can use Subimage to understand and act when your Stripe API key is used unexpectedly: https://www.youtube.com/watch?v=rbcr35hb5hk.
Subimage also provides a natural language interface to easily answer questions about your infra: https://imgur.com/axubane Antilate-Nage-Dey-quece-quer….
Security is a competitive space, but here are a few things that set us apart:
First, we allow a deeper level of customization: a security team can enrich their graph with their own internal data, not just data from the major cloud providers. If it can be expressed as a JSON structure, you can graph it; here's a demo: https://www.youtube.com/watch?v=rvwdjoa_w. This flexibility is necessary to answer questions such as: which storage buckets hold PII? Who owns them? Who has access to https://example.com/api/payment? Which director in the company is the risk owner?
Because it's built on Cartography, teams can also write custom Python plugins if they want: https://cartography-cncf.github.io/cartography/dev/writing-i….
Second, our core principle is prioritization. Security teams drown in alerts. Tracing paths from critical assets to the most exploitable misconfigurations helps teams cut through the noise and get ahead of threats.
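As an added illustration of the graph-and-shortest-path idea described above (example code written for this page, not Cartography's own code or data model): a constructed inventory of a few cloud assets is loaded into an in-memory directed graph, and a breadth-first search reports the shortest path from any internet-exposed asset to each asset holding PII, ranked fewest-hops-first so a team knows which exposure to fix first. The asset ids, types and relation names are hypothetical.

```python
from collections import deque
# Constructed inventory (hypothetical records in a JSON-like shape, not
# Cartography's data model): a few cloud assets and who can reach what.
INVENTORY = [
    {"id": "lb-public", "type": "LoadBalancer", "internet_exposed": True},
    {"id": "web-app", "type": "Service"},
    {"id": "role-web", "type": "IAMRole"},
    {"id": "bucket-logs", "type": "S3Bucket", "pii": False},
    {"id": "bucket-customers", "type": "S3Bucket", "pii": True},
    {"id": "db-internal", "type": "RDSInstance", "pii": True},
]
# Directed relationships between assets: (source, relation, target).
EDGES = [
    ("lb-public", "ROUTES_TO", "web-app"),
    ("web-app", "ASSUMES", "role-web"),
    ("role-web", "CAN_READ", "bucket-logs"),
    ("role-web", "CAN_READ", "bucket-customers"),
    ("web-app", "CONNECTS_TO", "db-internal"),
]

def build_graph(inventory, edges):
    """Index nodes by id and build a directed adjacency list."""
    nodes = {rec["id"]: rec for rec in inventory}
    adj = {nid: [] for nid in nodes}
    for src, rel, dst in edges:
        adj[src].append((rel, dst))
    return nodes, adj

def shortest_attack_paths(nodes, adj):
    """Rank PII assets reachable from the internet by shortest path."""
    # Multi-source BFS: every internet-exposed node is a starting point.
    parent = {n: None for n, rec in nodes.items() if rec.get("internet_exposed")}
    queue = deque(parent)
    while queue:
        cur = queue.popleft()
        for _rel, nxt in adj[cur]:
            if nxt not in parent:  # first visit is via a shortest path
                parent[nxt] = cur
                queue.append(nxt)
    paths = {}
    for nid, rec in nodes.items():
        if rec.get("pii") and nid in parent:
            path, cur = [], nid
            while cur is not None:  # walk parents back to the entry point
                path.append(cur)
                cur = parent[cur]
            paths[nid] = path[::-1]
    # Prioritise: fewest hops from the internet to PII come first.
    return sorted(paths.items(), key=lambda kv: (len(kv[1]), kv[0]))
```

Assets that hold no PII, or that no exposed node can reach, are left out of the ranking entirely.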
Finally, we are rooted in open source. We created Cartography, and as it grows, so does Subimage. Cartography is a CNCF project (https://eng.lyft.com/cartography-joins-the-cncf-66b7be099A7), which means it is fully open source and will stay that way.
Going forward, we will continue to develop Cartography while launching Subimage as a fully hosted offering. Our roadmap includes access management (pruning excess permissions and enforcing security invariants, reviewing changes to infra).
Thanks for reading! If this sounds interesting, try https://github.com/cartography-cncf/cartography.
It's an honor to share Subimage with HN, especially after following launches here for more than a decade. We'd love to hear your questions, feedback, and the challenges you face with security and infra!
2025-02-24 19:22:00