Zoncolan: How Facebook uses static analysis to detect and prevent security issues

Zoncolan helps security engineers scale their work by using static analysis to examine code and detect security or privacy issues. Facebook’s web codebase currently contains more than 100 million lines of Hack code, and changes thousands of times per day. To handle the sheer volume of code, we build sophisticated systems that help our security […]

Unplugging From Digital Controls to Safeguard Power Grids

Late last week, the U.S. House of Representatives passed legislation to mandate federal research on a radically ‘retro’approach to protect power grids from cyber attack: unplugging or otherwise isolating the most criticalequipment from grid operators’ digital control systems. Angus King, an independent senator from Maine whose identical bill passedthe Senate last month, says such a […]

How to detect Kubernetes vulnerability CVE-2019-11246 using Falco.

A recent CNCF-sponsored Kubernetes security audit uncovered CVE-2019-11246, a high-severity vulnerability affecting the command-line kubectl tool. If exploited, it could lead to a directory traversal, allowing a malicious container to replace or create files on a user’s workstation. This vulnerability stemmed from an incomplete fix of a previously disclosed vulnerability (CVE-2019-1002101). Source: sysdig

33(+) Kubernetes security tools

Kubernetes image scanning Kubernetes runtime security Kubernetes network security Image distribution and secrets management Kubernetes security audit End-to-end commercial security tools Join our live session to learn more! Kubernetes security tools … there are so freaking many of them; with different purposes, scopes and licenses. That’s why we decided to create this Kubernetes security tools […]

The Technical Side of the Capital One AWS Security Breach

On July 19th, 2019 Capital One got the red flag that every modern company hopes to avoid – their data had been breached. Over 106 million people affected. 140,000 Social Security numbers. 80,000 bank account numbers. 1,000,000 Social Insurance Numbers. Pretty messy right? Unfortunately, the 19th wasn’t when the breach occurred. It turns out that […]

I’m Not A Robot!

There is no one way to secure your API that fits all situations. But, you can learn the schemes, study how the biggest social networks are dealing with it and find out the industry standard; then apply it to your project in the way you see fit. At the end of this article, you’ll have […]

Detecting the Kubernetes API server DoS vulnerability (CVE-2019-1002100).

Recently, a new Kubernetes related vulnerability was announced that affected the kube-apiserver. This was a denial of service vulnerability where authorized users with write permissions could overload the API server as it is handling requests. The issue is categorized as a medium severity (CVSS score of 6.5) and can be resolved by upgrading the kube-apiserver […]

Mayhem, the Machine That Finds Software Vulnerabilities, Then Patches Them

Back in 2011, when the venture capitalist Marc Andreessen said that “software is eating the world,” it was still a fresh idea. Now it’s obvious that software permeates our lives. From complex electronics like medical devices and autonomous vehicles to simple objects like Internet-connected lightbulbs and thermometers, we’re surrounded by software. And that means we’re […]

Can Kubernetes Keep a Secret? It all depends what tool you’re using

At Soluto, we have super-devs who have full ownership: from writing code to deploying it to monitoring. When we made the shift to Kubernetes, we wanted to keep our devs independent and put a lot of effort into allowing them to create services rapidly. It all worked like a charm – until they had to […]

Docker and Kubernetes in high security environments

This is brief summary of parts of my master’s thesis and the conclusions to draw from it. This medium-story focuses on containerized application isolation. The thesis also covers segmentation of cluster networks in Kubernetes which is not discussed in this story.You can read my full thesis here; it’s available through open access:Container Orchestration in Security […]