Security
Zoncolan helps security engineers scale their work by using static analysis to examine code and detect security or privacy issues. Facebook’s web codebase currently contains more than 100 million lines of Hack code, and changes thousands of times per day. To handle the sheer volume of code, we build sophisticated systems that help our security engineers review code.
Read more
Unplugging From Digital Controls to Safeguard Power Grids
Late last week, the U.S. House of Representatives passed legislation to mandate federal research on a radically ‘retro’ approach to protect power grids from cyber attack: unplugging or otherwise isolating the most critical equipment from grid operators’ digital control systems. Angus King, an independent senator from Maine whose identical bill passed the Senate last month, says such a managed retreat from networked controls may be required to thwart the grid’s most sophisticated online adversaries. Grid cyber experts say the Securing Energy Infrastructure Act moving through Congress is a particular testament to Michael Assante, a gifted and passionate cybersecurity expert who died earlier this month from leukaemia at the age of 48.
Read more
How to detect Kubernetes vulnerability CVE-2019-11246 using Falco.
A recent CNCF-sponsored Kubernetes security audit uncovered CVE-2019-11246, a high-severity vulnerability affecting the command-line kubectl tool. If exploited, it could lead to a directory traversal, allowing a malicious container to replace or create files on a user’s workstation. This vulnerability stemmed from an incomplete fix of a previously disclosed vulnerability (CVE-2019-1002101).
Source: sysdig.com
33(+) Kubernetes security tools
Kubernetes security tools … there are so freaking many of them, with different purposes, scopes and licenses. That’s why we decided to create this Kubernetes security tools list, including open source projects and commercial platforms from different vendors, to help you choose the ones that look most interesting to you and guide you in the right direction depending on your Kubernetes security needs. The list covers Kubernetes image scanning, Kubernetes runtime security, Kubernetes network security, image distribution and secrets management, Kubernetes security audit, and end-to-end commercial security tools.
Read more
The Technical Side of the Capital One AWS Security Breach
On July 19th, 2019 Capital One got the red flag that every modern company hopes to avoid – their data had been breached. Over 106 million people affected.
140,000 Social Security numbers. 80,000 bank account numbers. 1,000,000 Social Insurance Numbers.
Pretty messy, right? Unfortunately, the 19th wasn’t when the breach occurred.
It turns out that Paige Thompson, aka Erratic, had done the deed between March 22nd and March 23rd, 2019.
Read more
I’m Not A Robot!
There is no one way to secure your API that fits all situations. But, you can learn the schemes, study how the biggest social networks are dealing with it and find out the industry standard; then apply it to your project in the way you see fit. At the end of this article, you’ll have a clear understanding of the different schemes.
I won’t go in depth on these here but I’ll do a deep dive on OAuth, the most widely used authorization framework, another time.
Read more
Detecting the Kubernetes API server DoS vulnerability (CVE-2019-1002100).
Recently, a new Kubernetes related vulnerability was announced that affected the kube-apiserver. This was a denial of service vulnerability where authorized users with write permissions could overload the API server as it is handling requests. The issue is categorized as a medium severity (CVSS score of 6.5) and can be resolved by upgrading the kube-apiserver to v1.11.8, v1.12.6, or v1.13.4.
In Kubernetes, the control plane on the master node consists of the API Server, the Controller Manager and Scheduler(s). The API Server is the central management entity that directly communicates with etcd and serves the Kubernetes API used both for internal cluster communication and external communication via kubectl or other clients. Sysdig has built the only cloud-native intelligence platform that is designed to secure, monitor and troubleshoot your next-generation environment.
Read more
Mayhem, the Machine That Finds Software Vulnerabilities, Then Patches Them
Back in 2011, when the venture capitalist Marc Andreessen said that “software is eating the world,” it was still a fresh idea. Now it’s obvious that software permeates our lives. From complex electronics like medical devices and autonomous vehicles to simple objects like Internet-connected lightbulbs and thermometers, we’re surrounded by software.
And that means we’re all more exposed to attacks on that software than ever before. Every year, 111 billion lines are added to the mass of software code in existence, and every line presents a potential new target. Steve Morgan, founder and editor in chief at the research firm Cybersecurity Ventures, predicts that system break-ins made through a previously unknown weakness—what the industry calls “zero-day exploits”—will average one per day in the United States by 2021, up from one per week in 2015.
Read more
Can Kubernetes Keep a Secret? It all depends what tool you’re using
At Soluto, we have super-devs who have full ownership: from writing code to deploying it to monitoring. When we made the shift to Kubernetes, we wanted to keep our devs independent and put a lot of effort into allowing them to create services rapidly. It all worked like a charm – until they had to handle credentials.
This challenge led us to build Kamus – an open source, GitOps, zero trust secrets solution for Kubernetes applications. Kamus allows you to seamlessly encrypt secret values and commit them to source control. But before diving into how Kamus works, let’s do a quick recap of Kubernetes’ native secrets solution, and why we even need Kamus.
Read more
Docker and Kubernetes in high security environments
This is a brief summary of parts of my master’s thesis and the conclusions to draw from it. This Medium story focuses on containerized application isolation. The thesis also covers segmentation of cluster networks in Kubernetes, which is not discussed in this story.
You can read my full thesis here; it’s available through open access: Container Orchestration in Security Demanding Environments at the Swedish Police Authority.
Read more