DevSecOps and Security. Container
- Introduction
- Kubernetes Security Compliance Frameworks
- Zero Trust Security
- Authentication and Authorization
- Quality Gates
- 16 Gates
- Kubernetes Threat Modelling
- Kubernetes Config Security Threats
- Security Linting on Kubernetes
- IaC and Security
- Multi-Level Security (MLS) vs Multi-Category Security (MCS). Make Secure Pipelines with Podman and Containers
- Project Calico
- The Falco Project
- Security Patterns for Microservice Architectures
- Anchore Container Security Solutions for DevSecOps
- Twistlock and Threat Stack Container Security
- OWASP
- Source Code Audit
- StackRox
- Secure Container Based CI/CD Workflows. Vulnerability Scanner for Container Images
- GitHub security
- Databases in DMZ and Intranet
- Removing Credentials From Git Repo
- Pentesting
- SQL Injection
- Credential Managers
- Secrets Management
- Serverless Security Best Practices
- Docker Images and Container Security
- Pod Security Policies
- Kubernetes Network Policies
- Static Analysis SAST
- Kubernetes Security Tools
- Helm Charts Security. Helm Secrets
- Password Recovery
- Attacks on Kubernetes via Misconfigured Argo Workflows
- PKI
- Network Intrusion Tools
- Other Security Tools
- Books
- CVEs
- Powershell
- Nmap scripts
- Let’s Encrypt SSL certificates
- WAF Web Application Firewall
- More Security Tools
- Videos
Introduction
- fiercesw.com: DevOps vs DevSecOps
- devopszone.info: DevSecOps Explained
- linkedin: Dear Google, my data has left your building!
- snyk.io: The State of Open Source Security 2020
- managedsentinel.com: Executive View: Current and Future Cybersecurity Architecture On One Page
- Exploring the (lack of) security in a typical Docker and Kubernetes installation
- kalilinuxtutorials.com: Deploying & Securing Kubernetes Clusters
- loves.cloud: Creating a fully automated DevSecOps CI/CD Pipeline
- redhat.com: Balancing Linux security with usability Your system should be secure, but open enough to serve its function. Here are some tips on how to strike that balance.
- thenewstack.io: Culture, Vulnerabilities and Budget: Why Devs and AppSec Disagree
- computing.co.uk: CloudBees gets busy with security, visibility and control as DevOps evolves CEO Sacha Labourey: ‘DevOps is a pretty good proxy for what needs to happen in any organisation’
- paloaltonetworks.com: Is Your Organization Protected Against IAM Misconfiguration Risks?
- devops.com: How to Successfully Integrate Security and DevOps
- helpnetsecurity.com: How to make DevSecOps stick with developers
- blog.christophetd.fr: Shifting Cloud Security Left: Scanning Infrastructure as Code for Security Issues
- devclass.com: Docker: It's not dead yet, but there's a tendency to walk away, security report finds
- roxsrossve.medium.com: The road to DevSecOps (Spanish: El camino hacia DevSecOps)
- securityboulevard.com: DevOps vs. DevSecOps: Here's How They Fit Together
- opensource.com: How to adopt DevSecOps successfully Integrating security throughout the software development lifecycle is important, but it’s not always easy.
- devops.com: DevSecOps Trends to Know For 2021
- devops.com: From Agile to DevOps to DevSecOps: The Next Evolution
- permission.site: How much stuff one can do from a web browser these days: scary stuff. Stay safe. Disable JS and most of it won't work at all.
- ais.com: Leaping into DevSecOps from DevOps
- infoq.com: The Defense Department’s Journey with DevSecOps
- amazon.com: Building end-to-end AWS DevSecOps CI/CD pipeline with open source SCA, SAST and DAST tools
- infoq.com: 9 Trends That Are Influencing the Adoption of Devops and Devsecops in 2021
- addteq.com: The REAL Difference between DevOps and DevSecOps
- invensislearning.com: Difference between DevOps and DevSecOps
- techerati.com: DevSecOps: Eight tips for truly securing software
- devops.com: SecDevOps is the Solution to Cybersecurity
- techrepublic.com: DevOps is getting code released faster than ever. But security is lagging behind
- redeszone.net: Misconfiguring the cloud is to blame for most vulnerabilities (Spanish: No configurar bien la nube es culpable de la mayoría de vulnerabilidades)
- cybersecuritydive.com: Relationships between DevOps, security warm slowly Some hurdles stem from miscommunication, or balancing quick product releases with undesired security gaps. “Security people need developers to be more like security people and developers need security people to be more like developers.” James Arlen, CISO at Aiven.
- bbvanexttechnologies.com: The DevSecOps philosophy in application development on Azure (Spanish: Filosofía DevSecOps en el desarrollo de aplicaciones sobre Azure)
- harness.io: Automated DevSecOps with StackHawk and Harness
- cloudify.co: Understanding DevSecOps And Its Challenges
- containerjournal.com: The What and Why of Cloud-Native Security
- sysdig.com: Top vulnerability assessment and management best practices
- thenewstack.io: Where Are You on the DevSecOps Maturity Curve?
- thenewstack.io: The Top 5 Secrets Management Mistakes and How to Avoid Them
- arsouyes.org: PKCS, pem, der, key, crt,… Interesting read on security and ssl/tls certificates
- torq.io: 5 Security Automation Examples for Non-Developers
- infoq.com: Serverless Security: What’s Left to Protect?
- dqindia.com: Secure your CI/CD pipeline with these tips from experts
- thenewstack.io: The DevSecOps Skillsets Required for Cloud Deployments
- devblogs.microsoft.com: You can't have security for DevOps until you have DevOps for security
- goteleport.com: Anatomy of a Cloud Infrastructure Attack via a Pull Request
- cncf/tag-security: CNCF Security Technical Advisory Group: secure access, policy control, privacy, auditing, explainability and more
- enterprisersproject.com: 5 DevSecOps open source projects to know Teams that embrace the DevSecOps approach make security an integral part of the entire application life cycle. These open source projects aim to help
- thenewstack.io: 10 Steps to Simplify Your DevSecOps
- Promote a DevSecOps Culture
- Empower Teams to Build Security into the SDLC
- Plan Security Activities
- Improve Speed and Scale with Automation
- Start Early with Small Changes
- Tie in the Out-of-Band Activities
- Manage Security Vulnerabilities as Software Defects
- Collect and Analyze Data at Every Stage
- Learn from Your Failures
- Improve Velocity with Scalable Governance
- dzone: Top 10 Application Security Articles to Read Now See the 10 most popular articles on Application Security with topics covering bot attacks, resolving thefts, testing tools, security best practices, and more!
- redhat.com: 5 ways for teams to create an automation-first mentality DevSecOps can provide a competitive edge for your organization. Use these five strategies to get started.
- devops.com: Transform Mobile DevOps into Mobile DevSecOps
- softwebsolutions.com: What is DevSecOps and why your business needs it
- containerjournal.com: Siloscape: The Dark Side of Kubernetes Siloscape is the first known malware to operate exclusively from within a container and target backdoors inside poorly configured Kubernetes clusters. Prizmant details how the malware collects data at the cluster level, making any hosted databases, user credentials and any business-critical data inside an easy and obvious target for the autonomous attacker.
- thenewstack.io: Infrastructure-as-Code: 6 Best Practices for Securing Applications
- devops.com: Securing Your Software Development Pipelines
- thenewstack.io: How GitOps Benefits from Security-as-Code
- devops.com: Tips for a Successful DevSecOps Life Cycle
- blog.aquasec.com: Advanced Persistent Threat Techniques Used in Container Attacks In this blog, you will explore advanced persistent threat techniques used in container attacks, learn how rootkits work, and how adversaries are using them to attack cloud native environments.
- thenewstack.io: 5 Misconceptions About DevSecOps
- thenewstack.io: Why Cloud Native Systems Demand a Zero Trust Approach
- redhat.com: Considerations for implementing DevSecOps practices. Checklist
- dzone: Security Matters: Vulnerability Scanning Done Right! Security has become the priority in every company these days. Let's see how vulnerability scanning is done the right way.
- redhat.com: Getting DevSecOps to production and beyond Building security into DevOps practices helps safeguard the organization across the software development lifecycle.
- opensource.com: 5 open source security resources from 2021 This countdown is for the security articles for 2021 you need to read right now.
- redhat.com: Red Hat’s approach to DevSecOps
- thenewstack.io: Open Source Democratized Software. Now Let's Democratize Security
- goteleport.com: Why DevSecOps is Going Passwordless
- infosecwriteups.com: How I Discovered Thousands of Open Databases on AWS My journey on finding and reporting databases with sensitive data about Fortune-500 companies, Hospitals, Crypto platforms, Startups during due diligence, and more.
- thenewstack.io: Want Real Cybersecurity Progress? Redefine the Security Team
- devops.com: Taking a DevSecOps Approach to API Security
- devops.com: Continuous Security: The Next Evolution of CI/CD
- about.gitlab.com: Fantastic Infrastructure as Code security attacks and how to find them IaC Security Scanning with Kubernetes
- devops.com: How to Seamlessly Transition to DevSecOps. DevSecOps Isn't Simple
- In the last few months, the cybersecurity world has been taken by storm following the discovery of the Log4Shell vulnerability. The zero-day had the potential to put much of the connected world at risk and left security teams scrambling to quickly apply security patches to software just before Christmas 2021.
- As a result of the chaos caused by Log4Shell, many organizations kicked off the new year by carrying out security assessments to identify ways to improve detection and mitigation of future vulnerabilities. One approach that is gaining a lot of attention is DevSecOps.
- DevSecOps introduces and automates security in the earlier phases of the software development life cycle rather than bolting it on at the end. The approach saves money, saves time on tedious manual tasks, helps organizations meet regulatory compliance requirements and significantly reduces the risk of critical security bugs being found after an application's final build.
- However, when it comes to kicking off DevSecOps projects, there are a few challenges application security teams need to overcome first to ensure their programs fit seamlessly into CI/CD pipelines.
- bridgecrew.io: 6 key Kubernetes DevSecOps principles: People, processes, technology
- research.nccgroup.com: 10 real-world stories of how we've compromised CI/CD pipelines
- thenewstack.io: SecOps in a Post-COVID World: 3 Security Trends to Watch
- medium.com/microservices-learning: How to implement security for microservices
- kubernetes.io: Overview of Cloud Native Security This overview defines a model for thinking about Kubernetes security in the context of Cloud Native security. The 4C’s of Cloud Native security:
- Cloud
- Clusters
- Containers
- Code
- sysdig.com: Triaging a Malicious Docker Container Malicious Docker containers are a relatively new form of attack, taking advantage of an exposed Docker API or vulnerable host to do their evil plotting.
- blog.sonatype.com: Python Packages Upload Your AWS Keys, env vars, Secrets to the Web Last week, Sonatype discovered multiple Python packages that not only exfiltrate your secrets (AWS credentials and environment variables) but upload them to a publicly exposed endpoint. These packages were discovered by Sonatype's automated malware detection system, offered as a part of Nexus platform products, including Nexus Firewall.
- medium.com/@anshuman2121: DevSecOps: Implement security on CICD Pipeline
- medium.com/@jonathan_37674: What have we learned from scanning over 10K Kubernetes Clusters? Plan ahead and fight misconfiguration and vulnerabilities across the SDLC with Kubescape, an open source security platform providing a multi-cloud K8s single pane of glass.
- bleepingcomputer.com: Over 900,000 Kubernetes instances found exposed online
- Over 900,000 misconfigured Kubernetes clusters were found exposed on the internet to potentially malicious scans, some even vulnerable to data-exposing cyberattacks.
- Kubernetes is a highly versatile open-source container orchestration system for hosting online services and managing containerized workloads via a uniform API interface.
- It enjoys massive adoption and growth rates thanks to its scalability, flexibility in multi-cloud environments, portability, cost, app development, and system deployment time reductions.
- If Kubernetes isn't configured properly, remote actors might be able to access internal resources and private assets that weren't meant to be made public.
- Additionally, depending on the configuration, intruders could sometimes escalate their privileges from containers to break isolation and pivot to host processes, granting them initial access to internal corporate networks for further attacks.
- sysdig.com: How to apply security at the source using GitOps | Eduardo Mínguez
- medium.com/technology-hits: Incomplete Guide for Securing Containerized Environment And Understanding How Containers Present Unique Security Challenges. This article contains a collection of best practices and tips regarding securing containerized environments.
- medium.com/@jonathan_37674: How to Keep your CI/CD Pipelines Secure? | ARMO CI/CD sits at the core of DevOps. The main aim of CICD is to automate & streamline app development process by making small changes & adding incrementally. It helps in pushing features faster with fewer errors.
- freecodecamp.org: Authentication vs Authorization: What's the Difference?
- betanews.com: Cloud security is complex – but most vulnerabilities fall into three key categories
- medium.com/@pbijjala: Container security, an eco system view
- containerjournal.com: Kubernetes Security in Your CI/CD Pipeline
- acloudguru.com: Cloud security risks: Why you should make apps Secure by Design
- medium.com/google-cloud: Shifting (even further) Left on Kubernetes Resource Compliance Shifting left can help organizations optimize their use of fully-managed cloud environments and managed services, and tools like Open Policy Agent and Gatekeeper can help organizations ensure compliance in these environments
- hmaslowski.com: macOS Security hardening with Microsoft Intune
- kubewarden.io: Scanning secrets in environment variables This tutorial will teach you how to scan secrets in environment variables using Kubewarden and the env-variable-secrets-scanner-policy
- dzone.com: How To Manage Vulnerabilities in Modern Cloud-Native Applications The article describes how to secure cloud-native applications to identify, manage, and remediate vulnerabilities across the tech stack and ways of integrating security.
- auth0.com: A Passwordless Future! Passkeys for Java Developers Passkeys and WebAuthn for Java developers. Learn how to get started with passkeys for your Java and Spring Boot applications.
- infracloud.io: How to Prevent Secret Leaks in Your Repositories
- blog.devops.dev: End-to-End DevSecOps Kubernetes Project In today's rapidly evolving tech landscape, deploying applications using Kubernetes has become a crucial aspect of modern software development. This guide provides a detailed walkthrough for setting up an end-to-end Kubernetes project, covering everything from infrastructure provisioning to application deployment and monitoring.
- blog.stackademic.com: Advanced End-to-End DevSecOps Kubernetes Three-Tier Project using AWS EKS, ArgoCD, Prometheus, Grafana, and Jenkins
Kubernetes Security Compliance Frameworks
- armosec.io: Kubernetes Security Compliance Frameworks
- The challenge of administering security and maintaining compliance in a Kubernetes ecosystem is typically the same: an increasingly dynamic, changing landscape, be it new approaches of cyberattacks or adhering to changing regulations. Kubernetes security requires a complex and multifaceted approach since an effective strategy needs to:
- Ensure clean code
- Provide full observability
- Prevent the exchange of information with untrusted services
- Produce digital signatures for clean code and trusted applications
- Since Kubernetes follows a loosely coupled architecture, securing the ecosystem involves a cross-combination of best practices, tools, and processes. It is also recommended to consider frameworks that issue specific guidelines for easing the complexity of administering the security and compliance of a Kubernetes ecosystem. Such frameworks help organizations create flexible, iterative, and cost-effective approaches to keeping clusters and applications safe and compliant while ensuring optimum performance. A typical framework's guidance on Kubernetes security and compliance should essentially consider:
- Architecture best practices
- Security within CI/CD pipelines
- Resource protection
- Container runtime protection
- Supply chain security
- Network security
- Vulnerability scanning
- Secrets management and protection
Zero Trust Security
- dzone.com: What Is Zero Trust Security? Zero Trust security is an IT security framework that treats everyone and everything to be hostile (in a good way!).
- thenewstack.io: Secured Access to Kubernetes from Anywhere with Zero Trust | Tenry Fu
- rafay.co: Securing Access to Kubernetes Environments with Zero Trust | Kyle Hunter
- securityboulevard.com: Implementing Zero-Trust Security With Service Mesh and Kubernetes
- cncf.io: Seven zero trust rules for Kubernetes
- rtinsights.com: Implementing Zero Trust for Kubernetes
- cisecurity.org: Where Does Zero Trust Begin and Why is it Important?
- devops.com: DevOps Security: Your Complete Checklist
Authentication and Authorization
- thenewstack.io: How Do Authentication and Authorization Differ?
- osohq.com: Patterns for Authorization in Microservices
OpenID Connect and OAuth 2.0
- medium.com/getindata-blog: OAuth2-based authentication on Istio-powered Kubernetes clusters Starting with Envoy 1.17, authentication and authorization to Istio clusters don't require setting up external services if you decide to use OAuth2. Learn how it works in this hands-on tutorial.
- oauth2-proxy/oauth2-proxy: OAuth2 Proxy A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers.
- manfredmlange.medium.com: Containerized Keycloak in Development How to set up an OpenID Connect compliant development environment with Docker?
- redis.com: JSON Web Tokens (JWTs) are Not Safe (ebook)
- dev.to/fidalmathew: Session-Based vs. Token-Based Authentication: Which is better?
- dev.to/irakan: Is JWT really a good fit for authentication?
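The "is JWT a good fit" debate in the posts above mostly comes down to how a token is verified, not to the format itself. The following is an added example (not code from any of the linked posts): an HS256 token minted with the standard library, a verifier that honours whatever `alg` the token itself declares (the classic `alg: none` bypass), and a hardened verifier that pins the algorithm, compares the MAC in constant time and enforces `exp`. The shared secret and the claims are constructed for the example; a real service would also check `iss` and `aud`.

```python
"""JWT verification done wrong and done right (added example)."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-only-shared-secret"   # constructed for the example; never hard-code a real one


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    """Inverse of b64url; re-adds the padding the token stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_hs256(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a compact JWS: base64url(header).base64url(payload).base64url(HMAC)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"


def forge_alg_none(claims: dict) -> str:
    """What an attacker submits: alg=none and an empty signature segment."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def verify_insecure(token: str, secret: bytes = SECRET):
    """VULNERABLE: lets the token choose its own algorithm."""
    h, p, s = token.split(".")
    header = json.loads(unb64url(h))
    if header["alg"] == "none":                 # accepts an unsigned token as valid
        return json.loads(unb64url(p))
    mac = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return json.loads(unb64url(p)) if hmac.compare_digest(mac, unb64url(s)) else None


def verify_hs256(token: str, secret: bytes = SECRET, now=None):
    """Hardened: algorithm pinned, constant-time MAC check, expiry enforced."""
    try:
        h, p, s = token.split(".")
        header = json.loads(unb64url(h))
    except ValueError:                          # wrong segment count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":            # never trust the token's own alg
        return None
    mac = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, unb64url(s)):
        return None
    claims = json.loads(unb64url(p))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


if __name__ == "__main__":
    token = issue_hs256({"sub": "alice", "exp": int(time.time()) + 300})
    forged = forge_alg_none({"sub": "admin", "exp": int(time.time()) + 300})
    print("insecure accepts forged token:", verify_insecure(forged))
    print("hardened rejects forged token:", verify_hs256(forged))
    print("hardened accepts real token:", verify_hs256(token))
```

The same shape of bug appears with asymmetric tokens when a verifier accepts `HS256` for a key that was meant for `RS256`; pinning the expected algorithm per key, rather than reading it from the token, closes both.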
Quality Gates
- dzone: DevOps Pipeline Quality Gates: A Double-Edged Sword In theory, quality gates seem like a no-brainer, but it does come with a catch.
16 Gates
- medium: Focusing on the DevOps Pipeline Delivering High Quality Working Software Faster with Agile DevOps. At Capital One, we design pipelines using the concept of the "16 Gates". These are our guiding design principles and they are:
- Source code version control
- Optimum branching strategy
- Static analysis
- More than 80% code coverage
- Vulnerability scan
- Open source scan
- Artifact version control
- Auto provisioning
- Immutable servers
- Integration testing
- Performance testing
- Build deploy testing automated for every commit
- Automated rollback
- Automated change order
- Zero downtime release
- Feature toggle
- github.com/hygieia/Hygieia CapitalOne DevOps Dashboard
Kubernetes Threat Modelling
Kubernetes Config Security Threats
- cncf.io: Identifying Kubernetes Config Security Threats: Pods Running as Root
- thenewstack.io: How Kubernetes vulnerabilities have shifted since the first attacks
Kubernetes Ingress Security
- mirantis.com: Introduction to Istio Ingress: The easy way to manage incoming Kubernetes app traffic Leaving your cluster exposed can be risky. That’s why you need Istio Ingress, which only exposes the part that handles incoming traffic & allows routing rules based on routes, headers, IP addresses and more.
- armosec.io: How to secure Kubernetes Ingress? This article will look into how you can secure Ingress resources via adding TLS to Ingress and then procuring TLS/SSL certificates.
Security Linting on Kubernetes
- KubeLinter KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.
- thenewstack.io: StackRox KubeLinter Brings Security Linting to Kubernetes
- github.com/yannh/kubeconform A FAST Kubernetes manifests validator, with support for Custom Resources!
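As an added example in the same spirit as KubeLinter (this is not KubeLinter's or kubeconform's code), here is a small linter that walks a Pod or workload manifest and reports the "pods running as root" class of misconfiguration from the CNCF post above, together with the neighbouring privilege settings a linter normally checks: `privileged`, `allowPrivilegeEscalation`, dropped capabilities, a read-only root filesystem, host namespaces and floating image tags. Manifests are read as JSON (`kubectl get deploy web -o json`), so only the standard library is needed. The two sample manifests, the `web` workload name and the image names are constructed for the example.

```python
"""Toy Kubernetes manifest linter (added example, not KubeLinter's code)."""
import json


def check_container(c, pod_sc):
    """Return findings for one container; pod_sc is the pod-level securityContext."""
    findings = []
    name = c.get("name", "?")
    sc = c.get("securityContext", {})
    # Container-level fields override pod-level ones, so consult both.
    run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
    if run_as_non_root is not True and (run_as_user is None or run_as_user == 0):
        findings.append(f"{name}: may run as root (set runAsNonRoot: true or a non-zero runAsUser)")
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container")
    if sc.get("allowPrivilegeEscalation", True):          # defaults to true when unset
        findings.append(f"{name}: allowPrivilegeEscalation is not false")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        findings.append(f"{name}: does not drop ALL capabilities")
    if not sc.get("readOnlyRootFilesystem"):
        findings.append(f"{name}: root filesystem is writable")
    image = c.get("image", "")
    if ":" not in image or image.endswith(":latest"):     # digest references contain ':' and pass
        findings.append(f"{name}: image is untagged or uses :latest")
    return findings


def lint_manifest(manifest):
    """Lint a parsed Pod, or any workload kind that embeds a pod template."""
    if manifest.get("kind") == "Pod":
        pod_spec = manifest["spec"]
    else:  # Deployment, StatefulSet, DaemonSet, Job
        pod_spec = manifest["spec"]["template"]["spec"]
    findings = []
    if any(pod_spec.get(k) for k in ("hostPID", "hostNetwork", "hostIPC")):
        findings.append("pod shares a host namespace (hostPID/hostNetwork/hostIPC)")
    pod_sc = pod_spec.get("securityContext", {})
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        findings.extend(check_container(c, pod_sc))
    return findings


def lint_json(text):
    """Convenience wrapper for `kubectl get ... -o json` output."""
    return lint_manifest(json.loads(text))


# Constructed samples: a typical "it works" Deployment and its hardened form.
WEAK_DEPLOYMENT = """
{"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
 "spec": {"template": {"spec": {"containers": [
   {"name": "web", "image": "nginx", "securityContext": {"privileged": true}}]}}}}
"""

HARDENED_DEPLOYMENT = """
{"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
 "spec": {"template": {"spec": {
   "securityContext": {"runAsNonRoot": true, "runAsUser": 10001},
   "containers": [{"name": "web", "image": "nginxinc/nginx-unprivileged:1.25",
     "securityContext": {"allowPrivilegeEscalation": false,
                         "readOnlyRootFilesystem": true,
                         "capabilities": {"drop": ["ALL"]}}}]}}}}
"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(label, lint_json(doc) or "no findings")
```

Run against the weak manifest it reports six findings, the hardened one none; wired into CI as a failing step it behaves like the quality gates described earlier on this page, and the same checks map one-to-one onto the `restricted` profile of the Pod Security Standards.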
IaC and Security
Multi-Level Security (MLS) vs Multi-Category Security (MCS). Make Secure Pipelines with Podman and Containers
- Why you should be using Multi-Category Security (MCS) for your Linux containers
- Using Podman and Containers to make a more secure pipeline
Project Calico
- Project Calico Secure networking for the cloud native era
- thenewstack.io: Project Calico: Kubernetes Security as SaaS
The Falco Project
- Falco.org Cloud-Native runtime security
- sysdig.com: Getting started with runtime security and Falco
- betterprogramming.pub: Kubernetes Security With Falco Comprehensive runtime security for your containers with a hands-on demo.
Security Patterns for Microservice Architectures
Anchore Container Security Solutions for DevSecOps
- Anchore Container image inspection and policy-based compliance
- thenewstack.io: Anchore: Scan Your Container Images for Vulnerabilities from the Command Line
Twistlock and Threat Stack Container Security
- Twistlock
- Threat Stack
- dzone: A Twistlock and Threat Stack Comparison Compare two of the most popular tools available for container security, and how their different approaches breed different solutions.
OWASP
- vashishtsumit89.medium.com: Security/Pen Testing: A guide to run OWASP Zap headless in containers for CI/CD pipeline
- redeszone.net: OWASP ZAP, audita la seguridad de webs y evita vulnerabilidades
- sonarqube.org: OWASP Top 10 - We've got you covered! See issues in the 10 most critical security risk categories in your web applications.
- cloud.google.com: OWASP Top 10 mitigation options on Google Cloud Terrific guidance in this paper that explains each attack vector and which product(s) can help
- thenewstack.io: Latest OWASP Top 10 Surfaces Web Development Security Bugs
- thenewstack.io: OWASP Top 10: A Guide to the Worst Software Vulnerabilities
- owasp.org: OWASP API Security Project
- traceable.ai: Use the OWASP API Top 10 To Secure Your APIs The OWASP API Top 10 documents the risks associated with API development. Here are the vulnerabilities highlighted in the most recent OWASP API Top 10:
- Broken Object Level Authorization (BOLA)
- Broken User Authentication
- Excessive Data Exposure
- Lack of Resources and Rate Limiting
- Broken Function Level Authorization
- Mass Assignment
- Security Misconfiguration
- Injection
- Improper Assets Management
- Insufficient Logging and Monitoring
- cequence.ai: The OWASP API Security Top 10 From a Real-World Perspective
- securityonline.info: VAmPI: Vulnerable REST API with OWASP top 10 vulnerabilities
- github.com/OWASP: OWASP Kubernetes Top 10
Source Code Audit
- securecoding.com: Code Audit: How to Ensure Compliance for an Application A source code audit is a process of analyzing the source code of an application with the objective of discovering security vulnerabilities, security design problems, and places of potential improvement in programming practices. After the analysis, a report is generated that is used to implement a range of measures that guarantee the security and reliability of the code. Code audits can be carried out in parallel with penetration tests. They can test the exploitability of code vulnerabilities to better estimate the risk they pose. Ideally, code audits are performed throughout the application lifecycle. The faster a vulnerability is discovered, the easier it is to fix!
StackRox
Secure Container Based CI/CD Workflows. Vulnerability Scanner for Container Images
- trivy A Simple and Comprehensive Vulnerability Scanner for Container Images, Git Repositories and Filesystems. Suitable for CI
- returngis.net: Finding vulnerabilities in Docker images with Snyk (Spanish: Buscar vulnerabilidades en imágenes de Docker con Snyk)
- iximiuz.com: The need for slimmer containers. Scanning official Python images with Snyk
- gkovan.medium.com: A Zero Trust Approach for Securing the Supply Chain of Microservices Packaged as Container Images (sigstore, kyverno, openshift tekton, quarkus)
- thenewstack.io: Find Vulnerabilities in Container Images with Docker Scan
- medium.com/@nanditasahu031: DevSecOps: Implementing Secure CI/CD Pipelines
- deepfence/YaraHunter Malware scanner for cloud-native, as part of CI/CD and at Runtime. Deepfence YaraHunter scans container images, running Docker containers, and filesystems to find indicators of malware. It uses a YARA ruleset to identify resources that match known malware signatures, and may indicate that the container or filesystem has been compromised. - https://deepfence.io/
Securing Kubernetes With Anchore
- Securing Kubernetes With Anchore
- Anchore: Secure Container Based CI/CD Workflows
- Jenkins Plugin: Anchore Container Image Scanner
Container Signing. Secure Containers with Notary or Cosign
- Notary Notary is a project that allows anyone to have trust over arbitrary collections of data
- Cosign: Container Signing Container Signing, Verification and Storage in an OCI registry. Cosign supports:
- Hardware and KMS signing
- Bring-your-own PKI
- Our free OIDC PKI (Fulcio)
- Built-in binary transparency and timestamping service (Rekor)
- infracloud.io: Enforcing Image Trust on Docker Containers using Notary
- medium: Verify Container Image Signatures in Kubernetes using Notary or Cosign or both Connaisseur v2.0 adds support for multiple keys and signature solutions.
- infracloud.io: How to Secure Containers with Cosign and Distroless Images
- appvia.io: Tutorial: Keyless Sign and Verify Your Container Images With Cosign
- github.blog: Safeguard your containers with new container signing capability in GitHub Actions (cosign)
- chrisns/cosign-keyless-demo: Cosign Keyless GitHub Action Demo Proof of concept that uses cosign and GitHub’s in built OIDC for actions to sign container images, providing a proof that what is in the registry came from your GitHub action.
- blog.chainguard.dev: How To Verify Cosigned Container Images In Amazon ECS
- justinpolidori.it: Secure Your Docker Images With Cosign (and OPA Gatekeeper) Learn how combining Gatekeeper + Cosign for image signature validation with the new external_data feature lets you stop untrusted docker images from being deployed on your Kubernetes cluster.
- sysdig.com: How to secure Kubernetes deployment with signature verification Cosign and Connaisseur allow us to secure the Kubernetes deployment with signature verification, ensuring that our images do not change
- medium.com/@slimm609: Secure image signing with Cosign and AWS KMS
- itnext.io: Securing Kubernetes Workloads: A Practical Approach to Signed and Encrypted Container Images Podman: one tool to rule them all
GitHub security
Databases in DMZ and Intranet
Removing Credentials From Git Repo
Pentesting
- forbes.com: DevOps Drives Pentesting Delivered As A Service
- emagined.com: How to conduct a penetration test
- securityboulevard.com: Kubernetes Pentest Methodology Part 3
SQL Injection
Credential Managers
keycloak
- keycloak.org Open Source Identity and Access Management For Modern Applications and Services
- Securing Kubernetes Apps with Keycloak and Gatekeeper
- Authorizing multi-language microservices with Louketo Proxy
- developers.redhat.com: A deep dive into Keycloak
- blog.getambassador.io: Step-by-Step Centralized Authentication for Kubernetes with Keycloak and the Ambassador Edge Stack
- blog.sighup.io: How to run Keycloak in HA on Kubernetes How to setup Keycloak, the Open Source Identity and Access Management, in HA on Kubernetes.
- developers.redhat.com: Authentication and authorization using the Keycloak REST API
- faun.pub: Integrate Keycloak with HashiCorp Vault A How-To guide using Terraform
- openshift.com: Geographically Distributed Stateful Workloads - Part 3: Keycloak
- blog.flant.com: Running fault-tolerant Keycloak with Infinispan in Kubernetes
- baeldung.com: A Quick Guide to Using Keycloak with Spring Boot
- medium.com/@charled.breteche: Securing Grafana with Keycloak SSO In this article you will learn how to deploy and configure Keycloak in a local Kubernetes cluster, then deploy Grafana and use the Keycloak instance for authentication and authorization
- dev.to: KeyCloak with Nginx Ingress
- medium.com/@amirhosseineidy: Kubernetes authentication with keycloak oidc
- medium.com/@martin.hodges: How to install Keycloak IAM on your Kubernetes cluster, backed by Postgres In this article I look at installing Keycloak and integrating with a Kong API Gateway inside a Kubernetes cluster to provide an OAuth and OIDC solution for your services.
Git Credential Manager Core
- Git Credential Manager Core GCM Core is a free, open-source, cross-platform credential manager for Git.
- Git Credential Manager Core: Building a universal authentication experience
Secrets Management
- blog.gitguardian.com: Secrets in source code (episode 2/3). Why secrets in git are such a problem
- harness.io: Managing Secrets in CI/CD Pipelines How has your organization dealt with the challenge of managing secrets while delivering with CI/CD pipelines? Learn how to improve your process in the article.
- smallstep.com: How to Handle Secrets on the Command Line
- cloud.google.com: Analyze secrets with Cloud Asset Inventory Query information about all the secrets across your entire GoogleCloudTech organization! Secret Manager is now integrated with Asset Inventory!
- sops: Simple and flexible tool for managing secrets
- jenkins-x.io: Setting up the secrets for your installation Jenkins X 3.x uses Kubernetes External Secrets to manage populating secrets from your underlying secret store.
- fpcomplete.com: Announcing Amber, encrypted secrets management
- jfrog.com: How to protect your secrets with Spectral and JFrog Pipelines
- github.com/keilerkonzept/aws-secretsmanager-files Writes AWS Secrets Manager secrets to files on disk. Single binary, no dependencies. osx & linux & windows.
- medium: How to Handle Secrets Like a Pro Using Gitops
- youtube: Which of your Kubernetes Apps are accessing Secrets? How do you know which apps across all your clusters are using Kubernetes Secrets? How are you sure that your secrets are not leaking? In the next 5 minutes, you will learn right that.
- jenkins-x/gsm-controller gsm-controller is a Kubernetes controller that copies secrets from Google Secrets Manager into Kubernetes secrets. The controller watches Kubernetes secrets looking for an annotation, if the annotation is not found on the secret nothing more is done.
- GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp: Google Secret Manager Provider for Secret Store CSI Driver Google Secret Manager provider for the Secret Store CSI Driver. Allows you to access secrets stored in Secret Manager as files mounted in Kubernetes pods.
- devops.com: DevOps Teams Struggling to Keep Secrets A growing number of organizations are suffering security incidents related to exposed secrets in DevOps CI/CD pipelines, according to a recent ThycoticCentrify report. The study paints a troubling picture: Only 5% of survey respondents said most of their development teams use the same secrets management processes and tools. The incidents run the gamut, from secrets published in the clear in public cloud code repositories to insecure third-party code to vulnerabilities in the organization's own code or configurations.
- thorsten-hans.com: Encrypt your Kubernetes Secrets with Mozilla SOPS By default, Kubernetes Secrets (secrets) are stored with base64 encoding in YAML files. The lack of encryption for secrets often leads to the question of how to store secrets securely. Obviously, you donโt want to put your sensitive configuration data into a git repository, because it is just encoded. echo
| base64 -d. - A typical solution is using services like Azure Key Vault, or HashiCorp Vault to persist sensitive data. Those services can be integrated with Kubernetes by using the Secrets Store CIS driver. However, relying on an additional service means that you have to manage and maintain that service in addition to Kubernetes. Additionally, depending on the service you use to store your sensitive data, some sensitive configuration must be stored somewhere to configure the CIS driver.
- As an alternative, you can use Mozilla SOPS (SOPS) to encrypt and decrypt your Kubernetes secret files. Secrets that are encrypted via SOPS can be stored in source control. Encrypted secrets will be decrypted locally just before theyโll be deployed to Kubernetes. This article demonstrates how to encrypt and decrypt Kubernetes secrets (YAML files) using SOPS in combination with Azure Key Vault, which allows you to store your secrets along with other Kubernetes manifests directly in git.
- developers.redhat.com: Protect secrets in Git with the clean/smudge filter
- kubeopsskills/cloud-secret-resolvers: Cloud Secret Resolvers (CSR) Cloud Secret Resolvers is a set of tools to help your applications (on Kubernetes) retrieve any credentials from cloud managed vaults without the need to write additional boilerplate code in your applications!
- thenewstack.io: Managing Secrets in Your DevOps Pipeline
- thenewstack.io: Kubernetes Secrets Management: 3 Approaches, 9 Best Practices Developers must make early design choices about where to store secrets, how to retrieve them and how to make them available in an application.
- siddhivinayak-sk.medium.com: Kubeseal & SealedSecret: Make your "secrets" secure in SCM by using "sealed secret" In this article, you will learn the theory and practice behind encrypting your secrets with SealedSecret & Kubeseal
Anti Patterns. Wrong Secrets
- commjoen/wrongsecrets: OWASP WrongSecrets Examples with how to not use secrets. Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.
AWS Secret Manager
- medium: AWS Secret Manager: Protect sensitive information and functionality Protect Your Secrets in Applications. Secrets are frequently used to protect sensitive information and functionality.
- blog.opstree.com: AWS Secret Manager
- aws/secrets-store-csi-driver-provider-aws: AWS Secrets Manager and Config Provider for Secret Store CSI Driver AWS offers two services to manage secrets and parameters conveniently in your code. AWS Secrets Manager allows you to easily rotate, manage, and retrieve database credentials, API keys, certificates, and other secrets throughout their lifecycle. AWS Systems Manager Parameter Store provides hierarchical storage for configuration data. The AWS provider for the Secrets Store CSI Driver allows you to make secrets stored in Secrets Manager and parameters stored in Parameter Store appear as files mounted in Kubernetes pods.
- medium.com/@ishana98dadhich: Integrating AWS Secret Manager with EKS and use Secrets inside the Pods: Part-1 This blog provides you enough details on how you can use secrets (managed by AWS Secrets Manager) inside AWS EKS pods.
- unixarena.com: Terraform - Source credentials from AWS Secret Manager
Password Hashing
- pyca/bcrypt Modern(-ish) password hashing for your software and your servers.
- argon2-cffi
- docs.python.org: scrypt (standard library)
- cryptography.io: scrypt (cryptography)
Store private data in git repo
HashiCorp Vault
- hashicorp/vault A tool for secrets management, encryption as a service, and privileged access management
- hashicorp/vault-csi-provider: HashiCorp Vault Provider for Secrets Store CSI Driver HashiCorp Vault provider for the Secrets Store CSI driver allows you to get secrets stored in Vault and use the Secrets Store CSI driver interface to mount them into Kubernetes pods
- vaultproject.io Manage Secrets and Protect Sensitive Data. Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.
- medium: Coding for Secrets Reliability with HashiCorp Vault
- hashicorp.com: Vault & Kubernetes: Better Together
- OpenShift Blogs:
- https://www.openshift.com/blog/managing-secrets-openshift-vault-integration
- https://www.openshift.com/blog/vault-integration-using-kubernetes-authentication-method
- https://www.openshift.com/blog/integrating-vault-with-legacy-applications
- https://www.openshift.com/blog/integrating-hashicorp-vault-in-openshift-4
- Vault Learning Resources: Vault 1.5 features and more
- medium: Securing K8s Ingress Traffic with HashiCorp Vault PKIaaS and JetStack Cert-Manager
- hashicorp.com: Automate Secret Injection into CI/CD Workflows with the GitHub Action for Vault
- hashicorp.com: Use AWS Lambda Extensions to Securely Retrieve Secrets From HashiCorp Vault Developers no longer have to make their Lambda functions Vault-aware.
- github.com/kelseyhightower: Serverless Vault with Cloud Run This tutorial walks you through deploying Hashicorp’s Vault on Cloud Run, Google Cloud’s container based Serverless compute platform.
- confluent.io: How to Manage Secrets for Confluent with Kubernetes and HashiCorp Vault
- digitalvarys.com: Simple Introduction to HashiCorp Vault
- hashicorp.com: HCP Vault is now generally available on AWS
- hashicorp.com: Serverless Secrets with HashiCorp Vault Learn how to securely store and retrieve credentials across providers for applications running within AWS Lambda, Azure Functions, and Google Cloud Functions.
- thenewstack.io: HashiCorp Releases HCP Vault to Combat "Secrets Management" Fatigue
- datadoghq.com: Monitor HashiCorp Vault metrics and logs
- thenewstack.io: Reasons to Implement HashiCorp Vault and Other Zero Trust Tools
- hashicorp.com: Retrieve HashiCorp Vault Secrets with Kubernetes CSI Learn how to use CSI to expose secrets on a volume within a Kubernetes pod and retrieve them using our beta Vault Provider for the Kubernetes Secrets Store CSI Driver.
- testdriven.io: Running Vault and Consul on Kubernetes
- hashicorp.com: Onboarding Applications to Vault Using Terraform: A Practical Guide Learn how to build an automated HashiCorp Vault onboarding system with Terraform using sensible naming standards, ACL policy templates, pre-created application entities, and workflows driven by VCS and CI/CD.
- hashicorp.com: Managing SSH Access at Scale with HashiCorp Vault Learn how to build scalable, role-based SSH access with SSH certificates and HashiCorp Vault.
- devopscube.com: How to Setup Vault in Kubernetes - Beginners Tutorial
- devopscube.com: Vault Agent Injector Tutorial: Inject Secrets to Pods Using Vault Agent
- hashicorp.com: Announcing HashiCorp Vault 1.8
- hashicorp.com: A Kubernetes User’s Guide to HashiCorp Nomad Secret Management Learn how secrets management in Kubernetes compares to HashiCorp Nomad, and see why HashiCorp Vault is a powerful solution for both.
- igorzhivilo.com: Scheduled backup of Vault secrets with Jenkins on Kubernetes If you ever wondered how to save the secrets of HashiCorp’s Vault on a daily basis.
- hashicorp.com: HashiCorp Vault Use Cases and Best Practices on Azure
- medium: Install Hashicorp Vault on Kubernetes using Helm - Part 1 | Marco Franssen
- piotrminkowski.com: Vault on Kubernetes with Spring Cloud
- hashicorp.com: Integrating Azure AD Identity with HashiCorp Vault - Part 1: Azure Application Auth via OIDC
- medium.com/@pratyush.mathur: Secrets Management Using Vault in K8S
- hashicorp.com: Kubernetes Vault Integration via Sidecar Agent Injector vs. CSI Provider In this post, you will explore the different methods of integrating HashiCorp Vault with Kubernetes and learn how to choose the best solution for your use case.
- hashicorp.com: Manage Kubernetes Secrets for Flux with HashiCorp Vault Configure the Secrets Store CSI driver with HashiCorp Vault to securely inject secrets into Flux or other GitOps tools on Kubernetes.
- hashicorp.com: How to Integrate Your Application with Vault: Static Secrets Learn how to retrieve static secrets from HashiCorp Vault in a real-world setting using a new sample application.
- blog.devops.dev: Using Vault in Kubernetes Production for Security Engineers
- hashicorp.com: HashiCorp Vault 1.11 Adds Kubernetes Secrets Engine, PKI Updates, and More
- Favorite OSS feature is the K8S secrets engine that can generate K8S service accounts as dynamic secrets.
- Favorite Ent feature is that Autopilot can now perform safe, automated upgrades.
- Plus a dozen other improvements…
- medium.com/@nikhil.purva: Securing Kubernetes Secrets with HashiCorp Vault
- hashicorp.com: The State of Vault and Kubernetes, and Future Plans Get an overview of the most common ways to use HashiCorp Vault and Kubernetes together, and get a preview of a new method we’re considering.
- alexandre-vazquez.com: How To Inject Secrets in Pods To Improve Security with Hashicorp Vault in 5 Minutes
- adfinis.com: Secret zero with ACME As of Vault 1.14, the HashiCorp Vault PKI engine can issue certificates using the standard ACME protocol. The Automatic Certificate Management Environment (ACME) was made popular by Let's Encrypt, which has been the default mechanism to request valid certificates from a public CA for over 10 years.
- medium.com/@martin.hodges: Introduction to Vault to provide secret management in your Kubernetes cluster One of the core Kubernetes resources is a Secret. However, these Secrets are not actually secure, as anyone with access to the cluster may be able to read and update the secret. This article introduces Vault into the cluster to securely manage secrets.
- medium.com/@martin.hodges: Enabling TLS on your Vault cluster on Kubernetes In this article I look at adding TLS secured connections to our unprotected Vault cluster. We will do this to ensure our secrets remain, well, secret.
- medium.com/@calvineotieno010: Managing Application Secrets with Hashicorp Vault
- medium.com/@muppedaanvesh: A Hands-On Guide to Vault in Kubernetes Manage k8s Secrets Using HashiCorp Vault: With Practical Examples
HashiCorp Vault Agent
- Vault Agent
- harness.io: Tutorial: How to Use the New Vault Agent Integration Method With Harness
- harness.io: Tutorial: Vault Agent Advanced Use Case With Kubernetes Delegates and Shared Volumes
- hashicorp.com: Why Use the Vault Agent for Secrets Management?
- medium.com/nerd-for-tech: PKI Certs Injection to K8s Pods with Vault Agent Injector In this article, you’ll learn how to use the Vault Agent Injector to dynamically generate and Inject PKI Certs to Pods by rendering secrets to a shared volume, containers within the pod will consume Vault secrets without being Vault aware.
- hashicorp.com: Refresh Secrets for Kubernetes Applications with Vault Agent Learn the system signal and live reload methods for updating Kubernetes applications when secrets change. See an example via a Spring Boot application.
Azure Key Vault
- docs.microsoft.com: Azure Key Vault
- azure.github.io: Azure Key Vault Provider for Secrets Store CSI Driver
- akv2k8s.io: Azure Key Vault to Kubernetes akv2k8s Azure Key Vault to Kubernetes (akv2k8s) makes Azure Key Vault secrets, certificates and keys available in Kubernetes and/or your application - in a simple and secure way
- Azure Key Vault to Kubernetes Azure Key Vault to Kubernetes (akv2k8s for short) makes it simple and secure to use Azure Key Vault secrets, keys and certificates in Kubernetes.
- Neoteroi/essentials-configuration-keyvault Azure Key Vault source for essentials-configuration
- techcommunity.microsoft.com: In preview: Azure Key Vault secrets provider extension for Arc enabled Kubernetes clusters
- vcloud-lab.com: Create Azure Key Vault Certificates on Azure Portal and Powershell
CyberArk and Ansible
- ansible.com: Simplifying secrets management with CyberArk and Red Hat Ansible Automation Platform
- ansible.com: Automating Security with CyberArk and Red Hat Ansible Automation Platform
CyberArk Conjur
SOPS for Kubernetes
AKS Secrets
- mehighlow.medium.com: Hardened-AKS/Secrets Commonly, an application requires access to data and, usually, such access must be restricted. So, you need to provide your pod/deployment/replicaSet/DaemonSet with secrets. Learn how you can do so in AKS
Kapitan
- Kapitan: Generic templated configuration management for Kubernetes, Terraform and other things
- medium: Declarative secret management for GitOps with Kapitan
Alternatives with Kubernetes External Secrets
- GitOps secret management with bitnami-labs Sealed Secret and GoDaddy Kubernetes External Secrets
- Kubernetes External Secrets Integrate external secret management systems with Kubernetes. Kubernetes External Secrets allows you to use external secret management systems, like AWS Secrets Manager or HashiCorp Vault, to securely add secrets in Kubernetes.
- thenewstack.io: GoDaddy's Project to Secure, Rotate Kubernetes Secrets
- aws.amazon.com: Managing secrets deployment in Kubernetes using Sealed Secrets
- dzone: Managing Secrets Deployment in GitOps Workflow The importance of keeping your secrets safe.
- blog.container-solutions.com: The Birth of the External Secrets Community
- itnext.io: Secrets injection at runtime from external Vault into Kubernetes - POC
- jx-secret-postrenderer a helm postrenderer for working with helm and Kubernetes External Secrets. This post renderer lets you use helm charts which contain Secret resources and have those secrets managed by Kubernetes External Secrets without having to modify your charts. Want seamless support for Kubernetes External Secrets with existing helm charts, but you're not using Jenkins X yet? Then why not try this helm post renderer.
- thenewstack.io: Managing Kubernetes Secrets with AWS Secrets Manager
- K8s Vault Webhook - github: k8s-vault-webhook A k8s vault webhook is a Kubernetes webhook that can inject secrets into Kubernetes resources by connecting to multiple secret managers
- portworx.com: Implementing Data Security on Red Hat OpenShift
Bitwarden
- thenewstack.io: Walkthrough: Bitwardenโs New Secrets Manager
- morey.tech: Bitwarden and External Secrets
Serverless Security Best Practices
Docker Images and Container Security
- thehackernews.com: Docker Images Containing Cryptojacking Malware Distributed via Docker Hub
- sysdig.com: 12 Container image scanning best practices to adopt in production
- infracloud.io: The Ten Commandments of Container Security
- medium: KubeSecOps Pipeline(Container security) in a cloudnative ecosystem
- sysdig.com: Sysdig 2021 container security and usage report: Shifting left is not enough
- itnext.io: Hardening Docker and Kubernetes with seccomp
- redhat.com: Improving Linux container security with seccomp Try this method of using an OCI runtime hook for tracing syscalls before you build a container.
- openshift.com: Signing and Verifying Container Images
- redhat.com: Introducing Red Hat Vulnerability Scanner Certification
- docs.microsoft.com: Introduction to Azure Defender for container registries Defender for Container Registries continuous image scanning for vulnerabilities is now generally available (GA)
- techbeacon.com: 17 open-source container security tools
- about.gitlab.com: How to secure your container images with GitLab and Grype - grype: a vulnerability scanner for container images and filesystems
- GoogleContainerTools/container-structure-test validate the structure of your container images
- dynatrace.com: Container security: What it is, why it's tricky, and how to do it right
- betterprogramming.pub: Secure Your Kubernetes Cluster With Seccomp A hands-on guide to applying the principle of least-privilege on container's syscalls
Sigstore
- sigstore.dev A new standard for signing, verifying and protecting software. Making sure your software's what it claims to be.
- youtube: Hands-on Introduction to sigstore | Rawkode Live In this tutorial, you'll learn how to sign and verify container images with co-sign, with and without a private key.
- opensource.com: Sign and verify container images with this open source tool (sigstore) The sigstore project aims at securing supply chain technology.
Container security best practices
- sysdig.com: Container security best practices: Ultimate guide
- dzone: A Practical Guide for Container Security Explore container security’s fundamental principles and strategies, learn 2 specific methods, and examine tools and techniques for securing keys, tokens, and passwords.
Pod Security Policies
- octetz.com: Setting Up Pod Security Policies By default, Kubernetes allows anything capable of creating a Pod to run a fairly privileged container that can compromise a system. Pod Security Policies protect clusters from privileged pods by ensuring the requester is authorised.
- infracloud.io: Kubernetes Pod Security Policies with Open Policy Agent In this blog post, you will learn about the Pod Security Policy admission controller. Then you will see how Open Policy Agent can implement Pod Security Policies.
Kubernetes Network Policies
- medium.com: K8s Network Policies Demystified and Simplified
- blog.nody.cc: Verify your Kubernetes Cluster Network Policies: From Faith to Proof
- medium: Kubernetes Network Policies: Are They Really Useful?
Static Analysis SAST
Kubernetes Security Tools
- europeclouds.com: Implementing Aqua Security to Secure Kubernetes
- Pomerium is an identity-aware proxy that enables secure access to internal applications. Pomerium brings consistent authz/authn, tooling, and auditing across cloud and on-premise deployments. No VPN or cloud provider account is required
- cloud.redhat.com: Top Open Source Kubernetes Security Tools of 2021
- fluentbit.io Fluent Bit is an open source Log Processor and Forwarder which allows you to collect any data like metrics and logs from different sources, enrich them with filters and send them to multiple destinations. It’s the preferred choice for containerized environments like Kubernetes.
- kubearmor.io Runtime protection for Kubernetes & other cloud Workloads. KubeArmor uses eBPF and Linux Security Modules (LSM) to provide a policy-based system to restrict any unwanted, malicious behavior of cloud-native workloads at runtime.
- itnext.io: Protecting Your Kubernetes Environment With KubeArmor In this article, you will learn how to use KubeArmor to define policies and protect your containerized workloads. You will test the setup against the ShellShock vulnerability and compare it to AppArmor.
Helm Charts Security. Helm Secrets
- medium: Who's at the Helm? Or, how to deploy 25+ CVEs to prod in one command!
- itnext.io: Helm 3 - Secrets management, an alternative approach
- itnext.io: Manage Auto-generated Secrets In Your Helm Charts
- dev-vibe.medium.com: Encrypt Helm sensitive data A guide on how to stay safe when pushing helm values files containing Your passwords and other sensitive data to the version control tool.
Password Recovery
Attacks on Kubernetes via Misconfigured Argo Workflows
PKI
- devops.com: How to Automate PKI for DevOps With Open Source Tools The ultimate goal of PKI for DevOps is to provision PKI credentials for business applications without hard-coded secrets, which is one less risk to concern the security team. The goal of DevOps for PKI is to automatically deploy a completely configured PKI solution, which is one less roadblock for DevOps teams.
Network Intrusion Tools
- cybersecsi/HOUDINI: Hundreds of Offensive and Useful Docker Images for Network Intrusion - https://houdini.secsi.io
Other Security Tools
- itnext.io: Top 6 Threat Detection Tools for Containers Essentials to Securing Threats for Containerized Cloud-Native Applications
- thenewstack.io: AWS Open Sources Security Tools AWS is open sourcing its Cedar policy language and authorization engine and Snapchange, an open source snapshot-based fuzzing tool.
Torq. No code Security Automation
- https://torq.io No-code Security Automation
- sentinelone.com: Reducing Human Effort in Cybersecurity | Why We Are Investing in Torq's Automation Platform
Security-Guard
- pkg.go.dev/knative.dev/security-guard
- developer.ibm.com: Secure microservices by monitoring behavior An open source Kubernetes-native extension to secure containerized applications.
Books
CVEs
- sysdig.com: Mitigating CVE-2021-20291: DoS affecting CRI-O and Podman
- armosec.io: Use Kubescape to check if your Kubernetes clusters are exposed to the latest K8s Symlink vulnerability (CVE-2021-25741)
Log4j Log4Shell
- medium: CVE-2021-44228: finding Log4j vulnerable k8s pods with bash & trivy
- sysdig.com: Mitigating log4j with Runtime-based Kubernetes Network Policies
- github.com/aws-samples: Apache Log4j2 CVE-2021-44228 node agent AWS has developed an RPM that performs a JVM-level hot-patch which disables JNDI lookups from the Log4j2 library, mitigating Log4j2 CVE-2021-44228. The Apache Log4j2 CVE-2021-44228 node agent is an open source project built by the Kubernetes team at AWS. It is designed to run as a DaemonSet and mitigate the impact of Log4j2 CVE-2021-44228, which affects applications running Apache Log4j2 versions < 2.15.0 when processing inputs from untrusted sources. Running this DaemonSet will patch JVMs running in containers as well as on the host.
- proferosec/log4jScanner This tool provides you with the ability to scan internal (only) subnets for vulnerable log4j web services.
- Apache Log4j Security Vulnerabilities
- cloud.redhat.com: Log4Shell: Practical Mitigations and Impact Analysis of the Log4j Vulnerabilities
- edition.cnn.com: The Log4j security flaw could impact the entire internet. Here’s what you should know
- yahoo/check-log4j To determine if a host is vulnerable to log4j CVE-2021-44228
- welivesecurity.com: What every business leader should know about Log4Shell Hundreds of thousands of attack attempts seeking to exploit the vulnerability are being detected.
- genbeta.com: "The internet is on fire": Cloudflare has detected more than 24,600 attacks per minute exploiting the Log4Shell vulnerability
- dynatrace.com: Log4Shell vulnerability
- Maelstromage/Log4jSherlock Log4j Scanner coded in PowerShell, so you can run it in Windows! This tool scans for JAR, WAR, EAR, JPI and HPI files that contain the affected JndiLookup.class, even in nested files. It searches nested files for the affected JNDI class, pulls the version, and reports in CSV, JSON and txt log; it also reports errors (e.g. access issues to folders where files could be missed).
- blog.mimacom.com: A Summary of log4j Exploit in a Log4shell - What Happened and What You Can Do About It
- cyberscoop.com: The Log4j flaw is the latest reminder that quick security fixes are easier said than done
- vpnranks.com: Belgian Defense Ministry Under Cyber Attack Due to Log4j Vulnerability
- dynatrace.com: Log4Shell vulnerability discovery and mitigation require automatic and intelligent observability
- thenewstack.io: Yet Another Log4j Security Problem Appears
- cisagov/log4j-scanner log4j-scanner is a project derived from other members of the open-source community by CISA to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities.
- venturebeat.com: What Log4Shell teaches us about open source security
- tanzu.vmware.com: Log4Shell Vulnerability Spotlights the Importance of Adopting Trusted Open Source Software Providers for the Enterprise
- google/log4jscanner A log4j vulnerability filesystem scanner and Go package for analyzing JAR files.
- thehackernews.com: Microsoft Warns of Continued Attacks Exploiting Apache Log4j Vulnerabilities
- zdnet.com: Log4j: Google and IBM call for list of critical open source projects After attending a meeting at the White House, Google also proposed creating an organization to serve as a marketplace for open source maintenance.
Powershell
- it.slashdot.org: And the Top Source of Critical Security Threats Is…PowerShell Microsoft’s CLI management tool was the source of more than a third of critical security threats detected by Cisco in the second half of 2020, according to eSecurity Planet.
Nmap scripts
- therecord.media: UK government plans to release Nmap scripts for finding vulnerabilities
- ncsc.gov.uk: Introducing Scanning Made Easy Trial project makes vulnerability scanning easier.
Let’s Encrypt SSL certificates
WAF Web Application Firewall
More Security Tools
- zdnet.com: Google releases new open-source security software program: Scorecards How safe is that open-source software in the Git library, the one with the questionable history? Scorecard 2.0 can quickly tell you just how secure, or not, it really is.
- sysadminxpert.com: How to do Security Auditing of CentOS System Using Lynis Tool
- tryhackme.com: Metasploit: Introduction An introduction to the main components of the Metasploit Framework. Metasploit is a powerful tool that can support all phases of a penetration testing engagement
- bridgecrew The codified cloud security platform for developers. Complete security and compliance visibility streamlined into developer-friendly workflows.
- curiefense/curiefense Curiefense extends Envoy proxy to defend against a variety of threats, including SQL and command injection, cross site scripting (XSS), account takeovers (ATOs) and more
- socket.dev: Introducing Socket Socket’s mission is to make open source safer. A platform that protects your most critical apps from software supply chain attacks.
- itbusinessedge.com: Okta vs. Azure AD: IAM Tool Comparison
- deepfence/ThreatMapper Open source cloud native security observability platform. Linux, K8s, AWS Fargate and more. ThreatMapper hunts for vulnerabilities in your production platforms and ranks these vulnerabilities based on their risk of exploitation. You can then prioritize the issues that present the greatest risk to the security of your applications.
- github.com/goauthentik/authentik authentik is an open-source Identity Provider focused on flexibility and versatility
- github.com/openappsec/openappsec open-appsec provides preemptive web app & API threat protection against OWASP-Top-10 and zero-day attacks. It can be deployed as an add-on to Kubernetes Ingress, NGINX, Envoy and API Gateways.
- Microsoft Security Copilot
- github.com/prowler-cloud/prowler Prowler is an Open Source Security tool for AWS, Azure and GCP to perform Cloud Security best practices assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more.
Videos
End to End Encryption Explained#infosec #cybersecurity #pentesting #oscp #informationsecurity #hacking #cissp #redteam #technology #DataSecurity #CyberSec #Hackers #tools #bugbountytips #Linux #infosec #itsecurity #cybersecuritytips #securitybreach #encryption pic.twitter.com/eejf8JL9VF
— Shubham Sharma (@Shubham_pen) February 13, 2022
Critical Log Review Checklist For Security Incidents - by @SANSInstitute #infosec #cybersecurity #pentesting #oscp #informationsecurity #hacking #cissp #redteam #technology #DataSecurity #CyberSec #Hackers #tools #bugbountytips #Linux #infosec #itsecurity #cybersecuritytips pic.twitter.com/4zWIq1pkYO
— Shubham Sharma (@Shubham_pen) February 13, 2022