Security and DevSecOps. Container Security

Introduction

Kubernetes Security Compliance Frameworks

  • armosec.io: Kubernetes Security Compliance Frameworks 🌟
    • The challenge of administering security and maintaining compliance in a Kubernetes ecosystem is typically the same: an increasingly dynamic, changing landscape, whether that means new approaches to cyberattacks or adapting to changing regulations. Kubernetes security requires a complex and multifaceted approach, since an effective strategy needs to:
      • Ensure clean code
      • Provide full observability
      • Prevent the exchange of information with untrusted services
      • Produce digital signatures for clean code and trusted applications
    • Since Kubernetes follows a loosely coupled architecture, securing the ecosystem involves a cross-combination of best practices, tools, and processes. It is also recommended to consider frameworks that issue specific guidelines for easing the complexity of administering the security and compliance of a Kubernetes ecosystem. Such frameworks help organizations create flexible, iterative, and cost-effective approaches to keeping clusters and applications safe and compliant while ensuring optimum performance. A typical framework’s guidance on Kubernetes security and compliance should essentially consider:
      • Architecture best practices
      • Security within CI/CD pipelines
      • Resource protection
      • Container runtime protection
      • Supply chain security
      • Network security
      • Vulnerability scanning
      • Secrets management and protection

Zero Trust Security

Authentication and Authorization

Quality Gates

16 Gates

  • medium: Focusing on the DevOps Pipeline 🌟 Delivering High Quality Working Software Faster with Agile DevOps. At Capital One, we design pipelines using the concept of the “16 Gates”. These are our guiding design principles and they are:
    • Source code version control
    • Optimum branching strategy
    • Static analysis
    • More than 80% code coverage
    • Vulnerability scan
    • Open source scan
    • Artifact version control
    • Auto provisioning
    • Immutable servers
    • Integration testing
    • Performance testing
    • Build deploy testing automated for every commit
    • Automated rollback
    • Automated change order
    • Zero downtime release
    • Feature toggle
  • github.com/hygieia/Hygieia 🌟 CapitalOne DevOps Dashboard

Kubernetes Threat Modelling

Kubernetes Config Security Threats

Security Linting on Kubernetes

IaC and Security

Multi-Level Security (MLS) vs Multi-Category Security (MCS). Make Secure Pipelines with Podman and Containers

Project Calico

The Falco Project

Security Patterns for Microservice Architectures

Anchore Container Security Solutions for DevSecOps

Twistlock and Threat Stack Container Security

OWASP

Source Code Audit

  • securecoding.com: Code Audit: How to Ensure Compliance for an Application A source code audit is a process of analyzing the source code of an application with the objective of discovering security vulnerabilities, security design problems, and places of potential improvement in programming practices. After the analysis, a report is generated that is used to implement a range of measures that guarantee the security and reliability of the code. Code audits can be carried out in parallel with penetration tests. They can test the exploitability of code vulnerabilities to better estimate the risk they pose. Ideally, code audits are performed throughout the application lifecycle. The faster a vulnerability is discovered, the easier it is to fix!

StackRox

Secure Container Based CI/CD Workflows. Vulnerability Scanner for Container Images

Securing Kubernetes With Anchore

Secure Containers with Notary or Cosign

GitHub security

Databases in DMZ and Intranet

Removing Credentials From Git Repo

Pentesting

SQL Injection

Credential Managers

keycloak

Git Credential Manager Core

Secrets Management

AWS Secret Manager

Password Hashing

Store private data in git repo

HashiCorp Vault

HashiCorp Vault Agent

Azure Key Vault

CyberArk and Ansible

CyberArk Conjur

SOPS for Kubernetes

Kapitan

Alternatives with Kubernetes External Secrets

Serverless Security Best Practices

Docker Images & Container Security

Sigstore

Container security best practices

Pod Security Policies

Kubernetes Network Policies

Static Analysis SAST

Kubernetes Security Tools

Helm Charts Security. Helm Secrets

Password Recovery

Attacks on Kubernetes via Misconfigured Argo Workflows

Network Intrusion Tools

Other Security Tools

Torq. No code Security Automation

Books

CVEs

Log4j Log4Shell

Powershell

Nmap scripts

Let’s Encrypt SSL certificates

More Security Tools