Skip to content

DevSecOps and Security. Container

  1. Introduction
  2. Kubernetes Security Compliance Frameworks
  3. Zero Trust Security
  4. Authentication and Authorization
    1. OpenID Connect and OAuth 2.0
  5. Quality Gates
  6. 16 Gates
  7. Kubernetes Threat Modelling
  8. Kubernetes Config Security Threats
    1. Kubernetes Ingress Security
  9. Security Linting on Kubernetes
  10. IaC and Security
  11. Multi-Level Security (MLS) vs Multi-Category Security (MCS). Make Secure Pipelines with Podman and Containers
  12. Project Calico
  13. The Falco Project
  14. Security Patterns for Microservice Architectures
  15. Anchore Container Security Solutions for DevSecOps
  16. Twistlock and Threat Stack Container Security
  17. OWASP
  18. Source Code Audit
  19. StackRox
  20. Secure Container Based CI/CD Workflows. Vulnerability Scanner for Container Images
    1. Securing Kubernetes With Anchore
    2. Container Signing. Secure Containers with Notary or Cosign
  21. GitHub security
  22. Databases in DMZ and Intranet
  23. Removing Credentials From Git Repo
  24. Pentesting
  25. SQL Injection
  26. Credential Managers
    1. keycloak
    2. Git Credential Manager Core
  27. Secrets Management
    1. Anti Patterns. Wrong Secrets
    2. AWS Secret Manager
    3. Password Hashing
    4. Store private data in git repo
    5. HashiCorp Vault
      1. HashiCorp Vault Agent
    6. Azure Key Vault
    7. CyberArk and Ansible
    8. CyberArk Conjur
    9. SOPS for Kubernetes
    10. AKS Secrets
    11. Kapitan
    12. Alternatives with Kubernetes External Secrets
    13. Bitwarden
  28. Serverless Security Best Practices
  29. Docker Images and Container Security
    1. Sigstore
    2. Container security best practices
  30. Pod Security Policies
  31. Kubernetes Network Policies
  32. Static Analysis SAST
  33. Kubernetes Security Tools
  34. Helm Charts Security. Helm Secrets
  35. Password Recovery
  36. Attacks on Kubernetes via Misconfigured Argo Workflows
  37. PKI
  38. Network Intrusion Tools
  39. Other Security Tools
    1. Torq. No code Security Automation
    2. Security-Guard
  40. Books
  41. CVEs
    1. Log4j Log4Shell
  42. Powershell
  43. Nmap scripts
  44. Let’s Encrypt SSL certificates
  45. WAF Web Application Firewall
  46. More Security Tools
  47. Videos
  48. Twitter

Introduction

Kubernetes Security Compliance Frameworks

  • armosec.io: Kubernetes Security Compliance Frameworks ๐ŸŒŸ
    • The challenge of administering security and maintaining compliance in a Kubernetes ecosystem is typically the same: an increasingly dynamic, changing landscape, be it new approaches of cyberattacks or adhering to changing regulations. Kubernetes security requires a complex and multifaceted approach since an effective strategy needs to:
      • Ensure clean code
      • Provide full observability
      • Prevent the exchange of information with untrusted services
      • Produce digital signatures for clean code and trusted applications
    • Since Kubernetes follows a loosely coupled architecture, securing the ecosystem involves a cross-combination of best practices, tools, and processes. It is also recommended to consider frameworks that issue specific guidelines for easing the complexity of administering the security and compliance of a Kubernetes ecosystem. Such frameworks help organizations create flexible, iterative, and cost-effective approaches to keeping clusters and applications safe and compliant while ensuring optimum performance. A typical frameworkโ€™s guidance on Kubernetes security and compliance should essentially consider:
      • Architecture best practices
      • Security within CI/CD pipelines
      • Resource protection
      • Container runtime protection
      • Supply chain security
      • Network security
      • Vulnerability scanning
      • Secrets management and protection

Zero Trust Security

Authentication and Authorization

OpenID Connect and OAuth 2.0

Quality Gates

16 Gates

  • medium: Focusing on the DevOps Pipeline ๐ŸŒŸ Delivering High Quality Working Software Faster with Agile DevOps. At Capital One, we design pipelines using the concept of the โ€œ16 Gatesโ€. These are our guiding design principles and they are:
    • Source code version control
    • Optimum branching strategy
    • Static analysis
    • More than 80% code coverage
    • Vulnerability scan
    • Open source scan
    • Artifact version control
    • Auto provisioning
    • Immutable servers
    • Integration testing
    • Performance testing
    • Build deploy testing automated for every commit
    • Automated rollback
    • Automated change order
    • Zero downtime release
    • Feature toggle
  • github.com/hygieia/Hygieia ๐ŸŒŸ CapitalOne DevOps Dashboard

Kubernetes Threat Modelling

Kubernetes Config Security Threats

Kubernetes Ingress Security

Security Linting on Kubernetes

IaC and Security

Multi-Level Security (MLS) vs Multi-Category Security (MCS). Make Secure Pipelines with Podman and Containers

Project Calico

The Falco Project

Security Patterns for Microservice Architectures

Anchore Container Security Solutions for DevSecOps

Twistlock and Threat Stack Container Security

OWASP

Source Code Audit

  • securecoding.com: Code Audit: How to Ensure Compliance for an Application A source code audit is a process of analyzing the source code of an application with the objective of discovering security vulnerabilities, security design problems, and places of potential improvement in programming practices. After the analysis, a report is generated that is used to implement a range of measures that guarantee the security and reliability of the code. Code audits can be carried out in parallel with penetration tests. They can test the exploitability of code vulnerabilities to better estimate the risk they pose. Ideally, code audits are performed throughout the application lifecycle. The faster a vulnerability is discovered, the easier it is to fix!

StackRox

Secure Container Based CI/CD Workflows. Vulnerability Scanner for Container Images

Securing Kubernetes With Anchore

Container Signing. Secure Containers with Notary or Cosign

GitHub security

Databases in DMZ and Intranet

Removing Credentials From Git Repo

Pentesting

SQL Injection

Credential Managers

keycloak

Git Credential Manager Core

Secrets Management

Anti Patterns. Wrong Secrets

  • commjoen/wrongsecrets: OWASP WrongSecrets Examples with how to not use secrets. Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.

AWS Secret Manager

Password Hashing

Store private data in git repo

HashiCorp Vault

HashiCorp Vault Agent

Azure Key Vault

CyberArk and Ansible

CyberArk Conjur

SOPS for Kubernetes

AKS Secrets

  • mehighlow.medium.com: Hardened-AKS/Secrets Commonly, an application requires access to data and, usually, such access must be restricted. So, you need to provide your pod/deployment/replicaSet/DaemonSet with secrets. Learn how you can do so in AKS

Kapitan

Alternatives with Kubernetes External Secrets

Bitwarden

Serverless Security Best Practices

Docker Images and Container Security

Sigstore

Container security best practices

Pod Security Policies

Kubernetes Network Policies

Static Analysis SAST

Kubernetes Security Tools

Helm Charts Security. Helm Secrets

Password Recovery

Attacks on Kubernetes via Misconfigured Argo Workflows

PKI

  • devops.com: How to Automate PKI for DevOps With Open Source Tools The ultimate goal of PKI for DevOps is to provision PKI credentials for business applications without hard-coded secrets, which is one less risk to concern the security team. The goal of DevOps for PKI is to automatically deploy a completely configured PKI solution, which is one less roadblock for DevOps teams.

Network Intrusion Tools

Other Security Tools

Torq. No code Security Automation

Security-Guard

Books

CVEs

Log4j Log4Shell

Powershell

Nmap scripts

Let’s Encrypt SSL certificates

WAF Web Application Firewall

More Security Tools

Videos

Click to expand!

Twitter

Click to expand!