Author Teiva Harsanyi explains the advantages of the Go programming language for DevOps and cloud projects -- and how to avoid common pitfalls.
Software developer and consultant Daniel North gives his thoughts on common testing errors and how to simplify policy.
For all the talk and how-to guides about DevSecOps, it’s surprising how few organizations have actually managed to implement it and see tangible benefits. To learn why, we’ve asked Invicti application security experts Suha Akyuz and Dan Murphy to name the five most common mistakes that organizations make when attempting DevSecOps.
In this week's real-time analytics news: A paper by Arm, Intel, and NVIDIA describes a specification with a common format for AI training and inference.
The most common threat to business security is accidental firewall and cloud security group misconfiguration. Manual rule and policy management of complex ground-to-cloud networks introduces countless opportunities for error, and many breaches begin with attackers taking advantage of this low-hanging fruit. Time-consuming manual changes, fragmented ownership, and policy clutter all contribute to poor policy hygiene. Centralizing…
The Akuity Platform enables more secure and scalable Kubernetes application delivery, via a simple SaaS platform SUNNYVALE, Calif.–(BUSINESS WIRE)–Akuity.io, the enterprise company for Argo, today announced the general availability of the Akuity Platform, a fully-managed SaaS service for simpler, safer and faster Kubernetes application delivery, using Argo. Kubernetes, Argo and GitOps are essential to modern…
TEL AVIV, Israel (PRWEB) September 14, 2022 -- Jit and Bennetts share a common DevSecOps vision of empowering developers to build secure apps from Day Zero; Jit leverages ZAP, one of a growing list of open source tools Jit supports, and makes it easy for developers to build security into their products at the speed required for modern code development.
A look at why environment-specific Docker images are a valid solution to a number of common deployment concerns.
What Security Controls Do I Need for My Kubernetes Cluster?
brooke.crothers, Tue, 07/19/2022 - 18:10

With increased adoption, heightened risks

The majority (88%) of IT decision makers are exploring Kubernetes and containers, according to 2021 data from New Relic. However, as with any technology, new security concerns are emerging. A Red Hat survey of Kubernetes adoption and security showed that:
- 55% of DevOps teams delayed an application release due to security issues
- 93% of developers experienced at least one Kubernetes security incident in the past year
- 46% say misconfiguration is the top security concern

The main risks facing Kubernetes production environments can be summarized as follows.

Compromised images. Images should always be scanned before they are used to create containers in a cluster. Scanning finds known vulnerabilities; it does not prove that an image has not been tampered with between build and deploy, which requires signing images and pinning them by digest. Organizations should implement governance policies that ensure images are securely built, stored in trusted registries, and admitted to the cluster only from those registries.

Compromised containers or malicious traffic. Containers and pods need to communicate with each other as part of normal operations, and by default Kubernetes places no restriction on pod-to-pod traffic. A breached container can therefore reach every other pod and service in the cluster unless a NetworkPolicy limits it.

Lack of visibility. Visibility is critical to keeping Kubernetes clusters secure, but it is hard to gain and maintain in containerized environments because of the large number of containers, their dynamic and ephemeral nature, and their deployment across multi-cloud environments.

Misconfigurations or insecure defaults. Kubernetes provides a wide range of controls that can secure clusters and applications, but its defaults favour ease of use over security: pod-to-pod traffic is open, pods may run as root, and Secrets are stored in etcd unencrypted unless encryption at rest is configured. Misconfiguration of secrets management is another concern. Kubernetes Secrets hold sensitive data such as keys and credentials. Many developers instead pass secrets as environment variables or hardcode them into images. Environment variables are visible to anyone who can inspect the process and tend to leak into logs and crash dumps, and a value baked into an image can be recovered by anyone who can pull it. Secrets should be kept as Secret objects, mounted only into the workloads that need them, encrypted at rest, and protected with RBAC so that only authorized identities can read them.

Compliance. Achieving compliance in cloud-native environments is a highly challenging endeavour. To achieve compliance, organizations are usually required to implement certain security measures, which means enforcing best practices, benchmarks and industry standards, as well as internal organizational policies.

Authenticate your K8s clusters with machine identities

To address the above challenges, organizations need to implement a series of policies and controls to secure their clusters. These controls include defining network policies, enforcing pod security standards (PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; Pod Security Admission is its replacement) and managing Kubernetes Secrets. Beyond these controls, organizations must focus on controlling access to their clusters. The primary access point for a Kubernetes cluster is the Kubernetes API, so both developers and services accessing the API must be authenticated and authorized. Controlling and limiting who can access the cluster, and what actions they are allowed to perform, is the first line of defense.

TLS all your API traffic

Kubernetes expects all API communication in the cluster to be encrypted with TLS. Most cluster installation methods create the necessary certificates and distribute them to the cluster components. Clients should verify the API server's certificate against the cluster CA rather than disabling verification (for example with kubectl's --insecure-skip-tls-verify), and internal endpoints such as the kubelet and etcd should also be configured for TLS with client authentication, not just the API server.

API authentication

API authentication covers both humans and clients accessing the API. For humans, choose strong verification based on multifactor authentication, typically by federating to an external identity provider via OIDC rather than handing out long-lived client certificates, which Kubernetes cannot revoke. The principle of least privilege is crucial.

Besides humans, you must also authenticate all API clients, including infrastructure components such as nodes, proxies, the scheduler and volume plugins. These clients typically use service account tokens or X.509 client certificates that are created automatically at cluster startup or set up during installation. Setting up an effective, flexible and scalable machine identity management program is the cornerstone of validating the authenticity of these machines.

API authorization

Once authenticated, every API call passes an authorization check. Kubernetes ships with an integrated Role-Based Access Control (RBAC) component that matches the authenticated user, group or service account to a set of permissions bundled into roles. A Role or ClusterRole lists permissions as verbs (get, list, create, delete) on resources (pods, services, nodes); a RoleBinding or ClusterRoleBinding grants that role to subjects. Roles and RoleBindings are namespace-scoped, ClusterRoles and ClusterRoleBindings are cluster-scoped. As with authentication, simple and broad roles may be appropriate for a small cluster, but as more users interact with it, teams should be separated into their own namespaces with more limited roles, and broad grants such as cluster-admin or wildcard verbs reserved for a few audited identities.

The solution to many of these challenges is to employ a common service for certificates, via an API that is integrated with DevOps tooling. Venafi-as-a-Service integrates with Kubernetes and Jetstack cert-manager to improve the security and availability of your clusters, ensure compliance, and accelerate software development by reducing complexity. Combining Venafi and cert-manager lets DevOps engineers use a variety of CAs within Kubernetes through a single integration. Start your free trial today and begin your path to securing your containerized applications and multi-cloud environments.
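The controls discussed in this section, as an added example that is not code from the original post or from Venafi: one manifest set that hardens a single hypothetical namespace with Pod Security Admission, a default-deny NetworkPolicy plus the one allow rule the architecture needs, a Secret delivered as a mounted file instead of an environment variable, and a namespace-scoped Role bound to a team group instead of a cluster-wide grant. The names ("payments", "api", "db", "db-creds", the group "payments-devs"), the internal registry and the image digest are placeholders, not values from the page.

```yaml
# Added example (not the original post's or Venafi's code): a per-namespace
# baseline for the controls above. All names and the digest are placeholders.
---
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    # Pod Security Admission (replaces PodSecurityPolicy): reject any pod
    # that does not meet the "restricted" profile (root, privilege escalation).
    pod-security.kubernetes.io/enforce: restricted
---
# Default deny: a pod selected by no NetworkPolicy accepts traffic from
# anywhere; the empty selector matches every pod in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: default-deny-ingress, namespace: payments}
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
---
# Re-open only what the architecture needs: api pods may reach db on 5432.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: allow-api-to-db, namespace: payments}
spec:
  podSelector: {matchLabels: {app: db}}
  policyTypes: ["Ingress"]
  ingress:
    - from: [{podSelector: {matchLabels: {app: api}}}]
      ports: [{protocol: TCP, port: 5432}]
---
# Credentials as a Secret object (base64 in etcd, so enable encryption at
# rest on the API server), never an env var or a value baked into the image.
apiVersion: v1
kind: Secret
metadata: {name: db-creds, namespace: payments}
type: Opaque
stringData: {username: api, password: REPLACE-ME}   # placeholder value
---
# Namespace-scoped RBAC for the team: read-only on pods and logs in
# "payments" only, instead of a ClusterRoleBinding to cluster-admin.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: dev-readonly, namespace: payments}
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: dev-readonly, namespace: payments}
subjects:
  - {kind: Group, name: payments-devs, apiGroup: rbac.authorization.k8s.io}
roleRef: {kind: Role, name: dev-readonly, apiGroup: rbac.authorization.k8s.io}
---
# The workload: restricted-profile settings, image pinned by digest from a
# trusted registry, no API token mounted (it never calls the API server),
# secret delivered as a read-only file rather than an environment variable.
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
  labels: {app: api}
spec:
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    seccompProfile: {type: RuntimeDefault}
  containers:
    - name: api
      image: registry.example.internal/payments/api@sha256:<digest>
      securityContext:
        allowPrivilegeEscalation: false
        capabilities: {drop: ["ALL"]}
      volumeMounts:
        - {name: db-creds, mountPath: /var/run/secrets/db, readOnly: true}
  volumes:
    - name: db-creds
      secret: {secretName: db-creds}
```

Apply with kubectl apply -f and verify the effect rather than trusting the file: kubectl auth can-i delete pods -n payments --as=alice --as-group=payments-devs should answer "no", while get pods answers "yes". Two caveats a practitioner will hit: NetworkPolicy objects are only enforced when the cluster's network plugin supports them (otherwise they are accepted and silently ignored), and kubectl get secret db-creds -n payments -o jsonpath='{.data.password}' | base64 -d shows that anyone with get on secrets in the namespace reads the value in clear, which is why the Role above deliberately omits secrets.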
Anastasios Arampatzis
The adoption of Kubernetes and container-based platforms increases the need for security to protect cloud-first initiatives. An essential component of Kubernetes security is authentication: cluster components and their clients are machines, and their communications need to be validated with machine identities to ensure integrity and confidentiality.
Learn how to install Git on Ubuntu 20.04 step by step so that you can manage your repositories quickly and easily from the command line. After installing Git, you'll be able to automate common tasks for your repositories stored on GitLab, GitHub and similar platforms.
Most machine learning project failures can be traced back to four main pitfalls. Here’s wh…
Conventional wisdom says that DevSecOps is critical to modern software and application development, but it’s not without its challenges. This Digital Dialogue between industry experts, including two VMware product managers, provides guidance on how to avoid common DevSecOps pitfalls.
Here are the six most common RDS misconfigurations related to security and compliance that DevSecOps teams should be aware of.
Docker is a technology for packaging components of your stack as isolated containers. It’s common practice to run each of your processes in its own container, creating a clean divide between components. This enhances modularity and lets you access the scalability benefits of containerization.
Enterprises need to overcome seven common DevSecOps myths that are preventing them from making the shift; here's a look at how.
Here are three common AppSec strategies businesses use to ensure more secure code.
The CDEvents project aims to establish schemas for how common CI/CD events are described throughout the pipeline.
Discover observability use cases, such as longer-term trending, to help your organization quickly identify and fix platform problems.
Docker Engine exposes a REST API which you can use to control your containers without the docker CLI. The API exposes equivalent functionality over HTTP, by default on the Unix socket /var/run/docker.sock, so you can script common Docker operations in your favourite programming language or remotely control one of your hosts. The CLI itself relies on the same API for its built-in commands. Because the API can start privileged containers with host mounts, access to the socket or to a TCP listener is equivalent to root on the host: never expose it on the network without TLS and client-certificate authentication, and treat membership of the docker group as root-equivalent.
Commissioner to device makers: 'We're not forcing anybody to enter the internal market, but if they want to do so, they must comply'…
A look at the common challenges of managing clusters at scale and best practices for securing kubectl access and authentication from anywhere.
Weekly Blog Post: At The Corner Of Cyber And Blog
Should Being Hacked Lead To A Termination Of Employment?

“What happened, people?”
“Sir, we got hacked again through the firewall. Somehow they found a vulnerability.”
“What, are you kidding me? How much do we pay that managed service provider you recommended!!”
“Sir, at any time there are more vulnerabilities than solutions.”
“Why are you only telling me this now!!”

Cybersecurity people work doctors' hours every day for half the pay, yet carry more burden, stress and anxiety than most professions. Protecting intellectual property, enabling adequate security, preventing unauthorized access to systems and maintaining the organization's security posture are always top of mind for security personnel. Every employee's job description should include a line making them a corporate-wide cybersecurity resource. Worrying about losing a job over a cyberattack should not be top of mind for a person who works in this field.

Breaches, hacks, data exfiltration and account takeovers will happen. In most attacks the breadcrumbs were dropped on the virtual ground months before the attack itself. Cybersecurity experts, and global technology companies like Cisco, Google and Amazon, have had their share of attacks. Ownership of data protection, risk management and cyber protection should not fall on one department, one engineer or one director. Cybersecurity should be viewed 100% as a "team sport": everyone in the organization is a stakeholder in the battle against cyber attacks. Yet many organizations still silo and compartmentalize cyber and IT instead of blending the whole organization into the security fabric.

Moving the Bar from Vertical to Horizontal

The good news is that, thanks to DevOps, this silo mindset is changing. Thanks to the Agile movement in product development, this mindset broke down traditional IT thinking and moved from a north/south model (Waterfall) to a horizontal one. Placing all resources and workstreams on an equal playing field promotes a "common goal" culture over the traditional blame game. Using collective sprints and workstreams, intelligent and forward-thinking organizations interweave resources from AppDev, DevOps, SecOps and NetOps to reduce overall risk, with integrated sprint cycles that include all domains rather than a single task. Organizations that have adopted the horizontal model, including additional training for everyone, see tighter security integration in each phase of product design, production and support. Companies that integrate pen-testing into an ongoing, continuous threat reduction program see fewer attacks that exploit common errors against their platforms.

No model is perfect. Even the most tightly designed security models, at the NSA, CERN, the CIA and the Bank of England, will get hacked. But leveraging the teaming model for better joint incident response, and learning from the experience as a combined team, is a much better way for organizations to function.

Everyone is a member of the Security Team.

Finger pointing, blame games and playing "dumb" will not stop future cyber attacks. Because of the complexity of a cyber event, employee negligence should not be an organization's first reaction. Companies should use audits and other checkpoints throughout the year to validate the company's resources, tools and overall effectiveness, rather than relying on one department that monitors entity behavior analytics.

A word of advice: cybersecurity professionals do more in one day than most people do, even on weekends and Super Bowl Sunday. If these valued resources feel supported by their organization, they are less likely to listen to offers from other firms. Security policy, cybersecurity systems and the handling of suspicious activity are a complete team sport, with everyone in the organization becoming part of the solution.

All the best,
John…
By sidestepping common mistakes, developers can transcend ingrained testing paradigms and elevate both quality and experience.
Threat Modeling Should Be A Team Sport
Pen-testing, vulnerability scanning, risk management and threat modeling should be one engagement.

In 2020, a group of threat modeling practitioners, researchers and authors wrote the Threat Modeling Manifesto. The manifesto contains values and principles connected to the practice and adoption of threat modeling.

Threat modeling is the process of capturing, organizing and analyzing the information that affects the security of a system, applied to the software and to the elements used to identify risk. Typical threat modeling efforts also produce a prioritized list of security improvements to an application's concept, requirements, design or implementation.

Threat modeling is a structured method of assessing the risks associated with a system or application. Developers must take the time to understand what threats exist to their system. Once they know what threats exist, they must assess the impact of each threat and decide whether any of them pose a high enough risk to warrant mitigation.

Commonalities with vulnerability scanning, pen-testing and risk management audits

Looking at each assessment method, each shares characteristics with the others:
- Form a team. This team should include all stakeholders, including business owners, developers, network architects, security experts and C-level execs.
- Establish the scope. Define and describe what the model covers. Create an inventory of all components and data and map them to the architecture.
- Determine likely threats. Build what-if exercises and threat scenarios, including threat or attack trees, to identify possible vulnerabilities or weaknesses.
- Rank each threat. Determine the level of risk each threat poses and rank them to prioritize risk mitigation.
- Implement mitigations. Decide how to mitigate each threat or reduce the risk.
- Document results. Document all findings and actions so that future changes to the application, threat landscape and operating environment are assessed and the threat model updated.

Collaboration between pen testing and threat modeling

Threat modeling teams that test applications and platforms use techniques similar to those of pen testers. Threat modeling is usually carried out by internal AppDev, DevOps and SecOps teams. Pen testers, however, are typically an external third party with the expertise for an ethical hacking engagement.

The first level of engagement is collaboration between the threat modeling team and the pen testers within the same agile sprints. While the threat modeling team is being selected, the scope defined and the expected threats documented, a white-hat third-party pen tester working with full knowledge of the target (a white-box engagement) can be a team member. Such engagements usually involve AppDev and the pen tester working together to determine a full-scope engagement; the tester is customarily granted usernames and passwords, the IP addresses of the target hosts and the testing criteria. A partnership between this tester and the internal threat modeling team produces a complete 360-degree view; without it, threat modeling results are based solely on internal knowledge.

The second level of engagement is collaboration between the threat modeling team and a pen tester working black-box, with no prior knowledge of the application or platform. SecOps, not AppDev, DevOps or NetOps, should be the internal sponsor of this engagement.

Threat modeling collaboration across the application lifecycle

Threat modeling is best applied continuously throughout a software development project. The process is essentially the same at each level of abstraction, although the information becomes more granular as the lifecycle progresses. Ideally, a high-level threat model is defined early, in the concept or planning phase, and then refined throughout the lifecycle. Updating the collaborative threat model is advisable after events such as:
- the AppDev team releases a new feature
- a security incident occurs
- architectural or infrastructure changes

This threat modeling and pen-testing collaboration workstream should be added as a business operational function for every application or variant of a platform.

Summary

In the spirit of the DevOps movement, risk management, pen-testing and vulnerability scanning should be treated as "sprints" within an agile security model supporting threat modeling engagements. Small to mid-size enterprises could save money while gaining greater insight into their environment by running these audits as a unified project instead of siloed (waterfall) work cycles. The true beneficiary of this model is the risk management team: by pulling the outputs of these sprints into a centralized, contextual risk scoring methodology, organizations can better assess the environment by cross-correlating data from pen-testing, scanning and IT audit control reviews.
A phenomenon we have encountered often, when helping companies overcome drift, is a common neglect of the entire SaaS toolchain. Learn why this is troubling.