Policies as code is a powerful tool to test and validate your configuration.
And probably one of the most famous engines for policies as code is OPA aka Open Policy Agent.
The beautiful part of it is that it’s kind of platform agnostic, i.e. there are tools that implement OPA for different things. Therefore, OPA policies are usually not limited to a single application.
The hard part of OPA is that it uses the Rego language, which is not quite similar to the popular general purpose programming languages. If you paid attention to languages like Prolog at school, Rego might not be a big issue for you.
However, if you don’t remember those classes or didn’t have them at all (like myself, he-he), this article on how to get started with Rego might be helpful for you!
#opa #policy #security
Getting Started with Rego Policies
A few tips and tricks to get you up and running with Rego, a declarative language for writing authorization policies.
Here is a brief and neat comparison between External Secrets Operator and Secret Storage CSI for Kubernetes.
Both tools allow one to fetch secrets from an external storage like HashiCorp Vault. However, they work a little bit differently: while ESO creates a k8s Secret based on the external one, SSC mounts a secret as a CSI volume.
You may ask, why use one of these if Banzai Bank Vaults exists? Well, not everyone uses HashiCorp Vault. Also, in case you have multiple secret storages (for whatever reason), one of these tools may be a good solution to reduce the footprint for secrets management.
#kubernetes #security
Medium
Comparing External Secrets Operator with Secret Storage CSI as Kubernetes External Secrets is Deprecated
Hello. This is riddle from SRE Group, Development Division of mixi, Inc.
This is pure Friday material, but I totally forgot about this one yesterday.
So, a systemd security patch broke DNS on Azure VMs on the 30th of August.
Here’s the bug report.
This only affected the Ubuntu 18.04 version, which is extremely popular, TBH.
Well, shit happens. Yet, the worrisome part of this story is that according to The Register:
> Azure is recommending that Ubuntu 18.04 users disable automatic security updates for the time being.
#azure #security #dns
The Register
Ubuntu Linux 18.04 systemd security patch breaks DNS in Microsoft Azure
Snafu disrupts VMs as cloud giant offers workarounds
Uber apparently has been hacked.
There are not many details in the mainstream tech press, and there’s no official write-up yet, only a tweet about the incident.
However, here’s an interesting Twitter thread about the scope of the attack (the scope is huge!).
If you prefer a web page view, here’s the same thread via the Unroll app.
The key takeaways from that thread:
- Rely on phishing-resistant MFA such as hardware keys
- Pay as much attention to your internal network as to the public facing interfaces
#security
CNN
Uber investigating ‘cybersecurity incident’ after hacker claims to access internal systems
Uber said Thursday that it was investigating a "cybersecurity incident" after a hacker shared evidence that they had breached the ride-hailing giant's computer systems with journalists and security researchers.
A list of security tools for AWS. It has defensive, offensive and auditing tools.
This list is really huge, so I’m pretty sure that if you’re working on hardening your AWS setup, you’ll find something interesting for you there.
#security #aws
GitHub
GitHub - toniblyx/my-arsenal-of-aws-security-tools: List of open source tools for AWS security: defensive, offensive, auditing…
List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc. - toniblyx/my-arsenal-of-aws-security-tools
It looks like on Tuesday, Nov 1st, we will need to patch OpenSSL 3.x.x.
A critical vulnerability has been found in OpenSSL versions 3.0.0 through 3.0.6. So, older versions are likely not affected by this problem.
Yet, Ubuntu 22.04 and RHEL 9.x have OpenSSL 3.x.x, hence require an upgrade.
The same news from another source.
#security
ZDNET
OpenSSL warns of critical security vulnerability with upcoming patch
We don't have the details yet, but we can safely say that come Nov. 1, everyone -- and I mean everyone -- will need to patch OpenSSL 3.x.
So, recently I posted about the TLS vulnerability that was patched on the 1st of November.
Here someone gathered a list of affected operating systems and patched version references.
Make sure to check if you’re covered!
#security #tls
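A quick way to do the check the two OpenSSL posts above ask for: the shell function below (an added example, not from the CatOps posts or the linked list) parses an OpenSSL version string, strips distro suffixes, and reports whether it falls in the 3.0.0 through 3.0.6 range the posts name as affected. The `installed_openssl_version` helper is an assumption about how you would feed it the version of the `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version against the affected range
# 3.0.0 .. 3.0.6 stated in the post. Exit status: 0 = affected,
# 1 = not affected, 2 = version string could not be parsed.
openssl_version_affected() {
    ver="$1"
    # Keep only the leading numeric part, e.g. "3.0.2-0ubuntu1.7" -> "3.0.2",
    # "1.1.1f" -> "1.1.1"
    ver=$(printf '%s' "$ver" | sed 's/^[^0-9]*//; s/[^0-9.].*$//')
    # Require major.minor.patch; anything shorter is malformed input
    case "$ver" in
        *.*.*) ;;
        *) return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}
    # Affected iff 3.0.0 <= version <= 3.0.6
    [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]
}

# Assumed helper: read the version of the openssl binary on PATH.
# "openssl version" prints e.g. "OpenSSL 3.0.2 15 Mar 2022"; field 2 is the version.
installed_openssl_version() {
    openssl version 2>/dev/null | awk '{print $2}'
}

# Usage (only runs when executed directly, not when sourced by a test):
if [ "${0##*/}" = "check_openssl.sh" ]; then
    v=$(installed_openssl_version)
    if openssl_version_affected "$v"; then
        echo "OpenSSL $v is in the affected range 3.0.0-3.0.6: upgrade"
    else
        echo "OpenSSL $v is outside the affected range"
    fi
fi
```

Note that the check only covers the range stated in the post; a patched build reports 3.0.7 or later, and distro backports that keep an old version number must be verified against the vendor's advisory instead.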
Telegram
CatOps
It looks like on Tuesday, Nov 1st, we will need to patch OpenSSL 3.x.x.
A critical vulnerability has been found in OpenSSL versions 3.0.0 through 3.0.6. So, older version are likely not affected by this problem.
Yet, Ubuntu 22.04 and RHEL 9.x have OpenSSL…
Disk encryption in AWS is close to useless and potentially harmful.
No, it’s not like AWS is going to do anything with your data.
tl;dr: Encryption at rest protects you from cases when someone steals your disk. However, such an attack vector is so hard in a cloud environment that it’s completely worthless for an attacker.
However, correctly implementing encryption at rest will take time and effort that you could put into real risk mitigation and security hardening instead.
#security #aws
Mellow Root
Disk encryption in AWS is close to useless and potentially harmful
Security theater is the practice of taking security measures that are considered to provide the feeling of improved security while doing little or nothing to...
A couple of days ago I attended a CNCF meetup here in Berlin (full recording is available on YouTube). So, I want to share some things that were presented there.
- NeuVector - an open-source security solution for Kubernetes recently bought by SUSE. It has a UI, so one can do click-ops if they want, but one can then export all the rules into custom definitions and apply them in any other cluster. Obviously, you can configure NeuVector using only YAML as well. Feel free to explore their GitHub, although the website has more information about the tool.
- Tetragon - another real-time observability/security tool based on eBPF by the developers of Cilium. It doesn’t do CVE scans like NeuVector, but provides some real-time visibility and rule enforcement. Also, it doesn’t have a fancy UI.
- Cilium service mesh. It’s also based on eBPF. Check it out if you want to have a service mesh but aren’t sure about heavyweight solutions like Istio.
- Despite the several Cilium-based tools I mentioned before, the second talk was about Cilium Cluster Mesh. It’s not new, but this solution looks very promising, especially if you’re running multiple clusters for HA or multi-region purposes.
#Kubernetes #security #networking
YouTube
Kubernetes & Cloud Native Berlin Meetup New Year Edition
Welcome to the live stream of the Kubernetes & Cloud Native Berlin Meetup - Jan 2023. Doors open for the in person meet up at 5 pm. The talks will begin at 6 pm, so stay tuned.
Find more information here: https://www.meetup.com/berlin-kubernetes-meetup…
Your SSO session can be stolen.
At least Grammarly, together with their white-hat partner, prepared an internal phishing attack and got access to their OTP-protected SSO session.
As a result, they chose to move to FIDO2 to eliminate that attack vector.
More about the attack and why they chose FIDO2 is in Part 1.
Implementation and problems are covered in Part 2.
#security