DevSecOps and Security. Container Security

Introduction

Kubernetes Security Compliance Frameworks

  • armosec.io: Kubernetes Security Compliance Frameworks 🌟
    • The challenge of administering security and maintaining compliance in a Kubernetes ecosystem is typically the same: an increasingly dynamic, changing landscape, be it new approaches to cyberattacks or adherence to changing regulations. Kubernetes security requires a complex and multifaceted approach, since an effective strategy needs to:
      • Ensure clean code
      • Provide full observability
      • Prevent the exchange of information with untrusted services
      • Produce digital signatures for clean code and trusted applications
    • Since Kubernetes follows a loosely coupled architecture, securing the ecosystem involves a cross-combination of best practices, tools, and processes. It is also recommended to consider frameworks that issue specific guidelines for easing the complexity of administering the security and compliance of a Kubernetes ecosystem. Such frameworks help organizations create flexible, iterative, and cost-effective approaches to keeping clusters and applications safe and compliant while ensuring optimum performance. A typical framework’s guidance on Kubernetes security and compliance should essentially consider:
      • Architecture best practices
      • Security within CI/CD pipelines
      • Resource protection
      • Container runtime protection
      • Supply chain security
      • Network security
      • Vulnerability scanning
      • Secrets management and protection

Zero Trust Security

Authentication and Authorization

Quality Gates

16 Gates

  • medium: Focusing on the DevOps Pipeline 🌟 Delivering High Quality Working Software Faster with Agile DevOps. At Capital One, we design pipelines using the concept of the “16 Gates”. These are our guiding design principles, and they are:
    • Source code version control
    • Optimum branching strategy
    • Static analysis
    • More than 80% code coverage
    • Vulnerability scan
    • Open source scan
    • Artifact version control
    • Auto provisioning
    • Immutable servers
    • Integration testing
    • Performance testing
    • Build deploy testing automated for every commit
    • Automated rollback
    • Automated change order
    • Zero downtime release
    • Feature toggle
  • github.com/hygieia/Hygieia 🌟 CapitalOne DevOps Dashboard

Kubernetes Threat Modelling

Kubernetes Config Security Threats

Security Linting on Kubernetes

IaC and Security

Multi-Level Security (MLS) vs Multi-Category Security (MCS). Make Secure Pipelines with Podman and Containers

Project Calico

The Falco Project

Security Patterns for Microservice Architectures

Anchore Container Security Solutions for DevSecOps

Twistlock and Threat Stack Container Security

OWASP

Source Code Audit

  • securecoding.com: Code Audit: How to Ensure Compliance for an Application A source code audit is a process of analyzing the source code of an application with the objective of discovering security vulnerabilities, security design problems, and places of potential improvement in programming practices. After the analysis, a report is generated that is used to implement a range of measures that guarantee the security and reliability of the code. Code audits can be carried out in parallel with penetration tests. They can test the exploitability of code vulnerabilities to better estimate the risk they pose. Ideally, code audits are performed throughout the application lifecycle. The faster a vulnerability is discovered, the easier it is to fix!

StackRox

Secure Container Based CI/CD Workflows. Vulnerability Scanner for Container Images

Securing Kubernetes With Anchore

Secure Containers with Notary or Cosign

GitHub security

Databases in DMZ and Intranet

Removing Credentials From Git Repo

Pentesting

SQL Injection

Credential Managers

keycloak

Git Credential Manager Core

Secrets Management

Anti Patterns. Wrong Secrets

  • commjoen/wrongsecrets: OWASP WrongSecrets Examples with how to not use secrets. Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.

AWS Secret Manager

Password Hashing

Store private data in git repo

HashiCorp Vault

HashiCorp Vault Agent

Azure Key Vault

CyberArk and Ansible

CyberArk Conjur

SOPS for Kubernetes

AKS Secrets

  • mehighlow.medium.com: Hardened-AKS/Secrets Commonly, an application requires access to data and, usually, such access must be restricted. So, you need to provide your pod/deployment/replicaSet/DaemonSet with secrets. Learn how you can do so in AKS

Kapitan

Alternatives with Kubernetes External Secrets

Serverless Security Best Practices

Docker Images & Container Security

Sigstore

Container security best practices

Pod Security Policies

Kubernetes Network Policies

Static Analysis SAST

Kubernetes Security Tools

Helm Charts Security. Helm Secrets

Password Recovery

Attacks on Kubernetes via Misconfigured Argo Workflows

PKI

  • devops.com: How to Automate PKI for DevOps With Open Source Tools The ultimate goal of PKI for DevOps is to provision PKI credentials for business applications without hard-coded secrets, which is one less risk to concern the security team. The goal of DevOps for PKI is to automatically deploy a completely configured PKI solution, which is one less roadblock for DevOps teams.

Network Intrusion Tools

Other Security Tools

Torq. No code Security Automation

Books

CVEs

Log4j Log4Shell

Powershell

Nmap scripts

Let’s Encrypt SSL certificates

WAF Web Application Firewall

More Security Tools

Videos

Twitter
