Security and DevSecOps. Container Security
- Authentication and Authorization
- Quality Gates
- 16 Gates
- Kubernetes Threat Modelling
- Kubernetes Config Security Threats
- Security Linting on Kubernetes
- IaC and Security
- Multi-Level Security (MLS) vs Multi-Category Security (MCS). Make Secure Pipelines with Podman and Containers
- Project Calico
- Security Patterns for Microservice Architectures
- Anchore Container Security Solutions for DevSecOps
- Twistlock and Threat Stack Container Security
- Secure Container Based CI/CD Workflows. Vulnerability Scanner for Container Images
- GitHub security
- Databases in DMZ and Intranet
- Removing Credentials From Git Repo
- SQL Injection
- Credential Managers
- Secrets Management
- Serverless Security Best Practices
- Docker Images & Container Security
- Pod Security Policies
- Kubernetes Network Policies
- Static Analysis SAST
- Kubernetes Security Tools
- Helm Charts Security
- Password Recovery
- Attacks on Kubernetes via Misconfigured Argo Workflows
- More Security Tools
- fiercesw.com: DevOps vs DevSecOps
- devopszone.info: DevSecOps Explained
- linkedin: Dear Google, my data has left your building!
- snyk.io: The State of Open Source Security 2020
- managedsentinel.com: Executive View — Current and Future Cybersecurity Architecture On One Page
- Exploring the (lack of) security in a typical Docker and Kubernetes installation
- kalilinuxtutorials.com: Deploying & Securing Kubernetes Clusters
- loves.cloud: Creating a fully automated DevSecOps CI/CD Pipeline
- redhat.com: Balancing Linux security with usability. Your system should be secure, but open enough to serve its function. Here are some tips on how to strike that balance.
- thenewstack.io: Culture, Vulnerabilities and Budget: Why Devs and AppSec Disagree
- computing.co.uk: CloudBees gets busy with security, visibility and control as DevOps evolves. CEO Sacha Labourey: ‘DevOps is a pretty good proxy for what needs to happen in any organisation’
- paloaltonetworks.com: Is Your Organization Protected Against IAM Misconfiguration Risks?
- devops.com: How to Successfully Integrate Security and DevOps
- helpnetsecurity.com: How to make DevSecOps stick with developers
- blog.christophetd.fr: Shifting Cloud Security Left — Scanning Infrastructure as Code for Security Issues
- devclass.com: Docker: It’s not dead yet, but there’s a tendency to walk away, security report finds
- roxsrossve.medium.com: The path to DevSecOps
- securityboulevard.com: DevOps vs. DevSecOps – Here’s How They Fit Together
- opensource.com: How to adopt DevSecOps successfully. Integrating security throughout the software development lifecycle is important, but it’s not always easy.
- devops.com: DevSecOps Trends to Know For 2021
- devops.com: From Agile to DevOps to DevSecOps: The Next Evolution
- permission.site: How much stuff one can do from a web browser these days, scary stuff. Stay safe. Disable JS and most of it won’t work at all.
- ais.com: Leaping into DevSecOps from DevOps
- infoq.com: The Defense Department’s Journey with DevSecOps
- amazon.com: Building end-to-end AWS DevSecOps CI/CD pipeline with open source SCA, SAST and DAST tools
- infoq.com: 9 Trends That Are Influencing the Adoption of Devops and Devsecops in 2021
- addteq.com: The REAL Difference between DevOps and DevSecOps
- invensislearning.com: Difference between DevOps and DevSecOps
- techerati.com: DevSecOps: Eight tips for truly securing software
- devops.com: SecDevOps is the Solution to Cybersecurity 🌟
- techrepublic.com: DevOps is getting code released faster than ever. But security is lagging behind
- redeszone.net: Misconfiguring the cloud is to blame for most vulnerabilities
- cybersecuritydive.com: Relationships between DevOps, security warm slowly. Some hurdles stem from miscommunication, or balancing quick product releases with undesired security gaps. “Security people need developers to be more like security people and developers need security people to be more like developers.” James Arlen, CISO at Aiven.
- bbvanexttechnologies.com: DevSecOps philosophy in application development on Azure
- harness.io: Automated DevSecOps with StackHawk and Harness
- cloudify.co: Understanding DevSecOps And Its Challenges
- containerjournal.com: The What and Why of Cloud-Native Security
- sysdig.com: Top vulnerability assessment and management best practices
- thenewstack.io: Where Are You on the DevSecOps Maturity Curve?
- thenewstack.io: The Top 5 Secrets Management Mistakes and How to Avoid Them
- arsouyes.org: PKCS, pem, der, key, crt,… Interesting read on security and ssl/tls certificates
- torq.io: 5 Security Automation Examples for Non-Developers
- infoq.com: Serverless Security: What’s Left to Protect?
- dqindia.com: Secure your CI/CD pipeline with these tips from experts
- thenewstack.io: The DevSecOps Skillsets Required for Cloud Deployments
- devblogs.microsoft.com: You can’t have security for DevOps until you have DevOps for security
- goteleport.com: Anatomy of a Cloud Infrastructure Attack via a Pull Request
- cncf/tag-security: CNCF Security Technical Advisory Group 🌟 Secure access, policy control, privacy, auditing, explainability and more!
- enterprisersproject.com: 5 DevSecOps open source projects to know Teams that embrace the DevSecOps approach make security an integral part of the entire application life cycle. These open source projects aim to help
Authentication and Authorization
- dzone: DevOps Pipeline Quality Gates: A Double-Edged Sword. In theory, quality gates seem like a no-brainer, but they do come with a catch.
- medium: Focusing on the DevOps Pipeline 🌟 Delivering High Quality Working Software Faster with Agile DevOps. At Capital One, we design pipelines using the concept of the “16 Gates”. These are our guiding design principles, and they are:
- Source code version control
- Optimum branching strategy
- Static analysis
- More than 80% code coverage
- Vulnerability scan
- Open source scan
- Artifact version control
- Auto provisioning
- Immutable servers
- Integration testing
- Performance testing
- Build deploy testing automated for every commit
- Automated rollback
- Automated change order
- Zero downtime release
- Feature toggle
- github.com/hygieia/Hygieia 🌟 CapitalOne DevOps Dashboard
Kubernetes Threat Modelling
Kubernetes Config Security Threats
- cncf.io: Identifying Kubernetes Config Security Threats: Pods Running as Root
- mirantis.com: Introduction to Istio Ingress: The easy way to manage incoming Kubernetes app traffic. Leaving your cluster exposed can be risky. That’s why you need Istio Ingress, which only exposes the part that handles incoming traffic and allows routing rules based on routes, headers, IP addresses and more.
- thenewstack.io: How Kubernetes vulnerabilities have shifted since the first attacks
Security Linting on Kubernetes
- KubeLinter 🌟 KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.
- thenewstack.io: StackRox KubeLinter Brings Security Linting to Kubernetes
IaC and Security
Multi-Level Security (MLS) vs Multi-Category Security (MCS). Make Secure Pipelines with Podman and Containers
- Why you should be using Multi-Category Security (MCS) for your Linux containers
- Using Podman and Containers to make a more secure pipeline
- Project Calico: Secure networking for the cloud native era
- thenewstack.io: Project Calico: Kubernetes Security as SaaS
Security Patterns for Microservice Architectures
Anchore Container Security Solutions for DevSecOps
- Anchore: Container image inspection and policy-based compliance
- thenewstack.io: Anchore: Scan Your Container Images for Vulnerabilities from the Command Line
Twistlock and Threat Stack Container Security
- Threat Stack
- dzone: A Twistlock and Threat Stack Comparison. Compare two of the most popular tools available for container security, and how their different approaches breed different solutions.
- vashishtsumit89.medium.com: Security/Pen Testing: A guide to run OWASP Zap headless in containers for CI/CD pipeline
- redeszone.net: OWASP ZAP, audit the security of websites and avoid vulnerabilities
- sonarqube.org: OWASP Top 10 - We’ve got you covered! See issues in the 10 most critical security risk categories in your web applications.
- cloud.google.com: OWASP Top 10 mitigation options on Google Cloud 🌟 Terrific guidance in this paper that explains each attack vector and which product(s) can help
Secure Container Based CI/CD Workflows. Vulnerability Scanner for Container Images
- trivy: A Simple and Comprehensive Vulnerability Scanner for Container Images, Git Repositories and Filesystems. Suitable for CI.
- returngis.net: Finding vulnerabilities in Docker images with Snyk
- iximiuz.com: The need for slimmer containers. Scanning official Python images with Snyk
- gkovan.medium.com: A Zero Trust Approach for Securing the Supply Chain of Microservices Packaged as Container Images (sigstore, kyverno, openshift tekton, quarkus) 🌟
Securing Kubernetes With Anchore
- Securing Kubernetes With Anchore
- Anchore: Secure Container Based CI/CD Workflows
- Jenkins Plugin: Anchore Container Image Scanner
- Notary: Notary is a project that allows anyone to have trust over arbitrary collections of data
- infracloud.io: Enforcing Image Trust on Docker Containers using Notary
Databases in DMZ and Intranet
Removing Credentials From Git Repo
- forbes.com: DevOps Drives Pentesting Delivered As A Service
- emagined.com: How to conduct a penetration test
- securityboulevard.com: Kubernetes Pentest Methodology Part 3
- keycloak.org: Open Source Identity and Access Management For Modern Applications and Services
- Securing Kubernetes Apps with Keycloak and Gatekeeper
- Authorizing multi-language microservices with Louketo Proxy
- developers.redhat.com: A deep dive into Keycloak
- blog.getambassador.io: Step-by-Step Centralized Authentication for Kubernetes with Keycloak and the Ambassador Edge Stack
- blog.sighup.io: How to run Keycloak in HA on Kubernetes. How to set up Keycloak, the Open Source Identity and Access Management, in HA on Kubernetes.
- developers.redhat.com: Authentication and authorization using the Keycloak REST API
- faun.pub: Integrate Keycloak with HashiCorp Vault. A How-To guide using Terraform
- openshift.com: Geographically Distributed Stateful Workloads - Part 3: Keycloak
Git Credential Manager Core
- Git Credential Manager Core: GCM Core is a free, open-source, cross-platform credential manager for Git.
- Git Credential Manager Core: Building a universal authentication experience
- blog.gitguardian.com: Secrets in source code (episode ⅔). Why secrets in git are such a problem
- harness.io: Managing Secrets in CI/CD Pipelines 🌟 How has your organization dealt with the challenge of managing secrets while delivering with CI/CD pipelines? Learn how to improve your process in the article.
- smallstep.com: How to Handle Secrets on the Command Line 🌟
- cloud.google.com: Analyze secrets with Cloud Asset Inventory. Query information about all the secrets across your entire GoogleCloudTech organization! Secret Manager is now integrated with Asset Inventory!
- sops: Simple and flexible tool for managing secrets 🌟
- jenkins-x.io: Setting up the secrets for your installation. Jenkins X 3.x uses Kubernetes External Secrets to manage populating secrets from your underlying secret store.
- medium: AWS Secret Manager: Protect sensitive information and functionality 🌟 Protect Your Secrets in Applications. Secrets are frequently used to protect sensitive information and functionality.
- fpcomplete.com: Announcing Amber, encrypted secrets management
- jfrog.com: How to protect your secrets with Spectral and JFrog Pipelines
- github.com/keilerkonzept/aws-secretsmanager-files: Writes AWS Secrets Manager secrets to files on disk. Single binary, no dependencies. osx, linux and windows.
- medium: How to Handle Secrets Like a Pro Using Gitops
- youtube: Which of your Kubernetes Apps are accessing Secrets? 🌟 How do you know which apps across all your clusters are using Kubernetes Secrets? How are you sure that your secrets are not leaking? In the next 5 minutes, you will learn just that.
- jenkins-x/gsm-controller: gsm-controller is a Kubernetes controller that copies secrets from Google Secrets Manager into Kubernetes secrets. The controller watches Kubernetes secrets looking for an annotation; if the annotation is not found on the secret, nothing more is done.
Store private data in git repo
- vaultproject.io: Manage Secrets and Protect Sensitive Data. Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.
- medium: Coding for Secrets Reliability with HashiCorp Vault
- hashicorp.com: Vault & Kubernetes: Better Together
- OpenShift Blogs:
- Vault Learning Resources: Vault 1.5 features and more
- medium: Securing K8s Ingress Traffic with HashiCorp Vault PKIaaS and JetStack Cert-Manager
- hashicorp.com: Automate Secret Injection into CI/CD Workflows with the GitHub Action for Vault
- hashicorp.com: Use AWS Lambda Extensions to Securely Retrieve Secrets From HashiCorp Vault. Developers no longer have to make their Lambda functions Vault-aware.
- github.com/kelseyhightower: Serverless Vault with Cloud Run. This tutorial walks you through deploying Hashicorp’s Vault on Cloud Run, Google Cloud’s container based Serverless compute platform.
- confluent.io: How to Manage Secrets for Confluent with Kubernetes and HashiCorp Vault
- digitalvarys.com: Simple Introduction to HashiCorp Vault
- hashicorp.com: HCP Vault is now generally available on AWS 🌟
- hashicorp.com: Serverless Secrets with HashiCorp Vault. Learn how to securely store and retrieve credentials across providers for applications running within AWS Lambda, Azure Functions, and Google Cloud Functions.
- thenewstack.io: HashiCorp Releases HCP Vault to Combat ‘Secrets Management’ Fatigue
- datadoghq.com: Monitor HashiCorp Vault metrics and logs
- thenewstack.io: Reasons to Implement HashiCorp Vault and Other Zero Trust Tools
- hashicorp.com: Retrieve HashiCorp Vault Secrets with Kubernetes CSI. Learn how to use CSI to expose secrets on a volume within a Kubernetes pod and retrieve them using our beta Vault Provider for the Kubernetes Secrets Store CSI Driver.
- testdriven.io: Running Vault and Consul on Kubernetes
- hashicorp.com: Onboarding Applications to Vault Using Terraform: A Practical Guide 🌟 Learn how to build an automated HashiCorp Vault onboarding system with Terraform using sensible naming standards, ACL policy templates, pre-created application entities, and workflows driven by VCS and CI/CD.
- hashicorp.com: Managing SSH Access at Scale with HashiCorp Vault. Learn how to build scalable, role-based SSH access with SSH certificates and HashiCorp Vault.
- devopscube.com: How to Set up Vault in Kubernetes - Beginners Tutorial 🌟
- Vault Agent 🌟
- devopscube.com: Vault Agent Injector Tutorial: Inject Secrets to Pods Using Vault Agent
- hashicorp.com: Announcing HashiCorp Vault 1.8
- hashicorp.com: A Kubernetes User’s Guide to HashiCorp Nomad Secret Management. Learn how secrets management in Kubernetes compares to HashiCorp Nomad, and see why HashiCorp Vault is a powerful solution for both.
- igorzhivilo.com: Scheduled backup of Vault secrets with Jenkins on Kubernetes. If you ever wondered how to save the secrets of HashiCorp’s Vault on a daily basis.
- hashicorp.com: HashiCorp Vault Use Cases and Best Practices on Azure
- hashicorp/vault-csi-provider: HashiCorp Vault Provider for Secrets Store CSI Driver. The HashiCorp Vault provider for the Secrets Store CSI driver allows you to get secrets stored in Vault and use the Secrets Store CSI driver interface to mount them into Kubernetes pods.
Azure Key Vault to Kubernetes akv2k8s
- akv2k8s.io 🌟 Azure Key Vault to Kubernetes (akv2k8s) makes Azure Key Vault secrets, certificates and keys available in Kubernetes and/or your application, in a simple and secure way.
CyberArk and Ansible
- ansible.com: Simplifying secrets management with CyberArk and Red Hat Ansible Automation Platform
- ansible.com: Automating Security with CyberArk and Red Hat Ansible Automation Platform
SOPS for Kubernetes
Alternatives with Kubernetes External Secrets
- GitOps secret management with bitnami-labs Sealed Secret and GoDaddy Kubernetes External Secrets 🌟
- Kubernetes External Secrets 🌟 Integrate external secret management systems with Kubernetes. Kubernetes External Secrets allows you to use external secret management systems, like AWS Secrets Manager or HashiCorp Vault, to securely add secrets in Kubernetes.
- thenewstack.io: GoDaddy’s Project to Secure, Rotate Kubernetes Secrets 🌟
- aws.amazon.com: Managing secrets deployment in Kubernetes using Sealed Secrets 🌟
- dzone: Managing Secrets Deployment in GitOps Workflow 🌟 The importance of keeping your secrets safe.
- blog.container-solutions.com: The Birth of the External Secrets Community
- itnext.io: Secrets injection at runtime from external Vault into Kubernetes — POC
- jx-secret-postrenderer 🌟 A Helm post-renderer for working with Helm and Kubernetes External Secrets. This post-renderer lets you use Helm charts which contain Secret resources and have those secrets managed by Kubernetes External Secrets without having to modify your charts. Want seamless support for Kubernetes External Secrets with existing Helm charts, but you’re not using Jenkins X yet? Then why not try this Helm post-renderer.
- thenewstack.io: Managing Kubernetes Secrets with AWS Secrets Manager 🌟
- K8s Vault Webhook 🌟 (github: k8s-vault-webhook) A Kubernetes webhook that can inject secrets into Kubernetes resources by connecting to multiple secret managers.
Serverless Security Best Practices
Docker Images & Container Security
- thehackernews.com: Docker Images Containing Cryptojacking Malware Distributed via Docker Hub
- sysdig.com: 12 Container image scanning best practices to adopt in production
- infracloud.io: The Ten Commandments of Container Security
- medium: KubeSecOps Pipeline(Container security) in a cloudnative ecosystem
- sysdig.com: Sysdig 2021 container security and usage report: Shifting left is not enough 🌟
- itnext.io: Hardening Docker and Kubernetes with seccomp 🌟
- redhat.com: Improving Linux container security with seccomp 🌟 Try this method of using an OCI runtime hook for tracing syscalls before you build a container.
- openshift.com: Signing and Verifying Container Images 🌟
- redhat.com: Introducing Red Hat Vulnerability Scanner Certification
- docs.microsoft.com: Introduction to Azure Defender for container registries. Defender for Container Registries continuous image scan for vulnerabilities is now generally available (GA).
- techbeacon.com: 17 open-source container security tools 🌟
- about.gitlab.com: How to secure your container images with GitLab and Grype. grype: a vulnerability scanner for container images and filesystems
- sigstore.dev: A new standard for signing, verifying and protecting software. Making sure your software’s what it claims to be.
- youtube: Hands-on Introduction to sigstore | Rawkode Live. In this tutorial, you’ll learn how to sign and verify container images with cosign, with and without a private key.
- GoogleContainerTools/container-structure-test: validate the structure of your container images
Pod Security Policies
- octetz.com: Setting Up Pod Security Policies. By default, Kubernetes allows anything capable of creating a Pod to run a fairly privileged container that can compromise a system. Pod Security Policies protect clusters from privileged pods by ensuring the requester is authorised.
- infracloud.io: Kubernetes Pod Security Policies with Open Policy Agent. In this blog post, you will learn about the Pod Security Policy admission controller. Then you will see how Open Policy Agent can implement Pod Security Policies.
Kubernetes Network Policies
- medium.com: K8s Network Policies Demystified and Simplified 🌟
- blog.nody.cc: Verify your Kubernetes Cluster Network Policies: From Faith to Proof
Static Analysis SAST
Kubernetes Security Tools
- europeclouds.com: Implementing Aqua Security to Secure Kubernetes
- Pomerium: an identity-aware proxy that enables secure access to internal applications. Pomerium brings consistent authz/authn, tooling, and auditing across cloud and on-premise deployments. No VPN or cloud provider account is required.
- cloud.redhat.com: Top Open Source Kubernetes Security Tools of 2021 🌟🌟
Helm Charts Security
- medium: Who’s at the Helm? Or, how to deploy 25+ CVEs to prod in one command!
Attacks on Kubernetes via Misconfigured Argo Workflows
- it.slashdot.org: And the Top Source of Critical Security Threats Is… PowerShell. Microsoft’s CLI management tool was the source of more than a third of critical security threats detected by Cisco in the second half of 2020, according to eSecurity Planet.
More Security Tools
- zdnet.com: Google releases new open-source security software program: Scorecards. How safe is that open-source software in the Git library, the one with the questionable history? Scorecard 2.0 can quickly tell you just how secure, or not, it really is.
- sysadminxpert.com: How to do Security Auditing of CentOS System Using Lynis Tool