This week's articles
A Survey of Istio's Network Security Features
Great write-up of Istio's security misconfigurations and policy bypasses. In particular, it focuses on the Istio security features used to control service-to-service network interactions. The post also walks through lab-based examples to concretely illustrate the limits of each of these features, possible misconfigurations, and what operators can do to ensure their intended security goals are met.
App-Layer Encryption in AWS
CashApp's first blog post in a series on how they are making App-Layer Encryption easy for engineers building services in the cloud.
Continuous Cloud Security Monitoring (CCSM)
AppSec Cali 2020 talk that summarizes Continuous Cloud Security Monitoring (CCSM) strategies, techniques, and best practices so you don't have to spend the next 12 months reading AWS white papers. Takeaways include methods to immediately apply logging, monitoring, alerting, and Honey[Things] to detect and respond to threats in AWS environments.
Everyone might be a cluster-admin in your Kubernetes cluster
By default, Kubernetes is fairly secure: every namespace gets a default service account, which has no assigned permissions. But many apps and manifests people blindly deploy into their clusters affect the RBAC controls in ways the users may not even understand. k8s-pod-rbac-breakout is a project meant to demonstrate how one particular Kubernetes visualization tool gives every pod running in the default namespace full cluster-admin privileges, so any pod would then be able to do almost anything to almost any resource in the cluster!
Advanced Persistence Threats: The Future of Kubernetes Attacks
As Kubernetes grows in popularity, the sophistication of attackers will improve, and security by obscurity will no longer be sufficient. What could an attacker who understands Kubernetes at a deep level be capable of? This talk explores the dark corners of clusters and shines a light on several new advanced attacks on Kubernetes.
On-Demand Container Scanning API
An open Python API built using Trivy, Flask, Gunicorn, and Nginx that currently exposes two public endpoints (more endpoints and tools are planned): the first returns a Trivy report of all open vulnerabilities for the specified container, and the second returns a list of open CVEs for that container.