The AWS Architecture Icons release provides updated icons and guidelines to improve accessibility and align with AWS branding. Key updates include:
- Icons were updated to have a minimum contrast ratio of 3:1 for lines and 4.5:1 for text for accessibility. Line weight and text size were increased.
- The color palette was updated to match the new AWS brand colors of White, Galaxy, Nebula, Cosmos, Mars, Smile, Endor, and Orbit.
- The general icons library was expanded with new icons for concepts like cold storage, data streams, credentials, and more.
- Guidance was provided for specific services like using a generic instance icon for EC2 instead
Azure WAF is a cloud-native web application firewall service that provides powerful protection for web apps with simple deployment, low maintenance costs, and automatic updates. It acts as a content delivery network and can defend against common attacks like command execution, SQL injection, cross-site scripting, and more, as demonstrated in a presentation where custom rules were set up to create an Azure WAF.
The document discusses how IT is transforming to play a more strategic role through increased cloud adoption. This is driving the need to better organize and govern resources as well as modernize applications to improve ROI. It provides an overview of key Azure services for security, monitoring, automation, governance, and resiliency to securely manage hybrid cloud environments at scale.
The document provides an overview of a webinar on Microsoft security, compliance, and identity fundamentals presented by Vignesh Ganesan. The webinar covers Microsoft 365 security, Microsoft compliance solutions like information protection and governance, and Microsoft identity including Azure Active Directory. It summarizes the three main components that will be focused on: Microsoft security, Microsoft identity, and Microsoft compliance. It also outlines some of the key capabilities within each area and compares Microsoft's offerings to other vendors in the space.
This document provides an overview of DevOps on AWS and the AWS developer tools for continuous delivery including CodeCommit, CodeDeploy, CodePipeline, and Elastic Beanstalk. It discusses how these tools help implement a microservices architecture and continuous delivery approach to software development. Specifically, it describes how CodeCommit provides version control, CodeDeploy enables easy and reliable deployments, CodePipeline allows connecting tools for accelerated release processes, and Elastic Beanstalk provides a simple way to deploy applications.
Oracle Cloud Infrastructure (OCI) is a secure, scalable, and highly available cloud computing service provided by Oracle. It offers infrastructure services like compute, storage, and networking, and features built-in security, high performance, and hybrid integration capabilities. Customers can use OCI to run enterprise workloads, develop applications, process big data, and more, with flexible pricing and 24/7 technical support.
The AWS Architecture Icons release provides updated icons and guidelines to improve accessibility and align with AWS branding. Key updates include:
- Icons were updated to have a minimum contrast ratio of 3:1 for lines and 4.5:1 for text for accessibility. Line weight and text size were increased.
- The color palette was updated to match the new AWS brand colors of White, Galaxy, Nebula, Cosmos, Mars, Smile, Endor, and Orbit.
- The general icons library was expanded with new icons for concepts like cold storage, data streams, credentials, and more.
- Guidance was provided for specific services like using a generic instance icon for EC2 instead
Azure WAF is a cloud-native web application firewall service that provides powerful protection for web apps with simple deployment, low maintenance costs, and automatic updates. It acts as a content delivery network and can defend against common attacks like command execution, SQL injection, cross-site scripting, and more, as demonstrated in a presentation where custom rules were set up to create an Azure WAF.
The document discusses how IT is transforming to play a more strategic role through increased cloud adoption. This is driving the need to better organize and govern resources as well as modernize applications to improve ROI. It provides an overview of key Azure services for security, monitoring, automation, governance, and resiliency to securely manage hybrid cloud environments at scale.
The document provides an overview of a webinar on Microsoft security, compliance, and identity fundamentals presented by Vignesh Ganesan. The webinar covers Microsoft 365 security, Microsoft compliance solutions like information protection and governance, and Microsoft identity including Azure Active Directory. It summarizes the three main components that will be focused on: Microsoft security, Microsoft identity, and Microsoft compliance. It also outlines some of the key capabilities within each area and compares Microsoft's offerings to other vendors in the space.
This document provides an overview of DevOps on AWS and the AWS developer tools for continuous delivery including CodeCommit, CodeDeploy, CodePipeline, and Elastic Beanstalk. It discusses how these tools help implement a microservices architecture and continuous delivery approach to software development. Specifically, it describes how CodeCommit provides version control, CodeDeploy enables easy and reliable deployments, CodePipeline allows connecting tools for accelerated release processes, and Elastic Beanstalk provides a simple way to deploy applications.
Oracle Cloud Infrastructure (OCI) is a secure, scalable, and highly available cloud computing service provided by Oracle. It offers infrastructure services like compute, storage, and networking, and features built-in security, high performance, and hybrid integration capabilities. Customers can use OCI to run enterprise workloads, develop applications, process big data, and more, with flexible pricing and 24/7 technical support.
This document provides an overview of building secure cloud architecture. It discusses cloud characteristics and services models like IaaS, PaaS, and SaaS. It also covers the shared responsibility model between providers and customers. Additional topics include compliance requirements, privacy basics, architecting for availability, network separation, application protection, identity and access management, monitoring tools, log management, and containers security. The document aims to educate readers on best practices for securely designing cloud infrastructure and applications.
This is the Lesson 4 of the "Azure Governance - Free training" serie.
This document presents Azure Policy in-depth and lists all key items you should now when designing your Azure Policy Model.
Finally, the document describes all methods/tools (GUI & CLI) you can use to create, manage and assign Policy (Definition and Initiative Definition) to your Azure environment.
Creating and using a Custom Policies is also detailed on this document.
Oracle provides a comprehensive cloud infrastructure platform with compute, storage, networking and database services. Key features include fast NVMe SSD storage both locally and network attached, high performance bare metal and VM instances with GPU and AMD EPYC options, autonomous database services, and advanced networking capabilities like low latency and RDMA. Oracle's regional architecture and dedicated fast interconnects enable high availability across availability domains and regions.
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...Amazon Web Services
Zero trust security is quickly rising as a preferred alternative to traditional security approaches. The key enabling technology underlying the zero trust security approach is next-gen access which combines the critical capabilities of such technologies as identity as a service (IDaaS), enterprise mobility management (EMM), and privileged access management (PAM). In this session, we highlight AWS security best practices in a zero trust security model. Specifically, we explore securing the AWS root account, controlling access to the AWS Management Console, and the AWS Command Line Interface, and managing developer access to Amazon EC2 instances and containerized applications that run on them.
This document provides an overview of Microsoft Azure including what Azure is, the platform services it offers, licensing and purchasing options, estimating costs, and resources for getting started with Azure. Azure is an on-demand cloud computing platform that provides infrastructure and platform services. It offers computing, networking, databases, analytics, mobile, IoT and enterprise application services. Customers can purchase Azure services through pay-as-you-go, commitment plans, or open licensing programs. The document recommends starting points for learning Azure and provides additional resources.
AWS Security, Identity, & Compliance - An Overview: AWS Security Week at the San Francisco Loft
Presenter: William Reid, CISM, FIP
Head of Security and Compliance Solution Architecture, AWS
An introduction to the devsecops webinar will be presented by me at 10.30am EST on 29th July,2018. It's a session focussed on high level overview of devsecops which will be followed by intermediate and advanced level sessions in future.
Agenda:
-DevSecOps Introduction
-Key Challenges, Recommendations
-DevSecOps Analysis
-DevSecOps Core Practices
-DevSecOps pipeline for Application & Infrastructure Security
-DevSecOps Security Tools Selection Tips
-DevSecOps Implementation Strategy
-DevSecOps Final Checklist
Stephane Lapointe: Governance in Azure, keep control of your environmentsMSDEVMTL
June 11th 2018
Azure Group
Subject: Governance in Azure, keep control of your environments.
Speaker: Stephane Lapointe, Azure MVP
It's very easy to lose control over what's happening in your Azure environments. In this talk, see solutions for managing security, costs, and governance. We'll talk about tools like tags, RBAC, policies, Azure Security Center & Azure Advisors to implement initiatives that will greatly help your management in Azure.
This document provides an overview of Microsoft Azure security features, including:
- Shared responsibility model where Microsoft secures the platform and customers secure their data and applications
- Identity and access management, encryption of data at rest and in transit, network security controls, and logging/monitoring capabilities
- Security Center provides visibility into threats and advanced analytics to detect attacks
- Operations Management Suite allows collecting logs from Azure, on-premises, and other clouds to analyze security events
- Microsoft works with partners to provide additional virtual network appliances and security solutions to customers
1. Azure Governance provides native platform capabilities to ensure compliant use of cloud resources through environment factory, policy-based control, and resource visibility features.
2. Environment factory allows users to deploy and update cloud environments in a repeatable manner using composable artifacts like ARM templates.
3. Policy-based control enables real-time policy evaluation and enforcement as well as periodic and on-demand compliance assessment at scale across management groups.
here's where Microsoft has invested, across these areas: identity and access management, apps and data security, network security, threat protection, and security management.
We’ve put a tremendous amount of investment into these areas and the way it shows up is across a pretty broad array of product areas and features.
Our Identity and Access Management tools enable you to take an identity-based approach to security, and establish truly conditional access policies
Our App and Data Security help you protect your apps and your data as it moves around—both inside and outside your organization
Azure includes a robust networking infrastructure with built-in security controls for your application and service connectivity.
Our Threat Protection capabilities are built in and fully integrated, so you can strengthen both pre-breach protection with deep capabilities across e-mail, collaboration services, and end points including hardware based protection; and post-breach detection that includes memory and kernel based protection and response with automation.
And our Security Management tools give you the visibility and more importantly the guidance to manage policy centrally
This document summarizes a presentation on "Infrastructure as Code" for beginners. It discusses automating deployment, provisioning, environments, and virtual machine management through continuous integration/delivery practices and configuration management tools. Specific topics covered include deployment pipelines, desired state configuration, separating configuration for different environments, immutable infrastructure patterns, building golden images, and infrastructure automation through tools like Ansible, Packer and Terraform. A demo is provided to illustrate these concepts in action.
The document discusses Azure DDoS Protection Standard. It notes that DDoS attacks are increasing in frequency, size, and sophistication. Azure DDoS Protection Standard provides continuous monitoring, edge mitigation to protect datacenter bandwidth, regional failover, and global mitigation capacity of over 25 Tbps. It is designed to provide automatic network layer attack protection and analytics for virtual network resources.
Microsoft Cloud Adoption Framework for Azure: Governance ConversationNicholas Vossburg
This document outlines Microsoft's Cloud Adoption Framework (CAF) governance model for governing cloud adoption. It recommends starting with an assessment of the current state and future vision. Then establish a Minimum Viable Product (MVP) for governance using core Azure services like management groups, subscriptions, resource groups, Azure Policy and role-based access control. The MVP should focus on key areas like resource tagging, grouping and security baselines. Governance then evolves by maturing the MVP with each cloud release to better align with cloud adoption and IT functions.
On-premise to Microsoft Azure Cloud Migration.Emtec Inc.
This presentation sheds light on migrating on-premise apps to Microsoft Azure cloud. It also highlights the technical capabilities of Microsoft Azure cloud services.
Azure Cost Management is a native Azure service that helps you analyze costs, create and manage budgets, export data, and review and act on optimization recommendations to save money.
Amazon Elastic Compute Cloud (Amazon EC2) provides resizable compute capacity in the cloud and makes web scale computing easier for customers. Amazon EC2 provides a wide variety of compute instances suited to every imaginable use case, from static websites to high performance supercomputing on-demand, available via highly flexible pricing options. Amazon EC2 works with Amazon Elastic Block Store (Amazon EBS) and Auto Scaling to make it easy for you to get the performance and availability you need for your applications. This session will introduce the key features and different instance types offered by Amazon EC2, demonstrate how you can get started and provide guidance on choosing the right types of instance and purchasing options.
This document provides an overview of AWS multi-account architecture best practices and strategies for implementing a "landing zone" on AWS. It discusses setting up accounts for master, core services, shared services, development sandboxes, and team/group environments. The document then outlines steps for implementing a landing zone using the AWS Landing Zone solution, including setting up accounts for shared services, log archives, security and establishing baselines across team accounts.
Are you securing your microservice architectures by hiding them behind a firewall? That works, but there are better ways to do it. This presentation recommends 11 patterns to secure microservice architectures.
1. Be Secure by Design
2. Scan Dependencies
3. Use HTTPS Everywhere
4. Use Access and Identity Tokens
5. Encrypt and Protect Secrets
6. Verify Security with Delivery Pipelines
7. Slow Down Attackers
8. Use Docker Rootless Mode
9. Use Time-Based Security
10. Scan Docker and Kubernetes Configuration for Vulnerabilities
11. Know Your Cloud and Cluster Security
Blog post: https://developer.okta.com/blog/2020/03/23/microservice-security-patterns
Security Patterns for Microservice Architectures - London Java Community 2020Matt Raible
Are you securing your microservice architectures by hiding them behind a firewall? That works, but there are better ways to do it. This presentation recommends 11 patterns to secure microservice architectures.
1. Be Secure by Design
2. Scan Dependencies
3. Use HTTPS Everywhere
4. Use Access and Identity Tokens
5. Encrypt and Protect Secrets
6. Verify Security with Delivery Pipelines
7. Slow Down Attackers
8. Use Docker Rootless Mode
9. Use Time-Based Security
10. Scan Docker and Kubernetes Configuration for Vulnerabilities
11. Know Your Cloud and Cluster Security
Blog post: https://developer.okta.com/blog/2020/03/23/microservice-security-patterns
This document provides an overview of building secure cloud architecture. It discusses cloud characteristics and services models like IaaS, PaaS, and SaaS. It also covers the shared responsibility model between providers and customers. Additional topics include compliance requirements, privacy basics, architecting for availability, network separation, application protection, identity and access management, monitoring tools, log management, and containers security. The document aims to educate readers on best practices for securely designing cloud infrastructure and applications.
This is the Lesson 4 of the "Azure Governance - Free training" serie.
This document presents Azure Policy in-depth and lists all key items you should now when designing your Azure Policy Model.
Finally, the document describes all methods/tools (GUI & CLI) you can use to create, manage and assign Policy (Definition and Initiative Definition) to your Azure environment.
Creating and using a Custom Policies is also detailed on this document.
Oracle provides a comprehensive cloud infrastructure platform with compute, storage, networking and database services. Key features include fast NVMe SSD storage both locally and network attached, high performance bare metal and VM instances with GPU and AMD EPYC options, autonomous database services, and advanced networking capabilities like low latency and RDMA. Oracle's regional architecture and dedicated fast interconnects enable high availability across availability domains and regions.
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...Amazon Web Services
Zero trust security is quickly rising as a preferred alternative to traditional security approaches. The key enabling technology underlying the zero trust security approach is next-gen access which combines the critical capabilities of such technologies as identity as a service (IDaaS), enterprise mobility management (EMM), and privileged access management (PAM). In this session, we highlight AWS security best practices in a zero trust security model. Specifically, we explore securing the AWS root account, controlling access to the AWS Management Console, and the AWS Command Line Interface, and managing developer access to Amazon EC2 instances and containerized applications that run on them.
This document provides an overview of Microsoft Azure including what Azure is, the platform services it offers, licensing and purchasing options, estimating costs, and resources for getting started with Azure. Azure is an on-demand cloud computing platform that provides infrastructure and platform services. It offers computing, networking, databases, analytics, mobile, IoT and enterprise application services. Customers can purchase Azure services through pay-as-you-go, commitment plans, or open licensing programs. The document recommends starting points for learning Azure and provides additional resources.
AWS Security, Identity, & Compliance - An Overview: AWS Security Week at the San Francisco Loft
Presenter: William Reid, CISM, FIP
Head of Security and Compliance Solution Architecture, AWS
An introduction to the devsecops webinar will be presented by me at 10.30am EST on 29th July,2018. It's a session focussed on high level overview of devsecops which will be followed by intermediate and advanced level sessions in future.
Agenda:
-DevSecOps Introduction
-Key Challenges, Recommendations
-DevSecOps Analysis
-DevSecOps Core Practices
-DevSecOps pipeline for Application & Infrastructure Security
-DevSecOps Security Tools Selection Tips
-DevSecOps Implementation Strategy
-DevSecOps Final Checklist
Stephane Lapointe: Governance in Azure, keep control of your environmentsMSDEVMTL
June 11th 2018
Azure Group
Subject: Governance in Azure, keep control of your environments.
Speaker: Stephane Lapointe, Azure MVP
It's very easy to lose control over what's happening in your Azure environments. In this talk, see solutions for managing security, costs, and governance. We'll talk about tools like tags, RBAC, policies, Azure Security Center & Azure Advisors to implement initiatives that will greatly help your management in Azure.
This document provides an overview of Microsoft Azure security features, including:
- Shared responsibility model where Microsoft secures the platform and customers secure their data and applications
- Identity and access management, encryption of data at rest and in transit, network security controls, and logging/monitoring capabilities
- Security Center provides visibility into threats and advanced analytics to detect attacks
- Operations Management Suite allows collecting logs from Azure, on-premises, and other clouds to analyze security events
- Microsoft works with partners to provide additional virtual network appliances and security solutions to customers
1. Azure Governance provides native platform capabilities to ensure compliant use of cloud resources through environment factory, policy-based control, and resource visibility features.
2. Environment factory allows users to deploy and update cloud environments in a repeatable manner using composable artifacts like ARM templates.
3. Policy-based control enables real-time policy evaluation and enforcement as well as periodic and on-demand compliance assessment at scale across management groups.
here's where Microsoft has invested, across these areas: identity and access management, apps and data security, network security, threat protection, and security management.
We’ve put a tremendous amount of investment into these areas and the way it shows up is across a pretty broad array of product areas and features.
Our Identity and Access Management tools enable you to take an identity-based approach to security, and establish truly conditional access policies
Our App and Data Security help you protect your apps and your data as it moves around—both inside and outside your organization
Azure includes a robust networking infrastructure with built-in security controls for your application and service connectivity.
Our Threat Protection capabilities are built in and fully integrated, so you can strengthen both pre-breach protection with deep capabilities across e-mail, collaboration services, and end points including hardware based protection; and post-breach detection that includes memory and kernel based protection and response with automation.
And our Security Management tools give you the visibility and more importantly the guidance to manage policy centrally
This document summarizes a presentation on "Infrastructure as Code" for beginners. It discusses automating deployment, provisioning, environments, and virtual machine management through continuous integration/delivery practices and configuration management tools. Specific topics covered include deployment pipelines, desired state configuration, separating configuration for different environments, immutable infrastructure patterns, building golden images, and infrastructure automation through tools like Ansible, Packer and Terraform. A demo is provided to illustrate these concepts in action.
The document discusses Azure DDoS Protection Standard. It notes that DDoS attacks are increasing in frequency, size, and sophistication. Azure DDoS Protection Standard provides continuous monitoring, edge mitigation to protect datacenter bandwidth, regional failover, and global mitigation capacity of over 25 Tbps. It is designed to provide automatic network layer attack protection and analytics for virtual network resources.
Microsoft Cloud Adoption Framework for Azure: Governance ConversationNicholas Vossburg
This document outlines Microsoft's Cloud Adoption Framework (CAF) governance model for governing cloud adoption. It recommends starting with an assessment of the current state and future vision. Then establish a Minimum Viable Product (MVP) for governance using core Azure services like management groups, subscriptions, resource groups, Azure Policy and role-based access control. The MVP should focus on key areas like resource tagging, grouping and security baselines. Governance then evolves by maturing the MVP with each cloud release to better align with cloud adoption and IT functions.
On-premise to Microsoft Azure Cloud Migration.Emtec Inc.
This presentation sheds light on migrating on-premise apps to Microsoft Azure cloud. It also highlights the technical capabilities of Microsoft Azure cloud services.
Azure Cost Management is a native Azure service that helps you analyze costs, create and manage budgets, export data, and review and act on optimization recommendations to save money.
Amazon Elastic Compute Cloud (Amazon EC2) provides resizable compute capacity in the cloud and makes web scale computing easier for customers. Amazon EC2 provides a wide variety of compute instances suited to every imaginable use case, from static websites to high performance supercomputing on-demand, available via highly flexible pricing options. Amazon EC2 works with Amazon Elastic Block Store (Amazon EBS) and Auto Scaling to make it easy for you to get the performance and availability you need for your applications. This session will introduce the key features and different instance types offered by Amazon EC2, demonstrate how you can get started and provide guidance on choosing the right types of instance and purchasing options.
This document provides an overview of AWS multi-account architecture best practices and strategies for implementing a "landing zone" on AWS. It discusses setting up accounts for master, core services, shared services, development sandboxes, and team/group environments. The document then outlines steps for implementing a landing zone using the AWS Landing Zone solution, including setting up accounts for shared services, log archives, security and establishing baselines across team accounts.
Are you securing your microservice architectures by hiding them behind a firewall? That works, but there are better ways to do it. This presentation recommends 11 patterns to secure microservice architectures.
1. Be Secure by Design
2. Scan Dependencies
3. Use HTTPS Everywhere
4. Use Access and Identity Tokens
5. Encrypt and Protect Secrets
6. Verify Security with Delivery Pipelines
7. Slow Down Attackers
8. Use Docker Rootless Mode
9. Use Time-Based Security
10. Scan Docker and Kubernetes Configuration for Vulnerabilities
11. Know Your Cloud and Cluster Security
Blog post: https://developer.okta.com/blog/2020/03/23/microservice-security-patterns
Security Patterns for Microservice Architectures - London Java Community 2020Matt Raible
Are you securing your microservice architectures by hiding them behind a firewall? That works, but there are better ways to do it. This presentation recommends 11 patterns to secure microservice architectures.
1. Be Secure by Design
2. Scan Dependencies
3. Use HTTPS Everywhere
4. Use Access and Identity Tokens
5. Encrypt and Protect Secrets
6. Verify Security with Delivery Pipelines
7. Slow Down Attackers
8. Use Docker Rootless Mode
9. Use Time-Based Security
10. Scan Docker and Kubernetes Configuration for Vulnerabilities
11. Know Your Cloud and Cluster Security
Blog post: https://developer.okta.com/blog/2020/03/23/microservice-security-patterns
Security Patterns for Microservice Architectures - Oktane20Matt Raible
Matt Raible presented 11 security patterns for microservice architectures: 1) be secure by design, 2) scan dependencies, 3) use HTTPS everywhere, 4) use access and identity tokens, 5) encrypt and protect secrets, 6) verify security with delivery pipelines, 7) slow down attackers, 8) use Docker rootless mode, 9) use time-based security, 10) scan Docker and Kubernetes configurations for vulnerabilities, and 11) know your cloud and cluster security. He discussed each pattern in detail and provided examples and recommendations for implementation.
This document provides an overview of crafting secure and composable Sitecore SaaS-based applications. It discusses increasing attack surfaces with SaaS and microservices architectures. It then covers security topics like the layered security model, zero trust architecture, securing Docker and Kubernetes, infrastructure as code, automated security testing, and a reference security solution architecture. The presentation emphasizes security by design, automation, and people/process through concepts like DevSecOps. It aims to educate on building security into applications from the start through frameworks, best practices and automation.
Top 6 Practices to Harden Docker Images to Enhance Security9 series
Dockers can be considered equivalent to containers. Different verses of tools and platforms of containers are being used to develop containers to work more profitably. However, there are so many principles for protecting applications based on the container by collaborating with other secured applications.
KubeHuddle NA 2023 - Why should devs care about container security - Eric Sma...Eric Smalling
Container scanning tools, industry publications, and application security experts are constantly telling us about best practices for how to build our images and run our containers. Often these non-functional requirements seem abstract and are not described well enough for those of us that don’t have an appsec background to fully understand why they are important. In this session, we will go over several of the most common practices, show examples of how your workloads can be exploited if not followed and, most importantly, how to easily find and fix your Dockerfiles and deployment manifests before you commit your code.
Presented at KubeHuddle NA 2023 in Toronto, ON May 18th 2023
Numerous packaging & delivering applications are available in the global market, and out of all, Docker has created its prominent reputation amongst countless organizations around the globe.
Everyone heard about Kubernetes. Everyone wants to use this tool. However, sometimes we forget about security, which is essential throughout the container lifecycle.
Therefore, our journey with Kubernetes security should begin in the build stage when writing the code becomes the container image.
Kubernetes provides innate security advantages, and together with solid container protection, it will be invincible.
During the sessions, we will review all those features and highlight which are mandatory to use. We will discuss the main vulnerabilities which may cause compromising your system.
Contacts:
LinkedIn - https://www.linkedin.com/in/vshynkar/
GitHub - https://github.com/sqerison
-------------------------------------------------------------------------------------
Materials from the video:
The policies and docker files examples:
https://gist.github.com/sqerison/43365e30ee62298d9757deeab7643a90
The repo with the helm chart used in a demo:
https://github.com/sqerison/argo-rollouts-demo
Tools that showed in the last section:
https://github.com/armosec/kubescape
https://github.com/aquasecurity/kube-bench
https://github.com/controlplaneio/kubectl-kubesec
https://github.com/Shopify/kubeaudit#installation
https://github.com/eldadru/ksniff
Further learning.
A book released by CISA (Cybersecurity and Infrastructure Security Agency):
https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
O`REILLY Kubernetes Security:
https://kubernetes-security.info/
O`REILLY Container Security:
https://info.aquasec.com/container-security-book
Thanks for watching!
AWS live hack: Docker + Snyk Container on AWSEric Smalling
Slides from session 3 of the Snyk AWS live hack series
Dec 15, 2021 with Eric Smalling, Dev Advocate at Snyk, and Peter McKee, Head of Dev Relations & Community at Docker.
DockerCon SF 2015: Faster, Cheaper, SaferDocker, Inc.
This document discusses how Docker can help organizations achieve faster, cheaper, and safer development and operations. It outlines how Docker enables microservices architectures and continuous delivery for faster development. Using Docker allows consolidating resources for cheaper and more efficient infrastructure. Following security best practices like immutable deployments and role-based access helps ensure safer applications. The document provides examples of how different types of workloads can benefit from Docker in production environments.
Adrian Cockcroft on his top predictions for the cloud computing industry in 2015 and beyond, as well as how cloud-native applications, continuous-delivery and DevOps techniques, will speed the pace of innovation and disruption.
For more about Adrian be sure to check out his page on Battery Ventures:
https://www.battery.com/our-team/member/adrian-cockcroft/
Follow Adrian on Twitter: @adrianco
Azure Key Vault with a PaaS Architecture and ARM Template DeploymentRoy Kim
This is a presentation I held at a local Azure user group. The session abstract: Azure Key Vault is a tool for securely storing and accessing secrets. We will go through a popular Azure PaaS Architecture pattern using Key Vault to store a password. I will demo and walk through the general configuration of a dedicated Azure Function app, Azure SQL and Key Vault that was deployed with automation. I will then go through fairly advanced techniques and best practices on how to deploy Azure Key Vault and a password secret with ARM templates. Finally, a very brief look at my Azure DevOps Pipeline to deploy the ARM template. You will come away with an understanding of an applied use case of leveraging Azure Key vault for a PaaS solution in better managing a password secret.
Docker development Best Practices recommends using Docker Hub or CI/CD pipelines to build and tag Docker images on pull requests. Images should be signed by development, security, and testing teams before production. Different environments should be used for development and testing. Docker should be updated to the latest version for security features.
Docker container Best Practices include frequently backing up a single manager node for restoration. Cloud deployment of containers on AWS or Azure uses Kubernetes. Load balancers like NGINX help control Docker containers for availability and scalability.
Dockerfile Best Practices are to not use Dockerfiles as build scripts, define environment variables, commit Dockerfiles to repositories, be mindful of base image size, do not expose secrets
Tampere Docker meetup - Happy 5th Birthday DockerSakari Hoisko
Part of official docker meetup events by Docker Inc.
https://events.docker.com/events/docker-bday-5/
Meetup event:
https://www.meetup.com/Docker-Tampere/events/248566945/
Encryption in the Public Cloud: 16 Bits of Advice for Security TechniquesTrend Micro
Dave Asprey, VP of Cloud Security at Trend Micro, presented on encryption techniques for securing data and applications in public clouds. He outlined 16 pieces of advice, including encrypting network traffic, files systems, and data in shared storage. Only allow decryption keys to enter the cloud during decryption. Minimize the number of services per virtual machine instance and only open necessary ports. Use host-based intrusion detection and system hardening tools.
It's clear that Docker speeds up development and makes testing and deployment more efficient. As Docker moves into production new use cases and patterns are emerging that address availability and security concerns. With microservices, safety is part of the architecture that developers need to understand and build for. It's no longer good enough to wrap a firewall around an entire app when it goes to production, and have a cold standby in case it breaks.
Secure Application Development InfoShare 2022Radu Vunvulea
The document discusses secure application development in the cloud. It covers six main topics: 1) why cloud security is important, 2) secrets management, 3) access control using Azure RBAC, 4) use of open-source libraries and scanning for vulnerabilities, 5) scanning code for vulnerabilities, and 6) continuous vulnerability scanning of cloud infrastructure and applications. The key takeaways are that security breaches are inevitable in the cloud; secrets, access control, vulnerabilities scanning, and compliance with security best practices are critical.
This document discusses using Docker containers to deploy high performance computing (HPC) applications across private and public clouds. It begins with an abstract describing cloud bursting using Docker containers when demand spikes. The introduction provides background on Docker, a container-based virtualization technology that is more lightweight than hypervisor-based virtual machines. The authors implement a model for deploying distributed applications using Docker containers, which have less overhead than VMs since they share the host operating system and libraries. The system overview shows the process of creating Docker images of web applications, deploying them to containers on private cloud, and bursting to public cloud when thresholds are exceeded. The implementation details installing Docker and deploying applications within containers on the private cloud, then pushing the images
Similar to Security Patterns for Microservice Architectures (20)
What AI Means For Your Product Strategy And What To Do About ItVMware Tanzu
The document summarizes Matthew Quinn's presentation on "What AI Means For Your Product Strategy And What To Do About It" at Denver Startup Week 2023. The presentation discusses how generative AI could impact product strategies by potentially solving problems companies have ignored or allowing competitors to create new solutions. Quinn advises product teams to evaluate their strategies and roadmaps, ensure they understand user needs, and consider how AI may change the problems being addressed. He provides examples of how AI could influence product development for apps in home organization and solar sales. Quinn concludes by urging attendees not to ignore AI's potential impacts and to have hard conversations about emerging threats and opportunities.
Make the Right Thing the Obvious Thing at Cardinal Health 2023VMware Tanzu
This document discusses the evolution of internal developer platforms and defines what they are. It provides a timeline of how technologies like infrastructure as a service, public clouds, containers and Kubernetes have shaped developer platforms. The key aspects of an internal developer platform are described as providing application-centric abstractions, service level agreements, automated processes from code to production, consolidated monitoring and feedback. The document advocates that internal platforms should make the right choices obvious and easy for developers. It also introduces Backstage as an open source solution for building internal developer portals.
Enhancing DevEx and Simplifying Operations at ScaleVMware Tanzu
Cardinal Health introduced Tanzu Application Service in 2016 and set up foundations for cloud native applications in AWS and later migrated to GCP in 2018. TAS has provided Cardinal Health with benefits like faster development of applications, zero downtime for critical applications, hosting over 5,000 application instances, quicker patching for security vulnerabilities, and savings through reduced lead times and staffing needs.
Dan Vega discussed upcoming changes and improvements in Spring including Spring Boot 3, which will have support for JDK 17, Jakarta EE 9/10, ahead-of-time compilation, improved observability with Micrometer, and Project Loom's virtual threads. Spring Boot 3.1 additions were also highlighted such as Docker Compose integration and Spring Authorization Server 1.0. Spring Boot 3.2 will focus on embracing virtual threads from Project Loom to improve scalability of web applications.
Platforms, Platform Engineering, & Platform as a ProductVMware Tanzu
This document discusses building platforms as products and reducing developer toil. It notes that platform engineering now encompasses PaaS and developer tools. A quote from Mercedes-Benz emphasizes building platforms for developers, not for the company itself. The document contrasts reactive, ticket-driven approaches with automated, self-service platforms and products. It discusses moving from considering platforms as a cost center to experts that drive business results. Finally, it provides questions to identify sources of developer toil, such as issues with workstation setup, running software locally, integration testing, committing changes, and release processes.
This document provides an overview of building cloud-ready applications in .NET. It defines what makes an application cloud-ready, discusses common issues with legacy applications, and recommends design patterns and practices to address these issues, including loose coupling, high cohesion, messaging, service discovery, API gateways, and resiliency policies. It includes code examples and links to additional resources.
Dan Vega discussed new features and capabilities in Spring Boot 3 and beyond, including support for JDK 17, Jakarta EE 9, ahead-of-time compilation, observability with Micrometer, Docker Compose integration, and initial support for Project Loom's virtual threads in Spring Boot 3.2 to improve scalability. He provided an overview of each new feature and explained how they can help Spring applications.
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdfVMware Tanzu
Spring Cloud Gateway is a gateway that provides routing, security, monitoring, and resiliency capabilities for microservices. It acts as an API gateway and sits in front of microservices, routing requests to the appropriate microservice. The gateway uses predicates and filters to route requests and modify requests and responses. It is lightweight and built on reactive principles to enable it to scale to thousands of routes.
This document appears to be from a VMware Tanzu Developer Connect presentation. It discusses Tanzu Application Platform (TAP), which provides a developer experience on Kubernetes across multiple clouds. TAP aims to unlock developer productivity, build rapid paths to production, and coordinate the work of development, security and operations teams. It offers features like pre-configured templates, integrated developer tools, centralized visibility and workload status, role-based access control, automated pipelines and built-in security. The presentation provides examples of how these capabilities improve experiences for developers, operations teams and security teams.
The document provides information about a Tanzu Developer Connect Workshop on Tanzu Application Platform. The agenda includes welcome and introductions on Tanzu Application Platform, followed by interactive hands-on workshops on the developer experience and operator experience. It will conclude with a quiz, prizes and giveaways. The document discusses challenges with developing on Kubernetes and how Tanzu Application Platform aims to improve the developer experience with features like pre-configured templates, developer tools integration, rapid iteration and centralized management.
The Tanzu Developer Connect is a hands-on workshop that dives deep into TAP. Attendees receive a hands on experience. This is a great program to leverage accounts with current TAP opportunities.
The Tanzu Developer Connect is a hands-on workshop that dives deep into TAP. Attendees receive a hands on experience. This is a great program to leverage accounts with current TAP opportunities.
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023VMware Tanzu
This document discusses simplifying and scaling enterprise Spring applications in the cloud. It provides an overview of Azure Spring Apps, which is a fully managed platform for running Spring applications on Azure. Azure Spring Apps handles infrastructure management and application lifecycle management, allowing developers to focus on code. It is jointly built, operated, and supported by Microsoft and VMware. The document demonstrates how to create an Azure Spring Apps service, create an application, and deploy code to the application using three simple commands. It also discusses features of Azure Spring Apps Enterprise, which includes additional capabilities from VMware Tanzu components.
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring BootVMware Tanzu
The document discusses 15 factors for building cloud native applications with Kubernetes based on the 12 factor app methodology. It covers factors such as treating code as immutable, externalizing configuration, building stateless and disposable processes, implementing authentication and authorization securely, and monitoring applications like space probes. The presentation aims to provide an overview of the 15 factors and demonstrate how to build cloud native applications using Kubernetes based on these principles.
SpringOne Tour: The Influential Software EngineerVMware Tanzu
The document discusses the importance of culture in software projects and how to influence culture. It notes that software projects involve people and personalities, not just technology. It emphasizes that culture informs everything a company does and is very difficult to change. It provides advice on being aware of your company's culture, finding ways to inculcate good cultural values like writing high-quality code, and approaches for influencing decision makers to prioritize culture.
SpringOne Tour: Domain-Driven Design: Theory vs PracticeVMware Tanzu
This document discusses domain-driven design, clean architecture, bounded contexts, and various modeling concepts. It provides examples of an e-scooter reservation system to illustrate domain modeling techniques. Key topics covered include identifying aggregates, bounded contexts, ensuring single sources of truth, avoiding anemic domain models, and focusing on observable domain behaviors rather than implementation details.
Malibou Pitch Deck For Its €3M Seed Roundsjcobrien
French start-up Malibou raised a €3 million Seed Round to develop its payroll and human resources
management platform for VSEs and SMEs. The financing round was led by investors Breega, Y Combinator, and FCVC.
Project Management: The Role of Project Dashboards.pdfKarya Keeper
Project management is a crucial aspect of any organization, ensuring that projects are completed efficiently and effectively. One of the key tools used in project management is the project dashboard, which provides a comprehensive view of project progress and performance. In this article, we will explore the role of project dashboards in project management, highlighting their key features and benefits.
A neural network is a machine learning program, or model, that makes decisions in a manner similar to the human brain, by using processes that mimic the way biological neurons work together to identify phenomena, weigh options and arrive at conclusions.
Unveiling the Advantages of Agile Software Development.pdfbrainerhub1
Learn about Agile Software Development's advantages. Simplify your workflow to spur quicker innovation. Jump right in! We have also discussed the advantages.
The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...kalichargn70th171
In today's business landscape, digital integration is ubiquitous, demanding swift innovation as a necessity rather than a luxury. In a fiercely competitive market with heightened customer expectations, the timely launch of flawless digital products is crucial for both acquisition and retention—any delay risks ceding market share to competitors.
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...XfilesPro
Wondering how X-Sign gained popularity in a quick time span? This eSign functionality of XfilesPro DocuPrime has many advancements to offer for Salesforce users. Explore them now!
Preparing Non - Technical Founders for Engaging a Tech AgencyISH Technologies
Preparing non-technical founders before engaging a tech agency is crucial for the success of their projects. It starts with clearly defining their vision and goals, conducting thorough market research, and gaining a basic understanding of relevant technologies. Setting realistic expectations and preparing a detailed project brief are essential steps. Founders should select a tech agency with a proven track record and establish clear communication channels. Additionally, addressing legal and contractual considerations and planning for post-launch support are vital to ensure a smooth and successful collaboration. This preparation empowers non-technical founders to effectively communicate their needs and work seamlessly with their chosen tech agency.Visit our site to get more details about this. Contact us today www.ishtechnologies.com.au
INTRODUCTION TO AI CLASSICAL THEORY TARGETED EXAMPLESanfaltahir1010
Image: Include an image that represents the concept of precision, such as a AI helix or a futuristic healthcare
setting.
Objective: Provide a foundational understanding of precision medicine and its departure from traditional
approaches
Role of theory: Discuss how genomics, the study of an organism's complete set of AI ,
plays a crucial role in precision medicine.
Customizing treatment plans: Highlight how genetic information is used to customize
treatment plans based on an individual's genetic makeup.
Examples: Provide real-world examples of successful application of AI such as genetic
therapies or targeted treatments.
Importance of molecular diagnostics: Explain the role of molecular diagnostics in identifying
molecular and genetic markers associated with diseases.
Biomarker testing: Showcase how biomarker testing aids in creating personalized treatment plans.
Content:
• Ethical issues: Examine ethical concerns related to precision medicine, such as privacy, consent, and
potential misuse of genetic information.
• Regulations and guidelines: Present examples of ethical guidelines and regulations in place to safeguard
patient rights.
• Visuals: Include images or icons representing ethical considerations.
Content:
• Ethical issues: Examine ethical concerns related to precision medicine, such as privacy, consent, and
potential misuse of genetic information.
• Regulations and guidelines: Present examples of ethical guidelines and regulations in place to safeguard
patient rights.
• Visuals: Include images or icons representing ethical considerations.
Content:
• Ethical issues: Examine ethical concerns related to precision medicine, such as privacy, consent, and
potential misuse of genetic information.
• Regulations and guidelines: Present examples of ethical guidelines and regulations in place to safeguard
patient rights.
• Visuals: Include images or icons representing ethical considerations.
Real-world case study: Present a detailed case study showcasing the success of precision
medicine in a specific medical scenario.
Patient's journey: Discuss the patient's journey, treatment plan, and outcomes.
Impact: Emphasize the transformative effect of precision medicine on the individual's
health.
Objective: Ground the presentation in a real-world example, highlighting the practical
application and success of precision medicine.
Data challenges: Address the challenges associated with managing large sets of patient data in precision
medicine.
Technological solutions: Discuss technological innovations and solutions for handling and analyzing vast
datasets.
Visuals: Include graphics representing data management challenges and technological solutions.
Objective: Acknowledge the data-related challenges in precision medicine and highlight innovative solutions.
Data challenges: Address the challenges associated with managing large sets of patient data in precision
medicine.
Technological solutions: Discuss technological innovations and solutions
What to do when you have a perfect model for your software but you are constrained by an imperfect business model?
This talk explores the challenges of bringing modelling rigour to the business and strategy levels, and talking to your non-technical counterparts in the process.
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian CompaniesQuickdice ERP
Explore the seamless transition to e-invoicing with this comprehensive guide tailored for Saudi Arabian businesses. Navigate the process effortlessly with step-by-step instructions designed to streamline implementation and enhance efficiency.
Enhanced Screen Flows UI/UX using SLDS with Tom KittPeter Caitens
Join us for an engaging session led by Flow Champion, Tom Kitt. This session will dive into a technique of enhancing the user interfaces and user experiences within Screen Flows using the Salesforce Lightning Design System (SLDS). This technique uses Native functionality, with No Apex Code, No Custom Components and No Managed Packages required.
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...kalichargn70th171
In today's fiercely competitive mobile app market, the role of the QA team is pivotal for continuous improvement and sustained success. Effective testing strategies are essential to navigate the challenges confidently and precisely. Ensuring the perfection of mobile apps before they reach end-users requires thoughtful decisions in the testing plan.
14 th Edition of International conference on computer visionShulagnaSarkar2
About the event
14th Edition of International conference on computer vision
Computer conferences organized by ScienceFather group. ScienceFather takes the privilege to invite speakers participants students delegates and exhibitors from across the globe to its International Conference on computer conferences to be held in the Various Beautiful cites of the world. computer conferences are a discussion of common Inventions-related issues and additionally trade information share proof thoughts and insight into advanced developments in the science inventions service system. New technology may create many materials and devices with a vast range of applications such as in Science medicine electronics biomaterials energy production and consumer products.
Nomination are Open!! Don't Miss it
Visit: computer.scifat.com
Award Nomination: https://x-i.me/ishnom
Conference Submission: https://x-i.me/anicon
For Enquiry: Computer@scifat.com
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISTier1 app
Are you ready to unlock the secrets hidden within Java thread dumps? Join us for a hands-on session where we'll delve into effective troubleshooting patterns to swiftly identify the root causes of production problems. Discover the right tools, techniques, and best practices while exploring *real-world case studies of major outages* in Fortune 500 enterprises. Engage in interactive lab exercises where you'll have the opportunity to troubleshoot thread dumps and uncover performance issues firsthand. Join us and become a master of Java thread dump analysis!
UI5con 2024 - Keynote: Latest News about UI5 and it’s EcosystemPeter Muessig
Learn about the latest innovations in and around OpenUI5/SAPUI5: UI5 Tooling, UI5 linter, UI5 Web Components, Web Components Integration, UI5 2.x, UI5 GenAI.
Recording:
https://www.youtube.com/live/MSdGLG2zLy8?si=INxBHTqkwHhxV5Ta&t=0
Measures in SQL (SIGMOD 2024, Santiago, Chile)Julian Hyde
SQL has attained widespread adoption, but Business Intelligence tools still use their own higher level languages based upon a multidimensional paradigm. Composable calculations are what is missing from SQL, and we propose a new kind of column, called a measure, that attaches a calculation to a table. Like regular tables, tables with measures are composable and closed when used in queries.
SQL-with-measures has the power, conciseness and reusability of multidimensional languages but retains SQL semantics. Measure invocations can be expanded in place to simple, clear SQL.
To define the evaluation semantics for measures, we introduce context-sensitive expressions (a way to evaluate multidimensional expressions that is consistent with existing SQL semantics), a concept called evaluation context, and several operations for setting and modifying the evaluation context.
A talk at SIGMOD, June 9–15, 2024, Santiago, Chile
Authors: Julian Hyde (Google) and John Fremlin (Google)
https://doi.org/10.1145/3626246.3653374
1. Matt Raible | @mraible
September 3, 2020
Security Patterns For
Microservice Architectures
Photo by PURE - VIRTUAL on https://unsplash.com/photos/HY1XMkaIvFY
2. @mraible
Who is Matt Raible?
Father, Husband, Skier, Mountain
Biker, Whitewater Rafter
Bus Lover
Web Developer and Java Champion
Okta Developer Advocate
Blogger on raibledesigns.com and
developer.okta.com/blog
@mraible
3.
4.
5.
6. @mraible
Why Microservices?
IF
you are developing a large/complex application
AND
you need to deliver it rapidly, frequently and reliably
over a long period of time
THEN
the Microservice Architecture is often a good choice
7. @mraible
The information on security patterns for
microservice security is limited
microservices.io
Why Security Patterns
for Microservices?
9. @mraible
11 Security Patterns for Microservice Architectures
1. Be Secure by Design
2. Scan Dependencies
3. Use HTTPS Everywhere
4. Use Access and Identity Tokens
5. Encrypt and Protect Secrets
6. Verify Security with Delivery
Pipelines
7. Slow Down Attackers
8. Use Docker Rootless Mode
9. Use Time Based Security
10. Scan Docker and Kubernetes
Configuration for Vulnerabilities
11. Know Your Cloud and Cluster
Security
42. @mraible
Services can use access tokens to
talk to any other internal services
Single place to look for all definitions
Easier to manage
Faster
Opens you up to rogue services
causing problems
If one service’s token is
compromised, all services are at risk
Vague service boundaries
Authorization Servers: Many to One
Pros Cons
44. @mraible
Clearly defined security boundaries Slower (more talking over the network)
Hard to manage
Many authorization servers
Many scopes in many places
Hard to document/understand
Authorization Servers: One to One
Pros Cons
53. @mraible
7. Slow Down Attackers
Beyond CI/CD: How
Continuous Hacking of
Docker Containers and
Pipeline Driven Security
Keeps Ygrene Secure
by Zach Arnold and Austin Adams
https://bit.ly/2xrUsJe
54. @mraible
Create a whitelist of base images
Pull only cryptographically signed base images
Sign the metadata of a published image cryptographically
Use only Linux distros that verify the integrity of the package
Only allow HTTPS for third-party dependencies
Don’t build images with a sensitive host path as a volume mount
Hacking Docker Recommendations
55. @mraible
Run static code analysis for known vulnerabilities
Run automated dependency checkers to ensure latest versions
Spin up your service and run automated penetration bots on the
running containers
Check out zaproxy (https://www.zaproxy.org)
What About the Code?
62. Docker
Image
Security Best
Practices
https://snyk.io
In Snyk’s State of open source security report 2019, we found each of
the top ten docker images to include as many as 580 vulnerabilities in
their system libraries.
Choose images with fewer OS libraries and tools lower
the risk and attack surface of the container
Use multi-stage builds
A verbose image tag with which to pin both version and operating
system, for example: FROM node:8-alpine
Sign your images with the help of Notary
It’s easy to accidentally leak secrets, tokens, and keys into images
when building them. To stay safe, follow these guidelines:
We put a lot of trust into docker images. It is critical to make sure the
image we’re pulling is the one pushed by the publisher, and that no one
has tampered with it.
Scan your docker images for known vulnerabilities and integrate it as
part of your continuous integration. Snyk is an open source tool that
scans for security vulnerabilities in open source application libraries and
docker images.
Use Snyk to scan a docker image:
$ snyk test --docker node:10 --file=path/to/
Dockerfile
Use Snyk to monitor and alert to newly disclosed vulnerabilities in a
docker image:
$ snyk monitor --docker node:10
Create a dedicated user and group on the image, with minimal
permissions to run the application; use the same user to run this process.
For example, Node.js image which has a built-in node generic user: Docker image owners can push new versions to the same tags, which may
result in inconsistent images during builds, and makes it hard to track if a
vulnerability has been fixed. Prefer one of the following:
Arbitrary URLs specified for ADD could result in MITM attacks, or sources of
malicious data. In addition, ADD implicitly unpacks local archives which may
not be expected and result in path traversal and Zip Slip vulnerabilities.
Use COPY, unless ADD is specifically required.
Labels with metadata for images provide useful information for users.
Include security details as well.
Use and communicate a Responsible Security Disclosure policy by adopting a
SECURITY.TXT policy file and providing this information in your images labels.
Use multi-stage builds in order to produce smaller and cleaner images, thus
minimizing the attack surface for bundled docker image dependencies.
Enforce Dockerfile best practices automatically by using a static code analysis tool
such as hadolint linter, that will detect and alert for issues found in a Dockerfile.
Don’t leak sensitive information to docker
images
Prefer minimal base images
Sign and verify images to mitigate MITM attacks
Find, fix and monitor for open source
vulnerabilities
Least privileged user
Use fixed tags for immutability
Use COPY instead of ADD
Use labels for metadata
Use multi-stage builds for small secure images
Use a linter
5.1.
3.
4.
2.
6.
7.
8.
9.
10.
Prefer alpine-based images over full-blown system OS images
Use the Docker secrets feature to mount sensitive files without
caching them (supported only from Docker 18.04).
An image hash to pin the exact contact, for example:
FROM node:<hash>
Use a .dockerignore file to avoid a hazardous COPY instruction,
which pulls in sensitive files that are part of the build context
Verify the trust and authenticity of the images you pull
FROM node:10-alpine
USER node
CMD node index.js
@omerlh
Authors:
DevSecOps Engineer at Soluto by Asurion
@liran_tal
Node.js Security WG & Developer Advocate at Snyk
10
63. Top 5 Docker Vulnerabilities
https://resources.whitesourcesoftware.com/blog-whitesource/top-5-docker-vulnerabilities
65. @mraible
The 4C’s of Cloud Native Security
https://unsplash.com/photos/_uAVHAMjGYAhttps://kubernetes.io/docs/concepts/security/#the-4c-s-of-cloud-native-security
66. @mraible
7. Statically Analyze YAML
8. Run Containers as a Non-Root
User
9. Use Network Policies
(to limit traffic between pods)
10. Scan Images and Run IDS
(Intrusion Detection System)
11. Run a Service Mesh
11 Ways (Not) to Get Hacked
1. Use TLS Everywhere
2. Enable RBAC with Least Privilege,
Disable ABAC, and use Audit Logging
3. Use a Third-Party Auth provider
(like Google, GitHub - or Okta!)
4. Separate and Firewall your etcd
Cluster
5. Rotate Encryption Keys
6. Use Linux Security Features and a
restricted PodSecurityPolicy
67. Run a Service Mesh
https://www.redhat.com/en/topics/microservices/what-is-a-service-mesh
68. @mraible
1. Be Secure by Design
2. Scan Dependencies
3. Use HTTPS Everywhere
4. Use Access and Identity Tokens
5. Encrypt and Protect Secrets
6. Verify Security with Delivery
Pipelines
Excellent Security Patterns for Microservice Architectures
7. Slow Down Attackers
8. Use Docker Rootless Mode
9. Use Time Based Security
10. Scan Docker and Kubernetes
Configuration for Vulnerabilities
11. Know Your Cloud and Cluster
Security
70. @mraible
Learn More About API Security
1. Transport Layer Security
2. DOS Mitigation Strategies
3. Sanitizing Data
4. Managing API Credentials
5. Authentication
6. Authorization
7. API Gateways
https://developer.okta.com/books/api-security 👉