Top 10 Kubernetes Security Risks Every DevSecOps Pro Should Know

source link: https://factory.faun.dev/newsletters/i/top-10-kubernetes-security-risks-every-devsecops-pro-should-know-e85463b4-8c00-433f-b49b-46aa85f5b8be

Zeno
 
Remarkable posts, stories, tools, tutorials and tips from the DevSecOps community!
Patrons
 
 
Advertise with FAUN
 
 
Meet developers where they are, not where you want them to be. Fill the form and download our mediakit.
 
 
 
🔔Announcement

We're thrilled to announce Humans Behind Code!

Humans Behind Code (HBC) is a project by FAUN, where developers meet other developers and learn about the people behind the tools, libraries, frameworks, and other projects they use to build their applications.

We interview developers and ask them about their projects, their motivations, their struggles, and their successes. It's about sharing knowledge and helping each other grow.

👉 If you're a Developer or a maintainer of a widely adopted Open Source project and you think it's worth talking about it and your experiences in building it, join Humans Behind Code!

Best,
Aymen from FAUN.

If you have any questions, just hit the reply button!
 
 
From FAUNers 🐾
 
 
A Remote Code Execution in JXPath Library (CVE-2022-41852)
 
 
On 6 October 2022, a new CVE was published for a critical vulnerability with the identifier CVE-2022-41852. This vulnerability affects a Java library called Apache Commons JXPath, which is used for processing XPath syntax. All versions (including the latest version) are affected by this vulnerability.

According to NIST, the vulnerability score is 9.8 CRITICAL with CVSS:

Currently, there is no official fix for this vulnerability, but we might have a solution that should protect the application; however, it will disable the use of functions in all XPaths completely.

Check out this article to understand if you're vulnerable and understand the vulnerability using a PoC.

By @tutorialboy24
 
 
👉 Create your FAUN Page if it's not done yet and start sharing your blog posts, news, and tools on FAUN Developer Community, collect badges and more!
 
Sponsors
 
 
Best VPN Deal
 
 
NordVPN 68% Black Friday discount is here!

👉 Access anything online without restrictions
👉 Add extra layers of security to your digital life
👉 Get the best online protection tools along with your NordVPN service.
👉 Get 3 months FREE with the 2-year plan
 
 
 
From the web
 
 
Detect and respond to security events in Azure with Microsoft Sentinel
 
 
This article presents how to detect and respond to different security events in Azure and DevOps platforms using Microsoft Sentinel
 
 
 
Linux Security Hardening and Other Tweaks   ✅
 
 
A collection of kernel and userland settings one can change to improve the security and usability of a Linux system. Targeted at Arch, but should work for other distros too.
 
 
 
A Technical DevSecOps Adoption Framework   ✅
 
 
This blog post describes a new DevSecOps adoption framework (created by Vanessa Jackson and Lyndsi Hughes) that guides the planning and implementation of a roadmap to functional CI/CD pipeline capabilities.
 
 
 
Top 10 Kubernetes Security Risks Every DevSecOps Pro Should Know   ✅
 
 
The mission to run any containerized application on any infrastructure makes security a challenge on Kubernetes.
 
 
 
How to Find Secrets that are Accidentally Committed to GIT
 
 
Secrets that can be exposed to the internet include Slack tokens, database credentials, cloud access keys, secret keys and developer tokens.

When a secret makes its way to a Git repository, it stays there forever, sitting in one or more of your commits, waiting to be found and used against you. Developers often forget that Git-based repository history is never deleted.

Many tools in the market can scan your repository, or commits before pushing, to ensure that no secrets are stored or pushed to the remote origin.
 
 
 
Supporters
 
 
70% off on the 2TB Internxt Annual Plan
 
 
✅ Encrypted file storage and sharing
✅ Access your files from any device
✅ Get access to all our services

Discount available until December 5th.
 
 
 
Post Developers Jobs for Free on FAUN
 
 
Reach developers where they are, not where you want them to be.
Post jobs for free and reach thousands of developers.
 
 
 
Quick Hits
 
 
CloudTruth raises $5.25 million to solve cloud configuration issues for Software Developers and CloudOps teams.
  • CloudTruth, a unified configuration management company, announced it has raised $5.25 million in seed funding led by Glasswing Ventures and Gutbrain Ventures, with additional funding from Stage 1 Ventures and York IE. 
  • CloudTruth unifies access and visibility into companies’ infrastructure, application, and secrets configuration data. CloudTruth’s API, CLI, and GUI enable companies to manage their parameters, templates, environment variables, and secrets from one central location.
 
 
Progress survey reveals the factors driving the adoption and evolution of DevSecOps over the next two years.
  • Progress, a provider of application development and infrastructure software, announced the results of its 2022 survey, “DevSecOps: Simplifying Complexity in a Changing World.”
  • More than 600 IT, security, application development and DevOps decision makers globally shared insights into the level of DevSecOps maturity and challenges faced across their organizations. 
  • 17% of organizations still considered themselves at an exploratory and proof-of-concept stage with respect to DevSecOps.
  • 86% experienced challenges in their current approaches to security and 51% admitted that they didn’t fully understand how security fits into DevSecOps.
  • 71% agreed that culture was the biggest barrier to DevSecOps progress.
 
 
Tools
 
 
DovAmir/awesome-design-patterns
 
 
A curated list of software and architecture related design patterns.
 
 
 
rebataur/djkube
 
 
Tool for Django developers to set up full-stack EKS Kubernetes with all necessary tools, including DevSecOps, in 40 minutes
 
 
 
Twingate-Labs/tg-ip-lookup
 
 
Lookup an IP address to find out which public cloud it originates from
 
 
 
jube-home/jube
 
 
Jube is open-source transaction and event monitoring software. Jube implements real-time data wrangling, artificial intelligence, decision making and case management. Jube is particularly strong when implemented in fraud and abuse detection use cases.
 
 
 
Meme of the week
 
 
 
Zeno #347: Top 10 Kubernetes Security Risks Every DevSecOps Pro Should Know
Legend: ✅ = editors' choice / ♻️ = Old but gold / ✨ = sponsored / 🔰 = beginner friendly