Our previous two articles about securing the Docker ecosystem addressed two specific and critical areas: the Daemon and the container Build Phase. In each article, we shed light on the dark side of various default configurations, presented evidence of the latest attack methods during the build phase, danced with the Daemon and secured its weak underbelly… and less fantastically, we provided expertly-articulated recommendations and best practices to help you in your Docker-securing endeavors. If you haven’t read these articles yet, here are the links to the first and second blog posts.
Welcome back to Securing the Docker Ecosystem - our three-part series on improving the security posture of your Docker ecosystem. In each article, we address one particular aspect of Docker through a security lens.
In recent times, two key advancements, the acceleration of the software development cycle and the increasing complexity of the application stack, have triggered the need for faster and easier ways of pushing code into production. In this context, more lightweight, flexible, and resource-efficient approaches, such as “containers”, have become increasingly popular. As a result, more and more organisations have adopted Docker technology as the de facto standard in their application container space.
Adaptive AppSec Learning for Developers: The Advantages that Organisations Just Can't Afford to Ignore
Ever heard of a pilot who flew a real plane after merely reading about it in a manual?
Or a chef in a five star restaurant who served real customers after only reviewing a couple of recipe books?
Or a professional musician who gave a real performance after simply memorizing some musical compositions?
Breaking: Elasticsearch instance left wide open by SomeCompany, exposing millions of records, including passwords and other personal data… now to sports
Sound familiar? Headlines like this have become increasingly common front page news items over the past several years, as adoption of Elasticsearch, a powerful distributed search and analytics engine based on the Lucene indexing library, has grown exponentially. The combination of its rising popularity and its stark lack of default-enabled security features has ensured the widespread presence of misconfigured instances in the wild. This article explores the impact of a number of misconfigurations that occur when the best practice guidelines provided by the (excellent) official documentation are neglected.
Data is everywhere… but so are data thieves!
Any organization that collects, processes, analyzes, or stores data needs to be aware of the risks to this data. And this is especially true for organizations that collect, process, analyze, or store financial data.
Kubernetes Container Orchestration!…
Now that we have your attention, let’s dig a little deeper into Kubernetes, an open-source orchestration layer that manages container-based applications.
In this article we’ll explore some of the security challenges you’re going to face when administering Kubernetes clusters, and the appropriate preventative measures to batten down the Kubernetes hatches.
All applications risk being hacked without robust, properly configured application security controls in place. Whereas employing a team of ethical hackers may help in providing assurance on the resilience of the system post-deployment, having a secure Software Development Life Cycle (SDLC) better equips organizations in addressing security concerns at the foundational level. Building security early in the SDLC is more cost efficient and scalable, enabling organizations to identify and correct security issues earlier in the development life cycle.