Tag: Security Posture
-
Artifact Registry VEX in GCP
Introduction Vulnerability Exchange (VEX) or Vulnerability Exploitability eXchange is a communication format that is used to share detailed information about the exploitability of vulnerabilities in software products. VEX documents provide essential details about vulnerabilities, focusing on whether they are exploitable in the specific context of the software or environment in which they are found. Given…
-
Google Cloud Privileged Access Management
Today’s vast array of identities whether they are human-centric identities or machine-identities have a large amount of permissions tied to them, given the attack surface of cloud identities can be tied to resources that are also mapped to other services this can be a sticky situation. Most hyperscalers have best practices documented on Identity and…
-
Defender for Containers (CWPP)
If you’re managing production-grade workloads on a major cloud platform, it’s essential to assess your security framework, particularly as you shift towards microservices and orchestration. A key yet often overlooked solution in this space is Microsoft Defender for Containers. Part of the broader Microsoft Defender for Cloud, this tool provides critical visibility and protection for…
-
AWS Config
Cloud operations with the control plane leverage a large amount of API’s and permissions behind the scenes abstracted from the end users. To continuously address these changes and states in your environment natively you can use AWS Config. Visually the set up for this in a simple configuration is shown below to illustrate the service…
-
KubeArmor Explored
KubeArmor is a cloud-native runtime security enforcement system that works with restricting behavior (this resides with execution, file access, and network operations) of pods, containers, and nodes (VM’s) at the system level. The way this tool works is by using Linux Security Modules which to no surprise are enamored in the Certified Kubernetes Security Specialist…
-
Otterize Intent Based Access Control in Kubernetes
Introduction Otterize is a organization that provides open-source CLI tool and a cloud-managed platform for managing kubernetes policies in a client-centric manner. In a nutshell, instead of mapping network policies depending on the CNI that you’re utilizing either Cilium, Calico, or Flannel this will alter the normal syntax you can put Intent-based for the workloads…
-
Conftest and authoring custom checks in Policy as Code
Introduction In the rapidly evolving world of Infrastructure as Code (IaC), ensuring compliance and security is paramount. How can we use tools that agnostically enforce guard rails uninformedly? One way to do this without incurring extravagant costs is using Conftest a wrapper of OPA. In this latest blog I’m going to cover how Conftest seamlessly…
-
Azure Kubernetes Service with Notary and Ratify
Introduction Azure Kubernetes Service while having many additions and capabilities continues to implement more native security controls and recently announced the use of signed images with leveraging the open-source project Ratify for a parameter known as ImageIntegrity. This is not only a step-forward of first party native capabilities but also a guard-rail that extends the…
-
Wazuh on Kubernetes
Wazuh is a open-source XDR and SIEM with cloud workload protection in this blog post we are covering the kubernetes deployment of resources for Wazuh in a cluster. For starters we are going to need to clone our repo to follow along mind you I’m hosting this in AKS. For clusters involving EKS in the…
-
Chaos Studio Experiments in AKS
Introduction Chaos Studio was presented as a service in Microsoft Azure that is to measure and understand your applications service resilience, I’ve wrote about using LitmusChaos previously in a blog but felt like I could create more on this topic as application resiliency is not only pivotal to organizations operations. Chaos Engineering is the practice…