
Tools, techniques, and procedures to write secure Dockerfiles

Docker is a familiar name by now. It has been instrumental in streamlining and improving the workflows of developers, operations, and other engineering teams. In this article, we are going to learn best practices to write Dockerfiles using BuildKit features, linters, and other tools. We’ll also touch on leveraging OPA (Open Policy Agent) to write custom policies.

TL;DR: this article is based on A practical guide to writing secure Dockerfiles, a presentation that took place at the recent Container Day conference. The talk is available online as a video recording.

Practical Guide to Writing Secure Dockerfiles @ WeAreDevelopers Live —…

AllDayDevOps 2020

24 Hours, 180 Speakers, it’s Free and Online

If you are hearing about All Day DevOps for the first time, it is not a conference that went virtual because of COVID-19. It has been running for the past 5 years and has been virtual since the beginning.

What is All Day DevOps 2020?

All Day DevOps is a global community of DevOps practitioners and thought leaders offering free learning and information exchanges. Founded in 2016, the community hosts an annual conference, live forums, and ongoing educational experiences online.

This year's 5th Annual All Day DevOps is on November 12, 2020. Starting at 9:00 AM GMT and continuing for 24 hours, there will be 6 simultaneous tracks, with each…

Intentionally vulnerable cluster environment to learn and practice Kubernetes security.

I have been working in containers, Kubernetes and its security for quite some time. I felt that there is a gap between the security and technology understanding of Kubernetes itself. We all learnt using different goats in the security world, like WebGoat. I wanted to create a simple environment where anyone can practice and learn to get started in Kubernetes security.

That’s how it all started with Kubernetes Goat. It has a lot of extensively documented scenarios which are taken from real-world attacks, vulnerabilities and misconfigurations.

Your go-to container for hacking Kubernetes clusters

Hacker Container is a simple Alpine-based Docker container with commonly used tools and utilities for performing security assessments of containerised and Kubernetes cluster environments.

The repository and project information can be found here

Why Hacker Container?

While performing and testing container or Kubernetes infrastructure, I always have to install some common tools inside a container to perform further exploitation and lateral movement within the cluster.

To give an example, I have found a Redis service within the cluster without any authentication or network security policies. …

Penetration Testing World — Part 2

Hello Folks,

This article is part of the series called How does the pen testing world do penetration testing. If you haven’t read Part 1, please check the link below.

Activities of different standards organisations for performing penetration testing

There are different suggested methodologies for penetration testing; some of the main ones are:

  • PTES Methodology
  • OWASP Methodology
  • OSSTMM Methodology
  • ISSAF Methodology

PTES Methodology

PTES is a newer standard designed to provide both businesses and security service providers with a common language and scope for performing penetration tests. The industry has used the term Penetration Test in a variety of ways in the past. This has driven a large amount of confusion to…


Docker is everywhere! In modern day-to-day development and operations, we use Docker images and containers to run our applications everywhere from developer laptops, Raspberry Pis and staging servers to production environments.

As we use modern technologies and tools, we tend to forget to secure them while building and serving customers. That is why we can write and codify our security requirements into policies and validate them against the Dockerfiles (Infrastructure as Code) to identify potential security risks before deploying them into production.

What is Conftest?

Conftest is a utility to help you write tests against structured configuration data. For instance, you…

TL;DR: Woah! What an exciting ride it was :)


Hello everyone, I’m not sure how I should start writing this post. It’s been one amazing ride these last few years at Appsecco. I believe all good stories need to be told, so here’s me writing about my journey as one of the earliest core team members of an amazing company with an even more amazing team!

An unbelievable opportunity

It all started when I was about to quit my previous job and was thinking of moving outside India for some time. Given that I had worked with Akash before, I sought his opinion and ended up accepting an offer to work with him…

All Day DevOps — World’s largest DevOps conference

Speaking and working experience with one of the world’s largest online communities

Hello Everyone,

This blog post is all about All Day DevOps, especially why you should submit your proposal to see the world-class experience of presenting your research. I have added my experience as a veteran of speaking at and organizing the All Day DevOps event for the past 3 years, and it keeps growing :)

First of all, let me tell you what All Day DevOps is

All Day DevOps is a FREE online community responsible for creating the world’s largest DevOps conference.

✅ 24 Hours ✅ Live Streaming ✅ 125 Speakers ✅ Five Tracks ✅ 38 Time Zones ✅ World…

Docker Hub hack: 190k accounts compromised, putting everyone at risk!

As most of you must be aware, Docker Hub was compromised very recently, and this attack has put almost 190K users at risk. In my opinion, this is one of the craziest supply chain attacks in recent history. I say so because it is not easy to make oneself foolproof against this attack. We might have to review multiple things before we feel safe, and still, we cannot guarantee that we are secure enough.

Read more about this hack in the Hacker News thread

For your benefit, I have come up with a list of checks which…

Automated Defense using Cloud Services for AWS, Azure and GCP at Black Hat USA 2019, Las Vegas

We are back at Black Hat USA with our sold out training at Black Hat USA 2018!

I’m really excited to announce that our sold-out training from Black Hat USA 2018 will be running at Black Hat USA 2019 in Las Vegas.

The training was a great success in Las Vegas in August 2018 and I’m really happy that I’ve been invited, along with my colleague Akash, to run our updated session in August 2019.

You can register here and there’s an early-bird discount until May 24th!

Here are some glimpses of the training

Madhu Akula

Leader, Advisor, Author, Speaker & Trainer | #Security #CloudNative, #Kubernetes, #DevSecOps, #DevOps | Tweets @madhuakula | Never ending learner!
