Docker is a familiar name by now. It has been instrumental in streamlining and improving the workflows of developers, operations, and other engineering teams. In this article, we are going to learn best practices to write Dockerfiles using BuildKit features, linters, and other tools. We’ll also touch on leveraging OPA (Open Policy Agent) to write custom policies.
TL;DR: this article is based on A practical guide to writing secure Dockerfiles, a presentation that took place at the recent Container Day conference. The talk is available online as a video recording.
If you are hearing about All Day DevOps for the first time, it is not a virtual conference created because of COVID-19. It has existed for the past 5 years and has been virtual since the beginning.
All Day DevOps is a global community of DevOps practitioners and thought leaders offering free learning and information exchanges. Founded in 2016, the community hosts an annual conference, live forums, and ongoing educational experiences online.
This year’s 5th Annual All Day DevOps is on November 12, 2020. Starting at 9:00 AM GMT and continuing for 24 hours, there will be 6 simultaneous tracks, with each…
I have been working in containers, Kubernetes and their security for quite some time. I felt that there was a gap between the security and technology understanding of Kubernetes itself. We all learnt using the different “goats” in the security world, like WebGoat. I wanted to create a simple environment where anyone can practise and learn to get started in Kubernetes security.
That’s how it all started with Kubernetes Goat. But it has a lot of extensively documented scenarios which are taken from real-world attacks, vulnerabilities and misconfigurations.
Hacker Container is a simple Alpine-based Docker container with commonly used tools and utilities for performing security assessments of containerised and Kubernetes cluster environments.
The repository and project information can be found here https://github.com/madhuakula/hacker-container
While performing and testing container or Kubernetes infrastructure, I always have to install some common tools inside a container to perform further exploitation and lateral movement within the cluster.
To give an example, I have found a Redis service within the cluster without any authentication or network security policies. …
This article is part of the series called How does the pen testing world do penetration testing. If you haven’t read Part 1, please check the link below.
There are different suggested methodologies for penetration testing; some of the main ones are:
PTES is a newer standard designed to provide both businesses and security service providers with a common language and scope for performing penetration testing. The industry has used the term Penetration Test in a variety of ways in the past. This has driven a large amount of confusion to…
Docker is everywhere! In modern day-to-day development and operations, we use Docker images and containers to run our applications everywhere, from developer laptops and Raspberry Pis to staging servers and production environments.
As we use modern technologies and tools, we tend to forget to secure them while building and serving customers. That is why we can write and codify our security into policies and validate them against the Dockerfiles (Infrastructure as Code) to identify potential security risks before deploying them into production.
Conftest is a utility to help you write tests against structured configuration data. For instance you…
Hello everyone, I’m not sure how I should start writing this post. It’s been one amazing ride these last few years at Appsecco. I believe all good stories need to be told, so here’s me writing about my journey as one of the earliest core team members of an amazing company with an even more amazing team!
It all started when I was about to quit my previous job and was thinking of moving outside India for some time. Given that I had worked with Akash before, I sought his opinion and ended up accepting an offer to work with him…
This blog post is all about All Day DevOps, especially why you should submit your proposal to see the world-class experience of presenting your research. I have added my experience as a veteran of speaking at and organizing the All Day DevOps event for the past 3 years, and it keeps growing :)
First of all, let me tell you what All Day DevOps is.
All Day DevOps is a FREE online community responsible for creating the world’s largest DevOps conference.
✅ 24 Hours ✅ Live Streaming ✅ 125 Speakers ✅ Five Tracks ✅ 38 Time Zones ✅ World…
As most of you must be aware, Docker Hub was compromised very recently and this attack has put almost 190K users at risk. In my opinion, this is one of the craziest supply chain attacks in recent history. I say so because it is not easy to make oneself foolproof against this attack. We might have to review multiple things before we feel safe, and still, we cannot guarantee that we are secure enough.
Read more about this hack in the Hacker News thread.
For your benefit, I have come up with a list of checks which…
I’m really excited to announce that our sold-out training from Black Hat USA 2018 will be running at Black Hat USA 2019 in Las Vegas.
The training was a great success in Las Vegas in August 2018 and I’m really happy that I’ve been invited, along with my colleague Akash, to run our updated session in August 2019.
You can register here https://www.blackhat.com/us-19/training/schedule/index.html#automated-defence-using-cloud-services-for-aws-azure-and-gcp-142671547062991 and there’s an early-bird discount until May 24th!
Leader, Advisor, Author, Speaker & Trainer | #Security #CloudNative, #Kubernetes, #DevSecOps, #DevOps | Tweets @madhuakula | Never ending learner!