This week's articles
What I Learned Watching All 44 AppSec Cali 2019 Talks
watched, analyzed, and summarized every talk from AppSec Cali 2019 and wrote detailed summaries for each one of them. This post is a great source of information covering DevSecOps, scaling security, threat modeling, building a security program, & more. All from one of the best security conferences currently in the industry.
So you're interested in container security but not sure where to get started?
Here's a YouTube playlist of some great talks for you to get up to speed.
Istio as an Example of When Not to Do Microservices
A micro-services approach may be appropriate when the culmination of an application’s architecture has become a bottleneck (as a result of the various people/process/tech factors) for making changes and “going faster”, but it is not the only approach.
How to Monitor the Kubernetes API Server
Learning how to monitor the Kubernetes API server is of vital importance when running Kubernetes in production. Monitoring kube-apiserver
will let you detect and troubleshoot latency, errors, and validate the service performs as expected. This post covers how you can collect the most important metrics from the kube-apiserver
and use them to monitor this service.
Elastic Cloud on Kubernetes (ECK) 1.0 is now generally available
ElasticCloud on Kubernetes (ECK) is now generally available. With ECK, users have a seamless way to deploy, manage, and operate the ElasticStack on Kubernetes.
Announcing General Availability of CloudSploit for GCP
Aqua Security announced the general availability of CloudSploit for Google Cloud Platform (GCP). This release also includes a Center for Internet Security (CIS) benchmark certification for GCP (more on this in the CSP-related section).
Announcing the Kubernetes bug bounty program
The Kubernetes Product Security Committee is launching a new bug bounty program
, funded by the CNCF, to reward researchers finding security vulnerabilities in Kubernetes.
From the cloud providers
is an open source reverse proxy that enables OIDC authentication to various backends. In the case of EKS, it can be used for OIDC authentication to multiple EKS clusters using the same user identity given by a third party provider. This post will explore how Kube-OIDC-Proxy works, how to deploy it into multiple EKS clusters and how to leverage other open source tooling to provide a seamless authentication experience to end users.
Exploring container security: Announcing the CIS Google Kubernetes Engine Benchmark
Google released a CIS GKE Benchmark (a subset of the Kubernetes Benchmark) that removes what you're not responsible for and is specific to GKE. For the CIS GKE Benchmark, there's Security Health Analytics
, a security product that integrates into Security Command Center and that has built-in checks for several CIS GCP and GKE Benchmark items.
Introducing Microsoft Application Inspector
Microsoft released an open source code analyzer called Microsoft Application Inspector
to identify "interesting" features and metadata, like the use of cryptography, connecting to a remote entity, and the platforms it runs on.