This page provides an in-depth look at how Cloudflare harnesses physical chaos to bolster Internet security and explores the potential of public randomness and timelock encryption in applications.
There is the story of Cloudflare’s LavaRand, a system that uses physical entropy sources like lava lamps for Internet security, has grown over four years, diversifying beyond its original single source. Cloudflare handles millions of HTTP requests secured by TLS, which requires secure randomness. LavaRand contributes true randomness to Cloudflare’s servers, enhancing the security of cryptographic protocols.
Introducing three new AI models – Haiku, Sonnet, and Opus – with ascending capabilities for various applications1. Opus and Sonnet are now accessible via claude.ai and the Claude API, with Haiku coming soon. Opus excels in benchmarks for AI systems.
All models feature improved analysis, forecasting, content creation, code generation, and multilingual conversation abilities.
kubectl trick of the week.
.bahsrc
function k_get_images_digests {
ENV="$1";
APP="$2"
kubectl --context ${ENV}-aks \
-n ${ENV}-security get pod \
-l app.kubernetes.io/instance=${APP} \
-o json| jq -r '.items[].status.containerStatuses[].imageID' |uniq -c
}
alias k-get-images-id=k_get_images_digests
Through this alias you can get all the image digests of a specific release filtering by its label and then filter for unique values
After the big license change now someone talks about a big sell in Hashicorp 😦 https://archive.is/iPekU
Bash
To generate strong random #password you don’t need online suspicious services but just old plain bash/WSL. This function leverages your filesystem folder /dev/urandom, the output is cryptographically secure and we then match only acceptable characters in a list and finally cut a 16 length string.
Keep it with you as an alias in your .bashrc maybe 🙂
function getNewPsw(){
tr -dc 'A-Za-z0-9!"#$%&'\''()*+,-./:;<=>?@[\]^_`{|}~' </dev/urandom | head -c 16; echo
}
DevOps companies have always been in a constant pursuit of making their software development process faster, efficient, and secure. In the quest for better software security, a shift is happening from using traditional vulnerability scanners to utilizing Software Bill of Materials (SBOM) generation. This article explains why devops companies are making the switch and how SBOM generation provides better security for their software.
A CVE is known to all, it’s a security flaw call It’s a number assigned, to an exposure we’ve spied It helps track and prevent, any cyber threats that might hide!
Vulnerability scanners are software tools that identify security flaws and vulnerabilities in the code, systems, and applications. They have been used for many years to secure software and have proven to be effective. However, the increasing complexity of software systems, the speed of software development, and the need for real-time security data have exposed the limitations of traditional vulnerability scanners.
Executive Order 14028
Executive Order 14028, signed by President Biden on January 26, 2021, aims to improve the cybersecurity of federal networks and critical infrastructure by strengthening software supply chain security. The order requires federal agencies to adopt measures to ensure the security of software throughout its entire lifecycle, from development to deployment and maintenance.
NIST consulted with the National Security Agency (NSA), Office of Management and Budget (OMB), Cybersecurity & Infrastructure Security Agency (CISA), and the Director of National Intelligence (DNI) and then defined “critical software” by June 26, 2021.
Such guidance shall include standards, procedures, or criteria regarding providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website.
Object Model
SBOM generation is a newer approach to software security that provides a comprehensive view of the components and dependencies that make up a software system. SBOMs allow devops companies to see the full picture of their software and understand all the components, including open-source libraries and dependencies, that are used in their software development process. This information is critical for devops companies to have, as it allows them to stay on top of security vulnerabilities and take the necessary measures to keep their software secure.
The main advantage of SBOM generation over vulnerability scanners is that SBOMs provide a real-time view of software components and dependencies, while vulnerability scanners only provide information about known vulnerabilities.
One practical example of a SBOM generation tool is Trivy, an open-source vulnerability scanner for container images and runtime environments. It detects vulnerabilities in real-time and integrates with the CI/CD pipeline, making it an effective tool for devops companies.
Another example is Anchore Grype, a cloud-based SBOM generation tool that provides real-time visibility into software components and dependencies, making it easier for devops companies to stay on top of security vulnerabilities.
Finally, Dependency Track is another great tool by OWASP that allows organizations to identify and reduce risk in the software supply chain. The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software through community-led open-source software projects.
The main features of Dependency Track include:
Continuous component tracking: Dependency Track tracks changes to software components and dependencies in real-time, ensuring up-to-date security information.
Vulnerability Management: The tool integrates with leading vulnerability databases, including the National Vulnerability Database (NVD), to provide accurate and up-to-date information on known vulnerabilities.
Policy enforcement: Dependency Track enables organizations to create custom policies to enforce specific security requirements and automate the enforcement of these policies.
Component Intelligence: The tool provides detailed information on components and dependencies, including licenses, licenses and age, and other relevant information.
Integration with DevOps tools: Dependency Track integrates with popular DevOps tools, such as Jenkins and GitHub, to provide a seamless experience for devops teams.
Reporting and Dashboards: Dependency Track provides customizable reports and dashboards to help organizations visualize their software components and dependencies, and identify potential security risks.
Here we’re going to see together how to solve a bugged Kubernetes architecture, thanks to a nice KodeKloud challenge, where:
The persistent volume claim can’t be bound to the persistent volume
Load the ‘AppArmor` profile called ‘custom-nginx’ and ensure it is enforced.
The deployment alpha-xyz use an insecure image and needs to mount the ‘data volume’.
‘alpha-svc’ should be exposed on ‘port: 80’ and ‘targetPort: 80’ as ClusterIP
Create a NetworkPolicy called ‘restrict-inbound’ in the ‘alpha’ namespace. Policy Type = ‘Ingress’. Inbound access only allowed from the pod called ‘middleware’ with label ‘app=middleware’. Inbound access only allowed to TCP port 80 on pods matching the policy
‘external’ pod should NOT be able to connect to ‘alpha-svc’ on port 80
1 Persistent Volume Claim
So first of all we notice the PVC is there but is pending, so let’s look into it
One of the first differences we notice is the kind of access which is ReadWriteOnce on the PVC while ReadWriteMany on the PV.
Also we want to check if that storage is present on the cluster.
Let’s fix that creating a local-storage resource:
Get the PVC YAML, delete the extra lines and modify access mode:
For this exercise the permitted images are: ‘nginx:alpine’, ‘bitnami/nginx’, ‘nginx:1.13’, ‘nginx:1.17’, ‘nginx:1.16’and ‘nginx:1.14’. We use ‘trivy‘ to find the image with the least number of ‘CRITICAL’ vulnerabilities.
My goal is to call a service on an AKS cluster (aks1/US) from a pod on a second AKS cluster (aks2/EU). These clusters will be on different regions and should communicate over a private network.
Above you can see a schema of the two possible ending architectures. ExternalName or ExternalIP service on the US AKS pointing to a private EU ingress controller IP.
So, after some reading and some video listening, it seemed for me that the best option was to use an externalName service on AKS2 calling a service defined in a custom private DNS zone (ecommerce.private.eu.dev), being these two VNets peered before.
Address space for aks services:
dev-vnet 10.0.0.0/14
=======================================
dev-test1-aks v1.22.4 - 1 node
dev-test1-vnet 11.0.0.0/16
=======================================
dev-test2-aks v1.22.4 - 1 node
dev-test2-vnet 11.1.0.0/16
After some trials I can get connectivity between pods networks but I was never able to reach the service network from the other cluster.
I don’t have any active firewall
I’ve peered all three networks: dev-test1-vnet, dev-test2-vnet, dev-vnet (services CIDR)
I’ve create a Private DNS zones private.eu.dev where I’ve put the “ecommerce” A record (10.0.129.155) that should be resolved by the externalName service