VSHN.timer #27: Security

Welcome to another VSHN.timer! Every Monday, 5 links related to Kubernetes, OpenShift, CI / CD, and DevOps; all stuff coming out of our own chat system, making us think, laugh, or simply work better.

This week we are going to talk about the latest developments in cloud, DevOps, and network security.

1. As computers grow in power and speed, older algorithms become weak and insecure. This is unavoidable in our industry. The latest victim of this process was the SHA-1 cryptographic hash function. Published in 1993, and already considered potentially insecure since 2005, it has finally been broken entirely. As the authors say: all common attacks on the MD5 message digest algorithm now work on SHA-1 as well. You’ve been warned.

https://sha-mbles.github.io/

2. Here at VSHN we’re strong supporters of Open Source, and we have shared lots of code with the community. We know the hard work it takes to release software, including good documentation, tests, keeping dependencies updated and supporting developers who contribute pull requests and raise issues. This collaboration represents, indeed, lots of happiness and lots of stress. But security has become a major issue lately in the Open Source community. Dan Lorenc from Google Cloud raises awareness in an excellent (if somewhat scary) article.

https://medium.com/better-programming/getting-serious-about-open-source-security-1d15609478fa

3. There’s never enough guidance to avoid security catastrophes. The SANS Institute has made freely available a massive poster called "Secure DevOps Toolchain and SWAT Checklist" to print and pin to the walls of your organization. It includes a thorough checklist for securing web application technologies, and lists of activities and checks to perform during development, deployment and maintenance. Couple this with some Docker Security 101 guidelines and you should sleep better at night. Oh, and don’t expose the .ssh folder in your web server. Just don’t.

https://www.sans.org/security-resources/posters/appsec/secure-devops-toolchain-swat-checklist-60

4. And if all the security prevention measures weren’t enough after all… here’s Hannah Culver from Blameless teaching us 5 best practices for postmortems. We’re very sorry!

https://www.blameless.com/5-best-practices-nailing-postmortems/

5. The tool of the week is Kubernetes Secret Decode, a kubectl plugin that shows Kubernetes secrets with their base64-encoded values decoded. Remember that base64 is an encoding, not encryption: anyone who can read the Secret object can read its contents.

https://github.com/ashleyschuett/kubernetes-secret-decode
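As an added illustration (not code from the plugin or from VSHN), here is what such a plugin does under the hood: a small Python function that decodes the `data` map of a Secret manifest, assuming a constructed kubectl-style JSON document. It also handles binary and malformed values, which a plain base64 one-liner would not.

```python
import base64
import binascii
import json

# Constructed sample of what `kubectl get secret demo -o json` returns.
# Values under .data are base64-encoded, NOT encrypted; .stringData is plain
# text and only appears in manifests you write, never in API responses.
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "demo", "namespace": "default"},
    "type": "Opaque",
    "data": {
        "username": "YWRtaW4=",          # "admin"
        "password": "czNjcjN0LXBhc3M=",  # "s3cr3t-pass"
        "tls.key": "AAEC/w==",           # binary: 00 01 02 ff
        "broken": "not*base64!",         # malformed on purpose
    },
    "stringData": {"note": "already plain text"},
})


def decode_secret(manifest: str) -> dict:
    """Return {key: decoded value} for a Secret manifest given as JSON text.
    .data entries are base64-decoded (UTF-8 text as str, binary as labelled hex),
    .stringData entries are returned unchanged, and malformed base64 is reported
    per key instead of aborting, so one bad entry cannot hide the others."""
    obj = json.loads(manifest)
    if obj.get("kind") != "Secret":
        raise ValueError("not a Secret manifest")
    out = {}
    for key, value in (obj.get("data") or {}).items():
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            out[key] = "<invalid base64>"
            continue
        try:
            out[key] = raw.decode("utf-8")
        except UnicodeDecodeError:
            out[key] = "<binary %d bytes: %s>" % (len(raw), raw.hex())
    for key, value in (obj.get("stringData") or {}).items():
        out.setdefault(key, value)  # .data wins if both define the same key
    return out


if __name__ == "__main__":
    for k, v in decode_secret(SAMPLE_SECRET_JSON).items():
        print(f"{k}: {v}")
```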

How do you manage the security of your cloud deployments? Do you have any other tips and tricks to share with the community? Get in touch with us through the form at the bottom of this page, and see you next week for another edition of VSHN.timer.