Github Actions provide the ability to define a build workflow, and for projects that are building an OCI (Docker) image, there are custom actions available for running the Trivy container security scanner. In this article, I will show you how to modify your GitHub Action to run the Trivy security scanner against your image, and … Github: security scanning built into GitHub Actions image build
GitLab Pipelines provide the ability to define a build workflow, and for projects that are building an OCI (Docker) image, there is a convenient method for doing container security scanning as part of the build process. Include Container Scanning As described in the official documentation, add the following include to your .gitlab-ci.yml pipeline definition. include: … GitLab: security scanning built into GitLab Pipelines image build
Trivy is an open-source tool that can scan your containers and produce reports on known critical issues at the binary and OS package level. In this article, I will describe how to scan images directly from your local Debian/Ubuntu machine, whether you built the image locally or pulled it down remotely. Installation on Debian/Ubuntu Per … Kubernetes: Trivy for container scanning from CLI
HashiCorp Vault is a secret and encryption management system that allows your organization to secure sensitive information such as API keys, certificates, and passwords. It has tight integrations with Kubernetes that allows containers to fetch secrets without requiring hardcoding them into environment variables, files, or external services. The official docs already provide usage scenarios, so … Vault: HashiCorp Vault deployed into Kubernetes cluster for secret management
The Spring Security framework provides a robust and customizable framework for authentication and authorization for Spring based applications. Using Spring Security, a Spring developer can add OIDC authentication and OAuth2 protection of resources by including the libraries in the build, configuring the Spring application.yml, and enabling various component configurations and annotations. In this article, I … Java: Spring Security OAuth2/OIDC protecting Client App and Resource Server
If you currently store sensitive credentials in plaintext to automate scripting or integration to other systems, you should consider an extra layer of security by storing them encrypted using GPG. There is no fullproof way to hide sensitive information for a service that also needs to decrypt them as part of normal operations (think DVD … Linux: Using GPG encrypted credentials for enhanced security
Having your production servers go through a proxy like Squid for internet access can be an architectural best practice that provides network security as well as caching efficiencies. In a previous article, I showed how you can enforce whitelists for specific domains when using HTTP/HTTPS. Now let’s do the same thing for FTP connections, proxying … Squid: Enabling whitelisted FTP proxying using Squid
The Meltdown vulnerability affects Intel and some ARM (but not AMD) processor chips and can allow unprivileged access to memory in the kernel and other processes. Canonical has committed to kernel patches to address this issue and they are now available from the both the updates and security official Ubuntu repositories. In this article, I’ll step through patching an … Ubuntu: Testing the official released kernel patches for Meltdown CVE-2017-5754
The Meltdown vulnerability affects Intel and some ARM (but not AMD) processor chips and can allow unprivileged access to memory in the kernel and other processes. Canonical has committed to kernel patches to address this issue by January 9, 2018 and the first candidate kernel patches have now been released for Xenial and Trusty LTS. UPDATE Jan 11 … Ubuntu: Testing the first candidate kernel patches for Meltdown CVE-2017-5754
The Meltdown vulnerability affects Intel and some ARM (but not AMD) processor chips and can allow unprivileged access to memory in the kernel and other processes. Canonical has committed to kernel patches to address this issue by January 9, 2018. A paper coming out of Graz University of Technology in Austria and written by Daniel Gruss, Moritz Lipp, Michael … Ubuntu: Testing the KAISER kernel patch for Meltdown CVE-2017-5754
The Meltdown vulnerability affects Intel and some ARM (but not AMD) processor chips and can allow unprivileged access to memory in the kernel and other processes. Canonical has committed to kernel patches to address this issue by January 9, 2018. If you need to check your system, or perhaps have already patched your systems but want to … Ubuntu: Determine system vulnerability for Meltdown CVE-2017-5754
The Spectre vulnerability affects Intel, AMD, and ARM processor chips (each to various degrees) and can allow unprivileged access to memory in the kernel and other processes. Canonical has committed to kernel patches to address this issue by January 9, 2018. If you need to check your system, or perhaps have already patched your systems … Ubuntu: Determine system vulnerability for Spectre CVE-2017-5715 CVE-2017-5753
The Tor project is free software that helps protect your privacy by making it difficult for a 3rd party to analyze your network requests or link your traffic back to your network access point. See the Tor overview page for reasons why this may be important to world citizens, corporations, or specific professions. Simplified, this … Ubuntu: Installing Tor on Ubuntu 14.04 and 16.04
tcpdump comes standard on Ubuntu servers and is an invaluable tool in determining traffic coming in and out of a host. As network infrastructures have become more complex and security conscious, validating network flow from client hosts through potentially multiple proxies and ultimately to a destination host and port has become more important than ever. … Ubuntu: Using tcpdump for analysis of network traffic and port usage
The PingFederate server provides best-in-class Identity Management and SSO. However, due to US laws governing export of cryptography, the default SSL protocols and cipher suites need to be configured to harden the solution. Below are the steps involved with making these post-installation changes.
If you are running an Ubuntu server for any extended period of time, security issues will arise that affect the kernel, distribution, or packages installed on that host. While there is a minimal stability risk with automatically applying security fixes, I feel those are dwarfed by the risks of running hosts that have known security … Ubuntu: Unattended Upgrades for security patches
The Dirty COW vulnerability affects the kernel of most base Ubuntu versions. Especially when running an Ubutu HWE stack, it can be a bit confusing to determine if your kernel and Ubuntu version are affected. If you need to validate patching, then you can use a simple C program to exercise this read-only write vulnerability … Ubuntu: Determine system vulnerability for Dirty COW CVE-2016-5195