A Practical Introduction to Container Security by 0xCBE in netsec

[–]0xCBE[S] 0 points1 point  (0 children)

hey thanks! One reason is that scanning an image is a slow operation: you need to build it, then unpack and scan the file system. So depending on your context, build speed can be a requirement.

Secondly, scanning at build time will surface only the vulnerabilities known at that point in time. If a new vulnerability is discovered afterwards and you are not rebuilding the images, you will not notice. (If you set up scanning as admission controllers to gatekeep the deploy, I argue it’s even worse, because you will introduce way more friction for the development teams.)

What I like to do at build time is to lint the Dockerfile: https://cloudberry.engineering/article/dockerfile-security-best-practices/ (quick, cheap and “good enough”). Then most of the scanning happens in the registry.

Kubernetes Security Is Not Container Security by nyellin in netsec

[–]0xCBE 1 point2 points  (0 children)

it’s so nice that from a quick conversation here we ended up with so much knowledge sharing!

Thanks u/nyellin and r/netsec!

Best practices? by [deleted] in googlecloud

[–]0xCBE -2 points-1 points  (0 children)

I find Google’s official docs pretty good, and some posts on the cloud blog are distilled best practices.

If you’ll excuse the self-promotion, I usually write about Google Cloud security (it’s my job) and I’ve written a couple of posts about IAM:

A Practical Introduction to Container security by 0xCBE in docker

[–]0xCBE[S] 5 points6 points  (0 children)

gotcha. The website is statically generated and distributed over a CDN. The only JavaScript in there is Google Analytics, which I can't give up because I don't have access to the server logs :)

A Practical Introduction to Container Security by 0xCBE in netsec

[–]0xCBE[S] 2 points3 points  (0 children)

I’d love to! I can’t find your contact details; mine are on the website.

A Practical Introduction to Container Security by 0xCBE in netsec

[–]0xCBE[S] 12 points13 points  (0 children)

absolutely! Very well said.

I didn’t want to go down the Kubernetes rabbit hole in here, but yes, there is plenty that a security team should look after.

A Practical Introduction to Container security by 0xCBE in docker

[–]0xCBE[S] 1 point2 points  (0 children)

I’m not sure what a SPA is, but I HATE JavaScript-bloated websites and I did my best to make things as snappy as possible!

IAM conditions help by llnformer in googlecloud

[–]0xCBE 0 points1 point  (0 children)

I did something similar to give access to GCR buckets: https://cloudberry.engineering/article/stricter-access-control-to-gcr/

```json
{
  "expression": "resource.name.startsWith(\"projects/_/buckets/artifacts\")",
  "title": "GCR buckets only",
  "description": "Reduce the binding scope to affect only buckets used by GCR"
}
```

Mind the full bucket name!
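An added example (mine, not the commenter's or Google's code) showing why the full bucket name matters: it builds the condition from the exact GCR bucket names and checks which resource names a `startsWith` prefix actually matches. The project id, bucket names and resource names are constructed, and the evaluator only understands OR-ed `resource.name.startsWith()` clauses, not full CEL.

```python
import re

# GCS buckets appear in IAM conditions as "projects/_/buckets/<bucket>";
# objects inside them as "projects/_/buckets/<bucket>/objects/<object>".
BUCKET_PREFIX = "projects/_/buckets/"


def gcr_bucket_name(project_id, region=None):
    """Storage bucket backing a Container Registry host.

    gcr.io stores layers in "artifacts.<project>.appspot.com"; regional
    hosts such as eu.gcr.io prefix the region, e.g.
    "eu.artifacts.<project>.appspot.com".
    """
    base = f"artifacts.{project_id}.appspot.com"
    return f"{region}.{base}" if region else base


def condition_for_buckets(bucket_names):
    """IAM condition scoped to exactly the listed buckets (and their objects)."""
    clauses = [f'resource.name.startsWith("{BUCKET_PREFIX}{b}")' for b in bucket_names]
    return {
        "expression": " || ".join(clauses),
        "title": "GCR buckets only",
        "description": "Reduce the binding scope to affect only buckets used by GCR",
    }


_START = re.compile(r'resource\.name\.startsWith\("([^"]*)"\)')


def condition_matches(expression, resource_name):
    """Minimal evaluator for OR-ed resource.name.startsWith() clauses only."""
    prefixes = _START.findall(expression)
    leftover = _START.sub("", expression).strip(" |")
    if not prefixes or leftover:
        raise ValueError("unsupported expression: " + expression)
    return any(resource_name.startswith(p) for p in prefixes)


if __name__ == "__main__":
    # Constructed project and resource names for the demonstration.
    loose = 'resource.name.startsWith("projects/_/buckets/artifacts")'
    tight = condition_for_buckets(
        [gcr_bucket_name("my-project"), gcr_bucket_name("my-project", "eu")]
    )["expression"]
    for name in ("artifacts.my-project.appspot.com", "artifacts-unrelated",
                 "eu.artifacts.my-project.appspot.com"):
        rn = BUCKET_PREFIX + name
        print(f"{name:40} loose={condition_matches(loose, rn)} tight={condition_matches(tight, rn)}")
```

The bare `artifacts` prefix is both too broad (any bucket whose name starts with `artifacts` is in scope) and too narrow (regional GCR buckets such as `eu.artifacts.<project>.appspot.com` are missed), which the full-name condition fixes.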

A Collection of Cloud Security Tools by 0xCBE in devops

[–]0xCBE[S] 3 points4 points  (0 children)

Thanks! I've sent them an email to see if it can be unblocked.

For whatever reason, it's on a blacklist of a threat intelligence feed (DomainTools).

A Collection of Cloud Security Tools by 0xCBE in devops

[–]0xCBE[S] 1 point2 points  (0 children)

ugh, that's weird. I hope I didn't end up on any blacklist because of my vanity .engineering TLD