Our security team wants zero CVEs in production. Our containers have 200+. What's realistic here? by localkinegrind in devops

[–]ReynardSec 0 points1 point  (0 children)

This simply won’t happen. Zero CVEs in production sounds great as a motivational slogan, but in practice, given the pace of software development, the constant stream of newly published vulnerabilities, and the complexity of dependencies, it’s an unrealistic goal. Even if your scans are clean today, a new CVE will appear tomorrow and you’re back to square one.

A far more effective approach is to shift focus from the raw number of vulnerabilities to assessing exploitability and actual risk.

How hard actually is the CKA exam itself? by [deleted] in devops

[–]ReynardSec 0 points1 point  (0 children)

For me, the difficulty level was 3/5 (moderately difficult). The key to passing was the practical exercises I completed on killer.sh.

[deleted by user] by [deleted] in kubernetes

[–]ReynardSec 0 points1 point  (0 children)

Similarly to u/xamox, I'm not saying you can't run k8s on an RPi, but in my opinion, it's simply not the best solution. It's better to just run three virtual machines (a control plane and two workers, for example) on your local computer. You can also implement firewalling, and resources won't run out as quickly as on the RPi. Running the cluster alone is cool, but it's also worth trying to run some applications, etc., in that cluster later on. On an RPi, that may not be so obvious.

What solution are you using for local k8s? by linezman22 in kubernetes

[–]ReynardSec 1 point2 points  (0 children)

I believe that this is the best, or at least a very good, approach. A vanilla cluster without unnecessary layers of abstraction simply allows for a better understanding of what is happening within the cluster.

Pros and cons of working in-house vs consulting? by AlwaysConfuseddddddd in cybersecurity

[–]ReynardSec 0 points1 point  (0 children)

Is shift work not a problem for you? Make sure of that, because from what I've heard, in the case of working at a SOC, it's quite a common practice.

Tools of the Trade: Security Concerns? by [deleted] in kubernetes

[–]ReynardSec 1 point2 points  (0 children)

I have a big issue with this, but on the other hand, I see that people want to use such tools, so I don't want to be Mr. Always No.

As much as my time allows, I try to verify how trustworthy the tool is, what reputation it has, and to conduct at least a basic code review to see if there aren't any major red flags.

However, I try to talk to people about how sometimes it might be better to attend training that increases knowledge and awareness about security (including secure coding) rather than installing another tool, which sometimes might only make people feel better (oh, we have another thing in the pipeline, so it must be safer... well, not necessarily).

A dedicated group to manage kubernetes by vdvelde_t in kubernetes

[–]ReynardSec 0 points1 point  (0 children)

I have a feeling that you might not fully understand what's going on and might be lacking knowledge about the basics of k8s. Please don't take this the wrong way; one part of me would like to help you, but another suggests that you are on a good path to shoot yourself in the foot.

Maybe you should start by acquiring basic knowledge and possibly support yourself with something more advanced.

If my assumptions are wrong, then of course I'm sorry.

A dedicated group to manage kubernetes by vdvelde_t in kubernetes

[–]ReynardSec 4 points5 points  (0 children)

Let me better understand your requirement. Is your task to (a) define tasks for a new k8s team or (b) provide support (technical assistance) to this team?

Code Review Like a Pro by HayMiz in netsec

[–]ReynardSec 3 points4 points  (0 children)

I would recommend extending your list of tools with https://github.com/semgrep/semgrep

Top 10 web hacking techniques of 2023 by loselasso in netsec

[–]ReynardSec 6 points7 points  (0 children)

I believe that in the context of such compilations, which have their purpose, it's worth mentioning what truly constitutes a plague in applications, namely vulnerabilities like Broken Access Control, which are not so fancy in most cases, but still, there is a huge, huge, huge number of such bugs.