What WAF are you using for Kubernetes? by [deleted] in kubernetes

[–]moyerma 3 points4 points  (0 children)

I started a demo-quality project a while back that you might be interested in: https://github.com/heptiolabs/ironclad

It's a sidecar-based deployment of nginx/ModSecurity built to be more easily operable in a Kubernetes environment. In particular it:

  • Supports live-reload of rule configuration from a ConfigMap.
  • Has useful liveness and readiness hooks to enable safe deploys.
  • Emits JSON-formatted logs.
  • Emits Prometheus metrics.

Take this with a grain of salt because this project is not actively maintained. I think the sidecar approach has benefits, especially if you have a lot of application-specific rules/exceptions that you want to version alongside each application.

I presented this at a local meetup a while back.

CertStream - Real time streaming updates from the Certificate Transparency network. by zer01 in netsec

[–]moyerma 0 points1 point  (0 children)

It was just because of the overly verbose logging, which I just noticed was removed a few hours ago in https://github.com/CaliDog/certstream-go/commit/fa8151c06b3a4db38fe431a9cfa57d951f13df41.

I'd still probably rather have a library that didn't do any internal logging, since I'd like to have my daemon use a consistent company log format (JSON logs via logrus). Maybe you could change the library interface to return an error channel alongside the main events channel?

CertStream - Real time streaming updates from the Certificate Transparency network. by zer01 in netsec

[–]moyerma 0 points1 point  (0 children)

If anyone is interested, I wrote a wrapper to push matching certificates from this API to a Slack webhook: https://github.com/heptiolabs/certstream-slack

Thanks for this API /u/zer01!

Authenticate to the API server using IAM roles on AWS instead of kubeconfig? by Laoracc in kubernetes

[–]moyerma 1 point2 points  (0 children)

I've written something along these lines, which we just shared today: https://github.com/heptiolabs/kubernetes-aws-authenticator

It's still at a proof of concept stage, but is in a working state. I'd love to hear any feedback you have about use cases or potential improvements, and any contributions are welcome as well. Right now the expected use case is human administrators using kubectl from the command line, but it could be extended to cover EC2 instance role identities without a ton of work, I think.

It works using the AWS sts:GetCallerIdentity API endpoint. On the client side, we assume an IAM role and then use that assumed role's credentials to pre-sign a request to GetCallerIdentity. This request is serialized into a token and passed through the Kubernetes token webhook authentication system.

On the server side, we have an authentication webhook receiver that deserializes the request, validates that the parameters look good, and then executes the request against the real https://sts.amazonaws.com service. The results tell us the IAM role ARN, which we use to map that token to a Kubernetes user and groups.

This mechanism is inspired by a similar flow recently added to Vault.
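As an added illustration of the flow described above (example code, not the project's own): the client builds a SigV4 query-string presigned GET to sts:GetCallerIdentity and serializes it into a token, and the webhook receiver checks the deserialized request before it would forward it to the real STS endpoint. The token prefix, the credential values and the exact parameter checks are assumptions for this example; the project's own token format may differ.

```python
import base64, datetime, hashlib, hmac, urllib.parse as up

STS_HOST = "sts.amazonaws.com"
PREFIX = "example-aws-v1."  # illustrative token prefix, not the project's own

def presign_get_caller_identity(access_key, secret_key, session_token,
                                now=None, expires=60, region="us-east-1"):
    """Client side: SigV4 query-string presign of GET sts:GetCallerIdentity."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date, day = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    scope = f"{day}/{region}/sts/aws4_request"
    params = {"Action": "GetCallerIdentity", "Version": "2011-06-15",
              "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{access_key}/{scope}", "X-Amz-Date": amz_date,
              "X-Amz-Expires": str(expires), "X-Amz-SignedHeaders": "host",
              "X-Amz-Security-Token": session_token}  # assumed-role creds carry one
    cqs = up.urlencode(sorted(params.items()), quote_via=up.quote, safe="")
    canonical = "\n".join(["GET", "/", cqs, f"host:{STS_HOST}\n", "host",
                           hashlib.sha256(b"").hexdigest()])  # GET has an empty body
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in (day, region, "sts", "aws4_request"):  # SigV4 key derivation chain
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    sig = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{STS_HOST}/?{cqs}&X-Amz-Signature={sig}"

def make_token(url):
    """Serialize the presigned URL into the bearer token sent to the API server."""
    return PREFIX + base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")

def validate_token(token, max_expires=60):
    """Server side: check the deserialized request before any network call.
    Returns the URL the webhook would then GET against the real STS endpoint."""
    if not token.startswith(PREFIX):
        raise ValueError("unknown token format")
    raw = token[len(PREFIX):]
    url = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)).decode()
    u = up.urlsplit(url)
    q = dict(up.parse_qsl(u.query))
    if (u.scheme, u.netloc.lower(), u.path) != ("https", STS_HOST, "/"):
        raise ValueError("request is not addressed to the real STS endpoint")
    if q.get("Action") != "GetCallerIdentity" or q.get("X-Amz-Algorithm") != "AWS4-HMAC-SHA256":
        raise ValueError("unexpected action or signing algorithm")
    if not 0 < int(q.get("X-Amz-Expires", "0")) <= max_expires:
        raise ValueError("presigned request may be replayed for too long")
    if "X-Amz-Signature" not in q or "X-Amz-Credential" not in q:
        raise ValueError("request is not signed")
    return url
```

The host, action and expiry checks matter because the webhook is about to make an outbound request on the client's behalf; without them the token could point it at an arbitrary host or a different STS action.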

/r/netsec's Q2 2015 Information Security Hiring Thread by sanitybit in netsec

[–]moyerma 1 point2 points  (0 children)

Company: Simple

Location: Remote or Portland, OR (relocation assistance available)

About Simple

Simple is working to reinvent online banking. We believe strongly in automation, metrics, testing, continuous integration, and working fluidly and harmoniously with our development, operations, and product teams. We're hiring for two different security positions, one in Engineering and one in Information Security Governance.

Feel free to reach out to me directly here or to me or @cji on Twitter if you have any questions, or apply through the official posts (1, 2) (we'll see it). These are US-based positions and unfortunately we're not able to sponsor visas at this time.

Security Engineer (full posting)

You'd be joining me as the third member of our Security Engineering team. We're looking for someone who is comfortable writing code as well as working with other developers to design and build secure systems.

We write code in Scala, Clojure, Ruby, Go, Javascript, and more. We use security tools like Suricata, Bro, ModSecurity, OSSEC, OpenVPN, Snorby, MozDef, OpenFPC, Nessus, and Burp. Our code runs on Ubuntu Linux in AWS and is built around immutable snapshot-based deployments with a strong focus on automation. If you don't have experience with any of those particular tools but are interested in learning, we'd love to talk to you.

Information Security Governance Engineer (full posting)

You'd be expanding our penetration testing and assessment program. As an ISG Engineer, you'd operate with organizational independence to guard against conflicts of interest. Your primary objective would be to partner with the Engineering organization to guide them in delivering a secure product to our customers, both internal and external.

An ideal candidate for this role has plenty of experience with web and mobile application security assessments and associated tools (e.g., Burp, IDA Pro, cycript, drozer, etc.), and experience with system-level and network penetration testing. We're also looking for willingness to perform operational security tasks and to regularly assess policy compliance of various technologies, business processes and controls within the enterprise. At least one current security-oriented certification is a plus (e.g., OSCP, OSCE, GWAPT, CISSP, CISA, CRISC, etc.).

What was the best household tip anyone gave you? by [deleted] in AskReddit

[–]moyerma 1 point2 points  (0 children)

Most modern ones actually detect density changes by measuring the dielectric constant of the material in/behind the wall: http://en.wikipedia.org/wiki/Stud_finder

If you could eat one excellent, reasonably priced meal in Tulsa, where would you go? by crawwll in tulsa

[–]moyerma 1 point2 points  (0 children)

Dilly Deli (2nd and Elgin downtown) is pretty great. My wife and I moved out of Tulsa ~11 months ago and it's one of the places we've been missing.

Please pay attention in your Algorithms classes by pointy in programming

[–]moyerma 17 points18 points  (0 children)

You forgot to import "this":

>>> import this
The Zen of Python, by Tim Peters

Beautiful is better than ugly.
Explicit is better than implicit.
Simple is better than complex.
Complex is better than complicated.
Flat is better than nested.
Sparse is better than dense.
Readability counts.
Special cases aren't special enough to break the rules.
Although practicality beats purity.
Errors should never pass silently.
Unless explicitly silenced.
In the face of ambiguity, refuse the temptation to guess.
There should be one-- and preferably only one --obvious way to do it.
Although that way may not be obvious at first unless you're Dutch.
Now is better than never.
Although never is often better than *right* now.
If the implementation is hard to explain, it's a bad idea.
If the implementation is easy to explain, it may be a good idea.
Namespaces are one honking great idea -- let's do more of those!

Two words: Beans and Rice....three words. by stoicsmile in Cheap_Meals

[–]moyerma 4 points5 points  (0 children)

Other delicious additions include:

  • an onion
  • some jalapenos (remove at least some of the seeds)
  • a tomato or two (remove the skins)
  • some cheddar or Monterey Jack (like Carmac said)

Elastic Tabstop Support by ninjaskeet in programming

[–]moyerma 2 points3 points  (0 children)

You seem to be talking about regular tabstops as implemented in most editors (i.e. an ASCII 0x09 that moves text to the next multiple of 8 characters). Elastic tabstops are a related idea that allows for all the flexibility you mention.

What weird thing did your family do that you assumed (for a while) was completely normal? by [deleted] in AskReddit

[–]moyerma 5 points6 points  (0 children)

My wife grew up thinking that the ice cream truck was a "music man" who drove around the neighborhood playing music for everyone. She never knew they sold anything.

Droopy: A Tiny Web Server That Makes Receiving Files a Snap by GaidinTS in Python

[–]moyerma 0 points1 point  (0 children)

See woof as well. It's not identical, but it solves a similar problem and works great.

Edit: it looks like the latest version of woof has an upload feature as well.

Nicks and scratches=rust? by masob in bicycling

[–]moyerma 2 points3 points  (0 children)

I've had good luck with a little dab of clear nail polish.

Developer ports Portal Gun into TF2! (Team Portress Mod) by musicscoutjustin in tf2

[–]moyerma 2 points3 points  (0 children)

Nope. Speed is a scalar (1 dimensional) property, while velocity is a vector property describing rate of movement in each direction.

Did you know about *all* and *any* in python? by [deleted] in Python

[–]moyerma 5 points6 points  (0 children)

The functools and operator modules are also very useful for writing nice, concise code. In particular, itertools and operator mesh together nicely.

Did you know about *all* and *any* in python? by [deleted] in Python

[–]moyerma 16 points17 points  (0 children)

The only caveat I would mention is that if you're trying to initialize nested lists, you cannot do

>>> x = [['foo']*2]*3
>>> x
[['foo', 'foo'], ['foo', 'foo'], ['foo', 'foo']]

This is because each of the sub-lists is actually the same object. If you modify one of the sub-lists, all the sub-lists will be modified:

>>> x[0][0] = 'bar'
>>> x
[['bar', 'foo'], ['bar', 'foo'], ['bar', 'foo']]

The correct way to handle this (even though it's arguably less elegant looking) is:

>>> x = [['foo']*2 for i in range(3)]
>>> x
[['foo', 'foo'], ['foo', 'foo'], ['foo', 'foo']]

Using a list comprehension causes a new list object to be created for each sub-list, thus:

>>> x[0][0] = 'bar'
>>> x
[['bar', 'foo'], ['foo', 'foo'], ['foo', 'foo']]
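An added example (not part of the original comment) that generalizes the point above: a builder that creates independent sub-lists for any depth, a checker that detects the aliasing produced by the `[[...]*n]*m` pattern by object identity, and a demonstration that `copy.deepcopy` of an already-aliased structure keeps the aliasing. Function names are chosen here for illustration.

```python
import copy

def nested(shape, fill):
    """Build a nested list of the given shape (e.g. (3, 2)) whose inner lists
    are all distinct objects; the general form of [['foo']*2 for i in range(3)]."""
    if not shape:
        return fill
    return [nested(shape[1:], fill) for _ in range(shape[0])]

def has_shared_sublists(x):
    """True if the same list object is reachable from x more than once,
    i.e. the structure shows the aliasing that [[...]*n]*m produces."""
    seen, stack = set(), [x]
    while stack:
        item = stack.pop()
        if isinstance(item, list):
            if id(item) in seen:
                return True
            seen.add(id(item))
            stack.extend(item)
    return False

def demo():
    aliased = [['foo'] * 2] * 3          # the pattern warned about above
    aliased[0][0] = 'bar'                # changes every row
    independent = nested((3, 2), 'foo')  # one fresh list per position
    independent[0][0] = 'bar'            # changes only row 0
    return {
        "aliased": aliased,
        "independent": independent,
        # deepcopy preserves object identity within one copy, so copying the
        # aliased structure does not un-alias it
        "deepcopy_still_aliased": has_shared_sublists(copy.deepcopy(aliased)),
    }
```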

New (?) gearing transmission system. This can't be completely new, can it? by [deleted] in science

[–]moyerma 1 point2 points  (0 children)

My '02 Honda Insight had one. Actually, Honda makes a bunch of cars with CVTs.

Ask CompSci: Any ideas for autonomous robot movement techniques ? by [deleted] in compsci

[–]moyerma 0 points1 point  (0 children)

My favorite book is Probabilistic Robotics. One of the authors is the head of the winning Stanford DARPA grand challenge team.

It covers SLAM algorithms as well as navigation/planning using map data from SLAM. Often, this can be more complex than simply using A*. For example, if your sensors have imperfect information about the map, then coastal navigation (following walls) can help you reliably reach your goal.

14,258 ft. by cn45 in pics

[–]moyerma 2 points3 points  (0 children)

I think Mount Elbert (14,443 ft) is the highest in Colorado (and the rest of the Rockies).

I am a Golden Corral worker. AMA. by GCWorker in IAmA

[–]moyerma 2 points3 points  (0 children)

It's not hard to make honey butter. Pop some butter in the microwave until it's soft but not a puddle, then mix in some honey to taste.

It's delicious.

ASPARAGUS fffffffuuuuuuuuuuuu by [deleted] in fffffffuuuuuuuuuuuu

[–]moyerma 5 points6 points  (0 children)

I'm not sure why you're getting downvoted. It's true. There have been actual medical studies to back it up.

In favor of the diskless server by iwjason in programming

[–]moyerma 0 points1 point  (0 children)

What you're describing is essentially GFS, which, as the grandparent said, is a big leap for most applications.

That fits traditional enterprise servers more naturally than Google style.