Scanning images running in k8s? It's easy if you do it smart.
Our first article was about eliminating the vulnerability mess using proper testing; you can find it here. There you will find a lot of useful information about testing and the two different approaches applied, Traditional and "Shift left". To describe this in the most convenient way, we use some real-case examples. We would like to continue in this way, and because we know that you are not always able to scan images before they are used or running, we will focus on this case now. We also realized over time that something was missing from our previous article. We identified what that "something" represents and decided to add it in this article, which can be considered a free continuation of the previous one.
Let's start by setting the scene: we will use Kubernetes (k8s) as the environment where our service(s) are deployed and run. Every service or application that runs on top of k8s consists of multiple containers, which are grouped into objects named pods. To eliminate vulnerabilities within the services we provide, we would like to discover vulnerabilities not only at the "supply chain" level but also in our containers, or more precisely in the images from which the containers of our currently running services are instantiated. This is possible using appropriate scans. That is exactly where SafeSCARF can help: it can periodically scan k8s clusters and put the results into a single place for further notifications and analysis.
Eliminate Vulnerability Mess With Proper Testing
All security specialists nowadays are fully occupied by the Log4j "vulnerability", which can potentially have a huge business impact. We try to use this as an opportunity for our blog post to show you the difference between the traditional security approach and shifting security left. So, as most of you already know, the latest series of vulnerabilities with huge impact all around the world was in the Log4j Java logging component. The Log4Shell vulnerability has a "basic" CVSS score of 10, while the "temporal" score changes every day as the exploit becomes more mature, so the levels of remediation also change from bad to good and vice versa (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105). We are sure that no one wants to have a vulnerability like this on their systems. Engineers from all around the world are using all their power to discover which of the systems they own are vulnerable to Log4Shell. We can just mention some of the tools that are currently in use to discover this kind of vulnerability, like network scanners (OpenVAS, Nmap, Nexpose, Nessus, etc.), image scanners (Trivy, Anchore, Xray, Clair, etc.), dependency scanners, and all the other scanners that are currently available. This vulnerability easily shows how something that is not considered a critical component can be the vector for "bad guys" to ruin our Christmas, rest time, etc. Therefore, we should improve our vulnerability management program. Let's do it; we will try to show you how.
CDPA - why sometimes a yes and sometimes a no?
We have all heard about GDPR many times and about its implications for our daily business. Sometimes this abbreviation drives us crazy because it brings us more issues than solutions. But it is not always so bad…
Among other things, GDPR brought to our attention so-called data processing agreements, or, as they are known in our organization, commissioned data processing agreements (abbreviated "CDPA"). CDPA has been with us for quite a long time, but only after GDPR did many people start to focus more on it.
Freelancer or an employee – does it even matter?
The answer to this question is very straightforward: yes. Now, you may ask "Why?". Simply because, based on the type of relationship, the parties may have different rights and obligations. When we are talking about an employer-employee relationship, we need to look at labor law, while in the case of a company-freelancer relationship, commercial law will be relevant.
As you may know, the law regulating these matters differs from country to country.
High availability in the Cloud: Legacy cloud application design
This is a continuation of the previous blog post High availability in the Cloud: Pan-Net Cloud concepts. Here, we focus on VM-based (legacy) deployed applications.
In this context, we talk about the physical architecture of the application, leaving out the logical architecture as it does not directly map to infrastructure objects. So, when designing the physical architecture of the application, architects incorporate the concepts of fault tolerance and resiliency right from the beginning.
Squeezing the most out of argparse
In this post, I would like to argue that Python’s argparse is often the right tool for the job, and you do not need to install additional CLI argument parsers. The straightforward reason to choose it might be that you want to write a simple script that you pass to your colleagues, and you do not want to bother them with the installation of dependencies. You want to make it as portable as possible.
High availability in the Cloud: Pan-Net Cloud concepts
High availability is one of the most essential and desirable metrics for all cloud services. Pan-Net's activities are focused on the development, delivery, and operation of clouds and cloud applications for external and internal customers. This means that the topics of high availability and fault tolerance are relevant for absolutely all areas of our activity, from internal development to large-scale vendor software solutions deployed on Pan-Net infrastructure.
The consistency of an application's technical design with the high availability concepts of the infrastructure is a factor directly affecting the availability indicators of the final system.
New Boron cloud release from Pan-Net up and running in Salzburg and Vienna!
We are happy to announce that we have successfully upgraded our cloud in Bijelo Polje, Podgorica, Budapest and Salzburg to Boron and deployed a new Boron datacenter in Vienna, so we have production applications already successfully running on the new infrastructure version!
Boron is a new Common Infrastructure Team (CIT) cloud release from Pan-Net, designed for both IT and NT workloads – dedicated compute with carrier grade acceleration for NT and cost-effective scalable shared compute for IT.
Public Cloud for Telco Applications - A Sales Guide
How to sell public cloud for Telco applications? Over the past year, the focus of hyperscalers (AWS, Google, Microsoft) on cloud solutions for core Telco applications has intensified. This has many reasons: Telco application suppliers are in the process of re-designing their software towards a more cloud-native architecture, driven for example by new 5G stand-alone (SA) core software releases. Furthermore, edge cloud is becoming more relevant, and the disaggregation of applications and platform will also happen at the edge with initiatives like O-RAN.
Hygiene in identity and access management
As all complex systems need to maintain a certain level of sustainability, transparency and cleanliness, we at IAM care about these buzzwords quite a lot. Furthermore, we try to put them into practice as well. Why is this theme so important to us? What do we mean by system hygiene? I'll try to explain in this article. I wrote about IAM, IDM and IGA in my last article, in case you need to refresh your memory on which field of security I'm talking about.