Cloud Native Security

Read more

Explore the latest and most comprehensive guide to securing your Cloud Native technology stack
 
Cloud Native Security delivers a detailed study into minimizing the attack surfaces found on today's Cloud Native infrastructure. Throughout the work hands-on examples walk through mitigating threats and the areas of concern that need to be addressed. The book contains the information that professionals need in order to build a diverse mix of the niche knowledge required to harden Cloud Native estates.
 
The book begins with more accessible content about understanding Linux containers and container runtime protection before moving on to more advanced subject matter like advanced attacks on Kubernetes. You'll also learn about:
* Installing and configuring multiple types of DevSecOps tooling in CI/CD pipelines
* Building a forensic logging system that can provide exceptional levels of detail, suited to busy containerized estates
* Securing the most popular container orchestrator, Kubernetes
* Hardening cloud platforms and automating security enforcement in the cloud using sophisticated policies
 
Perfect for DevOps engineers, platform engineers, security professionals and students, Cloud Native Security will earn a place in the libraries of all professionals who wish to improve their understanding of modern security challenges.

List of contents

Introduction xix
 
Part I Container and Orchestrator Security 1
 
Chapter 1 What is a Container? 3
 
Common Misconceptions 4
 
Container Components 6
 
Kernel Capabilities 7
 
Other Containers 13
 
Summary 14
 
Chapter 2 Rootless Runtimes 17
 
Docker Rootless Mode 18
 
Installing Rootless Mode 20
 
Running Rootless Podman 25
 
Setting Up Podman 26
 
Summary 31
 
Chapter 3 Container Runtime Protection 33
 
Running Falco 34
 
Configuring Rules 38
 
Changing Rules 39
 
Macros 41
 
Lists 41
 
Getting Your Priorities Right 41
 
Tagging Rulesets 42
 
Outputting Alerts 42
 
Summary 43
 
Chapter 4 Forensic Logging 45
 
Things to Consider 46
 
Salient Files 47
 
Breaking the Rules 49
 
Key Commands 52
 
The Rules 52
 
Parsing Rules 54
 
Monitoring 58
 
Ordering and Performance 62
 
Summary 63
 
Chapter 5 Kubernetes Vulnerabilities 65
 
Mini Kubernetes 66
 
Options for Using kube-hunter 68
 
Deployment Methods 68
 
Scanning Approaches 69
 
Hunting Modes 69
 
Container Deployment 70
 
Inside Cluster Tests 71
 
Minikube vs. kube-hunter 74
 
Getting a List of Tests 76
 
Summary 77
 
Chapter 6 Container Image CVEs 79
 
Understanding CVEs 80
 
Trivy 82
 
Getting Started 83
 
Exploring Anchore 88
 
Clair 96
 
Secure Registries 97
 
Summary 101
 
Part II DevSecOps Tooling 103
 
Chapter 7 Baseline Scanning (or, Zap Your Apps) 105
 
Where to Find ZAP 106
 
Baseline Scanning 107
 
Scanning Nmap's Host 113
 
Adding Regular Expressions 114
 
Summary 116
 
Chapter 8 Codifying Security 117
 
Security Tooling 117
 
Installation 118
 
Simple Tests 122
 
Example Attack Files 124
 
Summary 127
 
Chapter 9 Kubernetes Compliance 129
 
Mini Kubernetes 130
 
Using kube-bench 133
 
Troubleshooting 138
 
Automation 139
 
Summary 140
 
Chapter 10 Securing Your Git Repositories 141
 
Things to Consider 142
 
Installing and Running Gitleaks 144
 
Installing and Running GitRob 149
 
Summary 151
 
Chapter 11 Automated Host Security 153
 
Machine Images 155
 
Idempotency 156
 
Secure Shell Example 158
 
Kernel Changes 162
 
Summary 163
 
Chapter 12 Server Scanning With Nikto 165
 
Things to Consider 165
 
Installation 166
 
Scanning a Second Host 170
 
Running Options 171
 
Command-Line Options 172
 
Evasion Techniques 172
 
The Main Nikto Configuration File 175
 
Summary 176
 
Part III Cloud Security 177
 
Chapter 13 Monitoring Cloud Operations 179
 
Host Dashboarding with NetData 180
 
Installing Netdata 180
 
Host Installation 180
 
Container Installation 183
 
Collectors 186
 
Uninstalling Host Packages 186
 
Cloud Platform Interrogation with Komiser 186
 
Installation Options 190
 
Summary 191
 
Chapter 14 Cloud Guardianship 193
 
Installing Cloud Custodian 193
 
Wrapper Installation 194
 
Python Installation 195
 
EC2 Interaction 196
 
More Complex Policies 201
 
IAM Policies 202
&

About the author

CHRIS BINNIE is a Technical Consultant who has worked for almost 25 years with critical Linux systems in banking and government, both on-premise and in the cloud. He has written two Linux books, has written for Linux and ADMIN magazines and has five years of experience in DevOps security consultancy roles.
RORY MCCUNE has over 20 years of experience in the Information and IT security arenas. His professional focus is on container, cloud, and application security and he is an author of the CIS Benchmarks for Docker and Kubernetes and has authored and delivered container security training at conferences around the world.

Summary

Explore the latest and most comprehensive guide to securing your Cloud Native technology stack

Cloud Native Security delivers a detailed study into minimizing the attack surfaces found on today's Cloud Native infrastructure. Throughout the work hands-on examples walk through mitigating threats and the areas of concern that need to be addressed. The book contains the information that professionals need in order to build a diverse mix of the niche knowledge required to harden Cloud Native estates.

The book begins with more accessible content about understanding Linux containers and container runtime protection before moving on to more advanced subject matter like advanced attacks on Kubernetes. You'll also learn about:
* Installing and configuring multiple types of DevSecOps tooling in CI/CD pipelines
* Building a forensic logging system that can provide exceptional levels of detail, suited to busy containerized estates
* Securing the most popular container orchestrator, Kubernetes
* Hardening cloud platforms and automating security enforcement in the cloud using sophisticated policies

Perfect for DevOps engineers, platform engineers, security professionals and students, Cloud Native Security will earn a place in the libraries of all professionals who wish to improve their understanding of modern security challenges.