Mitigating CVE-2024-3177 & The Importance of Preparedness
Nirmata Blog
by Boris Kurktchiev
1w ago
Although CVE-2024-3177 has a low impact and potentially minimal attack surface, it does highlight the importance of utilizing a policy engine (Kyverno) and a central governing authority (Nirmata Policy Manager) to ensure a firm security stance when inevitably more troublesome issues occur (XZ, Leaky Vessel, Sys:All, Ingress-Controller). Before discussing CVE-2024-3177, let’s define Kyverno: a policy engine specifically designed for Kubernetes. It allows you to define and manage policies as Kubernetes resources, meaning you don’t need to learn a new programming language. These po…
XZ: A Case Study in Open-Source Supply Chain Attacks
Nirmata Blog
by Boris Kurktchiev
2w ago
The recent compromise of the XZ compression library underscores the dangers present within modern software supply chains. This incident emphasizes why vigilance and robust security measures are necessities, particularly when utilizing open-source projects. The incident is a first of its kind and will have ripple effects throughout the community. We will need to look at what changes to the current maintainer accreditation and acceptance practices will prevent the issue in the future. Despite the initial breakdown, this incident highlights the power of open source. The rapid detection o…
Team Nirmata at KubeCon EU 2024: Modern Security for Modern Apps
Nirmata Blog
by Rachna Anuj
1M ago
This year, KubeCon + CloudNativeCon Europe 2024 drew over 12,000 tech enthusiasts from the leading cloud native and open source communities, and celebrated the milestone of Kubernetes’ tenth anniversary. Four days with 223 sessions and 90 CNCF project maintainer-hosted sessions provided valuable insights on the evolution and maturity of cloud native technologies, Kubernetes, platform engineering, supply chains, and security and governance. As the curtains closed on yet another remarkable KubeCon event, our team gathered some valuable insights about state-of-the-art cloud-native software develo…
A Proactive Approach to Address Windows Vulnerability (CVE-2023-5528) with Kyverno
Nirmata Blog
by Sagar Kundral
1M ago
Introduction. Recently, Akamai’s Tomer Peled announced a security threat to Kubernetes clusters, CVE-2023-5528. A user who can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. With a CVSS score of 7.2, this vulnerability presents a critical risk of full cluster compromise on default Kubernetes clusters before version 1.28.4. Assessing Vulnerability Exposure. Organizations employing Kubernetes versions before 1.28.4, particularly those incorporating Windows nodes, are advised to prioritize updates to mitigate this vulner…
Unlocking Innovation: Nirmata at KubeCon EU in Paris
Nirmata Blog
by Rachna Anuj
1M ago
We are very excited to announce that team Nirmata is a Silver sponsor of KubeCon + CloudNativeCon Europe 2024 from March 19-22. Our team is all geared up for this event that promises innovation and collaboration for the future of cloud native technologies. We are eagerly looking forward to the opportunities to engage in insightful conversations with the cloud-native community and showcase what we are building at Nirmata to address challenges related to cloud-native security and governance. Join us for discussions on emerging trends in cloud-native technologies and how it can power…
Preventive Security vs Detection and Response
Nirmata Blog
by Ritesh Patel
1M ago
Preventive security measures and detection and response strategies, particularly in the context of preventing misconfigurations versus runtime security, represent two fundamental approaches in the cybersecurity domain. Each plays a crucial role in an organization’s overall security posture. Below, we compare and contrast these approaches focusing on their application, benefits, limitations, and key differences. Preventive Security: Preventing Misconfigurations. This approach focuses on avoiding security incidents by ensuring correct configurations in code, servers, networks, Kubernetes…
Proactive vs Reactive Security: A Paradigm Shift in Application Security
Nirmata Blog
by Ritesh Patel
2M ago
The shift from reactive to proactive measures marks a significant paradigm change for application security. This transformation is pivotal in the way organizations approach the security of their applications in an increasingly fast-paced and interconnected world. Let’s dive deeper into these concepts to understand their impact on modern application security. Understanding Reactive Security. Reactive security refers to strategies and measures that organizations implement in response to security incidents that have already occurred. This approach typically involves: Incident Response: Reacting…
Securing OpenTofu with Nirmata Powered by Kyverno
Nirmata Blog
by Anusha Hegde
2M ago
As Infrastructure as Code (IaC) continues to gain popularity among DevOps practitioners for its efficiency and scalability, the recent Terraform license ambiguity has prompted the emergence of alternative solutions. OpenTofu, marking its first stable release, enters the scene as a robust IaC tool, providing users with a reliable option for managing and provisioning cloud infrastructure. Whether you are just beginning your journey with OpenTofu or contemplating a migration from other tools, it’s essential to enhance your infrastructure’s security and compliance posture. A key recommendation is…
Locked Doors, Untrusted Keys: Securing Containers in the Wake of Leaky Vessel Vulnerabilities
Nirmata Blog
by Boris Kurktchiev
3M ago
The recent buzz surrounding the actively exploited runc vulnerabilities “Leaky Vessels” (CVE-2024-21626) serves as a timely reminder of two essential container security principles: image trust and comprehensive patching. Let’s delve into why these aspects are crucial for your containerized environments. Trustworthy Images are Foundational: It might seem self-evident, but avoiding untrusted images is paramount. My experience conducting Kubernetes security reviews highlights this as the most frequent pitfall. In the context of the runc vulnerability, pulling an image from an unreliable s…
The Need for Speed: Optimizing Kyverno’s Performance
Nirmata Blog
by Jim Bugwadia
3M ago
This blog post was co-authored by Khaled Emara. About Kyverno. Kyverno is a policy engine designed for Kubernetes and cloud native workloads. Policies can be managed as Kubernetes resources, and no new language is required to write policies. Policy reports and exceptions are also Kubernetes resources. This approach allows using familiar tools such as kubectl, git, and kustomize to manage policies and results. Kyverno policies can validate, mutate, generate, and clean up Kubernetes resources, as well as verify image signatures and artifacts to…