AWS System Manager And The Dangers of Default Permissions

In September of 2018, Amazon Web Services (AWS) announced the addition of the Session Manager to the AWS Systems Manager. The session manager enables shell or remote desktop level access to your AWS EC2 Windows and Linux instances, along with other benefits. This is a great new feature, but care ...

High Severity RunC Vulnerability Exposes Docker And Kubernetes Hosts

Often claimed as a worst-case scenario, a container breakout vulnerability has been discovered in RunC, the universal container runtime used by Docker, Kubernetes and other containerization systems. Further research has discovered that a similar version of the same vulnerability affects the LXC and Apache Mesos packages. Identified as CVE-2019-5736, this ...

Critical Vulnerability Uncovered In Kubernetes

The first major security flaw has been uncovered in Kubernetes, the popular container orchestration system developed by Google. The vulnerability, identified as CVE-2018-1002105, carries a critical CVSS V3 rating of 9.8 due to low attack complexity, requiring no special privileges, and a network attack vector. The vulnerability is triggered when ...

Achieve CIS Compliance in Cloud, Container and DevOps Environments

If you are embracing DevOps, cloud and containers, you may be at risk if you’re not keeping your security methodologies up to date with these new technologies. New security techniques are required in order to keep up with current technology trends, and the Center for Internet Security (CIS) provides free ...

Tripwire Data Collector Increases Operational Technology Visibility With Enhanced Web Scripting Capability

Tripwire Data Collector has been providing industrial organizations with visibility into their operational technology (OT) environments since its release in mid-2018. Data can be gathered and monitored via multiple avenues – not only native industrial protocols, such as EtherNet/IP CIP and Modbus TCP, but also integrations with management applications like ...

Auditing Amazon Machine Images with Tripwire For DevOps

Tripwire For DevOps continues to add new features and capabilities. The newest of these is the ability to perform vulnerability scans against Amazon Machine Images (AMIs) in the same Tripwire For DevOps workflow used for your Docker containers. This blog will discuss the creation of AMIs and how to audit ...

Tripwire For DevOps External Registry And Alert Capability

Although many organizations are shifting security to the left and embracing the integration of security tools into their continuous integration / continuous delivery pipelines, there are others who have different wants and needs. Private Registries One popular use case for Tripwire for DevOps is the scanning of private customer registries ...

Infosecurity Europe Preview: Shifting Left – Integrated Container Security and DevSecOps

There is little doubt that DevOps philosophies have been taking over in many different types of organizations, providing the advantages of faster time to market as well as greater flexibility and resiliency. You’ve probably heard about shifting security to the left or of the need to inject security into each ...

Study: DevOps Servers In The Wild Highlight Infrastructure Security Needs

A mature DevOps practice involves applying multiple tools at different steps of the delivery pipeline, and a new study from IntSights focuses on these tools that may be open to attack on the Internet. Each new tool added to your process can expand your attack surface area – and, in ...

DevSecOps Survey Reveals Heightened Interest In Automated Security

The 5th annual DevSecOps community survey for 2018 from Sonatype reveals heightened interest in DevSecOps practices after the recent surge of high profile breaches as well as highlights security integration statistics among teams with mature DevSecOps workflows. In this blog post, we’ll discuss some of the important findings from the ...