www.secnews.physaphae.fr This is the RSS 2.0 feed from www.secnews.physaphae.fr. It's a simple aggregated feed of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr. 2024-06-01T23:06:27+00:00 www.secnews.physaphae.fr Wired Threat Level - Security News Gig Workers Gather Data to Check the Algorithm's Math 2021-02-24T12:00:00+00:00 https://www.wired.com/story/gig-workers-gather-data-check-algorithm-math www.secnews.physaphae.fr/article.php?IdArticle=2392082 False None Uber None Wired Threat Level - Security News The UK Is the Latest Country to Tighten the Screws on Uber 2021-02-19T22:17:48+00:00 https://www.wired.com/story/uk-latest-country-tighten-screws-uber www.secnews.physaphae.fr/article.php?IdArticle=2373742 False None Uber,Uber None TroyHunt - Blog Security UK Supreme Court says Uber drivers are not independent contractors 2021-02-19T17:14:54+00:00 https://arstechnica.com/?p=1743797 www.secnews.physaphae.fr/article.php?IdArticle=2372034 False None Uber,Uber None TroyHunt - Blog Security Uber: Bankrupt engineer Levandowski is hiding millions from creditors 2021-02-18T18:12:18+00:00 https://arstechnica.com/?p=1743470 www.secnews.physaphae.fr/article.php?IdArticle=2367162 False None Uber None Wired Threat Level - Security News Aurora Partners With Toyota on Self-Driving Sienna Taxis 2021-02-11T14:00:00+00:00 https://www.wired.com/story/aurora-partnership-toyota-self-driving-taxis www.secnews.physaphae.fr/article.php?IdArticle=2330495 False None Uber None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC The Kubernetes API Server: Exploring its security impact and how to lock it down Container Journal, 48% of respondents to a 2020 survey said that their organizations were using the platform. That’s up from 27% two years prior. These organizations could be turning to Kubernetes for the many benefits it affords them. 
As noted in its documentation, Kubernetes comes with the ability to distribute the container network traffic so as to keep organizations’ applications up and running. The platform is also capable of moving the actual state of any deployed containers to a desired state specified by the user as well of replacing and killing containers that don’t respond to a health check. The double-edged growth of Kubernetes clusters The benefits mentioned above trace back to the advantage of the Kubernetes cluster. At a minimum, a cluster consists of a control plane for maintaining the cluster’s desired state and a set of nodes for running the applications and workloads. Clusters make it possible for organizations to run containers across a group of machines in their environment. There’s just one problem: the number of clusters under organizations’ management is on the rise. This growth in clusters creates network complexity that complicates the task of securing a Kubernetes environment. As StackRox explains in a blog post: That’s because in a sprawling Kubernetes environment with several clusters spanning tens, hundreds, or even thousands of nodes, created by hundreds of different developers, manually checking the configurations is not feasible. And like all humans, developers can make mistakes – especially given that Kubernetes configuration options are complicated, security features are not enabled by default, and most of the community is learning how to effectively use components including Pod Security Policies and Security Context, Network Policies, RBAC, the API server, kubelet, and other Kubernetes controls. The last thing that organizations want to do is enable a malicious actor to authorize their Kubernetes environment. This raises an important question: how can organizations make sure they’re taking the necessary security precautions? 
Look to the Kubernetes API Server Organizations can help strengthen the security of their Kubernetes environment by locking down the Kubernetes API server. Also known as kube-apiserver, the Kubernetes API server is the frontend of the control plane that exposes the Kubernetes API. This element is responsible for helping end users, different parts of the cluster and external elements communicate with one another. A compromise of the API server could enable attackers to manipulate the communication between different Kubernetes components. This could include having them communicate with malicious resources that are hosted externally. Additionally, they could leverage this communication channel to spread malware like cryptominers amongst all the pods, activity which could threaten the availability of the organization’s applications and services. Fortunately, organizations can take several steps to secure the Kubernetes API server. Presented below are a few recommendations. Stay on top of Kubernetes updates From time to time, Kubernetes releases a software update that patches a vulnerability affecting the Kubernetes API server. It’s important that administrators implement those fixes on a timely basis. 
Otherwise, they could give malici]]> 2021-02-11T11:00:00+00:00 https://feeds.feedblitz.com/~/643985864/0/alienvault-blogs~The-Kubernetes-API-Server-Exploring-its-security-impact-and-how-to-lock-it-down www.secnews.physaphae.fr/article.php?IdArticle=2329673 False Malware,Vulnerability Uber None IT Security Guru - Blog Sécurité Researcher manages to hack into 35 tech firms 2021-02-10T16:48:33+00:00 https://www.itsecurityguru.org/2021/02/10/researcher-manages-to-hack-into-35-tech-firms/?utm_source=rss&utm_medium=rss&utm_campaign=researcher-manages-to-hack-into-35-tech-firms www.secnews.physaphae.fr/article.php?IdArticle=2325105 False Hack Uber None InformationSecurityBuzzNews - Site de News Securite Microsoft, Uber And Tesla Amongst Tech Companies Vulnerable To New Automated Supply Chain Attack – Expert Insight 2021-02-10T13:12:44+00:00 https://informationsecuritybuzz.com/expert-comments/microsoft-uber-and-tesla-amongst-tech-companies-vulnerable-to-new-automated-supply-chain-attack-expert-insight/ www.secnews.physaphae.fr/article.php?IdArticle=2324082 False None Uber,Uber None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) 
Dependency Confusion Supply-Chain Attack Hit Over 35 High-Profile Companies ]]> 2021-02-10T04:57:14+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/xrvY4re7MoE/dependency-confusion-supply-chain.html www.secnews.physaphae.fr/article.php?IdArticle=2323934 False None Uber None Security Affairs - Blog Secu Microsoft February 2021 Patch Tuesday fixes 56 bugs, including an actively exploited Windows zero-day 2021-02-09T22:27:22+00:00 https://securityaffairs.co/wordpress/114409/security/microsoft-february-2021-patch-tuesday.html?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-february-2021-patch-tuesday www.secnews.physaphae.fr/article.php?IdArticle=2321368 False None Uber None Bleeping Computer - Magazine Américain Researcher hacks Microsoft, Apple, more in novel supply chain attack 2021-02-09T13:04:16+00:00 https://www.bleepingcomputer.com/news/security/researcher-hacks-microsoft-apple-more-in-novel-supply-chain-attack/ www.secnews.physaphae.fr/article.php?IdArticle=2318977 False Hack Uber,Uber None Bleeping Computer - Magazine Américain Researcher hacks over 35 tech firms in novel supply chain attack 2021-02-09T13:04:16+00:00 https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/ www.secnews.physaphae.fr/article.php?IdArticle=2323268 True Hack Uber,Uber None CVE Liste - Common Vulnerability Exposure CVE-2021-21303 2021-02-05T22:15:12+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21303 www.secnews.physaphae.fr/article.php?IdArticle=2302251 False Tool Uber None InformationSecurityBuzzNews - Site de News Securite New Malware Hijacks Kubernetes Clusters To Mine Monero – Experts Insight 2021-02-05T18:53:56+00:00 https://informationsecuritybuzz.com/expert-comments/new-malware-hijacks-kubernetes-clusters-to-mine-monero-experts-insight/ www.secnews.physaphae.fr/article.php?IdArticle=2300490 False Malware,Threat Uber 4.0000000000000000 Security Affairs - Blog Secu TeamTNT group uses 
Hildegard Malware to target Kubernetes Systems 2021-02-05T16:44:53+00:00 https://securityaffairs.co/wordpress/114241/malware/teamtnt-hildegard-malware-kubernetes.html?utm_source=rss&utm_medium=rss&utm_campaign=teamtnt-hildegard-malware-kubernetes www.secnews.physaphae.fr/article.php?IdArticle=2299916 False Malware Uber None SecurityWeek - Security News New \'Hildegard\' Malware Targets Kubernetes Systems 2021-02-04T16:07:37+00:00 http://feedproxy.google.com/~r/Securityweek/~3/n7AqOjz03-Q/new-hildegard-malware-targets-kubernetes-systems www.secnews.physaphae.fr/article.php?IdArticle=2294675 False Malware Uber None Kaspersky Threatpost - Kaspersky est un éditeur antivirus russe New Malware Hijacks Kubernetes Clusters to Mine Monero 2021-02-03T20:50:54+00:00 https://threatpost.com/new-malware-hijacks-kubernetes-clusters-to-mine-monero/163629/ www.secnews.physaphae.fr/article.php?IdArticle=2290965 False Malware Uber None ComputerWeekly - Computer Magazine Crypto malware targets Kubernetes clusters, say researchers 2021-02-03T12:00:00+00:00 https://www.computerweekly.com/news/252495806/Crypto-malware-targets-Kubernetes-clusters-say-researchers www.secnews.physaphae.fr/article.php?IdArticle=2289996 False Malware Uber None CVE Liste - Common Vulnerability Exposure CVE-2020-8568 2021-01-21T17:15:14+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8568 www.secnews.physaphae.fr/article.php?IdArticle=2227277 False None Uber None CVE Liste - Common Vulnerability Exposure CVE-2020-8567 2021-01-21T17:15:14+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8567 www.secnews.physaphae.fr/article.php?IdArticle=2227276 False None Uber None CVE Liste - Common Vulnerability Exposure CVE-2020-8570 2021-01-21T17:15:14+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8570 www.secnews.physaphae.fr/article.php?IdArticle=2227279 False None Uber None CVE Liste - Common Vulnerability Exposure CVE-2020-8569 2021-01-21T17:15:14+00:00 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8569 www.secnews.physaphae.fr/article.php?IdArticle=2227278 False None Uber None CVE Liste - Common Vulnerability Exposure CVE-2020-8554 2021-01-21T17:15:13+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8554 www.secnews.physaphae.fr/article.php?IdArticle=2227275 False None Uber None CVE Liste - Common Vulnerability Exposure CVE-2020-26278 2021-01-20T22:15:11+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26278 www.secnews.physaphae.fr/article.php?IdArticle=2221967 False Vulnerability Uber None InfoSecurity Mag - InfoSecurity Magazine Trump Pardons Google Trade Secret Thief 2021-01-20T18:25:00+00:00 https://www.infosecurity-magazine.com:443/news/trump-pardons-google-trade-secret/ www.secnews.physaphae.fr/article.php?IdArticle=2220467 False None Uber,Uber None Wired Threat Level - Security News Social Media Bans Are Really, Actually, Shockingly Common 2021-01-20T14:00:00+00:00 https://www.wired.com/story/opinion-social-media-bans-are-really-actually-shockingly-common www.secnews.physaphae.fr/article.php?IdArticle=2219234 False None Uber,Uber None Kaspersky Threatpost - Kaspersky est un éditeur antivirus russe Rob Joyce to Take Over as NSA Cybersecurity Director 2021-01-19T20:20:03+00:00 https://threatpost.com/rob-joyce-nsa-cybersecurity-director/163160/ www.secnews.physaphae.fr/article.php?IdArticle=2216818 False None Uber None CVE Liste - Common Vulnerability Exposure CVE-2021-21251 2021-01-15T21:15:13+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21251 www.secnews.physaphae.fr/article.php?IdArticle=2200501 False Vulnerability,Guideline Uber None CVE Liste - Common Vulnerability Exposure CVE-2021-21243 2021-01-15T20:15:12+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21243 www.secnews.physaphae.fr/article.php?IdArticle=2199572 False Guideline Uber None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Security 
context: The starting point for how Kubernetes Pod security works StackRox that they had recently adopted Kubernetes. Three quarters of survey participants went on to reveal that they had deployed the container orchestration platform in their production environments. Even so, nine out of 10 respondents told the company that their organizations had suffered a security incident in their container and Kubernetes environments over the last 12 months. Subsequently, nearly half (44%) of respondents said that they had delayed moving an application into production due to their security concerns. These findings highlight the need for organizations to strengthen their Kubernetes security. They can do this by focusing on the security of their pods. StackRox explains why in a blog post: Securing pods, and the containers that run as part of them, is a critical aspect of protecting your Kubernetes environments. Among other reasons, pods and containers are the individual units of compute that are ultimately subject to adversarial techniques that may be used as part of any attack on your Kubernetes clusters. Since pods are also the smallest resource you can deploy and manage in Kubernetes, applying security at this level ensures greater fine-grained controls that are scoped to individual application components. Organizations can specifically use Pod Security Policies (PSPs) to strengthen their pod security. Before that even happens, they need to figure out what they want to define within those PSPs. That’s where security context comes into play. What are security contexts? According to Kubernetes’ documentation, security contexts define the privileges and access control settings for a selected pod or container. These settings include Linux Capabilities through which users can specify whether to give a process some privileges but not those of a root user. 
They also include AllowPrivilegeEscalation, or controls through which users can make a process more privileged than its parent process. Additional examples of security contexts are available here. To set up security contexts, users need to have a Kubernetes cluster and the kubectl command-line tool configured to communicate with that cluster. They can then include the “securityContext” field in the specification for their pod or container. This action applies whatever security settings they want to their selected resource. Moving on with Pod Security Policies Once they know the security context, organizations can create a Pod Security Policy. Kubernetes notes elsewhere on its website that a PSP functions as a cluster-level resource that defines the security conditions under which a pod is allowed to run. Such a policy encapsulates and enforces one or more security contexts chosen by the user.]]> 2021-01-14T11:00:00+00:00 https://feeds.feedblitz.com/~/641585278/0/alienvault-blogs~Security-context-The-starting-point-for-how-Kubernetes-Pod-security-works www.secnews.physaphae.fr/article.php?IdArticle=2188855 False None Uber None InfoSecurity Mag - InfoSecurity Magazine Red Hat to Acquire StackRox 2021-01-08T16:49:00+00:00 https://www.infosecurity-magazine.com:443/news/red-hat-to-acquire-stackrox/ www.secnews.physaphae.fr/article.php?IdArticle=2159643 False None Uber None SecurityWeek - Security News Red Hat Buys Container Security Firm StackRox 2021-01-07T23:37:05+00:00 http://feedproxy.google.com/~r/Securityweek/~3/uHmCn5nyM8w/red-hat-buys-container-security-firm-stackrox www.secnews.physaphae.fr/article.php?IdArticle=2155167 False None Uber None Kaspersky Threatpost - Kaspersky est un éditeur antivirus russe Biden to Appoint Cybersecurity Advisor to NSC – Report 2021-01-07T22:21:27+00:00 https://threatpost.com/biden-cybersecurity-advisor-nsc/162867/ www.secnews.physaphae.fr/article.php?IdArticle=2154687 False None Uber None TechRepublic - Security News US Amazon, 
Disney, and Uber reveal remote interviewing and hiring processes 2021-01-07T19:58:21+00:00 https://www.techrepublic.com/article/amazon-disney-and-uber-reveal-remote-interviewing-and-hiring-processes/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=2154299 False None Uber,Uber None Ars Technica - Risk Assessment Security Hacktivism Court says Uber can't hold users to terms they probably didn't read 2021-01-05T22:33:31+00:00 https://arstechnica.com/?p=1733028 www.secnews.physaphae.fr/article.php?IdArticle=2148692 False None Uber,Uber None Darknet - The Darkside - Site de news Américain GKE Auditor – Detect Google Kubernetes Engine Misconfigurations GKE Auditor is a Java-based tool to detect Google Kubernetes Engine misconfigurations. It aims to help security and development teams streamline the configuration process and save time looking for generic bugs and vulnerabilities. The tool consists of individual modules called Detectors, each scanning for a specific vulnerability. Installing and Using GKE Auditor to Detect Google Kubernetes Engine Misconfigurations Installation git clone https://github.com/google/gke-auditor cd ./gke-auditor/ ./build.sh Usage The tool has to be built by running the build.sh script first. 
]]> 2021-01-01T10:59:21+00:00 https://www.darknet.org.uk/2021/01/gke-auditor-detect-google-kubernetes-engine-misconfigurations/?utm_source=rss&utm_medium=social&utm_campaign=darknetfeed www.secnews.physaphae.fr/article.php?IdArticle=2139015 False Tool Uber None Wired Threat Level - Security News Uber and Lyft\'s Gig Work Law Could Expand Beyond California 2020-12-22T13:00:00+00:00 https://www.wired.com/story/uber-lyfts-gig-work-law-expand-california www.secnews.physaphae.fr/article.php?IdArticle=2120365 False None Uber None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) What is Geocoding? - How to Find Coordinates of An Address ]]> 2020-12-16T05:41:20+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/cR5A2uSoAhE/what-is-geocoding-how-to-find.html www.secnews.physaphae.fr/article.php?IdArticle=2105107 False None Uber None Palo Alto Network - Site Constructeur CRN 2020 Hottest Cybersecurity Products Include CN-Series Firewall 2020-12-12T00:00:19+00:00 http://feedproxy.google.com/~r/PaloAltoNetworks/~3/aoWMVTzNn4I/ www.secnews.physaphae.fr/article.php?IdArticle=2148680 False None Uber None TechRepublic - Security News US How to install Kubernetes on Ubuntu Server without Docker 2020-12-10T16:23:06+00:00 https://www.techrepublic.com/article/how-to-install-kubernetes-on-ubuntu-server-without-docker/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=2089471 False None Uber None IT Security Guru - Blog Sécurité A Guide to Kubernetes Security 2020-12-08T12:21:41+00:00 https://www.itsecurityguru.org/2020/12/08/a-guide-to-kubernetes-security/?utm_source=rss&utm_medium=rss&utm_campaign=a-guide-to-kubernetes-security www.secnews.physaphae.fr/article.php?IdArticle=2084888 False None Uber None Bleeping Computer - Magazine Américain All Kubernetes versions affected by unpatched MiTM vulnerability 2020-12-08T09:20:00+00:00 
https://www.bleepingcomputer.com/news/security/all-kubernetes-versions-affected-by-unpatched-mitm-vulnerability/ www.secnews.physaphae.fr/article.php?IdArticle=2085092 False Vulnerability Uber None Wired Threat Level - Security News Uber Gives Up on the Self-Driving Dream 2020-12-07T21:06:56+00:00 https://www.wired.com/story/uber-gives-up-self-driving-dream www.secnews.physaphae.fr/article.php?IdArticle=2083601 False None Uber 5.0000000000000000 Wired Threat Level - Security News How The Tumult of 2020 Will Shape the Future of Ride Sharing 2020-12-04T13:00:00+00:00 https://www.wired.com/story/gadget-lab-podcast-483 www.secnews.physaphae.fr/article.php?IdArticle=2077021 False None Uber None TechRepublic - Security News US Kubernetes: A cheat sheet 2020-12-03T21:00:00+00:00 https://www.techrepublic.com/article/kubernetes-the-smart-persons-guide/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=2075874 False None Uber None InformationSecurityBuzzNews - Site de News Securite Expert Insight: Docker Malware Is Now Common – Devs Need To React Accordingly Expert Insight: Docker Malware Is Now Common – Devs Need To React Accordingly]]> 2020-12-02T12:20:16+00:00 https://www.informationsecuritybuzz.com/expert-comments/expert-insight-docker-malware-is-now-common-devs-need-to-react-accordingly/ www.secnews.physaphae.fr/article.php?IdArticle=2072139 False Malware Uber None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC How to secure a Kubernetes cluster StackRox found that nearly 91% of surveyed organizations had adopted Kubernetes, with a majority (75%) of participants revealing that they had deployed the container orchestration platform into their production environments. Even so, nine in 10 respondents said that they had experienced a security incident involving a misconfiguration, vulnerability or runtime error in their container and Kubernetes environments over the last 12 months. 
Nearly half (44%) went on to say that they had delayed moving an application into production as a result of their security concerns. These findings highlight the need for organizations to ensure their Kubernetes configurations complement their security requirements. As part of this process, administrators can focus in on protecting their clusters, which are part of the Kubernetes architecture. After defining what a cluster is, this blog post will explore the two sets of components that exist within a cluster and provide guidance on how organizations can secure those components along the way. Understanding the Kubernetes cluster On its website, Kubernetes says that customers get a cluster—or a set of one or more worker machines called “nodes” that are responsible for running a containerized application—whenever they deploy Kubernetes. These nodes host pods, groups of one or more containers which function as the application workload’s components. Ultimately, Kubernetes makes it possible for administrators to manage the nodes and the cluster more generally, including events that affect either, by using the control plane. Administrators can secure a Kubernetes cluster by specifically directing their efforts to the control plane and the worker nodes. The control plane Within the control plane, administrators can focus their security measures on five components: kube-apiserver, etcd, kube-scheduler, kube-controller-manager and cloud-controller-manager. kube-apiserver The kube-apiserver is the main implementation of a Kubernetes API server within a Kubernetes deployment. It scales horizontally as administrators deploy more instances of kube-apiserver to balance traffic within their environments. As the front end for the Kubernetes control plane, the API server potentially exposes the Kubernetes API. Administrators can secure this element by upgrading to the newest version of Kubernetes and by applying updates, thereby closing security gaps. 
From there, administrators can restrict access to the Kubernetes API server by setting up authentication for Kubernetes API clients and ensuring all API traffic is encrypted using TLS. etcd A key value store, etcd functions as the backing store for all Kubernetes cluster data. Administrators might want to consider having a back-up plan for that data. Similar to the kube-apiserver, they can once again turn to encryption, authentication and access control as a means of gaining visibility over read and write access to that data store. kube-scheduler Within the control plane, administrators can use the kube-scheduler component to function for newly created pods that don’t have an a]]> 2020-12-02T12:00:00+00:00 https://feeds.feedblitz.com/~/639499898/0/alienvault-blogs~How-to-secure-a-Kubernetes-cluster www.secnews.physaphae.fr/article.php?IdArticle=2071824 False Vulnerability Uber None TechRepublic - Security News US Kubernetes will deliver the app store experience for enterprise software, says Weaveworks CEO 2020-12-01T17:12:00+00:00 https://www.techrepublic.com/article/kubernetes-will-deliver-the-app-store-experience-for-enterprise-software-says-weaveworks-ceo/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=2070686 False None Uber None Wired Threat Level - Security News Ride-Hail Companies Are Making Life Harder for Scooters 2020-11-30T12:00:00+00:00 https://www.wired.com/story/ride-hail-companies-making-life-harder-scooters www.secnews.physaphae.fr/article.php?IdArticle=2067097 False None Uber None TechRepublic - Security News US Experts share tips on how to get prepared for Kubernetes jobs 2020-11-25T14:50:14+00:00 https://www.techrepublic.com/article/experts-share-tips-on-how-to-get-prepared-for-kubernetes-jobs/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=2055256 False None Uber None TechRepublic - Security News US How to check your Kubernetes YAML files for best practices 2020-11-12T16:04:56+00:00 
https://www.techrepublic.com/article/how-to-check-your-kubernetes-yaml-files-for-best-practices/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=2031079 False None Uber None Wired Threat Level - Security News Who's Still Covered by California's Gig Worker Law? 2020-11-10T12:00:00+00:00 https://www.wired.com/story/whos-still-covered-californias-gig-worker-law www.secnews.physaphae.fr/article.php?IdArticle=2026926 False None Uber None Wired Threat Level - Security News With $200 Million, Uber and Lyft Write Their Own Labor Law 2020-11-04T21:04:54+00:00 https://www.wired.com/story/200-million-uber-lyft-write-own-labor-law www.secnews.physaphae.fr/article.php?IdArticle=2015890 False None Uber None Security Affairs - Blog Secu 5 Components of the Kubernetes Control Plane that Demand Special Attention in Your Security Strategy 2020-10-30T18:17:41+00:00 https://securityaffairs.co/wordpress/110189/security/kubernetes-control-plane-security-strategy.html?utm_source=rss&utm_medium=rss&utm_campaign=kubernetes-control-plane-security-strategy www.secnews.physaphae.fr/article.php?IdArticle=2005055 False None Uber None Veracode - Application Security Research, News, and Education Blog A Software Security Checklist Based on the Most Effective AppSec Programs Veracode's Chris Wysopal and Chris Eng joined Enterprise Strategy Group (ESG) Senior Analyst Dave Gruber and award-winning security writer and host of the Smashing Security podcast, Graham Cluley, at Black Hat USA to unveil the findings from a new ESG research report, Modern Application Development Security. The research is based on a survey of nearly 400 developers and security professionals, which explored the dynamic between the roles, their trigger points, the extent to which security teams understand modern development, and the buying intentions of application security (AppSec) teams. 
As the presenters went through the data, it led to a larger discussion about AppSec best practices and what steps organizations can take to mature their programs. Here are the best practices laid out during the presentation as an easy-to-follow checklist as well as supporting data from the ESG report. Application security controls are highly integrated into the CI/CD toolchain. In the ESG survey, 43 percent of organizations agreed that DevOps integration is most important to improving AppSec programs, but only 56 percent of respondents answered that they use a highly integrated set of security controls throughout their DevOps process. Integrating security measures into the CI/CD toolchain not only makes it easier for developers to run AppSec tests, but it also helps organizations discover security issues sooner, which speeds up time to deployment. Application security best practices are formally documented. In order to have a successful AppSec program, everyone needs to be on the same page regarding best practices. The CISO should help facilitate the formal documentation of AppSec best practices. Developers and security professionals can reference the list and use it to guide their decisions. Application security training is included as part of the ongoing development security training program. Developers have been increasingly tasked with implementing security measures, including writing secure code and remediating vulnerabilities. Most developers don't receive secure code training courses in college, so it is up to organizations to offer security training. But according to the survey, more than 20 percent of organizations only provide training when developers join the team. Developers should have multiple, at-leisure training opportunities throughout the year, like virtual or hands-on programs, such as Veracode Security Labs. Chris Wysopal pointed out the importance of human touchpoints as part of ongoing developer training. 
If someone is checking in on developers to make sure they're completing their training, they'll likely take it more seriously. Consider a security champions program. The security champions are developers who have an interest in learning about security. If you have at least one security champion on every scrum team, that person can help ensure that their peers are up to speed on the latest security training and best practices. Ongoing developer security training includes formal training programs, and a high percentage of developers participate. At-leisure security training is a great way for developers to learn on their own time. But it is also important to implement formal security training with a set completion date and a skills assessment. Without formal security training, developers may not develop the skills they need to write secure code and remediate vulnerabilities. This could lead to slower and more expensive deployments because of rework or vulnerable code being pushed to production. 
Accordin]]> 2020-10-29T13:04:48+00:00 https://www.veracode.com/blog/intro-appsec/software-security-checklist-based-most-effective-appsec-programs www.secnews.physaphae.fr/article.php?IdArticle=2103305 False Tool,Vulnerability,Guideline Uber None TechRepublic - Security News US Microsoft Azure: This new technology allows you to manage Kubernetes containers across the hybrid cloud 2020-10-26T10:48:20+00:00 https://www.techrepublic.com/article/microsoft-azure-this-new-technology-allows-you-to-manage-kubernetes-containers-across-the-hybrid-cloud/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=1996667 False None Uber None TechRepublic - Security News US 94% of organizations run into Kubernetes challenges 2020-10-21T19:19:33+00:00 https://www.techrepublic.com/article/94-of-organizations-run-into-kubernetes-challenges/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=1989661 False None Uber None Wired Threat Level - Security News The Fate of Gig Workers Is in the Hands of California Voters 2020-10-20T11:00:00+00:00 https://www.wired.com/story/fate-gig-workers-hands-california-voters www.secnews.physaphae.fr/article.php?IdArticle=1987332 False None Uber None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC PSPs vs. OPA Gatekeeper: Breaking down your Kubernetes Pod security options State of Container and Kubernetes Security Fall 2020 survey, for instance, StackRox found that 91% of respondents were using Kubernetes to orchestrate their containers and that three quarters of organizations were using the open-source container-orchestration system in production. Even so, nine in 10 respondents told StackRox in its poll that they had experienced a security event in their container and Kubernetes environment in the last 12 months. Two-thirds of organizations said those incidents had involved a misconfiguration. 
These findings highlight the need for organizations to enhance the security of their Kubernetes environments against misconfiguration incidents. In this blog post, we’ll narrow our focus and discuss how one type of misconfiguration in particular—embracing default pod communication—endangers organizations’ security. We’ll then discuss how organizations can use either Pod Security Policies (PSPs) or OPA Gatekeeper to ensure the security of their pods. Understanding the Security Challenges of Pod Communication To understand the security challenges inherent in default Kubernetes pod communication, it’s important that we first define what a pod is and does. Pods consist of one or more containers, shared storage/network resources and specifications for running those containers, according to the Kubernetes website. When framed in Docker terms, pods act as groups of Docker containers that share namespaces and filesystem volumes. These small computing units help organizations to group containers together and have these resources collaborate on specific projects or sets of work. Where organizations run into challenges is the way in which pods communicate by default. As noted elsewhere on Kubernetes website, the standard configuration for pods is non-isolated in that they are capable of accepting traffic from any source. This is a problem, as this type of open communication potentially enables malicious actors to abuse the Kubernetes environment for nefarious purposes. Digital attackers could stage an attack in which they create a malicious container and use that to compromise its corresponding pod, for instance. That actor could then abuse unrestricted communication between pods to move laterally throughout the Kubernetes environment, deploying cryptominers and installing infostealing malware along the way. 
Using Security Context to Address These Challenges Fortunately, organizations can address these security challenges associated with pods using what are known as security contexts. Kubernetes notes on its site that security contexts function as configurations that help to define the security properties of a pod or a container. These configurations include access controls that govern who can access a pod or container and whether a Kubernetes resource is privileged. With the right security contexts, organizations can therefore prevent unauthorized actors from gaining access to a container, from elevating privileges on a compromised resource and from moving laterally on the network. Enforcing Security Context with Pod Security Policies When it comes time to enforce a security context, organizations may choose to use pod security policies (PSPs). These cluster-level resources manage the specifications under which a pod is allowed to run on a s 2020-10-19T11:00:00+00:00 https://feeds.feedblitz.com/~/637232922/0/alienvault-blogs~PSPs-vs-OPA-Gatekeeper-Breaking-down-your-Kubernetes-Pod-security-options www.secnews.physaphae.fr/article.php?IdArticle=1985636 False Malware Uber None TechRepublic - Security News US How to become a Kubernetes expert 2020-10-09T17:50:04+00:00 https://www.techrepublic.com/article/how-to-become-a-kubernetes-expert/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=1966077 False None Uber None CSO - CSO Daily Dashboard Uber breach case a 'watershed moment' for CISOs' liability risk two felonies for failing to report a 2016 breach that exposed 607,000 personal records, CISOs are scrambling to determine their own personal liability for breaches in their organizations. The charges - obstruction of justice and misprision of a felony (failure to report a crime) - carry with them the potential of jail time of up to five years and three years, respectively.
2020-10-05T03:00:00+00:00 https://www.csoonline.com/article/3584071/uber-breach-case-a-watershed-moment-for-cisos-liability-risk.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=1956734 False None Uber None TechRepublic - Security News US How to transition a developer career into Kubernetes 2020-09-28T13:00:01+00:00 https://www.techrepublic.com/article/how-to-transition-a-developer-career-into-kubernetes/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=1944254 False None Uber None AlienVault Blog - AlienVault is a major defense player in IOCs Why misconfigurations are such an issue in your containers and Kubernetes ZDNet, Flexera’s “2020 State of the Cloud Report” found that about two-thirds (65%) of organizations were using Docker and that another 14% intended to begin using it at some point. Slightly fewer organizations (58%) were using Kubernetes at the time of the survey, by comparison, with 22% of participants saying they planned to adopt it. Even so, misconfigurations with both containers and Kubernetes are posing a problem. StackRox’s “State of Kubernetes and Container Security Winter 2020” report found that nearly all (94%) of respondents had experienced a security incident in their container environments over the past 12 months, per Security magazine’s coverage. The majority (69%) of those security events amounted to a misconfiguration incident, followed by runtime issues and vulnerabilities at 27% and 24%, respectively. In keeping with those experiences, 61% of survey participants cited misconfigurations as their most worrisome security risk for their container and Kubernetes environments followed by vulnerabilities (27%) and runtime attacks (12%). These findings beg the question: why are misconfigurations such an issue for organizations’ Kubernetes and container environments? This blog post will answer this question by first defining containers and Kubernetes and explaining the benefits of each technology.
It will then explore how misconfigurations open the door for attacks from malicious actors. Finally, it will briefly provide a few recommendations on how organizations can reduce the probability of suffering a misconfiguration incident. Why use containers and Kubernetes? According to CIO, a container contains everything that’s needed to run a software program. It includes an application along with its dependencies, libraries and other components. Bundling these components together enables a container to run regardless of the system’s OS distribution or the underlying infrastructure. Those aren’t the only benefits of containers, either. Containers might be only tens of megabytes in size, for instance. A server can therefore host more containers than virtual machines, notes CIO, as a virtual machine consists of an entire OS that might be several gigabytes in size. Consequently, virtual machines usually take several minutes to boot up and begin running, while containers can run almost instantly. This quality makes containers more dynamic in that organizations can spin them up and wind them down at a moment’s notice. Finally, organizations can take advantage of containers’ smaller size and dynamism to split an application into several modules that extend across several containers. Under this approach, developers can make changes to a module and deploy them without needing to redesign the whole app. As the number of containers grows, organizations need some way of managing them all in an organized fashion. That’s where Kubernetes comes in as an orchestration platform. Per its website, Kubernetes enables organizations to manage their containerized workloads and services. It allows organizations to load balance and distribute network traffic in order to stabilize a deployment. 
It also enables organizations to restart containers that fail and kill those 2020-09-22T11:00:00+00:00 https://feeds.feedblitz.com/~/635839134/0/alienvault-blogs~Why-misconfigurations-are-such-an-issue-in-your-containers-and-Kubernetes www.secnews.physaphae.fr/article.php?IdArticle=1932079 False Malware Uber None Wired Threat Level - Security News Could a Century-Old TB Shot Protect Against Other Respiratory Diseases? 2020-09-21T12:00:00+00:00 https://www.wired.com/story/could-a-century-old-tb-shot-protect-against-other-respiratory-diseases www.secnews.physaphae.fr/article.php?IdArticle=1930198 False None Uber None TechRepublic - Security News US How to easily deploy LAN-accessible pods to a Kubernetes cluster 2020-09-17T20:20:31+00:00 https://www.techrepublic.com/article/how-to-easily-deploy-lan-accessible-pods-to-a-kubernetes-cluster/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=1923737 False None Uber None Wired Threat Level - Security News Why Wasn't Uber Charged in a Fatal Self-Driving Car Crash? 2020-09-17T18:55:26+00:00 https://www.wired.com/story/why-not-uber-charged-fatal-self-driving-car-crash www.secnews.physaphae.fr/article.php?IdArticle=1923526 False None Uber None Wired Threat Level - Security News Anime Avatars Are Going Mainstream on Twitch 2020-09-15T19:14:39+00:00 https://www.wired.com/story/vtube-streaming-twitch-pokimane www.secnews.physaphae.fr/article.php?IdArticle=1918955 False None Uber None Wired Threat Level - Security News It's Not Easy Being a BookTuber 2020-09-11T16:00:00+00:00 https://www.wired.com/2020/09/geeks-guide-daniel-greene www.secnews.physaphae.fr/article.php?IdArticle=1911238 False None Uber None The Hacker News - The Hacker News is a hacking news blog (surprising, no?)
Cybercriminals Are Using Legit Cloud Monitoring Tools As Backdoor 2020-09-09T01:23:41+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/dopZk9gliXA/cloud-monitoring.html www.secnews.physaphae.fr/article.php?IdArticle=1906640 False None Uber None Wired Threat Level - Security News Uber Pledges to Go All-Electric, but It Doesn't Own the Cars 2020-09-08T15:30:00+00:00 https://www.wired.com/story/uber-pledges-electric-doesnt-own-cars www.secnews.physaphae.fr/article.php?IdArticle=1905688 False None Uber None Dark Reading - Informationweek Branch Why Kubernetes Clusters Are Intrinsically Insecure (& What to Do About Them) 2020-09-02T10:00:00+00:00 https://www.darkreading.com/cloud/why-kubernetes-clusters-are-intrinsically-insecure-(and-what-to-do-about-them)/a/d-id/1338747?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple www.secnews.physaphae.fr/article.php?IdArticle=1894621 False None Uber None TechRepublic - Security News US What you need to know about Kubernetes 2020-09-01T17:43:50+00:00 https://www.techrepublic.com/article/what-you-need-to-know-about-kubernetes-that-they-dont-tell-you/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=1892997 False None Uber None Adam Shostack - American Security Blog The Uber CSO indictment 2020-08-28T16:47:49+00:00 https://adam.shostack.org/blog/2020/08/the-uber-cso-indictment/?utm_source=rss&utm_medium=rss&utm_campaign=the-uber-cso-indictment www.secnews.physaphae.fr/article.php?IdArticle=1887123 False None Uber None TechRepublic - Security News US How to limit CPU ranges in a Kubernetes pod 2020-08-25T15:56:42+00:00 https://www.techrepublic.com/article/how-to-limit-cpu-ranges-in-a-kubernetes-pod/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=1881462 False None Uber None InformationSecurityBuzzNews - Security news site Former Uber Security Chief Charged With Paying Hush Money To Cover Up 2016 Hack
2020-08-24T15:21:46+00:00 https://www.informationsecuritybuzz.com/expert-comments/former-uber-security-chief-charged-with-paying-hush-money-to-cover-up-2016-hack/ www.secnews.physaphae.fr/article.php?IdArticle=1879487 False Data Breach,Hack Uber None InformationSecurityBuzzNews - Security news site Expert Commentary: Uber Covers-up Ransom Payment For PII Of 57M Drivers 2020-08-24T03:38:10+00:00 https://www.informationsecuritybuzz.com/expert-comments/expert-commentary-uber-covers-up-ransom-payment-for-pii-of-57m-drivers/ www.secnews.physaphae.fr/article.php?IdArticle=1878509 False None Uber None Zataz - French security magazine Former Uber security chief accused of covering up a hack 2020-08-21T15:52:23+00:00 https://www.zataz.com/lancien-chef-de-la-securite-duber-accuse-davoir-dissimule-un-piratage-informatique/ www.secnews.physaphae.fr/article.php?IdArticle=1874610 False None Uber None Wired Threat Level - Security News A Former Uber Exec's Indictment Is a Warning Shot 2020-08-21T15:46:10+00:00 https://www.wired.com/story/uber-exec-joe-sullivan-data-breach-indictment www.secnews.physaphae.fr/article.php?IdArticle=1874641 False None Uber None BBC - BBC News - Technology Uber ex-security boss accused of covering up hack attack 2020-08-21T10:04:22+00:00 https://www.bbc.co.uk/news/technology-53861375 www.secnews.physaphae.fr/article.php?IdArticle=1873958 False Hack Uber None Wired Threat Level - Security News Uber and Lyft Win a Reprieve, and Won't Quit California-for Now 2020-08-20T21:25:00+00:00 https://www.wired.com/story/uber-lyft-win-reprive-wont-quit-california-now www.secnews.physaphae.fr/article.php?IdArticle=1873130 False None Uber None ZD Net - Magazine Info Former Uber CSO charged for 2016 hack cover-up 2020-08-20T20:51:02+00:00 https://www.zdnet.com/article/former-uber-cso-charged-for-2016-hack-cover-up/#ftag=RSSbaffb68
www.secnews.physaphae.fr/article.php?IdArticle=1873013 False Hack Uber None Dark Reading - Informationweek Branch Former Uber CSO Charged in Hack Cover-up 2020-08-20T16:30:00+00:00 https://www.darkreading.com/attacks-breaches/former-uber-cso-charged-in-hack-cover-up/d/d-id/1338714?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple www.secnews.physaphae.fr/article.php?IdArticle=1872978 False Hack Uber None The Hacker News - The Hacker News is a hacking news blog (surprising, no?) Former Uber Security Chief Charged Over Covering Up 2016 Data Breach 2020-08-20T14:39:35+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/Bj5Kn5McO6M/uber-data-breach-cover-ups.html www.secnews.physaphae.fr/article.php?IdArticle=1873202 False Data Breach,Guideline Uber None Wired Threat Level - Security News What Happens If Uber and Lyft Flee California? Look at Austin 2020-08-20T12:00:00+00:00 https://www.wired.com/story/uber-lyft-flee-california-austin www.secnews.physaphae.fr/article.php?IdArticle=1871883 False None Uber None Wired Threat Level - Security News Uber's Now a Food Delivery Company-and It's Still Losing Money 2020-08-07T00:53:29+00:00 https://www.wired.com/story/ubers-food-delivery-company-losing-money www.secnews.physaphae.fr/article.php?IdArticle=1846137 False None Uber None Security Affairs - Security blog UberEats data leaked on the dark web 2020-08-04T21:36:48+00:00 https://securityaffairs.co/wordpress/106770/deep-web/ubereats-data-leaked-dark-web.html?utm_source=rss&utm_medium=rss&utm_campaign=ubereats-data-leaked-dark-web www.secnews.physaphae.fr/article.php?IdArticle=1842365 False Data Breach,Threat Uber None TechRepublic - Security News US How Diamanti wants to bridge Kubernetes into the cloud 2020-07-31T23:17:39+00:00 https://www.techrepublic.com/article/how-diamanti-wants-to-bridge-kubernetes-into-the-cloud/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=1835450 False None Uber None ZD Net - Magazine Info US prosecutors seek years in prison for
Uber self-driving exec who stole Google trade secrets 2020-07-30T11:43:00+00:00 https://www.zdnet.com/article/us-prosecutors-want-ubers-ex-self-driving-chief-to-serve-years-in-prison-for-stealing-google-trade-secrets/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=1832952 False Guideline Uber None TechRepublic - Security News US How to deploy a multi-container pod to a Kubernetes cluster 2020-07-29T17:25:24+00:00 https://www.techrepublic.com/article/how-to-deploy-a-multi-container-pod-to-a-kubernetes-cluster/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=1831567 False None Uber None Wired Threat Level - Security News California's Air Pollution Cops Are Eyeing Uber and Lyft 2020-07-26T11:00:00+00:00 https://www.wired.com/story/californias-air-pollution-cops-eyeing-uber-lyft www.secnews.physaphae.fr/article.php?IdArticle=1825659 False None Uber None Tech Worm - Desc CarryMinati's YouTube Channel Hacked To Stream Bitcoin Scam 2020-07-25T05:22:55+00:00 https://www.techworm.net/2020/07/carry-minati-youtube-channel-hacked.html www.secnews.physaphae.fr/article.php?IdArticle=1824004 False Hack Uber None TechRepublic - Security News US Linux Foundation offering Kubernetes certifications courses and exams as demand spikes 2020-07-24T14:56:14+00:00 https://www.techrepublic.com/article/linux-foundation-offering-kubernetes-certifications-courses-and-exams-as-demand-spikes/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=1823095 False None Uber None TechRepublic - Security News US How to use cron with Kubernetes to schedule tasks 2020-07-23T16:51:23+00:00 https://www.techrepublic.com/article/how-to-use-cron-with-kubernetes-to-schedule-tasks/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=1821091 False None Uber None IT Security Guru - Security blog Twilio's SDK Compromised by Attackers 2020-07-23T11:22:16+00:00
https://www.itsecurityguru.org/2020/07/23/twilios-sdk-compromised-by-attackers/?utm_source=rss&utm_medium=rss&utm_campaign=twilios-sdk-compromised-by-attackers www.secnews.physaphae.fr/article.php?IdArticle=1820688 False None Uber None InformationSecurityBuzzNews - Security news site Twilio's SDK Compromised by Attackers – Expert Reaction 2020-07-23T07:46:55+00:00 https://www.informationsecuritybuzz.com/expert-comments/twilios-sdk-compromised-by-attackers-expert-reaction/ www.secnews.physaphae.fr/article.php?IdArticle=1820287 False None Uber None Wired Threat Level - Security News The Terrible Consequences of Australia's Uber-Bushfires 2020-07-20T15:00:00+00:00 https://www.wired.com/story/the-terrible-consequences-of-australias-uber-bushfires www.secnews.physaphae.fr/article.php?IdArticle=1815082 False None Uber 3.0000000000000000 ZD Net - Magazine Info Uber drivers demand to see algorithms, data that determines their working lives 2020-07-20T07:14:47+00:00 https://www.zdnet.com/article/uber-drivers-demand-to-see-algorithms-data-that-determines-their-working-lives/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=1814431 False None Uber None Checkpoint - Security hardware vendor Twitter Platform Compromise 2020-07-16T13:45:26+00:00 https://blog.checkpoint.com/2020/07/16/twitter-platform-compromise/ www.secnews.physaphae.fr/article.php?IdArticle=1808032 False None Uber None Tech Worm - Desc Twitter Accounts Of Obama, Musk, Gates, Bezos, Apple And Others 'Hacked' In Bitcoin Scam 2020-07-16T13:44:18+00:00 https://www.techworm.net/2020/07/twitter-accounts-hacked-bitcoin-scam.html www.secnews.physaphae.fr/article.php?IdArticle=1808042 False None Uber None The Hacker News - The Hacker News is a hacking news blog (surprising, no?)
Several High-Profile Accounts Hacked in the Biggest Twitter Hack of All Time 2020-07-15T22:11:20+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/siWihZWg4Lo/verified-twitter-hacked.html www.secnews.physaphae.fr/article.php?IdArticle=1807092 False Hack Uber None