This repo will contain info about various security related projects and information in order to build, deploy and manage apps in a secure way.
- Software supply chain security
- Understand your dependencies
- How does HTTPS work? What's a CA? What's a self-signed Certificate?
https://www.youtube.com/watch?v=T4Df5_cojAs
-
Dan Lorenc video on Sigstore tools and cosign https://www.youtube.com/watch?v=gCi9_4NYyR0
-
CNCF Security TAG Supply Chain WG 2021-06-10 https://www.youtube.com/watch?v=TVNyL2_ljtg
-
OCB: Secure your Open Source Supply Chain with Sigstore https://www.youtube.com/watch?v=yKrbUGSwrEw
https://www.redhat.com/en/blog/sigstore-open-answer-software-supply-chain-trust-and-security
-
Helm charts for sigstore components: https://artifacthub.io/packages/search?ts_query_web=sigstore
-
Cosign image signatures https://blog.sigstore.dev/cosign-image-signatures-77bab238a93
-
How to sign a release of OSS https://blog.sigstore.dev/how-to-sign-a-release-of-oss-e96ee94286fc
-
Dan Lorenc built a kube admission controller https://github.com/dlorenc/cosigned
-
Integration of sigstore with connaisseur (a kubernetes admission controller) https://blog.sigstore.dev/verify-oci-container-image-signatures-in-kubernetes-33663a9ec7d8 https://github.com/sse-secure-systems/connaisseur
-
sigstore with ambient credentials and workload identity https://dlorenc.medium.com/a-bit-of-ambiance-comes-to-sigstore-f80d1d6b1c30
-
Maven Central requires PGP signing for artifacts
- https://kotlinlang.org/docs/security.html
- https://github.com/junit-team/junit5/commit/729ffce00cfb57a08815f4e5844aa79230704cda
- https://docs.gradle.org/current/userguide/dependency_verification.html
https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
-
https://github.com/IBM/integrity-shield/tree/main/admission-controller
-
https://ibm.github.io/integrity-enforcer/README_OVERVIEW.html (need to investigate this)
-
https://cloud.redhat.com/blog/better-kubernetes-security-with-open-policy-agent-opa-part-1
-
https://cloud.redhat.com/blog/better-kubernetes-security-with-open-policy-agent-opa-part-2
- https://github.com/open-policy-agent/gatekeeper
- https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html/governance/governance#managing-gatekeeper-operator-policies
- https://github.com/kyverno/kyverno/
- https://docs.google.com/document/d/1d2Qm47wjjoyGDT8v3_ijB1Q4mGYV5cncAQoQniiR414/edit#heading=h.s8qsd3dl8lqi
- https://nirmata.com/2021/08/12/kubernetes-supply-chain-policy-management-with-cosign-and-kyverno/
- https://github.com/IBM/portieris
- https://www.ibm.com/cloud/blog/trusted-workloads-signing-container-images-in-your-kubernetes-workflow
Issue to track work on Deployment policies (i.e. admission controller to verify container image is signed)
- OWASP ZAP (open source tool)
https://owasp.org/www-project-zap/
- Burp suite (commercial paid product used by professional hackers)
- dvws-node
Damn Vulnerable Web Service (example web app of what not to do - contains many vulnerabilities)
https://github.com/snoopysecurity/dvws-node
- https://developer.ibm.com/learningpaths/secure-context-constraints-openshift/
- https://developer.ibm.com/learningpaths/secure-context-constraints-openshift/scc-tutorial/
- https://docs.openshift.com/container-platform/4.1/authentication/using-service-accounts-in-applications.html
- To disble the service account secrets being mounted into a pod
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.name }}
automountServiceAccountToken: false
The automountServiceAccountToken: false will ensure that the service account secret does not get mounted.
As a best practice, create a service account per app.
-
Helm Provenance and Integrity: https://helm.sh/docs/topics/provenance/#the-workflow
-
Integrating Helm into the sigstore project: https://medium.com/@sabre1041/integrating-helm-into-the-sigstore-project-d51564ea001f
-
Security in Development The IBM Secure Engineering Framework https://www.redbooks.ibm.com/redpapers/pdfs/redp4641.pdf
-
Thread modeling in the context of microservice architectures (Stride Model) https://developer.ibm.com/articles/threat-modeling-microservices-openshift-4/
-
GitHub deploy keys are more secure then github personal access tokens when used in a pipeline (jenkins, tekton etc.) https://docs.github.com/en/developers/overview/managing-deploy-keys
-
SLSA (pronounced Salsa) - Supply-chain Levels for Software Artifacts
-
OSS security scorecard
-
Container terminology https://developers.redhat.com/blog/2018/02/22/container-terminology-practical-introduction#
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent