Nginx Ingress: The Security Hero We Need!

I love Nginx Ingress! It is a very powerful Kubernetes Ingress, with so many capabilities. But I think it does not get enough appreciation in the AppSec world. Just by using Nginx Ingress, you could get so many security features almost for free. And even better, you can enable them once, and every workload in the cluster will have them! For example, you can monitor and chase after developers to enable security headers. Or just do it once, test it once, and forget. That’s it. An entire class of bugs doesn’t exist anymore. Isn’t that exciting? Let’s see what else Nginx Ingress can do for us!

Killing Classes of Bugs with Refined Types

A lot of application security defences and mitigations fall into validation and sanitization. Many nasty bugs like XSS, SQLi, command injection, etc. can be avoided by just doing good input validation. The problem is that input validation is boring, and sometimes pretty complex too. But it doesn’t have to be that way, and this is where using a language like Scala can help us out. Let’s see how!

AppSec Learning SRE principles: Metrics and Measurements

The field of SRE (site reliability engineering) is relatively mature, and there is a lot written about it. In particular, Google released a really good book discussing how SRE works at Google. What can we, AppSec engineers (ASE?), learn from SRE principles to improve our field? Today I want to focus on one aspect: metrics and measurements, something that is my personal focus right now. What metrics do SREs define and measure, and can we define something similar?

What’s inside the box?

In the last two weeks, I was working on releasing the first OSS release of Kamus, a secret management solution for Kubernetes. To release Kamus, I had to publish a few Docker images to Docker Hub and the CLI, which is deployed as an NPM package. This was the first time I had to deal with deploying packages to a repository. Going through this process made me think a lot about the (in)security of this process, and I want to share these thoughts with you. It all sums up to one small question: what’s inside the box? Do you know what you install when you download a package from a repository?