Cloud Native Security

Book description

Explore the latest and most comprehensive guide to securing your Cloud Native technology stack 

Cloud Native Security delivers a detailed study of minimizing the attack surfaces found on today’s Cloud Native infrastructure. Throughout the work, hands-on examples walk through mitigating threats and the areas of concern that need to be addressed. The book contains the information that professionals need in order to build a diverse mix of the niche knowledge required to harden Cloud Native estates.

The book begins with more accessible content about understanding Linux containers and container runtime protection before moving on to more advanced subject matter like advanced attacks on Kubernetes. You’ll also learn about: 

  • Installing and configuring multiple types of DevSecOps tooling in CI/CD pipelines 
  • Building a forensic logging system that can provide exceptional levels of detail, suited to busy containerized estates 
  • Securing the most popular container orchestrator, Kubernetes 
  • Hardening cloud platforms and automating security enforcement in the cloud using sophisticated policies 

Perfect for DevOps engineers, platform engineers, security professionals and students, Cloud Native Security will earn a place in the libraries of all professionals who wish to improve their understanding of modern security challenges. 

Table of contents

  1. Cover
  2. Title Page
  3. Introduction
    1. Meeting the Challenge
    2. A Few Conventions
    3. Companion Download Files
    4. How to Contact the Publisher
  4. Part I: Container and Orchestrator Security
    1. CHAPTER 1: What Is A Container?
      1. Common Misconceptions
      2. Container Components
      3. Kernel Capabilities
      4. Other Containers
      5. Summary
    2. CHAPTER 2: Rootless Runtimes
      1. Docker Rootless Mode
      2. Running Rootless Podman
      3. Summary
    3. CHAPTER 3: Container Runtime Protection
      1. Running Falco
      2. Configuring Rules
      3. Summary
    4. CHAPTER 4: Forensic Logging
      1. Things to Consider
      2. Salient Files
      3. Breaking the Rules
      4. Key Commands
      5. The Rules
      6. Parsing Rules
      7. Monitoring
      8. Ordering and Performance
      9. Summary
    5. CHAPTER 5: Kubernetes Vulnerabilities
      1. Mini Kubernetes
      2. Options for Using kube-hunter
      3. Container Deployment
      4. Inside Cluster Tests
      5. Minikube vs. kube-hunter
      6. Getting a List of Tests
      7. Summary
    6. CHAPTER 6: Container Image CVEs
      1. Understanding CVEs
      2. Trivy
      3. Exploring Anchore
      4. Clair
      5. Summary
  5. Part II: DevSecOps Tooling
    1. CHAPTER 7: Baseline Scanning (or, Zap Your Apps)
      1. Where to Find ZAP
      2. Baseline Scanning
      3. Scanning Nmap's Host
      4. Adding Regular Expressions
      5. Summary
    2. CHAPTER 8: Codifying Security
      1. Security Tooling
      2. Installation
      3. Simple Tests
      4. Example Attack Files
      5. Summary
    3. CHAPTER 9: Kubernetes Compliance
      1. Mini Kubernetes
      2. Using kube-bench
      3. Troubleshooting
      4. Automation
      5. Summary
    4. CHAPTER 10: Securing Your Git Repositories
      1. Things to Consider
      2. Installing and Running Gitleaks
      3. Installing and Running GitRob
      4. Summary
    5. CHAPTER 11: Automated Host Security
      1. Machine Images
      2. Idempotency
      3. Secure Shell Example
      4. Kernel Changes
      5. Summary
    6. CHAPTER 12: Server Scanning With Nikto
      1. Things to Consider
      2. Installation
      3. Scanning a Second Host
      4. Running Options
      5. Command-Line Options
      6. Evasion Techniques
      7. The Main Nikto Configuration File
      8. Summary
  6. Part III: Cloud Security
    1. CHAPTER 13: Monitoring Cloud Operations
      1. Host Dashboarding with NetData
      2. Cloud Platform Interrogation with Komiser
      3. Summary
    2. CHAPTER 14: Cloud Guardianship
      1. Installing Cloud Custodian
      2. More Complex Policies
      3. IAM Policies
      4. S3 Data at Rest
      5. Generating Alerts
      6. Summary
    3. CHAPTER 15: Cloud Auditing
      1. Runtime, Host, and Cloud Testing with Lunar
      2. AWS Auditing with Cloud Reports
      3. CIS Benchmarks and AWS Auditing with Prowler
      4. Summary
    4. CHAPTER 16: AWS Cloud Storage
      1. Buckets
      2. Native Security Settings
      3. Automated S3 Attacks
      4. Storage Hunting
      5. Summary
  7. Part IV: Advanced Kubernetes and Runtime Security
    1. CHAPTER 17: Kubernetes External Attacks
      1. The Kubernetes Network Footprint
      2. Attacking the API Server
      3. Attacking etcd
      4. Attacking the Kubelet
      5. Summary
    2. CHAPTER 18: Kubernetes Authorization with RBAC
      1. Kubernetes Authorization Mechanisms
      2. RBAC Overview
      3. RBAC Gotchas
      4. Auditing RBAC
      5. Summary
    3. CHAPTER 19: Network Hardening
      1. Container Network Overview
      2. Restricting Traffic in Kubernetes Clusters
      3. CNI Network Policy Extensions
      4. Summary
    4. CHAPTER 20: Workload Hardening
      1. Using Security Context in Manifests
      2. Mandatory Workload Security
      3. PodSecurityPolicy
      4. PSP Alternatives
      5. Summary
  8. Index
  9. Copyright
  10. About the Authors
  11. About the Technical Editor
  12. End User License Agreement

Product information

  • Title: Cloud Native Security
  • Author(s): Chris Binnie, Rory McCune
  • Release date: August 2021
  • Publisher(s): Wiley
  • ISBN: 9781119782230