By Effi Bar-She’an and some other guy

Steps:

  1. Writing a Golang UDP server
  2. Testing our UDP server using netcat (nc), a utility for reading from and writing to network connections over UDP (or TCP)
  3. Configuring and running nginx to send access logs to our Golang server
  4. Creating a custom access-log format
  5. Parsing the access-log JSON sent from nginx

Writing a Go UDP server

package main

import (
	"context"
	"net"
	"os"

	log "github.com/sirupsen/logrus"
)

func main() {
	if err := serve(context.Background(), ":6060"); err != nil {
		os.Exit(1)
	}
}

// serve is capable of answering a single client at a time
func serve(ctx context.Context, address string) error {…


By Reuven Harrison

tl;dr oasdiff is a tool for comparing OpenAPI Specifications; also a Go module.

OpenAPI Specification (previously known as Swagger) is a standard for documenting REST APIs. Here’s a small example:

info:
  title: Tufin
  version: 1.0.0
openapi: 3.0.3
paths:
  /api/audit:
    get:
      parameters:
      - in: query
        name: limit
        required: true
        schema:
          description: Non-negative integers
          example: '1000'
          format: non-negative integer
          pattern: '^(?:\d+)$'
          type: integer
      responses:
        '200':
          description: OK

While working with OpenAPI, we needed to track API changes. We found some diff tools but they ignored certain kinds of changes, for example, there was no indication of schema changes. …


By Effi Bar-She’an

Envoy is an L7 proxy and communication bus designed for large, modern service-oriented architectures.

Envoy can be used to monitor and control HTTP connections. One way to do this is with the Lua scripting language, for example to intercept requests and responses. Another option is a WebAssembly (WASM) plugin.

As Golang developers, we can develop our WASM plugin using the Go SDK.

Let’s write and run an Envoy proxy with a WASM extension written in Go :-)

First, you need to install Envoy:

$ brew update
$ brew install envoy

Note that, alternatively, you can work…


By Reuven Harrison

Hashing is an algorithm that generates a fixed-length string from an input.

There are many different hash algorithms with different properties, for example, SHA-256.

You can use openssl to generate a SHA-256 hash:

echo -n 'secret' | openssl dgst -sha256

The output is the hash:

2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b

Hashes have a special property: they are easy to compute but difficult to reverse. Given the hash above, it is difficult to find its origin, “secret”.

This makes hashes a good method to verify passwords: Rather than storing the password itself and risking it being stolen, you store the password’s hash and…


By Reuven Harrison

Creating a tree in go is easy with the built-in map type:

type Tree map[string]Tree

If you want a richer node type you can use a struct as the key:

type TreeNode struct {
	Name string
	Data int
}

type Tree map[TreeNode]Tree

And for complex nodes (go requires map keys to be comparable), you can always use a pointer:

type Tree map[*regexp.Regexp]Tree

Printing the tree may be useful for debugging and reporting so I created a small go module to print an ASCII tree from any map-based tree in go. The output looks like this:

├ root1…


By Effi Bar-She’an

Analyzing files in an AWS S3 bucket is a common task, and many examples of doing so are available on the Internet; however, doing it in a way that enables unit tests is somewhat of a mystery.

So here’s a complete example of a golang client that:

  1. Downloads each file from an S3 bucket to a local filesystem
  2. Does some work
  3. Deletes the temporary file from your filesystem

And, it is testable!

Let’s take a look at what the client looks like:

tufin.NewScanner("us-east-2", ".").Scan("my-bucket", func(file *os.File) {
	log.Info(file.Name())
})

The constructor accepts an AWS region and a local…


By Effi Bar-She’an and Reuven Harrison

Say you’re a DevOps or a security manager and you want to make sure some or maybe all of your pods use Tor or some other proxy as an egress gateway.

There are three ways to instruct a client to use a proxy:

1. Set the HTTP_PROXY environment variable:

$ export HTTP_PROXY="http://ProxyIP:ProxyPort"

The HTTP_PROXY environment variable will be used as the proxy URL for HTTP and HTTPS requests, unless overridden by HTTPS_PROXY or NO_PROXY.

2. Explicitly instructing the HTTP client to use a proxy. Here’s an example in golang:

proxy, _ := url.Parse("http://ProxyIP:ProxyPort")
httpClient…


By Michael Furman, Tufin Security Architect.

Google recently decided to roll out a new Chrome update with a new cookie policy that makes their browser more secure. This update includes two important changes to cookies that specifically relate to the SameSite Cookie attribute. These changes are also going to be enforced by all other major browsers.

So what are these changes?

Previously:

  • The SameSite Cookie attribute had two settings: Strict and Lax.
  • There was no default setting.

After the policy change:

  • The SameSite Cookie attribute has a third setting: None.
  • The SameSite cookie attribute is now Lax by default —…


By Reuven Harrison

Last week I met with the head of security and compliance of a large IT shop in Europe. The topic was how to transition their traditional IT to the cloud. My counterpart had concerns so I guessed he had already tried moving to the cloud and failed or simply understood the risks and knew that the stakes were high.

As I’ve been in his shoes in the past, I knew where he could go wrong. …


By Reuven Harrison

Remember to enable a CNI that supports network policies when deploying the cluster!

  1. The default Kubernetes policy is “any-any-any allow”, so every namespace should have a deny-all policy to correct this insecure default
  2. No service should allow incoming traffic from external IPs unless it has a load-balancer or ingress attached to it
  3. Services with a load-balancer or ingress should only allow access from the load-balancer IPs:
    - GKE: 130.211.0.0/22 and 35.191.0.0/16
    - EKS: 143.231.0.0/16
    - AKS: ?
  4. Services should only accept traffic on the protocol/port that is served by their pods.

Tufin

From the Security Policy Company. This blog is dedicated to cloud-native topics such as Kubernetes, cloud security and micro-services.
