By Reuven Harrison
The REST API architecture, which originated in Roy Fielding’s dissertation from the year 2000, is still the most common API architecture 21 years later, although quite a few alternatives have emerged since, including GraphQL from Facebook, gRPC from Google and Vulcain, which looks promising.
The OpenAPI Specification (OAS) is a standard for documenting REST APIs; it is an evolution of the earlier Swagger standard. Here’s a small example:
info:
  title: Tufin
  version: 1.0.0
openapi: 3.0.3
paths:
  /api/audit:
    get:
      parameters:
        - in: query
          name: limit
          required: true
          schema:
            description: Non-negative integers (including zero)
            example: '1000'
            format: non-negative integer
            pattern…
By Effi Bar-She’an
Envoy is a L7 proxy and communication bus designed for large modern service-oriented architectures.
Envoy can be used to monitor and control HTTP connections. One way to do this is with the Lua scripting language, for example to intercept requests and responses. Another option is a WebAssembly (WASM) plugin.
As Golang developers, we can develop our WASM plugin using the Go SDK.
Let’s write and run an Envoy proxy with a WASM extension written in Go :-)
First, you need to install Envoy:
$ brew update
$ brew install envoy
Note that, alternatively, you can work…
By Reuven Harrison
Hashing is an algorithm that generates a fixed-length string from an input.
There are many different hash algorithms with different properties, for example, SHA-256.
You can use openssl to generate a SHA-256 hash:
echo -n 'secret' | openssl dgst -sha256
The output is the hash:
2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b
Hashes have a special property: they are easy to compute but difficult to reverse. Given the hash above, it is difficult to find its origin, “secret”.
This makes hashes a good method to verify passwords: Rather than storing the password itself and risking it being stolen, you store the password’s hash and…
By Reuven Harrison
Creating a tree in go is easy with the built-in map type:
type Tree map[string]Tree
If you want a richer node type you can use a struct as the key:
type TreeNode struct {
    Name string
    Data int
}

type Tree map[TreeNode]Tree
And for complex nodes (Go requires map keys to be comparable), you can always use a pointer:
type Tree map[*regexp.Regexp]Tree
Printing the tree may be useful for debugging and reporting, so I created a small Go module to print an ASCII tree from any map-based tree in Go. The output looks like this:
├ root1…
By Effi Bar-She’an
Analyzing files in an AWS S3 bucket is a common task, with many examples available on the Internet; however, doing it in a way that enables unit tests is somewhat of a mystery.
So here’s a complete example of a golang client that:
And, it is testable!
Let’s take a look at what the client looks like:
tufin.NewScanner("us-east-2", ".").Scan("my-bucket", func(file *os.File) {
    log.Info(file.Name())
})
The constructor accepts an AWS region and a local…
By Effi Bar-She’an and Reuven Harrison
Say you’re a DevOps or security manager and you want to make sure some or maybe all of your pods use Tor or some other proxy as an egress gateway.
There are three ways to instruct a client to use a proxy:
1. Set the HTTP_PROXY environment variable:
$ export HTTP_PROXY="http://ProxyIP:ProxyPort"
The HTTP_PROXY environment variable will be used as the proxy URL for HTTP requests and HTTPS requests, unless overridden by HTTPS_PROXY or NO_PROXY.
2. Explicitly instructing the HTTP client to use a proxy. Here’s an example in golang:
proxy, _ := url.Parse("http://ProxyIP:ProxyPort")
httpClient…
By Michael Furman, Tufin Security Architect.
Google recently decided to roll out a new Chrome update with a new cookie policy that makes their browser more secure. This update includes two important changes to cookies that specifically relate to the SameSite Cookie attribute. These changes are also going to be enforced by all other major browsers.
So what are these changes?
Previously:
After the policy change:
By Reuven Harrison
Last week I met with the head of security and compliance of a large IT shop in Europe. The topic was how to transition their traditional IT to the cloud. My counterpart had concerns so I guessed he had already tried moving to the cloud and failed or simply understood the risks and knew that the stakes were high.
As I’ve been in his shoes in the past, I knew where he could go wrong. …
Remember to enable a CNI that supports network policies when deploying the cluster!
By Reuven Harrison
The Kubernetes API server is a central component of Kubernetes. It allows cluster admins and other clients to manage and monitor the cluster through a rich set of APIs that can fetch and update the cluster state. It is therefore essential to secure the API server against attack. This post discusses network-level protection mechanisms that you can apply to the API server. For application-level protection (authn, authz and more) see this article.
The API server runs on a dedicated node called the Kubernetes Master. A cluster may have one or more such masters.
On some Kubernetes platforms…
From the Security Policy Company. This blog is dedicated to cloud-native topics such as Kubernetes, cloud security and micro-services.