By Reuven Harrison
The REST API architecture which originated from Roy Fielding’s dissertation from year 2000 is still the most common API architecture, 21 years later, although quite a few alternatives have emerged since, including GraphQL from Facebook, gRPC from Google and Vulcain which looks promising.
OpenAPI Specification (OAS) is a standard for documenting REST APIs, it is actually an evolution from the previous Swagger standard. Here’s a small example:
info: title: Tufin version: 1.0.0 openapi: 3.0.3 paths: /api/audit: get: parameters: - in: query name: limit required: true schema: description: Non-negative integers (including zero) example: '1000' format: non-negative integer pattern…By Effi Bar-She’an
Envoy is a L7 proxy and communication bus designed for large modern service-oriented architectures.
Envoy can be used to monitor and control HTTP connections. One way to do this is using the Lua scripting language, for example to intercept requests and responses. Another option, is using a Web Assembly (WASM) plugin.
As Golang developers, we can develop our WASM plugin using Go SDK.
Let’s write and run an Envoy proxy with a WASM extension written in Go :-)
First, you need to install Envoy:
$ brew update
$ brew install envoyNote, that alternatively you can work…
By Reuven Harrison
Hashing is an algorithm that generates a fixed-length string from an input.
There are many different hash algorithms with different properties, for example, SHA-256.
You can use openssl to generate a SHA-256 hash:
echo -n 'secret' | openssl dgst -sha256The output is the hash:
2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25bHashes have a special property: they are easy to compute but difficult to reverse: given the hash above, it difficult to find its origin, “secret”.
This makes hashes a good method to verify passwords: Rather than storing the password itself and risking it being stolen, you store the password’s hash and…
By Reuven Harrison
Creating a tree in go is easy with the built-in map type:
type Tree map[string]TreeIf you want a richer node type you can use a struct as the key:
type TreeNode struct {
Name string
Data int
}type Tree map[TreeNode]Tree
And for complex nodes (go requires map keys to be comparable), you can always use a pointer:
type Tree map[*regexp.Regexp]TreePrinting the tree may be useful for debugging and reporting so I created a small go module to print an ASCII tree from any map-based tree in go. The output looks like this:
├ root1…By Effi Bar-She’an
Analyzing files on an AWS S3 bucket is a common task with many examples for doing so available on the Internet, however, doing it in a way that enables unit tests, is somewhat of a mystery.
So here’s a complete example of a golang client that:
- Downloads each file from an S3 bucket to a local filesystem
- Does some work
- Deletes the temporary file from your filesystem
And, it is testable!
Let’s take a look at what the client looks like:
tufin.NewScanner("us-east-2", ".").Scan("my-bucket", func(file *os.File) {
log.Info(file.Name())
})The constructor accepts an AWS region and a local…
By Effi Bar-She’an and Reuven Harrison
Say you’re a DevOps or a security manager and you want to make sure
some or maybe all of your pods use Tor or some other proxy as an egress gateway.
There are three ways to instruct a client to use a proxy:
1. Set the HTTP_PROXY environment variable:
$ export HTTP_PROXY="http://ProxyIP:ProxyPort"HTTP_PROXY environment variable will be used as the proxy URL for HTTP requests and HTTPS requests, unless overridden by HTTPS_PROXY or NO_PROXY
2. Explicitly instructing the HTTP client to use a proxy. Here’s an example in golang:
proxy, _ := url.Parse("http://ProxyIP:ProxyPort") httpClient…By Michael Furman, Tufin Security Architect.
Google recently decided to roll out a new Chrome update with a new cookie policy that makes their browser more secure. This update includes two important changes to cookies that specifically relate to the SameSite Cookie attribute. These changes are also going to be enforced by all other major browsers.
So what are these changes?
Previously:
- The SameSite Cookie attribute had two settings: Strict and Lax.
- There was no default setting.
After the policy change:
- The SameSite Cookie attribute has a third setting: None.
- The SameSite cookie attribute is now Lax by default —…
By Reuven Harrison
Last week I met with the head of security and compliance of a large IT shop in Europe. The topic was how to transition their traditional IT to the cloud. My counterpart had concerns so I guessed he had already tried moving to the cloud and failed or simply understood the risks and knew that the stakes were high.
As I’ve been in his shoes in the past, I knew where he could go wrong. …
By Reuven Harrison
For starters:
Remember to enable a CNI that supports network policies when deploying the cluster!
A good policy should restrict ingress access:
- The default Kubernetes policy is “any-any-any allow” so every namespace should have a deny all policy to correct this insecure default
- No service should allow incoming traffic from external IPs unless it has a load-balancer or ingress attached to it
- Services with a load-balancer or ingress should only allow access from the load-balancer IPs:
- GKE: 130.211.0.0/22 and 35.191.0.0/16
- EKS: 143.231.0.0/16
- AKS: ? - Services should only accept traffic on the protocol/port that is served by its pods. …
By Reuven Harrison
The Kubernetes API server is a central component of Kubernetes. It allows cluster admins and other clients to manage and monitor the cluster through a rich set of APIs that can fetch and update the cluster state. It is therefore essential to secure the API server against attack. This post discusses network-level protection mechanisms that you can apply to the API server. For application-level protection (authn, authz and more) see this article.
Where Does the API Server Run?
The API server runs on a dedicated node called the Kubernetes Master. A cluster may have one or more such masters.
On some Kubernetes platforms…
Tufin
From the Security Policy Company. This blog is dedicated to cloud-native topics such as Kubernetes, cloud security and micro-services.
