Docker and container security are broad problem spaces and there are many low hanging fruits one can harvest to mitigate risks. A good starting point is to follow some best practices when writing Dockerfiles. I’ve compiled a list of common docker security issues and how to avoid them. For every issue I’ve also written an Open Policy Agent (OPA) rule ready to be used to statically analyze your Dockerfiles with conftest. You can’t shift more left than this! You can find the .rego rule set...| Cloudberry Engineering
At Spotify, we actively manage more than 800 Google Cloud Platform projects. As such, maintaining a proper security posture at scale has proven to be a challenging task. In an effort to seamlessly audit and strengthen the security stance of our massive cloud infrastructure, we are investing various resources into building our own tools and methodologies.| cloudberry.engineering
I’ve spent a good year working on a security strategy to manage multi-cloud environments, in this article I want to share what I wish we did in advance to be better prepared.| cloudberry.engineering
Using Apps Script for scripting GSuite / Google Workplace will generate Google Cloud Platform (GCP) projects in the background.| cloudberry.engineering
Securing containers is a complex task. The problem space is broad, vendors are on fire, there are tons of checklists and best practices and it’s hard to prioritize solutions. So if you had to implement a container security strategy where would you start?| cloudberry.engineering
Identity and Access Management (IAM) is an important piece of the cloud puzzle and it’s usually a source of headaches from a security point of view. Let’s try to give some pointers from a blue team perspective. If you are a security team that just inherited a bunch of Google Cloud Platform (GCP) accounts, this guide is for you.| cloudberry.engineering
A constant source of pain in Google Cloud Platform (GCP) and everywhere else is the amount of unmaintained resources: idle virtual machines, old buckets, IAM policies, DNS records and so on. They contribute to the attack surface and the chance of a vulnerability increase with time. Shutting off resources is a such a low hanging fruit from a risk perspective that as a security engineer you should make it a daily habit. After all the most secure computer is the one that’s been turned off!| cloudberry.engineering
Public cloud providers share some security responsibility with their customers. This means that as a security practitioner, what you should take into account in your threat model is going to be different in the cloud than on premise environments.| cloudberry.engineering
Service Accounts in Google Cloud Platform (GCP) are the main vector to hack an account: it’s easy to use them wrong and end up with a compromised key and a lot of headaches.| cloudberry.engineering
I’ve built a directory of open source cloud security tools.| cloudberry.engineering
In the context of incident response lateral movement is how attackers are able to penetrate deeper inside a system. Understanding this concept is critical to contain an ongoing breach.| cloudberry.engineering
Google Cloud Registry (GCR) is the Docker container registry offered by Google Cloud Platform (GCP). Under the hood it’s an interface on top of Google Cloud Storage (GCS), and it’s so thin that access control is entirely delegated to the storage layer.| cloudberry.engineering
Securing our Cloud infrastructure is incredibly important. We are now taking another step forward by leveraging open source tools we developed in partnership with Google.| cloudberry.engineering