Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

In the first part of this blog post, we setup SSL/TLS for a MySQL database, using the built in self-signed certificates. The main problem using out of the box self-signed certificates is that clients can't verify that they're talking to the right database host, and it's not possible to verify the certificate chain. In this post we'll cover upgrading the client connection to VERIFY_IDENTITY and how to use Machine ID to continuously renew certificates.

Transport Layer Security is a security protocol used for facilitating seamless and safe communication between servers and web browsers. Put it his way, TLS encrypts data so that only the intended recipient and the sender can access it. Currently, TLS 1.2 and TLS 1.3 are the most commonly used TLS versions. After some major upgrades, TLS’s 1.3 version has emerged as one of the most extensively used and the safest security protocols for websites that need a high-end encryption service.

The Center for Internet Security’s Critical Security Controls has become an industry standard set of controls for securing the enterprise. Now on version 8, the original 20 controls are down to 18 with several sub controls added. The first six basic controls can prevent 85 percent of the most common cyber attacks, and even though the controls have been developed with traditional data centers and process in mind, there is no reason they can’t be adapted to DevOps practices.

Kubernetes is the de-facto container management platform of today and the future. It has increased the scalability and flexibility of applications and eliminated vendor lock-in. Kubernetes also brings a lot of security native features; however, with security, the devil is always in the details. By default, the security of cloud services, applications, and infrastructure is not in the scope of Kubernetes. This does not mean that running Kubernetes is destructive and makes your applications vulnerable.

Microsoft SQL Server is a popular relational database management system created and maintained by Microsoft. It’s effective in numerous use cases: storage and retrieval of data as part of a DBMS, transaction processing and analytics applications. However, there are some essential measures you must take to protect your database from cybercriminals and security breaches, as the default security settings are relatively insufficient to keep your database safe.

Snyk’s Senior Product Marketing Manager, Frank Fischer, recently hosted a webinar about the value in using a developer security platform to secure code, dependencies, containers, and infrastructure as code (IaC). During this talk, Fischer discussed the shift in software security that has occurred over the past decade, the need for developers to take part in the security process, and the value of Snyk in securing the entire development lifecycle.

Open Policy Agent (OPA) is widely used to provide security and compliance policy guardrails for Kubernetes. The built-in role-based access controls in Kubernetes are not sufficient for fine-grained policy. OPA is a proven solution for implementing strong, granular policy checks for cluster resources during Admission Control. OPA users implement fine-grained policy in the form of rules written in Rego, the declarative policy language of OPA.

Cross-cluster migration of Kubernetes workloads continues to be challenging since workloads are isolated from each other by design. There are several reasons why you may want to separate your workloads, whether it is to reduce complexity or to have the cluster closer to the user base. However, this can be complex as Kubernetes has many components.

Shifting security left means preventing developers from using unacceptably vulnerable software supply chain components as early as possible: before their first build. By helping assure that no build is ever created using packages with known vulnerabilities, this saves substantial remediation costs in advance. Some JFrog customers restrict the use of open source software (OSS) packages to only those that have been screened and approved by their security team.