SweetOps #security for February, 2019

Archive: https://archive.sweetops.com/security/

2019-02-11

Maciek Strömich

10:10:30 PM

https://seclists.org/oss-sec/2019/q1/119

oss-sec: CVE-2019-5736: runc container breakout (all versions) attachment image

2019-02-12

Erik Osterman (Cloud Posse)

06:21:47 AM

finally an official fork of bitly oauth2 proxy

Erik Osterman (Cloud Posse)

06:21:48 AM

https://github.com/pusher/oauth2_proxy

pusher/oauth2_proxy

A reverse proxy that provides authentication with Google, Github or other provider - pusher/oauth2_proxy

Erik Osterman (Cloud Posse)

06:22:02 AM

with fixes for OIDC support

2019-02-13

zadkiel

11:30:56 AM

It works well!

zadkiel

11:37:59 AM

the official stable chart has been updated to reflect that: https://github.com/helm/charts/tree/master/stable/oauth2-proxy not sure https://github.com/cloudposse/charts/tree/master/incubator/oauth2-proxy is still needed (it’s out of date)

helm/charts

Curated applications for Kubernetes. Contribute to helm/charts development by creating an account on GitHub.

cloudposse/charts

The “Cloud Posse” Distribution of Kubernetes Applications - cloudposse/charts

pecigonzalo

02:19:15 PM

Its a shame that buzzfeed/sso is so poorly documented

Erik Osterman (Cloud Posse)

06:47:08 PM

and doesn’t support OIDC, WebSockets or half the jazz of bitly’s proxy

pecigonzalo

10:09:41 AM

There is that as well

pecigonzalo

02:19:30 PM

because the idea of splitting the proxy part (so it can be used as sidecar) is really nice

pecigonzalo

02:19:48 PM

Im also looking at https://ory.sh but seems so young (oathkeeper)

ORY - Open Source OAuth2 and OpenID Connect Access Control & API Security

Implement OAuth 2.0 and OpenID Connect in minutes with open source from ORY. Works in both new and existing systems.

2019-02-14

2019-02-18

mbarrien

06:14:56 PM

I’ve been pretty active in getting http://github.com/pomerium/pomerium up and working, which is a fork of buzzfeed/sso with OIDC support (not my project, but have been contributing to it since I found it).

pomerium/pomerium

Pomerium is an identity-aware access proxy. Contribute to pomerium/pomerium development by creating an account on GitHub.

antonbabenko

06:28:14 PM

This is awesome! I’ve been looking for such tool because I don’t want to deal with VPN.

pomerium/pomerium

Pomerium is an identity-aware access proxy. Contribute to pomerium/pomerium development by creating an account on GitHub.

pecigonzalo

10:47:52 AM

Not sure pomerium is the full picture for zero-trust and no vpn. I particularly miss A) documentation B) where is this covered? “device state.”

2019-02-20

Maciek Strömich

07:28:16 PM

Yay https://coocoor.com/advisory/cve/CVE-2019-8912

CVE-2019-8912 attachment image

2019-02-26

Erik Osterman (Cloud Posse)

08:33:59 PM

https://www.lightbluetouchpaper.org/2019/02/26/struck-by-a-thunderbolt/

2019-02-27

Maciek Strömich

08:52:01 AM

https://snyk.io/blog/top-ten-most-popular-docker-images-each-contain-at-least-30-vulnerabilities/

we found that 44% of docker image scans had known vulnerabilities, and for which there were newer and more secure base image available. Most vulnerabilities originate in the base image you selected. For that reason, remediation should focus on base image fixes.

Maciek Strömich

08:52:10 AM

and https://snyk.io/blog/88-increase-in-application-library-vulnerabilities-over-two-years/

88% increase in application library vulnerabilities over two years | Snyk attachment image

A good number of security vulnerabilities are discovered and fixed in non-official channels. We measured Snyk DB to uncover 67% more vulnerabilities than public databases. In 2018, new disclosures for npm grew by 47%, and Maven Central grew by 27%