Aqua Blog
Experts insight, best practices and advice on cloud native security, trends, threat intelligence and compliance
Kubernetes CVE-2019-1002100

Mitigating the Kubernetes API Server Patch Permission DoS Vulnerability (CVE-2019-1002100)

A new medium severity vulnerability in the open source Kubernetes has been disclosed (CVE-2019-1002100) that can, if exploited, lead to a denial-of-service on the K8s API server, which in turn may lead to the cluster becoming inoperable.

The best mitigation is to remove the “patch” permissions from untrusted users, …

Continue reading ›
Securing-Serverless-Functions-blog-image

Securing Serverless Functions with Aqua

Serverless is generating significant interest and hype, backed up by real-world adoption, and creating a need for better security controls. I've been working with our customers to create the right approach and tooling to protect their FaaS environments ,and from this research, given the extremely short duration of …

Continue reading ›
Istio Security

Istio: Canary Deployments, Dynamic Routing & Tracing

In this series of blog posts we had an introduction to Istio, and an overview of its security features. This post completes the series with a look at how we can leverage Istio’s traffic control features to provide increased observability and control over the operation and deployment of our applications.

Continue reading ›
affecting RunC and Docker  BLOG 650_315

Mitigating High Severity RunC Vulnerability (CVE-2019-5736)

Yesterday it was disclosed that a new high severity (CVSS score 7.2) vulnerability (CVE-2019-5736) was found in runc, that allows an attacker to potentially compromise the container host. Patches are already available from most providers (see below). Aqua customers can also prevent this vulnerability from being …

Continue reading ›
Blog-image-Amazon-Firecracker-650x315.jpg

Amazon Firecracker: Isolating Serverless Containers and Functions

Infrastructure protection, sandboxed containers, MicroVM hypervisors– these are interchangeable terms describing emerging technologies to isolate micro-services from their underlying infrastructure. These isolation technologies aim to protect the underlying host that runs containers and functions against malicious …

Continue reading ›
featured_kubesec_blog.png

Impressions from KubeSec, The First Enterprise Kubernetes Security Summit

On Monday, “day 0” of this year’s KubeCon/CloudNativeCon, we held our first KubeSec Enterprise Summit event, co-located with KubeCon under the auspices of the CNCF. Aqua hosted the event together with our partners Red Hat and AWS. The event was over-subscribed, and we had to make special allowance for late …

Continue reading ›
Istio-Security_BLOG650_315.png

Istio Security: Zero-Trust Networking

This is the second in our series of blog posts on Istio, and will focus on Istio’s security features: what they are, how they work and how they help protect your workloads and your data.

Building, deploying and maintaining secure, cloud native software requires multiple overlapping solutions at different stages of …

Continue reading ›
Severe-Privilege--BLOG-650_315.png

Severe Privilege Escalation Vulnerability in Kubernetes (CVE-2018-1002105)

Earlier this week, a severe vulnerability in Kubernetes (CVE-2018-1002105) was disclosed that allows an unauthenticated user to perform privilege escalation and gain full admin privileges on a cluster. The CVE was given the high severity score of 9.8 (out of 10) and it affects all Kubernetes versions from 1.0 …

Continue reading ›
Kubernetes security

Enterprise Kubernetes Security at KubeCon + CloudNativeCon

KubeCon + CloudNativeCon North America is just around the corner, and looks like it is going to break attendance records, becoming the largest gathering of the Kubernetes and cloud native community ever!

Such massive adoption by large organizations in their production deployments, brings with it security and …

Continue reading ›
Amazon-ECS-Workloads-On-Demand-BLOG650_315_S.png

How to Secure Amazon ECS Workloads On Demand

In support of Amazon’s announcement this week at re:Invent surrounding the new AWS Container Marketplace, we’ve made the Aqua Container Security Platform available for on-demand consumption (pay as you go), via the newly minted AWS Container category in the Marketplace. 

We have several new listings in the AWS …

Continue reading ›
Serverless functions risk

Serverless Security: The Importance of FaaS Risk Assessment

In my previous blog, I discussed the serverless services spectrum and the unique security considerations of serverless functions. In this post, I’d like to elaborate on the importance of preliminary risk assessment checks and their contribution to an effective security strategy, based on lessons learned in …

Continue reading ›