Striving to become a master Go/Cloud developer; Father ๐จโ๐งโ๐ฆ; ๐ค/((Full Stack Web|Unity3D) + Developer)/g; Science supporter ๐ฉโ๐ฌ; https://coder.today
Securing a container is not an easy task, you need some Linux Admin knowledge. Also as a technology is not so secure, from what I know the cloud providers runs them in VMs for further protection.
But like the article says, the biggest issue are the users, what apps they put in there and what images they use.
We already know that the weakest link in security are the humans so why containers would be any different :( :)
I am a Developer Advocate for Security in Mobile Apps and APIs at approov.io.
Another passion is the Elixir programming language that was designed to be concurrent, distributed and fault tolerant.
Location
Scotland
Education
Self teached Developer
Work
Developer Advocate for Mobile and API Security at approov.io
With containers the security of what is running inside of them may have declined because Developers are now tasked with something that shouldn't be for them to do... at least in a professional level.
Infrastructure is not for developers, but for DevOps, thus the later ones should be the ones creating the Container Stack to be used across development and production.
Trying to be the jack of all ends up in being the Jack of none and in the end Security is sacrificed, because no one can be the master of all.
NOTE:
Thanks for the link, but please next time put (pdf) so that we know we are opening a potential dangerous target... don't trust blindly in PDF's.
Striving to become a master Go/Cloud developer; Father ๐จโ๐งโ๐ฆ; ๐ค/((Full Stack Web|Unity3D) + Developer)/g; Science supporter ๐ฉโ๐ฌ; https://coder.today
I agree, me as a Dev I rely on the devops to do those stuff for me and fix/consult if I did a mistake. I happen to know few more things because I have a passion for these sort of things (cloud, docker..) but is not my call to decide in the end.
PDF's can harm the browser? I presume some attacks can happen if opened by a full-capable reader, but I think the browser is limited, or not?
I am a Developer Advocate for Security in Mobile Apps and APIs at approov.io.
Another passion is the Elixir programming language that was designed to be concurrent, distributed and fault tolerant.
Location
Scotland
Education
Self teached Developer
Work
Developer Advocate for Mobile and API Security at approov.io
Well any site you visit can exploit vulnerabilities in the browser to compromise your computer. So always suspect of sites that keep spinning after all content have been loaded.
Imho DevOps is not a role, DevOps is a culture and mindset - therefore it is for developers.
But people should receive the proper training and get enabled to keep security in mind - at best in a automated way... There are so many tools for ci/cd pipelines that take care of open ports, fuzzing input, container security....
I am a Developer Advocate for Security in Mobile Apps and APIs at approov.io.
Another passion is the Elixir programming language that was designed to be concurrent, distributed and fault tolerant.
Location
Scotland
Education
Self teached Developer
Work
Developer Advocate for Mobile and API Security at approov.io
I know that DevOps should be known as a culture but in practice as become a role category, let's say it is like the SysAdmin of the Cloud. We just need to take a look to job posts to see that DevOps is seen by the majority as role.
While everyone is pushing to the developer the responsibility of the infrastructure that is a huge mistake that is later paid with security holes, despite any software you put on it.
Developers time should be spent in solving the business problem they have been tasked with, not figuring out the infrastructure, because if they have to do it they will just try to make it work... and we all know how it end ups when the developer only tries to make it work.
Well you hit 2 fine nerves
But like the article says, the biggest issue are the users, what apps they put in there and what images they use.
We already know that the weakest link in security are the humans so why containers would be any different :( :)
With containers the security of what is running inside of them may have declined because Developers are now tasked with something that shouldn't be for them to do... at least in a professional level.
Infrastructure is not for developers, but for DevOps, thus the later ones should be the ones creating the Container Stack to be used across development and production.
Trying to be the jack of all ends up in being the Jack of none and in the end Security is sacrificed, because no one can be the master of all.
NOTE:
Thanks for the link, but please next time put (pdf) so that we know we are opening a potential dangerous target... don't trust blindly in PDF's.
I agree, me as a Dev I rely on the devops to do those stuff for me and fix/consult if I did a mistake. I happen to know few more things because I have a passion for these sort of things (cloud, docker..) but is not my call to decide in the end.
PDF's can harm the browser? I presume some attacks can happen if opened by a full-capable reader, but I think the browser is limited, or not?
Well any site you visit can exploit vulnerabilities in the browser to compromise your computer. So always suspect of sites that keep spinning after all content have been loaded.
Regarding PDF's exploits see this article
Imho DevOps is not a role, DevOps is a culture and mindset - therefore it is for developers.
But people should receive the proper training and get enabled to keep security in mind - at best in a automated way... There are so many tools for ci/cd pipelines that take care of open ports, fuzzing input, container security....
I know that DevOps should be known as a culture but in practice as become a role category, let's say it is like the SysAdmin of the Cloud. We just need to take a look to job posts to see that DevOps is seen by the majority as role.
While everyone is pushing to the developer the responsibility of the infrastructure that is a huge mistake that is later paid with security holes, despite any software you put on it.
Developers time should be spent in solving the business problem they have been tasked with, not figuring out the infrastructure, because if they have to do it they will just try to make it work... and we all know how it end ups when the developer only tries to make it work.
If the devs produce software that is full with security issues - it has a business impact. just not a positive one ;)