TL;DR-style notes from articles I read today.
3 steps toward improving container security
- Vet the use of code from online sources. Use discovery tools to manage and scale up containers securely with runtime protection.
- Focus on how you build access rules and permissions. Understand from day one the level of granularity you need in order to build them.
- Harden the container host with policies to prevent resource abuse. Use access control groups, and run containers with read-only images.
- Secure content inside containers by limiting Linux OS features running within it.
- Enforce image source integrity protection to track content changes and determine who made them.
Full post here, 5 mins read
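As an added example (not from the linked article), here is one way to check the host-hardening and "limit Linux OS features" points against `docker inspect` output. The sample JSON and container names are constructed, and it assumes the notes' control groups mean cgroup resource limits and read-only images mean a read-only root filesystem; the risky-capability list is an assumed policy choice.

```python
import json

# Constructed sample: trimmed `docker inspect` output for two hypothetical containers.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/web-hardened",
   "HostConfig": {"ReadonlyRootfs": true, "Privileged": false,
                  "Memory": 268435456, "PidsLimit": 100,
                  "CapDrop": ["ALL"], "CapAdd": ["NET_BIND_SERVICE"]}},
  {"Name": "/web-default",
   "HostConfig": {"ReadonlyRootfs": false, "Privileged": false,
                  "Memory": 0, "PidsLimit": null,
                  "CapDrop": null, "CapAdd": ["SYS_ADMIN"]}}
]
""")

# Capabilities treated as too broad to add back (an assumption; tune per policy).
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "ALL"}


def _caps(values):
    """Normalize capability names: upper-case, without the CAP_ prefix."""
    return {c.upper().replace("CAP_", "", 1) for c in values or []}


def audit_container(entry):
    """Return a list of hardening findings for one `docker inspect` entry."""
    hc = entry.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged mode enabled")
    if not hc.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    # cgroup limits: Memory 0/missing and PidsLimit null/0/-1 all mean "unlimited".
    if not hc.get("Memory"):
        findings.append("no memory limit (cgroup)")
    if (hc.get("PidsLimit") or 0) <= 0:
        findings.append("no PID limit (cgroup)")
    if "ALL" not in _caps(hc.get("CapDrop")):
        findings.append("capabilities not dropped (expected CapDrop=ALL)")
    for cap in sorted(_caps(hc.get("CapAdd")) & RISKY_CAPS):
        findings.append(f"risky capability added: {cap}")
    return findings


def audit(inspect_output):
    """Map container name -> findings for every entry in the inspect array."""
    return {e.get("Name", "?").lstrip("/"): audit_container(e) for e in inspect_output}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else findings)
```

To audit live containers, replace `SAMPLE_INSPECT` with the parsed output of `docker inspect` for the containers in question.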
Five strategies to remove single points of DNS failure
- Stay aware of trends that can compromise the 13 root name servers.
- Choose a top-level domain that is more likely to stay up under large-scale attacks or software faults, is unlikely to change hands, and has significant investment in infrastructure.
- Choose a DNS provider that uses Anycast and is large and scalable; use a different company to service your endpoints.
- Keep track of expiration dates of domains and SSL certificates.
- Don’t couple your endpoints and DNS zone control in one provider.
Full post here, 11 mins read
Secure databases in complex backend systems with these 5 best practices
- Keep application and database servers on different physical machines, with a high-performance host for the apps & high-level security for databases.
- Set up web application firewalls, and anti-malware & anti-ransomware solutions for the database server and review them regularly. Turn off any services not frequently used.
- Encrypt data residing on servers with a private key and also encrypt before transit.
- Limit the number of users accessing the database. Allow access only when required. Maintain and monitor activity logs. Keep database credentials hashed and salted.
- Patch the OS and third-party software, APIs and plug-ins using the latest versions. Remove or deactivate unused apps.
- Schedule regular backups and use a database proxy to accept requests only from trusted sources.
Full post here, 6 mins read