A new CVE (CVE-2016-9962) for the Docker container runtime and runc was recently released. Fixed packages are being prepared and shipped for RHEL as well as Fedora and CentOS. This CVE reports that if you
exec'd into a running container, the processes inside the container could attack the process that had just entered the container.
If this process had open file descriptors, the processes inside the container could
ptrace the new process and gain access to those file descriptors and read/write them, potentially even gaining access to the host network or executing commands on the host.
Continue reading “SELinux Mitigates container Vulnerability”
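The attack in the post above hinges on a process entering a container while still holding host file descriptors that are not marked close-on-exec. The following is an added example, not code from the post or from runc, that shows the leak in isolation: a parent opens a descriptor, then checks whether a freshly exec'd child can still use it, with and without close-on-exec. It uses only the standard library; `os.devnull` stands in for the host resource, and the function names are this example's own.

```python
import os
import subprocess
import sys

# Probe that runs inside the child: report whether the numbered descriptor
# handed over on the command line is still usable after exec.
_PROBE = (
    "import os, sys\n"
    "try:\n"
    "    os.fstat(int(sys.argv[1]))\n"
    "    print('open')\n"
    "except OSError:\n"
    "    print('closed')\n"
)


def fd_survives_exec(inheritable: bool) -> bool:
    """Open a descriptor in the parent, exec a child, and report whether the
    child can still use it.

    inheritable=True models a process that enters a container while holding
    descriptors without close-on-exec (the situation the CVE describes);
    inheritable=False models the hardened case where every descriptor is
    marked close-on-exec before exec.
    """
    fd = os.open(os.devnull, os.O_RDONLY)  # stands in for a host resource
    try:
        # Python marks new descriptors close-on-exec by default (PEP 446), so
        # the leak has to be opted into explicitly here; a runtime that opens
        # host files without O_CLOEXEC gets the same effect implicitly.
        os.set_inheritable(fd, inheritable)
        child = subprocess.run(
            [sys.executable, "-c", _PROBE, str(fd)],
            capture_output=True, text=True, check=True,
            close_fds=False,  # do not let subprocess close the leak for us
        )
        return child.stdout.strip() == "open"
    finally:
        os.close(fd)


def inheritable_fds(max_fd: int = 64) -> list:
    """Audit helper: list descriptors 3..max_fd-1 in this process that lack
    close-on-exec and would therefore be inherited by any exec'd child.
    Run it just before exec'ing into an untrusted context."""
    leaks = []
    for fd in range(3, max_fd):
        try:
            if os.get_inheritable(fd):
                leaks.append(fd)
        except OSError:
            continue  # fd not open
    return leaks


if __name__ == "__main__":
    print("leaks without CLOEXEC:", fd_survives_exec(True))   # True
    print("leaks with CLOEXEC:   ", fd_survives_exec(False))  # False
    print("inheritable fds here: ", inheritable_fds())
```

The audit is a Linux/POSIX-style check; on Linux you can cross-check it against `ls -l /proc/<pid>/fd` for the process about to enter the container. Marking descriptors close-on-exec removes the leak, but it does not stop a container process from ptracing the entrant; that is the part the post credits to SELinux.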
This is my sixth post dedicated to the use of Identity Management (IdM) and related technologies to address the Payment Card Industry Data Security Standard (PCI DSS). This specific post is related to requirement seven (i.e. the requirement to restrict access to cardholder data by business need to know). The outline and mapping of individual articles to the requirements can be found in the overarching post that started the series.
Section 7 of the PCI DSS standard talks about access control and limiting the privileges of administrative accounts. IdM can play a big role in addressing these requirements. IdM provides several key features that are related to access control and privileged account management. The first one is
Continue reading “PCI Series: Requirement 7 – Restrict Access to Cardholder Data by Business Need to Know”
The usage of open source technologies has grown significantly in the public sector. In fact, according to a published memo, open source technologies allow the Department of Defense to “develop and update its software-based capabilities faster than ever, to anticipate new threats and respond to continuously changing requirements”. Cybersecurity threats are on the rise and organizations need to ensure that the software they use in their environments is safe. IT teams need the ability to quickly identify and mitigate breaches. They also need to deploy preventative measures and ensure that all stakeholders are protected.
Continue reading “Red Hat Virtualization and Security”
As applications are designed, redesigned, or even simply thought about at a high level, we frequently think about technical barriers alongside business needs. Business needs may dictate that a new architecture move forward, but technical limitations can sometimes limit how far forward it goes – unless there is something to bridge the gap. The new Neutron network integration between Red Hat Virtualization (RHV) and Red Hat OpenStack Platform (RHOSP) provides such a bridge for business and technical solutions.
Continue reading “Integrating Red Hat Virtualization and Red Hat OpenStack Platform with Neutron Networking”
This article is the third in a series dedicated to the use of Identity Management (IdM) and related technologies to address the Payment Card Industry Data Security Standard (PCI DSS). This specific post covers the PCI DSS requirement related to not using vendor-supplied defaults for system passwords and other security parameters. The outline and mapping of individual articles to the requirements can be found in the overarching post that started the series.
The second section of the PCI DSS standard applies to defaults – especially passwords and other security parameters. The standard calls for resetting passwords (and the like) on any new system before placing it on the network. IdM can help here. Leveraging IdM for centralized accounts and policy information allows for simple automated provisioning of new systems with
Continue reading “PCI Series: Requirement 2 – Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters”
In my last post, we discussed how the needs of an enterprise-grade Internet of Things (IoT) solution require a more diligent approach than what’s involved when putting together a Proof of Concept (PoC). In this post, we’ll explore how businesses can leverage their existing infrastructure to create scalable IoT deployments.
While my previous post reviewed a “list of ingredients” needed to build out an industrial-grade IoT solution, the massive scale and reach of IoT solutions for businesses requires some additional considerations, namely
Continue reading “Bringing Intelligence to the Edge”
If you’re heading to DockerCon 16 next week in Seattle, connect with us to see why Fortune 500 organizations trust Red Hat for enterprise deployments. Red Hat subject matter experts will be onsite to walk you through real-world use cases for securely developing, deploying and managing container-based applications.
Attend the State of Container Security Session
Join two of Red Hat’s Docker contributors discussing the state of container security today. Senior Software Engineer Mrunal Patel and Thomas Cameron, Global Evangelist of Emerging Technology, are presenting on how you can secure your containerized microservices without slowing down development.
Continue reading “Red Hat at DockerCon 16 in Seattle”
There is a lot of confusion around which pieces of your application you should break into multiple containers and why. I recently responded to this thread on the Docker user mailing list which led me to writing today’s post. In this post I plan to examine an imaginary Java application that historically ran on a single Tomcat server and to explain why I would break it apart into separate containers. In an attempt to make things interesting – I will also aim to
Continue reading “Container Tidbits: When Should I Break My Application into Multiple Containers?”
Cloud conversations are evolving at a seemingly ever increasing pace. In my experience, nearly all “…what is the cloud?” type conversations have long since passed. In fact, for some organizations, private and public clouds are now central to daily business operations. For both the early and late majority, however, their (usually large) install base of traditional applications makes the cloud far from reality. These organizations tend to have significant investments in proprietary virtualization, management, and operations technologies, and it’s not a given that these applications are cloud ready (today). While many proprietary technology vendors offer re-packaged versions of existing products to create a thin veil of “cloudiness” – this style of cloud enablement usually comes at a heavy price
Continue reading “Conversations from the Field: Building a Bridge to the Cloud”
In Architecting Containers Part 1 we explored the difference between the user space and kernel space. In Architecting Containers Part 2 we explored why the user space matters to developers, administrators, and architects. In today’s post we will highlight a handful of important ways the choice of the user space can affect application deployment and maintenance.
While there are many ways for a given container architecture to affect and/or influence your application, the user space provides tooling that is often overlooked, namely
Continue reading “Architecting Containers Part 3: How the User Space Affects Your Application”