{"product_id":"cloud-native-security-isbn-9781119782230","title":"Cloud Native Security","description":"\u003cp\u003e\u003cb\u003eExplore the latest and most comprehensive guide to securing your Cloud Native technology stack\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003ci\u003eCloud Native Security\u003c\/i\u003e delivers a detailed study into minimizing the attack surfaces found on today's Cloud Native infrastructure. Throughout the work hands-on examples walk through mitigating threats and the areas of concern that need to be addressed. The book contains the information that professionals need in order to build a diverse mix of the niche knowledge required to harden Cloud Native estates.\u003c\/p\u003e \u003cp\u003eThe book begins with more accessible content about understanding Linux containers and container runtime protection before moving on to more advanced subject matter like advanced attacks on Kubernetes. You'll also learn about:\u003c\/p\u003e \u003cul\u003e \u003cli\u003eInstalling and configuring multiple types of DevSecOps tooling in CI\/CD pipelines\u003c\/li\u003e \u003cli\u003eBuilding a forensic logging system that can provide exceptional levels of detail, suited to busy containerized estates\u003c\/li\u003e \u003cli\u003eSecuring the most popular container orchestrator, Kubernetes\u003c\/li\u003e \u003cli\u003eHardening cloud platforms and automating security enforcement in the cloud using sophisticated policies\u003c\/li\u003e \u003c\/ul\u003e \u003cp\u003ePerfect for DevOps engineers, platform engineers, security professionals and students, \u003ci\u003eCloud Native Security\u003c\/i\u003e will earn a place in the libraries of all professionals who wish to improve their understanding of modern security challenges.\u003c\/p\u003e \u003cp\u003eIntroduction xix\u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart I Container and Orchestrator Security 1\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 1 What is a Container? 3\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eCommon Misconceptions 4\u003c\/p\u003e \u003cp\u003eContainer Components 6\u003c\/p\u003e \u003cp\u003eKernel Capabilities 7\u003c\/p\u003e \u003cp\u003eOther Containers 13\u003c\/p\u003e \u003cp\u003eSummary 14\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 2 Rootless Runtimes 17\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eDocker Rootless Mode 18\u003c\/p\u003e \u003cp\u003eInstalling Rootless Mode 20\u003c\/p\u003e \u003cp\u003eRunning Rootless Podman 25\u003c\/p\u003e \u003cp\u003eSetting Up Podman 26\u003c\/p\u003e \u003cp\u003eSummary 31\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 3 Container Runtime Protection 33\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eRunning Falco 34\u003c\/p\u003e \u003cp\u003eConfiguring Rules 38\u003c\/p\u003e \u003cp\u003eChanging Rules 39\u003c\/p\u003e \u003cp\u003eMacros 41\u003c\/p\u003e \u003cp\u003eLists 41\u003c\/p\u003e \u003cp\u003eGetting Your Priorities Right 41\u003c\/p\u003e \u003cp\u003eTagging Rulesets 42\u003c\/p\u003e \u003cp\u003eOutputting Alerts 42\u003c\/p\u003e \u003cp\u003eSummary 43\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 4 Forensic Logging 45\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThings to Consider 46\u003c\/p\u003e \u003cp\u003eSalient Files 47\u003c\/p\u003e \u003cp\u003eBreaking the Rules 49\u003c\/p\u003e \u003cp\u003eKey Commands 52\u003c\/p\u003e \u003cp\u003eThe Rules 52\u003c\/p\u003e \u003cp\u003eParsing Rules 54\u003c\/p\u003e \u003cp\u003eMonitoring 58\u003c\/p\u003e \u003cp\u003eOrdering and Performance 62\u003c\/p\u003e \u003cp\u003eSummary 63\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 5 Kubernetes Vulnerabilities 65\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eMini Kubernetes 66\u003c\/p\u003e \u003cp\u003eOptions for Using \u003ci\u003ekube-hunter \u003c\/i\u003e68\u003c\/p\u003e \u003cp\u003eDeployment Methods 68\u003c\/p\u003e \u003cp\u003eScanning Approaches 69\u003c\/p\u003e \u003cp\u003eHunting Modes 69\u003c\/p\u003e \u003cp\u003eContainer Deployment 70\u003c\/p\u003e \u003cp\u003eInside Cluster Tests 71\u003c\/p\u003e \u003cp\u003eMinikube vs. \u003ci\u003ekube-hunter \u003c\/i\u003e74\u003c\/p\u003e \u003cp\u003eGetting a List of Tests 76\u003c\/p\u003e \u003cp\u003eSummary 77\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 6 Container Image CVEs 79\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eUnderstanding CVEs 80\u003c\/p\u003e \u003cp\u003eTrivy 82\u003c\/p\u003e \u003cp\u003eGetting Started 83\u003c\/p\u003e \u003cp\u003eExploring Anchore 88\u003c\/p\u003e \u003cp\u003eClair 96\u003c\/p\u003e \u003cp\u003eSecure Registries 97\u003c\/p\u003e \u003cp\u003eSummary 101\u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart II DevSecOps Tooling 103\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 7 Baseline Scanning (or, Zap Your Apps) 105\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eWhere to Find ZAP 106\u003c\/p\u003e \u003cp\u003eBaseline Scanning 107\u003c\/p\u003e \u003cp\u003eScanning Nmap’s Host 113\u003c\/p\u003e \u003cp\u003eAdding Regular Expressions 114\u003c\/p\u003e \u003cp\u003eSummary 116\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 8 Codifying Security 117\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eSecurity Tooling 117\u003c\/p\u003e \u003cp\u003eInstallation 118\u003c\/p\u003e \u003cp\u003eSimple Tests 122\u003c\/p\u003e \u003cp\u003eExample Attack Files 124\u003c\/p\u003e \u003cp\u003eSummary 127\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 9 Kubernetes Compliance 129\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eMini Kubernetes 130\u003c\/p\u003e \u003cp\u003eUsing \u003ci\u003ekube-bench \u003c\/i\u003e133\u003c\/p\u003e \u003cp\u003eTroubleshooting 138\u003c\/p\u003e \u003cp\u003eAutomation 139\u003c\/p\u003e \u003cp\u003eSummary 140\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 10 Securing Your Git Repositories 141\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThings to Consider 142\u003c\/p\u003e \u003cp\u003eInstalling and Running Gitleaks 144\u003c\/p\u003e \u003cp\u003eInstalling and Running GitRob 149\u003c\/p\u003e \u003cp\u003eSummary 151\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 11 Automated Host Security 153\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eMachine Images 155\u003c\/p\u003e \u003cp\u003eIdempotency 156\u003c\/p\u003e \u003cp\u003eSecure Shell Example 158\u003c\/p\u003e \u003cp\u003eKernel Changes 162\u003c\/p\u003e \u003cp\u003eSummary 163\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 12 Server Scanning With Nikto 165\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThings to Consider 165\u003c\/p\u003e \u003cp\u003eInstallation 166\u003c\/p\u003e \u003cp\u003eScanning a Second Host 170\u003c\/p\u003e \u003cp\u003eRunning Options 171\u003c\/p\u003e \u003cp\u003eCommand-Line Options 172\u003c\/p\u003e \u003cp\u003eEvasion Techniques 172\u003c\/p\u003e \u003cp\u003eThe Main Nikto Configuration File 175\u003c\/p\u003e \u003cp\u003eSummary 176\u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart III Cloud Security 177\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 13 Monitoring Cloud Operations 179\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eHost Dashboarding with NetData 180\u003c\/p\u003e \u003cp\u003eInstalling Netdata 180\u003c\/p\u003e \u003cp\u003eHost Installation 180\u003c\/p\u003e \u003cp\u003eContainer Installation 183\u003c\/p\u003e \u003cp\u003eCollectors 186\u003c\/p\u003e \u003cp\u003eUninstalling Host Packages 186\u003c\/p\u003e \u003cp\u003eCloud Platform Interrogation with Komiser 186\u003c\/p\u003e \u003cp\u003eInstallation Options 190\u003c\/p\u003e \u003cp\u003eSummary 191\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 14 Cloud Guardianship 193\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eInstalling Cloud Custodian 193\u003c\/p\u003e \u003cp\u003eWrapper Installation 194\u003c\/p\u003e \u003cp\u003ePython Installation 195\u003c\/p\u003e \u003cp\u003eEC2 Interaction 196\u003c\/p\u003e \u003cp\u003eMore Complex Policies 201\u003c\/p\u003e \u003cp\u003eIAM Policies 202\u003c\/p\u003e \u003cp\u003eS3 Data at Rest 202\u003c\/p\u003e \u003cp\u003eGenerating Alerts 203\u003c\/p\u003e \u003cp\u003eSummary 205\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 15 Cloud Auditing 207\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eRuntime, Host, and Cloud Testing with Lunar 207\u003c\/p\u003e \u003cp\u003eInstalling to a Bash Default Shell 209\u003c\/p\u003e \u003cp\u003eExecution 209\u003c\/p\u003e \u003cp\u003eCloud Auditing Against Benchmarks 213\u003c\/p\u003e \u003cp\u003eAWS Auditing with Cloud Reports 215\u003c\/p\u003e \u003cp\u003eGenerating Reports 217\u003c\/p\u003e \u003cp\u003eEC2 Auditing 219\u003c\/p\u003e \u003cp\u003eCIS Benchmarks and AWS Auditing with Prowler 220\u003c\/p\u003e \u003cp\u003eSummary 223\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 16 AWS Cloud Storage 225\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eBuckets 226\u003c\/p\u003e \u003cp\u003eNative Security Settings 229\u003c\/p\u003e \u003cp\u003eAutomated S3 Attacks 231\u003c\/p\u003e \u003cp\u003eStorage Hunting 234\u003c\/p\u003e \u003cp\u003eSummary 236\u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart IV Advanced Kubernetes and Runtime Security 239\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 17 Kubernetes External Attacks 241\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThe Kubernetes Network Footprint 242\u003c\/p\u003e \u003cp\u003eAttacking the API Server 243\u003c\/p\u003e \u003cp\u003eAPI Server Information Discovery 243\u003c\/p\u003e \u003cp\u003eAvoiding API Server Information Disclosure 244\u003c\/p\u003e \u003cp\u003eExploiting Misconfigured API Servers 245\u003c\/p\u003e \u003cp\u003ePreventing Unauthenticated Access to the API Server 246\u003c\/p\u003e \u003cp\u003eAttacking etcd 246\u003c\/p\u003e \u003cp\u003eetcd Information Discovery 246\u003c\/p\u003e \u003cp\u003eExploiting Misconfigured etcd Servers 246\u003c\/p\u003e \u003cp\u003ePreventing Unauthorized etcd Access 247\u003c\/p\u003e \u003cp\u003eAttacking the Kubelet 248\u003c\/p\u003e \u003cp\u003eKubelet Information Discovery 248\u003c\/p\u003e \u003cp\u003eExploiting Misconfigured Kubelets 249\u003c\/p\u003e \u003cp\u003ePreventing Unauthenticated Kubelet Access 250\u003c\/p\u003e \u003cp\u003eSummary 250\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 18 Kubernetes Authorization with RBAC 251\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eKubernetes Authorization Mechanisms 251\u003c\/p\u003e \u003cp\u003eRBAC Overview 252\u003c\/p\u003e \u003cp\u003eRBAC Gotchas 253\u003c\/p\u003e \u003cp\u003eAvoid the \u003ci\u003ecluster-admin \u003c\/i\u003eRole 253\u003c\/p\u003e \u003cp\u003eBuilt-In Users and Groups Can Be Dangerous 254\u003c\/p\u003e \u003cp\u003eRead-Only Can Be Dangerous 254\u003c\/p\u003e \u003cp\u003eCreate Pod is Dangerous 256\u003c\/p\u003e \u003cp\u003eKubernetes Rights Can Be Transient 257\u003c\/p\u003e \u003cp\u003eOther Dangerous Objects 258\u003c\/p\u003e \u003cp\u003eAuditing RBAC 258\u003c\/p\u003e \u003cp\u003eUsing \u003ci\u003ekubectl \u003c\/i\u003e258\u003c\/p\u003e \u003cp\u003eAdditional Tooling 259\u003c\/p\u003e \u003cp\u003e\u003ci\u003eRakkess \u003c\/i\u003e259\u003c\/p\u003e \u003cp\u003e\u003ci\u003ekubectl-who-can \u003c\/i\u003e261\u003c\/p\u003e \u003cp\u003e\u003ci\u003eRback \u003c\/i\u003e261\u003c\/p\u003e \u003cp\u003eSummary 262\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 19 Network Hardening 265\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eContainer Network Overview 265\u003c\/p\u003e \u003cp\u003eNode IP Addresses 266\u003c\/p\u003e \u003cp\u003ePod IP Addresses 266\u003c\/p\u003e \u003cp\u003eService IP Addresses 267\u003c\/p\u003e \u003cp\u003eRestricting Traffic in Kubernetes Clusters 267\u003c\/p\u003e \u003cp\u003eSetting Up a Cluster with Network Policies 268\u003c\/p\u003e \u003cp\u003eGetting Started 268\u003c\/p\u003e \u003cp\u003eAllowing Access 271\u003c\/p\u003e \u003cp\u003eEgress Restrictions 273\u003c\/p\u003e \u003cp\u003eNetwork Policy Restrictions 274\u003c\/p\u003e \u003cp\u003eCNI Network Policy Extensions 275\u003c\/p\u003e \u003cp\u003eCilium 275\u003c\/p\u003e \u003cp\u003eCalico 276\u003c\/p\u003e \u003cp\u003eSummary 278\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 20 Workload Hardening 279\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eUsing Security Context in Manifests 279\u003c\/p\u003e \u003cp\u003eGeneral Approach 280\u003c\/p\u003e \u003cp\u003eallowPrivilegeEscalation 280\u003c\/p\u003e \u003cp\u003eCapabilities 281\u003c\/p\u003e \u003cp\u003eprivileged 283\u003c\/p\u003e \u003cp\u003ereadOnlyRootFilesystem 283\u003c\/p\u003e \u003cp\u003eseccompProfile 283\u003c\/p\u003e \u003cp\u003eMandatory Workload Security 285\u003c\/p\u003e \u003cp\u003ePod Security Standards 285\u003c\/p\u003e \u003cp\u003ePodSecurityPolicy 286\u003c\/p\u003e \u003cp\u003eSetting Up PSPs 286\u003c\/p\u003e \u003cp\u003eSetting Up PSPs 288\u003c\/p\u003e \u003cp\u003ePSPs and RBAC 289\u003c\/p\u003e \u003cp\u003ePSP Alternatives 291\u003c\/p\u003e \u003cp\u003eOpen Policy Agent 292\u003c\/p\u003e \u003cp\u003eInstallation 292\u003c\/p\u003e \u003cp\u003eEnforcement Actions 295\u003c\/p\u003e \u003cp\u003eKyverno 295\u003c\/p\u003e \u003cp\u003eInstallation 296\u003c\/p\u003e \u003cp\u003eOperation 296\u003c\/p\u003e \u003cp\u003eSummary 298\u003c\/p\u003e \u003cp\u003eIndex 299\u003c\/p\u003e \u003cp\u003e\u003cb\u003eCHRIS BINNIE\u003c\/b\u003e is a Technical Consultant who has worked for almost 25 years with critical Linux systems in banking and government, both on-premise and in the cloud. He has written two Linux books, has written for \u003ci\u003eLinux\u003c\/i\u003e and \u003ci\u003eADMIN\u003c\/i\u003e magazines and has five years of experience in DevOps security consultancy roles.\u003c\/p\u003e\u003cp\u003e\u003cb\u003eRORY MCCUNE\u003c\/b\u003e has over 20 years of experience in the Information and IT security arenas. His professional focus is on container, cloud, and application security and he is an author of the CIS Benchmarks for Docker and Kubernetes and has authored and delivered container security training at conferences around the world.\u003c\/p\u003e \u003cp\u003e\u003cb\u003eDISCOVER A COMPREHENSIVE GUIDE TO SECURING YOUR CLOUD NATIVE TECH STACK\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eIn \u003ci\u003eCloud Native Security\u003c\/i\u003e, accomplished IT security professionals and authors Chris Binnie and Rory McCune deliver a detailed treatment of how to minimize the attack surfaces found on today’s Cloud Native infrastructure. Incorporating hands-on examples, the book teaches you to mitigate threats and eliminate areas of concern that tend to lead to security compromises. The book contains the information that security professionals need to know in order to operate secure, hardened and therefore reliable Cloud Native estates.\u003c\/p\u003e \u003cp\u003eBeginning with accessible and easy-to-understand content about Linux containers and container runtime protection, the book moves on to more advanced subjects, like complex attacks on Kubernetes. You’ll learn about forensic logging and Kubernetes vulnerabilities, Common Vulnerability and Exploit scanning tools (CVEs), baseline scans, how to codify security, and how to scan popular code repositories for vulnerabilities.\u003c\/p\u003e \u003cp\u003eYou’ll also discover how to use Configuration Management tools like Ansible to enforce security controls and help mitigate against attackers gaining a foothold and create predictable, reliable, and secure hosts. Finally, topics like network policies, pod hardening, and Kubernetes Role Based Access Control (RBAC) functionality are all covered in extensive depth.\u003c\/p\u003e \u003cp\u003ePerfect for DevOps engineers, platform engineers, security professionals, and students, \u003ci\u003eCloud Native Security\u003c\/i\u003e will earn a place in the libraries of all professionals who need to improve their understanding of modern security vulnerabilities and challenges.\u003c\/p\u003e \u003cp\u003e\u003cb\u003eThe book delivers thorough and comprehensive explanations of:\u003c\/b\u003e\u003c\/p\u003e \u003cul\u003e \u003cli\u003e\u003cb\u003eInstalling and configuring multiple types of DevSecOps tooling in CI\/CD pipelines\u003c\/b\u003e\u003c\/li\u003e \u003cli\u003e\u003cb\u003eBuilding forensic logging systems that provide exceptional levels of detail in busy containerized estates\u003c\/b\u003e\u003c\/li\u003e \u003cli\u003e\u003cb\u003eHow to secure Kubernetes, the most popular container orchestrator\u003c\/b\u003e\u003c\/li\u003e \u003cli\u003e\u003cb\u003eHardening cloud platforms and automating security enforcement in the cloud with sophisticated policies\u003c\/b\u003e\u003c\/li\u003e \u003c\/ul\u003e","brand":"Wiley","offers":[{"title":"Default Title","offer_id":47988937162981,"sku":"NP9781119782230","price":40.0,"currency_code":"USD","in_stock":false}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/1842\/7735\/files\/9781119782230.jpg?v=1761782124","url":"https:\/\/k12savings.com\/products\/cloud-native-security-isbn-9781119782230","provider":"K12savings","version":"1.0","type":"link"}