The nVisium Blog

AWS re:Invent reCap

Published on December 6, 2017 by John Poulin

As Jonn Callahan and I attended AWS re:Invent this year, one thing kept coming up in our conversations: inspiration. Between the exciting new service releases, the innovative use cases, and the great networking events, it was hard to go to bed at night without compiling a list of all the things we wanted to build, or of the ways we could modify our current architecture to scale better at a lower cost.

We wanted to share a list of the features and services we think will have the most impact on our architectural designs, or will best help our clients stay secure.

Read more...

OWASP Top 10 2007-2017: The Fall of CSRF

Published on November 30, 2017 by Jack Mannino

The final version of the OWASP Top 10 2017 was recently released, and it has changed significantly from the 2013 version. There were significant changes between the various release candidates of the 2017 list as well. While the problems with the RC1 release were well documented and analyzed, RC2 and the final Top 10 have been a course correction for the project and a net positive overall. Of the major changes in the final version, one of the biggest debates has centered on the removal of Cross-Site Request Forgery (CSRF) and the additions of Insecure Deserialization and XML External Entities (XXE). This post analyzes why we believe it made sense to demote CSRF and to focus instead on areas that are less thoroughly "fixed" in our code and frameworks.

Read more...

Migrating to Microservices: Securely & Safely

Published on November 16, 2017 by Jack Mannino

Microservices allow you to build your applications as services that are deployed and maintained independently. While many software organizations have been using microservices and containers for years, a considerable number are still in the early phases of adopting them and migrating their legacy architectures heading into 2018. Microservices have a lot in common with Service-Oriented Architectures (SOA), but they have their own unique properties too. Compared to traditional monolithic software development, microservices speed up our deployments, let us iterate faster, and take full advantage of modern computing platforms. There are great benefits to using microservices, but there are also many architectural complexities to consider, as well as cultural and procedural issues to solve. Keeping your architecture secure under decentralized governance can be challenging, and it requires us to think carefully up front about how to scaffold security into our core design and habits.

Read more...

Event-Driven Kubernetes Security: Bringing in the Brigade

Published on November 7, 2017 by Jack Mannino

Brigade provides event-based scripting for Kubernetes that allows you to build complex pipelines and workflows between your containers and other systems. An open-source project released by the Microsoft Azure team, Brigade itself is written in Go, and scripts for Brigade are written in JavaScript with limited access to Node.js APIs. If you like serverless runtimes or Function as a Service (FaaS) technology, then you'll love Brigade. Its server components run as native pods and services on your Kubernetes cluster. Using Brigade, you can chain together functions and sequences of logic that are triggered by events and executed across containers. The focus of this post is to demonstrate use cases for Brigade in performing basic event-driven tasks in your cluster.

Read more...

Securing Kubernetes: Going from k8s to k8sec

Published on October 24, 2017 by Jack Mannino

Continuing our blog series on technologies we love and use internally at nVisium, let's take a stroll through the park with Kubernetes. We've implemented Kubernetes to deploy and scale our containerized microservices, which lets us easily spin up and manage new services and focus on new features rather than on managing containers and infrastructure. However, the speed and simplicity with which you can deploy complex applications with a few keystrokes can also be our enemy if we don't bake security into our design. This post is the first in an eight-part series that will explore the broad surface and the internals of securely designing systems powered by Kubernetes.

Read more...

Play 2.6 Security Analysis

Published on October 4, 2017 by Jack Mannino

Play 2.6 final was recently released, and it includes a ton of awesome new features. Some of the most exciting are the replacement of Netty with Akka HTTP Server as the default backend, and experimental HTTP/2 support (finally!). From a security perspective, Play 2.6 introduces new features and settings you will want to take advantage of.

Read more...