Codecov Breach Lessons; 2021 Aqua Cloud Security Report; MITRE ATT&CK Container Matrix; KubeCon EU Takeaways; CNCF Paper Software Supply Chain Security Best Practices

Last month's Codecov breach again raised concerns about the security of the software supply chain. On our blog, we share the lessons from this incident and explore how you can start protecting your development pipeline against CI poisoning and supply chain attacks. On the cloud threat front, our latest research reveals that 90% of companies are vulnerable to security breaches due to cloud misconfigurations. And in case you missed KubeCon EU this year, check out an excellent summary of the event for key takeaways and discussions.

News You Can Use
Supply Chain Attacks and Cloud Native: What You Need to Know
Dev environments have become a lucrative target for attackers looking to embed malicious code into the supply chain. With supply chain attacks on the rise, Aqua’s Rani Osnat explores the threats to the cloud native supply chain and measures that DevOps and security teams can take to reduce the risk. Find the article on TheNewStack ›
KubeCon EU 2021: Developers, Developers, Developers (and Control Planes)
This blog post provides a great summary of the most recent Virtual KubeCon + CloudNativeCon EU. Key takeaways include the growing importance of developer experience, evolving networking in the cloud, eBPF technology drawing a lot of attention, and more. Read all about it ›
ATT&CK® for Containers Now Available!
MITRE released the official ATT&CK matrix for Containers, which adds container-related tactics and techniques, covering both orchestration-level and container-level adversary behaviors. Drawing on its extensive research into attacks observed in the wild, Aqua was proud to take part and contribute to this matrix. Learn more on Medium ›
A Practical Guide to Writing Secure Dockerfiles
Docker has been instrumental in streamlining and improving the workflows of developers, operations, and engineering teams. This blog gives a nice overview of tools, techniques, and best practices to write secure Dockerfiles and also touches on leveraging OPA (Open Policy Agent) to write custom policies. Check it out on Medium ›
CNCF Paper Defines Best Practices for Supply Chain Security
CNCF published a new paper designed to provide a holistic approach to supply chain security by highlighting the importance of layered defensive practices. The paper evaluates many of the available tools and defines four key principles for supply chain security and steps for each. Learn all about it on CNCF’s site ›
No One Wants to Manage Kubernetes Anymore
Managing Kubernetes is hard, and many organizations are shifting from managing their own clusters to managed service providers. The article covers the latest trends in managed Kubernetes options and reasons to choose a managed service over self-managed open source Kubernetes. Read more on InfoWorld ›
2021 Cloud Security Report: Cloud Configuration Risks Exposed
Cloud Native Threat Report
The latest research from Team Nautilus finds that the majority of organizations fail to fix cloud misconfiguration issues in a timely manner. Based on anonymized cloud infrastructure data from hundreds of organizations, the report points to important cloud security gaps and provides recommendations on the best practices to mitigate the risk.

Explore the full report here
Aqua News

Codecov Breach: Lessons Learned from the CI Poisoning Attack
The recent Codecov breach has again placed the spotlight on supply chain attacks. In this blog, we explore how an attacker was able to get access to credentials from within the CI/CD pipeline and what organizations can do to reduce the risk of this occurring. Read all about it ›

Detecting Malicious Activity in CI/CD Pipeline with Tracee
To prevent supply chain attacks like the Codecov incident, organizations need to shift left and secure their development lifecycle from the start. Our open source tool Tracee can help you embed security into the SDLC by detecting malicious activity in your CI/CD pipeline. Check out the blog ›

Why You Shouldn’t Use Config Maps to Store Sensitive Data in K8s
One of the challenges of managing containerized environments is how to store sensitive information that’s needed for the operation of the applications. This post looks at the reasons why Kubernetes Secrets (and not ConfigMaps or other object types) should be used for storing sensitive information. Learn all about it ›

Automating CIS Kubernetes Benchmark Compliance with Starboard Operator
To help establish a secure configuration posture for your Kubernetes cluster, the new release of Starboard Operator (v0.10) adds CIS Kubernetes Benchmark testing using kube-bench. The operator automatically discovers nodes and runs kube-bench on each node to get the benchmark score. Learn more in the blog ›

The Challenges of Uniquely Identifying Your Images
From a security perspective, it’s important to ensure that the image you’re getting is exactly what you expect it to be. Docker image tags can’t always be relied on to point to a specific image, and using SHA-256 hashes isn’t as easy as it might seem. This post explores why that’s the case and provides practical advice on how to address it. Read more ›

Vulnerability Management in Container Images from Build to Runtime
Resolving vulnerabilities in the underlying image is critical to ensuring the safety of your environment. Integrating the Aqua Scanner into the CI pipeline, configuring Postee to handle daily scan result notifications, and monitoring runtime events can greatly improve your security posture. Find out more in the blog ›

Risk-based Vulnerability Management for Cloud Native Apps
Live Webinar May 19th
Brinqa
Aqua Security and Brinqa will host a live use-case webinar in which we unify premier vulnerability management technologies with unparalleled analytics and insight to help secure the cloud native technologies that will drive your business forward.

Register here

Aqua Cloud Native Security