The everyday work of IT infrastructure engineers all around the world is becoming more complex by the day. It’s no longer enough to know how to set up and maintain networks and virtual machines and to have some scripting skills for basic automation tasks. Today you need a lot more knowledge to operate cloud-based workloads, run containers in advanced clustered setups, and keep an eye on security-related aspects as well. Luckily, enthusiastic professionals put their time and effort into crafting so-called “cheat sheets”. These sheets help you find the most common topics and solutions in a certain area, and they are a must-have for every IT infrastructure specialist.
In the software industry there is a popular phrase, “think big, start small”, but I would like to start big to give your search for cheat sheets a massive boost. Be sure to visit the OWASP website and download their full bundle of cheat sheets, which covers a huge number of relevant topics.
This bundle gives you everything you need to know about application security. In its list you will find topics such as authentication and authorization, file-upload tips and tricks, as well as less common topics like the Laravel cheat sheet and the XSS filter evasion cheat sheet.
Every sheet has the same structure: Introduction, Context, Objective, and Recommendations. Many of the cheat sheets use practical examples, and the visuals (schemas) used in a lot of them are excellent.
Take, for example, the ones in the network segmentation cheat sheet. Network elements are explained, as well as the context of the application in relation to the networks that are in and out of scope. The services and their interaction with each other are explained too. It goes all the way to more advanced topics such as the implications of multiple applications running in the same network, secure logging, and the impact of CI/CD pipelines on the target environment.
One of the most useful features of the cheat sheet series is the option to subscribe to its RSS feed. This gets updates to you instantly on the device and application of your choice. No more polling, downloading and searching for updates of your favorite cheat sheet. Being informed proactively really helps you stay on top of every aspect that is relevant to your work.
Docker remains one of the most popular container technologies and is heavily used in nearly all organizations. Containers and the images from which they are created are not secure by default. GitGuardian has a cheat sheet to help you improve your container security skills so you can lock them down.
On its page you will find a complete list of categories, each focusing on a subtopic, organized around three main components: the supporting infrastructure (OS and platform), the software components embedded in your containers and images, and the runtime configuration of your systems and containers. The cheat sheet is compact but contains plenty of examples to get you started. The main categories of its best practices are as follows:
- Build configuration: everything you need to know to actually build your images securely.
- Shared resources, privileges, and Linux capabilities, including tips to keep your host from becoming vulnerable through a container.
- Filesystem: best practices for using the underlying filesystem for persistent storage and for volumes mounted inside your containers.
- Network security: a strong emphasis on Docker networking capabilities and recommendations.
- Logging: redirecting logs and making proper use of the available log levels.
- Secret scanning and vulnerability scanning: a list of free and commercial tools that help you detect vulnerabilities, and secrets that should not be present, in your images and in your runtime systems.
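As an added example (not part of the GitGuardian cheat sheet or of this article's original text), the POSIX shell script below turns several items from that list into something you can run: a grep-based audit of a Dockerfile for build-configuration mistakes (untagged or `latest` base images, running as root, secrets in `ENV`/`ARG`, `ADD` from URLs, pipe-to-shell installs), a check of a `docker run` command line for flags that hand the host to the container (shared resources and privileges), and a reference hardened `docker run` line covering the filesystem, network and logging items. The function names, the embedded sample Dockerfile and the image, volume and network names (`myapp:1.2.3`, `app-data`, `app-net`) are constructed for this example; the `docker run` flags themselves are standard Docker CLI options.

```sh
#!/bin/sh
# Added example, not from the GitGuardian cheat sheet: a grep-based Dockerfile audit,
# a `docker run` flag audit, and a hardened `docker run` reference line.
# Function names and the sample Dockerfile below are this example's own constructions.

# audit_dockerfile FILE: prints one finding per line for common build-time mistakes.
audit_dockerfile() {
  file="$1"
  # Names of multi-stage build stages ("FROM x AS name"), so "FROM name" is not flagged as untagged.
  stages=" $(grep -Eio '^FROM .* AS +[^ ]+' "$file" | awk '{print $NF}' | tr '\n' ' ')"
  grep -Ei '^FROM ' "$file" | while read -r kw ref rest; do
    case "$ref" in --*) ref=${rest%% *} ;; esac          # skip options such as --platform=...
    [ -z "$ref" ] && continue
    case "$ref" in scratch|*@sha256:*) continue ;; esac   # empty base or digest-pinned: fine
    case "$stages" in *" $ref "*) continue ;; esac
    name=${ref##*/}   # drop registry/path so a registry port (host:5000/img) is not read as a tag
    case "$name" in
      *:latest) echo "FROM $ref: floating 'latest' tag, pin a version tag or a digest" ;;
      *:*)      ;;
      *)        echo "FROM $ref: no tag, resolves to 'latest'; pin a version tag or a digest" ;;
    esac
  done
  # The last USER wins; none at all means the process runs as root inside the container.
  last_user=$(grep -Ei '^USER ' "$file" | tail -n 1 | awk '{print $2}')
  case "$last_user" in
    ""|root|0|root:*|0:*) echo "USER: process runs as root (missing USER, or USER root)" ;;
  esac
  # Build args and env vars persist in the image history and metadata: never put secrets there.
  grep -Ei '^(ENV|ARG) +[A-Za-z0-9_]*(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)' "$file" \
    | sed 's/^/secret-looking build arg or env var baked into the image: /'
  # ADD fetches unverified remote content; pipe-to-shell runs whatever the server sent back.
  grep -Ei '^ADD .*https?://' "$file" | sed 's/^/ADD from URL, unverified download: /'
  grep -Ei '^RUN .*(curl|wget).*\| *(sudo +)?(ba)?sh' "$file" | sed 's/^/pipe-to-shell in RUN: /'
}

# audit_run_command 'docker run ...': flags that remove the isolation between container and host.
audit_run_command() {
  cmd=" $1 "
  case "$cmd" in *" --privileged "*) echo "--privileged: all capabilities, no seccomp/AppArmor, raw device access" ;; esac
  case "$cmd" in *--pid=host*|*" --pid host "*) echo "--pid=host: container sees and can signal every host process" ;; esac
  case "$cmd" in *--net=host*|*--network=host*|*" --net host "*|*" --network host "*)
    echo "host networking: no network namespace, container binds host interfaces directly" ;; esac
  case "$cmd" in *--userns=host*) echo "--userns=host: opts out of user-namespace remapping" ;; esac
  case "$cmd" in *docker.sock*) echo "Docker socket mounted: equivalent to root on the host" ;; esac
  case "$cmd" in *--cap-add=ALL*|*" --cap-add ALL "*|*SYS_ADMIN*|*SYS_PTRACE*)
    echo "dangerous capability added (ALL, SYS_ADMIN or SYS_PTRACE)" ;; esac
  case "$cmd" in *seccomp=unconfined*|*apparmor=unconfined*) echo "seccomp/AppArmor profile disabled" ;; esac
}

# hardened_run IMAGE: prints (does not execute) a `docker run` line that applies the
# shared-resource, filesystem, network and logging practices from the list above.
hardened_run() {
  flags="--user 10001:10001"                                        # non-root even if the image forgot USER
  flags="$flags --read-only --tmpfs /tmp:rw,noexec,nosuid,size=64m" # immutable rootfs, scratch space that cannot exec
  flags="$flags --cap-drop=ALL --cap-add=NET_BIND_SERVICE"          # only the one capability the service needs
  flags="$flags --security-opt=no-new-privileges:true"              # setuid binaries cannot regain privileges
  flags="$flags --pids-limit 256 --memory 512m"                     # bound fork bombs and memory exhaustion
  flags="$flags --network app-net"                                  # user-defined bridge, never host networking
  flags="$flags --log-driver json-file --log-opt max-size=10m --log-opt max-file=3"  # bounded, rotated logs
  flags="$flags -v app-data:/data"                                  # named volume instead of a host-path bind mount
  printf 'docker run -d --name app %s %s\n' "$flags" "$1"
}

# Constructed sample input (not a real project): each line plus the missing USER trips one check.
sample_bad_dockerfile() {
  cat <<'EOF'
FROM node
ENV DB_PASSWORD=hunter2
ADD https://example.invalid/tool.tar.gz /opt/
RUN curl -fsSL https://example.invalid/install.sh | bash
CMD ["node", "server.js"]
EOF
}

# Run directly: `sh docker_audit.sh [Dockerfile] ['docker run ...']`; with no arguments it
# audits the constructed sample and a deliberately bad run line, then prints the reference.
if [ $# -ge 1 ]; then
  audit_dockerfile "$1"
  if [ $# -ge 2 ]; then audit_run_command "$2"; fi
else
  demo_file=$(mktemp); sample_bad_dockerfile > "$demo_file"
  audit_dockerfile "$demo_file"; rm -f "$demo_file"
  audit_run_command 'docker run --privileged --net=host -v /var/run/docker.sock:/var/run/docker.sock alpine'
  hardened_run myapp:1.2.3
fi
```

The checks are deliberately simple pattern matches, so treat the script as a pre-commit sanity check, not as a replacement for the image and secret scanners listed under the last bullet; a Dockerfile that passes it can still ship a vulnerable package, and a run line that passes it can still mount a sensitive host path.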
Besides this list, GitGuardian also offers a one-pager that shows clear do’s and don’ts in a visual representation of a Docker image (the Dockerfile itself) as well as the runtime environment. This visual helps to distinguish what is the responsibility of the application development team and what belongs to the infrastructure team.
Besides standalone containers, it’s vital to understand Kubernetes security topics and how to apply measures that keep your data, applications, and network secure. The OWASP group created a very extensive list of security tips and tricks to validate your Kubernetes systems.
Besides an excellent “Top 20” of Kubernetes security points, the cheat sheet contains security-related information for all of the Kubernetes components, such as the API server (kube-apiserver), kubectl, the kubelet, and kube-proxy.
It then dives deeper into five distinct categories:
- Kubernetes host security
- Securing Kubernetes components
- Security best practices for the build phase
- Security best practices for the deploy phase
- Security best practices for the runtime phase
Various tables and diagrams make this cheat sheet a powerful one, for example the table of default ports and protocols used by every Kubernetes service running on the master (control plane) and worker nodes.
I also like the detailed explanation of all of the topics, for example the methods you can use to authenticate to the API server. You get an overview of the authentication methods that are only suitable for non-production clusters as well as the ones suitable for production-grade clusters. This serves as a simple checklist to flag what is appropriate for your situation.
Almost every tip has a “need to know” and a “nice to know” section that outline what you need to know (and implement) as a minimum requirement and what can be achieved later. All sections also come with clear warnings that help you catch the tricky parts.
Recently, the people behind SignalScience.com published a great visual that highlights the main organizational concerns about cloud-native security. It presents a good overview of common answers and statistics on security-related topics at companies worldwide. You can use this visual to support your internal case for progressing and expanding all efforts related to cloud-native security initiatives.
For example, you can point out that only 25% of the companies examined have runtime application protection in place, or that only a minority of the companies investigated have much confidence in the solutions that detect vulnerabilities in production systems.
These are not typical topics for a traditional cheat sheet, but they help to get your story going.
Infrastructure as Code – AWS
AWS has been the most popular cloud provider for a long time now. IT infrastructure professionals need to pinpoint the important security-related aspects if they are to support every (critical) workload in AWS. Vulcan has created a quick and efficient AWS security cheat sheet that covers the most common services. It offers a good overview of what to protect and how to achieve it.
The cheat sheet is grouped into categories such as AWS IAM, layered networking, workload security, and data protection. It also covers third-party integrations as well as account management.
All of the tips and tricks include links to the AWS services they concern. It’s not just a collection of services: the cheat sheet focuses on broader topics that combine many services working together to form a “conceptual building block”. This makes it much more useful than a flat list of services and ways to protect them.
Different groups of IT infrastructure professionals can each focus their efforts on a section of the cheat sheet. This saves time and energy and avoids overlap on security topics that span multiple teams.
Cheat sheets are beneficial to anyone working in the IT industry. They often include practical tips and tricks as well as recommendations and (source code) examples to guide the reader. Since most cheat sheets are written and published by industry experts, the sources are reliable and trustworthy, and they save you the time of digging through all of the documentation of the technology you’re working with. In addition, cheat sheets follow the original products and are updated now and then; sometimes it’s even possible to get a notification when a cheat sheet is updated. In this article we’ve explored several cheat sheets for IT infrastructure specialists.