This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
Security for containers has evolved quite substantially over the past year, but there is still a lot of education that needs to be done. The key point being that the biggest difference in this new paradigm is that everything is based on continuously delivered, micro-service based, applications. The fact that the technology enabler for that paradigm is containers is really less of an issue.
When it comes to containerized applications, everyone seems to be in agreement – statically analyzing what an application can do inside a container and rejecting non-security compliant images and/or vulnerable images is a must. However, no matter how good a job you do with vulnerability scanning and container hardening, there are unknown bugs and vulnerabilities that may manifest in the runtime and cause intrusions or compromises. That is why it’s so important to outfit your system with real-time threat detection and incident response capabilities.
One might point out rightfully that there are good tools for limiting what an application can do in the form of SELinux and AppArmor. While these are really good tools for some tasks, and limit several aspects of what an application does at runtime, expecting your development team to create deep and thoughtful security manifests for all micro-services they create is not realistic and does not scale. I’ve yet to see a large development team adopt this type of security solution for containers at scale.
Here we find ourselves back at the core of the problem – as more and more critical applications move to the container environment, organizations need a scalable and proactive defense layer that allows them to get ahead of the threat curve. At the same time, this defense layer should enable innovation and the adoption of container technologies. The following six tips outline how runtime threat detection and response should be designed to detect real-time threats, anomalies, and active compromises, with a lower false-positive rate than what is seen with traditional anomaly detection:
* Use the declarative nature of the new stack. While developers don’t have the bandwidth to care much about security, they are now required to provide more information as part of the development process. They know which processes are going to run, they know which binaries are going to be used, and they implicitly tell the system about the interactions between containers. That information might exist in the Dockerfile, or it might be in the one of the YAML files that describes how the system is to be orchestrated. One should take that information and automatically translate that into a security profile of what the endpoint should and shouldn’t do.
* Identify the Lego pieces. Developing containers is fun and easy. While you do have more responsibilities, you can easily reuse layers of operating systems and services that are ready made for you, which require you to only tweak some of their configuration. For security baselining, this makes life much easier. If you recognize that 90% of the container is actually a known backend application, doing a relatively simple scan of the changes in the 10% that is left, you can easily see what these lego pieces are up to.
* Establish baseline behavior. You’ve likely heard about machine learning a lot recently, but the truth is, it’s a complicated business and hard to get right. Luckily, containers can actually help. With machine learning, you typically need to have a baseline from which you learn from, and containers are the perfect candidate. They are minimalistic in nature and involve a more limited set of actions then a virtual machine. Security solutions should baseline the application and make use of that.
* Immutability. Immutability means killing an unpatched container, and then pushing a new patched container into production instead of updating it ‘in the field’. While this might sound like a minor detail, this actually allows the endpoint security, for the first time, to treat any polymorphic change in the behavior of the containers as an indication of threat or an indication of a configuration drift.
* Automate runtime threat detection. Doing each of the preceding steps is no trivial matter, and one can not expect to do each one manually, so you must make sure that any process that qualifies to make it into production gets automatically secured. To emphasize the point, it is virtually impossible to ask an IT person to work with each owner of a micro-service and make sure the container is secure. You must adopt a system to automatically “wrap” the container at runtime with security.
* Don’t interfere with application logic. Unlike traditional endpoint detection, you can’t just install an endpoint detection mechanism on each container. Best practice is to have your solution look into running containers from the “outside”. The reason for that is, in order to play by the rules, you are not allowed to modify the containers that developers handed to production. If you change an image, you’re breaking the ability of developers to directly analyze problems with it and must quickly provide resolutions to any issues.
Organizations who implement container-based workflows or run containers in production must consider security from the very beginning or risk suffering security vulnerabilities. Luckily, better security tools exist today, and by leveraging the tips listed above, any business can make their container stacks secure.
Twistlock is the leading provider of security solutions for virtual containers.
More about

© Source: http://www.computerworld.com.au/article/613583/six-runtime-threat-detection-response-tips-container-security/?utm_medium=rss&utm_source=sectionfeed
All rights are reserved and belongs to a source media.

MIT’s latest robot looks a bit like one of those claw machines you find at the front of an arcade, only instead of metal, the claws are made of a clear, membranous substance. And instead of stuffed Minion dolls, they pick up live fish. But other than that, the principles are pretty similar.
The robot’s limbs are made from hydrogel, an extremely pliable material that’s composed primarily of water, formed into structures using 3D printing and laser cutting. When water is pumped into the limbs, they stretch or curl, opening and closing like a hand.
Using the eel-inspired robot, the researchers were able to make the claw close fast enough to grab a goldfish without harming it in the process, while a more traditional robotic hand would likely crush the fish in the process, and nobody wants that.
The team fully admits it hasn’t quite figured out a real world use for the odd fish-grabbing ‘bot, but the material does play along nicely with human tissue, meaning it could someday have some usual surgical applications.
“Hydrogels are soft, wet, biocompatible, and can form more friendly interfaces with human organs,” says lead researcher Xuanhe Zhao. “We are actively collaborating with medical groups to translate this system into soft manipulators such as hydrogel ‘hands,’ which could potentially apply more gentle manipulations to tissues and organs in surgical operations.”
The transparent fish grabber was created with funds from the Office of Naval Research, the MIT Institute for Soldier Nanotechnologies and the National Science Foundation.

© Source: http://feedproxy.google.com/~r/Techcrunch/~3/9BAFadw3zh0/
All rights are reserved and belongs to a source media.

Google is open-sourcing its Chrome browser on the Apple iOS platform, after making changes enabling the code to be part of Google’s Chromium browser project.
The code will be moved to the open source Chromium repository , which lets developers build their own Chrome-like browsers. It had been kept separate from Chromium because of Apple’s requirement that all iOS browsers be built on the Apple-controlled WebKit rendering engine.
But after years of refactoring to cleanly separate WebKit from the Chrome for iOS code, the Chrome for iOS code is rejoining Chromium, Google said in a bulletin. (Chrome on other operating systems uses Google’s own Blink browser engine.) Developers can compile the iOS version of Chromium like they can for other Chromium versions. Google said it had spent a lot of time during the past several years making changes required to move the code for Chrome for iOS into Chromium.
As a result, web app development should be faster, since all tests for Chrome for iOS have available for Chromium browsers. Chromium, providing the open source core of Chrome, has allowed spinoffs of the browser.
Instructions on building Chromium for iOS say the iOS build is more complicated than the desktop build. As part of the inclusion of Chrome for iOS in the Chromium project, Google is providing the ios/build/tools/setup-gn.py script to create four build directories for release and debug device simulator builds and for generating an Apple Xcode workspace.
Tags Google
More about Apple Google

© Source: http://www.computerworld.com.au/article/613571/google-open-sources-chrome-browser-ios/?utm_medium=rss&utm_source=sectionfeed
All rights are reserved and belongs to a source media.