# Episode 175 : Curiefense - Cloud Native Web Application Firewall

- Hosted by Ricardo Katz [@rpkatz](https://twitter.com/rpkatz)
- Guests: Justin Dorfman - Curiefense [@jdorfman](https://twitter.com/jdorfman)
- Recording date: 2021-11-19 1PM PST

<a href="https://youtu.be/lDFnnvK43Cw" target="_blank"><img src="https://i.ytimg.com/vi/lDFnnvK43Cw/maxresdefault.jpg" border="10" /></a>

Join Ricardo as we explore Curiefense, a sandbox CNCF project that proposes to be the open source cloud native application security platform that protects all forms of web traffic. We will try to install it, simulate some scenarios and have some fun!

## Welcome back!

Did you know we had a double header TGIK today? The first one happened at 9AM PST. Check out the recording here in case you missed it: tgik.io/174

## Week in Review

* *Kubernetes v1.23* is almost there - Code freeze is now ongoing, so only patches and PRs that block releases will be accepted!
* November Kubernetes patch releases are out! - https://twitter.com/puerco/status/1461176447742226440?s=20
* Go v1.18 is almost there, and this cool [Twitter thread](https://twitter.com/mvdan_/status/1456947756925399040?s=12) covers A LOT of the new stuff: fuzzing, generics, and even a new `net/netip` package and a new `strings/bytes.Cut()`
* Gatekeeper 3.7.0 was [released](https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.7.0) with a bunch of new features: Mutation moved to Beta (yeey), and a new CLI (alpha) so you can test constraints and constrainttemplates without Kubernetes
* Dockershim is deprecated and marked for removal in v1.24, and SIG-Node is collecting some feedback - https://kubernetes.io/blog/2021/11/12/are-you-ready-for-dockershim-removal/
* Pod Security Admission is moving to Beta and will be enabled by default in v1.23. This tweet has some useful links: https://twitter.com/tallclair/status/1460386502555230216
* https://medium.com/@LachlanEvenson/hands-on-with-kubernetes-pod-security-admission-b6cac495cd11 is a good starting point for PSA

## Show Notes

* Is Envoy the only component in DataPlane?
* When using the IDS mode / rules, we should test only with POST methods right now

### Curiefense interesting links

- https://www.curiefense.io/

### Vulnerable applications to play with and test

DON'T RUN IN PRODUCTION!!!

- https://github.com/digininja/DVWA
- https://github.com/rikatz/dvwa-container (Container version for our labs)
- https://github.com/WebGoat/WebGoat
- https://github.com/juice-shop/juice-shop