
Randomdevops | 3 years ago

Being only able to connect to declared dependencies.

So say the application is compromised, it can't connect to the internet; from there it could only connect to the declared database and webservice. So those would need to have vulnerabilities too that could be exploited from that end, hence limiting the blast radius.

So not really worried about physical access, but more along the lines of an RCE (Spring4Shell) probing the rest of the network or a supply chain attack that tries to send out data...

withinboredom | 3 years ago

In that case, I would recommend something like Cilium (which can run standalone or part of k8s) where you can set up firewalls per application/node and be alerted whenever something attempts to do something against the rules.
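As an added illustration of the per-application egress restriction discussed in this thread (not code from either commenter), here is a Cilium network policy that lets one workload reach only its declared database and webservice. The namespace `shop`, the labels `app: orders`, `app: postgres` and `app: inventory-api`, and the ports are assumed example values; the kube-dns rule is needed because once any egress rule exists, Cilium denies all other egress from the selected pods, including name resolution.

```yaml
# Constructed example policy: the "orders" app may talk only to its
# declared dependencies (Postgres, inventory-api) plus cluster DNS.
# Everything else outbound, including the internet, is dropped.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: orders-egress-declared-deps   # assumed name
  namespace: shop                      # assumed namespace
spec:
  endpointSelector:
    matchLabels:
      app: orders                      # assumed label on the app pods
  egress:
    # Declared dependency 1: the database, TCP 5432 only.
    - toEndpoints:
        - matchLabels:
            app: postgres
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP
    # Declared dependency 2: the internal webservice, TCP 8080 only.
    - toEndpoints:
        - matchLabels:
            app: inventory-api
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
    # Cluster DNS, so the two names above still resolve. Without this
    # rule the default-deny that the policy implies breaks lookups.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
```

With Hubble enabled, `hubble observe --verdict DROPPED --from-pod shop/<orders-pod>` lists the flows this policy rejects, which is the alerting signal the comment refers to (a compromised pod probing the network or trying to exfiltrate shows up as repeated drops).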