mirror of
https://github.com/LCTT/TranslateProject.git
synced 2025-01-04 22:00:34 +08:00
translated
This commit is contained in:
parent
3005d594c1
commit
3ac333f92d
@ -1,35 +0,0 @@
translating----geekpi
### Changes in Password Best Practices
NIST recently published its four-volume [_SP800-63b Digital Identity Guidelines_][3] . Among other things, it makes three important suggestions when it comes to passwords:
1. Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they [don't help][1] that much. It's better to allow people to use pass phrases.
2. Stop it with password expiration. That was an [old idea for an old way][2] we used computers. Today, don't make people change their passwords unless there's indication of compromise.
3. Let people use password managers. This is how we deal with all the passwords we need.
These password rules were failed attempts to [fix the user][4]. Better we fix the security systems.
--------------------------------------------------------------------------------
作者简介:
I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I write books, articles, and academic papers. Currently, I'm the Chief Technology Officer of IBM Resilient, a fellow at Harvard's Berkman Center, and a board member of EFF.
-----------------
via: https://www.schneier.com/blog/archives/2017/10/changes_in_pass.html
作者:[Bruce Schneier][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://www.schneier.com/blog/about/
[1]:https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118
[2]:https://securingthehuman.sans.org/blog/2017/03/23/time-for-password-expiration-to-die
[3]:http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
[4]:http://ieeexplore.ieee.org/document/7676198/?reload=true
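Review bot: the commit message `translated` does not say which file this hunk removes or where its translation was added; since `@ -1,35 +0,0 @@` deletes the entire English source of "Changes in Password Best Practices", including the `translating----geekpi` claim line, name the article and the destination path in the message so the removal of the source can be matched to the translated file it replaces.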
@ -1,62 +0,0 @@
translating---geekpi
What is Grafeas? Better auditing for containers
============================================================
### Google's Grafeas provides a common API for metadata about containers, from image and build details to security vulnerabilities
![What is Grafeas? Better auditing for containers](https://images.techhive.com/images/article/2016/03/questions_analytics-100650053-primary.idge.jpg)
Thinkstock
The software we run has never been more difficult to vouchsafe than it is today. It is scattered between local deployments and cloud services, built with open source components that aren’t always a known quantity, and delivered on a fast-moving schedule, making it a challenge to guarantee safety or quality.
The end result is software that is hard to audit, reason about, secure, and manage. It is difficult not just to know what a VM or container was built with, but what has been added or removed or changed and by whom. [Grafeas][5], originally devised by Google, is intended to make these questions easier to answer.
### What is Grafeas?
Grafeas is an open source project that defines a metadata API for software components. It is meant to provide a uniform metadata schema that allows VMs, containers, JAR files, and other software artifacts to describe themselves to the environments they run in and to the users that manage them. The goal is to allow processes like auditing the software used in a given environment, and auditing the changes made to that software, to be done in a consistent and reliable way.
Grafeas provides APIs for two kinds of metadata, notes and occurrences:
* Notesare details about some aspect of the software artifact in question. This can be a description of a known software vulnerability, details about how the software was built (the builder version, its checksum, etc.), a history of its deployment, and so on.
* Occurrences are instances of notes, with details about where and how they were created. Details of a known software vulnerability, for instance, could have occurrence information describing which vulnerability scanner detected it, when it was detected, and whether or not the vulnerability has been addressed.
Both notes and occurrences are stored in a repository. Each note and occurrence is tracked using an identifier that distinguishes it and makes it unique.
The Grafeas spec includes several basic schemas for types of notes. The package vulnerability schema, for instance, describes how to store note information for a CVE or vulnerability description. Right now there is no formal process for accepting new schema types, but [plans are on the table][6] for creating such a process.
### Grafeas clients and third-party support
Right now, Grafeas exists mainly as a spec and a reference implementation, [available on GitHub][7]. Clients for [Go][8], [Python][9], and [Java ][10]are all available, [generated by Swagger][11], so clients for other languages shouldn’t be hard to produce.
One key way Google plans to allow Grafeas to be widely used is through Kubernetes. A policy engine for Kubernetes, called Kritis, allows actions to be taken on containers based on their Grafeas metadata.
Several companies in addition to Google have announced plans for adding Grafeas support to existing products. CoreOS, for instance, is looking at how Grafeas can be integrated with Tectonic, and both [Red Hat][12] and [IBM][13] are planning to add Grafeas integrations to their container products and services.
--------------------------------------------------------------------------------
via: https://www.infoworld.com/article/3230462/security/what-is-grafeas-better-auditing-for-containers.html
作者:[Serdar Yegulalp ][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://www.infoworld.com/author/Serdar-Yegulalp/
[1]:https://www.infoworld.com/author/Serdar-Yegulalp/
[2]:https://www.infoworld.com/author/Serdar-Yegulalp/
[3]:https://www.infoworld.com/article/3207686/cloud-computing/how-to-get-started-with-kubernetes.html#tk.ifw-infsb
[4]:https://www.infoworld.com/newsletters/signup.html#tk.ifw-infsb
[5]:http://grafeas.io/
[6]:https://github.com/Grafeas/Grafeas/issues/38
[7]:https://github.com/grafeas/grafeas
[8]:https://github.com/Grafeas/client-go
[9]:https://github.com/Grafeas/client-python
[10]:https://github.com/Grafeas/client-java
[11]:https://www.infoworld.com/article/2902750/application-development/manage-apis-with-swagger.html
[12]:https://www.redhat.com/en/blog/red-hat-google-cloud-and-other-industry-leaders-join-together-standardize-kubernetes-service-component-auditing-and-policy-enforcement
[13]:https://developer.ibm.com/dwblog/2017/grafeas/
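Review bot: the removed Grafeas source still carries its `translating---geekpi` claim line, the `Notesare` spacing error in the notes bullet, and four link definitions `[1]` to `[4]` that nothing in the body references (the text only uses `[5]` to `[13]` and `[a]`); since `@ -1,62 +0,0 @@` deletes the whole file under the one-word message `translated`, check that the translated counterpart does not inherit the claim line, the typo, or the dead reference entries, and name that counterpart in the commit message.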