We are pleased to announce the availability of hardened secure images for the community, allowing developers to build their applications from day one without concerns about vulnerabilities. Cleanstart is now a trusted verified publisher on Docker Hub, and we plan to expand our range of images in the future to support developers in accessing images for immediate use. With over 100k downloads within a few weeks, we believe this is what developers have been looking for. We are committed to providing continuous updates for all community version images on a regular basis, primarily within a 24-hour update cycle. For more details, please check the link: https://lnkd.in/gb_NDPtz
Cleanstart Offers Secure Images for Developers
More Relevant Posts
-
Hot take: Most "hardened container images" are a lie. 🔥 After reviewing countless container images brought to us by customers, I've seen some wild things: Node.js images with mysteriously zero npm packages, SBOMs missing transitive dependencies, and opaque CVE processes that violate basic transparency principles. Container security isn't rocket science—but it requires radical honesty. In my latest blog, I break down the 5 non-negotiable pillars of real container security (spoiler: 98% CVE reduction, 100% complete SBOMs, SLSA Build Level 3, VEX, and cryptographic verification) and why 100% transparency is the only way forward. If you're buying hardened images, you need to verify vendor claims. The supply chain attacks are too sophisticated, and the stakes are too high. Read why we're flipping the table on container security: https://lnkd.in/e_stZAa2 #ContainerSecurity #DevSecOps #SupplyChainSecurity #Docker
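One concrete way to test the "100% complete SBOM" claim the post above says buyers should verify: treat the application's lockfile as ground truth and diff it against what the image's SBOM declares. This is an added example for this page, not code from the post or from any image vendor. It assumes a CycloneDX-style SBOM (components carrying a purl) and an npm package-lock.json v2/v3 "packages" map; both inputs below are constructed to show the "transitive dependencies missing" case.

```python
"""Cross-check an image's SBOM against the application lockfile it should cover.

Added example for this page; it is not code from the post or from any image
vendor. Assumptions: a CycloneDX-style SBOM (components with purl/name/version)
and an npm package-lock.json v2/v3 "packages" map. Both inputs are constructed.
"""
import json
from typing import Dict, Set, Tuple

Pkg = Tuple[str, str]  # (name, version)

# Constructed lockfile: every installed package, transitive ones included,
# is keyed by its node_modules path.
LOCKFILE = json.loads("""
{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0",
         "dependencies": {"express": "^4.19.2"}},
    "node_modules/express": {"version": "4.19.2",
         "dependencies": {"body-parser": "1.20.2", "cookie": "0.6.0"}},
    "node_modules/body-parser": {"version": "1.20.2",
         "dependencies": {"qs": "6.11.0", "debug": "2.6.9"}},
    "node_modules/cookie": {"version": "0.6.0"},
    "node_modules/qs": {"version": "6.11.0"},
    "node_modules/body-parser/node_modules/debug": {"version": "2.6.9"}
  }
}
""")

# Constructed SBOM showing the pattern the post describes: only the direct
# dependency is listed, the transitive ones are missing.
SBOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "express", "version": "4.19.2",
     "purl": "pkg:npm/express@4.19.2"},
    {"type": "operating-system", "name": "alpine", "version": "3.20"}
  ]
}
""")


def installed_packages(lock: dict) -> Set[Pkg]:
    """Every (name, version) the lockfile installs, nested copies included."""
    found: Set[Pkg] = set()
    for path, meta in lock.get("packages", {}).items():
        if path == "":          # the root project itself
            continue
        # The text after the last "node_modules/" is the package name
        # (scoped names such as @scope/pkg keep their inner slash).
        name = path.rsplit("node_modules/", 1)[-1]
        found.add((name, meta["version"]))
    return found


def sbom_npm_packages(sbom: dict) -> Set[Pkg]:
    """(name, version) for every component the SBOM identifies as an npm package."""
    return {(c["name"], c["version"])
            for c in sbom.get("components", [])
            if c.get("purl", "").startswith("pkg:npm/")}


def sbom_gaps(sbom: dict, lock: dict) -> Dict[str, object]:
    """Lockfile is ground truth; report what the SBOM under- or over-claims."""
    installed = installed_packages(lock)
    declared = sbom_npm_packages(sbom)
    covered = len(installed & declared)
    return {
        "missing_from_sbom": sorted(installed - declared),   # silent risk
        "not_installed": sorted(declared - installed),       # stale/phantom entries
        "coverage_pct": round(100.0 * covered / len(installed), 1) if installed else 100.0,
    }


def verdict(gaps: Dict[str, object]) -> str:
    """The pass/fail a buyer actually wants from a '100% SBOM' claim."""
    return "complete" if not gaps["missing_from_sbom"] else "incomplete"


if __name__ == "__main__":
    g = sbom_gaps(SBOM, LOCKFILE)
    print(verdict(g), g)
```

Run against a real image, the lockfile comes out of the image's own filesystem (so the comparison covers what actually shipped) and the SBOM is whatever the vendor attached; an SBOM that lists a framework but none of its transitive packages scores 20% here, which is the "zero npm packages" symptom the post describes.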
-
🔐 Building a Safer Discord: My Security-Focused Bot Project 🚀
Hey everyone 👋 I’m excited to share my latest open-source project — a Security-Focused Discord Bot designed to make Discord servers safer and more resilient against common threats.
👉 GitHub: https://lnkd.in/gV246ea8
🧩 Why I built this
Discord communities are thriving — from gaming to developer hubs. But with that growth comes spam, phishing, impersonation, and malicious links. So I decided to create a bot that goes beyond moderation — one that applies real security principles (signature validation, access control, event logging) to Discord automation.
⚙️ What it does
Here’s what’s under the hood 👇
✅ Signature Verification (Ed25519) — authenticates incoming requests to block spoofing
✅ Role-Based Access Control (RBAC) — least privilege and deny-by-default
✅ Threat Scanning — detects malicious links or attachments
✅ Message Quarantine — isolates suspicious content safely
✅ Secure Logging — maintains immutable audit trails
✅ Anti-Replay Protection — validates timestamps to stop message reuse
…and more to come soon (like rate-limiting, encrypted config management, and container hardening).
🧠 Tech Stack & Design
Built with Python + Discord.py, following modular, security-first architecture:
- Clean command structure
- Ephemeral responses for sensitive data
- Input validation & sanitization
- Exception-safe handling
- Future-ready for cloud or container deployments
🤝 Get Involved
This is an open project — and I’d love your thoughts!
🌟 Star the repo
🍴 Fork and contribute
🧪 Suggest new features
💬 Share feedback
💡 Final Thought
Security shouldn’t be an afterthought — even in community spaces. I hope this project inspires others to bring DevSecOps principles into the platforms we use every day. Let’s build safer online communities, one bot at a time 💪
#OpenSource #Python #CyberSecurity #Discord #DevSecOps #InfoSec #Automation #BotDevelopment #CommunitySecurity
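The two checks the post pairs, Ed25519 signature verification and timestamp-based anti-replay, are worth seeing together because the order matters: freshness first (cheap, bounds the replay cache), then the signature, then the replay lookup. The following is an added example and is not the bot's own code. It follows the Discord interactions convention (X-Signature-Ed25519 and X-Signature-Timestamp headers, signed message = timestamp string followed by the raw body, hex encoding), uses the `cryptography` package for Ed25519, and the five-minute skew window is an assumption; the key pair and requests are generated locally so it runs offline.

```python
"""Ed25519 request authentication plus a timestamp replay window.

Added example, not the bot's own code. It follows the Discord interactions
convention (X-Signature-Ed25519 and X-Signature-Timestamp headers, signed
message = timestamp string + raw body, hex encoding) and uses the
`cryptography` package; the skew window is an assumption.
"""
import time
from typing import Dict, List, Optional, Tuple

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)

MAX_SKEW_SECONDS = 300  # assumption: anything older than 5 min is stale


class InteractionVerifier:
    """Checks freshness, then authenticity, then replay, in that order."""

    def __init__(self, public_key_hex: str, max_skew: int = MAX_SKEW_SECONDS):
        self.key = Ed25519PublicKey.from_public_bytes(bytes.fromhex(public_key_hex))
        self.max_skew = max_skew
        self.seen: Dict[bytes, int] = {}   # accepted signature -> its timestamp

    def verify(self, signature_hex: str, timestamp: str, body: bytes,
               now: Optional[float] = None) -> str:
        """Return "ok" or a short rejection reason; never raises to the caller."""
        now = time.time() if now is None else now
        try:
            ts = int(timestamp)
        except ValueError:
            return "bad-timestamp"
        if abs(now - ts) > self.max_skew:
            return "stale"                    # outside the replay window
        try:
            sig = bytes.fromhex(signature_hex)
            self.key.verify(sig, timestamp.encode() + body)
        except (ValueError, InvalidSignature):
            return "bad-signature"            # forged, tampered, or malformed
        self._prune(now)
        if sig in self.seen:
            return "replay"                   # valid but already consumed
        self.seen[sig] = ts
        return "ok"

    def _prune(self, now: float) -> None:
        """Drop cache entries the skew check would reject anyway."""
        cutoff = now - self.max_skew
        self.seen = {s: t for s, t in self.seen.items() if t >= cutoff}


# Helpers standing in for Discord's side so the example runs offline.
def generate_keypair() -> Tuple[Ed25519PrivateKey, str]:
    priv = Ed25519PrivateKey.generate()
    pub_hex = priv.public_key().public_bytes(
        serialization.Encoding.Raw, serialization.PublicFormat.Raw).hex()
    return priv, pub_hex


def sign_request(priv: Ed25519PrivateKey, timestamp: str, body: bytes) -> str:
    return priv.sign(timestamp.encode() + body).hex()


def demo() -> List[str]:
    """Valid request, its replay, a tampered body, and a stale timestamp."""
    priv, pub_hex = generate_keypair()
    v = InteractionVerifier(pub_hex)
    now = int(time.time())
    ts, body = str(now), b'{"type":1}'
    sig = sign_request(priv, ts, body)
    return [
        v.verify(sig, ts, body, now),              # ok
        v.verify(sig, ts, body, now),              # replay
        v.verify(sig, ts, b'{"type":2}', now),     # bad-signature
        v.verify(sig, ts, body, now + 1000),       # stale
    ]


if __name__ == "__main__":
    print(demo())
```

Because the replay cache is pruned to the same window the freshness check enforces, it stays bounded by request rate times skew; with several bot replicas the cache has to be shared (or the window shortened) or a replay against a second replica still succeeds.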
-
Docker's container isolation completely failed. CVE-2025-9074 (CVSS 9.3) allows any malicious container to access Docker Engine API without authentication, bypassing Enhanced Container Isolation entirely. A simple HTTP POST request can now bind the host C:\ drive and execute arbitrary code. This undermines fundamental Docker security assumptions. When container breakouts become this trivial, security teams need coordinated response strategies and shared visibility into attack vectors. https://lnkd.in/g6zgwsXZ
-
Docker isn’t secure by default. Your containers might be carrying open doors for attackers without you knowing. I wrote a breakdown on how to harden Docker in real-world environments. It’s time to stop relying on luck and start building real security layers.
-
PoC Exploit Released for Sudo Vulnerability that Enables Attackers to Gain Root Access A publicly available proof-of-concept (PoC) exploit has been released for CVE-2025-32463, a local privilege escalation (LPE) flaw in the Sudo utility that can grant root access under specific configurations. Security researcher Rich Mirch is credited with identifying the weakness, while a functional PoC and usage guide have been published in an open GitHub repository, accelerating the urgency for patching across Linux environments that rely on Sudo’s chroot functionality. Stay connected for industry’s latest content – Follow Deepthi Talasila #DevSecOps #ApplicationSecurity #AgenticAI #CloudSecurity #CyberSecurity #AIinSecurity #SecureDevOps #AppSec #AIandSecurity #CloudComputing #SecurityEngineering #ZeroTrust #MLSecurity #AICompliance #SecurityAutomation #SecureCoding #linkedin #InfoSec #SecurityByDesign #AIThreatDetection #CloudNativeSecurity #ShiftLeftSecurity #SecureAI #AIinDevSecOps #SecurityOps #CyberResilience #DataSecurity #SecurityInnovation #SecurityArchitecture #TrustworthyAI #AIinCloudSecurity #NextGenSecurity https://lnkd.in/gnNqxUBZ
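Before chasing the PoC, the first thing a practitioner wants is a quick read on whether a fleet's sudo falls in the affected range. The check below is an added example, not code from the post or the PoC repository. Its one assumption is taken from the sudo project's advisory rather than from this page: affected releases are 1.9.14 (where the chroot option was introduced) through 1.9.17, fixed in 1.9.17p1. Distributions that backport the fix keep the old version string, so a hit means "confirm with your vendor's security tracker", not proven exposure.

```python
"""Version-range check for the sudo chroot flaw (CVE-2025-32463).

Added example, not from the post or the PoC repository. Assumption, taken
from the sudo project's advisory rather than from this page: affected
releases are 1.9.14 through 1.9.17, fixed in 1.9.17p1. Distributions that
backport the fix keep the old version string, so treat a hit as "check with
your vendor", not as proof of exposure.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]       # (major, minor, patch, p-level)
AFFECTED_MIN: Version = (1, 9, 14, 0)     # chroot (-R) support arrived in 1.9.14
FIXED_IN: Version = (1, 9, 17, 1)         # 1.9.17p1


def parse_sudo_version(text: str) -> Optional[Version]:
    """'Sudo version 1.9.17p1' -> (1, 9, 17, 1); a missing pN counts as 0."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def in_affected_range(v: Version) -> bool:
    return AFFECTED_MIN <= v < FIXED_IN


def assess(version_text: str) -> str:
    """'affected-range', 'not-in-range' or 'unknown' for `sudo --version` output."""
    v = parse_sudo_version(version_text)
    if v is None:
        return "unknown"
    return "affected-range" if in_affected_range(v) else "not-in-range"


def local_sudo_version_text() -> str:
    """First line of `sudo --version` carries the version string."""
    try:
        return subprocess.run(["sudo", "--version"], capture_output=True,
                              text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    print(assess(local_sudo_version_text()))
```

The tuple comparison handles the pN patch-level suffix that a naive string compare gets wrong (1.9.17p1 sorts after 1.9.17). Feed the same function the output collected by your inventory agent to triage a fleet without running anything on the hosts.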
-
If true, this just killed Rust. Someone demonstrated that adding a single line to Cargo.toml to add a dependency, an almost necessary thing in Rust, causes a by-design, no-further-touch, remote arbitrary code execution. I am aware of projects that have hundreds of dependencies (think 500+) which point to existing packages (also known as “crates”) that reside somewhere on the Internet and are vulnerable to malicious patches that unsuspecting consumers may eventually download. This is a common (and somewhat understood) risk that requires a secure supply chain. However, how can you be sure? Some deliberate vulnerabilities injected in source form can be very subtle and escape all but expert eyes, but at least this one is not: it instantly runs whatever the attacker wants under your credentials without asking. If this feature happens to be real, it means that any crate could one day inject arbitrary code performing any arbitrary action on your secure build servers, injecting backdoors or anything else that no one has ever seen into your code, ending up straight in production-signed binaries, which will later run with a high level of trust on your secure production servers 🫣 This also means that any developer having ever worked on any project containing a compromised dependency, even simply built a Hello World of some random thing to test the water, just once someday, could be infected by effectively zero-click exploits that ran on their machine, real or virtual, with their corporate credentials and full access to the company’s source code tree, as well as whatever network resources they have access to. Cool 😎 CTOs and CISOs, let me know if you need help fathoming the potential consequences.
Digging a little deeper into Rust’s build system’s by-design vulnerabilities, it appears that build.rs can also be used to run arbitrary code during ‘cargo build’ and ‘cargo run’, or that the supply chain can be compromised through hacks in Cargo.lock, causing the build system to silently include the wrong package, i.e., a malicious dependency like the one described above. A savvy attacker can therefore inject backdoors or a data exfiltration facility in the code being built, that may end up dormant in production-signed binaries on your most secure server already, as well as on any of your developers’ machines. This is wild, if you think about it for a minute. It’s like playing Russian Roulette with six bullets in the cylinder, as it’s literally unlikely it wasn’t exploited already. The solutions are zero external dependencies, but then the RAD value-prop of a rich ecosystem dwindles as you’d have to write everything yourself, or an expertly reviewed secure supply chain that inspects every crate every time they are retrieved and ultra-strict discipline now and forever, a costly and risky liability if you ask me. The video (a live demo showing arbitrary remote code execution) is in French, but you’ll understand. https://lnkd.in/gnp7MTzh #rust
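The post's second scenario, a Cargo.lock edited so the build silently resolves a different package, is the one that is cheap to check for mechanically before a build runs: every non-workspace entry should come from the registry you expect and carry a checksum, and no crate name should sit one edit away from a popular one. The audit below is an added example, not code from the post or the demo video. Assumptions: the lockfile is in the current format, crates.io is the only trusted source, the "popular" allow-list is yours to maintain, and the sample lockfile is constructed with a placeholder checksum.

```python
"""Audit a Cargo.lock for the tampering the post warns about: crates resolved
from somewhere other than the expected registry, entries with no checksum for
Cargo to verify, and names one edit away from a popular crate.

Added example, not code from the post or the demo video. Assumptions: the
lockfile uses the current format; crates.io is the only trusted source; the
sample lockfile below is constructed and its checksum is a placeholder.
"""
import re
from typing import Dict, List

TRUSTED_SOURCE = "registry+https://github.com/rust-lang/crates.io-index"
POPULAR = ("serde", "rand", "tokio", "syn", "regex")   # assumption: your own allow-list

SAMPLE_LOCK = '''
# This file is automatically @generated by Cargo.
version = 4

[[package]]
name = "demo"
version = "0.1.0"
dependencies = [
 "rand",
 "serd",
 "serde",
]

[[package]]
name = "rand"
version = "0.8.5"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serd"
version = "0.1.2"
source = "git+https://example.invalid/someone/serd#0123abcd"

[[package]]
name = "serde"
version = "1.0.210"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"
'''


def parse_cargo_lock(text: str) -> List[Dict]:
    """Minimal reader for the [[package]] tables; enough for auditing."""
    packages: List[Dict] = []
    cur, in_deps = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            cur, in_deps = {}, False
            packages.append(cur)
        elif cur is None:
            continue                      # header lines before the first table
        elif in_deps:
            if line == "]":
                in_deps = False
            else:
                cur["dependencies"].append(line.strip('",'))
        elif line.startswith("dependencies = ["):
            cur["dependencies"] = []
            in_deps = not line.endswith("]")
        else:
            m = re.match(r'(\w+) = "(.*)"$', line)
            if m:
                cur[m.group(1)] = m.group(2)
    return packages


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike crate names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(packages: List[Dict]) -> List[str]:
    findings = []
    for p in packages:
        label = f'{p.get("name", "?")} {p.get("version", "?")}'
        src = p.get("source")
        if src is not None:               # workspace/path crates carry no source
            if src != TRUSTED_SOURCE:
                findings.append(f"{label}: untrusted source {src}")
            if "checksum" not in p:
                findings.append(f"{label}: no checksum, download cannot be verified")
        for known in POPULAR:
            if p.get("name") != known and edit_distance(p.get("name", ""), known) == 1:
                findings.append(f"{label}: name is one edit from '{known}' (possible typosquat)")
    return findings


if __name__ == "__main__":
    for f in audit(parse_cargo_lock(SAMPLE_LOCK)):
        print(f)
```

This catches a rewritten or missing `source`/`checksum` line, which is the lockfile tampering the post describes; it does not see a malicious build.rs inside a legitimately resolved crate, so pair it with `cargo build --locked` in CI (so a lockfile change fails the build instead of being silently accepted) and with review of vendored sources.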
-
Hey guys! Is Your Docker Container Safe? 5 Must-Do Security Tips!
«We all love Docker for making containers super light and fast, right? But let's be real: keeping them secure is the most critical part of the job. If they’re not safe, we're asking for trouble! Here are the key practices we have to follow to keep our containers locked down:
1. Stick to Trusted Images: Seriously, only use official or verified images from Docker Hub. Don't download random stuff from the internet!
2. Run Non-Root (Please!): Make sure your containers are running as non-root users. This is a huge, easy step to limit access if something goes wrong.
3. Reduce the Attack Surface: Ditch capabilities you don't need using --cap-drop and stop exposing ports you aren't actually using. Fewer open doors means fewer problems!
4. Scan for Issues (Always!): Use awesome tools like docker scan or Trivy to constantly check your images for known vulnerabilities. Find those issues before the bad guys do.
5. Manage Secrets Safely: Passwords and keys belong in Docker Secrets, not in environment variables. Let's not keep the keys to the castle under the doormat!
Practical Example: For your web app, just running containers as non-root and regularly scanning images can shut down a ton of potential breaches.
A Friendly Tip: Always keep your images updated and use super specific tags (like alpine:3.18, not just alpine:latest) to avoid getting hit by unexpected changes.
Your Turn: What security practices do you swear by for Docker? What’s the biggest mistake you’ve seen? Share your best tips with the community below!
#Docker #Security #DevOps #Containers»
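Four of the practices in the post above (pinned base image, non-root USER, no secrets in ENV, no unneeded ports) are visible in the Dockerfile itself, so they can be linted before an image is ever built. The linter below is an added example, not code from the post. Both Dockerfiles it checks are constructed, one weak and one hardened, and the set of "administrative" ports it flags is an assumption; runtime controls such as `--cap-drop` and Docker Secrets are outside what a Dockerfile shows and are not checked here.

```python
"""Lint a Dockerfile for the post's practices that are visible in the file:
a pinned base image, a non-root USER, no secrets in ENV/ARG, and no
administrative ports in EXPOSE.

Added example, not code from the post. Both Dockerfiles below are
constructed; the set of "administrative" ports is an assumption.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str]   # (level, message); level is "warn" or "info"

SECRET_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)
ADMIN_PORTS = {"22", "2375", "2376"}  # assumption: ssh, docker daemon (plain/TLS)

WEAK = """
FROM node:latest
ENV DB_PASSWORD=hunter2
COPY . /app
EXPOSE 22 80
CMD ["node", "/app/server.js"]
"""

HARDENED = """
FROM node:20-alpine3.20
RUN addgroup -S app && adduser -S app -G app
COPY --chown=app:app . /app
USER app
EXPOSE 80
CMD ["node", "/app/server.js"]
"""


def instructions(text: str) -> List[Tuple[str, str]]:
    """Split into (INSTRUCTION, arguments), joining backslash continuations."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        buf = ""
        out.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return out


def lint_dockerfile(text: str) -> List[Finding]:
    findings: List[Finding] = []
    user = None
    for instr, rest in instructions(text):
        if instr == "FROM":
            ref = [t for t in rest.split() if not t.startswith("--")][0]
            if ref.lower() == "scratch" or "@sha256:" in ref:
                continue                                   # digest-pinned or empty base
            last = ref.rsplit("/", 1)[-1]                  # strip registry/namespace
            if ":" not in last:
                findings.append(("warn", f"FROM {ref}: untagged, resolves to :latest"))
            elif last.split(":", 1)[1] == "latest":
                findings.append(("warn", f"FROM {ref}: floating 'latest' tag"))
            else:
                findings.append(("info", f"FROM {ref}: tag pinned but not by digest"))
        elif instr == "USER":
            user = rest.split()[0]
        elif instr in ("ENV", "ARG"):
            pairs = re.findall(r"([A-Za-z_][A-Za-z0-9_]*)=(\S+)", rest)
            if not pairs and len(rest.split(None, 1)) == 2:    # legacy "ENV KEY value"
                pairs = [tuple(rest.split(None, 1))]
            for key, _value in pairs:
                if SECRET_NAME.search(key):
                    findings.append(("warn", f"{instr} {key}: secret baked into the image"))
        elif instr == "EXPOSE":
            for port in rest.split():
                if port.split("/")[0] in ADMIN_PORTS:
                    findings.append(("warn", f"EXPOSE {port}: administrative port exposed"))
    if user is None:
        findings.append(("warn", "no USER instruction: container runs as root"))
    elif user in ("root", "0") or user.startswith("0:"):
        findings.append(("warn", f"USER {user}: explicitly root"))
    return findings


def warnings(text: str) -> List[str]:
    return [msg for level, msg in lint_dockerfile(text) if level == "warn"]


if __name__ == "__main__":
    for name, df in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_dockerfile(df))
```

The hardened file still gets one informational note: a version tag like the post's `alpine:3.18` stops surprise upgrades but a tag can be re-pushed, so pin by `@sha256:` digest for a build you need to reproduce.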
-
Many engineering leaders live in the dark when it comes to code security. They don’t have the time to dig into the code themselves, so they rely on assurances from their teams. The problem? That leaves them without the detail they need to make confident decisions. After our Rezliant (free) audit, a customer said they finally had the data to engage with their engineers at a meaningful level — without spending days buried in research. It was just an audit. But it led to a clear security game plan, with priorities that matched their stage of growth. That’s the difference between a checkbox audit and an audit that creates clarity, alignment, and action. That's the difference between others and Rezliant. We started with GitHub, and now we’ve added support for GitLab and Azure teams! If the latter is where your code lives, you can grab a free audit from us as well: https://lnkd.in/gNiyJXfq #cybersecurity #growth #engineering
-
Our security team uncovered a malicious #PyPI package called #SoopSocks, which disguises itself as a SOCKS5 proxy but behaves like a backdoor. Our research revealed that it installs persistence via Windows services and scheduled tasks, modifies firewall rules, silently executes PowerShell with UAC bypass, and exfiltrates host and network data to a hardcoded Discord webhook every 30 seconds. It evolved from a #Python module to a Go executable with hidden deployment scripts, enabling attackers to proxy traffic, anonymize connections, and perform stealthy reconnaissance. SoopSocks was removed from PyPI on September 29 after our disclosure. Read our full technical deep dive, including dynamic analysis, IOCs, and remediation steps here: https://bit.ly/4gR2cWz
-
This is what unseen threats look like. Our security team uncovered #SoopSocks, a malicious #PyPI package that acted as a backdoor while appearing to be a simple SOCKS5 proxy. The deep dive reveals how it achieved Windows persistence, modified firewall rules, and secretly exfiltrated data every 30 seconds. A crucial read for #CyberSecurityAwarenessMonth on how attackers are becoming increasingly stealthy.
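The behaviour both SoopSocks posts above single out, an exfiltration POST to a hardcoded Discord webhook every 30 seconds, is a textbook beacon, and a fixed period is something a proxy log reveals even when the payload is encrypted. The detector below is an added example and is not from the write-up. The log format and every line in it are constructed (one host beaconing to a webhook path, one user browsing Discord with irregular timing); the minimum event count and jitter threshold are assumptions to tune on your own traffic.

```python
"""Spot fixed-interval callbacks (beaconing) to a webhook endpoint in web-proxy
logs, the pattern the SoopSocks write-up describes (exfiltration to a Discord
webhook every 30 seconds).

Added example, not from the write-up. The log format and all lines are
constructed; thresholds (minimum events, jitter) are assumptions to tune.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

LINE = re.compile(r"^(\S+) host=(\S+) dst=(\S+) path=(\S+) method=(\S+)")
T0 = datetime(2025, 9, 29, 10, 0, 0, tzinfo=timezone.utc)


def _line(offset_s: int, host: str, dst: str, path: str, method: str = "POST") -> str:
    ts = (T0 + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} host={host} dst={dst} path={path} method={method}"


# Constructed sample: WS-042 posts to a webhook every ~30 s; WS-007 is a
# user browsing Discord with human, irregular timing.
WEBHOOK = "/api/webhooks/000000000000000000/redacted"
SAMPLE_LOG = (
    [_line(s, "WS-042", "discord.com", WEBHOOK) for s in (0, 30, 60, 91, 120, 149, 180, 210)]
    + [_line(s, "WS-007", "discord.com", "/api/v10/gateway", "GET")
       for s in (5, 12, 130, 131, 400, 1000)]
)
SAMPLE_LOG.sort()   # ISO-8601 timestamps sort lexicographically


def parse_line(line: str) -> Optional[Dict]:
    m = LINE.match(line)
    if not m:
        return None
    ts, host, dst, path, method = m.groups()
    epoch = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc).timestamp()
    return {"ts": epoch, "host": host, "dst": dst, "path": path, "method": method}


def detect_beacons(lines: List[str], min_events: int = 5,
                   max_jitter: float = 0.2) -> List[Dict]:
    """Flag (host, dst, path) series whose inter-request gaps are nearly constant."""
    series: Dict[tuple, List[float]] = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        series[(rec["host"], rec["dst"], rec["path"])].append(rec["ts"])
    alerts = []
    for (host, dst, path), times in series.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue
        jitter = statistics.pstdev(gaps) / period   # relative spread of the gaps
        if jitter <= max_jitter:
            alerts.append({"host": host, "dst": dst, "path": path,
                           "events": len(times), "period_s": round(period, 1),
                           "jitter": round(jitter, 3),
                           "webhook": "/api/webhooks/" in path})
    return alerts


if __name__ == "__main__":
    for a in detect_beacons(SAMPLE_LOG):
        print(a)
```

Keying the series on the full path is what separates the implant (one webhook, hit every 30 s) from a user's ordinary Discord traffic to the same domain; the `webhook` flag is a cheap second signal, since an endpoint posting to `/api/webhooks/` on its own is rarely legitimate. Malware that randomises its sleep defeats the jitter test, so treat this as one detector among several rather than a complete answer.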
Account Executive at Smart Soda Holdings, Inc. · 1w
Impressive milestone, Nilesh! 🎉 Making secure development more accessible to the community is such a meaningful step.