<iframe src="//www.googletagmanager.com/ns.html?id=GTM-TT8R4P" height="0" width="0" style="display:none;visibility:hidden">

Sonatype Blog

Stay updated on the latest news from the makers of Nexus

System Hardening with Ansible

The DevOps pipeline is constantly changing.  Therefore relevant security controls must be applied contextually.

We want to be secure, but I think all of us would rather spend our time developing and deploying software. Keeping up with server updates and all of the other security tasks is like cleaning your home - you know it has to be done, but you really just want to enjoy your clean home. The good news is you can hire a “service” to keep your application security up-to-date, giving you more time to develop.

At the recent All Day DevOps conference, Akash Mahajan (@makash), a Founder/Director at Appsecco, discussed how to harden your system’s security with Ansible.  In addition to his role at Appsecco, Akash is also involved as a local leader with the Open Web Application Security Project (OWASP).

Misconfiguration.  During his presentation, Akash mentioned the OWASP Top 10 Security Vulnerabilities list, zeroing in on #5 - Security Misconfiguration. To determine if you comply with the guidelines, #5 on the list asks:

  • Is any of your software out of date?
  • Are there any unnecessary features enabled/installed including ports, services, accounts, pages, or privileges?
  • Are default accounts and their passwords enabled/unchanged?
  • Are security settings and libraries not set to secure values?

I am sure no one reading this article still uses the default administrator password, but can we say the same of your peers? Have you gotten around to installing the latest software patches on your server?

 

Automation.  If a task can be automated, developers automate it. So we should automate our security tasks too, where we can. OWASP provides guidance here, suggesting you should:

  • Have a repeatable security hardening process
  • Ensure your development, QA, and production servers are configured identically but with different passwords
  • Automate the process to minimize the effort required to setup a new secure environment
  • Implement a process for deploying all new software updates and patches in a timely manner to each deployed environment
  • Run scans and audits periodically to help detect future misconfigurations or missing patches.

This is all part of security hardening, which is, “the process where we identify default configuration present on a system and apply changes that will change the configuration to secure values.” This can be applied to your network, transport, application, and kernel networking parameters.

Ansible Playbooks.  Ansible is one of the solutions Akash likes to work with, but there are others solutions on the market that provide similar value.  Without trying to endorse or evaluate one solution over another, let me share perspectives from Akash’s experience with his tool set.

Why does he like it? It boils down to playbooks. An Ansible playbook is a codified security document, allowing you to describe the desired state of a system, rather than the specific steps of how to get to that state. As Akash points out, things change - it is better to have the end state described rather than have to change commands when the system changes.

Other advantages of playbooks include:

  • Playbooks are written in YAML providing us with structure that we can learn and train on
  • Playbooks are text files, so we can use Git for version control
  • Managing playbooks is just like managing any software project
  • Playbooks are infrastructure as code but for security
  • Playbooks consist of roles, a key aspect of security
  • Numerous playbooks are available as open source

The bottom line is you can, and you should, automate your security hardening process. Your users and other stakeholders will thank you, and, most of all, you will thank yourself because you can spend more time on the things you love to do.

Ansible is just one example of a solution that can be used to automate your security tasks. If you want to know more, Akash goes into further detail on getting started with Ansible in his  full All Day DevOps conference session (just 30 minutes). The other 56 presentations from the All Day DevOps Conference are also available online, free-of-charge here.

This blog series is reviewing sessions from the All Day DevOps conference from November which hosted over 13,500 registered attendees. Last week I discussed, “DevOps at Massive Scale”. Next week, look for “Operationalizing a Red Team for Fun and Profit”, delivered by Intuit’s own Ian Allison.

Achieving CI/CD with Kubernetes

Hola amigos !!(In English – Hello Friends !!) Hope you are having a jolly good day ! Continuous Integration/Delivery is best said in terms of Martin Fowler, according to him it can be defined as, “Continuous Integration is a software development practice where members of a team integrate their work frequently, usually each person integrates at least daily – leading to multiple integrations per day. Each integration is verified by an automated build (including test) to detect integration errors as quickly as possible. Many teams find that this approach leads to significantly reduced integration problems and allows a team to develop cohesive software more rapidly.”

DevOps at Massive Scale

When you have a billion users, people notice.  That’s where our story about DevOps and Yahoo! starts.  For Kishore Jalleda and Gopal Mor, both engineers at Yahoo!, when something goes wrong on a Yahoo! page, people will notice.  Correction: a lot of people will notice.

Sonatype Nexus Installation Using Docker

1. Download the Docker image using following commands..
# docker pull sonatype/nexus

 

2. Build an image from a Nexus Dockerfile# docker build –rm –tag sonatype/nexus oss/

# docker build –rm –tag sonatype/nexus-pro pro/ (For Pro)

 

Paul Volkman: Why is Sonatype the best solution?

When Paul Volkman was asked "Why is Sonatype the best solution?," he didn't hesitate. Watch and listen as he gives the best, most succinct explanation you'll find anywhere.

DevOps and Opportunities in Software Supply Chain Governance

Governance has been an evil word for software developers but new approaches unlock massive gains in productivity, reductions in cost, and improvements in quality.

DevSecOps: Better Software, Faster

“The big problems are where people don't realize they have one in the first place.” - W. Edwards Deming, patron saint of DevOps.