Rafael Eyng, on March 01, 2017
This is the second part of a series of posts on Nexus 3 and how to use it as repository for several technologies. Also available is “Part 1, Maven Artifacts” by Rafael Eyng.
Matt Howard, on February 28, 2017
The niche market for Software Composition Analysis (SCA) tools has died. The culprit: DevOps.
In today's world, developers are king. Innovation is the throne upon which they sit. Anything seen as an inhibitor to DevOps agility is the enemy, and therefore, must be terminated.
SCA tools are waterfall-native by design. Thus, it is impossible to integrate SCA security controls into DevOps-native work flows in an automated and scalable way.
We all know the story: a farm, a kid, a Commodore 64, and a modem maxing out at 300 bps. A few unexpected phone bills later, and young Ian Allison is figuring out how to game the system so he can keep using his newfound gateway to the world of tech. According to Ian, that is where he began building the foundation of skills for his career in computer security.
Rafael Eyng, on February 21, 2017
This article is the first in a three part series by one of our community advocates, Rafael Eyng. You can follow his work at CodeHeaven.io
The DevOps pipeline is constantly changing. Therefore relevant security controls must be applied contextually.
We want to be secure, but I think all of us would rather spend our time developing and deploying software. Keeping up with server updates and all of the other security tasks is like cleaning your home - you know it has to be done, but you really just want to enjoy your clean home. The good news is you can hire a “service” to keep your application security up-to-date, giving you more time to develop.
At the recent All Day DevOps conference, Akash Mahajan (@makash), a Founder/Director at Appsecco, discussed how to harden your system’s security with Ansible. In addition to his role at Appsecco, Akash is also involved as a local leader with the Open Web Application Security Project (OWASP).
Misconfiguration. During his presentation, Akash mentioned the OWASP Top 10 Security Vulnerabilities list, zeroing in on #5 - Security Misconfiguration. To determine if you comply with the guidelines, #5 on the list asks:
I am sure no one reading this article still uses the default administrator password, but can we say the same of your peers? Have you gotten around to installing the latest software patches on your server?
Automation. If a task can be automated, developers automate it. So we should automate our security tasks too, where we can. OWASP provides guidance here, suggesting you should:
This is all part of security hardening, which is, “the process where we identify default configuration present on a system and apply changes that will change the configuration to secure values.” This can be applied to your network, transport, application, and kernel networking parameters.
Ansible Playbooks. Ansible is one of the solutions Akash likes to work with, but there are other solutions on the market that provide similar value. Without trying to endorse or evaluate one solution over another, let me share perspectives from Akash’s experience with his tool set.
Why does he like it? It boils down to playbooks. An Ansible playbook is a codified security document, allowing you to describe the desired state of a system, rather than the specific steps of how to get to that state. As Akash points out, things change - it is better to have the end state described rather than have to change commands when the system changes.
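To make the "desired state" idea concrete, here is an added example playbook (not code from Akash’s session or the original post) that pins the kinds of settings the article mentions: latest patches, kernel networking parameters, and SSH login settings. The host group name and the specific sysctl values are assumptions chosen for illustration, not a complete baseline.

```yaml
# Added example, not from the original post. Targets Debian/Ubuntu hosts.
# The "webservers" group and the sysctl values below are assumptions.
- name: Baseline security hardening
  hosts: webservers
  become: true

  vars:
    # Kernel networking parameters to hold at secure values (assumed baseline)
    sysctl_hardening:
      net.ipv4.ip_forward: 0
      net.ipv4.conf.all.accept_redirects: 0
      net.ipv4.conf.all.send_redirects: 0
      net.ipv4.conf.all.accept_source_route: 0
      net.ipv4.tcp_syncookies: 1

  tasks:
    - name: Install the latest patches (safe upgrade, idempotent)
      apt:
        update_cache: true
        upgrade: safe

    # Short module name "sysctl" ships with ansible.posix in newer releases
    - name: Apply kernel networking parameters and persist them
      sysctl:
        name: "{{ item.key }}"
        value: "{{ item.value }}"
        sysctl_file: /etc/sysctl.d/99-hardening.conf
        state: present
        reload: true
      loop: "{{ sysctl_hardening | dict2items }}"

    # Desired state, not steps: the same task works whether the line is
    # missing, commented out, or already set. validate: refuses a broken config.
    - name: Disallow SSH root login and password authentication
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?{{ item.key }}\\s"
        line: "{{ item.key }} {{ item.value }}"
        validate: "sshd -t -f %s"
      loop:
        - { key: PermitRootLogin, value: "no" }
        - { key: PasswordAuthentication, value: "no" }
      notify: restart sshd

  handlers:
    - name: restart sshd
      service:
        name: ssh
        state: restarted
```

Running it a second time reports no changes, which is the check that the host is still in the described state rather than a record of commands that once ran.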
Other advantages of playbooks include:
The bottom line is you can, and you should, automate your security hardening process. Your users and other stakeholders will thank you, and, most of all, you will thank yourself because you can spend more time on the things you love to do.
Ansible is just one example of a solution that can be used to automate your security tasks. If you want to know more, Akash goes into further detail on getting started with Ansible in his full All Day DevOps conference session (just 30 minutes). The other 56 presentations from the All Day DevOps Conference are also available online, free-of-charge here.
This blog series is reviewing sessions from the All Day DevOps conference from November which hosted over 13,500 registered attendees. Last week I discussed, “DevOps at Massive Scale”. Next week, look for “Operationalizing a Red Team for Fun and Profit”, delivered by Intuit’s own Ian Allison.
Hola amigos!! (In English: Hello Friends!!) Hope you are having a jolly good day! Continuous Integration/Delivery is best described in Martin Fowler’s words; according to him it can be defined as, “Continuous Integration is a software development practice where members of a team integrate their work frequently, usually each person integrates at least daily – leading to multiple integrations per day. Each integration is verified by an automated build (including test) to detect integration errors as quickly as possible. Many teams find that this approach leads to significantly reduced integration problems and allows a team to develop cohesive software more rapidly.”