
DevOps and Security - DevSecOps

Open monperrus opened this issue 6 years ago • 78 comments

Wikipedia references:

  • https://en.wikipedia.org/wiki/Information_security
  • https://en.wikipedia.org/wiki/Information_security_audit
  • https://en.wikipedia.org/wiki/Attribute-based_access_control
  • https://en.wikipedia.org/wiki/Penetration_test
  • https://en.wikipedia.org/wiki/Intrusion_detection_system
  • https://en.wikipedia.org/wiki/Runtime_application_self-protection
  • https://en.wikipedia.org/wiki/Dynamic_application_security_testing
  • https://en.wikipedia.org/wiki/Supply_chain_attack

monperrus avatar Oct 24 '18 07:10 monperrus

Principles:

  • Complete Mediation Principle (useful for APIs)
  • Least privilege

monperrus avatar Nov 05 '18 14:11 monperrus

Intrusion detection: https://en.wikipedia.org/wiki/Intrusion_detection_system

(signature based, anomaly detection)

monperrus avatar Nov 05 '18 14:11 monperrus

Very good set of pointers: https://www.sqreen.io/checklists/devops-security-checklist

monperrus avatar Nov 05 '18 14:11 monperrus

Mapping security design principles to devops on one axis, mapping security concepts/mechanisms to devops on another.

sbuc avatar Nov 05 '18 14:11 sbuc

Dynamic and short-lived secrets for authorisation; see for example how AWS IAM Roles are implemented, or HashiCorp Vault.

lsc avatar Nov 08 '18 10:11 lsc

Open Source: Simplifying Serverless Secrets https://open.nytimes.com/open-source-simplifying-serverless-secrets-in-google-cloud-a95451e545b1

monperrus avatar Nov 11 '18 08:11 monperrus

Vault and kubernetes https://github.com/kelseyhightower/vault-on-google-kubernetes-engine

bbaudry avatar Nov 14 '18 16:11 bbaudry

CI/CD enables automated program hardening:

Operating system protection through program evolution, Fred Cohen, 1993

monperrus avatar Dec 05 '18 14:12 monperrus

Check your repos... Crypto-coin-stealing code sneaks into fairly popular NPM lib (2m downloads per week) https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/

monperrus avatar Dec 10 '18 14:12 monperrus

7 Tips for Container and Kubernetes Security http://lxer.com/module/newswire/ext_link.php?rid=264809

monperrus avatar Jan 11 '19 21:01 monperrus

Microservices Hierarchy of Needs KUBERNETES: AN OVERVIEW (This is a nice introduction to Kubernetes architecture and advantages)

gluckzhang avatar Feb 22 '19 16:02 gluckzhang

On The Relation Between Outdated Docker Containers, Severity Vulnerabilities and Bugs. http://arxiv.org/abs/1811.12874

monperrus avatar Mar 01 '19 06:03 monperrus

Reproducible builds https://reproducible-builds.org/

bbaudry avatar Mar 04 '19 18:03 bbaudry

Added Wikipedia references in the top post of this thread.

monperrus avatar Mar 05 '19 10:03 monperrus

Security standards: NIST SP 800-53, ISO 27000

monperrus avatar Mar 05 '19 10:03 monperrus

Super Secret Dynamic Secrets with Vault https://tech.gogoair.com/super-secret-dynamic-secrets-with-vault-cf6f29fefc8f

monperrus avatar Mar 05 '19 10:03 monperrus

Vault http://vaultproject.io

monperrus avatar Mar 05 '19 10:03 monperrus

InSpec https://www.inspec.io

monperrus avatar Mar 05 '19 10:03 monperrus

On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs. https://arxiv.org/pdf/1811.12874

monperrus avatar Apr 01 '19 21:04 monperrus

On the Impact of Outdated and Vulnerable Javascript Packages in Docker Images. https://ieeexplore.ieee.org/abstract/document/8667984/

monperrus avatar Apr 01 '19 21:04 monperrus

Kubernetes security: 5 mistakes to avoid https://enterprisersproject.com/article/2019/5/kubernetes-security-5-mistakes

monperrus avatar May 23 '19 06:05 monperrus

Security for containers: https://github.com/coreos/clair

bbaudry avatar Sep 18 '19 12:09 bbaudry

The Three Rs of Enterprise Security: Rotate, Repave, and Repair https://builttoadapt.io/the-three-r-s-of-enterprise-security-rotate-repave-and-repair-f64f6d6ba29d

monperrus avatar Oct 15 '19 09:10 monperrus

A framework to secure the integrity of software supply chains https://in-toto.io/ https://github.com/in-toto/in-toto/

bbaudry avatar Oct 17 '19 06:10 bbaudry

Attack graph generation for microservice architecture https://www.researchgate.net/profile/Amjad_Ibrahim/publication/332814067_Attack_graph_generation_for_microservice_architecture/links/5ccd8a30299bf14d9576f2f5/Attack-graph-generation-for-microservice-architecture.pdf

monperrus avatar Nov 04 '19 13:11 monperrus

Everything You Ever Wanted To Know About Test-Case Reduction, But Didn’t Know to Ask https://blog.trailofbits.com/2019/11/11/test-case-reduction/

bbaudry avatar Nov 13 '19 05:11 bbaudry

Netflix's repulsive grizzly for Application Layer DoS Testing https://github.com/netflix-skunkworks/repulsive-grizzly

bbaudry avatar Dec 05 '19 18:12 bbaudry

OWASP https://www.owasp.org/

JFrog Xray is an application security SCA tool that integrates security directly into your DevOps workflows: https://jfrog.com/xray/

matsskoglunds avatar Jan 14 '20 13:01 matsskoglunds