KTH / devops-course

Repository of the DevOps course at KTH Royal Institute of Technology DD2482

DevOps and Security - DevSecOps #18

Open monperrus opened 6 years ago

monperrus commented 6 years ago

Wikipedia references:

matsskoglund commented 2 years ago

https://docs.gitlab.com/ee/user/application_security/dependency_list/

monperrus commented 2 years ago

What are the Practices for Secret Management in Software Artifacts? (arXiv:2208.11280v1 [cs.SE])

bbaudry commented 2 years ago

The steady project addresses the OWASP Top 10 security risk A9, Using Components with Known Vulnerabilities https://projects.eclipse.org/projects/technology.

monperrus commented 2 years ago

Security support in continuous deployment pipeline

monperrus commented 2 years ago

Exploiting devops practices for dependable and secure continuous delivery pipelines

monperrus commented 2 years ago

Vulnerabilities in continuous delivery pipelines? A case study

monperrus commented 2 years ago

SpiceDB is an open source Zanzibar-inspired database that stores, computes, and validates fine-grained permissions. https://authzed.com/spicedb/

monperrus commented 2 years ago

https://github.com/codenotary/cas

cas detects or acts on the following (but not limited to):

  • Immutable tagging of source code, builds, and container images with version number, owner, timestamp, organization, trust level, and much more
  • Simple and tamper-proof extraction of notarized tags like version number, owner, timestamp, organization, and trust level from any source code, build and container (based on the related image)
  • Quickly discover and identify untrusted, revoked or obsolete libraries, builds, and containers in your application
  • Detect the launch of an authorized or unknown container immediately
  • Prevent untrusted or revoked containers from starting in production
  • Verify the integrity and the publisher of all the data received over any channel

and more

  • Enable application version checks and actions
  • Buggy or rogue libraries can be traced by simple revoke or unsupport
  • Revoke or unsupport your build or build version post-deployment (no complex certificate revocation that includes delivery of newly signed builds)
  • Stop unwanted containers from being launched
  • Make revocation part of the remediation process
  • Use revocation without impairing customer environments
  • Trace source code to build to deployment by integration into CI/CD or manual workflow
  • Tag your applications for specific use cases (alpha, beta - non-commercial aso).

monperrus commented 1 year ago

Google Cloud Key Management https://cloud.google.com/security-key-management

monperrus commented 1 year ago

OWASP Top 10 CI/CD Security Risks https://owasp.org/www-project-top-10-ci-cd-security-risks/

monperrus commented 1 year ago

Robbery on DevOps: Understanding and Mitigating Illicit Cryptomining on Continuous Integration Service Platforms. 43rd IEEE Symposium on Security and Privacy (S&P 2022) https://www.xiaojingliao.com/uploads/9/7/0/2/97024238/sp22-devops.pdf

bbaudry commented 1 year ago

fuzzing curl cli https://blog.trailofbits.com/2023/02/14/curl-audit-fuzzing-libcurl-command-line-interface/

monperrus commented 1 year ago

SoK: run-time security for cloud microservices. Are we there yet?

bbaudry commented 1 year ago

A Static Analysis Platform for Investigating Security Trends in Repositories. http://arxiv.org/abs/2304.01725

monperrus commented 1 year ago

Securing the software supply chain with optimized containers specific to your application needs, while automatically reducing vulnerabilities in the process.

https://slim.ai

monperrus commented 1 year ago

Reverse Engineering the Tesla Firmware Update Process https://www.pentestpartners.com/security-blog/reverse-engineering-the-tesla-firmware-update-process/

bbaudry commented 1 year ago

Scan (skæn) is an open-source security audit tool for modern DevOps teams https://appthreat.com/en/latest/

monperrus commented 1 year ago

Bitwarden Secrets Manager enables developers, DevOps, and cybersecurity teams to centrally store, manage, and deploy secrets at scale.

https://bitwarden.com/help/secrets-manager-overview/

bbaudry commented 1 year ago

GitGuardian is a developer-first solution scanning GitHub activity in real-time for API secret tokens, database credentials https://github.com/GitGuardian

monperrus commented 1 year ago

Detecting intrusion with canary tokens

A canary token is a resource that is monitored for access or tampering. Usually, canary tokens come in the form of a URL, file, API key, or email, etc., and trigger alerts whenever someone (presumably an attacker) trips over them.

https://github.com/GitGuardian/ggcanary

monperrus commented 1 year ago

µDetector: Automated Intrusion Detection for Microservices. SANER 23

bbaudry commented 1 year ago

Securing the Supply Chain for Your Java Applications By Thomas Vitale. Devoxx 2023 https://www.youtube.com/watch?v=ftPFxK8JPNM

bbaudry commented 6 months ago

Where does your software (really) come from? https://github.blog/2024-04-30-where-does-your-software-really-come-from/

monperrus commented 3 months ago

Azure Sentinel: security analytics for Azure https://github.com/Azure/Azure-Sentinel

monperrus commented 2 months ago

poutine is a security scanner that detects misconfigurations and vulnerabilities in the build pipelines of a repository https://github.com/boostsecurityio/poutine/

monperrus commented 2 months ago

docker-bench: checks for dozens of common best-practices around deploying Docker containers in production https://github.com/docker/docker-bench-security

sofiabobadilla commented 1 month ago

Coana https://www.coana.tech/

Coana's SCA with Reachability Analysis allows you to safely disregard unreachable vulnerabilities and easily patch the ones that matter.