Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DevOps and Security - DevSecOps #18

Open
monperrus opened this issue Oct 24, 2018 · 78 comments
Open

DevOps and Security - DevSecOps #18

monperrus opened this issue Oct 24, 2018 · 78 comments
Labels
topic DevOps relevant topics

Comments

@monperrus
Copy link
Member Author

Principles:

  • Complete Mediation Principle (useful for APIs)
  • Least privileged

@monperrus
Copy link
Member Author

Intrusion detection: https://en.wikipedia.org/wiki/Intrusion_detection_system

(signature based, anomaly detection)

@monperrus
Copy link
Member Author

Very good set of pointers: https://www.sqreen.io/checklists/devops-security-checklist

@sbuc
Copy link

sbuc commented Nov 5, 2018

Mapping security design principles to devops on one axis, mapping security concepts/mechanisms to devops on another.

@lsc
Copy link

lsc commented Nov 8, 2018

Dynamic and short lived secrets for authorisation, see for example AWS IAM Roles are implemented or Hashicorp Vault.

@monperrus
Copy link
Member Author

@bbaudry
Copy link
Collaborator

bbaudry commented Nov 14, 2018

@monperrus
Copy link
Member Author

CI/CD enables automated program hardening:

Operating system protection through program evolution, Fred Cohen, 1993

@monperrus
Copy link
Member Author

Check your repos... Crypto-coin-stealing code sneaks into fairly popular NPM lib (2m downloads per week)
https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/

@monperrus
Copy link
Member Author

7 Tips for Container and Kubernetes Security
http://lxer.com/module/newswire/ext_link.php?rid=264809

@gluckzhang
Copy link

Microservices Hierarchy of Needs
KUBERNETES: AN OVERVIEW (This is a nice introduction to Kubernetes architecture and advantages)

@monperrus
Copy link
Member Author

On The Relation Between Outdated Docker Containers, Severity Vulnerabilities and Bugs.
http://arxiv.org/abs/1811.12874

@bbaudry
Copy link
Collaborator

bbaudry commented Mar 4, 2019

Reproducible builds
https://reproducible-builds.org/

@monperrus
Copy link
Member Author

added wikipedia references in the top post of this thread.

@monperrus
Copy link
Member Author

Security standards: NIST800 53, ISO27000

@monperrus
Copy link
Member Author

Super Secret Dynamic Secrets with Vault
https://tech.gogoair.com/super-secret-dynamic-secrets-with-vault-cf6f29fefc8f

@monperrus
Copy link
Member Author

Vault
http://vaultproject.io

@monperrus
Copy link
Member Author

InSpec
https://www.inspec.io

@gluckzhang gluckzhang added the topic DevOps relevant topics label Mar 25, 2019
@monperrus
Copy link
Member Author

On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs.
https://arxiv.org/pdf/1811.12874

@monperrus
Copy link
Member Author

On the Impact of Outdated and Vulnerable Javascript Packages in Docker Images.
https://ieeexplore.ieee.org/abstract/document/8667984/

@monperrus
Copy link
Member Author

Kubernetes security: 5 mistakes to avoid
https://enterprisersproject.com/article/2019/5/kubernetes-security-5-mistakes

@bbaudry
Copy link
Collaborator

bbaudry commented Sep 18, 2019

security for containers
https://github.com/coreos/clair

@gluckzhang
Copy link

gluckzhang commented Sep 18, 2019

@monperrus
Copy link
Member Author

The Three Rs of Enterprise Security: Rotate, Repave, and Repair
https://builttoadapt.io/the-three-r-s-of-enterprise-security-rotate-repave-and-repair-f64f6d6ba29d

@bbaudry
Copy link
Collaborator

bbaudry commented Oct 17, 2019

A framework to secure the integrity of software supply chains
https://in-toto.io/
https://github.com/in-toto/in-toto/

@bbaudry
Copy link
Collaborator

bbaudry commented Oct 22, 2019

@bbaudry
Copy link
Collaborator

bbaudry commented Jul 6, 2022

It’s Time to Get Hip to the SBOM
https://jfrog.com/blog/its-time-to-get-hip-to-the-sbom/

@bbaudry
Copy link
Collaborator

bbaudry commented Jul 6, 2022

@matsskoglund
Copy link

@monperrus
Copy link
Member Author

@bbaudry
Copy link
Collaborator

bbaudry commented Sep 20, 2022

The steady project addresses the OWASP Top 10 security risk A9, Using Components with Known Vulnerabilities
https://projects.eclipse.org/projects/technology.

@monperrus
Copy link
Member Author

@monperrus
Copy link
Member Author

@monperrus
Copy link
Member Author

@monperrus
Copy link
Member Author

SpiceDB is a open source Zanzibar-inspired database that stores, computes, and validates fine grained permissions.
https://authzed.com/spicedb/

@monperrus
Copy link
Member Author

https://github.com/codenotary/cas

cas detects or acts on the following (but not limited to):

  • Immutable tagging of source code, builds, and container images with version number, owner, timestamp, organization, trust level, and much more
  • Simple and tamper-proof extraction of notarized tags like version number, owner, timestamp, organization, and trust level from any source code, build and container (based on the related image)
  • Quickly discover and identify untrusted, revoked or obsolete libraries, builds, and containers in your application
  • Detect the launch of an authorized or unknown container immediately
  • Prevent untrusted or revoked containers from starting in production
  • Verify the integrity and the publisher of all the data received over any channel

and more

  • Enable application version checks and actions
  • Buggy or rogue libraries can be traced by simple revoke or unsupport
  • Revoke or unsupport your build or build version post-deployment (no complex certificate revocation that includes delivery of newly signed builds)
  • Stop unwanted containers from being launched
  • Make revocation part of the remediation process
  • Use revocation without impairing customer environments
  • Trace source code to build to deployment by integration into CI/CD or manual workflow
  • Tag your applications for specific use cases (alpha, beta - non-commercial aso).

@monperrus
Copy link
Member Author

Google Cloud Key Management
https://cloud.google.com/security-key-management

@monperrus
Copy link
Member Author

OWASP Top 10 CI/CD Security Risks
https://owasp.org/www-project-top-10-ci-cd-security-risks/

@monperrus
Copy link
Member Author

Robbery on DevOps: Understanding and Mitigating Illicit Cryptomining on Continuous Integration Service Platforms
43rd Ieee Symposium On Security And Privacy (Sp 2022)
https://www.xiaojingliao.com/uploads/9/7/0/2/97024238/sp22-devops.pdf

@monperrus
Copy link
Member Author

  • SPIFFE – Secure Production Identity Framework for Everyone
  • SPIRE is the Runtime Environment
    https://spiffe.io

@bbaudry
Copy link
Collaborator

bbaudry commented Feb 23, 2023

@monperrus
Copy link
Member Author

@bbaudry
Copy link
Collaborator

bbaudry commented Apr 7, 2023

A Static Analysis Platform for Investigating Security Trends in Repositories.
http://arxiv.org/abs/2304.01725

@monperrus
Copy link
Member Author

securing the software supply chain with optimized containers specific to your application needs, while automatically reducing vulnerabilities in the process.

https://slim.ai

@monperrus
Copy link
Member Author

Reverse Engineering the Tesla Firmware Update Process
https://www.pentestpartners.com/security-blog/reverse-engineering-the-tesla-firmware-update-process/

@bbaudry
Copy link
Collaborator

bbaudry commented Apr 21, 2023

Scan (skæn) is an open-source security audit tool for modern DevOps teams
https://appthreat.com/en/latest/

@monperrus
Copy link
Member Author

Bitwarden Secrets Manager enables developers, DevOps, and cybersecurity teams to centrally store, manage, and deploy secrets at scale.

https://bitwarden.com/help/secrets-manager-overview/

@bbaudry
Copy link
Collaborator

bbaudry commented May 2, 2023

GitGuardian is a developer-first solution scanning GitHub activity in real-time for API secret tokens, database credentials
https://github.com/GitGuardian

@monperrus
Copy link
Member Author

Detecting intrusion with canary tokens
A canary token is a resource that is monitored for access or tampering. Usually, canary tokens come in the form of a URL, file, API key, or email, etc., and trigger alerts whenever someone (presumably an attacker) trips over them.

https://github.com/GitGuardian/ggcanary

@monperrus
Copy link
Member Author

@bbaudry
Copy link
Collaborator

bbaudry commented Nov 24, 2023

Securing the Supply Chain for Your Java Applications By Thomas Vitale. Devoxx 2023
https://www.youtube.com/watch?v=ftPFxK8JPNM

@bbaudry
Copy link
Collaborator

bbaudry commented May 5, 2024

Where does your software (really) come from?
https://github.blog/2024-04-30-where-does-your-software-really-come-from/

@monperrus
Copy link
Member Author

Azure Sentinel
Security analytics for Azure
https://github.com/Azure/Azure-Sentinel

@monperrus
Copy link
Member Author

poutine is a security scanner that detects misconfigurations and vulnerabilities in the build pipelines of a repository
https://github.com/boostsecurityio/poutine/

@monperrus
Copy link
Member Author

docker-bench: checks for dozens of common best-practices around deploying Docker containers in production
https://github.com/docker/docker-bench-security

@sofiabobadilla
Copy link
Collaborator

Coana
https://www.coana.tech/

Coana's SCA with Reachability Analysis allows you to safely disregard unreachable vulnerabilities and easily patch the ones that matter.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
topic DevOps relevant topics
Projects
None yet
Development

No branches or pull requests

10 participants