KTH / devops-course

Repository of the DevOps course at KTH Royal Institute of Technology DD2482


DevOps and Security - DevSecOps

monperrus opened this issue · comments

Principles:

  • Complete Mediation Principle (useful for APIs)
  • Least privilege

Intrusion detection: https://en.wikipedia.org/wiki/Intrusion_detection_system

(signature based, anomaly detection)

commented

Mapping security design principles to devops on one axis, mapping security concepts/mechanisms to devops on another.

Dynamic and short-lived secrets for authorisation; see for example how AWS IAM Roles are implemented, or HashiCorp Vault.

CI/CD enables automated program hardening:

Operating system protection through program evolution, Fred Cohen, 1993

Check your repos... Crypto-coin-stealing code sneaks into fairly popular NPM lib (2m downloads per week)
https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/

7 Tips for Container and Kubernetes Security
http://lxer.com/module/newswire/ext_link.php?rid=264809

Microservices Hierarchy of Needs
Kubernetes: An Overview (this is a nice introduction to Kubernetes architecture and advantages)

On The Relation Between Outdated Docker Containers, Severity Vulnerabilities and Bugs.
http://arxiv.org/abs/1811.12874

Added Wikipedia references in the top post of this thread.

Security standards: NIST 800-53, ISO 27000

On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs.
https://arxiv.org/pdf/1811.12874

On the Impact of Outdated and Vulnerable Javascript Packages in Docker Images.
https://ieeexplore.ieee.org/abstract/document/8667984/

A framework to secure the integrity of software supply chains
https://in-toto.io/
https://github.com/in-toto/in-toto/

Everything You Ever Wanted To Know About Test-Case Reduction, But Didn’t Know to Ask
https://blog.trailofbits.com/2019/11/11/test-case-reduction/

Netflix's repulsive grizzly for Application Layer DoS Testing
https://github.com/netflix-skunkworks/repulsive-grizzly

OWASP https://www.owasp.org/

JFrog Xray is an application security SCA tool that integrates security directly into your DevOps workflows, https://jfrog.com/xray/

Hacking into Google's Network for $133,337 (keywords: Remote Code Execution / Google Cloud Deployment Manager)
https://www.ezequiel.tech/2020/05/rce-in-cloud-dm.html

NIST DevSecOps documents: https://csrc.nist.gov/Projects/devsecops/publications

  • Zero Trust Architecture
  • Building Secure Microservices-based Applications Using Service-Mesh Architecture
  • Hardware-Enabled Security for Server Platforms: Enabling a Layered Approach to Platform Security for Cloud and Edge Computing Use Cases
  • Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF)
  • Developing Cyber Resilient Systems: A Systems Security Engineering Approach
  • Security Strategies for Microservices-based Application Systems
  • Security Recommendations for Server-based Hypervisor Platforms
  • Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
  • Application Container Security Guide
  • Secure Virtual Network Configuration for Virtual Machine (VM) Protection
  • Guide to Enterprise Patch Management Technologies
  • Guide to Security for Full Virtualization Technologies

The Linux Foundation created Sigstore to provide free certificates and tools to automate and verify signatures of software components, to defend against software supply chain attacks.
http://sigstore.dev

The Dance Dance Authentication Scheme https://m.youtube.com/watch?v=VgC4b9K-gYU

Mozilla sops: a simple and flexible tool for managing secrets and encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP.
https://github.com/mozilla/sops

Securing your software supply chain, by GitHub
https://docs.github.com/en/code-security/supply-chain-security

Open Source Security Foundation
https://openssf.org/

OWASP ZAP (Zed Attack Proxy)
https://www.zaproxy.org/

FYI, added https://en.wikipedia.org/wiki/Dynamic_application_security_testing to the reference list of Wikipedia pages at the top.

Signing, verifying and protecting software
https://www.sigstore.dev/

The Steady project addresses the OWASP Top 10 security risk A9, Using Components with Known Vulnerabilities.
https://projects.eclipse.org/projects/technology.

SpiceDB is an open-source, Zanzibar-inspired database that stores, computes, and validates fine-grained permissions.
https://authzed.com/spicedb/

https://github.com/codenotary/cas

cas detects or acts on the following (among other things):

  • Immutable tagging of source code, builds, and container images with version number, owner, timestamp, organization, trust level, and much more
  • Simple and tamper-proof extraction of notarized tags like version number, owner, timestamp, organization, and trust level from any source code, build and container (based on the related image)
  • Quickly discover and identify untrusted, revoked or obsolete libraries, builds, and containers in your application
  • Detect the launch of an authorized or unknown container immediately
  • Prevent untrusted or revoked containers from starting in production
  • Verify the integrity and the publisher of all the data received over any channel

and more

  • Enable application version checks and actions
  • Buggy or rogue libraries can be traced by simple revoke or unsupport
  • Revoke or unsupport your build or build version post-deployment (no complex certificate revocation that includes delivery of newly signed builds)
  • Stop unwanted containers from being launched
  • Make revocation part of the remediation process
  • Use revocation without impairing customer environments
  • Trace source code to build to deployment by integration into CI/CD or manual workflow
  • Tag your applications for specific use cases (alpha, beta, non-commercial, and so on).

Robbery on DevOps: Understanding and Mitigating Illicit Cryptomining on Continuous Integration Service Platforms
43rd IEEE Symposium on Security and Privacy (S&P 2022)
https://www.xiaojingliao.com/uploads/9/7/0/2/97024238/sp22-devops.pdf

  • SPIFFE – Secure Production Identity Framework for Everyone
  • SPIRE is the Runtime Environment
    https://spiffe.io

A Static Analysis Platform for Investigating Security Trends in Repositories.
http://arxiv.org/abs/2304.01725

Securing the software supply chain with optimized containers specific to your application needs, while automatically reducing vulnerabilities in the process.

https://slim.ai

Scan (skæn) is an open-source security audit tool for modern DevOps teams
https://appthreat.com/en/latest/

Bitwarden Secrets Manager enables developers, DevOps, and cybersecurity teams to centrally store, manage, and deploy secrets at scale.

https://bitwarden.com/help/secrets-manager-overview/

GitGuardian is a developer-first solution that scans GitHub activity in real time for API secret tokens and database credentials.
https://github.com/GitGuardian

Detecting intrusion with canary tokens
A canary token is a resource that is monitored for access or tampering. Usually, canary tokens come in the form of a URL, file, API key or email address, and trigger alerts whenever someone (presumably an attacker) trips over them.

https://github.com/GitGuardian/ggcanary

Securing the Supply Chain for Your Java Applications, by Thomas Vitale, Devoxx 2023
https://www.youtube.com/watch?v=ftPFxK8JPNM