Best of DevSecOps — 2024
- 1
- 2
- 3
- 4
Auth0·2y
Secure Node.js Applications from Supply Chain Attacks
The post offers comprehensive strategies to secure Node.js applications against supply chain attacks. It emphasizes the significance of blocking installation scripts, dynamic scripts, and child processes while ensuring dependencies are constantly updated and audited. The article advocates for using lockfiles, enforcing unprivileged modes, and running applications in read-only filesystems. Additionally, network traffic filtering, distroless Docker images, and protecting developer environments are recommended practices to enhance security.
- 5
Laravel·2y
Improving Laravel Application Security with Aikido
Managing security in growing Laravel applications can be challenging, but integrating Aikido's security scanning with Laravel Forge simplifies this process. Aikido quickly scans for vulnerabilities, providing results within Forge in under a minute, making it easier for developers to maintain security standards effortlessly. The integration is valuable for teams of all sizes and helps comply with regulatory requirements like SOC2 and ISO 27001. The partnership brings together code and cloud security, aiming to streamline security management for Laravel developers.
- 6
Arcjet·2y
Whatever happened to DevSecOps?
The concept of DevSecOps aimed to integrate security throughout the development lifecycle, but it hasn't worked out as planned. The clash between development speed and security needs remains an issue. The future might resemble the rise of Site Reliability Engineering (SRE), where dedicated security teams build tools and provide guidance, allowing developers to handle application-specific security details. This approach mirrors platform engineering with a security focus.
- 7
GitLab·2y
FAQ: GitLab CI/CD Catalog
The GitLab CI/CD Catalog enhances software development by enabling users to discover, reuse, and contribute CI/CD components. Available starting from GitLab 17.0, the catalog supports version control, composite components, and multiple input types. It can be used both on GitLab.com and self-managed instances. Testing strategies include using $CI_COMMIT_SHA and child pipelines. Users can create private components, clone public repos, and prevent job name collisions using dynamic names. Documentation and best practices are essential for effective usage.
- 8
- 9
DevOps.com·2y
DevSecOps: Integrating Security Into the DevOps Lifecycle
DevSecOps integrates security into the DevOps process, ensuring protection at every step of software development. By embedding security within the workflow, it creates a more secure end product while speeding up development and ensuring regulatory compliance. Key principles include 'security as code' and a shared responsibility model, with the use of automated security testing tools across different stages. Challenges include the need for skill upgrades and balancing rapid deployment with security. Emerging trends like AI in security, increased compliance, and cloud-native practices are set to shape the future of DevSecOps.
- 10
- 11
CSO Online·2y
Top 5 security mistakes software developers make
Frequent security mistakes by software developers include improper input controls, bad authentication and permissions, poor API protection, inadequate tooling, and ineffective use of automation. These issues have led to increased attacks on applications and APIs. Recommendations to mitigate these risks involve implementing parameterized queries, enforcing role-based permissions, using API gateways, adopting comprehensive security tools, and incorporating automation with AI to reduce false positives and alert fatigue. Despite improvements, significant vulnerabilities persist in app development.
- 12
InfoWorld·2y
6 ways to apply automation in devsecops
Automation is crucial in devsecops to secure the software development life cycle comprehensively. It assists in reducing human errors, ensuring consistency, and enabling developers to focus on coding rather than manual security checks. Key areas benefitting from automation include code, image, infrastructure, process, and collaboration security. Implementing role-based access control (RBAC) and automating the creating and checking stages are essential practices for maintaining robust security. Overcoming myths about the cost and complexity of automation is key for businesses aiming to enhance productivity and secure their development processes.
- 13
Medium·2y
Advanced End-to-End DevSecOps Kubernetes Three-Tier Project using Azure AKS, fluxCD, Prometheus, Grafana, and GitLab
This post discusses the implementation of an advanced DevSecOps Kubernetes three-tier project using Azure AKS, fluxCD, Prometheus, Grafana, and GitLab. It covers the prerequisites, deployment of cloud infrastructure using Terraform and secure secret management with HashiCorp Vault, and automation of deployment and configuration tasks with GitLab CI/CD pipelines.
- 14
