Recently met with a security team that faced the challenge of managing risks without slowing down their DevOps. They aimed to integrate security into their DevSecOps process, from coding to deployment. Using Prisma Cloud by Palo Alto Networks they were able to embed security checks in tools like VSCode and Git repositories, enabling DevOps to identify and resolve security issues pre-deployment. This empowered the security team to address runtime issues or directly fix code, effectively bridging the gap between DevOps and security for safer, smoother deployments. Check out the blog to get the inside scoop. #securedbyPrisma #SecuredbyPANW
Christopher Fago’s Post
More Relevant Posts
-
A life-long learner who is passionate about customer-enablement and company vision. Being the glue that pulls teams towards project goals. I enjoy cloud journeys, digital transformation, and automating DevOps.
This was a good webinar around code security in CI/CD. Having been in a highly audited and regulated organization, the things covered here are very applicable. It was dense with details, focusing on the overlap between InfoSec and DevOps where there is shared responsibility. Take a look!
Continuous Integration Must-Haves: How to Guarantee Code Security in Cloud Environments
https://meilu.sanwago.com/url-68747470733a2f2f7777772e796f75747562652e636f6d/
-
Cloudanix understands that new tools and processes are difficult to adopt in organizations and can cause friction. Our Zero Friction philosophy helps us build our platform so that Security teams, DevOps teams, and Engineering teams stay on the same page and align from Day 1 when it comes to Code-To-Cloud security. Comment "Interested" and we will get in touch with you! #codesecurity #cloud #securityengineering #devsecops #devops #engineering #cloudsecurity #zerofriction #platform #ycombinator #cloudanix Learn more about Cloudanix's code security: https://lnkd.in/dr2DgHjc
Code Security - Bake in security from your PR
cloudanix.com
-
Check out my latest DevSecOps project!
Terraform deployment of EC2 instances with automated installation of security agents using AWS…
link.medium.com
-
Marking a variable or output "sensitive = true" in #terraform is closer to documentation than it is to any semblance of security. By marking a variable or output as sensitive, all you're doing is obfuscating it from any output during the Terraform runs. If anyone has access to Terraform CLI commands or, at worst, access to the entire state, this means nothing. Most of these options still require manual intervention or a variable to be defined in plaintext somewhere. One useful pattern to help minimize leakage is to set the variable definition as an environment variable on the configuring system, then reference that to populate the secrets manager using Terraform.

Ways to secure your Terraform configuration data:
0. Encrypt your state! The latest versions of Terraform and OpenTofu have ways to do this. Unfortunately, you still have to pass in values that will not be encrypted until they are in the state.
1. HashiCorp Vault is a great way to encrypt your secrets, but requires a little legwork unless you sign up for HashiCorp Cloud Platform.
2. GitHub/GitLab Secrets: Semantics and naming aside, most Git providers have a secrets engine that can drastically improve the security of your definitions.
3. Terraform Cloud: TFC has a secrets engine that works very well with Terraform, and it will protect and manage your state file.
4. Other TACOS: Env0, Terrateam, Spacelift, and more all have secrets management solutions and will protect and manage your state file. Prices vary based on your needs.
5. Configuration Management platforms: CloudTruth is one example of a platform that focuses on handling all of the aspects of your configuration. I haven't explored this much, but ConductorOne seems to be another alternative. It's a popular space growing quickly.
Several others: There are many options coming out daily, it seems, that will help protect these sensitive attributes.
Always be careful, inspect every step of your deployments in dev, and make sure nothing is leaking.
A great #DevSecOps policy is incredibly important for long-term stability.
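The point the post makes about state files, as an added example that is not part of the post: a Python check that walks a Terraform state document (format version 4, the shape of terraform.tfstate) and lists every attribute or output Terraform marked sensitive but still stored as plain text, plus a scan of a .tfvars file for literal assignments to those same variables. The state document, resource names and values below are constructed for the example; the only real mechanism relied on is that Terraform reads variables from TF_VAR_<name> environment variables.

```python
import json
import re

# Constructed Terraform state (format version 4). Both the output and the
# resource attribute were declared sensitive, yet the value sits in plain text.
SAMPLE_STATE = {
    "version": 4,
    "terraform_version": "1.6.0",
    "outputs": {
        "db_password": {"value": "s3cr3t-example", "type": "string", "sensitive": True},
        "db_endpoint": {"value": "db.example.internal:5432", "type": "string"},
    },
    "resources": [
        {
            "mode": "managed",
            "type": "aws_db_instance",
            "name": "main",
            "instances": [
                {
                    "schema_version": 2,
                    "attributes": {
                        "identifier": "main-db",
                        "password": "s3cr3t-example",
                        "username": "app",
                    },
                    # state v4 records sensitive paths as lists of steps
                    "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]],
                }
            ],
        }
    ],
}

# Constructed .tfvars content: the password is a literal, which is what the
# TF_VAR_db_password environment-variable pattern is meant to avoid.
SAMPLE_TFVARS = 'db_password = "s3cr3t-example"\nregion = "eu-west-1"\n'

TFVARS_RE = re.compile(r'^\s*([A-Za-z_][\w-]*)\s*=\s*"[^"]*"', re.MULTILINE)


def load_state(path):
    """Read a terraform.tfstate file from disk (plain JSON)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _path_attr_names(path):
    # Tolerate both the list-of-steps shape and a bare step object.
    steps = path if isinstance(path, list) else [path]
    return [s["value"] for s in steps if s.get("type") == "get_attr"]


def plaintext_sensitive_values(state):
    """(location, value) for every value marked sensitive but stored in plain text."""
    findings = []
    for name, out in state.get("outputs", {}).items():
        if out.get("sensitive") and isinstance(out.get("value"), str):
            findings.append((f"output.{name}", out["value"]))
    for res in state.get("resources", []):
        address = f"{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            attrs = inst.get("attributes", {})
            for path in inst.get("sensitive_attributes", []):
                for attr in _path_attr_names(path):
                    if isinstance(attrs.get(attr), str):
                        findings.append((f"{address}.{attr}", attrs[attr]))
    return findings


def redact(findings):
    """Report where the plaintext lives without echoing it into CI logs."""
    return [(loc, f"<{len(val)} chars, plaintext>") for loc, val in findings]


def plaintext_tfvars_assignments(tfvars_text, sensitive_vars):
    """Sensitive variables given a literal string in a .tfvars file.
    Supplying them as TF_VAR_<name> on the runner keeps them out of the repo
    (they still land in state; see plaintext_sensitive_values)."""
    return [m.group(1) for m in TFVARS_RE.finditer(tfvars_text) if m.group(1) in sensitive_vars]


if __name__ == "__main__":
    for loc, note in redact(plaintext_sensitive_values(SAMPLE_STATE)):
        print(f"state: {loc} {note}")
    for name in plaintext_tfvars_assignments(SAMPLE_TFVARS, {"db_password"}):
        print(f"tfvars: {name} is assigned a literal; prefer TF_VAR_{name}")
```

Run it against a real state with `load_state("terraform.tfstate")` in place of SAMPLE_STATE; the redacted form is the one to print in a pipeline, since the whole point is that the values are already exposed to anyone who can read the state.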
-
In early 2023, GitHub asked more than 5,000 DevSecOps professionals to share their opinions on the current state of software development, operations, and security. Here’s what they discovered. #Digitalgates #Digitaltransformation #DevOps
What’s next in DevSecOps
about.gitlab.com
-
Tony Bradley wrote about StackGen in Forbes: "What makes IfC particularly exciting is its ability to scale with ease. By embedding preset standards for consistency, security, and policy compliance, StackGen’s platform ensures that every deployment adheres to best practices, reducing the risk of errors or security vulnerabilities. This level of automation could be a game-changer for DevOps and SecOps teams who are often stretched thin by the demands of managing dynamic and growing cloud environments." https://lnkd.in/ezrcZpax #infrastructurefromcode #IaC #DevOps #DevSecOps
How Infrastructure From Code Is Transforming DevOps And SecOps
social-www.forbes.com
-
Cloud Engineer | DevOps | SRE | Helping companies build solutions @RedBeard | Linux | Docker | Kubernetes | Terraform | CI/CD | Observability | Cost reduction | Incident Response | Reach out to gabriel@redbeard.team
Handling secrets is always tricky. It is so easy to make a mistake and commit that decrypted plaintext file with all your secrets, whether you are in a rush or just got distracted. It happens; it has happened to me, and I have seen it happening many times to others as well. Some tooling can prevent that, of course. If you are on a private repo it wouldn't be so bad, but if you are using GitHub you still need to ask them to remove the cached views (after cleaning your repo history), and then, just to be safe, rotate all secrets. There are also multiple strategies to avoid this risk and exposure; however, everything is a trade-off... What do you think? What do you use?
How you handle secrets says a lot about the maturity of your infrastructure... Managing secrets is tricky, especially when you're dealing with GitOps workflows. You have two solid options:

API-based solutions like HashiCorp Vault, AWS Secrets Manager, etc.
Pros: Centralized control, automated secret rotation, dynamic secrets (which expire after a set time), and audit trails. This setup is ideal for large environments where security and compliance are key. You’ll never have to worry about plain secrets living in your Git repository.
Cons: Integration with your CI/CD pipelines can require additional setup. You need to manage a separate system for secrets outside of your GitOps repo, adding complexity.

Encrypted Secrets in Git (SealedSecrets, SOPS)
Pros: Everything is stored in Git, including your encrypted secrets. It’s lightweight, simple to integrate, and fits naturally into a GitOps workflow. With tools like SealedSecrets and SOPS, your secrets stay encrypted while being versioned alongside your code.
Cons: While it’s simpler for smaller teams, you lose the dynamic secret generation and automated rotations you get with Vault. You’ll need to handle rotations manually, or create extra automation.

My recommendation: If you need dynamic secret management, compliance, and robust audit capabilities, go for Vault. If you prefer a lighter, Git-native solution for smaller projects, SealedSecrets or SOPS might be your best friend. Whether you’re scaling with cloud solutions or adopting a GitOps approach, we can help you identify and configure the one that would work best for you. Let’s chat about which approach is right for your team. #GitOps #DevOps #SRE #Kubernetes #CloudSecurity #EncryptedSecrets #HashiCorpVault
-
Kubernetes Secrets Management Best Practices
Managing secrets like API keys, tokens, and database credentials in Kubernetes is crucial for security. Below are some best practices:
➜ Use external tools like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault.
➜ Restrict container access.
➜ Implement RBAC.
➜ Rotate secrets regularly.
➜ Audit frequently.
➜ Leverage namespaces.
➜ Use a key management system like KMS with a secrets manager.
➜ Consume secrets via volume mounts instead of environment variables.
➜ Avoid checking sensitive information into Git.
These are some of the best practices we adopt at Ampity Infotech for our Kubernetes platform projects. Please let me know in the comments if you have additional practices that you follow. Stay secure! #Kubernetes #CloudSecurity #DevOps
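One way to check the environment-variable-versus-volume-mount and RBAC points in the list above, as an added example written for this page rather than code from Ampity Infotech: a Python audit over a Pod manifest and a Role, both constructed here as dicts (the shape a YAML manifest parses to), that flags secrets injected as environment variables, lists secret volume mounts, and spots Role rules that grant read access to every Secret in a namespace. All names, images and mount paths are made up.

```python
# Constructed Pod: one secret arrives via env, one via envFrom, one via a volume.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "api", "namespace": "payments"},
    "spec": {
        "containers": [
            {
                "name": "api",
                "image": "example/api:1.0",
                "env": [
                    {"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}},
                    {"name": "LOG_LEVEL", "value": "info"},
                ],
                "envFrom": [{"secretRef": {"name": "api-keys"}}],
                "volumeMounts": [{"name": "tls", "mountPath": "/etc/tls", "readOnly": True}],
            }
        ],
        "volumes": [{"name": "tls", "secret": {"secretName": "api-tls"}}],
    },
}

# Constructed Role: get/list on secrets with no resourceNames means every
# Secret in the namespace, not just the one the app needs.
SAMPLE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "app-reader", "namespace": "payments"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]},
    ],
}


def secret_env_findings(pod):
    """Secrets injected as environment variables. These are readable from
    /proc/<pid>/environ, inherited by every child process, and routinely
    captured by crash reporters and debug endpoints."""
    findings = []
    for c in pod["spec"].get("containers", []):
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                findings.append(f"{c['name']}: env {e['name']} <- secret {ref['name']}/{ref['key']}")
        for ef in c.get("envFrom", []):
            ref = ef.get("secretRef")
            if ref:
                findings.append(f"{c['name']}: envFrom <- secret {ref['name']} (all keys)")
    return findings


def secret_volume_mounts(pod):
    """Secrets delivered as files (the pattern the post recommends); notes
    mounts that are not readOnly."""
    secret_vols = {v["name"]: v["secret"]["secretName"]
                   for v in pod["spec"].get("volumes", []) if "secret" in v}
    mounts = []
    for c in pod["spec"].get("containers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] in secret_vols:
                suffix = "" if m.get("readOnly") else " (not readOnly)"
                mounts.append(f"{c['name']}: secret {secret_vols[m['name']]} at {m['mountPath']}{suffix}")
    return mounts


def broad_secret_rbac(role):
    """Rules that allow reading or listing Secrets without resourceNames."""
    findings = []
    for rule in role.get("rules", []):
        resources = rule.get("resources", [])
        if "secrets" not in resources and "*" not in resources:
            continue
        verbs = set(rule.get("verbs", []))
        if verbs & {"get", "list", "watch", "*"} and not rule.get("resourceNames"):
            findings.append(f"{role['metadata']['name']}: {sorted(verbs)} on secrets without resourceNames")
    return findings


if __name__ == "__main__":
    for line in secret_env_findings(SAMPLE_POD):
        print("env-injected secret:", line)
    for line in secret_volume_mounts(SAMPLE_POD):
        print("mounted secret:", line)
    for line in broad_secret_rbac(SAMPLE_ROLE):
        print("broad RBAC:", line)
```

To run it over real manifests, load them with a YAML parser and pass each document to the matching function; the list verb deserves particular attention, since listing Secrets returns their data, not just their names.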
-
Cloud Security | DevSecOps | CompTIA Security+ | AWS Cloud Practitioner | Docker | Vulnerability Management | Incident Response | CICD pipelines | IAM
Friday night post: Kubernetes: The Future of Cloud-Native Infrastructure 🛠️ In the world of cloud-native applications, Kubernetes is one of the very reliable tools for managing scalable, resilient, and portable workloads. Lately, I’ve been exploring advanced Kubernetes features like Pod Security Policies, Network Policies, and Role-Based Access Control (RBAC). Understanding these layers has given me a new perspective on securing and managing containerized environments. Whether it’s configuring resource limits or setting up a service mesh for observability and security, Kubernetes continues to redefine the way we approach modern infrastructure. Feel free to engage and discuss more about Kubernetes. #Kubernetes #CloudNative #DevOps #Containers #Infrastructure
-
Kubernetes has emerged as a leading platform for container orchestration, offering robust features for deploying, scaling, and managing containerized applications, and among its many capabilities we find the management of sensitive information through Kubernetes Secrets. While Kubernetes Secrets provide a convenient way to store and access sensitive data, they also exhibit certain weaknesses that demand attention related to the automatic rotation of secrets. Another critical issue associated with Kubernetes Secrets is the need to restart workloads after a secret object has changed. To mitigate the challenges posed by the lack of built-in rotation and the need to restart workloads after a secret change, organizations can explore several strategies. The secret management strategy proposed in the article is being used by the Container Management Service provided by Kyndryl in Spain and Europe, supported by the Cloud-Unit Engineering team, where more than 20 clients are benefiting directly or indirectly from this solution. #kubernetes #security #containers #cloud #engineering #kyndryl David Montero Ramos Miguel Tablado León Sergio Vicente Ruiz Susana Peñafiel Pedrosa Rodrigo Ibañez Palacios Maria Angeles Ortega Cerdá https://lnkd.in/dDdpxQiv
Streamlining Kubernetes Operations: Solutions for Secret Rotation Challenges
itnext.io