
Several posts on security this week: from the business side, managing a security team with KPIs; hands-on tips for threat modelling; and a technical presentation on Kubernetes insecure defaults.

From our sponsor, VictorOps

See why DevOps teams are more collaborative and transparent than traditional IT operations – helping them build highly efficient incident management and response systems:
http://try.victorops.com/devopsweekly/devops-incident-management-flowchart

News

An excellent presentation stepping through the various (insecure) defaults for Kubernetes configuration and how an attacker might exploit them.
https://speakerdeck.com/iancoldwater/the-path-less-traveled-abusing-kubernetes-defaults

A post on the importance and evolution of team structures, and in particular the nature of communications between teams.
https://itrevolution.com/beyond-team-structures/

How we measure outcomes or activities can often have an impact on those same activities. Knowing what to set as a key performance indicator is sometimes easy, but that’s often not the case for security. This post explores approaches to the problem.
https://medium.com/starting-up-security/a-key-performance-indicator-for-infosec-organizations-7f654b7cd256

An interesting post exploring software design and architecture as it happens today in tech companies and startups vs the general perception.
https://blog.pragmaticengineer.com/software-architecture-is-overrated/

A two-part series on building a container platform, covering why organisations are taking this approach as well as how to define the right abstraction for the consumers of the platform.
https://medium.com/@trevor00/building-container-platforms-part-one-introduction-4ee2338eb11
https://medium.com/@trevor00/building-container-platforms-part-two-abstractions-325b08a74e33

A nice short introduction to threat modelling and how it fits into the SDLC.
https://code.likeagirl.io/pushing-left-like-a-boss-part-6-threat-modelling-8607daf43b17

A walkthrough of the new Puppet provisioner in Terraform 0.12.x, demonstrating standing up a vSphere machine and configuring the host with Puppet.
https://www.greenreedtech.com/terraform-puppet-provisioner/

Events

KubeCon and CloudNativeCon North America are coming up in San Diego from the 18th until the 21st of November. The schedule is packed with talks on the CNCF projects like Kubernetes, Envoy, Helm as well as case studies, community meetings and more. The event is extended with separate focused events on the first day, each one on a single topic, including security, CI/CD and Observability. Hope to see a few readers in San Diego.
http://bit.ly/2ko9SrP

The O’Reilly Velocity Conference heads to Berlin, 4–7 November. Velocity is the best place on the planet for web ops and systems engineering professionals to get expert insight on building and maintaining cloud native systems. With 4 days of practical content on cloud native infrastructure, DevOps, Kubernetes, and more, there’s something for everyone. Passes start at €676 when you use the code DEVW20 (applies to Gold, Silver, and Bronze passes). Register today!
https://oreil.ly/99PIf

Tools

Kubepox looks like a handy tool for anyone wanting to explore how network policies affect traffic in a Kubernetes cluster.
https://github.com/aporeto-inc/kubepox

Mimic is a tool for authoring configuration in Go. It uses a provider model to help generate specific config files and offers a typed interface, so you can use it, for instance, to generate HCL for Terraform and YAML for Kubernetes at the same time.
https://github.com/bwplotka/mimic
