Several security-related posts this week, from incident reports to Kubernetes permissions and security architecture. Plus reliability, rising software complexity and interesting tools for Terraform, JSON parsing and SQLite.

StackHawk sponsors Devops Weekly

With StackHawk’s new GitHub Action, you can integrate AppSec testing directly into your GitHub CI/CD pipeline. See how:
http://sthwk.com/github-actions

News

A detailed writeup and timeline of a security incident. It’s important to learn from events like this, and the post finishes up with some concrete recommendations.
https://stackoverflow.blog/2021/01/25/a-deeper-dive-into-our-may-2019-security-incident/

A discussion of various facets of building reliable systems. From SLOs to runbooks, service catalogues to feature flags and more.
https://firehydrant.io/blog/2021-is-the-year-of-reliability/

A post describing the high-level security architecture for a web site. What makes it interesting is the focus on proportionality, being as secure as needed rather than as secure as possible,
https://www.ncsc.gov.uk/blog-post/securing-ncsc-platforms

A good post on the risks associated with permissive permissions and privilege escalation with Kubernetes pods.
https://labs.bishopfox.com/tech-blog/bad-pods-kubernetes-pod-privilege-escalation

Why does it take so long to build software? Lots of observations in this post, about accidental complexity, about increasing demands vs 10 or 20 years ago on several fronts, on the rise of frameworks and tools that solve problems you might not have and more.
https://www.simplethread.com/why-does-it-take-so-long-to-build-software/

Hex is the package manager for Erlang and Elixir. A new feature, called Hex Preview, allows for checking the contents of source files from specific versions of packages. An important use case that’s easy to miss with the growth of supply chain attacks.
https://hex.pm/blog/introducing-hex-preview

An example of writing unit tests for Helm charts using Go.
https://blog.heyal.co.uk/unit-testing-helm-charts/

Events

An event all about the low-level bits of containers. Container runtimes, image building, image scanning, container security and isolation, virtualization inside containers, etc. Taking place March 9th/10th, with the CFP submissions due by the 10th of February.
https://containerplumbing.org

Tools

Simdjson is a JSON parsing library that aims to make parsing gigabytes of JSON per second trivial. Interesting design and API, and bindings available in lots of languages.
https://github.com/simdjson/simdjson

Etok provides a nice user interface for running Terraform on Kubernetes. Avoid needing local credentials or access to APIs. Some handy integration with GCP as well.
https://github.com/leg100/etok

Litestream is a standalone streaming replication tool for SQLite. It runs as a background process and safely replicates changes incrementally to another file or S3.
https://github.com/benbjohnson/litestream