
Operations and compliance, a few posts on justifying investment in, and measuring the results of, improvements to your CI and CD pipelines, a collection of Kubernetes security resources and more this week.

StackHawk sponsors Devops Weekly

You can utilize Swagger Docs in security testing to drive more thorough and accurate vulnerability scans of your APIs. Learn how:
http://sthwk.com/api-testing-with-swagger

News

A great discussion on the importance of risk management and compliance in technical operations.
https://medium.com/boldstart-ventures/technical-ops-and-compliance-from-bootstrap-to-scale-with-richard-crowley-acc11bb52ec8

A presentation on CI/CD pipeline analytics, measuring flow and other metrics as part of software delivery.
https://www.hashicorp.com/resources/measuring-devops-success-with-pipeline-analytics

A survey from researchers at the Technical University of Darmstadt and the University of St. Gallen on the adoption of devops practices and tooling.
https://forms.gle/WFedDB83iQTioQ9t7

A curated collection of security resources for Kubernetes. Everything from the basics to tools, video recordings and papers.
https://github.com/magnologan/awesome-k8s-security

A brief introduction to the concept of a service mesh, and a comparison of Linkerd, Consul Connect, Istio and Kuma.
https://www.toptal.com/kubernetes/service-mesh-comparison

A spreadsheet for modelling savings from improvements to CI/CD.
https://docs.google.com/spreadsheets/d/1g9C10s5EBPN1TtB5JHDYhJV1Qz_Rc6sHXxl9PCIGlSg/htmlview

A quick introduction to some of the software supply chain security issues mitigated by sigstore.
https://www.i-programmer.info/news/90-tools/14436-sigstore-to-mitigate-most-supply-chain-hazards-but-not-all.html

A post on understanding some of the OAuth flows that can result in authentication and authorization security issues, and planned changes to the specification to avoid them.
https://medium.com/cloud-security/do-you-know-your-oauth-flows-137fb01b45f8
