DEVOPS WEEKLY ISSUE #577 - 16th January 2022
Lots of interesting posts this week, with a general theme of security. From securing GitHub organisations, research on developer education, an SBOM primer and recent software supply chain issues. Plus posts on WHOIS, service operations and team building to round things out.
StackHawk sponsors Devops Weekly
StackHawk just made it even easier to get started with automated security testing with the new StackHawk CLI. Watch the technical demo and get started with just a few commands from your terminal.
https://sthwk.com/cli-demo
News
An interesting presentation with lots of collected research on helping developers adopt secure development practices.
https://speakerdeck.com/auxesis/footguns-and-factorisation-how-to-make-users-of-your-cryptographic-library-successful
Building teams is a big part of operating complex systems. This post looks at the cost of attrition, focusing on the often hidden communication cost.
https://benjiweber.co.uk/blog/2022/01/12/cost-of-attrition/
A quick take on the issue this last week with NPM around the malicious release of a popular package, with some recommendations relevant to other package ecosystems and those releasing software.
https://research.swtch.com/npm-colors
“The WHOIS protocol is one of the older internet protocols around. It’s infuriatingly simple, by and large considered obsolete, and the data provided by it is unpredictable, unreliable, incomplete, and, of course, still one of the cornerstones of internet operations.”
https://www.netmeister.org/blog/whois.html
A nice primer on SBOMs (Software Bill of Materials), explaining why the recent interest and most interestingly looking at wider ecosystem integrations coming.
https://blog.chainguard.dev/what-an-sbom-can-do-for-you/
A handy post on securing a GitHub organisation, from configuring with code to permissions, authentication, external users, audit logs and more.
https://alsmola.medium.com/securing-github-organizations-9c33c850638
CI pipelines are critical systems, but can be fragile without any form of testing in place. Here’s a handy post on testing and linting GitHub Actions to catch common mistakes.
https://cipherstash.com/blog/2021-11-25-linting-your-github-actions
A discussion of some of the pros and cons of centralised and decentralised responsibility for service operations.My experience is that what works changes over time, so being explicit and conscious of the approach is the important part.
https://medium.com/@crossbizz/let-service-teams-own-the-service-operations-instead-of-the-sre-4ff7bcbd53e0
Tools
A toolchain for keeping a set of container images for upstream software automatically updated using GitHub Actions.
https://github.com/cybersecsi/RAUDI