Posts on reliable systems, software supply chain security, infrastructure automation and more. Plus a quick correction.

Last week’s issue mentioned that ZAPCon was only a few days away. In reality you have a little longer to sign up to the security automation event. ZAPCon will be on March 8th.
https://sthwk.com/zapcon

StackHawk sponsors Devops Weekly

Automated security testing is critical for code quality. Find out how you can scale application security testing across your engineering org with open source tools.
https://sthwk.com/3HvxvUr

News

Some observations about where we stand today with platform as a service, and the impact on operations and role specialisation.
https://mumble.org.uk/blog/2022/02/02/infrastructure-in-this-post-devops-world/

A reliability manifesto, containing lots of formal rules and good advice for building and running reliable systems.
https://tech.deliveryhero.com/our-reliability-manifesto/

A good primer on using Terraform to build immutable infrastructure on Google Cloud Platform.
https://codersociety.com/blog/articles/terraform-gcp

A good description of an increasingly common threat vector: compromising a CI pipeline in order to execute code, whether to access internal information or resources, or to manipulate the results of a build.
https://medium.com/cider-sec/ppe-poisoned-pipeline-execution-34f4e8d0d4e9

GitBom is another software supply chain project, tracking every source code file incorporated into each built artifact and embedding a unique, content-addressable reference for that artifact tree into the artifact at build time.
https://gitbom.dev/

Tools

Witness is a new tool designed to prevent tampering with build materials. It verifies the integrity of the build process from source to target, providing a pluggable attestation system that can be integrated into CI pipelines.
https://github.com/testifysec/witness

A project working on building a new open protocol for resumable uploads over HTTP, along with clients in many languages.
https://tus.io/
https://github.com/tus

ValidKube is a handy online tool for improving the quality of Kubernetes configuration files, wrapping other tools that provide validation, security guidance and more.
https://validkube.com/
https://github.com/komodorio/validkube