Posts on reliable systems, software supply chain security, infrastructure automation and more. Plus a quick correction.
Last week's issue mentioned that ZAPCon was only a few days away. In fact you have a little longer to sign up for the security automation event: ZAPCon will be on March 8th.
StackHawk sponsors Devops Weekly
Automated security testing is critical for code quality. Find out how you can scale application security testing across your engineering org with open source tools.
Some observations about where we stand today with platform as a service, and the impact on operations and role specialisation.
A reliability manifesto, containing lots of formal rules and good advice for building and running reliable systems.
A good primer on using Terraform to build immutable infrastructure on Google Cloud Platform.
A good description of an increasingly common threat vector: compromising a CI pipeline in order to execute code, whether to access internal information or resources, or to manipulate the results of a build.
GitBom is another software supply chain project, tracking every source code file incorporated into each built artifact and embedding a unique, content-addressable reference for that artifact tree into the artifact at build time.
Witness is a new tool designed to prevent tampering with build materials. It verifies the integrity of the build process from source to target, providing a pluggable attestation system that can be integrated into CI pipelines.
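To make the two ideas above concrete, here is an added example (my own code, not GitBom's or Witness's implementation) that does both in miniature: it computes a git-style content hash (the value `git hash-object` prints) for each input file, builds a sorted list of those hashes that serves as a content-addressable reference for the whole input tree, embeds that reference in the produced artifact, and then has the builder sign a statement of materials and products which a verifier checks against what it expects. Everything here is simplified and assumed for illustration: the `blob <id>` line format and the trailer-style embedding are stand-ins for the real formats, `fake_compile` stands in for a compiler, and an HMAC with a shared key stands in for the asymmetric signature a real attestation tool would use. The source tree is constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed sample source tree for the example: path -> file content.
SOURCES = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.h": b'#define VERSION "1.0"\n',
}

def gitoid(data, algo="sha1"):
    """Git-style object id of a blob: hash("blob <len>\\0" + content).
    Identical to what `git hash-object` prints for the same bytes."""
    h = hashlib.new(algo)
    h.update(b"blob %d\0" % len(data))
    h.update(data)
    return h.hexdigest()

def build_bom(sources):
    """Content-addressable reference for a whole input tree: one sorted
    'blob <gitoid>' line per input (assumed format), identified by the
    gitoid of the list itself. Same inputs always give the same id."""
    lines = sorted("blob " + gitoid(content) for content in sources.values())
    doc = ("\n".join(lines) + "\n").encode()
    return doc, gitoid(doc)

REF_MARKER = b"\n# bom-ref: "  # assumed trailer format, stands in for e.g. an ELF section

def embed_reference(artifact, bom_id):
    """Append the tree reference to the artifact at build time."""
    return artifact + REF_MARKER + bom_id.encode() + b"\n"

def extract_reference(artifact):
    """Read back the embedded reference, or None if the artifact carries none."""
    idx = artifact.rfind(REF_MARKER)
    if idx < 0:
        return None
    return artifact[idx + len(REF_MARKER):].strip().decode()

def fake_compile(sources):
    """Stand-in for a compiler: a deterministic function of the inputs."""
    return b"".join(sources[p] for p in sorted(sources))

def canonical(statement):
    """Canonical JSON so builder and verifier hash exactly the same bytes."""
    return json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()

def attest(materials, products, key):
    """Builder side: sign a statement of what went in and what came out."""
    statement = {
        "step": "build",
        "materials": {p: gitoid(d) for p, d in materials.items()},
        "products": {n: gitoid(d) for n, d in products.items()},
    }
    payload = canonical(statement)
    sig = hmac.new(key, payload, "sha256").hexdigest()
    return {"payload": payload.decode(), "signature": sig}

def verify(attestation, key, expected_sources, artifact_name, artifact):
    """Verifier side. Rejects if the signature is bad, the builder consumed
    different sources than the verifier expects, the artifact differs from
    the attested product, or the reference embedded in the artifact does not
    match the tree reference recomputed from the expected sources."""
    payload = attestation["payload"].encode()
    expected_sig = hmac.new(key, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected_sig, attestation["signature"]):
        return False
    statement = json.loads(payload)
    if statement["materials"] != {p: gitoid(d) for p, d in expected_sources.items()}:
        return False
    if statement["products"].get(artifact_name) != gitoid(artifact):
        return False
    _, bom_id = build_bom(expected_sources)
    return extract_reference(artifact) == bom_id

def run_honest_build(key=b"constructed-demo-key"):
    """Whole flow on the sample tree: build, embed reference, attest."""
    _, bom_id = build_bom(SOURCES)
    artifact = embed_reference(fake_compile(SOURCES), bom_id)
    return attest(SOURCES, {"app.bin": artifact}, key), artifact

if __name__ == "__main__":
    att, art = run_honest_build()
    print("embedded reference:", extract_reference(art))
    print("honest build verifies:", verify(att, b"constructed-demo-key", SOURCES, "app.bin", art))
    print("post-build tamper verifies:",
          verify(att, b"constructed-demo-key", SOURCES, "app.bin", art.replace(b"return 0", b"return 1")))
```

The point of splitting the check four ways is that each failure mode named in the linked posts trips a different branch: a pipeline that runs the builder with a substituted source file fails the materials comparison, an artifact modified after the build step fails the product hash, and an artifact whose embedded tree reference was stripped or forged fails the final comparison even if its bytes were never attested.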
ValidKube is a handy online tool for improving the quality of Kubernetes configuration files, wrapping other tools that provide validation, security guidance and more.