DEVOPS WEEKLY ISSUE #619 - 6th November 2022
Several infrastructure as code posts and new tools this week, plus several posts on this last week’s OpenSSL vulnerability disclosure and more.
StackHawk sponsors Devops Weekly
Upcoming Webinar: Security Testing in GitHub PR Workflows. Learn how to add automated security testing to existing developer workflows as a standard pull request check, enabling teams to ship secure software faster.
https://sthwk.com/GitHub-PR-Checks-Webinar
News
A post calling on people to “stop testing infrastructure as code”. The details are a bit more nuanced. It’s less about testing the code itself, and more about conflating testing with other activities around drift and application of IaC.
https://medium.com/devoops-discourse/stop-testing-infrastructure-as-code-ad0171c35b6f
A post on maturing use of infrastructure as code, discussing how to stagger rollout across a Kafka cluster.
https://medium.com/riskified-technology/how-to-roll-your-kafka-cluster-with-zero-downtime-and-no-data-loss-770fd0a35971
Persistent credentials for production access pose a risk, one that can be mitigated by just-in-time access provisioning.
https://blog.symops.com/2022/10/28/just-in-time-access-least-privilege-cloud/
A useful summary of last week’s OpenSSL vulnerability disclosure. Originally considered critical, this was downgraded at the time of release, but it’s still important to update if you’re using OpenSSL 3.x.
https://www.darkreading.com/risk/disclosed-openssl-bugs-serious-not-critical
Another post on the OpenSSL vulnerability, this one focused on how it occurred, and how to go about safe cryptography engineering.
https://words.filippo.io/dispatches/openssl-punycode/
Running haproxy? This post covers everything you wanted to know about configuring and using haproxy logs.
https://sematext.com/blog/haproxy-logs/
Events
The WTF Team at Container Solutions are proud to present another free WTFinar: join internationally recognised product leader, author, and consultant Matt LeMay to get world-class, pragmatic insights that will galvanise any product strategy you’re developing.
Wednesday 16th November, 1pm GMT. Register here:
https://bit.ly/3UmXtzB
Tools
A couple of new open source tools, cnquery and cnspec. The first provide a query tool atop cloud infrastructure, handy for asset inventory. The second provides testing and policy based tools on top of that inventory.
https://blog.mondoo.com/cnquery-cnspec
https://github.com/mondoohq/cnquery
https://github.com/mondoohq/cnspec
Devtron is an integrated Kubernetes distribution which bundles Argo, Grafana, Helm, Keda, Prometheus and more, saving you the effort of integrating yourself.
https://github.com/devtron-labs/devtron
A CLI utility for working with SBOM documents. An early project, with the initial set of tools mainly focused on extracting and using licence information from SBOM components, but with some more general plans ahead.
https://github.com/IBM/sbom-utility