Several infrastructure as code posts and new tools this week, plus several posts on last week’s OpenSSL vulnerability disclosure and more.
StackHawk sponsors Devops Weekly
Upcoming Webinar: Security Testing in GitHub PR Workflows. Learn how to add automated security testing to existing developer workflows as a standard pull request check, enabling teams to ship secure software faster.
A post calling on people to “stop testing infrastructure as code”. The details are a bit more nuanced. It’s less about testing the code itself, and more about conflating testing with other activities around drift and application of IaC.
A post on maturing use of infrastructure as code, discussing how to stagger rollout across a Kafka cluster.
Persistent credentials for production access pose a risk, one that can be mitigated by just-in-time access provisioning.
A useful summary of last week’s OpenSSL vulnerability disclosure. Originally considered critical, this was downgraded at the time of release, but it’s still important to update if you’re using OpenSSL 3.x.
Another post on the OpenSSL vulnerability, this one focused on how it occurred, and how to go about safe cryptography engineering.
Running haproxy? This post covers everything you wanted to know about configuring and using haproxy logs.
The WTF Team at Container Solutions are proud to present another free WTFinar: join internationally recognised product leader, author, and consultant Matt LeMay to get world-class, pragmatic insights that will galvanise any product strategy you’re developing.
Wednesday 16th November, 1pm GMT. Register here:
A couple of new open source tools, cnquery and cnspec. The first provides a query tool atop cloud infrastructure, handy for asset inventory. The second provides testing and policy-based tools on top of that inventory.
Devtron is an integrated Kubernetes distribution which bundles Argo, Grafana, Helm, Keda, Prometheus and more, saving you the effort of integrating yourself.
A CLI utility for working with SBOM documents. An early project, with the initial set of tools mainly focused on extracting and using licence information from SBOM components, but with some more general plans ahead.