1 minute read

Several infrastructure as code posts and new tools this week, plus several posts on this last week’s OpenSSL vulnerability disclosure and more.

StackHawk sponsors Devops Weekly

Upcoming Webinar: Security Testing in GitHub PR Workflows. Learn how to add automated security testing to existing developer workflows as a standard pull request check, enabling teams to ship secure software faster.
https://sthwk.com/GitHub-PR-Checks-Webinar

News

A post calling on people to “stop testing infrastructure as code”. The details are a bit more nuanced. It’s less about testing the code itself, and more about conflating testing with other activities around drift and application of IaC.
https://medium.com/devoops-discourse/stop-testing-infrastructure-as-code-ad0171c35b6f

A post on maturing use of infrastructure as code, discussing how to stagger rollout across a Kafka cluster.
https://medium.com/riskified-technology/how-to-roll-your-kafka-cluster-with-zero-downtime-and-no-data-loss-770fd0a35971

Persistent credentials for production access pose a risk, one that can be mitigated by just-in-time access provisioning.
https://blog.symops.com/2022/10/28/just-in-time-access-least-privilege-cloud/

A useful summary of last week’s OpenSSL vulnerability disclosure. Originally considered critical, this was downgraded at the time of release, but it’s still important to update if you’re using OpenSSL 3.x.
https://www.darkreading.com/risk/disclosed-openssl-bugs-serious-not-critical

Another post on the OpenSSL vulnerability, this one focused on how it occurred, and how to go about safe cryptography engineering.
https://words.filippo.io/dispatches/openssl-punycode/

Running haproxy? This post covers everything you wanted to know about configuring and using haproxy logs.
https://sematext.com/blog/haproxy-logs/

Events

The WTF Team at Container Solutions are proud to present another free WTFinar: join internationally recognised product leader, author, and consultant Matt LeMay to get world-class, pragmatic insights that will galvanise any product strategy you’re developing. Wednesday 16th November, 1pm GMT. Register here:
https://bit.ly/3UmXtzB

Tools

A couple of new open source tools, cnquery and cnspec. The first provide a query tool atop cloud infrastructure, handy for asset inventory. The second provides testing and policy based tools on top of that inventory.
https://blog.mondoo.com/cnquery-cnspec
https://github.com/mondoohq/cnquery
https://github.com/mondoohq/cnspec

Devtron is an integrated Kubernetes distribution which bundles Argo, Grafana, Helm, Keda, Prometheus and more, saving you the effort of integrating yourself.
https://github.com/devtron-labs/devtron

A CLI utility for working with SBOM documents. An early project, with the initial set of tools mainly focused on extracting and using licence information from SBOM components, but with some more general plans ahead.
https://github.com/IBM/sbom-utility

Updated:

You May Also Enjoy

DEVOPS WEEKLY ISSUE #694 - 21st April 2024

less than 1 minute read

A theme of architecture this week, with posts on the development of large systems, infrastructure evolution at scale, internal developer toolchains and more.

DEVOPS WEEKLY ISSUE #693 - 14th April 2024

2 minute read

I’ve been crazy busy this week and travelling today, and with it being the start of a new quarter I thought a highlights issue, with some of the top posts fr...