1 minute read

Incident management, several posts on software supply chain security, a good introduction to fuzzing, config management and more this week.

StackHawk sponsors Devops Weekly

gRPC is the popular choice for building microservices and distributed systems. Ensuring these APIs are secure and protected against vulnerabilities is essential. StackHawk is rolling out a private beta for gRPC API security testing. Register here:
https://sthwk.com/gRPC-beta

News

Interesting post on the importance of fast initial response in incident management, introducing and explaining the concept of travel time.
https://www.bobbytables.io/p/incident-travel-time

Fosdem had a dedicated SBOM devroom this year, and the recordings of the sessions are now available. Case studies, tools, some legal discussion and more.
https://fosdem.org/2023/schedule/track/software_bill_of_materials/

I disagree with the central point of this article on AWS employees and the AWS community, but it does serve as a useful reminder. As employees of software vendors you have to be transparent and own your bias.
https://www.lastweekinaws.com/blog/the-aws-community-isnt-for-amazonians/

The SEMERU research lab from William and Mary is conducting a survey to understand issues, needs, and opportunities related to software supply chain management through Software Bill of Materials (SBOMs). Useful opportunity to contribute to research in this area.
https://wmsas.qualtrics.com/jfe/form/SV_cO4qm1gk3AFunJk

A nice detailed post on discovering vulnerabilities in libcurl using fuzzing. It’s a great introduction to fuzzing in general I think.
https://blog.trailofbits.com/2023/02/14/curl-audit-fuzzing-libcurl-command-line-interface/

Using the “supply chain” metaphor in the context of software is useful, but has some challenges when it comes to the open source community. This post (for transparency, from one of my colleagues) explores the problem a bit.
https://snyk.io/blog/when-software-isnt-a-supply/

One advantage (and I do think it’s an advantages) of publishing transparent information on uptime is it facilitates external analysis. This is a nice look at GitHub feature reliability for last year.
https://statusgator.com/blog/least-reliable-github-feature-2022/

Some quick thoughts on configuration languages, with a bias towards general purpose languages but some interesting points on the potential with embedded languages.
https://matt-rickard.com/advanced-configuration-languages-are-wrong

A handy summary of the main SBOM formats, CycloneDX and SPDX. and some related standards.
https://blog.sonatype.com/comparing-sbom-standards-spdx-vs.-cyclonedx-vs.-swid

Tools

Veraison is an umbrella project focused on components for building an Attestation Verification Service. Low level, but very important area of effort in building more trustworthy systems.
https://github.com/veraison/

OpenRewrite is a toolkit for refactoring and maintaining software, building up recipes for common refactoring operations (like upgrading Java, or a key dependency between major versions).
https://github.com/openrewrite
https://www.moderne.io/blog/overview-of-openrewrite-and-moderne

Updated: