AppSecGuy Blog

Azure DevOps versioning

A common scenario when integrating security in development activities, such as SAST scans covered in my previous blog post, is to create a reusable template that can be referenced from pipelines.

If you are new to templates I suggest you take a look at this article from Microsoft before reading further.

Security templates in Azure DevOps

In this blog post we will explore how to create a basic reusable Azure DevOps template to automate code analysis, using a popular SAST tool from Veracode. You would ideally want all development teams to have a way to enable SAST scans with minimal configuration, so that they can focus their efforts on remediation instead of configuring tooling in their pipelines. That is where Azure DevOps pipelines come in handy, as they cover the reusability part and thus make it a bit easier for developers.

Application L7 Denial-of-Service attacks

In February 2023 Sweden suffered a series of Distributed Denial-of-Service (DDoS) attacks and several Swedish websites were knocked down. A DoS is a type of attack that the attacker uses to make the victim's services unavailable, usually by sending a large number of malicious requests. The number of incoming requests becomes so high that legitimate requests end up not being handled by the victim's services, hence the denial of service. DoS is also usually distributed, in the sense that multiple bots (or zombies) and attacker-controlled machines take part in the attack to increase the probability of success. For reference, Cloudflare stated that it stopped a DDoS peaking at 71 million requests per second in February 2023!

Github Advisory database

Dependabot is the way Github alerts you about security vulnerabilities in open source dependencies. The Github Advisory Database is where Dependabot draws its knowledge from, meaning it is the database used by Dependabot to identify vulnerabilities in dependencies.

Detect hardcoded secrets using Github actions

Production passwords, tokens, AWS credentials and other types of secrets should be kept confidential and away from the prying eyes of hackers or malicious insiders. In simple terms, no one should know production passwords for databases, admin passwords, AWS credentials etc. unless there are legitimate business reasons that mandate it. Therefore, keeping these secrets hard-coded in Github repositories must be strictly prohibited.

Experiences and lessons from holding an ISC2 CSSLP certification

(ISC)² is one of the biggest organizations in education and certifications tailored for cybersecurity professionals. Their Certified Software Security Lifecycle Professional, aka CSSLP, is their certification for Application Security. According to (ISC)²:

It shows employers and peers you have the advanced technical skills and knowledge necessary for authentication, authorization and auditing throughout the SDLC using best practices, policies and procedures established by the cybersecurity experts at (ISC)².

CSSLP Summary

Github GraphQL for AppSec metrics

GraphQL is a powerful way of interacting with an API to fetch a data object containing all, or at least most, of the information that you need. It resembles REST in the way it works, but it's more powerful and faster. Instead of using multiple requests to query the server for different pieces of data that then need to be stitched together, GraphQL allows you to fetch a single custom-defined object with a single call.

Deploy Django to AWS Elastic Beanstalk

In this tutorial we will deploy our very own Django application to Amazon's Elastic Beanstalk, or EBS for short. If you haven't heard of AWS EBS yet, go ahead and check this page. In short, EBS provides a fully managed environment to help you quickly deploy your web apps without working too hard to get the underlying infrastructure in place. That's pretty cool!