Discover and read the best of Twitter Threads about #devsecops

Most recent (12)

Let's talk about security into the software development lifecycle.
#DevSecOps helps you identify and mitigate #security risks early in the development process, reducing the chance of a breach and improving the overall security of your apps. 🔒
This means designing security into the development process from the start. Here are some best practices for implementing #DevSecOps in your organization:⤵️
1) Shift left: Incorporate security early in the development process by integrating security testing, a security-focused code review process and analysis tools into the continuous integration and continuous delivery (CI/CD) pipeline. Security from design to deployment.🔄
Read 10 tweets
Are you taking advantage of Rego's policy language for your #cloudsecurity needs?

If you're not, you need to check out these amazing resources to help get you started 🧵👇

#CSPM #Coding #CNAPP #CISO #DevSecOps
Getting started with Open Policy Agent (OPA) to improve your #cloudsecurity!

💙 What is OPA and why should you use Rego
💙 How to write your first OPA policy

#CSPM #Coding #CNAPP #CISO #DevSecOps

🧵2/5
wiz.io/blog/getting-s…
Step 2: Learn the basics of Rego Wiz 👇

#CSPM #Coding #CNAPP #CISO #DevSecOps

🧵3/5

datocms-assets.com/75231/16745778…
Read 5 tweets
How a simple web-app assessment led to complete #AzureAd tenant takeover 🤯
🧵 👇
#Azure #AzureKubernetesService #aks #Kubernetes #KubernetesSecurity #k8s #bugbounty #bugbountytips #bugbountytip #DevSecOps
1. Poorly designed file upload functionality led to RCE
2. Turned out the app was running in a container managed by #AzureKubernetesService (#AKS)
3. #Container was mounting a service account with permissions to deploy #pods in the same namespace
4. I deployed a new pod with hostPath root volume. Deployment was not blocked by any security policy. #Pod got deployed
5. I exec-ed into the pod's #container and escaped it through its hostPath volume. #privesc to the #AKS node succeeded!
Read 7 tweets
Mounting a #Kubernetes service account to a pod with permissions to deploy other pods implies that if your app has RCE, a threat actor will be able to infect other Services in the cluster (yes, even if you use strict PSPs) #KubernetesSecurity #k8s #aks #gke #eks
#DevSecOps
🧵 👇
Background:
▪︎ A Service in #k8s is an object that balances HTTP requests between pods belonging to that Service
▪︎ A Service identifies its pods through a set of labels (e.g. "fancy-app: prod", "db: users", etc)
▪︎ A pod with a label associated with a Service will become part of that Service automatically

Attack scenario:
1. A pod is mounting a service account with permissions to deploy other pods
2. A container in the pod is running a vulnerable app, providing RCE to an attacker
Read 6 tweets
Hello world! From my 10 yrs as a dev working at scale and talking to 300+ security engineers, I have been meaning to share some dos-and-don'ts of API Security. 🤠

This is my first time posting on Twitter. Shower some love 🕺 #apisecurity #securecodingpractice #devsecops
Starting with the most common practice - API Keys 🔑. These are
- used for many 3rd party integrations
- given to clients to access data programmatically
- for inter-service communications

It'd be awesome 😃 if you can add more or share any bitter experiences around API keys 🤐
0⃣/9⃣
API Keys aren't as secure as authentication tokens. Tokens like JWT are far stronger and have an expiration date by nature.
Read 14 tweets
This is the live tweet thread for the @DockerBangalore meetup celebrating Docker's 9th Birthday.

If you're not interested, feel free to mute this thread 🔇

#docker #docker #meetup2022
Shilpa Kallaganad, Enterprise Solutions Lead at @jfrog, kickstarts the meetup with her insights on DevSecOps Workflow in Modern DevOps Culture.

@DockerBangalore
#devops #devsecops
@ajeetsraina, Docker Captain and Community Leader is here with his insightful overview and current state of Docker.

@DockerBangalore #docker #devops
Read 9 tweets
IMO #DevSecOps has a close-knit relationship with #ZeroTrust. Let's dive in with a 🧵
I've already tried to cover ZeroTrust as a summary here 👇2/
The way I see it, both the identity and policy aspects of ZeroTrust require/can do with a solid "shift left" approach of being able to incorporate identity and policy checks in the build/deployment flows. 3/
Read 7 tweets
🗣 What do we talk about when we talk about POLP? The “Principle of Least Privilege” is perhaps one of the most complex concepts to address in practical terms. Yes, it is also the idea that any user, program or process should have the minimum privileges necessary. Thread.
🚨 From the platform point of view (specifically AWS), there are some tools aimed at closing the gap between implementation complexity and results, no small matter considering that adhering to this principle helps reduce attack surfaces.
💡 Cloudsplaining: an AWS IAM assessment and reporting tool that identifies least-privilege violations 👉 github.com/salesforce/clo…
Read 6 tweets
📚 tl;dr sec 105
* #DevSecOps - @NIST on microservices + service mesh
* @ErmeticSec Defending S3 from ransomware
* @falco_org labs
* Risk-Based Security Decision Making at @netflix
* @brutelogic XSS exercises
* @trailofbits osquery + macOS EndpointSec

tldrsec.com/blog/tldr-sec-…
📢 Sponsor: Learn how “Detection-as-Code” is changing how security teams write, test and harden detections. blog.runpanther.io/detections-as-…
Risk-Based Security Decision Making at @netflix
eventbrite.com/e/risk-based-s…

@ztgrace A tool for detecting default and backdoor creds
github.com/ztgrace/change…

@omer_gil Bypassing required reviews using GitHub Actions
medium.com/cider-sec/bypa…
Read 9 tweets
D1 of #50daysofudacity
I finished up to Lesson 2.19
My notes can be found here for quick reference
docs.google.com/document/u/1/d…
D2 of #50daysofUdacity
I finished up to Lesson 2.25
Also completed the lab assignment for a linear regression model to predict the price of a taxi in New York City
My notes can be found here for quick reference

docs.google.com/document/u/1/d…
D3 of #50daysofudacity
I finished Lesson 2
Also completed the lab assignment for a linear regression model to predict the price of a taxi in New York City
My notes can be found here for quick reference
docs.google.com/document/u/1/d…
Read 53 tweets
#DevOps evolved to #DevSecOps to consider #security.
Same way we need to evolve #mlops to #mlsecops to consider issues of security considering #AI.
Over time, for #iot we also need to amend #DevOps to consider #IOTOps, where we combine #hardware and #SoftwareEngineering together in #agile fashion.
Put a #cybersecurity flavor and it will evolve to #iotsecops.
Combine #iotsecops, #DevSecOps and #mlsecops together and we are looking for the first time at a holistic and cross-cutting #agile development paradigm encompassing #SoftwareEngineering, #hardware, #iot, #ml, #AI and #security.
I am still searching for a good name for it.
Read 3 tweets
Jihai Zhou is going to tell us about implementing DevSecOps in large banks. #DevOpsDays
In Jihai’s experience in London, a strong concept of DevOps has developed over the last 3-4 years. He just moved to HSBC’s Technology China office and finds the awareness of DevOps is less developed there (so far!). #DevOpsDays
Now he’s started to introduce DevSecOps there too. 💪 DevOps means better, faster cooperation between teams to deliver software... but rapid development conflicts with security. So let’s remove the barrier with security too! #DevOpsDays
Read 25 tweets