Tag: Security

Scanning Infrastructure as Code (IaC) for vulnerabilities

In the modern world where it feels like every sentence has a Dev⭐Ops word in it, one that is probably used more than most is DevSecOps.
When teams focus on DevSecOps they make sure to integrate security into every phase of development, and this includes scanning for vulnerabilities as early as possible.

This video shows you briefly how you can use Snyk to scan your Terraform templates for vulnerabilities from your CLI, as well as on every commit pushed to GitHub.

Managing GitHub secrets using terraform

In this video we'll take a look at managing GitHub secrets using Terraform, as well as federated identities from GitHub into Azure.

You should only be storing secrets if you absolutely need to. In this demo we are only accessing storage accounts, but the change from a storage connection string to an Azure federated identity means we can access any resource the identity has been granted access to through RBAC, which is a much better overall approach.

Setting up commit signature verification for GitHub

Ever wondered why some commits show as verified and others don't? Take a look at how you can make sure all your commits are verified. The commands from this video are available in this gist: https://gist.github.com/DevStarOps/6c88482ecd632ba04d68d9e15590b4a2

Allow project users to manage Permissions Groups in Azure DevOps

In this video I'm going to show you how to allow project users who aren't project administrators to manage Permissions Groups in Azure DevOps.

Create pfx certificate file for Azure Web Apps from Cloudflare origin cert using openssl

Every time I create a new project using Azure Web Apps (or even IIS) and I need to add a pfx file for end-to-end HTTPS, I run into the same problem: Cloudflare gives you a private key and a certificate, but you can't use those directly with Azure Web Apps, and I keep forgetting exactly how to convert them. So, as I do sometimes, I'm going to post the steps so that they're helpful to others as well as future me.

The importance of regression testing and real world security consequences

Organizations often put a lot of effort into testing their products: tons of unit testing and integration testing across their UI and API layers, but sometimes the strategy is simply to cover everything. This doesn't always add value to their pipelines, because the metric being chased is not value (which, admittedly, is a hard thing to measure) but rather a coverage metric.

To start with, I don't know whether this testing strategy is what was happening at TicTocTrack, but regression testing is definitely highlighted as something that would have been valuable for them. A security vulnerability discovered around a year ago by fellow MVP and security expert Troy Hunt was patched, and then earlier this year I re-discovered it

Setting up 2 factor authentication and email verification with .net core 2.0

Today I played with a new .NET Core template just to see what the authentication options were out of the box, and I was surprised to see just how easy it is to go from nothing to a base project with authentication fully baked in, including 2 factor authentication and email verification.

Connecting agents to TFS using integrated security on http from external domain

If you have TFS on the domain, you are trying to connect agents to it from outside the domain, and TFS is not running on HTTPS, then this post is for you.