Week 9 - Issue #68
In this repo, I aim to document a process for securing anything, whether it's a medieval castle, an art museum, or a computer network. Security engineering isn't about adding a bunch of controls to something. It's about coming up with security properties you'd like a system to have, choosing mechanisms that enforce these properties, and assuring yourself that your security properties hold. The process I like for securing things: We follow as many best practices as possible. We write down our security policies or high-level security goals and develop a security model or spec we follow to satisfy our policies. We can then turn our policy into a more detailed specification.
Using the :latest tag breaks one of the core requirements of continuous delivery: reproducible, idempotent builds. It can cause problems when trying to build your project and, at worst, result in a production failure. Just say no to :latest in your Dockerfile! Or anywhere else! Do you want to live in a van down by the river? Don't specify latest in a Kubernetes Pod manifest. At least if you use latest in your Dockerfile to create a versioned image, you could roll back to your previous versioned image if something happened.
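A small check for the rule above, added here as an illustration and not taken from the linked article: it flags image references that can drift, in both Dockerfile FROM lines and Pod manifest image fields. The sample Dockerfile, manifest, registry name and function names are all constructed for this example.

```python
import re
# Constructed sample inputs, not taken from the page.
DOCKERFILE = """\
FROM --platform=linux/amd64 golang:1.22 AS build
FROM build AS test
FROM alpine
FROM registry.example.com:5000/base/runtime:latest
FROM scratch
"""
MANIFEST = """\
spec:
  containers:
    - name: web
      image: nginx:latest
    - name: sidecar
      image: "registry.example.com:5000/team/proxy@sha256:CONSTRUCTED_DIGEST"
"""
FROM_RE = re.compile(r"\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)
IMAGE_RE = re.compile(r"\s*(?:-\s*)?image:\s*[\"']?([^\"'\s#]+)")

def floating_tag(ref):
    """Reason the reference can drift to a different image over time, or None."""
    if "@" in ref:                     # digest-pinned, immutable
        return None
    name = ref.rsplit("/", 1)[-1]      # a ':' before the last '/' is a registry port
    if ":" not in name:
        return "no tag (defaults to latest)"
    return "explicit :latest" if name.endswith(":latest") else None

def scan_dockerfile(text):
    findings, stages = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        if not (m := FROM_RE.match(line)):
            continue
        ref, alias = m.groups()
        # "scratch" and earlier build stages are not registry pulls.
        if ref != "scratch" and ref.lower() not in stages and (why := floating_tag(ref)):
            findings.append((n, ref, why))
        if alias:
            stages.add(alias.lower())
    return findings

def scan_manifest(text):
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if (m := IMAGE_RE.match(line)) and (why := floating_tag(m.group(1))):
            findings.append((n, m.group(1), why))
    return findings

if __name__ == "__main__":
    print(scan_dockerfile(DOCKERFILE), scan_manifest(MANIFEST))
```

Each finding is a (line number, image reference, reason) tuple, so the check can fail a CI job whenever either list is non-empty.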
CDK-notifier is a small tool that helps you to improve the review process on GitHub pull requests. It gives more confidence in the changed resources of your AWS CDK stacks. It has been used for over five months successfully. We built the tool for CircleCI as this is our primary CI system. It will use the output of the CDK diff command to post the diff to the pull request as a comment. If there is no comment within one CDK stack, no comment will be sent.
Uber's architecture has grown to encompass thousands of interdependent microservices. As a result, we need to test our mission-critical components at max load to preserve reliability. We developed Ballast, an adaptive load test framework that leverages traffic capture using Berkeley Packet Filter (BPF) and replays the traffic using a PID Controller mechanism to adjust the number of requests per second (RPS) to each service. Ballast removes the toil of writing, running, and supervising load tests and improves coverage.
Rootless Docker takes advantage of user namespaces. This subsystem provides both privilege isolation and user identification segregation across processes. Rootless Docker will not have access to privileged ports, that is, any port below 1024. The only limitation is that limiting resources with options such as --cpus, --memory, and --pids-limit is only supported when running with cgroup v2 and systemd v2. Rootless Docker can be downloaded and installed with a single command.