DevOps and Docker Updates - Issue #4

Here's my thoughts on three security related things you should check out this week.
By Bret Fisher • Issue #4

This week is about security. I’ve always considered security to be part of everyone’s job in IT. If you think “improving security” is someone else’s job, you’re doing it wrong.
I got SANS GIAC Certified back in 2005 (I wrote a white paper on SMTP gateway security techniques) and loved it, but never got the “security bug” so bad that I wanted to do only security engineering… so I stayed a sysadmin, but I always felt it was everyone’s job to keep learning security topics and implementing more of it in everything we do.
And then DevSecOps was born 🎉, and we finally had a single term we could rally around that pulls in the security staff as part of the DevOps teams and processes.
DevSecOps: Finally making friends with your security team
6 Traits That Define DevSecOps
From Agile to DevSecOps
Security scanning of code and container images should be on by default
Bret: There are so many tools in this space I won’t turn this into a list of them, but suffice it to say, you should have in your DevOps workflow at least two tools running on production commits and builds: 1) a code framework dependency scanner (Snyk, GitHub, GitLab, etc.) and 2) a Docker image scanner (Aqua Microscanner, Docker Enterprise DTR, and more).
Note those aren’t about scanning the code you write, which has its own list, but rather the code you don’t write.
Also note that the above is just a start, but it’s also easy to add to your workflow. A growing problem right now is that we don’t know what code we’re running, and the above dependency scanning will help reduce that risk. There are lots of other areas like security monitoring, logging all the things, firewalls, RBAC, etc. etc., but hey, you gotta start somewhere.
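As an added example (not from the newsletter or from GitLab’s docs), here is a minimal .gitlab-ci.yml that turns on both of the scans above using GitLab’s bundled CI templates: the Dependency Scanning template covers the framework dependencies your code pulls in, and the Container Scanning template scans the image the build job just pushed. The image tags, registry variables and stage names are assumptions for illustration; the template paths and the CS_IMAGE variable are the ones GitLab ships.

```yaml
# Added example: one pipeline, two scanners, both on every commit/build.
include:
  # 1) dependency scanner for the code you don't write (npm, pip, Maven, etc.)
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  # 2) Docker image scanner for the OS packages baked into the image
  - template: Security/Container-Scanning.gitlab-ci.yml

stages:
  - build
  - test      # both template jobs run in the test stage by default

build_image:
  stage: build
  image: docker:24          # assumed Docker version; any recent tag works
  services:
    - docker:24-dind
  script:
    # Tag the image with the commit SHA so the scan result maps to exactly one build.
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

# Point the template's container_scanning job at the image built above.
container_scanning:
  variables:
    CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
```

Findings from both jobs land in the merge request and the project’s vulnerability report; to actually block a merge on high-severity results you still have to add a policy or approval rule, the scans alone only surface them.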
GitLab Expands Scope of DevOps Ambitions
Start with a few resources to understand the topics and landscape
SANS Institute: Newsletters
GitHub - devsecops/awesome-devsecops: An authoritative list of awesome devsecops tools with the help from community experiments and contributions.
Thanks for reading, see you next week!
Bret Fisher, Virginia Beach, Virginia, USA