Use this tag for questions about DevOps and Security
Questions tagged [devsecops]
25 questions
48 votes, 7 answers
What are best and comprehensive practices to consider when running docker in production?
Finally, you are so much in love with Docker that you want to move your online business-critical production systems with sensitive customer data to a Docker Swarm. Some might even already have done so. The other organization can't afford it by a…
Ta Mu
5 votes, 1 answer
Why unable to find the exact path for grains storage in master?
I am trying to completely remove the grains from the system. I have one master and one minion setup (minion id = minion1). I am doing
salt minion1 grains.ls
that is listing me all the grains
Now I removed data.p which is the cache memory for the…
Dheeraj Chelaramani
4 votes, 1 answer
How to securely pass sensitive data to EC2 Spot instances?
Right now, we only use EC2 on-demand instances, and we provision sensitive data (credentials, private keys, etc.) on the instances' EBS which are encrypted with a KMS key.
My understanding is that I have a few ways to pass those secret data to Spot…
Philippe
3 votes, 4 answers
How to raise awareness about the security risk involved with running Docker?
I'm in the process of preparing a Docker course for students with little to no familiarity with containers, the underlying OS mechanisms involved, and their implied limitations.
In many Docker tutorials, security concerns often go unmentioned. And…
Sylvain Leroux
3 votes, 2 answers
Mitigating Maven Central risks as seen from the DevSecOps perspective
AFAIK there are two official primary repositories for Maven packages (Java language):
search.maven.org offered by Sonatype Inc.
mvnrepository.com offered by a private person @frodriguez
Now obviously it makes sense to have a complete archive for…
Ta Mu
2 votes, 3 answers
What are trusted providers that offer wildcard certificates and associated costs to be used in an Orchestration Platform like Kubernetes?
Currently, certbot and nginx are used to create a trusted webpage. Recently, an attempt was made to move the images to a kubernetes cluster on google cloud platform. A guide was found to configure an SSL loadbalancer. It was tried and it shows…
030
2 votes, 1 answer
Issue integrating acunetix with jenkins
First of all, thank you for reading my question, I really appreciate it! I am trying to integrate Jenkins and Acunetix (a vulnerability scanner software), but it seems to be near impossible... My situation is as follows:
There are two machines, a…
4LB3R70
2 votes, 1 answer
Continuous deployment strategies vs DevSecOps
How do you implement security requirements in CI/CD while taking care of security requirements? What are best practices here?
Security requirements may differ, let's assume this simple level of security:
Direct administrative access to target…
Ta Mu
1 vote, 1 answer
Mitigating Docker Compliance Issues - Can I put everything in the `daemon.json`?
I am going through compliance tasks to harden our Docker setup and I am seeing many things like
Favor using docker run with docker run --pids-limit 100 to prevent forkbombs
Favor using docker run with docker run --security-opt=no-new-privileges to…
David West
1 vote, 1 answer
Possibility of container breakout compared to VM (virtual machines)
What exactly is the (higher) vulnerability, at least theoretically, of a container compared to a VM, given that all security recommendations are implemented (like user context is root, no host-sensitive volumes are mounted, tuned capabilities, ...)?
How…
Ta Mu
1 vote, 2 answers
Need to understand the career path for DevOps
I am a frontend developer, planning to gain hands-on experience in DevOps. However, I'm not sure if only DevOps or DevSecOps.
Recently I tried learning Jenkins while last year took an Udemy course on AWS. I am pretty much aware of Shared hosting…
meDeepakJain
1 vote, 1 answer
How to avoid disclosing account ID in AWS ARN
I'm new to the AWS ecosystem and have what might be a naive question. While trying to create a GlueRunner Lambda stack with CloudFormation (using pynt), from the Cloud9 shell of an account with all the relevant permissions set up through IAM,…
strangeloop
1 vote, 2 answers
How securely to keep google cloud service account key?
I want to ask about how we should securely keep service account key. The scenario looks like:
Our product is connecting to BigQuery.
We have project which is used only by developers as…
Mariusz
0 votes, 2 answers
CIS Benchmark for Docker and Docker Bench for Security: why, how and when?
I just learned about Docker Bench for Security and CIS Benchmark for Docker Community Edition.
Why, how and when am I supposed to use these tools?
Sylvain Leroux
0 votes, 1 answer
What percentage of microservice architectures employ polyglot programming models?
One of the tenets of microservices is the polyglot, autonomous services (developed in different programming languages). In my experience (online reading and YouTube and discussions with developers) it seems this is not really applied in practice…
SyCode