Questions tagged [security]

For questions related to IT Security, Information Security or DevSecOps.

Before posting a question about Software Quality Assurance and testing, consider whether it would be more appropriate on Information Security Stack Exchange.

Security is a key element of any system that acts to protect information and infrastructure:

  • Information Security is the practice of preventing unauthorised access, use, disclosure, disruption, modification, inspection, recording or destruction of information.

  • IT Security is the practice of preventing unauthorised access, use, modification or destruction of IT Assets.

  • DevSecOps or DevOpsSec is the practice of integrating security into the deployment pipeline using automation and dynamic risk assessment processes.

98 questions

63 votes, 7 answers

How can I manage secrets in .tf and .tfstate?

I would like to use the Terraform MySQL Provider to keep a list of mysql users and grants handy for creating new test environments. The .tf and .tfstate files both seem to want to store the MySQL passwords in plaintext. Concerning .tf: It is my…
Anthony Neace
48 votes, 7 answers

What are best and comprehensive practices to consider when running docker in production?

Finally, you are so much in love with Docker that you want to move your online business-critical production systems with sensitive customer data to a Docker Swarm. Some might even already have done so. The other organization can't afford it by a…
Ta Mu
34 votes, 5 answers

Where to put ansible-vault password

We are planning to use ansible vault in our project to prevent leaking passwords or keys in git. The idea is to put all our sensitive data into a plain file then encrypt this file with ansible-vault using a password before pushing to git. To…
storm
26 votes, 6 answers

How to prohibit access to internals of Docker container?

I want to deliver my app to customers in the form of a docker image. But it is crucial to ensure that the end user does not alter anything inside the container. The user should only be able to run/stop the container and interact with the container via network. Is…
Victor Mezrin
24 votes, 2 answers

What Is SecOps?

When I first heard the word SecOps, I thought of it as a management approach that aims to connect security and operations teams, in much the same way that DevOps unifies developers and operations teams. But isn't security just a piece of the DevOps…
storm
14 votes, 4 answers

Open Ports on Google Cloud Load Balancer

It seems that by default, Google Cloud load balancers expose a number of ports unnecessarily. I haven't found a way to expose only 80/443 and every time I make one of their load balancers, the following ports are seen in an nmap: PORT STATE …
bootbeast
14 votes, 2 answers

Is it bad to use sudo from Jenkins?

I use the Publish Over SSH plugin to deploy my apps from Jenkins to different environments. Some deployment jobs do environment preps and things like stopping and restarting the app server system service. Some of those commands require sudo. I am just curious…
amphibient
14 votes, 2 answers

How to store credentials that are required by an application?

Everyone is saying that storing credentials in version control (git) is a bad thing. So there must be other ways to store credentials which are much better. An application must receive credentials from somewhere to use services it depends on. These…
Evgeny Zislis
14 votes, 2 answers

Does `npm audit` add any value when using `dependabot`?

Context There are multiple ways to scan projects for vulnerabilities. Dependabot can be configured to check repositories for issues, and automatically submits pull requests to resolve. NPM Audit will scan the packages used in an NPM solution for…
JohnLBevan
12 votes, 2 answers

How to store encrypted secrets in code for a serverless.com project?

With serverless.com, the easiest way to expose a secret to an AWS Lambda function is to store it in the serverless.yml file (encrypted with KMS, for example). But committing encrypted secrets to Git is not the best thing in the world. Requires code…
Assaf Lavie
8 votes, 1 answer

What are the best practices for anti-virus / anti-malware when using containers?

One of the SOC 2 controls is apparently around ensuring antivirus/anti-spam/anti-malware is running on production servers. I've been googling to see if there are any recommendation/best practices for this in the container world. I'm not sure if it's…
Roly
8 votes, 3 answers

Running unmanaged Hardware Security Modules (HSMs) in the Cloud

I have to admit to never having asked, or been asked, the question if it is possible to have a Hardware Security Module in a public cloud, by which I mean Google, Amazon or Azure. Has anyone found any techniques for enabling organizations to use…
Richard Slater
8 votes, 1 answer

Running the docker daemon without root

Inspired by What are best and comprehensive practices to consider when running docker in production? , I stumbled over Why we don't let non-root users run Docker... They came up with docker run -ti --privileged -v /:/host fedora chroot /host ,…
AnoE
7 votes, 2 answers

What strategies can be employed to secure sensitive data in log files?

Working in highly regulated environments, data is classified in different ways depending on its sensitivity. In some cases, this is legally enforced and must be treated differently. Examples of a data classification policy are: Highly Restricted…
Richard Slater
7 votes, 3 answers

When your micro service in production needs a secret, where is the secret stored and retrieved from?

The context of the question is Secrets management. How do you manage storing and retrieving secrets for your micro service which is in production?