Another recap of a week’s worth of links, news, and discussion around technical leadership and technology; as usual, follow me on LinkedIn if you want to receive a notification when I share a new link.
Where I’ve been this week (last Friday, actually)
Last Friday I attended DevSecOps Days in London for a good day of discussions all about “shifting left” security. The conference was organized by Mark Miller, the host of the DevSecOps podcast (recommended).
I had a good debate there on an idea I haven’t been able to put into practice yet: introducing threat modeling into the agile process. Watch Irene Michlin’s talk on Incremental Threat Modeling for the details, but the basic concept is to treat threat modeling as a non-functional requirement during sprint planning, write the use cases (abuse cases), and design tests with a tool like OWASP ZAP or Burp Suite to run at the end of the sprint. I’ve taken many notes and collected suggestions from various people on the subject, and I hope to be able to write more about it soon.
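To make the “abuse cases as sprint tests” idea concrete, here is an added example (mine, not from the talk or from the post): a toy in-memory login service, constructed for the purpose, with three abuse cases written as plain functions that return True when the mitigation holds. The lockout threshold, the user store and the test user are assumptions; in a real sprint the same abuse cases would drive a ZAP or Burp scan against the deployed service rather than an in-process object.

```python
"""Abuse cases as sprint tests: added example, not code from the talk or the post.

Assumes a toy in-memory LoginService (constructed here); each abuse case is a
function returning True when the mitigation holds, so it can run at sprint end.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5  # assumed lockout policy for the example
PBKDF2_ROUNDS = 50_000   # kept low so the example runs fast; production uses more


def _derive(password: str, salt: bytes) -> bytes:
    # Slow hash so a leaked store is not trivially reversible
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    salt: bytes
    digest: bytes
    failed: int = 0
    locked: bool = False


@dataclass
class LoginService:
    users: dict = field(default_factory=dict)

    def register(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = User(salt, _derive(password, salt))

    def login(self, name: str, password: str) -> str:
        user = self.users.get(name)
        if user is None:
            # Do the same work for unknown users so timing and message
            # are identical to the wrong-password path.
            _derive(password, b"\x00" * 16)
            return "invalid credentials"
        if user.locked:
            return "invalid credentials"
        if hmac.compare_digest(_derive(password, user.salt), user.digest):
            user.failed = 0
            return "ok"
        user.failed += 1
        if user.failed >= MAX_FAILED_ATTEMPTS:
            user.locked = True
        return "invalid credentials"


# --- Abuse cases written during sprint planning ------------------------------

def abuse_case_username_enumeration(svc: LoginService) -> bool:
    """AC-1: the response must not reveal whether a username exists."""
    return svc.login("alice", "wrong") == svc.login("nobody", "wrong")


def abuse_case_brute_force(svc: LoginService) -> bool:
    """AC-2: repeated failures must lock the account, even for the right password."""
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.login("alice", "wrong")
    return svc.login("alice", "correct horse") != "ok"


def abuse_case_password_echo(svc: LoginService) -> bool:
    """AC-3: the error message must never echo the submitted secret."""
    return "s3cret-probe" not in svc.login("alice", "s3cret-probe")


ABUSE_CASES = (abuse_case_username_enumeration,
               abuse_case_brute_force,
               abuse_case_password_echo)


def run_sprint_abuse_cases() -> dict:
    """Run every abuse case against a fresh service; a False value fails the sprint."""
    results = {}
    for case in ABUSE_CASES:
        svc = LoginService()
        svc.register("alice", "correct horse")  # constructed test user
        results[case.__name__] = case(svc)
    return results


if __name__ == "__main__":
    for name, ok in run_sprint_abuse_cases().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

Each abuse case maps to one line in the sprint backlog, and the run function is what a CI job would call at sprint end; a failing case is treated like any other failed non-functional requirement.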
None of the talks are available online yet; however, here are some of the topics and tools that were discussed:
- Chris Swan of DXC Technology showed how to use interactive labs to educate developers about security (the Yellow Belt DevOps Dojo)
- Simon Maple of Snyk showed how to use didactic applications like Goof to demonstrate how a web application gets broken into; he also briefly talked about how code examples on Stack Overflow are always insecure (watch his colleague give the same talk)
Topics I talked about this week
Elsevier left one of its Kibana servers exposed to the Internet without authentication and, by the way, clear-text passwords had been recorded in it. This reminds me of Zcall, where again an ELK stack was left exposed. Facebook, by the way, did something similar, albeit on its internal network. As I wrote at the beginning of the week, it’s easy to ridicule these companies, but logging sensitive information in internal tools is just a small coding mistake away.
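The “small coding mistake” is usually a log call that serialises a whole request object. As an added example (mine, not code from the post or from any of the companies mentioned), the block below shows that mistake next to two defensive measures: structured redaction of known-sensitive keys before serialisation, and a logging filter that scrubs `password=...`-style fragments from free-text messages as a safety net. The request dict and the list of sensitive key names are constructed assumptions.

```python
"""Keeping secrets out of logs: added example, not code from the post or from
the incidents it mentions. The request dict and key list below are constructed."""
import io
import json
import logging
import re

# Assumed list of field names that must never reach a log or an ELK index
SENSITIVE_KEYS = {"password", "passwd", "token", "authorization", "secret"}

SAMPLE_REQUEST = {  # constructed sample
    "user": "alice",
    "password": "hunter2",
    "headers": {"Authorization": "Bearer abc.def", "User-Agent": "curl/8.0"},
}


def redact(obj):
    """Recursively mask values whose key is sensitive, before serialisation."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


class RedactingFilter(logging.Filter):
    """Safety net for free-text messages such as 'password=...' or '"token": "..."'."""
    PATTERN = re.compile(
        r"(?i)(\b(?:password|passwd|token|secret)\b[\"']?\s*[:=]\s*[\"']?)([^\s,\"'}]+)")

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = self.PATTERN.sub(r"\1[REDACTED]", record.getMessage())
        record.args = ()  # message is already interpolated
        return True


def _capturing_logger(name: str, with_filter: bool):
    """Logger writing to a StringIO so the emitted line can be inspected."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s %(message)s"))
    logger.addHandler(handler)
    if with_filter:
        logger.addFilter(RedactingFilter())
    return logger, buf


def log_request_unsafe(request: dict) -> str:
    """'Before': the whole request object goes to the log, password included."""
    logger, buf = _capturing_logger("app.unsafe", with_filter=False)
    logger.info("login request: %s", json.dumps(request))
    return buf.getvalue()


def log_request_safe(request: dict) -> str:
    """'After': structured redaction first, the filter as defence in depth."""
    logger, buf = _capturing_logger("app.safe", with_filter=True)
    logger.info("login request: %s", json.dumps(redact(request)))
    return buf.getvalue()


def log_free_text_safe(message: str) -> str:
    """The filter alone, for ad-hoc messages that bypass redact()."""
    logger, buf = _capturing_logger("app.freetext", with_filter=True)
    logger.info(message)
    return buf.getvalue()


if __name__ == "__main__":
    print(log_request_unsafe(SAMPLE_REQUEST), end="")
    print(log_request_safe(SAMPLE_REQUEST), end="")
    print(log_free_text_safe("auth failed for user=alice password=hunter2"), end="")
```

The key-based redaction is the primary control because it knows the data’s structure (it catches the `Authorization` header, which the regex does not); the filter exists for the message somebody writes by hand at 2 a.m. Attaching the filter to the root logger or to the handler that ships to Logstash covers every module at once.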
Streaming Data out of the Monolith: Building a Highly Reliable CDC Stack: I’m getting more and more into CDC (Change Data Capture) as a way to build event-streaming applications. It’s a simple and pragmatic way to create events out of normal database updates, and there are several tools to help with that.
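To show what “events out of normal database updates” looks like in practice, here is an added example of mine (not code from the article or from any CDC product): trigger-based change capture on SQLite, where every insert, update and delete on a `customers` table is appended to a `changes` table in the same transaction, and a consumer polls that table from its last acknowledged sequence number. The schema, table names and sample rows are constructed; production stacks read the database’s transaction log instead of using triggers, but the before/after event shape is the same.

```python
"""Trigger-based change data capture on SQLite: added example, not code from
the article or from any CDC product. Real stacks (e.g. reading the database's
transaction log) avoid triggers, but the event shape is the same."""
import sqlite3

SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, tier TEXT);

-- Append-only change table, written in the same transaction as the row change
CREATE TABLE changes (
    seq          INTEGER PRIMARY KEY AUTOINCREMENT,
    op           TEXT    NOT NULL,
    row_id       INTEGER NOT NULL,
    before_email TEXT, before_tier TEXT,
    after_email  TEXT, after_tier  TEXT
);

CREATE TRIGGER customers_ai AFTER INSERT ON customers BEGIN
    INSERT INTO changes(op, row_id, after_email, after_tier)
    VALUES ('INSERT', NEW.id, NEW.email, NEW.tier);
END;
CREATE TRIGGER customers_au AFTER UPDATE ON customers BEGIN
    INSERT INTO changes(op, row_id, before_email, before_tier, after_email, after_tier)
    VALUES ('UPDATE', NEW.id, OLD.email, OLD.tier, NEW.email, NEW.tier);
END;
CREATE TRIGGER customers_ad AFTER DELETE ON customers BEGIN
    INSERT INTO changes(op, row_id, before_email, before_tier)
    VALUES ('DELETE', OLD.id, OLD.email, OLD.tier);
END;
"""


def read_changes(conn: sqlite3.Connection, after_seq: int) -> list:
    """Consumer side: poll everything after the last acknowledged sequence number
    and turn each row into a before/after event."""
    rows = conn.execute(
        "SELECT seq, op, row_id, before_email, before_tier, after_email, after_tier "
        "FROM changes WHERE seq > ? ORDER BY seq", (after_seq,)).fetchall()
    events = []
    for seq, op, row_id, b_email, b_tier, a_email, a_tier in rows:
        events.append({
            "seq": seq, "op": op, "key": row_id,
            "before": None if op == "INSERT" else {"email": b_email, "tier": b_tier},
            "after": None if op == "DELETE" else {"email": a_email, "tier": a_tier},
        })
    return events


def demo():
    """Apply three normal writes, then consume in two polls using the offset."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # constructed data
    conn.execute("INSERT INTO customers VALUES (1, 'alice@example.com', 'free')")
    conn.execute("UPDATE customers SET tier = 'pro' WHERE id = 1")
    conn.execute("DELETE FROM customers WHERE id = 1")
    conn.commit()
    first = read_changes(conn, after_seq=0)
    offset = first[-1]["seq"]                      # consumer persists this position
    second = read_changes(conn, after_seq=offset)  # nothing new: no duplicates
    return first, second


if __name__ == "__main__":
    for event in demo()[0]:
        print(event)
```

The reliability argument of the linked article shows up in two places here: the change row is written atomically with the business row (a rolled-back update emits no event), and the consumer’s position is a monotonic sequence number, so a crash between polls leads to a replay from the last saved offset rather than to lost or duplicated events.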
6 Lessons I learned while implementing technical RFCs as a management tool: I’m trying to push RFCs as a tool to let proposals emerge from developers; they promote visible and open communication, and they’re ideal in distributed teams.
API Gateways are going through an identity crisis has been one of the most interesting articles of the week; it discusses the evolution of API gateways in a container and serverless world.
- CD Foundation, a vendor-neutral initiative for continuous delivery projects
- Amazon Aurora ascendant: How we designed a cloud-native relational database
- My arsenal of AWS security tools
- The State of Open Source security report 2019
- The main stories from QCon London ’19