2022-12-05

05 Dec 2022 | tags: [ journal ]

  • 2022-12-05 ◦ Preparing for the Systems Design and Coding Interview - The Pragmatic Engineer

  • 2022-12-05 ◦ Hell’s Keychain: Supply-chain vulnerability in IBM Cloud Databases for PostgreSQL allows potential unauthorized database access | Wiz Blog

  • 2022-12-05 ◦ Book recommendation: softwarearchitecture

    • Ousterhout’s “A Philosophy of Software Design”
    • Software Architecture: The Hard Parts
    • Continuous Architecture in Practice - Software Architecture in the Age of Agility and DevOps
    • Software Architecture in Practice
    • “Patterns of Enterprise Application Architecture”, kind of old but still relevant
    • Staff Engineer: Leadership beyond the management track
    • An Elegant Puzzle: Systems of Eng Management
    • The Staff Engineer’s Path: A Guide for Individual Contributors Navigating Growth and Change
  • 2022-12-05 ◦ OWASP Top 10 CI/CD Security Risks | OWASP Foundation

    • CICD-SEC-1: Insufficient Flow Control Mechanisms

    • CICD-SEC-2: Inadequate Identity and Access Management

    • CICD-SEC-3: Dependency Chain Abuse

    • CICD-SEC-4: Poisoned Pipeline Execution (PPE)

    • CICD-SEC-5: Insufficient PBAC (Pipeline-Based Access Controls)

    • CICD-SEC-6: Insufficient Credential Hygiene

    • CICD-SEC-7: Insecure System Configuration

    • CICD-SEC-8: Ungoverned Usage of 3rd Party Services

    • CICD-SEC-9: Improper Artifact Integrity Validation

    • CICD-SEC-10: Insufficient Logging and Visibility

    • About the importance

      The industry is witnessing a significant rise in the amount, frequency and magnitude of incidents and attack vectors focusing on abusing flaws in the CI/CD ecosystem, including:

      • The compromise of the SolarWinds build system, used to spread malware to 18,000 customers.
      • The Codecov breach, which led to exfiltration of secrets stored within environment variables in thousands of build pipelines across numerous enterprises.
      • The PHP breach, resulting in publication of a malicious version of PHP containing a backdoor.
      • The Dependency Confusion flaw, which affected dozens of giant enterprises, and abuses flaws in the way external dependencies are fetched to run malicious code on developer workstations and build environments.
      • The compromises of the ua-parser-js, coa and rc NPM packages, with millions of weekly downloads each, resulting in malicious code running on millions of build environments and developer workstations.
Powered by Hugo, based on the Er theme. 2009-2023 Victor Dorneanu - All rights reserved