  • 2022-12-05 ◦ Preparing for the Systems Design and Coding Interview - The Pragmatic Engineer

  • 2022-12-05 ◦ Hell’s Keychain: Supply-chain vulnerability in IBM Cloud Databases for PostgreSQL allows potential unauthorized database access | Wiz Blog

  • 2022-12-05 ◦ Book recommendation : softwarearchitecture

    • Ousterhout’s “A Philosophy of Software Design”
    • Software Architecture: The Hard Parts
    • Continuous Architecture in Practice - Software Architecture in the Age of Agility and DevOps
    • Software Architecture in Practice
    • “Patterns of Enterprise Application Architecture”, kind of old but still relevant
    • Staff Engineer: Leadership beyond the management track
    • An Elegant Puzzle: Systems of Eng Management
    • The Staff Engineer’s Path: A Guide for Individual Contributors Navigating Growth and Change
  • 2022-12-05 ◦ OWASP Top 10 CI/CD Security Risks | OWASP Foundation

    • CICD-SEC-1: Insufficient Flow Control Mechanisms
    • CICD-SEC-2: Inadequate Identity and Access Management
    • CICD-SEC-3: Dependency Chain Abuse
    • CICD-SEC-4: Poisoned Pipeline Execution (PPE)
    • CICD-SEC-5: Insufficient PBAC (Pipeline-Based Access Controls)
    • CICD-SEC-6: Insufficient Credential Hygiene
    • CICD-SEC-7: Insecure System Configuration
    • CICD-SEC-8: Ungoverned Usage of 3rd Party Services
    • CICD-SEC-9: Improper Artifact Integrity Validation
    • CICD-SEC-10: Insufficient Logging and Visibility

    • About the importance

      The industry is witnessing a significant rise in the number, frequency and magnitude of incidents and attack vectors that abuse flaws in the CI/CD ecosystem, including:

      • The compromise of the SolarWinds build system, used to spread malware through to 18,000 customers.
      • The Codecov breach, which led to the exfiltration of secrets stored in environment variables in thousands of build pipelines across numerous enterprises.
      • The PHP breach, resulting in publication of a malicious version of PHP containing a backdoor.
      • The Dependency Confusion flaw, which affected dozens of giant enterprises and abuses flaws in the way external dependencies are fetched to run malicious code on developer workstations and in build environments.
      • The compromises of the ua-parser-js, coa and rc NPM packages, with millions of weekly downloads each, resulting in malicious code running on millions of build environments and developer workstations.