
DevSecOps Weekly #376: AWS KMS Threat Model

Zeno DevSecOps Weekly Newsletter is part of FAUN Developer Community. We help developers learn and grow by keeping them up to date with what matters.

⭐ Sponsors

The all-in-one monitoring solution for IT admins, DevOps and SREs

Get deep visibility into the performance of your complex enterprise applications and cloud native workloads. Identify potential issues, improve productivity, and ensure that your business and end users are unaffected by downtime and substandard performance.

Download a 30-day free trial.

👉 Spread the word and help developers find you by promoting your projects on FAUN. Get in touch for more information.

🔗 From the web

✅ What to Look for When Selecting a Static Application Security Testing (SAST) Solution

Discover how to choose the right vulnerability scanning product for your business and get started with vulnerability scanning.

Exploring Firecracker MicroVMs for Multi-Tenant Dagger CI/CD Pipelines

The author experimented with running isolated CI/CD pipelines in Firecracker microVMs for stronger tenant isolation. They set up the infrastructure, compiled a custom kernel, built a rootfs, enabled internet access, launched the microVM, and ran a sample pipeline using the Dagger engine.

The Dark Side of DevSecOps and the case for Governance Engineering

DevSecOps pipelines and golden paths secure the software delivery pipeline but not the entire development lifecycle. Monitoring production and implementing Governance Engineering can detect unauthorized changes, ensure compliance, and mitigate risks for a more secure DevOps environment.

What is SaaS Security? — Types, Challenges, Threats & Protection Guide

SaaS security protects data and applications in cloud environments. It includes data protection, access controls, infrastructure security, application security, incident response, and compliance.

Organizations should choose reputable providers, implement encryption and strong authentication, monitor for threats, and follow best practices.

Common security challenges include data breaches, lack of control, insider threats, compliance, integration vulnerabilities, account hijacking, data loss, and shadow IT.

Fingerprinting pfSense using GitHub analysis

Penetration testers use GitHub repositories to find vulnerabilities in open source applications. They analyzed the pfSense repository to determine the version of the target application. They wrote scripts to retrieve directory contents and compare files across different versions, saving the results in CSV and JSON files. By analyzing the differences, they narrowed down the target’s version.

How to Perform a Network Security Risk Assessment

Conducting a comprehensive network security risk assessment helps safeguard against cyberattacks, address vulnerabilities before they are exploited, and build trust with stakeholders and customers.

Integrating DAST Into Your CI/CD Pipeline: Benefits and Implementation

Integrating Dynamic Application Security Testing (DAST) into your CI/CD pipeline helps detect web application vulnerabilities early, improves security, speeds up time-to-market, and reduces costs. Choose the right DAST tool, start early in the development process, schedule regular scans, prioritize results, and establish feedback loops. Follow the tutorial to integrate DAST into Jenkins for automated security scanning.

✅ Vulnerability in GCP CloudSQL Leads to Data Exposure

Researchers discovered a critical vulnerability in Google Cloud Platform’s CloudSQL service for SQL Server. The vulnerability allowed privilege escalation, granting access to sensitive data and the underlying operating system. The issue was reported to Google, who mitigated it, and no customers were affected. The researchers were rewarded by Google’s vulnerability reward program. Dig Security offers a data security platform to protect sensitive data and prevent breaches.

Intelligence Insights: April 2023

CrowdStrike’s recent report reveals that the Labyrinth Chollima threat actor moved up in rank, with a significant increase in activity. The report also highlights a supply chain compromise involving malicious code in a softphone application. Defender preparation, detection, and response are key to reducing the risk of supply chain attacks.

✅ AWS KMS Threat Model

AWS KMS offers several options for key management, and whether to let AWS manage the key is a common question. AWS offers three options for encryption: AWS-owned keys (managed transparently by AWS), AWS-managed keys with limited customer control, and customer-managed keys (CMK).

⭐ Supporters

Cloud Native Microservices With Kubernetes

“Cloud Native Microservices With Kubernetes” is a hands-on, example-rich guide focused on real-world examples and practical learning that covers everything needed from the basics to the most advanced concepts.

OpenAI GPT For Python Developers

Explore the fascinating world of Artificial Intelligence and solve real-world problems!

In this practical guide, you will build intelligent real-world applications using GPT-3, DALL-E, Whisper, CLIP, and more tools from the OpenAI and ML ecosystem.

Rest assured, you don’t need to be a data scientist or machine learning engineer to follow this guide

Join FAUN’s Subreddit!

Step into the intersection of development, security, and operations at /r/DevSecOpsLinks, our subreddit.

This is the place to share and learn about the latest strategies, best practices, tools, and trends in DevSecOps. Ask questions, offer solutions, and engage in thoughtful conversations with DevOps and Security professionals.

Join us at /r/DevSecOpsLinks!

👉 Spread the word and help developers find you by promoting your projects on FAUN. Get in touch for more information.

ℹ️ News

Google Proposes Reducing TLS Cert Life Span to 90 Days

Google plans to limit the lifespan of digital certificates from a maximum of two years to just over one year, with the aim of reducing the window of opportunity for attackers to use fraudulent certificates to hijack HTTPS sites, according to a proposal it put forward last week. The policy change would make short validity periods a requirement in Chrome and set a de facto standard across the web.

Synopsys Extends Lead in Gartner MQ for App Security Testing

  • Snyk has risen to the leader category in Gartner’s latest application security testing ranking, while HCL Software has fallen to a challenger.
  • Synopsys still stands head and shoulders above the competition, emphasizing a strong execution ability, but Snyk’s strong vision in cloud, containers, and microservices sets them apart.
  • Synopsys generates $523 million in revenue from its software integrity business.
  • Veracode, Checkmarx, and OpenText join Synopsys and Snyk atop the Gartner Magic Quadrant.

Microsoft, GitHub announce application security testing tools for Azure DevOps

GitHub announced the general availability of its application security testing tool for subscribers of Microsoft’s Azure DevOps service, GitHub Advanced Security for Azure DevOps. The tool helps identify vulnerabilities and prevent exposure of secrets in Azure Repos while providing guidance to mitigate these issues across code written in various languages. The service is available for $4 per active committer per month.

CrowdStrike is the latest cybersecurity vendor to bring generative AI into its tools

CrowdStrike is set to roll out a generative AI assistant called Charlotte, which will answer users’ questions about vulnerable systems and recommend actions in real-time based on an analysis of threat intelligence. The company has trained Charlotte on its own information security events, telemetry across user devices and cloud workloads, and a dataset detailing how CrowdStrike employees stopped breaches. Charlotte is currently available in a limited private customer preview.

⚙️ Tools

prasadpanchbhai/CertifiedAppsecPractitioner

Certified Appsec Practitioner study notes.

jasona7/ChatCVE

ChatCVE is an app that uses the LangChain SQL tool to provide an LLM prompt interface over CVE and SBOM DevSecOps triage data.

aswinnnn/pyscan

Python dependency vulnerability scanner, written in Rust.

👉 Spread the word and help developers find and follow your Open Source project by promoting it on FAUN. Get in touch for more information.

🛍️ Swag Store

The Orchestrate T-shirt

❤️ 20% exclusive discount for FAUNers on all products (+free shipping included) when you use the code “THANKSFAUN”.

🤔 Did you know?

The first version of the Linux operating system was released in 1991.

😂 Meme of the week

❤️ Thanks for reading

👉 Never miss an issue
Join FAUN Developer Community and subscribe to our newsletter here.

👋 Keep in touch and follow us on social media:
- 💼LinkedIn
- 📝Medium
- 🐦Twitter
- 👥Facebook
- 📰Reddit
- 📸Instagram

👌 Was this newsletter helpful?
We’d really appreciate it if you could share it with your friends! You can also donate to help us keep this newsletter going.

ℹ️ Have a question or feedback?
Feel free to reach out to us at [email protected]. We’d love to hear from you!

🤩 Want to sponsor our newsletter?
Reach out to us at [email protected] and we’ll get back to you as soon as possible.


🐯 DevSecOps Weekly #376: AWS KMS Threat Model was originally published in FAUN — Developer Community 🐾 on Medium, where people are continuing the conversation by highlighting and responding to this story.
