How To: Fast and Secure builds with Bazel Remote Cache

Omer Levi Hevroni
For the past few months, I’ve used mainly Scala programing language. Like any other language, I needed a toolchain to compile my code into something I could run. When I started with Scala, I chose to go with SBT. It went pretty well, but I wasn’t very happy with it – it is a bit slow, dependency management is not amazing, and some other issues.
So I started to look for alternatives, and I was surprised to learn how many alternatives are out there. Of course, I could use any Java tools, like Gradle or Maven – which both support Scala. Like SBT, each has its own downside. While I was looking for other alternatives, I wanted to find something with a good support monorepo development strategy (as we are slowly moving our code to monorepo). And at this point, I found Bazel, a build tool by Google.
Bazel is amazing and it can do a lot of things, including building Scala source code. One of the coolest Bazel features is the built-in support for remote caching, which aims to speed up build time. For lazy developers like me, the coolest thing here is the native support for Google Cloud Storage – so I could have “serverless” cache deployment. This all sounds simple, right? Until you ask: how secure it is? And this is where things become interesting! Continue reading “How To: Fast and Secure builds with Bazel Remote Cache”
Apple Tree

How To: Awesome CI / CD for macOS apps

Omer Levi Hevroni
In the past week, I was working on building a small utility macOS application. It was pretty fun – Swift is a really nice language. One of the challenges was setting up a CI / CD pipeline: I wanted to create an app everyone could download and use after each commit, automatically. It requires a lot of digging and googling, so I wanted to share what I did – in case you’ll encounter a similar problem… Continue reading “How To: Awesome CI / CD for macOS apps”
Building Tools

How To Build Go & C Code for Windows using Github Actions

Omer Levi Hevroni
A few weeks ago, a friend of mine needed a small program that accepts data in a CSV format and produces some reports. The code itself was very simple – I’ve chosen Go because I wanted to produce an executable that could run on any machine. No runtime dependencies are required.
The fun part started when he asked to generate the PDF reports. I’ve found a good C library, wkhtmltopdf, and a Go bindings library. I got it working and was able to produce PDF files on my Mac machines pretty fast. The problem: My friend needed a Windows binary! How can I set up a CI/CD pipeline to build the executable with support for the native C library? This is the story I am planning to tell today. If you’re just interested in the TL;DR, you can just check the workflow file on Github.
So, without further ado, let’s begin! Continue reading “How To Build Go & C Code for Windows using Github Actions”
Batman kid

Nginx Ingress: The Security Hero We Need!

Omer Levi Hevroni
I love Nginx Ingress! It is a very powerful Kubernetes Ingress, with so many capabilities. But I think it does not get enough appreciation in the AppSec world. Just by using Nginx Ingress, you could get so many security features for almost free. And even better, you can enable them once – and every workload in the cluster will have them! For example, you can monitor and chase after developers to enable security headers. Or just do it once, test it once, and forget. That’s it. An entire class of bugs doesn’t exist anymore. Isn’t that existing? Let’s see what else Nginx ingress can do for us! Continue reading “Nginx Ingress: The Security Hero We Need!”
beetle on green leaf

Killing Classes of Bugs with Refined Types

Omer Levi Hevroni
A lot of application security defence mitigation fall into validation and sanitization. Many nasty bugs like XSS, SQLi, command injection etc can be avoided by just doing good input validation. Problem is – input validation is boring, and also – sometimes pretty complex. But it doesn’t have to be that way – and this is where using a language like Scala can help us out. Let’s see how! Continue reading “Killing Classes of Bugs with Refined Types”
Cronus the Titan

Cron Job for Lazy Developers

Omer Levi Hevroni
I am a lazy developer who always prefers not to build things if I can avoid them. Recently I faced an interesting challenge (you can read more about it on Snyk Blog), which requires running a set of cron jobs, that depends on each other (e.g. job B depends on the output of job A). Let’s try to see what will be the laziest solution we can find for this problem! Continue reading “Cron Job for Lazy Developers”
image of a man pulling

Using GitHub PR Flow with Terraform

Omer Levi Hevroni
In the past week, I was working on enabling Google Kubernetes Engine Workload Identity on our clusters. Workload Identity is a solution for connecting Kubernetes Service Account to Google Cloud Service Account – and by this, granting specific permissions to a specific workload on the cluster. While enabling workload identity is relatively simple, the hard question is how we enable it in scale – how we let devs use it easily and securely. And this is where Terraform come handy: using it, I can easily build an abstraction (=module) that developers could use to create all the resource required for workload identity. Writing this module allows me to carefully choose what to expose, building a paved road to be used by the developers. Finally, there are very interesting developments in the are of SAST for Terraform (see this talk, as one example) – making it an even more interesting tool. So, I decided to try and use Terraform for this. Writing the module was pretty easy (there are even public modules that exist, like this one), but how devs will use it? This is where GitHub PR flow come handy: Using the pull request mechanism (PR), we let everyone to ask permissions (self-service) while ensuring those changes go through a defined process of reviewing and testing before applying them. Let’s see how we can build the same flow for terraform! Continue reading “Using GitHub PR Flow with Terraform”
measure

AppSec Learning SRE principles: Metrics and Measurements

Omer Levi Hevroni
The field of SRE (site reliability engineering) – is relatively matured, and there is a lot written about it. Especially, Google released a really good book discussing how SRE works at Google. What can we, AppSec engineers (ASE?), can learn from SRE principles to improve our field? Today I want to focus on one aspect: metrics and measurements – something that is my personal focus right now. What metrics SRE define and measure and can we define something similar? Continue reading “AppSec Learning SRE principles: Metrics and Measurements”
kid building in lego lego

Extending Kubernetes with CRDs – The Hard Way

Omer Levi Hevroni
This is a post I was planning to write a while ago when I worked on Kamus CRD feature. CRD, or Custom Resource Definition, is a way to extend Kubernetes with a new resource. In my case, I wanted to add a new resource, KamusSecret, which is very similar to a regular Secret, just encrypted. Let’s see how this can be easily done – using my beloved language, C# 🙂 Continue reading “Extending Kubernetes with CRDs – The Hard Way”
Thanos - a hero

A Production Thanos Deployment

Omer Levi Hevroni
Today I want to talk about Thanos, a hero, that will help us with an impossible mission: A production-grade Prometheus deployment. Prometheus is an amazing tool, that can do a lot of things – from metrics to alerting. But there is one problem that is a bit harder to solve – longer-term storage for Prometheus metrics. And, after all, having metrics only for a day or two, is not that useful. And this is where Thanos fit in. Continue reading “A Production Thanos Deployment”