In the last two weeks, I was working on releasing the first OSS release of Kamus, a secret management solution for Kubernetes. To release Kamus, I had to publish a few docker images to Docker Hub and the CLI – which is deployed as an NPM package. This was the first time I had to deal with deploying packages to a repository. Doing this process thought made me thinks a lot about the (in)security of this process, and I want to share these thoughts with you. It’s all sums up to one small question – what’s inside the box? Do you know what you install when you download a package from a repository?
A lot of application security defence mitigation fall into validation and sanitization. Many nasty bugs like XSS, SQLi, command injection etc can be avoided by just doing good input validation. Problem is – input validation is boring, and also – sometimes pretty complex. But it doesn’t have to be that way – and this is where using a language like Scala can help us out. Let’s see how! Continue reading “Killing Classes of Bugs with Refined Types”
The field of SRE (site reliability engineering) – is relatively matured, and there is a lot written about it. Especially, Google released a really good book discussing how SRE works at Google. What can we, AppSec engineers (ASE?), can learn from SRE principles to improve our field? Today I want to focus on one aspect: metrics and measurements – something that is my personal focus right now. What metrics SRE define and measure and can we define something similar? Continue reading “AppSec Learning SRE principles: Metrics and Measurements”