DevOps is a culture, movement or practice that emphasizes the collaboration and communication of both software developers and other information-technology (IT) professionals while automating the process of software delivery and infrastructure changes.
Questions tagged [devops]
19 questions
25 votes, 2 answers
Juggling bus factor & separation of duties on a small team?
I am lead dev on a team of five people. Only three are coders. And only the coders are really technical enough to do a roll-out of our application to a production server.
Our app is pretty successful and we have attained some high profile…
Neil N
6 votes, 3 answers
Security Testing Methods for Enterprise Level
I have been asked to perform risk assessment for a company. The scope covers about 100 applications and in various business units. Major task is to assess currently implemented security controls and provided recommendations after the assessment.…
ray bash
5 votes, 1 answer
Security in automated systems using Puppet and Chef
In an extremely interesting presentation at Puppet Camp London, Tomas Doran suggested a pretty radical approach for keeping everything automated by managing tons of Docker containers with Puppet.
As a security-conscious person, I like the idea of…
Naftuli Kay
4 votes, 1 answer
Antivirus settings for developers and build machines?
I work in a company that has strict antivirus policy. Each computer must have an up-to date antivirus with all the bells and whistles turned on.
But as developers, this is giving us problems.
Most noticeable is performance degradation. As…
Euphoric
4 votes, 1 answer
Difference between AppSec Pipeline vs DevSecOps
There is a thing about implementing security in the early phases. OWASP mentions implementing it through an AppSec Pipeline. DevOps folks talk about DevSecOps. Looking at the diagrams and phases of implementation, it seems like they are both the same? Yet…
Lester T.
3 votes, 0 answers
Secure a Jenkins node to only run approved scripts?
We have a series of Jenkins nodes that are used to deploy changes onto our SQL Servers, which works fine as long as everyone behaves and can be trusted.
The worry is that a rogue developer or hacker could simply add something like this into a…
Lobsterpants
1 vote, 0 answers
Security Team and Security in a small-medium organization/startup
How should one structure a Security Team, and how should it work, in an agile organization (100 devs)?
Found this article:
https://kislayverma.com/organizations/independence-autonomy-and-too-many-small-teams/
Where I agree with it, for software dev, I am…
dev
1 vote, 2 answers
Security implications of source code location
We're working towards implementing an SDLC for a company and, as in any complex environment, there are differences of opinion about the new process. Some of the developers want to make use of one directory, others want to use another. Due to IT resource…
Joe
1 vote, 0 answers
Secure API access with mobile apps in restricted environments
In our current project, IT rules prohibit anything that is not PROD to be publicly accessible from the Internet. Access to development and review environments must be severely restricted. That said, the project also includes mobile apps that are…
Ilya Ayzenshtok
1 vote, 1 answer
Applying IT Sarbanes-Oxley (SOX) to a tool management application
Does an application that manages access controls to a suite of tools (Jenkins, Nexus, BitBucket) in a SOX environment need to be considered a SOX application?
The app itself only deals with data in transit and uses authentication to properly…
Adgezaza
1 vote, 0 answers
Dev(Sec)Ops - Analysis and testing frameworks for developers
I work in a development team and we are looking at moving into DevOps with a "shift left" approach with regards to security, to bring us in line with DevSecOps.
What analysis and testing frameworks are available? How best to approach the user stories…
pee2pee
1 vote, 0 answers
Ideas for a security framework for DevOps
I am trying to put together a security control framework based on people, process and technology for DevOps operating practices. What controls do you think must be included?
J1181
0 votes, 0 answers
Is there much practical security value in using passwords/usernames for postgres instances used on development machines?
So say you are developing multiple different projects for different clients and want your developers to use postgres on their development machine (i.e. localhost connection in the development environment). Does one add much/anything, from a security…
Jack Kinsella
0 votes, 0 answers
AWS IAM Access Issue
We previously had some AWS keys. The IAM interface shows/showed no usage for them, but the employee has been able to upload resources. Could anyone advise how to check whether the interface is just erring or whether they were perhaps not using these…
samtech 2021
0 votes, 1 answer
What exploit is trying to be leveraged here? (Apache access.log)
I've just deployed a barebones Apache server on Digital Ocean, only hosting static files. No PHP et al.
I'm not too bothered to see random exploit attempts, but 99% of the requests are of this similar format and I'd like to know what they are trying…
Corey