Previous part https://medium.com/@ahmad.aabed/devsecops-stating-the-obvious-14b53a36b53f
I am still stating the obvious when it comes to DevSecOps 😄
Review your tools
Nowadays, it became super easy to add a new tool to your stack
Log in with Github and there you go, you have a tool for code quality coverage. Allow access to AWS and there you go you have a tool for billing analysis.
While those tools are really helpful, you should always ask yourself
- Who are the creators of a certain tool, what is their reputation
- What the minimal access the tools can get
- What if the creators are malicious
- What if the creators have a malicious internal…
I am not sure if it’s wise to use the term DevSecOps or not, but why not 😃
I will be sharing some of the very obvious practices to secure modern infrastructure, you know (AWS, CI servers, Kubernetes, Docker …etc)
all the new cool stuff 😃
Why I am stating the obvious? because people are forgetful, lazy, greedy and wishful in our industry
Let me start by one of my favorite quotes regarding threat modeling
“Threat modeling is really important, because if you’re not threat modeling and you’re making security decisions, you’re really throwing things at the wall and hoping for the best.” …
