Happy devSecOps — Infrastructure as Code(IaC) Infrastructure-as-Code(IaC) is a practice of managing and provisioning of infrastructure through code instead of through manual processes. This infrastructure mostly involves cloud infrastructure and a bit of on-prem infrastructure. For an example hardware, software, Operating Systems and data storage. IaC allows for the definition, version control, and automation of infrastructure…

Happy devSecOps — Background In modern scalable systems designed as microservices-based distributed systems architecture. Typically these microservices deployed using Kubernetes-based container orchestration systems. The services in the systems interacts with different external and internal endpoints. For an example external endpoints would be third party web Services/APIs etc which the services interacts with. The internal…

Happy devSecOps — HashiCorp Vault Secrets are the tokens which used to Authenticate/Authorized systems such as Database credentials, SSL certificates, SSH keys, Usernames and Passwords, AWS IAM credentials, API tokens, Social Security Numbers etc. In a given system there could be various secrets available. Most of the time these secrets are managed in ad-hoc way…

Happy devSecOps — Risk Management Framework(RMF) The Risk Management Framework(RMF) is a set of guidelines deployed for a risk-based approach to information system security and information privacy. The framework is comprehensive and is used to design and embed risk management processes within the information system development and deployment lifecycle. It allows organizations to scale cybersecurity defenses…

Happy serverless — Background DynamoDB providers a document database that has high scalability. It is kind of a similar database to Apache Cassandra. The main querying capabilities of DynamoDB are centered around lookups using a primary key and not provides full-text search. We can index the DynamoDB data on Elasticsearch to achieve full-text search…

Happy devSecOps — STIG Security Technical Implementation Guide (STIG) is a list of configuration guideline for hardening systems(e.g networks, servers, router, firewalls, active directory, DNS, OS, workstations, whole environments, individual applications, equipments etc) to improve the security. These guidelines are developed by Defense Information System Agency (DISA) for the U.S. Department of Defense. Systems…

Happy devSecOps — Background In my previous post I have discussed detailed information about public key cryptography and X.509 certificates. In this post I’m gonna discuss about decoding PEM encoded X.509 type public keys which generated from Android/iOS applications(e.g Java, Swift programs) from the JVM-based backend applications(e.g Scala) and Golang-based backend applications. X.509 and ASN.1

Happy devSecOps — 1. Symmetric Key Cryptography 1.1. Overview In Symmetric Key Cryptography, an individual key is used for both encryption and decryption. The sender needs the key to encrypt the plaintext and sends the cipher document to the receiver. The receiver used the similar key (or ruleset) to decrypt the message and recover the plaintext. Because an individual…

Happy devSecOps — Container Security Containers(e.g Docker) use layered architecture. Most containers are built from third-party base images that are available on Docker Hub. These base images may contains vulnerable packages. Further the third party software libraries which install in the containers(e.g apt packages etc) may also contains vulnerable packages. So it’s important to scan…