#security (2021-01)

Archive: https://archive.sweetops.com/security/

2021-01-27

2021-01-26

Steve Wade

can anyone recommend some good documentation on configuring terraform compliance?

we would like to run it against CI for our terraform modules monorepo as well as when we execute this modules from other repos as part of Atlantis

Erik Osterman (Cloud Posse)

we’ve started using bridgecrew, makers of checkov.

Erik Osterman (Cloud Posse)

other tools frequently mentioned: tfsec, tflint

Erik Osterman (Cloud Posse)
bridgecrewio/checkov

Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew. - bridgecrew…

Erik Osterman (Cloud Posse)
Bridgecrew - Secure public cloud infrastructure

Built to be simple - Protecting infrastructure in the public cloud is a software engineering challenge. We solve it like one.

2021-01-19

2021-01-14

Davis Treybig

Has anyone had any trouble managing noise in appsec scanners (think Snyk, OWASP ZAP, Bridgecrew, TFSec, Clair, and all the other SAST/DAST/SCA tools) in a modern DevOps environment? E.g. too many alerts, too hard to prioritize alerts, alerts irrelevant to the business, too hard to properly define policies for which scanners run where and when, etc.? I’ve gotten the sense that a lot of cloud sec teams feel stuck figuring out how to get developers to actually fix appsec issues, and engineers/DevOps will often ignore the scan results sent over JIRA or in pull requests because there are too many. How do people solve this?

kskewes

We’re working towards eliminating high severity, but it’s going to take work. Most seem largely irrelevant though, which makes it feel like box ticking. Some don’t account for mitigations elsewhere. Upstream images have plenty of trivy findings, especially anything Debian based (ubuntu clean). I feel like trying to tighten down what we can and scheduling routine review of what we’re accepting is the only reasonable way. I.e. ratchet… Compared with implementing and stopping the world… depends on one’s risks?

kskewes

I haven’t been through soc2 etc before though.

Davis Treybig

Interesting, so it sounds like you mostly have to just extensively manually triage this stuff in order to find the stuff that is actually relevant?

Davis Treybig

It seems to me like there is an opportunity for better tooling here to improve the actionability of findings based on various signals.

2021-01-06

loren
Ditch 'The Great Suspender' Before It Becomes a Security Risk

I’ve been a fan of The Great Suspender extension for years. Even when Google would drop new features into its Chrome browser to reduce the resources inactive browser tabs eat up, I still trusted The Great Suspender to “inactivate” them for me to lessen the load on my system. But The Great Suspender has recently proven untrustworthy, and it’s probably time to say goodbye.
