Package Managers

Dev, DevOps, Security, Testing
I've wondered why Npm seems to have so many security fires compared to, e.g., the Python package system. They shouldn't be that different. Anyway, there are reasons: https://blog.acolyer.org/2019/09/30/small-world-with-high-risks/

I'm amused that new Pip is basically adopting the lockfile from Npm, for exactly the same reason: nailing down transitive dependency versions. If package A wants package B, and B doesn't specify exactly what its dependencies are, then installing package A at various times will have unpredictable results.

Example

As a developer you use package A, and specify its exact version. You create lots of awesome code and tests, and everything is wonderful. Then you send your code to CI...

The CI system of course rebuilds everything from scratch. It installs package A, and dependent package B. Package B has been updated since the time you…
Security for Humans

Security
Security for Humans: How to Be Secure but Stay Sane

Featuring me exercising (perish the thought!), cats, and the ISO-27001 certification. Here's the Google Doc.

I gave this talk at the TestableLA Meetup in 7/2019. The point was to show how big-S Security (aka Risk Management) is actually a concrete, logical process, not something to freak out about. Just like Devs and QA have a feedback cycle with code and tests, in Risk Management the business has a feedback cycle. The business has certain assets (people, information, servers), and certain risks to those assets (a person leaves, information leaks). Risk Management is a process to estimate the cost to the business, and either fix the problems or remediate them. It makes a lot of sense, actually.

Resources: https://www.iso27001security.com/html/toolkit.html: Tons of documents and…

CI Tip: block insecure changes to your source code

Dev, DevOps, Security
As a dev or devops person, it's pretty easy to accidentally expose AWS or other secrets by putting them into "temporary" code or environment files. Once a secret appears in version control, it should no longer be trusted; go ahead and rotate the key.

Here's how to write a checker, so that secrets won't make it into source code! This is perfect for a Git commit hook.

The important feature to use is Perl-style regular expressions, which allow you to say "match this exactly N number of times". Also, the "-w" flag to Ack lets us match on word boundaries. Thus, if something is a whole word and exactly some number of characters long, we flag it.

Example:

$ echo 'I love gin' | ack -w '[a-z]{3}'
I love gin

This example finds words of exactly three…