security
Posts about security.
2023
Team Autonomy vs Enterprise Alignment
Tooling is an important aspect of DevSecOps - but culture dramatically influences how organization scale. In this post I’ll talk about a key cultural concept: Team Autonomy vs Enterprise Alignment. Continue reading Team Autonomy vs Enterprise Alignment
Spicy Takes 🌶️🌶️🌶️ on RSA 2023
I was recently at RSA for the first time. I have some spicy takes from the week. Continue reading Spicy Takes 🌶️🌶️🌶️ on RSA 2023
Allowing Bypass of Secret Scanning Push Detections is a Good Thing
Secret Scanning Push Protection allows you to block pushes that contain secrets. These blocks can by bypassed, which may be surprising. However, allowing bypasses is actually a good thing! Continue reading Allowing Bypass of Secret Scanning Push Detections is a Good Thing
2022
Fine Tuning CodeQL Scans using Query Filters
CodeQL is a fantastic Static Analysis Scanning Tool (SAST). It can be enabled quickly using Actions, but it can be hard to figure out how to fine-tune which queries are run. In this post I’ll cover using Query Filters to fine-tune your CodeQL scans. Continue reading Fine Tuning CodeQL Scans using Query Filters
Shift Left - How far is too far?
We’ve all heard the mantra to “shift left” - mainly for testing but also for security. Security scanning earlier (lefter 😸) in the process makes sense, but can you shift left too far? Continue reading Shift Left - How far is too far?
Using OIDC with Terraform in GitHub Actions
I’ve posted before about how to authenticate to Azure in GitHub Actions using OIDC. It should follow that Terraform templates would be easy to use - but there are some gotchas. Continue reading Using OIDC with Terraform in GitHub Actions
GHAS Will Win the AppSec Wars
GitHub Advanced Security is positioned to win the “AppSec Wars”. In this post I go over why I think this is the case. Continue reading GHAS Will Win the AppSec Wars
2021
Displaying Help for Custom CodeQL Queries
The latest release of CodeQL CLI now includes the ability to display help files for custom queries. In this post I walk through how to get your custom help files to display. Continue reading Displaying Help for Custom CodeQL Queries
GitHub Actions: Authenticate to Azure Without a Secret using OIDC
Authenticating to Azure in GitHub Actions requires a secret for a Service Principal. However, at Universe, GitHub released a new OIDC-based authentication mechanism that eliminates the need for secrets in secure deployments. Continue reading GitHub Actions: Authenticate to Azure Without a Secret using OIDC
Enforcing Reusable Workflows for Standardization
Reusable workflows are great, but how do you ensure that teams are using your reusable workflows? In this post I show how you can structure repos, teams and environments to ensure standardization for your workflows. Continue reading Enforcing Reusable Workflows for Standardization
Comparing Code Quality Metrics with Code Security
Code security is becoming more important for modern software development. What about code quality metrics? How do code quality metrics and code security compare and contrast? I’ll discuss some thoughts in this post. Continue reading Comparing Code Quality Metrics with Code Security
Custom CodeQL
CodeQL is a powerful code scanning tool that can be integrated into your pipelines. In this post I show you some basics, as well as how to develop and integrate custom queries into your pipelines. Continue reading Custom CodeQL