-
Notifications
You must be signed in to change notification settings - Fork 427
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
51 changed files
with
1,175 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| # Assignment Proposal | ||
|
|
||
| ## Title | ||
|
|
||
| Kubernetes secrets with Sealed Secrets | ||
|
|
||
| ## Names and KTH ID | ||
|
|
||
| - Amin Nouiser (anouiser@kth.se) | ||
|
|
||
| ## Deadline | ||
|
|
||
| - Week 6 | ||
|
|
||
| ## Category | ||
|
|
||
| - Demo | ||
|
|
||
| ## Description | ||
|
|
||
| Managing Kubernetes secrets can be challenging, especially when the infrastructure is defined in code in a public git repository. By default, Kubernetes secrets are only base64 encoded but not encrypted which is not sufficiently secure. Sealed Secrets is a tool that allows secrets to be encrypted by the developer and remain so until they reach the cluster. | ||
|
|
||
| In this demo, I will begin by demonstrating how secrets can be distributed without Sealed Secrets to illustrate the security risk. I will then introduce Sealed Secrets and demonstrate how it solves this problem and makes the distribution more secure. | ||
|
|
||
| **Relevance** | ||
|
|
||
| This demo is relevant to DevOps as it addresses secure secret management in Kubernetes which is a key principle in DevSecOps. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| # Assignment Proposal | ||
| ## Title | ||
| Automating Private Dependency Management and Version Integration | ||
| ## Names and KTH ID | ||
| - Chandni Rakhashiya (cnra@ug.kth.se) | ||
| - Emir Catir (catir@kth.se) | ||
| ## Deadline | ||
| - Week 6 | ||
| ## Category | ||
| - Demo | ||
| ## Description | ||
| In this demo, we will explore how to effectively manage private dependencies in web applications using Azure Artifacts. We will display how to store, publish, and manage packages securely within Azure Artifacts and automate its integration into applications. Additionally, we will demonstrate how to streamline version updates by integrating new version of dependency across multiple applications or environments. | ||
|
|
||
| Relevance | ||
|
|
||
| This topic directly addresses key aspects of dependency management by demonstrating how to securely manage private packages. This approach enhances control and efficiency in managing dependencies. By leveraging CI/CD, the process of handling version updates is automated and this ensures faster, more reliable updates. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| # Assignment Proposal | ||
|
|
||
| ## Title | ||
|
|
||
| Integrate RetireJS into Github workflow | ||
|
|
||
| ## Names and KTH ID | ||
|
|
||
| - Olle Gunnemyr (ollegu@kth.se) | ||
| - Sam Maltin (smhanna@kth.se) | ||
|
|
||
| ## Deadline | ||
|
|
||
| - Week 6 | ||
|
|
||
| ## Category | ||
|
|
||
| - Demo | ||
|
|
||
| ## Description | ||
|
|
||
| RetireJS is an open-source tool that can detect the use of JavaScript library versions with known vulnerabilities when developing a web application. By integrating the scan into a Github CI/CD pipeline via Github Actions, it would mitigate the risks from vulnerable libraries early in the Software Development Life Cycle (SDLC). Modifications/uses of RetireJS within Github for further security measures will also be demonstrated. | ||
|
|
||
| _Relevance | ||
| With the growing number of Javascript libraries on the web and Node.js applications, it is easier to unknowingly choose insecure libraries during development. Automating the vulnerability detection in the CI/CD pipeline by integrating RetireJS, would earlier mitigate the risks of security breaches from these vulnerable libraries, such as Cross-Site Scripting or Remote Code Execution attacks, and thus would be a relevant aspect within DevSecOps. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| # Assignment Proposal | ||
|
|
||
| ## Title | ||
|
|
||
| Using static analysis with SonarCloud to identify security flaws. | ||
|
|
||
| ## Names and KTH ID | ||
|
|
||
| - Daniel Lai Wikström (daniellw@kth.se) | ||
| - Rafael Bechara (raeef@kth.se) | ||
|
|
||
| ## Deadline | ||
|
|
||
| - Week 6 | ||
|
|
||
| ## Category | ||
|
|
||
| - Demo | ||
|
|
||
| ## Description | ||
|
|
||
| We'll be showing how integrating SonarCloud with GitHub Actions can help developers automatically discover potential security flaws in their applications. Before the demo we'll set up a repo with GitHub Actions that automatically run a sonar scan upon pushing new code. | ||
|
|
||
| During the demo we'll push some code with a security flaw such as not sanitizing user input which makes us vulnerable to XSS attack. We'll then show how this vulnerability fails the quality gate check. We’ll then show the analysis page that gives us information of where in the code the vulnerabilities are, how the vulnerabilities work and suggestions about how we can fix them. | ||
|
|
||
| **Relevance** | ||
|
|
||
| Using GitHub Actions for static code analysis upon pushing to a repo is a pretty textbook example of DevOps by facilitating Continous Integration through automatic testing upon source code changes. Since we're adding the capability of identifying security flaws to our DevOps workflow it's also relevant to DevSecOps. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| # Assignment Proposal | ||
|
|
||
| ## Title | ||
|
|
||
| Secure your git and CD pipeline with SOPS. | ||
|
|
||
| ## Names and KTH ID | ||
|
|
||
| - Sina Khoraman (sinakh@kth.se) | ||
| - Robin Eggestig (eggestig@kth.se) | ||
|
|
||
| ## Deadline | ||
|
|
||
| - Week 6 | ||
|
|
||
| ## Category | ||
|
|
||
| - Demo | ||
|
|
||
| ## Description | ||
|
|
||
| In this assignment we will demonstrate how to securely store sentitive files in git using SOPS: an open-source tool specially created for encrypting and decrypting the values in the configuration files of the software application that is being developed. We will first quickly showcase how passwords stored in configuration files can be a vulnerability. Then, we will quickly deploy SOPS and secure our CD pipeline. Our goal is to showcase how a simple script can greatly improve the security of the delivery process. | ||
|
|
||
| In this demo we aim to demonstrate that the gap between "proper security" (e.g. using Vault and dynamic keys) and "no security" (storing passwords in files) can be filled with minimal effort. | ||
|
|
||
| **Relevance** | ||
|
|
||
| Implementing security mechanisms is itself an entire task. Especially in the starting phase, the focus is always put on functionality and features, and thus, security has a tendency to be left behind. That is at least until the application reaches a certain level of maturity where proper security becomes less of a feature and more of a requirement. But, until that happens, a lot of software is left defenseless in the face of potential attackers. Thus, even minimal security, such as encrypting the passwords in configuration files, can make a huge difference. It is then important that developers are at least aware of the potential solutions that could be implemented "in the meantime". |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| # Assignment Proposal | ||
|
|
||
| ## Title | ||
|
|
||
| Using Semgrep to find vulnerabilities | ||
|
|
||
| ## Names and KTH ID | ||
|
|
||
| - Viktor Fornstad (vikfor@kth.se) | ||
| - Gustav Henningsson (ghenn@kth.se) | ||
|
|
||
| ## Deadline | ||
|
|
||
| - Week 6 | ||
|
|
||
| ## Category | ||
|
|
||
| - Demo | ||
|
|
||
| ## Description | ||
|
|
||
| We want to demo the static analysis tool called Semgrep. In the demo we will: | ||
| - Connect Semgrep to a Github repo | ||
| - Run Semgrep, with the basic rule-set, on the repo | ||
| - Show and explain the information given by Semgrep | ||
| - Create a custom rule that can be used with Semgrep | ||
| We will also explain why it is important to use static analysis tools for DevSecOps. | ||
|
|
||
| **Relevance** | ||
|
|
||
| There are hundreds of different vulnerabilities that exist and it's therefor difficult for your average developer to know of and remember all of them. To know why and how to use static analysis tools to identify vulnerabilities is important to combat this problem. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| # Assignment Proposal | ||
|
|
||
| ## Title | ||
|
|
||
| Creating security obervability with Wazuh | ||
|
|
||
| ## Names and KTH ID | ||
|
|
||
| - Jonas Liley (liley@kth.se) | ||
|
|
||
| ## Deadline | ||
|
|
||
| - Week 7 | ||
|
|
||
| ## Category | ||
|
|
||
| - Demo | ||
|
|
||
| ## Description | ||
|
|
||
| The demonstration will involve setting up a Wazuh server alongside an additional server that will simulate a production environment. I will walk through the process of adding a new server to be monitored by Wazuh, enabling Wazuh to collect and analyze logs, detect vulnerabilities, and monitor system integrity. The demo will also include real-time detection of suspicious activities and automated alerting on potential security incidents. | ||
|
|
||
| **Relevance** | ||
|
|
||
| With the increasing complexity of modern infrastructure, gaining deep security observability across all systems is essential for proactive threat detection and mitigation. Wazuh, as an open-source security monitoring platform, addresses these needs. This demo highlights Wazuh’s capability to centralize security data, helping organizations detect vulnerabilities, track incidents, and ensure compliance, all within a one dashboard. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| # Assignment Proposal | ||
|
|
||
| ## Title | ||
|
|
||
| Data Version Control for MLOps with DVC | ||
|
|
||
| ## Names and KTH ID | ||
|
|
||
| - David Streuli (streuli@kth.se) | ||
| - Wenqi Cao (wenqic@kth.se) | ||
|
|
||
| ## Deadline | ||
|
|
||
| - Week 7 | ||
|
|
||
| ## Category | ||
|
|
||
| - Demo | ||
|
|
||
| ## Description | ||
|
|
||
| In this demo, we will explore the importance of Data Version Control (DVC) in the context of Machine Learning operations (MLOps). We'll start by discussing the challenges associated with managing and versioning large datasets and ML models, especially when these assets need to evolve alongside the codebase to maintain project coherence and reproducibility. We'll introduce DVC, a powerful tool designed to handle data and model versioning seamlessly alongside code changes. We will demonstrate how to integrate DVC into the Continuous Integration/Continuous Deployment (CI/CD) pipeline, ensuring that changes in data and models are as traceable and manageable as changes in the application code. | ||
|
|
||
| **Relevance** | ||
|
|
||
| Data versioning is indispensable in the sphere of MLOps as it guarantees that changes to datasets and models are consistently applied across all stages of the development lifecycle. This approach enhances collaboration between data scientists and engineers, while also minimizing risks like data drift and model drift. By incorporating DVC into the MLOps pipeline, teams can then maintain reliable, reproducible workflows and safeguard the integrity of machine learning models as they scale. | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| # Assignment Proposal | ||
|
|
||
| ## Title | ||
|
|
||
| Using Skaffold for Local Kubernetes Development and CI/CD. | ||
|
|
||
| ## Names and KTH ID | ||
|
|
||
| - Hexu Li (hexu@kth.se) | ||
| - Tianning Liang (tianning@kth.se) | ||
|
|
||
| ## Deadline | ||
|
|
||
| - Task 3 | ||
|
|
||
| ## Category | ||
|
|
||
| - Executable Tutorial | ||
|
|
||
| ## Description | ||
|
|
||
| We will introduce how to use Skaffold for automating build, push, and deployment in a local Kubernetes cluster (Minikube). We plan to create a simple application, write its Dockerfile and Kubernetes manifest, and use Skaffold to streamline development. | ||
|
|
||
| **Relevance** | ||
|
|
||
| Skaffold can simplify the CI/CD process and speed up deployment, making it easier to modify and debug configurations. |
30 changes: 30 additions & 0 deletions
30
contributions/executable-tutorial/jmatsso-oschel/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| # Assignment Proposal | ||
|
|
||
| ## Title | ||
|
|
||
| Profiling Python Applications Without Modifying Code With Py-Spy | ||
|
|
||
| ## Names and KTH ID | ||
|
|
||
| - Johannes Matsson (jmatsso@kth.se) | ||
| - Oscar Hellgren (oschel@kth.se) | ||
|
|
||
| ## Deadline | ||
|
|
||
| - Task 3 | ||
|
|
||
| ## Category | ||
|
|
||
| - Executable tutorial | ||
|
|
||
| ## Description | ||
|
|
||
| We will be using this tutorial to show how to use py-spy, a python sampling profiler, to quickly improve performance. The tool tracks how much time is spent executing various parts of the program which helps the developer narrow down problematic areas of code faster. It can be attached to running python process, without code change or restarts required. All with a low overhead that makes it suitable to be used even in production | ||
|
|
||
| **Relevance** | ||
|
|
||
| The flexibility and automation of the tool makes it suitable in fast moving environments where it helps developers save time performance tuning, reducing time from coding to user. It can then be used in production to monitor performance so elusive bugs can be stopped easier. Identifying bottlenecks is not always easy in production code and using tools such as py-spy that can help with profiling and tracing makes it much easier for developers to do their job, therefore it is om importance to DevOps. | ||
|
|
||
| The insights gained from local profiling with py-spy can directly inform what to monitor in production. For example, if local profiling highlights specific functions or parts of the code that are resource-intensive, these areas can become key monitoring metrics in production | ||
| Py-spy works well in production environments, where it can be attached to running Python applications without restarting or modifying the code. This non-intrusive capability is critical in production monitoring, as downtime or code changes are often not acceptable. | ||
| Some other features except that it can attach to running processes is that it has low overhead and also can produce flame-graphs for visualisation. Also py-spy can be used both for pre-deployment testing and post-deployment monitoring for example in canary or blue-green deployments |
Oops, something went wrong.