In the news this week: a security breach on Canonical's GitHub account, and another malicious NPM package. The malicious package attack follows a familiar but not necessarily easy-to-prevent pattern: 1) publish a “useful” package to npm, 2) wait until the target uses it, then 3) update it to include a malicious payload. It took NPM's internal code scanning tool to catch this. The GitHub account breach, on the other hand, could simply be due to secret credentials accidentally left in git config files. PSA: You can use Datree to easily find out if you have any secrets inadvertently exposed to the public. When you install Datree, it will automatically scan your repos and create a status report that lists all deviations from default policies, including any exposed secrets.
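A defender-side illustration of the git-config exposure mentioned above, added here and not code from the newsletter or from Datree: a small Python scanner over a constructed `.git/config` that flags credentials embedded in remote URLs and the plaintext `store` credential helper. The sample config, the token value and the function names are all constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample .git/config (not from the page): one remote embeds a token
# in its URL and the credential helper is set to plaintext storage.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://deploybot:EXAMPLE_TOKEN_NOT_REAL@github.com/example-org/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@github.com:example-org/app.git
[credential]
\thelper = store
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")

def parse_git_config(text):
    """Minimal parser for git's INI-like config, yielding (section, key, value).
    configparser is avoided because it treats git's tab-indented keys as
    continuation lines of the previous value."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            yield section, key.strip(), value.strip()

def find_exposed_secrets(text):
    """Return (section, key, reason, redacted_value) for risky settings."""
    findings = []
    for section, key, value in parse_git_config(text):
        parts = urlsplit(value)
        if parts.scheme in ("http", "https", "ssh") and parts.password is not None:
            # user:password@host in a remote URL is readable by anyone who can read the config
            findings.append((section, key, "credential embedded in URL",
                             value.replace(parts.password, "***")))
        elif key.lower() in ("password", "token", "secret"):
            findings.append((section, key, "secret stored as config value", "***"))
        elif section == "credential" and key == "helper" and value == "store":
            # the store helper writes credentials unencrypted to ~/.git-credentials
            findings.append((section, key, "plaintext credential helper", value))
    return findings
```

Run `find_exposed_secrets` over the real config files in a checkout (and over committed files such as `.gitconfig`) to get redacted findings without echoing the secret itself.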
Novel concept 💡 What if you leverage the identity and authorization of repositories to apply the same level of security to packages and artifacts? While we're on this topic, also check out this talk from JS Nation 2019 on the anatomy of exploited NPM packages.
If you're starting your DevOps journey - or have stalled somewhere along the way - get these 9 kinds of people in your organization onboard.
We like practical guides - that's all we write here at Datree 😉 In this article, Fernando Doglio shares not only the code patterns but the use cases for each.
"Sometimes people on the team might prefer to 'make it work now. Make it prettier later,' at the risk of degrading internal quality and increasing the technical debt. This makes sense in the light of agile, however, it can contradict a good architectural standpoint."
"Software development in the cloud-native space is slowly moving away from an engineering discipline (where developers have a very deep technical understanding of the code flow of their application) to something that feels much more like a trade where developers simply follow patterns."
Yass I can now submit pull requests from the command line 👍