Weekly Newsletter #18

Resources

Newsletters

Jul 12, 2019

Weekly Newsletter

#

18

Secrets exposed & packages exploited (again), 9 kinds of people who resist DevOps, and more

In the news this week: a security breach on Canonical's GitHub account, and another malicious NPM package. The malicious package attack follows a familiar but not necessarily easy to prevent pattern: 1) publish a “useful” package to npm, 2) wait till the target uses it, then 3) update it to include a malicious payload. It took NPM's internal code scanning tool to catch this. The GitHub account breach on the other hand, could simply be due to secret credentials accidentally left in git config files. PSA: You can use Datree to easily find out if you have any secrets inadvertently exposed to the public. When you install Datree, it will automatically scan your repos and create a status report that lists all deviations from default policies, including any exposed secrets.

Install and find exposed secrets now

‍

Is GitHub Package Registry the npm killer?

Novel concept 💡 What if you leverage the identity and authorization of repositories to apply the same level of security to packages and artifacts? While we're on this topic, also check out this talk from JS Nation 2019 on the anatomy of exploited NPM packages.

DevOps for doubters: how to deal with people who push back

If you're starting your DevOps journey - or have stalled somewhere along the way - get these 9 kinds of people in your organization onboard.

Design patterns in Node.js: a practical guide

We like practical guides - that's all we write here at Datree 😉 In this article, Fernando Doglio shares not only the code patterns but the use cases for each.

The agile manifesto from a software architect's perspective

"Sometimes people on the team might prefer to "make it work now. Make it prettier later," at the risk of degrading internal quality and increasing the technical debt. This makes sense in the light of agile, however, it can contradict a good architectural standpoint."

An inconvenient truth of the cloud native world

"Software development in the cloud-native space is slowly moving away from an engineering discipline (where developers have a very deep technical understanding of the code flow of their application) to something that feels much more like a trade where developers simply follow patterns."

Use GitHub from the command line

Yass I can now submit pull requests from the command line 👍

Datree's Weekly Newsletter is a weekly roundup of interesting and useful Git, DevOps, and architecture articles and tutorials from around the Web.