Best practices

A collection of 22 posts

Securing your SDLC (Software Development Life Cycle)

In this post, we are going to break down the SDLC and look at how we can add security at each stage with helpful resources.

Investigating, prioritizing, and remediating thousands of hardcoded secrets incidents

This article aims to give application security teams a guide to effectively prioritizing, investigating, and remediating hardcoded secrets incidents at scale.

9 Extraordinary Terraform Best Practices That Will Change Your Infra World

This "best practices" article aims to tell you something you haven't read a hundred times. It won't give you the answer to everything, because there is no single right answer that fits all. It aims to make you think about your unique situation and decide accordingly.

Securing Containers with Seccomp: Part 2

This tutorial will guide you through setting up a GitHub Action that generates a Seccomp filter for your application, a cutting-edge security feature for hardening containerized workloads.

Mackenzie Jackson, GitGuardian: “code security needs to be a layered approach”

Security should be something that companies implement into the software development lifecycle as early as possible. It should be a consideration at every step of development, from design and through to deployment and every incremental change made thereafter.

Data Breach: a 5 Steps Response Plan

A data breach is one of the worst scenarios in today’s enterprise security. What’s your plan to remediate this kind of situation, minimize the impact, and ensure business continuity? Although there is no such thing as a one-size-fits-all tactic, the following steps are crucial to a positive outcome.

CI Pipelines: 5 Risks to Assess

More and more parts of the software development process can occur without human intervention. However, this is not without its drawbacks. To keep your code and secrets safe, you should add the following security practices to your CI pipeline.

10 Rules for Better Cloud Security

Cloud security is a shared responsibility and a big challenge. Here are the basic rules to have in mind to set up efficient guardrails.

Supply Chain Attacks: 6 Steps to protect your software supply chain

This article looks at software supply chain attacks: exactly what they are, and 6 steps you can follow to protect your software supply chain and limit the impact of an attack.

Improving the Nation's Cybersecurity — Minimum Testing Standards for Software Vendors (part 2)

Continuing our coverage of the Executive Order on Cybersecurity, let's look at the minimum testing standards for software vendors as described by NIST.

Hardening Your Kubernetes Cluster - Guidelines (Pt. 2)

In this second episode, we will go through the NSA/CISA security recommendations and explain every piece of the guidelines.

Hardening Your Kubernetes Cluster - Threat Model (Pt. 1)

The NSA and CISA recently released a guide on Kubernetes hardening. We'll cover this guide in a three-part series. First, let's explore the Threat Model and how it maps to K8s components.

Improving the Nation’s Cybersecurity — What is 'Critical Software' and how should it be secured? (part 1)

On May 12th, 2021, the National Institute of Standards and Technology (NIST) launched an initiative under Executive Order (EO) 14028 to improve United States cybersecurity.

Security in Infrastructure as Code with Terraform — Everything You Need to Know

With DevOps, we try to manage our infrastructure using pure code. Since all our infrastructure is managed by code, the security of the code that actually manages the infrastructure is crucial. This article looks at how we can keep our infrastructure as code secure.

Data Security — an Introduction to AWS KMS and HashiCorp Vault

While Vault and KMS share some similarities (for example, both support encryption), in general KMS sits on the app data encryption / infra encryption side, and Vault on the secrets management / identity-based access side.

How to safely open-source internal software — Some best practices

In this post we'll focus on a few essentials that should be done before making your project open-source.

File types that most commonly contain sensitive information

As outlined in the State of Secrets Sprawl report, 5 million credentials and other secrets get leaked on GitHub every year. This is an in-depth look at which file extensions most commonly contain secrets.

How to scan local files for secrets in python using the GitGuardian API

How to scan local files for secrets like API keys and security certificates in Python using the GitGuardian API.

Best practices for managing and storing secrets including API keys and other credentials [cheat sheet included]

Storing and managing secrets like API keys and other credentials can be challenging; even the most careful policies can sometimes be circumvented in exchange for convenience. We have compiled a list of some of the best practices to help keep secrets and credentials safe.

8 free security tools every developer should know and use to Shift Left

A list of 8 free, must-use security tools every developer should know about to help them secure their code and Shift Left.

8 steps to keep remote development teams secure

There is no doubt that the world's workforce is becoming more remote, particularly in tech as developers can now work from any location in the world. But there are a large number of new obstacles that come with this. The most pressing is security.

Exposing secrets on GitHub: What to do after leaking credentials and API keys

If you have discovered that you have just exposed a sensitive file or secrets to a public git repository, there are some very important steps to follow.