Tyrique Littel

1603915200

Code Scanning a GitHub Repository using GitHub Advanced Security within an Azure DevOps

GitHub Advanced Security now supports analyzing your code for semantic vulnerabilities from within third-party CI pipelines. Previously, this capability was available exclusively with GitHub Actions. In this post, I will walk you through a simple implementation of GitHub Advanced Security Code Scanning in an Azure DevOps CI pipeline for a Node application, using the YAML editor. After the scan, the Code Scanning results appear back in your GitHub repository under the Security tab for your developers to review and remediate.

If your organization does not have GitHub Advanced Security enabled, you will not see “Code scanning alerts” or “Detected secrets”.

Rather than leveraging the native GitHub Actions workflow with the standard “Set Up Workflow” experience, we are going to use an Azure DevOps pipeline.

Navigate to your Azure DevOps pipeline to begin integrating CodeQL.

The Azure Pipelines agent I am using is ephemeral, so I install the CodeQL package on each pipeline execution. With a self-hosted agent, consider pre-installing the package to save time and compute resources.

Integrating GitHub Advanced Security for code scanning

Integration Steps:

  1. Download the latest CodeQL dependencies on your agent.
  2. Give CodeQL access to your repository.
  3. Initialize the CodeQL executable and create a queryable DB.
  4. Scan your application.
  5. Upload results to GitHub.
  6. Review your results.
  7. Customize your scan further.

Downloading the latest CodeQL dependencies on my agent

Using wget and targeting the latest Linux release, I can download all necessary files to a new codeql directory. I also make the downloaded file executable before I run it.

I added the following script to the bottom of my pipeline:

- script: |
    wget https://github.com/github/codeql-action/releases/latest/download/codeql-runner-linux
    chmod +x codeql-runner-linux
  displayName: 'Get latest CodeQL package. Install on Agent.'

Give the utility access to your repository

Create a Personal Access Token or use GitHub Apps for authentication. I am using a PAT and saving it as a pipeline variable as $GITHUB_PAT.

Initialize the CodeQL executable and create a CodeQL database for the language detected.

I added the following script to the bottom of my pipeline:

- script: |
    ./codeql-runner-linux init --repository octodemo/ghas-azure-devops-code-scanning --github-url https://github.com --github-auth $GITHUB_PAT
  displayName: 'Initialize CodeQL Executable and create a CodeQL database'

Now I want to populate the CodeQL runner databases, analyze them, and upload the results to GitHub.

I added the following script to the bottom of my pipeline:

- script: |
    ./codeql-runner-linux analyze --repository octodemo/ghas-azure-devops-code-scanning --github-url https://github.com --github-auth $GITHUB_PAT --commit 92065de8b22bbfeda511d12571b66c9969ff593b --ref refs/heads/master
  displayName: 'Populate the CodeQL runner databases, analyze them, and upload the results to GitHub.'
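As an added example (not the post's own pipeline), here are the three script steps above combined into one Azure Pipelines job, with the PAT mapped in as a secret and the commit and ref taken from the build instead of a hand-typed SHA. It assumes GITHUB_PAT is defined as a secret pipeline variable and that the runner release in use accepts --github-auth-stdin (later runner builds do; the build used in the post only takes --github-auth, so check ./codeql-runner-linux init --help).

```yaml
# Added example, not the post's pipeline. Assumptions: GITHUB_PAT is a secret
# pipeline variable; the repository slug is the one from the post; the runner
# release accepts --github-auth-stdin (verify with `init --help`).
trigger:
  - master

pool:
  vmImage: ubuntu-latest

variables:
  # Non-secret variables are exported to scripts as environment variables.
  GH_REPO: octodemo/ghas-azure-devops-code-scanning

steps:
  - checkout: self

  - script: |
      set -euo pipefail
      wget -q https://github.com/github/codeql-action/releases/latest/download/codeql-runner-linux
      chmod +x codeql-runner-linux
    displayName: 'Get latest CodeQL runner'

  # Secret variables are NOT exported to scripts automatically; map the secret
  # in with `env:` and hand it to the runner over stdin so the token never
  # appears on the command line (which shows up in `ps` and verbose logs).
  - script: |
      set -euo pipefail
      echo "$GITHUB_PAT" | ./codeql-runner-linux init \
        --repository "$GH_REPO" \
        --github-url https://github.com \
        --github-auth-stdin
    displayName: 'Initialize CodeQL and create the database'
    env:
      GITHUB_PAT: $(GITHUB_PAT)

  # A Node app needs no build step between init and analyze; a compiled
  # language would have its build here.
  # BUILD_SOURCEVERSION / BUILD_SOURCEBRANCH are Azure Pipelines predefined
  # variables, so each run reports against the commit it actually scanned.
  - script: |
      set -euo pipefail
      echo "$GITHUB_PAT" | ./codeql-runner-linux analyze \
        --repository "$GH_REPO" \
        --github-url https://github.com \
        --github-auth-stdin \
        --commit "$BUILD_SOURCEVERSION" \
        --ref "$BUILD_SOURCEBRANCH"
    displayName: 'Analyze and upload results to GitHub'
    env:
      GITHUB_PAT: $(GITHUB_PAT)
```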

Nabunya Jane

1624939448

A side-by-side comparison of Azure DevOps and GitHub

Collaboration is a crucial element in software development; having the right collaboration tools can make a difference and boost the entire team’s productivity. Microsoft introduced its Application Lifecycle Management product with Team Foundation Server (aka TFS) on March 16th, 2006. This software had to be installed on a server within your network and had a user-based license. To reduce the complexity of setting up and maintaining the server, Microsoft released Visual Studio Online, an Azure-based, server-hosted version of TFS. Microsoft manages and administers the servers and takes care of backups. To clarify its commitment to agile and DevOps, Microsoft rebranded Visual Studio Online in 2015 as Visual Studio Team Services and later as Azure DevOps in 2018.

Since its beginning, this platform has changed significantly. For example, it introduced a customizable, task-based build service, release gates, and much more. Many organizations across the world made a significant investment to run their businesses on Azure DevOps. For this reason, after Microsoft announced the acquisition of GitHub in mid-2018, GitHub announced its automated workflow system, which is much like Azure Pipelines. It’s called GitHub Actions. Due to the switch, some companies became afraid of having to migrate their practices again. In the past few months, I have gotten several questions about whether it is still worth starting new projects on Azure DevOps, especially after the release of features like GitHub Advanced Security and GitHub Codespaces (similar to Visual Studio Codespaces). In this article, I’ll clarify the differences between these two platforms, and I’ll give you some advice on how you should be using them to your advantage.

Data Residency

To meet the needs of companies that want to keep their data within their network, both GitHub and Azure DevOps provide a server version of their platform. The GitHub version is called GitHub Enterprise Server, and the Azure DevOps version is called Azure DevOps Server. Both require the customer to install and maintain the software and the machine it runs on.

On the other hand, there is a critical difference between their cloud-hosted versions. Azure DevOps Services lets you choose, when you create your organization (a collection of projects), the Azure region closest to your organization’s location, to reduce the likelihood of network latency. GitHub doesn’t provide this feature.

Project management and bug tracking

GitHub

At the core of GitHub project management are issues. An issue can track any work item, from features to bugs, and issues can be sorted into a Kanban-style board for easy consultation. The issue’s description also supports markdown syntax. Adding the keyword #issue-number (e.g. #3) associates the issue with another one. Each issue can be assigned to multiple developers, be linked to pull requests, and have various labels assigned to it. One can link a pull request to an issue to show that a fix is in progress and automatically close the issue when someone merges the pull request.

GitHub Kanban board

Lastly, multiple issues can be grouped into milestones that give immediate feedback about the completion percentage. Milestones can also include a due date.

Christa Stehr

1602964260

50+ Useful Kubernetes Tools for 2020 - Part 2

Introduction

Last year, we provided a list of Kubernetes tools that proved so popular we have decided to curate another list of some useful additions for working with the platform—among which are many tools that we personally use here at Caylent. Check out the original tools list here in case you missed it.

According to a recent survey done by StackRox, the dominance Kubernetes enjoys in the market continues to be reinforced, with 86% of respondents using it for container orchestration.

(State of Kubernetes and Container Security, 2020)

And as you can see below, more and more companies are jumping into containerization for their apps. If you’re among them, here are some tools to aid you going forward as Kubernetes continues its rapid growth.

(State of Kubernetes and Container Security, 2020)


Oral Brekke

1618019280

GitHub Advanced Security from Azure DevOps

GitHub Advanced Security has recently started supporting the ability to analyze your code for security vulnerabilities and coding errors from third-party CI pipelines. This article will teach you how to configure the code scanning feature in your GitHub repository and scan your code for any vulnerabilities from Azure DevOps pipelines.

To integrate the GitHub advanced security feature with Azure DevOps, you must perform the following actions:

  • Download the latest CodeQL dependencies in your agent.
  • Give CodeQL access to your repository.
  • Initialize the CodeQL executable and create a queryable DB.

Once you have completed these operations, you will be able to scan your application. The results will be uploaded to GitHub, and you will be able to review them from the GitHub interface.

IMPORTANT: Remember that the hosted agents used in Azure Pipelines are ephemeral, which means that you must install the CodeQL package every time your pipeline runs. This is not necessary with a self-hosted agent, because you can pre-install the package and reuse it for each execution.

Wilford Pagac

1596789120

Best Custom Web & Mobile App Development Company

Everything around us has become smart: smart infrastructure, smart cities, autonomous vehicles, to name a few. The innovation of smart devices makes it possible to reach these heights in science and technology. But data is vulnerable, and there is a risk of attack by cybercriminals. To get started, let’s look at IoT devices.

What are IoT devices?

The Internet of Things (IoT) is a system of interrelated computing devices such as sensors, software, actuators, and digital machines. They are attached to particular objects, communicate over the internet, and transfer data between devices without human intervention.

Famous examples are Amazon Alexa, Apple SIRI, Interconnected baby monitors, video doorbells, and smart thermostats.

How could your IoT devices be vulnerable?

As technologies grow and evolve, the risks grow with them. Ransomware attacks are continuously increasing, so securing data has become the top priority.

Even if you think your smart home gives nothing away to cybercriminals, you should know that it is vulnerable. Once cybercriminals gain access to smart voice speakers like Amazon Alexa or Apple Siri, it becomes easy for them to steal your data.

A 2020 cybersecurity report says popular hacking forums exposed 770 million email addresses and 21 million unique passwords, and 620 million accounts were compromised from 16 hacked websites.

The attacks are likely to increase every year. To help you secure the data on your IoT devices, here are some of the best tips you can implement.

Tips to secure your IoT devices

1. Change Default Router Name

Your router’s default name reveals its make and model. If you keep the manufacturer’s name, attackers can quickly identify the make and model. So give the router a name that is different from your address and does not give away personal information.

2. Know your connected network and connected devices

If your devices are connected to the internet, those connections are vulnerable to cyber attacks when the devices lack proper security. Almost every network has multiple devices connected to it, so it is hard to track each one, but it is crucial to stay aware of them.

3. Change default usernames and passwords

Using the default usernames and passwords leaves you open to attack, because cybercriminals likely know the default passwords that ship with IoT devices. So use strong passwords to access your IoT devices.

4. Manage strong, Unique passwords for your IoT devices and accounts

Do not protect your accounts with passwords that are easily guessed, such as ‘123456’ or ‘password1234’. Use strong, unique, complex passwords formed from combinations of letters, numbers, and symbols that are not easily bypassed.

Also, use different passwords for different accounts and change them regularly to avoid attacks. You can also lock the account after a set number of wrong password attempts to keep hackers out.

5. Do not use Public WI-FI Networks

Are you trying to keep an eye on your IoT devices from your mobile device in different locations? I recommend not using public Wi-Fi networks to access them, because they are accessible to everyone. If you still need access in a hurry, use a VPN, which protects against cyber attacks and provides privacy and security features, for example Express VPN.

6. Establish firewalls to discover the vulnerabilities

There are software firewalls and intrusion detection/prevention systems (IDS/IPS) on the market. They are useful for screening and analyzing the traffic on a network. Firewall scanners can identify security weaknesses within the network structure. Use these firewalls to get rid of unwanted security issues and vulnerabilities.

7. Reconfigure your device settings

Every smart device comes with insecure default settings, and sometimes we never change them. These defaults need to be assessed and reconfigured.

8. Authenticate the IoT applications

Nowadays, every smart app offers authentication to secure accounts. There are many authentication methods, such as single-factor authentication, two-step authentication, and multi-factor authentication. Use one of these to send a one-time password (OTP) that verifies the user logging in to the smart device, to keep your accounts from falling into the wrong hands.

9. Keep the device software up to date

Every smart device manufacturer releases updates to fix bugs in its software. These security patches improve the protection of the device. Also update the software on the smartphone you use to monitor the IoT devices, to avoid vulnerabilities.

10. Track the smartphones and keep them safe

When you connect your smart home to a smartphone and control it from there, you need to keep the phone safe. If you lose the phone, almost all of your personal information is at risk from cybercriminals. Since that can happen by accident, make sure you can wipe all the data remotely.

Securing smart devices is essential in a world built on data, and there are still cybercriminals bypassing security measures. So make sure to follow these safety measures to keep your accounts from falling into the wrong hands. I hope these steps help you secure your IoT devices.

If you have any other tips, feel free to share them in the comments! I’d love to hear them.

Are you looking for more? Subscribe to our weekly newsletters to stay updated on IoT application developments.
