Below you will find pages that utilize the taxonomy term “Security”
Scan It Like You Mean It 🚀
Automated Vulnerability Scanning for Dependencies & Packages
Do we need to explain why?
🔥💥💣🚨⚡☠️🧨
That’s what I thought.
Configure your pipeline with Snyk
There is a plethora of tools available for security scanning and vulnerable-dependency detection: Dependabot, Trivy, SonarQube and linters, Anchore, etc. Most of them can be integrated into your IDE or your CI/CD pipeline.
For this use case, Snyk was selected. Snyk can scan code, open-source dependencies, container images and infrastructure-as-code configurations, and it helps developers prioritise and fix the security vulnerabilities it finds. The free tier comes with a monthly cap on the number of scans.
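The Snyk CLI can already fail a pipeline on its own (`snyk test --severity-threshold=high`, or `--fail-on=upgradable` to fail only on findings that have an upgrade). The script below is an added example, not code from the post: it reads the JSON report produced by `snyk test --json` and applies a custom gate with a severity threshold and time-boxed exceptions, so that an accepted risk cannot silently live on forever. The report shape follows the Snyk CLI JSON output; the sample report embedded in the script is constructed for this example and names no real package or vulnerability.

```python
"""Gate a CI job on a `snyk test --json` report.

Added example, not code from the post.  The report shape used here (a top-level
object, or a list of them for multi-project runs, each with a `vulnerabilities`
list whose items carry `id`, `title`, `severity`, `packageName`, `version`,
`isUpgradable` and `fixedIn`) follows the Snyk CLI's JSON output.  The sample
report below is constructed for this example and describes no real package.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report: placeholder ids and package names.
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "vulnerabilities": [
        {"id": "SNYK-JS-EXAMPLEPKG-0001", "title": "Prototype Pollution",
         "severity": "high", "packageName": "example-pkg", "version": "1.2.3",
         "isUpgradable": True, "fixedIn": ["1.2.4"]},
        {"id": "SNYK-JS-OTHERPKG-0002", "title": "Regular Expression Denial of Service",
         "severity": "medium", "packageName": "other-pkg", "version": "0.9.0",
         "isUpgradable": False, "fixedIn": []},
        {"id": "SNYK-JS-LEGACYPKG-0003", "title": "Arbitrary Code Execution",
         "severity": "critical", "packageName": "legacy-pkg", "version": "2.0.0",
         "isUpgradable": True, "fixedIn": ["2.1.0"]},
    ],
})


def load_vulns(report_json):
    """Flatten one report (or a list of per-project reports) into a vuln list."""
    data = json.loads(report_json)
    projects = data if isinstance(data, list) else [data]
    return [v for p in projects for v in p.get("vulnerabilities", [])]


def gate(report_json, threshold="high", ignores=None, today=None):
    """Return (failing_ids, report_lines).

    threshold: lowest severity that fails the build.
    ignores:   {vuln id: ISO expiry date}.  An exception past its date no
               longer suppresses the finding, so accepted risk is re-examined.
    """
    today = today or date.today()
    ignores = ignores or {}
    min_rank = SEVERITY_RANK[threshold]
    failing, lines = [], []
    for v in load_vulns(report_json):
        sev = v.get("severity", "low")
        rank = SEVERITY_RANK.get(sev, 0)
        where = f"{v.get('packageName')}@{v.get('version')}"
        if v.get("isUpgradable") and v.get("fixedIn"):
            fix = f"upgrade to {v['fixedIn'][0]}"
        else:
            fix = "no upgrade available, patch or replace"
        expiry = ignores.get(v["id"])
        if expiry is not None and date.fromisoformat(expiry) >= today:
            lines.append(f"IGNORED  {v['id']} ({sev}) until {expiry}")
            continue
        if rank >= min_rank:
            failing.append((rank, v["id"]))
            lines.append(f"FAIL     {v['id']} {sev:<8} {where}: {v.get('title')} ({fix})")
        else:
            lines.append(f"info     {v['id']} {sev:<8} {where}: {v.get('title')} ({fix})")
    failing.sort(key=lambda r: (-r[0], r[1]))   # most severe first
    return [vid for _, vid in failing], lines


if __name__ == "__main__":
    # Pipeline usage:  snyk test --json > report.json && python gate.py < report.json
    report = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    ids, out = gate(report, threshold="high",
                    ignores={"SNYK-JS-OTHERPKG-0002": "2030-01-01"})
    print("\n".join(out))
    sys.exit(1 if ids else 0)
```

Run without input it gates the constructed sample report and exits non-zero because two findings meet the `high` threshold; in a pipeline, pipe the real `snyk test --json` output into it and keep the `ignores` map in version control so every exception has an owner and an expiry date.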
Automating Digital Certificates renewal
Kubernetes cert-manager for LetsEncrypt certificates
Digital Certificates raison d’être and usage
Certificates are exchanged as part of the TLS handshake: the server presents its certificate so that the client can verify that the entity it is connecting to is the genuine server and not an impostor sitting on the path.
Note: see other posts under this tag for a few words on TLS handshakes and the attacks they protect against.
A certificate contains the subject (the entity's identity, typically its DNS names), the issuer's details, a validity period (not-before and not-after dates), the entity's public key, and the issuer's signature over all of those fields, made with the issuer's private key. The signature is not an encrypted copy of the public key; it is what lets the client check, with the issuer's public key, that the certificate was issued by a CA it trusts and has not been altered. The validity period is why renewal has to be automated: an expired certificate fails that check just as a forged one would.
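As an added example (not a manifest from the post), this is the pair of cert-manager resources that make Let's Encrypt renewals automatic: a ClusterIssuer that holds the ACME account and an HTTP-01 solver, and a Certificate that asks for a 90-day certificate and renews it 30 days before expiry. The resource names, e-mail address, namespace and DNS names are placeholders.

```yaml
# Added example, not from the post.  cert-manager API group cert-manager.io/v1.
# Placeholder names, e-mail and DNS names; adjust to your cluster.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Use https://acme-staging-v02.api.letsencrypt.org/directory while testing,
    # the production endpoint enforces rate limits on failed and repeated orders.
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # ACME account key, created by cert-manager
    solvers:
    - http01:
        ingress:
          ingressClassName: nginx          # older cert-manager releases use `class: nginx`
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: www-example-com
  namespace: default
spec:
  secretName: www-example-com-tls   # TLS secret the Ingress references; key + signed cert
  dnsNames:
  - www.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  duration: 2160h     # 90 days, the maximum Let's Encrypt issues
  renewBefore: 720h   # start renewing 30 days before expiry
```

After applying, `kubectl get certificate -n default` should show the Certificate as READY; `kubectl describe certificate www-example-com -n default` lists the order and challenge events if the HTTP-01 validation fails (typically because the Ingress for `/.well-known/acme-challenge/` is not reachable from the internet).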
The QUICk brown fox jumps over the lazy dog
The fast alternative to TCP+TLS
What is QUIC?
QUIC (originally Google's "Quick UDP Internet Connections"; the IETF treats it as a name rather than an acronym) is an encrypted, multiplexed transport protocol. It runs over UDP, so it sits at the transport layer (Layer 4 of the OSI model), and it has the TLS 1.3 handshake built into its own connection setup.
Developed at Google from around 2012, it was only standardised by the IETF in 2021, as RFC 9000.
The current and widely used HTTPS stack, TLS on top of TCP, has to complete the TCP handshake and then the TLS handshake before the client and the server can exchange application data. That costs several round trips to set up the connection and negotiate the encryption parameters: two at the very least with TLS 1.3 (one for TCP, one for TLS), three with TLS 1.2. QUIC merges the transport and cryptographic handshakes, so a new connection costs a single round trip, and a resumed connection can carry application data in its very first packet (0-RTT).
HSTS & .dev domain
A brief overview of the HSTS mechanism, or why I chose a .dev domain
Quick intro
What happens when you’re back from a family weekend in a cabin in the woods with no internet?
I’d probably check my dog’s instagram account first.
In the browser: I type instagram.com and … my browser makes a request to http://instagram.com
Exactly! I haven't explicitly typed https, so where does this leave me? Exposed to all sorts of man-in-the-middle attacks that Wikipedia can list for us in a scary way: session hijacking, protocol downgrade (SSL stripping), etc.
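HSTS is the browser-side fix for that first plaintext request: once a site has sent a `Strict-Transport-Security` header over HTTPS, the browser rewrites `http://` to `https://` for that host before anything leaves the machine, for as long as `max-age` says. A .dev domain never even needs the first visit, because the whole `dev` TLD is on the browsers' built-in preload list with `includeSubDomains`. The following is an added example, not code from the post: a minimal model of a browser's HSTS policy store as RFC 6797 describes it (header parsing, superdomain matching, expiry, and the preload short-cut). The `dev` preload entry mirrors the public preload list; the hosts and header values used are constructed for the example.

```python
"""A minimal model of a browser's HSTS policy store (RFC 6797).

Added example, not code from the post.  The preload entry for "dev" mirrors the
public HSTS preload list; all other hosts and headers are constructed inputs.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse an STS header value.  Returns a policy dict, or None if invalid.

    Per RFC 6797, max-age is required, directive names are case-insensitive,
    unknown directives are ignored, and a repeated directive makes the whole
    header invalid.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for directive in header_value.split(";"):
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if not name:
            continue
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


class HstsStore:
    """Known HSTS hosts, split into preloaded (static) and dynamically learned."""

    def __init__(self, preloaded=()):
        # Preload entries never expire and cover subdomains (as the "dev" entry does).
        self._preloaded = {h.lower() for h in preloaded}
        # host -> (expiry timestamp, includeSubDomains)
        self._dynamic = {}

    def observe(self, host, header_value, now=None):
        """Record a policy from a response.  Callers must only pass headers that
        arrived over TLS: browsers ignore STS headers on plaintext responses,
        otherwise an on-path attacker could plant or withdraw policies."""
        now = time.time() if now is None else now
        policy = parse_hsts(header_value)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:
            self._dynamic.pop(host, None)      # max-age=0 withdraws a learned policy
        else:
            self._dynamic[host] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host, now=None):
        """Exact match, or a superdomain whose policy has includeSubDomains."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self._preloaded:
                return True
            entry = self._dynamic.get(candidate)
            if entry is None:
                continue
            expires, include_sub = entry
            if expires <= now:
                continue                        # expired; a superdomain may still match
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url, now=None):
        """Upgrade an http:// URL to https:// before any request is sent (RFC 6797 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        if not self.is_known(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port is not None:              # explicit port 80 becomes 443, others are kept
            netloc += ":443" if parts.port == 80 else f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The two things to take from it: a policy only protects visits after the first HTTPS response (hence the preload list for sites that can afford `max-age=31536000; includeSubDomains; preload`), and `includeSubDomains` is what stops an attacker from hijacking `http://www.` when only the apex was visited before.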