
Posts

Understanding Supply-Chain Attacks and OWASP Dependency Check

In today's software development landscape, security is a paramount concern. As developers, we often rely on third-party libraries and frameworks to speed up our work and leverage the functionality that others have built. However, this reliance on external code introduces a significant risk: supply-chain attacks. In this blog post, we will provide an overview of supply-chain attacks, their impact, and how to protect your projects by using OWASP Dependency Check, a powerful tool designed to mitigate these risks. Understanding Supply-Chain Attacks: A supply-chain attack targets the less secure elements within the supply chain network to compromise the final product. In software development, these attacks often involve injecting malicious code into widely used libraries or compromising the infrastructure used to distribute software. There are multiple types of supply-chain attacks: Dependency Confusion: Attackers publish malicious packages with names similar to legitimate in
Recent posts

Feedback loops in software development

Hello there! Would you be so kind as to take another look at the Agile Manifesto? For people who want to avoid an extra click, I've added it below: We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value: Individuals and interactions over processes and tools; Working software over comprehensive documentation; Customer collaboration over contract negotiation; Responding to change over following a plan. That is, while there is value in the items on the right, we value the items on the left more. While most development teams claim to be agile, I always wonder if they have really read the manifesto above. Let’s start the conversation by talking about element in the list: Customer collaboration over contract negotiation. In most projects I still see a lack of collaboration. Stakeholders are way too busy to talk to the development team, so there is little to no user in

XUnit–Improve type safety

While doing a code review, I discovered a feature in XUnit I didn't know existed. Let me share what I discovered. I'm used to specifying data for my parameterised tests either using the [InlineData] attribute or through the [MemberData] or [ClassData] attributes. When using [MemberData] or [ClassData], XUnit expects that you return an IEnumerable<object[]>, as far as I know. Here is an example: If I try to use a typed alternative, it results in a compiler error: However, it turns out that there is a type-safe alternative available through TheoryData<>. The TheoryData<> types provide a series of abstractions around the IEnumerable<object[]> required by theory tests. It consists of a TheoryData base class and a number of generic derived classes TheoryData<>. It can be used in combination with both the [MemberData] and [ClassData] attributes while enforcing type safety. Here is our original example rewritten to use The

Podman–Pull images from Docker Hub

Docker Hub is a container registry provided by Docker, Inc. It serves as a central repository for finding and sharing container images. Although it is not the only place where Docker images can be found, it remains a popular container registry where developers and open source contributors can store, discover, and distribute container images. Pull through Docker Desktop: To pull an image through Docker Desktop, you can use the following command: docker pull <image-name> For example, if I want to fetch the masstransit/rabbitmq image, I should execute the following command: docker pull masstransit/rabbitmq Pull through Podman Desktop: What if I try to do the same thing through Podman Desktop: podman pull masstransit/rabbitmq This seems to work: However, it is important to understand what is going on. If you don’t specify a registry name, as we did here, Podman looks through the list of unqualified-search-registries. This list can be found inside the podman-machine at /et

Bicep– what-if

One of the cool features that Bicep has to offer is the 'what-if' operation. This allows you to preview the changes that will happen when applying your Bicep template. Let’s see this operation in action: Open a command prompt. Let’s first check if we have a version of the Azure CLI installed that supports the ‘what-if’ operation: az version The output should look like this: { "azure-cli": "2.54.0", "azure-cli-core": "2.54.0", "azure-cli-telemetry": "1.1.0", "extensions": { "connectedk8s": "1.2.0", "customlocation": "0.1.3", "k8s-configuration": "1.1.1", "k8s-extension": "1.0.4" } } This should return at least CLI version 2.14.0. If not, first install the latest version of the Azure CLI. Now we can run the command that w

Azure Static Web App–Deploy using Bicep

As a follow-up on the presentation I did at CloudBrew about Azure Static Web Apps, I want to write a series of blog posts. Part I – Using the VS Code Extension; Part II – Using the Astro Static Site Generator; Part III – Deploying to multiple environments; Part IV – Password protect your environments; Part V – Traffic splitting; Part VI – Authentication using pre-configured providers; Part VII – Application configuration using staticwebapp.config.json; Part VIII – API Configuration; Part IX – Injecting snippets; Part X – Custom authentication; Part XI – Authorization; Part XII – Assign roles through an Azure function; Part XIII – API integration; Part XIV – Bring your own API; Part XV – Pass authentication info to your linked API; Part XVI – Distributed Functions; Part XVII – Data API Builder; Part XVIII (this post) – Deploy using Bicep. So far I’ve deployed our Azure Static Web App using GitHub Actions. But if you prefer to

Kubernetes–Limit your environmental impact

Reducing the carbon footprint and CO2 emissions of our (cloud) workloads is a responsibility of all of us. If you are running a Kubernetes cluster, have a look at kube-green. kube-green is a simple Kubernetes operator that automatically shuts down (some of) your pods when you don't need them. A single pod produces about 11 kg CO2eq per year (the calculation is here). Reason enough to give it a try! Installing kube-green in your cluster: The easiest way to install the operator in your cluster is through kubectl. We first need to install cert-manager: kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml Remark: Wait a minute before you continue, as it can take some time before cert-manager is up & running inside your cluster. Now we can install the kube-green operator: kubectl apply -f https://github.com/kube-green/kube-green/releases/latest/download/kube-green.yaml Now in the namespace where we want t