New AppSec training platform. Thoughts welcome.
So, a short background about me. I am working my way into pentesting bit by bit (already an IT pro) through online courses, just for the sake of it. For the time being, and until I have sufficient knowledge and experience, I do not plan on focusing on a cybersec career, so I am just enjoying the ride of up-skilling.
That being said, I bumped into this platform on another channel: [https://application.security/](https://application.security/) and even though they do not offer pentesting courses, they do offer secure development training. I was aware of some more well known and established companies, but not of this one.
They seem to be aiming for group registrations but they do have a free section where anyone can practice OWASP best practices.
Just thought it might prove useful to someone here.
\- I am in no way affiliated with the specific platform/company
https://redd.it/g8y83t
@r_devops
Kontra
Application Security Training For Developers | Kontra
Kontra is an Application Security Training platform built for modern development teams.
[Article] So You Inherited an AWS Account
I've found that many AWS security resources tend to be oriented towards developers who are deploying new services or launching new accounts. They tout a variety of best practices and security controls that should (rightfully) be used.
But what happens if the previous account owner leaves, your company acquires another company, or you are somehow given responsibility for a production AWS account that has been running for years and need to quickly secure it? Many of those same security controls become the goal, but not the reality. This is especially true if the previous owners did not have a strong security posture and you're now responsible for implementing security controls while simultaneously keeping production infrastructure running.
This is a guide for developers who find themselves in this position. It covers the immediate must-dos, along with a roadmap for monitoring and migrating the account to a more secure standard.
[https://medium.com/@matthewdf10/so-you-inherited-an-aws-account-e5fe6550607d?sk=138a8800de70d07e158e918d503ff69a](https://medium.com/@matthewdf10/so-you-inherited-an-aws-account-e5fe6550607d?sk=138a8800de70d07e158e918d503ff69a)
https://redd.it/g9nkqh
@r_devops
Medium
So You Inherited an AWS Account
A 30-day security guide for engineers who have been handed access to an in-use AWS account with zero explanation of what’s inside.
Good literature for getting started with microservices?
I'm a Junior Developer with solid experience in Docker and some first experiences with Swarm who wants to design and develop scalable high-availability microservice applications. Do you have some book recommendations for me?
https://redd.it/g9ml53
@r_devops
Creating a DigitalOcean Droplet with Terraform
I wrote up a three part starter post series on creating a DigitalOcean droplet using Terraform. I went through creating a droplet, attaching a volume, and using cloud-init to customize the droplet.
Would enjoy any wonderful comments from the glorious reddit community.
[https://bitleaf.io/blog/creating-a-digitalocean-droplet-with-terraform-part-1-of-3/](https://bitleaf.io/blog/creating-a-digitalocean-droplet-with-terraform-part-1-of-3/)
https://redd.it/g9o84o
@r_devops
Deploy and Manage Azure Infrastructure Using Terraform, Remote State, and Azure DevOps Pipelines (YAML)
While I found a ton of articles to achieve this, I did not find many that were not only a complete step-by-step guide but used YAML pipelines instead of the classic GUI pipelines. So just wanted to share if anyone else was looking to do the same.
[**link**](HTTPS://WWW.THELAZYADMINISTRATOR.COM/2020/04/28/DEPLOY-AND-MANAGE-AZURE-INFRASTRUCTURE-USING-TERRAFORM-REMOTE-STATE-AND-AZURE-DEVOPS-PIPELINES-YAML/)
https://redd.it/g9na34
@r_devops
The Lazy Administrator
Deploy and Manage Azure Infrastructure Using Terraform, Remote State, and Azure DevOps Pipelines (YAML) - The Lazy Administrator
Overview In this article, I will be showing you how to create an Azure DevOps CI/CD (continuous integration / continuous deployment) Pipeline that will deploy and manage an Azure environment using Terraform. Terraform is a tool for building, changing, and…
Getting started with GitHub Actions: concepts and tutorial
If you heard about GitHub Actions, you already know it is a task automation system. The question is when and how to use it? [Here is a handy tutorial to learn how to use GitHub Actions](https://www.padok.fr/en/blog/github-actions).
https://redd.it/g9mex0
@r_devops
www.padok.fr
GitHub Actions: concepts and tutorial to get started | Padok
GitHub Actions is a task automation system fully integrated with GitHub. Learn essential concepts and follow our hands-on GitHub Actions tutorial.
AWS Guide: Operating within the AWS Shared Responsibility Model (Lambda, S3, RDS, IAM)
[https://www.cybercoastal.com/aws-guide-operating-within-the-aws-shared-responsibility-model/](https://www.cybercoastal.com/aws-guide-operating-within-the-aws-shared-responsibility-model/)
https://redd.it/g9nlm7
@r_devops
mtk-dump - sanitize and minify your sql dumps
At work we built a replacement for mysqldump so we could:
- sanitize sensitive data
- exclude table data that was not useful for local dev
- specify rules for what rows were exported to reduce the size of the dumps
I'm pretty stoked with what we were able to come up with. I wrote a blog with some examples to show off what it is capable of.
https://www.nicksantamaria.net/post/faster-dumps-smaller-files/
On our worst offending app (a Drupal 8 app) we were able to reduce our sql dump size from:
- 4.5GB with raw mysqldump
- 2.1GB using the --no-data flag on tables we could exclude entirely
- 654MB using mtk-dump, excluding some tables entirely, and also excluding rows that contained unpublished revisions
https://redd.it/g9mwc6
@r_devops
Inspiring to achieve..
I am a 19 year old college drop out with no qualifications but a level 3 apprenticeship, currently working full time as a 1st line service desk analyst. I got into this apprenticeship to proceed further with a degree level cyber security apprenticeship which were advertised through providers etc 2 years ago before I even got into IT; now that I am in IT and completed my level 3 foundation apprenticeship the whole concept of a degree level apprenticeship for cyber security is just a myth and false hope as I have only just discovered that there was never any vacancies just an option for companies looking to develop their EXISTING staff which my company cannot do because they just can’t facilitate enough experience for a cyber security degree. Now I’m stuck on the service desk, not where I want to be but have developed an open mind, not just for cyber security but DevOps and DevSecOps etc..
I have just ordered the Raspberry Pi 4 and follow the likes of “NetworkChuck” on YouTube, who's also a CBT Nuggets trainer and whom I find really informative and intellectual, and will be following his guide to transform the Raspberry Pi into a learning desktop for Linux x hacking, which I have zero knowledge or experience in; hence I was wondering if the amazing community of Reddit could point me in the right direction, such as forums, other communities who love to share experience and knowledge, websites to develop my skills and knowledge.
I’m aware of CompTIA and Cisco certified exams and will be looking into doing a CCNA after a CompTIA Linux+ as soon as I can start to afford it!
Any advice would be much appreciated, consider me a noob, I’m NOT the average IT kid who’s been coding half my life, I have only just started to grow immense interest in IT watching TED videos on Linus whatever his surname is, the guy who established Linux open source and Git, and even random hardware hacking videos picking up small things like transforming the shadow core rate in AMD GPUs into radio frequencies making them hack-able from 50m away through a building which I have no resources at the moment to try but maybe will soon.
I have also posted this to the cyber security community (barely know how Reddit works, just joined a few days ago)
https://redd.it/g9mofz
@r_devops
Do you run Django\Sqlalchemy\alembic migrations inside your docker?
I have a Python application which relies on an RDBMS (PostgreSQL in my case). I am using alembic for database migrations (table schema changes) that must be performed before my application runs.
How would you handle such a situation? Run the migration inside my main application docker before the app?
Or maybe have a different docker for migrations and have the application docker depend on the migration one?
I personally prefer the first option
https://redd.it/g9kn1e
@r_devops
Tutorial: Getting Started with Docker and Containers
Hey Everyone,
I created a tutorial for anyone looking to really understand Docker and Docker Compose basics. It shows you how to create a Dockerfile for a NodeJS app and then link it with a Postgres container using Docker Compose. It takes you through each directive and command and explains what it does.
I'm hoping this fills the gap for some people between using basic Docker and beginning to understand how Docker networking works and how you can link more realistic apps together with Docker Compose. This is part of a larger mini series on DevOps but it can stand alone on its own as well.
You'll need git to complete this as you need to clone the repository to your local machine: [https://github.com/opscentric/mini-series/tree/master/docker-and-containers](https://github.com/opscentric/mini-series/tree/master/docker-and-containers)
Feedback welcome and appreciated.
https://redd.it/g9ief3
@r_devops
GitHub
mini-series/docker-and-containers at master · opscentric/mini-series
OpsCentric Mini Series. Contribute to opscentric/mini-series development by creating an account on GitHub.
Vault and K8s manifest secret references
I'm currently looking at Vault as a secrets management solution for K8s, and something I've noticed is that it only injects files into a pod. This seems like an issue because it doesn't support a manifest directly referencing a K8s secret (IE [Ingress TLS](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls)).
I'm new to K8s, and am trying to gauge how big of a problem this is. I'm wondering if this pattern of referencing secrets in manifests is pretty common, and are there any workarounds to make Vault support it?
https://redd.it/g9xzao
@r_devops
Kubernetes
Ingress
Make your HTTP (or HTTPS) network service available using a protocol-aware configuration mechanism, that understands web concepts like URIs, hostnames, paths, and more. The Ingress concept lets you map traffic to different backends based on rules you define…
Kubernetes is NOT the default answer.
No Medium article, thought I would just comment here on something I see too often when I deal with new hires and others in the devops world.
Here's how it goes: a dev team requests one of the devops people to come and uplift their product. Usually we are talking something that consists of less than 10 apps and a DB attached. The devs are very often in these cases manually deploying to servers and completely in the dark when it comes to cloud or containers... A golden opportunity for devops transformation.
In comes a devops guy and recommends they move their app to Kubernetes.....
**Good job buddy**, now a bunch of devs who barely understand Docker are going to waste 3 months learning about containers, refactoring their apps, getting their systems working in Kubernetes. Now we have to maintain a Kubernetes cluster for this team, and did we even check if their apps were suitable for this in the first place and weren't gonna have state issues?
I run a bunch of kube clusters in prod right now. I know Kubernetes' benefits and why it's great; however, it's not the default answer. It doesn't help either that kube being the new hotness means that once you namedrop kube everyone in the room latches onto it.
The default plan from any cloud engineer should be getting systems to be easily deployable and buildable with minimal change to whatever the devs are used to right now; just improve their ability to test and release. Once you have that down and working, then you can consider more advanced options.
https://redd.it/g9wthw
@r_devops
github-actions: Is there any way to build docker-compose from cache?
I have a docker-compose file and I don't want to build it from scratch every time I send a PR or make a pull request. Instead, I want it to build from the cache.
Here is my action.yml file, in case you need it.

```yaml
name: Github Action
on:
  push:
    branches:
      - staging
jobs:
  test:
    runs-on: ubuntu-18.04
    steps:
      - uses: actions/checkout@v1
      - name: Bootstrap app on Ubuntu
        uses: actions/setup-node@v1
        with:
          node-version: '12'
      - uses: whoan/docker-build-with-cache-action@v5
        with:
          image_name: whoan/node
      - name: Install global packages
        run: npm install -g yarn prisma
      - name: Install project deps
        if: steps.cache-yarn.outputs.cache-hit != 'true'
        run: yarn
      - name: Build docker-compose
        run: docker-compose -f docker-compose.test.prisma.yml up --build -d
```
https://redd.it/ga0q8d
@r_devops
How to set up HTTPS on AWS EC2
I'm running into problems while trying to run my API that's hosted on AWS EC2 through the HTTPS protocol.
The API runs normally **without** the ELB setup; however, after trying to configure it (I followed the recommended steps), I get the **502 Bad Gateway** message.
Here's my configuration:
* AWS EC2 (t3a.small) running a docker container of my ExpressJS app listening on port 3000;
* Security group with http:80 and https:443 open;
* ACM that covers the following domains (mydomain.com, \*.mydomain.com);
* ELB listening to ports: http:80, https:443, https:3000;
* Route 53 with my hosted zone containing the A-type record with the ELB DNS value;
I'm running into problems while trying to run my API that's hosted on AWS EC2 through an HTTPS protocol.
https://ec2-ip-address.zone.compute.amazonaws.com:3000/api/
**Now**
https://api.mydomain.com:443/api/{resourceName}
Please, I would appreciate any insight on how to set this up properly. In case I missed something, let me know.
https://redd.it/ga01ym
@r_devops
Self-hosting a cloud-native microservice project
I'm planning to create a large-ish cloud-native microservice project as a learning experience and playground to test various technologies that I don't get to use at work. Usually I would go with AWS but for cost reasons I have to self-host most of the infrastructure on a home-server.
- There will be two Kubernetes clusters for production and pre-production environments.
- Inside the clusters I will use Istio as the service mesh.
- Code will be hosted on gitlab.com (or self-hosted gitlab if necessary).
- I will follow a push-based GitOps workflow: When a PR is merged into master, the CI pipeline builds the docker image, publishes it and deploys to the production environment. I will keep the necessary credentials as environment variables for now, that means any deployment can only happen on protected branches or else someone from outside could make a PR and change the .gitlab-ci.yml to deploy whatever they want. I don't know yet how I could automate a deployment to the preproduction environment and running of integration tests. If I were to make a second "staging" branch besides master that deploys to preproduction then staging and master would quickly diverge and because "staging" branch is protected, it is not possible to overwrite commits there (which is necessary during testing/QA).
- In place of S3 I have to self-host a MinIO storage instance. Assets of the frontend-application will be uploaded there so that older assets are still available during incremental rollouts.
- Docker images will be published either to Gitlab.com's container registry (10GB free per repo) or to my own MinIO storage.
- I want to use Terraform as much as possible for creating all my infrastructure. There will be an infrastructure repository that applies changes on commit to master. Secrets in the Terraform files will be encrypted using git-crypt.
- I will use only open source products for observability: ELK for logging and OpenTelemetry for metrics+tracing. That means at the very least I have to self-host Kibana, Zipkin, Prometheus and Grafana instances.
- I suppose I will need a domain name and somehow link that to my server so that the web app will be available from outside. For development and access to the preproduction web app I can use ZeroTier instead of a corporate VPN.
To sum it up, my home-server will run at least: 2 Kubernetes clusters, Gitlab Runners, MinIO, ZeroTier, lots of databases for the microservices, Kibana, Zipkin, Prometheus, Grafana, an internal Maven repository, some kind of service to link my domain-name to the dynamic IP, and a personal NAS.
This foundational ops stuff is all new to me. Where do I even start setting this up? Should I host everything on bare metal or use VMs? If so, how would I provision the VMs in a reproducible manner? Where do the databases for the microservices live?
Naturally this is completely overkill for a side-project, but the whole point is for me to learn how to do it, so I want to follow enterprise best practices as closely as is manageable.
https://redd.it/g9sqgf
@r_devops
MaaS Node reboots as soon as PXE loads initrd, Supermicro X11SSE-F
Using MaaS 2.6.2, and when trying to commission blades with the Supermicro X11SSE-F blade motherboard, they PXE boot, load the kernel and initrd and immediately reboot. Currently at a loss as to what may be the cause. Anyone else experience anything like this?
https://redd.it/g9tjkt
moving into leadership to start a new devops team from scratch - seeking advice
copy/paste from this thread: https://old.reddit.com/r/ITCareerQuestions/comments/g9s5ku/im_being_offered_a_position_for_a_title_that/
i'm currently a devops engineer, in discussions with another company to help start a brand new department and lead the "devops transformation" charge. it would be part engineering, part mentoring, part hiring and staffing a team...hence the question about moving into management, i'd be over these new people that i'd help hire.
i've been a team lead before, but never a manager. i've helped start new teams, but never as a leader, always as a peer advocate and consultant.
they're talking like this would be the equivalent to a director level position, reporting to a VP. i've never been in a leadership position, this would be a move to start a new team from scratch, so it's all foreign territory to me.
i'm asking for help on how to figure out what a salary for a position like this would be and how to research my market rate so that i'm asking for a realistic number, or able to evaluate their offer. is there a general step & column of what a salary increase should be going from a staff employee to a leadership position?
https://redd.it/g9tit8
Anyone here work for Oracle?
Just got approached by an internal employee for a devops position. I work for one of their competitors and my company would definitely sue. Is Oracle good to work for?
https://redd.it/g9tdax
How do you deal with an automated job that modifies a git repo?
How do you deal with automatic merging and potential conflicts?
Tips?
https://redd.it/g9szoz
Django HelloWorld Changes not showing up.
I created a HelloWorld starter app.
I pulled the code into my machine and started making changes, I can see the changes locally but not on AWS.
I can see my changes in CodeCommit's master branch. Project is building successfully.
What should I try?
Thank you.
https://redd.it/g9g0y0