Security

Software rotting and why you need to change your approach to security

A new phenomenon stand out in recent years: security must pervade the entire software development lifecycle. Except it isn’t. Current generation of processes and tools is lacking crucial features to properly manage modern security risks. Think of the Log4J event. Were you able to identify all affected components? Were they internally developed, or you need a vendor support? How fast you were able to deliver a fix? In this talk we’ll explore the challenges, what you can do with current tools, and which gaps should be addressed by communities through better practices and new tools.

Episode

August 18, 2022
Find vulns in your code before they find you

In this session, Chris is joined by DeveloperSteve Coochin, a Developer Advocate at Snyk. In this episode, Chris and Steve talk about vulns in the wild for a bit (well and to geek out in general), especially on the back of some research that Steve did recently on the likes of PHP. Steve has recently been looking into the security vulns that get let in without developers even knowing (Teaser: He was really surprised at some of them!)

Episode

August 18, 2021
Why you should be using Azure Security Center

Whether you’re brand new to Azure or have been using it for some time, you have likely either heard of - or come across - Azure Security Center. It’s a service which can prove extremely valuable in baselining, measuring and improving your security posture. But, did you know there is additional functionality beyond the free tier? You may have previously known this as the standard tier, or now know this as Azure Defender, where you can opt in for those Azure Services that you particularly want to protect.

Blog

August 16, 2021
44 - AKS, AGIC and Kubenet - Tips and tricks to make it work

When using Azure Kubernetes Service (AKS), there’s a chance that kubenet might be the only possible choice due to your requirements. If so, you may still want to use Application Gateway Ingress Controller (AGIC) to leverage Azure Application Gateway’s Web Application Firewall (WAF) capabilities. In this session, we will make the journey together to have a working AGIC in an AKS cluster with kubenet and managed identities.

Episode

August 13, 2021
Azure role-based access control (RBAC) at the data plane level

Principal of least privilege is a commonly used phrase within the Technology Industry. The idea is that we’ll assign permissions of what the user needs to get the job done, rather than anything broader or more privileged. This helps reduce the blast radius in the event of a compromised account. This stretches to Azure resources at the management plane, but in some cases can also stretch to the data plane of those resources. We’ll be exploring these further in this blog post.

Blog

April 21, 2021
Optimise your site - Addressing recommendations from securityheaders.com

In my blog post earlier this week, I mentioned that I recently spoke at the Northern Azure User Group. The other speaker for the evening was Scott Hanselman, who talked about his journey moving a 17 year old .NET App into Azure. This was his blog. Along the way, he called out some of the tools that he used along the way. One was a tool called securityheaders.com. As any engaged listener does, I took note of the tools that he used, and added them to my cloudwithchris.com backlog during the talk. When I later investigated the initial rating of the site, I received a score of an F - which appears to be the lowest possible score that you can receive! Given that I only allow HTTPS traffic to my site, I was surprised by this - so I begun looking into the recommendations further.

Blog

April 14, 2021
33 - External Config and Claim Check Pattern - Easier Management and Externalising Payloads

How often do you think about the configuration of your applications across environments/regions/deployment boundaries? What if that configuration was stored somewhere externally but centralised, to make management easier? That’s the idea behind the external config pattern! How about another scenario - What about those times where you’ve wanted to use a messaging service, but your payload is too big? Thought about externalising that payload too? Well, that’s the Claim-check pattern! Join Peter and Chris as they talk about both of these patterns in this episode of Cloud with Chris!

Episode

April 2, 2021
Using GPG Keys to sign Git Commits - Part 4

Part 4 - The final part (at least for now, until I find somewhere else that we can expand on with this)! This part will focus on porting the keys that we have recently generated onto our YubiKey device. I own a YubiKey NEO, so i’ll be using that.

Blog

March 17, 2021
Using GPG Keys to sign Git Commits - Part 3

Okay, part 3! At this point, I’m assuming that you have already familiarised yourself with part 1 and part 2 of the series. As a quick recap, part 1 focused on why we would consider using GPG Keys in general. Part 2 focused on how to generate GPG keys along with some recommended practices on splitting out our master (Certification) key, from our specific purpose-driven keys. This post (part 3) focuses on using those keys as part of our usual development workflow using Git. We’ll be assuming that GitHub is our end target, as GitHub supports commit signature verification using GPG Keys.

Blog

March 10, 2021
29 - The Sidecar and Ambassador Patterns

Have a need to update a legacy application to use cloud concepts such as retry, circuit breaker or other features? Then the ambassador or sidecar patterns may be for you! Join Peter and Chris as they continue their journey exploring Cloud Design Patterns. In this session, they discuss the Sidecar and Ambassador Patterns.

Episode

March 5, 2021