I find it hard to believe, but it is true: another year has wrapped up. With the conclusion of 2023, I’m looking back at some of my free and open-source software accomplishments over those 12 months. My contributions are, once again, all over the place: different languages, industries, technology stacks, and architectural layers. I made … Continue reading 2023 Free / Open Source Software Accomplishments
Tag: security
SCAP Security and Compliance Scanning of Docker Images in GitHub Actions and GitLab CI
GitHub Actions and GitLab CI code that you can drop in to your project to automatically, effortlessly use to SCAP scan docker images for compliance with benchmarks from CIS, PCI-DSS, STIG, and more.
Always Use Docker Image Digests
Docker image digests are unique, immutable identifiers for container images. This means that two images with different contents will have different digests, even if they have the same name and tag. When you pull an image by its digest, you are guaranteed to get the exact same image every time, regardless of when or by … Continue reading Always Use Docker Image Digests
Creating SBOMs with the Snyk CLI
The Snyk CLI is a great tool used to scan a project and report vulnerabilities discovered in it. The Snyk CLI supports a wide variety of languages and build systems, making it ideal as a generic, go-to solution for vulnerability reporting. However, it only outputs vulnerabilities discovered – it does not generate an SBOM, which … Continue reading Creating SBOMs with the Snyk CLI
Improving the Reproducibility of Spring Boot’s Docker Image Builder
Reproducible builds are big wins for security, maintainability, and sanity. If you don’t like it when nothing has changed, yet your build suddenly breaks or doesn’t produce the same output, then improving reproducibility is for you. By default, Spring Boot’s Docker/OCI image building solutions, bootBuildImage (in Gradle) and spring-boot:build-image (in Maven), do not operate reproducibly. … Continue reading Improving the Reproducibility of Spring Boot’s Docker Image Builder
Crafting Effective Announcements
The only constant in life is change. Heraclitus In this world of omnipresent change, effective communication is key to survival. Information that will impact others must be shared, and how that sharing is done will be the difference between success and failure. Will recipients of your message be confused, or will the message be clear? … Continue reading Crafting Effective Announcements
Identifying, Reporting, and Fixing CVE-2021-22119: DoS Vulnerability in Spring Security OAuth 2.0
In March 2021, I observed troubling behavior in multiple applications I supported that are built using Spring Boot: they would occasionally stop responding. Eventually, I tracked down the root cause to a DoS (Denial of Service) vulnerability in Spring Security OAuth 2.0: a simple shell script could take down any affected web application. Respecting the … Continue reading Identifying, Reporting, and Fixing CVE-2021-22119: DoS Vulnerability in Spring Security OAuth 2.0
Users and Client Secrets in Keycloak Realm Exports
Keycloak is an open source Identity and Access Management (IAM) solution that’s easy to run in Docker using a Configuration as Code (CAC) strategy enabling a workflow where a git source control repository can be cloned by a developer who can run one non-interactive script that starts Keycloak and gets it into a consistent state … Continue reading Users and Client Secrets in Keycloak Realm Exports
Contributing Improved Security to JavaMelody with Content Security Policy
JavaMelody is a web based monitoring tool frequently run in production environments, providing insights including CPU usage, hot spots in code, database connection pool utilization, and more. I’m always on the lookout for ways to improve security, so when a security scan pointed out that the JavaMelody web interface didn’t have a Content Security Policy … Continue reading Contributing Improved Security to JavaMelody with Content Security Policy
The How and Why Automating Dependency Updates
Organizations already automate running builds, executing tests, and performing deployments to free developers from tedium and improve reliability. The next step is to use automation to improve projects. Tools (bots) can submit pull requests that fix typos, optimize images, and more. I’ve had a great positive experience using a bot to perform the tedious task … Continue reading The How and Why Automating Dependency Updates