As a security architect, you should insist on having good and clear visibility of the security status of your product/service.
While that sentence covers a wide range of topics, I want to raise a different approach to security visibility and enforcement. In this post, I’m going to discuss a concept I call GitSecOps, which is a kind of hybridization between GitOps and SecOps and is something we are currently experimenting with.

First, we’ll dive into the first use-case I found for GitSecOps— IAM.

Let’s talk about IAM

We all know AWS IAM, right? A really powerful AWS service to manage authorization for personas or…

IAM policies are a great way to enforce authorization for Groups / Users / Roles to specific services, under specific conditions. In high level, policies are a set of JSON statements which provide certain permissions to entities. Adding another security layer to that, there is an optional block under the policy statements. Like any condition in any programming languages, The condition block returns a boolean output — either true or false, which decides whether a policy grants or denies the request.

In this example, we will demonstrate how a policy can deny or allow access from specific IP address, and…

Working a-lot with Ansible lately, I was encountering in a real blocking problem. As we were working on deploying our software on Windows targets, We were constantly trying to find ways to test our roles, but we encountered some issues, mostly related to our development environments. Writing these lines, i’m using my personal Macbook Air so don’t be confused because of that.

The fact we were working on a Cyber Security company requires compromises on development environments. Always working in a virtual environment has it’s limitations, and therefore it was not possible to use a solution that deploys VirtualBox VM’s…

Until not long ago, I was using DuckDNS services to get my home webserver up and running. As my ISP is demanding a respectful amount of money to reserve a static IP address I was looking for dynamic dns solutions to point my home IP address to.

I chose an AWS service because I had an account there and I already have some services running over there. Some LightSail websites I’m running for personal use, Elastic IP’s etc. That’s why it was comfortable for me to use Route 53 and get consolidated billing instead of splitting it into another service…

During my work, I encountered several times in a need of architecting & developing internal systems, which requires access from specific people inside the company. In terms of visibility & security, you probably don’t want these systems to be available to the internet, and therefore you must find a solution.

On AWS, you have the option to create private subnets inside your VPC and access the application through VPN. That seems like a nice solution, right? but when you want to publish the application internally, you probably don’t want to deliver it with an internal IP address such as 10.0.0.79.

…

For a long period of time, I was using custom git hooks on my own ec2 instance that ran Gogs open source software as a git server. I was using these hooks to make sure that every push to the repository goes through and being deployed to our staging server.

Recently, I started to implement Atlassian products for our work platform. We’re using Confluence for shared work, Jira for agile deployment and customer service, and Bitbucket for source code management. I was looking for solutions to offload my old git server that was taking an ec2 machine. …

One of the obstacles I encountered during moving our whole server setup from Hosting services to AWS, is the Multi Availability Zones setup and the fact that it wasn’t redundant to other events, rather than shutdowns / unexpected falls.

When trying to save some $$ for my company, I decided to use multi-az t2.medium RDS cluster. This setup gave me, except for the redundancy and quick recovery during Layer-7 attacks, the ability to promote the replica database to master when I was running out of CPU credits for the instance I was using. …

So far, debugging React Native on a real iOS device is a mess: a developer needs to do the next steps:

1. Discover the local IP address of the machine running the React Native Packager.
2. Update the AppDelegate.m file with the IP address mentioned above.
3. Run the app on the real device.

The problem with this scenario, is that sometimes we want to switch environments without messing with the IP addresses. …