Added security answers and questions #229
Added 15 questions (including answers) and 10 answers to existing questions.
bregman-arie
left a comment
First of all, thank you both for the effort. You added quite a lot of questions and answers and personally, I really appreciate it and I'm sure the community appreciates it as well.
I do want to provide some constructive feedback, that you can use for future contributions, whether it's this project or another one:
- Keep pull requests small. It took me quite a lot of time to review this PR. If you want to make sure that your contributions are easily reviewed in the future and you actually get attention from different reviewers, you have to try and keep them small and focused on one topic/issue/task.
- Be consistent with the format: Some answers include a blank line under the question, and some don't. Some answers mention the source while some don't. It makes sense for an answer to not mention a source if it was written by you, but in this case I see answers from different sources, but without reference to these sources.
- Be mindful of the content. It's easy to ask a question and copy-paste the answer from some site, but always question the answer. See if it makes sense to you, if you like it, if you think it's something that will be clear to people, or perhaps it's phrased in a too specific way or too obscure ...
Overall, as I said, I appreciate the effort. Looking forward to the next revision :)
exercises/security/README.md
Outdated
| <details> | ||
| <summary>What is DevSecOps? What its core principals?</summary><br><b> | ||
|
|
||
| [Devopsonline definition](https://www.devopsonline.co.uk/how-to-put-the-sec-in-your-devsecops/): DevSecOps is the process of incorporating security into the development process. It includes the process of assessing and addressing potential threats and hardening attack surfaces, and commonly includes: penetration testing, code scanning and analysis, threat modeling and vulnerability assessments, compliance auditing, and all of the associated training that these require. The core principles are: |
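Review bot: the summary line `What is DevSecOps? What its core principals?` has a grammar slip and a misspelling; suggest `What is DevSecOps? What are its core principles?`. The answer also stops at `The core principles are:` and the list that should follow is not in this hunk, so check that it is actually present in the rendered README.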
To be honest, I'm not a huge fan of this specific definition, for multiple reasons:
- The introduction is too specific: "DevSecOps is the process of incorporating security into the development process" - it could be better imho if it said development lifecycle and mentioned testing, release, ...
- Some of the core principles mentioned here are not specifically about DevSecOps. For example "deliver small, frequent releases using agile methodologies". This is a DevOps core principle.
- "wherever possible, make use of automated testing". This alone actually introduces a lot of security risks if not handled correctly
What I propose is to perhaps have a couple of short definitions from different companies. I believe Snyk, Jfrog, Red Hat and others provide quite good definitions. Also for any quoted text, you might want to use quotes.
exercises/security/README.md
Outdated
|
|
||
| <details> | ||
| <summary>What it means to be "FIPS compliant"?</summary><br><b> | ||
| To be FIPS compliant means an organization adheres to the Federal Information Processing Standards (FIPS) in order to act in accordance with the Federal Information Security Management Act of 2002 (FISMA) and the Federal Information Security Modernization Act of 2014 (FISMA2014). |
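Review bot: `What it means to be "FIPS compliant"?` should read `What does it mean to be "FIPS compliant"?`. In the answer, two different acts (the Federal Information Security Management Act of 2002 and the Federal Information Security Modernization Act of 2014) are both abbreviated FISMA in the same sentence, which is confusing; name each act once and make clear which one the abbreviation refers to.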
If this is a quote, mention the source. Also for consistency purposes, keep a blank line between the question/summary tag and the answer
exercises/security/README.md
Outdated
| [Idrnd](https://www.idrnd.ai/5-authentication-methods-that-can-prevent-the-next-breach/) | ||
| & [Sailpoint](https://www.sailpoint.com/identity-library/authentication-methods-used-for-network-security/): | ||
|
|
||
| * Password-based authentication. |
A short description added to each one could be nice :)
exercises/security/README.md
Outdated
| <details> | ||
| <summary>Explain Token-based authentication</summary><br><b> | ||
|
|
||
| [Fortinet](https://www.fortinet.com/resources/cyberglossary/authentication-token#:~:text=Token%2Dbased%20authentication%20is%20a,a%20unique%20encrypted%20authentication%20token): |
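Review bot: the Fortinet link carries a `#:~:text=...` text-fragment anchor, which only some browsers honour and which makes the markdown hard to read; link to the plain page URL instead.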
Add quotes
exercises/security/README.md
Outdated
|
|
||
| [Digitalguardian](https://digitalguardian.com/blog/101-data-protection-tips-how-keep-your-passwords-financial-personal-information-safe): | ||
|
|
||
| * Encrpyt sensitive data |
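Review bot: typo in `* Encrpyt sensitive data`; it should be `* Encrypt sensitive data`.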
Same here. Short description for each one could be nice
exercises/security/README.md
Outdated
| </b></details> | ||
|
|
||
| <details> | ||
| <summary>Give examples of what a code solution could be. </summary><br><b> |
To be honest, I'm not even sure what a "code solution" refers to exactly.
exercises/security/README.md
Outdated
| </b></details> | ||
|
|
||
| <details> | ||
| <summary>What is a software supply chain attack? </summary><br><b> |
This feels like asking in general "what is X attack?" and answering "It's attacking X". In other words, I'm not sure what the value of this one is. It doesn't feel like you can learn anything valuable from it.
Same comment
exercises/security/README.md
Outdated
| </b></details> | ||
|
|
||
| <details> | ||
| <summary> Briefly suggest some solutions related to those threats from a developer perspective. |
If this is a follow up to another question (let's say the one above) I would explicitly rephrase it as "Following the examples for security threats on supply chain, briefly suggest some solutions related to those threats from a developer perspective"
exercises/security/README.md
Outdated
|
|
||
| * Carefully investigate the third party vendor’s security practices | ||
| * Conduct an incident response plan that should be followed if an attack occurs. | ||
| * Raise awareness among employees of potential threats and critical attributes of the product and/or organization. |
It doesn't sound like something a developer would do, to be honest.
exercises/security/README.md
Outdated
| * Raise awareness among employees of potential threats and critical attributes of the product and/or organization. | ||
| </b></details> | ||
|
|
||
| <details> |
This feels like a commercial :) Let's remove this one
Same comment
* Deleted answers that we need to discuss further
* Added and clarified questions and answers
* Fixed formatting

Hi again @bregman-arie. Thanks a lot for the interesting feedback. We decided to have further discussion among the two of us regarding the answers of the questions that were already there. Therefore, we decided to delete those answers for now. On the contrary, we decided to focus on the questions we came up with regarding software supply chain and package management, and the feedback we received on it. Again, we are more than happy to address any issues with the latest commit if there are any. Thanks for the detailed answer and your time. Best regards,
exercises/security/README.md
Outdated
|
|
||
| <details> | ||
| <summary>What is Hashing?</summary><br><b> | ||
| Hashing is the process of converting a given key into another value. A hash function is used to generate the new value according to a mathematical algorithm. The result of a hash function is known as a hash value or simply, a hash. |
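Review bot: there is no blank line between `<summary>What is Hashing?</summary><br><b>` and the answer, unlike the entries above it; add one so the entry renders like the rest. The answer is also a generic definition (converting a key into another value) that says nothing about why hashing matters in a security README, so either tie it to the security context or drop it.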
Same comment
exercises/security/README.md
Outdated
| #### Software Supply Chain & Security | ||
|
|
||
| <details> | ||
| <summary>Briefly describe software supply chain. </summary><br><b> |
Briefly describe what's a software supply chain
exercises/security/README.md
Outdated
| </b></details> | ||
|
|
||
| <details> | ||
| <summary>Give examples of third-party and open source components. </summary><br><b> |
How is this question relevant to the topic? Also, AWS is not open source nor third party
Agree on AWS and the question's nature. We deleted the question and added an example to the question above. We think that having an example / few examples of what a component could be within the context of a software supply chain will contribute to clarifying this section for the reader. Especially for those who are very new to DevOps / DevSecOps and possibly tech.
exercises/security/README.md
Outdated
| </b></details> | ||
|
|
||
| <details> | ||
| <summary>What is a software supply chain attack? </summary><br><b> |
Same comment
exercises/security/README.md
Outdated
| * Raise awareness among employees of potential threats and critical attributes of the product and/or organization. | ||
| </b></details> | ||
|
|
||
| <details> |
Same comment
- Removed answer about hashing
- Removed Q & A about a software supply chain attack (this one was basically a duplicate as well)
- Removed the commercial question and answers
- Rephrased question about describing a software supply chain
- Fixed minor formatting
exercises/security/README.md
Outdated
| </b></details> | ||
|
|
||
| <details> | ||
| <summary>What're some benefits with software supply chain? </summary><br><b> |
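Review bot: besides `with` vs `of`, the summary `What're some benefits with software supply chain?` uses a contraction and is missing an article; suggest `What are some benefits of a software supply chain?`.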
s/with/of/
Hi again sorry for the absence. Do you mean replace 'with' with 'of'?
exercises/security/README.md
Outdated
| * Third-party vendors’ code solutions might not provide sufficient cybersecurity and risk being a potential subject to data breaches. | ||
| </b></details> | ||
|
|
||
| <details> |
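Review bot: in `Third-party vendors’ code solutions might not provide sufficient cybersecurity and risk being a potential subject to data breaches.` the clause `risk being a potential subject to data breaches` reads awkwardly; suggest `and may expose the project to data breaches`.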
Again, this feels like a commercial for a specific tool. Especially when Aquasec is not an open source or free project. I suggest removing this question.
exercises/security/README.md
Outdated
| <summary> What is a package manager? | ||
| </summary><br><b> | ||
|
|
||
| [Baudry et al.](https://arxiv.org/pdf/2001.07808.pdf): A tool that allows you to easily download, add and thus reuse programming libraries in your project. E.g. npm or yarn. |
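Review bot: `</summary><br><b>` is placed on its own line after `<summary> What is a package manager?` while the earlier entries keep it on the summary line, and the leading space inside `<summary> What` is also inconsistent with those entries; keep one layout across all entries. The same applies to the build tool entry below.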
Missing quotation marks
exercises/security/README.md
Outdated
| <summary> What is a build tool? | ||
| </summary><br><b> | ||
|
|
||
| [Baudry et al.](https://arxiv.org/pdf/2001.07808.pdf): A tool that fetches the packages (dependencies) that are required to compile, test and deploy your application. |
Missing quotation marks
exercises/security/README.md
Outdated
| </b></details> | ||
|
|
||
| <details> | ||
| <summary> Explain a few cons with bloated dependencies. |
s/with/of/
exercises/security/README.md
Outdated
| </b></details> | ||
|
|
||
| <details> | ||
| <summary> Briefly explain how DepClean for Maven projects work. |
Hmm, DepClean is one specific tool. Not sure it fits.
Yeah, agree, too specific a tool.
exercises/security/README.md
Outdated
| </b></details> | ||
|
|
||
| <details> | ||
| <summary> Provide another solution to manage dependencies. |
"another solution" assumes users go question by question in order, but that's not always the case. Users might pick questions randomly. So I propose to ask "What solutions are there for managing project dependencies?"
- Removed question about DepClean
- Added quotes where needed
- Changed grammar of requested questions
- Changed formulation of a requested question

We are very happy with the feedback so far, let us know if there is more to be addressed.

Hi @bregman-arie, I hope you are doing well. We are just wondering whether you (or someone else) could have a check on the latest changes and potentially get it merged by Tuesday. All the best, Aksel and abdullah
bregman-arie
left a comment
Looks good. Thank you for the effort.
Thanks for the feedback process, we really appreciate your efforts in this PR and the entire repo. Have a good one! Aksel & Abdullah

* Added questions and answers: Added 15 questions (including answers) and 10 answers to existing questions.
* Fixed links/formatting
* Fixed another typo
* Fixed typo
* Fixing answers, questions and formatting
* Deleted answers that we need to discuss further
* Added and clarified questions and answers
* Fixed formatting
* Removed and modified answers
  - Removed answer about hashing
  - Removed Q & A about a software supply chain attack (this one was basically a duplicate as well)
  - Removed the commercial question and answers
  - Rephrased question about describing a software supply chain
  - Fixed minor formatting
* Modified questions and answers
  - Removed question about DepClean
  - Added quotes where needed
  - Changed grammar of requested questions
  - Changed formulation of a requested question
Hello again @bregman-arie !
We added a few answers to already existing questions. Additionally, we created questions about software supply chain, package management and security concerns related to the topics. We are more than happy to hear your feedback and fix potential issues if there are any, and kudos to you and the other contributors in this repo!
Best regards,
@Akseluhr & @Abdullah1428