With Nginx, Can a .pem File Replace a .crt and/or a .key File?

Problem scenario
You know that a .crt file and a .key file can be paired as the SSL certificate and the SSL certificate key respectively. In Nginx, can .pem files replace .crt files? Can .pem files potentially replace .key files? Can a .pem file be a substitute?

Solution
Yes, to some extent. In the nginx.conf file, a .pem file can replace a .crt file, and potentially a .key file too.

Is It a Best/Recommended Practice to Use AWS VPC Peering Connections?

Problem scenario
You have heard about AWS VPC Peering Connections. Should you use them?

Solution
The short answer is “yes.”

Some “best practices” for VPCs are merely step-by-step directions for setting one up while describing options that you may or may not want to take. This posting, on a technical blog of a large reputable company,

Amazing Growth for I.T. Jobs in Security

In November of 2017 Continualintegration.com posted What is DevSecOps (or DevOpsSec, SecDevOps, or rugged DevOps)?. At the time, Indeed found 192 jobs with a search for “devsecops”. Today, 2/10/22, four years and three months later, Indeed returns 19,002 jobs for a search of “devsecops.” There are roughly 100x as many jobs on Indeed now that include the word “devsecops.” The website has grown, but this is still an amazing finding.

Is It a Best/Recommended Practice to Use Log4j?

Problem scenario
You are not sure if Log4j is acceptable to use. Is it a best/recommended practice to use Log4j?

Answer
Maybe.

Log4j has been well-adopted by many of the most trusted companies in the I.T. industry. According to cybersecuritydive.com “Fortinet, IBM, Microsoft, Red Hat, Salesforce, and Siemens” use(d) Log4j. Log4j has been vulnerable since 2013 (according to this external website).

How Do You Rotate Certificates?

Problem scenario
You have load balancers, web servers, and other HTTP technologies that rely on SSL or TLS certificates. Some certificates will be revoked for security reasons. How do you provision new certificates to update them (because they will expire, or because you want to harden your environment by refreshing the certs, as aged certs are more likely to be compromised than young ones)?

Solution
You may want to plan for lower capacity than normal and therefore schedule this work in production during an off-peak time.

How Do You Configure Snyk’s Threshold Level in Azure DevOps Pipelines?

Problem scenario
You are troubleshooting a pipeline in Azure DevOps. You look at the task’s log output. You see a security-threshold flag in a CLI with the value “low”, “medium”, “high” or “critical” that you think is incorrect or inconsistent with another setting. How do you get the flag set to the security threshold level of your choice?

Background
The Snyk command (or commands) that ultimately runs is assembled from various underlying settings,

How Do You Troubleshoot SSH Connection Timed Out?

Problem scenario
You are trying to use SSH, but you get a “connection timed out” error. What should you do?

Possible solution #1
Can you try to ping the hostname or IP address? Are you connected to a necessary VPN? Perhaps the endpoint is down or not reachable from the network you are on.

Possible solution #2
Is there a router that was recently configured?

How Do You Run Snyk Scans as Part of Azure DevOps Pipelines?

Problem scenario
You know that many sources recommend scanning IaC code as part of modern security recommended practices. (Page 293 of Terraform: Up & Running, 2nd Edition by Yevgeniy Brikman (O’Reilly), Copyright 2019, 978-1-492-04690-5 recommends using Snyk.) You tried to create a new pipeline in Azure DevOps. You tried to add a Snyk task. But you were not able to. Why, in Azure DevOps, do you not see a Snyk option for a task to add to a pipeline?

How Do You Troubleshoot Adding Red Hat Packages with Errors Like “Curl error (77): Problem with the SSL CA cert (path? access rights?)”?

Problem scenario
You try to run a DNF command, but you are stymied by errors like these:

Fedora 32 foobar (From SomeCompany) – x86_64 0.0 B/s | 0 B 00:00
Errors during downloading metadata for repository ‘fedora-somecompany-foobar’: – Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://mirrors.fedoraproject.org/metalink?repo=fedora-somecompany-foobar-32&arch=x86_64 [error setting certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs]
Cannot prepare internal mirrorlist: Curl error (77): Problem with the SSL CA cert (path?

Is There a Difference between an IAM Role and an IAM Access Key?

Question
Is there a difference between an IAM role and an IAM access key?

Answer
Yes. To summarize this article, IAM users are for humans and IAM roles are for AWS components (such as S3 buckets and EC2 instances). As a less significant difference, you do not rotate IAM roles (according to this medium.com post).