BDBA (Blackduck Binary Analysis)

 BDBA (Blackduck Binary Analysis)

Black Duck Binary Analysis (previously known as Protecode) is an Open Source Vulnerability Scan tool which provides the composition of Open Source components in a product along with Security information (no license info is provided).

BDBA (Protecode) uses a combination of static binary analysis techniques to X-ray the provided software package to identify third-party software components and their exact versions with a high level of confidence. Methods range from simple string matching to proprietary patent-pending techniques.

When to use BDBA?

- BDBA should be used to analyze:

- 3rd party software supplied in binary form, for example, in a software supply chain scenario

- Software in binary form where you do not have access to the source used to build it

OWASP Top 10

 OWASP Top 10

1. Broken Access Control : Occurs when unauthorized access to resources is mistakenly allowed .
1. Common causes include human error such as 
1. unprotected sensitive data, 
2. lack of system isolation, 
3. Misconfigured systems
2. To avoid this risk, implement:
1. Formal threat modeling
2. Cover access control in use case testing
3. Use secure configuration for deployment 
4. Design for error by anticipating mistake and reducing their impact.
2. Cryptographic failures : Can compromise confidentiality and integrity of data.
1. Common Causes :
1. Misconfigured system
2. Use of insecure protocol
3. Leaking cryptographic secrets
4. Using outdated or weak cryptographic algorithms.
2. To prevent this:
1. Implement Threat modeling
2. Safeguard private keys
3. Use encryption for data at rest and in transit
4. Use only approved cryptographic libraries and configurations.
3. Injection: is the misuse of external inputs that manipulates the application to behave insecurely.
1. Causes :
1. Insufficient human input validation
2. Failure to identify potential injection sources
2. To avoid:
1. Perform threat modeling
2. Treat all external applications/inputs data as harmful.
3. Perform regular penitent including fuzzing techniques.

4. Insecure Design: is the failure to incorporate Security in all stages of a project.
1. Common Causes:
1. Neglecting security considerations at various point of development process.
2. Inadequate security awareness.
2. Risk
1. Inability to pass security standards and expensive rework
3. To avoid this
1. Implement formal threat modeling
2. Develop a security mindset
3. Continuously learning and apply security knowledge 
5. Security misconfiguration: occurs when security measures are rendered ineffective due to incorrect deployment.
1. Common causes:
1. Failing to use secure configuration
2. Not reviewing configuration defaults
3. Assuming hidden applications as secure.
2. To mitigate this:
1. Conduct authorized penetration test against production deployments
2. Follow a consistent security review process
3. Use only third party components that have independent security validations
6. Vulnerable and outdated Components : can expose systems to risk.
1. Common causes
1. Assuming someone else is taking security actions
2. Underestimating the risk of unpatched systems 
3. Lack of dependency and version management
2. To avoid:
1. Follow a continuous software update process
2. Use well documented management processes
3. Actively monitor for security vulnerabilities news bulletin 
4. Perform regular pen test
7. Identification and Authentication failure: occurs when system mis identifies an actor and grants improper privileges.
1. Common causes:
1. Misconfiguration
2. Insecure session management 
3. Using simple and spoofable authentication mechanisms 
2. To avoid :
1. Perform proper threat modeling
2. At least Two factor Authentication 
3. Use approved SSO integrations
8. Software and data integrity Failure : occurs when unverified data and software are deemed trustworthy
1. Common causes
1. Trusting unverified data
2. Failing to ensure limited access for personnel to change the data or code
3. Related cryptographic failures
2. To Prevent:
1. Verify the Authenticity of all code and data
2. Do not rely on implicit trust
3. Use trusted public key infrastructure for data and code signing
9. Security Logging and Monitoring Failures : can leave malicious attacks undetected 
1. Common causes:
1. Misunderstanding of sufficient details required for forensic investigations 
2. Selective logging
3. Insecure storage
4. Transport of logs
2. To avoid this:
1. Log all accessed resources
2. Map actions to data for better traceability 
10. Server side request forgery: manipulating remote resources to make requests on behalf of an attacker
1. Common causes:
1. Processing data from insecured resources
2. Misconfigured middleware
2. To avoid:
1. Sanitize all data inputs
2. Use Strong authentication and Authorization for all endpoints 
3. Scan middleware regularly for any mis configurations

Debug Qurkus App in VS code

 Debug Qurkus App in VS code

Debug Qurkus App in VS code

1. ./gradlew quarkusDev -Dsuspend=true -Ddebug=true

2. Go to Run --> add configuration --> select Attach to Remote Program

    use these deteils:

{

            "type": "java",

            "name": "Attach to Remote Program",

            "request": "attach",

            "hostName": "localhost",

            "port": "5005"

        },

3. Click on run.

arz kiya hai....

DevOps in a Nutshell

As per Wiki , DevOps is a set of practices that combines software development (Dev) and information-technology operations (Ops) which aims to shorten the systems development life cycle and provide continuous delivery with high software quality.

DevOps is the response to the “us vs. them” culture of development.

The goal is to bridge the gap between IT operations and development to improve communication and collaboration, create more seamless processes, and align strategy and objectives for faster and more efficient delivery

Benefits of DevOps :

Principles :

Automation: Automate everything, such as workflows, testing new code, and how your infrastructure is provisioned to cut down on waste and overwork.

Iteration: Write small chunks of code during a time-box sprint to support releases and sub-releases that increases the speed and frequency of deployments.

Continuous improvement: Continuously test, learn from failures, and act on feedback in order to optimize performance, cost, and time to deployment.


Collaboration: Unite teams, foster communication and breakdown silos between development, IT operations, and quality assurance.

Process Flow :

ToolChain:

A DevOps toolchain is a set or combination of tools that aid in the delivery, development, and management of software applications throughout the systems development life cycle, as coordinated by an organisation that uses DevOps practices.

Kubernetes-know-how

Keywords

Node:

It is normal machine, it could be a physical computer or could be a computing instance like AWS EC2 instances.

Cluster:

The cluster is a collection of Nodes (computers) related to each other and work together.

Pod:

one or more docker containers, sharing the same network card .

you can think of them as two separate computers sharing the same network card, or two separate processes in one computer. The main goal of the pod is to separate processes and their dependencies while maintaining the same network identity.

pods are the basic unit of deployment in Kubernetes, they get deployed to the nodes of the cluster, and these nodes can have one or more pods on them, it’s up to Kubernetes to arrange the pods between the nodes.

Replica:

The replica is a clone of a pod, replicas are needed to distribute the load.

Service:

A service is a group of pods that running somewhere in the cluster and they provide the same functionality.

Deployment:

A Deployment provides declarative updates for Pods and ReplicaSets..

docker-commands-cheat-sheet

Docker Commands	Description
docker search searchterm	Search Docker Hub for images.
docker pull user/image	Downloads an image from Docker Hub.
docker login	Authenticate to Docker Hub (or other Docker registry).
docker push user/image	Uploads an image to Docker Hub. You must be authenticated to run this command.
docker ps	List all running containers.
docker ps -a	List all container instances, with their ID and status.
docker images	Lists all images on the local machine.
docker history user/image	Lists the history of an image.
docker logs [container name or ID]	Displays the logs from a running container.
docker port [container name or ID]	Displays the exposed port of a running container.
docker diff [container name or ID]	Lists the changes made to a container.
docker run -it user/image	Runs an image, creating a container and changing the terminal to the terminal within the container.
docker run -p $HOSTPORT:$CONTAINERPORT -d user/image	Run an image in detached mode with port forwarding.
ctrl+p then ctrl+q	From within the container’s command prompt, detach and return to the host’s prompt.
docker attach [container name or ID]	Changes the command prompt from the host to a running container.
docker start [container name or ID]	Start a container.
docker stop [container name or ID]	Stop a container.
docker rm -f [container name or ID]	Delete a container.
docker rmi	Delete an image.
docker tag user/image:tag user/image:newtag	Add a new tag to an image.
docker exec [container name or ID] shell command	Executes a command within a running container.
docker commit user/image	Save a container as an image.
docker save user/image	Save an image to a tar archive.
docker build -t sampleuser/ubuntu .	Builds a Docker image from a Dockerfile in the current directory.
docker load	Loads an image from file.
docker info	Get information about the docker infra.
docker images	Get all the images in local docker repo.
docker rm $(docker ps -a -q)	Delete all containers
docker rmi $(docker images -q)	Delete all images---- use -f is needed for force