Here I would like to describe a model on how we organize storage of release metadata for technology products. This methodology is a part of new Reliza’s project (to be announced soon). This may refer to both software or hardware or a mix of the two. I Problem Statement Various regulator requirements are either mandating… Continue reading Release Metadata Organization Model
Category: Security
Some Security Risks of Using Push-Based CD
Surprisingly I’m recently not finding a strong majority of voices saying that Push-Based Continuous Delivery should never be used due to security concerns. So I feel there is a need to clarify risks more explicitly. First of all here is what I mean by Push-Based CD. Simply, this is the approach, where SSH-key or some… Continue reading Some Security Risks of Using Push-Based CD
Storing Arbitrary Values in Java Keystore
Java Keystore is a nice tool, but it has a very limited number of inputs it supports natively. Mainly those are pem certificates and corresponding keys. Fortunately, there is a way to store arbitrary data using keytool’s -importpass command and base64 encoding. Here is how to achieve that. Let’s imagine we have some secret.bin file,… Continue reading Storing Arbitrary Values in Java Keystore
No good way to verify public image sha256 in docker hub – security concern
This is a little crazy but apparently we don’t have a good way to verify sha256 digests of public images in docker hub. Related thread is here: https://github.com/docker/hub-feedback/issues/1925 and also this stackoverflow is useful: https://stackoverflow.com/questions/57316115/get-manifest-of-a-public-docker-image-hosted-on-docker-hub-using-the-docker-regi . Problems in the nutshell: Publicly displayed digests on docker hub UI do not match those seen when pulling images… Continue reading No good way to verify public image sha256 in docker hub – security concern
No-frills secret sharing with openssl
Motivation Sometimes we need to share a secret with a colleague, and frequently it’s a hassle to do so securely. Worst options include people simply sending plain-text secrets over email or slack. Better, if this is some sort of encrypted email service like ProtonMail, but still it’s a fairly brittle way if we’re dealing with… Continue reading No-frills secret sharing with openssl
YubiKey for SSH on Windows: Complete Walkthrough
Update: Watch my talk at OWASP Ottawa discussing SSH security (gives perspective to this walkthrough). Also if you are looking for a Linux or Chrome OS setup, look here. At Reliza we are switching to using YubiKeys for our SSH authentication which is possible via PGP encryption. This guide is for Windows and using SSH… Continue reading YubiKey for SSH on Windows: Complete Walkthrough