I didn't quite have time to write a blog post today, so in this post are several mostly security related links I was, er, thinking(?) about reading today. Interestingly things you don't think might be related to "security" really are, such as creating policy in code.
I've never written a post quite like this one, and I've come to realize that there is an insane amount of stuff happening in technology, and it's borderline overwhelming. This is one day of clicking around.
Security Engineering at Nebula in the Wake of Heartbleed, Shellshock, and POODLE - Uh, essentially Nebula provides an OpenStack appliance and distro geared towards the enterprise which means they are pretty serious about security and use a lot of open source in their product
...the core issues seem to be that security is expensive and difficult, and that what is a security best practice today may not be in ten years. Because security is costly and requires specialized expertise, many projects just don't make it a focus. For a small open source project just getting started, this is often a reasonable decision. But some of those small open source projects will grow to be the critical infrastructure of tomorrow, and then we will have problems if the security aspects are not addressed. More work is clearly needed to reduce the cost of entry for high quality security engineering.
OpenStack Juno released - Even though I don't think OpenStack is the end-all-be-all of open source virtualization/IaaS, it is still pretty darn cool stuff (sysadmin level: final boss!, giant ball of python!)
Cloudscaling was recently bought by EMC for an estimated $50 million, which depending on your perspective is either a lot or very little (for me, a lot, for EMC, very, very little...rounding error even)
... there's this misconception that if you're not writing your own code, and if you don't have your own developers on site, then you can't do DevOps, and this is also not true. You need to be able to collaborate, even if all of your code is coming pre-packaged and shrink-wrapped, because to turn that into an operational system, you need empathy for the entire chain of events.
The Practice of Cloud System Administration: Designing and Operating Large Distributed Systems, Volume 2 - A book by the above Tom Limoncelli
Scrum for operations - just add DevOps - This is a super long post on how a large team split up and implemented scrum for operations, lots to think about and good examples of implenting scrum which is actually fairly difficult, and, I think, can take a few iterations to get right in any organization...also I don't think the title is quite accurate
"DevOps came into being to solve a legacy problem, not to present a golden utopia to the masses. Just because we can’t get a handle on what feels like hand-waving doesn’t necessarily mean it’s empty of content or value."
In 'appsec', fast is everything - This includes brakeman which is pretty cool
Notes on POODLE - Requires man in the middle (MITM), doesn't hack rather is used to crack encryption, the protocol itself is wrong, not the code, solution is to disable sslv3 which is 15 years old anyways...all good stuff to know
Drupal 7 SA-CORE-2014-005 SQL Injection Protection - Seems like a pretty bad exploit, though no examples. Wasn't too sure how useful Cloudflare's security apps are, but then realized some sites won't be able to upgrade their Drupal version, so maybe not such a bad thing after all
Containers: What’s New, What Isn’t, What Matters? - by @littleidea who has some pretty thought provoking tweets, and by that I don't just mean controversial, actually thought provoking. I love containers even though they don't really contain yet (to be fair I'm talking linux containers/docker/lxc, I know there are other types of container technologies that are more mature).
ReThinkDB - A mongodb like distributed database that everyone likes? (Love that their latest release is "Lawrence of Arabia"). I always feel bad for mongodb because it seemss like they have one of the worst reputations in open source software and nothing can be that bloody awful
mod_security - The Cloudflare WAF made me want to lookup what's new in mod_security
Continously testing infrastructure (with puppet) - slides..."talking about policy as code might help communicate intent"
digitalocean-expect - Using clojure to create IaaS policies (eg. only have nodes in San Francisco and New York), cool stuff
clj-openstack - Pure clojure bindings for OpenStack clouds...to perhaps use like the Digital Ocean expect example above?
Simple Testing Can Prevent Most Critical Failures: An Analysis of Production Failures in Distributed Data-Intensive Systems - An academic paper I haven't quite made my way through yet
Security Trade-Offs (in cloud backups) - As is often the case, the percieved tradeoffs are not always inline with reality