Integrating Apache Kafka into your CI/CD with Jenkins & Lenses

Tags apache event-driven messaging streaming open-source app-development

This tutorial will illustrate how you can integrate Lenses into your Jenkins CI/CD using the lenses-cli. The Lenses CLI allows you to manage your Apache Kafka environment using a single unified and secure API across all Kafka components (Kafka Brokers, Zookeepers, Kafka Connect, Schema Registry etc.). By Mihalis Tsoukalos.

Integrating Lenses with Jenkins will simplify automating the deployment of real time applications across your different Apache Kafka environments.

The tutorial then walks you through:

  • Pre-requisites
  • The Scenario
  • GitHub Webhook
  • Creating the Jenkins Job
  • Pushing data to the GitHub repository
  • Watching the results

There is also a GitHub repository available with all the code. Now that you know how to use GitHub actions to communicate with Lenses, you should start automating as many things as possible. Learn how to apply GitOps to your real time pipelines in this blog post. Nice one!

[Read More]

Deep dive into Cloud App Discovery

Tags cloud azure apis cio

Cloud Discovery, which is one of the Microsoft Cloud App Security (MCAS) features, helps organizations to identify applications and user activities, traffic volume, and typical usage hours for each cloud application. In a nutshell, it can help to detect “Shadow IT” applications and possibly risky applications. By Joanna Harding @Microsoft.

Cloud Discovery identifies cloud applications that the organization might not have visibility into, provides risk assessments, and offers ongoing analytics and lifecycle management capabilities to control their use. Cloud Discovery analyses the traffic logs and runs them against the cloud app catalog to provide information on the discovered applications and the users accessing them.

You will also find in the article:

  • Options for ingesting data
  • Cloud App Security and Defender for Endpoint integration - how it works
  • Scenarios - policy examples
  • Cloud Discovery dashboard
  • Cloud Discovery Policies
    • App Discovery policies
    • Discovery Anomaly detection policies
  • Considerations

Cloud Access Security Broker (CASB) use cases

Source: https://techcommunity.microsoft.com/t5/microsoft-security-and/deep-dive-into-cloud-app-discovery-guest-blog/ba-p/2090715

Cloud Discovery analyzes traffic logs against Microsoft Cloud App Security’s cloud app catalog of over 16,000 cloud apps. The apps are ranked and scored based on more than 80 risk factors to provide insights and visibility into applications used in the cloud, and the risk Shadow IT poses to the organization. There are also links to further reading, charts, and screen grabs provided. Good read!

[Read More]

How to protect sensitive data for its entire lifecycle in AWS

Tags infosec web-development cio app-development apis

Many Amazon Web Services (AWS) customer workflows require ingesting sensitive and regulated data such as Payment Card Industry (PCI) data, personally identifiable information (PII), and protected health information (PHI). In this post, I’ll show you a method designed to protect sensitive data for its entire lifecycle in AWS. By Raj Jain.

An existing method for sensitive data protection in AWS is to use the field-level encryption feature offered by Amazon CloudFront. This CloudFront feature protects sensitive data fields in requests at the AWS network edge. The chosen fields are protected upon ingestion and remain protected throughout the entire application stack. The notion of protecting sensitive data early in its lifecycle in AWS is a highly desirable security architecture. However, CloudFront can protect a maximum of 10 fields and only within HTTP(S) POST requests that carry HTML form encoded payloads.

A complex part of any encryption solution is key management. To address that, the author uses AWS Key Management Service (AWS KMS). AWS KMS simplifies the solution and offers an improved security posture and operational benefits. The article sections cover it in detail:

  • Solution overview
  • Field-level encryption process
    • RSA key generation and inclusion in Lambda@Edge
    • HTTP API request handling by CloudFront
    • Lambda@Edge processing
    • Lambda@Edge response
    • Forward the request to the origin server
  • Field-level decryption process

Field-level encryption process

Source: https://aws.amazon.com/blogs/security/how-to-protect-sensitive-data-for-its-entire-lifecycle-in-aws/

in individual storage silos using volume encryption, object encryption or database table encryption. However, if you have sensitive workloads, you might need additional protection that can follow the data as it moves through the application stack. Fine-grained data protection techniques such as field-level encryption allow for the protection of sensitive data fields in larger application payloads while leaving non-sensitive fields in plaintext. Excellent read!

[Read More]

Prooph, top enterprise aware PHP CQRS and Event Sourcing components

Tags php web-development open-source app-development

Prooph is a set of enterprise-ready PHP CQRS and Event Sourcing packages with support for the most popular PHP web frameworks. If you are not familiar with CQRS (Command Query Responsibility Segregation), it was first described by Greg Young in 2010 and is basically a design pattern used in enterprise and microservices architectures to separate reads and writes in your data layer. By Hatem Ben Yacoub.

Prooph comes with awesome features; its components are a set of loosely coupled PHP packages that can be composed into a powerful toolbox. However, you may find it a bit complex in the beginning.

Prooph PHP CQRS features

  • Event Sourcing: It is different than what you’ve learned. Explore a fresh new way of designing and developing software with a clear focus on intent, behaviour and domain events.
  • Event-Store: Turn your traditional database into a full-featured event store. No new technology stack required. No magic involved. Just another way to organize and manage data.
  • Snapshot-Store: High-performance write operations without losing the simplicity and scalability of PHP’s Shared Nothing Architecture in an event centric system.
  • Persistent Projections: With persistent projections you can feed event streams directly into read-optimized databases that serve your data at the speed of light.
  • CQRS Service-Bus: Message-based communication between different parts of a system is the basic building block for scalable and maintainable enterprise software.
  • Message Queue: Shift work to background jobs, manage long-running business processes and handle high traffic with seamless message queue integrations.
  • Frameworks and databases supported: It supports Zend Framework, Symfony and Laravel, in addition to the databases MySQL, PostgreSQL, MongoDB, ArangoDB and Redis, and the messaging systems ZeroMQ, RabbitMQ and Bernard.

You will get code examples, a link to a YouTube video of Oliver Sturm's talk at the International PHP Conference about CQRS and Event Sourcing, and more. Prooph is open source software released under a BSD 3-clause license. More information at http://getprooph.org/. Good read!

[Read More]

Security logging in cloud environments - AWS

Tags cloud infosec monitoring aws

If you had to architect a multi-account security logging strategy, where should you start? This blog, part of the “Continuous Visibility into Ephemeral Cloud Environments” series, will describe a design for a state of the art multi-account security-related logging platform in AWS. By Marco Lancini.

One of the usual requirements for security teams is to improve visibility over (production) environments. In this regard, it is often necessary to design and roll out a strategy around security-related logging. This entails defining the scope for logging (resources, frequency, etc.), as well as providing an integration with existing monitoring and alerting systems.

The article then covers extensively:

  • Which Services Can We Leverage?
    • CloudTrail
    • CloudWatch
    • GuardDuty
    • Config
    • Access Logs
  • State of the Art Security Logging Platform in AWS
    • Collection
    • Delivery
    • Long-Term Storage and Audit Trail
    • Monitoring and Alerting

AWS offers multiple services around logging and monitoring. For example, you have almost certainly heard of CloudTrail and CloudWatch, but they are just the tip of the iceberg. A dedicated and highly restricted AWS account should also be created for each project/customer for long-term (immutable) storage of the logs. Good read!

[Read More]

Authenticating Vuepress apps with Auth0

Tags web-development frontend nodejs javascript app-development infosec

Learn how to create your first VuePress site and add authentication with Auth0. By Fikayo Adepoju.

Vuepress is a static site generator that was initially developed privately for the documentation needs of the Vue.js framework. It was later made public for anyone to use and optimized for writing technical documentation. Vuepress is built on Vue.js and uses markdown for writing pages, so you have the simplicity of content writing with markdown combined with the powerful capabilities of the Vue.js framework. Vuepress also comes bundled with a Vue-powered theming system and a Plugin API for extending its capabilities. In this tutorial, you will learn and demonstrate how to authenticate Vuepress sites using Auth0.

The tutorial's main sections are:

  • Prerequisites
  • Creating the Auth0 Application
  • Scaffolding the Vuepress Project
  • Setting Up Authentication with Auth0
  • Running the Application

Vuepress is an amazing tool for generating static sites with Vue.js, and in this tutorial, you have learned and demonstrated how to authenticate users on Vuepress sites. You will also find all the code needed to follow the article. Very useful!

[Read More]

Initialization strategies with Testcontainers for integration tests

Tags programming tdd java performance devops

Testcontainers offers several initialization strategies for our Docker containers when writing integration tests. Depending on the Docker image we use for our tests, we might have to perform additional setup steps. This includes adjusting the container configuration or populating data. With Testcontainers, we can tweak the container configuration either during runtime (executing commands inside the container) or before starting it. With this blog post, we’ll look at several of these strategies to configure the Docker container for our integration tests. By Philip.

When writing integration tests that involve a database, we need a solution to initialize our database container. With Testcontainers, we can define an init script that is executed as part of the container initialization: .withInitScript(). Using Spring Boot and Spring Data JPA with Flyway or Liquibase, the database schema migration tool can create the database schema for us.

The article is split into:

  • Execute commands inside the container with Testcontainers
  • Mount files into our container for the integration test
  • Use an InitScript to initialize our container
  • Use a prepopulated container with Testcontainers

You can find further Testcontainers-related tips & tricks in the linked articles. Nice one!

[Read More]

How OpenX Trains and serves for a million queries per second in under 15 milliseconds

Tags distributed software-architecture performance devops

Adtech is an industry built on latency at scale. At OpenX this means that during peak traffic periods our exchange processes more than one million requests for ads every second, most of which require a response in under 300 milliseconds. By Larry Price, OpenX.

To accomplish this, we’ve leveraged several products in the TensorFlow ecosystem and Google Cloud, including TensorFlow Extended (TFX), TF Serving, and Kubeflow Pipelines, to build a service that prioritizes traffic to our buyers (demand side platforms, or DSPs in adtech lingo) and, more specifically, to brands and agencies within those DSPs.

The OpenX marketplace is not completely unlike an equities market or stock exchange. And much like high volume financial markets, to ensure the buyers fulfill their campaign goals and simultaneously help publishers monetize appropriately on their inventory, there’s a need to prioritize traffic. Fundamentally, this means we need a model that can accurately value and hence rank every single request that hits the exchange.

Further in the article:

  • About OpenX
  • Cloud Transformation: A rare opportunity
  • Why TensorFlow
  • Training Terabytes of Data Every Day
  • Serving Over a Million Queries Per Second (QPS)
  • Building on Success

We liked: All of these out of the box features in TensorFlow Serving were a massive win for us and helped us achieve our goals, but scaling it to millions of requests a second was not without challenges. By using large virtual machines with many CPUs we were able to hit our target goal of 15 millisecond predictions, but it did not scale very cost effectively and we knew we could do better. Good read!

[Read More]

Operating Lambda: Application design

Tags distributed software-architecture cloud serverless

In the Operating Lambda series, I cover important topics for developers, architects, and systems administrators who are managing AWS Lambda-based applications. This three-part series discusses application design for Lambda-based applications. By James Beswick.

Lambda natively supports a variety of common runtimes, including Python, Node.js, Java, .NET, and others. If you prefer to use any other runtime, such as PHP or Perl, you can use a custom runtime. There are lists of community-maintained runtimes for a wide range of programming languages or you can build your own. As a result, Lambda customers can run Erlang, COBOL, Haskell, and almost any other runtime needed to support their workloads.

The article then does a great job explaining:

  • Choosing and managing runtimes in Lambda functions
  • Runtimes and performance
  • Multiple runtimes in single applications
  • Managing AWS SDKs in Lambda functions
  • Networking and VPC configurations
  • Comparing Lambda invocation modes

This post discusses choosing and managing runtimes, the effect on performance, and how you can use multiple runtimes within a single serverless application. It explains the networking model and whether a Lambda function must have access to a customer VPC or can run with the default VPC configuration. It also compares the different invocation modes for Lambda functions. This is one part of a three-part series of articles, with links to further reading. Nice one!

[Read More]

Understanding Unikernels: The future of cloud computing, probably

Tags distributed software-architecture linux devops performance data-science machine-learning

Having used Containers, Kubernetes and Serverless (a lot!) over the last few years, I catch myself wondering ‘What next?’ when it comes to more efficient, faster and secure units of computing. By Nithin Jois.

Unikernels are single-purpose compute environments packaged with the necessary dependencies, runtime, libraries, kernel capabilities and everything else required to boot and run application code and system code in a single address space, with no operating system, no users and no shell, resulting in a smaller, faster and more secure system.

The author will also walk you through the steps he took to use the Nanos unikernel by NanoVMs and their CLI tool ops to build and deploy. It seems like the simplest option out there, and the documentation is fairly straightforward as well.

The article then covers:

  • What are Unikernels?
  • Types of Unikernels
    • Clean Slate
    • Legacy
  • VMs vs. Containers vs. Lightweight VMs vs. Unikernels
  • Comparison of High-level Architectures
  • Why isn’t everyone using this already!?
  • Implementing Unikernels
    • Prerequisites
    • IAM Permissions
    • Create Instance
    • Delete Instance
    • Security Considerations

One major security issue is the fact that unikernels run the application and the kernel together as a single process, allowing applications (or attackers) to potentially call kernel-level functions. Supply chain attacks, which are a very likely threat, can make this a reality. The article provides links to further reading, references and other similarly interesting projects. Well done!

[Read More]