Book/Release-It

OWASP Using Components with Known Vulnerabilities

Components with Known Vulnerabilities Most developers don't even know what all is in their dependency tree. Sadly, most successful attacks are not the exciting "zero day, rush to patch before they get it" kind of thing. Most attacks are mundane. pattern: use your build tool to extract a report of ALL the artifacts that went into your build (including build tool’s plugins) pattern: check CVE manually weekly or automatically (src:...

OWASP XML External Entities (XXE)

XML external entity (XXE) injection <!DOCTYPE foo [ <!ELEMENT foo ANY> <!ENTITY xxe SYSTEM "<file:///etc/passwd>"> ]> <foo>&xxe;</foo> Most xml parsers are vulnerable to XXE injection by default. You need to configure them to be safe (src: Book_ release it! - Michael Nygard)

Heuristic: when software load balancing becomes insufficient

Heuristic: when software load balancing becomes insufficient :) scale :( require network access :( specific skill once you start contemplating a load balancer in front of your reverse proxy servers, it's time to look at other options (src: Book_ release it! - Michael Nygard)

Architecture pattern: global dns + regional load balancers

Global server load balancing (GSLB) with DNS regional Load Balancers (src: Book_ release it! - Michael Nygard)

Book: release it! - Michael Nygard

(Book_ Release It! - Michael Nygard) Part 1 - Create Stability Ch2 case study Ch3 Stabilize your system Ch04 Stability Anti-patterns Ch05 Stability Patterns Part 2 - Design for production Ch06 case study Ch07 Foundations Ch08 Processes on Machines Ch09 Interconnect Ch10 Control plane Ch11 Security Part 3 - Deliver your system Ch12 Ch13 Ch14 Part 4 - Solve Systemic Problems Ch15 Ch16 Ch17 Model: cap theorem Model_ OSI model...

Heuristic: log level INFO for interesting state transitions

(src: Book_ release it! - Michael Nygard)

Heuristic: log levels ERROR & SEVERE should require action of the by the operators

ERROR & SEVERE should require action of the by the operators eg. ERROR circuit breaker tripped to open (probably needs fixing ont he other side of the connection) eg. ERROR failure to connect to database (src: Book_ release it! - Michael Nygard)

Heuristic: nominal values for continuous metrics

Heuristic: Alerts for continuous metrics (src: Book_ release it! - Michael Nygard)

Heuristic: production software vs control plane

If production user data passes through it, it is production software. If it's main job is to manage other software, it is the control plane (src: Book_ release it! - Michael Nygard)

Heuristic: useful controls for Control Plane - live control

Which controls (src: Book_ release it! - Michael Nygard)