Commit

Navigation for each day
codesmiles authored Mar 23, 2023
1 parent 558e7bf commit cdfd65f
Showing 56 changed files with 127 additions and 47 deletions.
1 change: 1 addition & 0 deletions 2023/day04.md
Expand Up @@ -80,3 +80,4 @@ Also please add any additional resources.

- [Introducing the InfoSec colour wheel — blending developers with red and blue security teams.](https://hackernoon.com/introducing-the-infosec-colour-wheel-blending-developers-with-red-and-blue-security-teams-6437c1a07700)

See you on [Day 5](day05.md).
1 change: 1 addition & 0 deletions 2023/day05.md
Expand Up @@ -53,3 +53,4 @@ The reason I am raising this is that security never stops, the growth of Open-So
- [IBM - The 3 A's of Open Source Security](https://www.youtube.com/watch?v=baZH6CX6Zno)
- [Log4j (CVE-2021-44228) RCE Vulnerability Explained](https://www.youtube.com/watch?v=0-abhd-CLwQ)

See you on [Day 6](day06.md).
2 changes: 1 addition & 1 deletion 2023/day09.md
Expand Up @@ -129,4 +129,4 @@ By default SonarCloud comes with a default quality gate “Sonar way”. You can
- [How to create Quality gates on SonarQube](https://www.youtube.com/watch?v=8_Xt9vchlpY)
- [Source Code of the repo I used for SAST implementation](https://github.com/prateekjaindev/nodejs-todo-app-demo)
In the next part [Day 10](day10.md), we will discuss Software Composition Analysis (SCA).
In the next part [Day 10](day10.md), we will discuss Software Composition Analysis (SCA).
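Review bot: the removed and added lines in this hunk are identical as rendered, so this is almost certainly a line-ending or trailing-whitespace change rather than a content change; worth checking that the file is not flipping between CRLF and LF. While here, `In the next part [Day 10](day10.md), ...` sits directly under the resource list with no blank line, so Markdown treats it as a lazy continuation of the last list item; add a blank line before it.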
2 changes: 2 additions & 0 deletions 2023/day16.md
Expand Up @@ -92,3 +92,5 @@ It contains the example I used in this article + a fuzz test that triggers a fai
- <https://en.wikipedia.org/wiki/Fuzzing>
- [Fuzzing in Go by Valentin Deleplace, Devoxx Belgium 2022](https://www.youtube.com/watch?v=Zlf3s4EjnFU)
- [Write applications faster and securely with Go by Cody Oss, Go Day 2022](https://www.youtube.com/watch?v=aw7lFSFGKZs)

See you on [Day 17](day17.md).
2 changes: 2 additions & 0 deletions 2023/day17.md
Expand Up @@ -240,3 +240,5 @@ There are many tools that can help us in fuzzy testing our web applications, bot
[Fuzzing Session: Finding Bugs and Vulnerabilities Automatically](https://youtu.be/DSJePjhBN5E)

[Fuzzing the CNCF Landscape](https://youtu.be/zIyIZxAZLzo)

See you on [Day 18](day18.md).
2 changes: 2 additions & 0 deletions 2023/day18.md
Expand Up @@ -24,3 +24,5 @@ As with all other tools part of DevSecOps pipeline DAST should not be the only s
- https://github.com/zaproxy/zaproxy
- https://www.arachni-scanner.com/
- https://owasp.org/www-project-devsecops-guideline/latest/02b-Dynamic-Application-Security-Testing

See you on [Day 19](day19.md).
18 changes: 13 additions & 5 deletions 2023/day19.md
@@ -1,26 +1,31 @@
# IAST (Interactive Application Security Testing)
# IAST (Interactive Application Security Testing)

IAST is a type of security testing tool that is designed to identify vulnerabilities in web applications and help developers fix them. It works by injecting a small agent into the application's runtime environment and monitoring its behaviour in real-time. This allows IAST tools to identify vulnerabilities as they occur, rather than relying on static analysis or simulated attacks.

IAST works through software instrumentation, or the use of instruments to monitor an application as it runs and gather information about what it does and how it performs. IAST solutions instrument applications by deploying agents and sensors in running applications and continuously analyzing all application interactions initiated by manual tests, automated tests, or a combination of both to identify vulnerabilities in real time Instrumentation.
IAST agent is running inside the application and monitoring for known attack patterns. As it is part of the application, it can monitor traffic between different components (either as classic MVC deployments and in microservices deployment).
IAST works through software instrumentation, or the use of instruments to monitor an application as it runs and gather information about what it does and how it performs. IAST solutions instrument applications by deploying agents and sensors in running applications and continuously analyzing all application interactions initiated by manual tests, automated tests, or a combination of both to identify vulnerabilities in real time Instrumentation.
IAST agent is running inside the application and monitoring for known attack patterns. As it is part of the application, it can monitor traffic between different components (either as classic MVC deployments and in microservices deployment).

## For IAST to be used, there are few prerequisites.

## For IAST to be used, there are few prerequisites.
- Application should be instrumented (inject the agent).
- Traffic should be generated - via manual or automated tests. Another possible approach is via DAST tools (OWASP ZAP can be used for example).

## Advantages
## Advantages

One of the main advantages of IAST tools is that they can provide detailed and accurate information about vulnerabilities and how to fix them. This can save developers a lot of time and effort, as they don't have to manually search for vulnerabilities or try to reproduce them in a testing environment. IAST tools can also identify vulnerabilities that might be missed by other testing methods, such as those that require user interaction or are triggered under certain conditions. Testing time depends on the tests used (as IAST is not a standalone system) and with faster tests (automated tests) can be included into CI/CD pipelines. It can be used to detect different kind of vulnerabilities and due to the nature of the tools (it looks for “real traffic only) false positives/negatives findings are relatively rear compared to other testing types.
IAST can be used in two flavours - as a typical testing tool and as real-time protection (it is called RAST in this case). Both work at the same principles and can be used together.

## There are several disadvantages of the technology as well:

- It is relatively new technology so there is not a lot of knowledge and experience both for the security teams and for the tools builders (open-source or commercial).
- The solution cannot be used alone - something (or someone) should generate traffic patterns. It is important that all possible endpoints are queried during the tests.
- Findings are based on traffic. This is especially true if used for testing alone - if there is no traffic to a portion of the app / site it would not be tested so no findings are going to be generated.
- Due to need of instrumentation of the app, it can be fairly complex, especially compared to the source scanning tools (SAST or SCA).

There are several different IAST tools available, each with its own features and capabilities.

## Some common features of IAST tools include:

- Real-time monitoring: IAST tools monitor the application's behaviour in real-time, allowing them to identify vulnerabilities as they occur.
- Vulnerability identification: IAST tools can identify a wide range of vulnerabilities, including injection attacks, cross-site scripting (XSS), and cross-site request forgery (CSRF).
- Remediation guidance: IAST tools often provide detailed information about how to fix identified vulnerabilities, including code snippets and recommendations for secure coding practices.
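Review bot: the replaced lines at the top of this hunk (`# IAST (Interactive Application Security Testing)` and the two instrumentation paragraphs) are identical on both sides, which points to a line-ending or trailing-whitespace rewrite that buries the real change (the blank lines added after the headings); consider normalizing line endings in a separate commit. The hunk also carries wording a reviewer would fix in passing: `there are few prerequisites` should read `a few prerequisites`, `relatively rear` should be `relatively rare`, the opening quote in `“real traffic only)` is never closed, and the runtime-protection flavour is normally called RASP (Runtime Application Self-Protection), not `RAST`. Headings written as full sentences (`## For IAST to be used, there are few prerequisites.`, `## There are several disadvantages of the technology as well:`, `## Some common features of IAST tools include:`) would be clearer as short headings such as `## Prerequisites`, `## Disadvantages` and `## Common features`, with the sentence moved into the body.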
Expand All @@ -29,5 +34,8 @@ There are several different IAST tools available, each with its own features and
IAST tools can be a valuable addition to a developer's toolkit, as they can help identify and fix vulnerabilities in real-time, saving time and effort. If you are a developer and are interested in using an IAST tool, there are many options available, so it is important to research and compare different tools to find the one that best fits your needs.

## Tool example

There are almost no open-source tools on the market. Example is the commercial tool: Contrast Community Edition (CE) - Fully featured version for 1 app and up to 5 users (some Enterprise features disabled). Contrast CE supports Java and .NET only.
Can be found here - https://www.contrastsecurity.com/contrast-community-edition

See you on [Day 20](day20.md).
2 changes: 2 additions & 0 deletions 2023/day20.md
Expand Up @@ -151,3 +151,5 @@ Container Image Scanning can help us find vulnerabilities in our application bas
Image Scanning and IAST/DAST are not mutually-exclusive.
They both have their place in a Secure SDLC and can help us find different problems before the attackers do.
See you on [Day 21](day21.md).
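Review bot: `See you on [Day 21](day21.md).` is appended directly under the closing sentence with no blank line, so Markdown folds it into the same paragraph; insert a blank line before the navigation line, as the day04, day05 and day16 hunks in this commit do.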
1 change: 1 addition & 0 deletions 2023/day22.md
Expand Up @@ -75,3 +75,4 @@ Another place is your container registry (as seen today).

Both are good options, both have their pros and cons.
It is up to the DevSecOps architect to decide which approach works better for them and their thread model.
See you on [Day 23](day23.md).
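Review bot: same paragraph-join problem here: `See you on [Day 23](day23.md).` needs a blank line above it or it renders as a continuation of `It is up to the DevSecOps architect ...`. That context line also says `thread model` where `threat model` is meant; worth correcting while the file is being touched.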
1 change: 1 addition & 0 deletions 2023/day23.md
Expand Up @@ -159,3 +159,4 @@ A Secure SDLC would include scanning of all artifacts that end up in our product

Today we learned how to scan non-container artifacts like Kubernetes manifests, Helm charts and Terraform code.
The tools we looked at are free and open-source and can be integrated into any workflow or CI pipeline.
See you on [Day 24](day24.md).
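Review bot: `See you on [Day 24](day24.md).` follows `The tools we looked at are free and open-source ...` with no blank line, so it renders inside that paragraph; add a blank line before it.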
1 change: 1 addition & 0 deletions 2023/day24.md
Expand Up @@ -145,3 +145,4 @@ However, integrating signing into your workflow adds yet another layer of defenc
Signing artifacts prevents supply-chain and man-in-the-middle attacks, by allowing you to verify the integrity of your artifacts.

[Sigstore](https://sigstore.dev/) and [cosign](https://docs.sigstore.dev/cosign/overview/) are useful tools to sign your artifacts and they come with many integrations to choose from.
See you on [Day 25](day25.md).
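Review bot: `See you on [Day 25](day25.md).` is placed immediately after the Sigstore/cosign sentence without a blank line, so the two render as one paragraph; add a blank line before the navigation line.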
1 change: 1 addition & 0 deletions 2023/day25.md
Expand Up @@ -82,3 +82,4 @@ A scan can detect something that is vulnerability, but it cannot be actively exp
This makes the vulnerability a low priority one, because why fix something that presents no danger to you.

If an issue comes up in penetration testing then that means that this issue is exploitable, and probably a high priority - in the penetation testers managed to exploit it, so will the hackers.
See you on [Day 26](day26.md).
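Review bot: `See you on [Day 26](day26.md).` needs a blank line above it, otherwise it is rendered as part of the preceding sentence. That sentence also has two slips worth fixing in the same change: `penetation` should be `penetration`, and `in the penetation testers managed to exploit it` reads as `if the penetration testers managed to exploit it`.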
3 changes: 2 additions & 1 deletion 2023/day26.md
Expand Up @@ -126,4 +126,5 @@ More on VM security:

<https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security.html>

<https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-60025A18-8FCF-42D4-8E7A-BB6E14708787.html>
<https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-60025A18-8FCF-42D4-8E7A-BB6E14708787.html>
See you on [Day 27](day27.md).
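Review bot: the vSphere URL line is removed and re-added unchanged, so this hunk is most likely a line-ending or trailing-whitespace edit; and `See you on [Day 27](day27.md).` directly under the `<https://...>` autolink with no blank line renders as the same paragraph as the link. Add a blank line between them, matching the `<https://docs.aws.amazon.com/...>` entry above, which is separated by blank lines.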
2 changes: 2 additions & 0 deletions 2023/day27.md
Expand Up @@ -82,3 +82,5 @@ That will be done by either patching up the system, closing a hole that is not n
<https://www.comparitech.com/net-admin/free-network-vulnerability-scanners/>

<https://www.rapid7.com/solutions/network-vulnerability-scanner/>

See you on [Day 28](day28.md).
5 changes: 3 additions & 2 deletions 2023/day28.md
@@ -1,6 +1,6 @@
# Introduction to Runtime Defence & Monitoring

Welcome to all the DevOps and DevSecOps enthusiasts! 🙌
Welcome to all the DevOps and DevSecOps enthusiasts! 🙌

We are here to learn about "Runtime defence". This is a huge subject, but we are not deterred by it and will learn about it together in the next 7 days.

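Review bot: the welcome line (`Welcome to all the DevOps and DevSecOps enthusiasts! 🙌`) is removed and re-added with no visible difference, so this hunk is a trailing-whitespace or line-ending change only; fine to keep, but it would be clearer as its own whitespace-only commit so the navigation change stays reviewable.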
Expand Down Expand Up @@ -39,7 +39,6 @@ Elaborating on this, here are the key reasons why monitoring is important for ru

* Gaining visibility: Monitoring provides insight into system activity, which can be used to optimize performance, troubleshoot issues, and identify opportunities for improvement.


## What to monitor and record?

In theory, the ideal solution would be to log everything that is happening in the system and keep the data forever.
Expand All @@ -63,6 +62,7 @@ Security configurations: Monitor security configurations, such as firewall rules
Backup and disaster recovery systems: Monitor backup and disaster recovery systems to ensure that they are operating correctly and data can be recovered in the event of a failure or disaster.

## A practical implementation

In this part, we move from theory to practice.

There isn't a silver bullet here, every system has its tools. We will work on Kubernetes as infrastructure with [Microservices demo](https://github.com/GoogleCloudPlatform/microservices-demo) application.
Expand Down Expand Up @@ -145,3 +145,4 @@ Browse Grafana for more dashboards [here](https://grafana.com/grafana/dashboards
# Next...

Tomorrow we will continue to the application level. Application logs and behavior monitoring will be in focue. We will continue to use the same setup and go deeper into the rabbit hole 😄
See you on [Day 29](day29.md).
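Review bot: `See you on [Day 29](day29.md).` is added with no blank line after the `Tomorrow we will continue ...` paragraph, so it renders inside it; add a blank line. The same paragraph has `focue`, which should be `focus`.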
5 changes: 2 additions & 3 deletions 2023/day29.md
Expand Up @@ -129,6 +129,5 @@ Now you should see Falco events in your Grafana! 😎

# Next...

Next day we will look into how to detect attacks in runtime. See you tomorrow 😃


Next day we will look into how to detect attacks in runtime.
See you tomorrow 😃 [Day 30](day30.md).
2 changes: 1 addition & 1 deletion 2023/day30.md
Expand Up @@ -113,4 +113,4 @@ I hope this part gave you an insight into how this system works.
# Next

Tomorrow we will move away from the world of applications and go to the network layer, see you then!

Unto [Day 31](day31.md).
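Review bot: `Unto [Day 31](day31.md).` is inconsistent with the `See you on [Day N](dayN.md).` wording used for every other day in this commit, and reads oddly on its own; suggest `See you on [Day 31](day31.md).` so the navigation footer is uniform across the series.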
1 change: 1 addition & 0 deletions 2023/day31.md
Expand Up @@ -89,3 +89,4 @@ There are several tools available to monitor network traffic in Kubernetes, each

These are just a few examples of the many tools available for monitoring network traffic in Kubernetes. When selecting a tool, consider the specific needs of your application and infrastructure, and choose a tool that provides the features and capabilities that best fit your requirements.

See you on [Day 32](day32.md).
2 changes: 2 additions & 0 deletions 2023/day32.md
Expand Up @@ -102,3 +102,5 @@ After the installation you can access the vulnerabilities via CRD with kubectl:
kubectl get vulnerabilityreports --all-namespaces -o wide
```
![](images/day32-2.png)

[Day 33](day33.md).
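Review bot: the added footer here is just `[Day 33](day33.md).` with no lead-in text, unlike the `See you on [Day N](dayN.md).` form used elsewhere in this commit; suggest `See you on [Day 33](day33.md).` for consistency.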
3 changes: 1 addition & 2 deletions 2023/day33.md
Expand Up @@ -295,5 +295,4 @@ status: {}
### Summary
These were examples of how to turn behavior to policy! Good stuff 😃
See you on [Day 34](day34.md).
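Review bot: this hunk removes the blank lines after the summary sentence, so `See you on [Day 34](day34.md).` now renders as part of the `These were examples ...` paragraph; keep one blank line between them.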
2 changes: 1 addition & 1 deletion 2023/day34.md
Expand Up @@ -216,4 +216,4 @@ no-privileged-containers:
```

I hope this short intro gave a little taste of how admission controllers can help you to enforce runtime rules over a Kubernetes cluster!.

See you on [Day 35](day35.md).
4 changes: 3 additions & 1 deletion 2023/day35.md
Expand Up @@ -44,4 +44,6 @@ In a DevOps and automated world, secrets management solutions must be centered a
* AWS Secrets Manager
* Azure Key Vault
* GCP Secret Manager
* Thycotic Secret Server
* Thycotic Secret Server

See you on [Day 36](day36.md).
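Review bot: `* Thycotic Secret Server` is removed and re-added unchanged, which indicates the original last line had no trailing newline (or different line endings) and the editor rewrote it; the visible change is only the blank line and the navigation footer, which are fine.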
4 changes: 3 additions & 1 deletion 2023/day42.md
Expand Up @@ -70,4 +70,6 @@ The print argument is a string, which is one of Python's basic data types for st

- [Learn Python - Full course by freeCodeCamp](https://youtu.be/rfscVS0vtbw)
- [Python tutorial for beginners by Nana](https://youtu.be/t8pPdKYpowI)
- [Python Crash Course book](https://amzn.to/40NfY45)
- [Python Crash Course book](https://amzn.to/40NfY45)

See you on [Day 43](day43.md).
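Review bot: as in the day35 hunk, the `- [Python Crash Course book](https://amzn.to/40NfY45)` line is deleted and re-added without a visible difference, so the diff is inflated by a missing trailing newline or a line-ending change; the navigation footer itself is correctly separated by a blank line.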
2 changes: 1 addition & 1 deletion 2023/day43.md
Expand Up @@ -111,4 +111,4 @@ try:

## Conclusion

That is it for today, I will see you tomorrow in Day 3 of Python!
That is it for today, I will see you tomorrow in [Day 44 | Day 3 of Python!](day44.md).
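Review bot: the link text `[Day 44 | Day 3 of Python!](day44.md).` puts a pipe and an exclamation mark inside the link and then ends the sentence with a period after `!`; suggest `That is it for today, I will see you tomorrow in [Day 44](day44.md), Day 3 of Python!` so only the day reference is linked.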
1 change: 1 addition & 0 deletions 2023/day44.md
Expand Up @@ -123,3 +123,4 @@ student = Student("John", "Canada", "Computer Science")
person.speak() # "Hello, my name is Rishab and I am from Canada."
student.speak() # "Hello, my name is John and I am a Computer Science major."
```
See you tomorrow in [Day 45](day45.md).
3 changes: 3 additions & 0 deletions 2023/day45.md
Expand Up @@ -122,3 +122,6 @@ Output:
- [pdb - The Python Debugger](https://docs.python.org/3/library/pdb.html)
- [re - Regular expressions operations](https://docs.python.org/3/library/re.html)
- [datetime - Basic date and time types](https://docs.python.org/3/library/datetime.html)

See you tomorrow in [Day 46](day46.md).

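Review bot: this hunk adds a second blank line after `See you tomorrow in [Day 46](day46.md).`, leaving trailing whitespace at end of file; the other day files in this commit end right after the navigation line, so drop the extra blank line.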
1 change: 1 addition & 0 deletions 2023/day46.md
Expand Up @@ -45,3 +45,4 @@ Having a good understanding of how these web apps work, will help you with autom
You can dive deeper into how you can build APIs using Python and serverless technologies like AWS Lambda, Azure Functions etc.

I have a demo on [how I built a serverless resume API](https://github.com/rishabkumar7/AzureResumeAPI).
See you tomorrow in [Day 47](day47.md).
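Review bot: `See you tomorrow in [Day 47](day47.md).` directly follows the `I have a demo on ...` sentence with no blank line, so both render as one paragraph; add a blank line before the footer.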
2 changes: 2 additions & 0 deletions 2023/day47.md
Expand Up @@ -60,3 +60,5 @@ In this example, we're using the Pulumi Python SDK to define an EC2 instance on
- [Learn more about Fabric](https://docs.fabfile.org/en/stable/index.html)
- [PyWinRM](https://github.com/diyan/pywinrm)
- [Pulumi - IaC Tool](https://www.pulumi.com/docs/reference/pkg/python/pulumi/)

See you tomorrow in [Day 48](day48.md).
2 changes: 2 additions & 0 deletions 2023/day48.md
Expand Up @@ -153,3 +153,5 @@ Here is how it would look, I have 2 blog posts and have some gifs in my blog pos
If we click on the `hello` blog post:

![Hello blog post](/2023/images/day48-2.png)

See you tomorrow in [Day 49](day49.md).
8 changes: 5 additions & 3 deletions 2023/day49.md
@@ -1,6 +1,7 @@
# Day 49: AWS Cloud Overview

Welcome to the AWS section of the 90 Days of DevOps! Picking 7 items to learn about is difficult for several reasons:

1. At last count, there were 250+ AWS services
2. Each service could get it's own multi-day deep dive 😅

Expand All @@ -16,7 +17,7 @@ AWS Cloud is a cloud computing platform provided by Amazon Web Services (AWS). I

One of the main benefits of AWS Cloud is its flexibility. You can choose the services that best meet your needs and only pay for what you use. This makes it an ideal solution for small businesses, startups, and enterprises, as it allows them to access the resources they need without having to make a significant upfront investment in infrastructure.

## Security
## Security

Another benefit of AWS Cloud is its security. AWS has a number of security measures in place to protect your data and resources, including encryption, identity and access management, and network security. It also has a number of compliance programs in place, including HIPAA, PCI DSS, and GDPR, to ensure that your data is secure and compliant with relevant regulations.

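Review bot: `## Security` is removed and re-added with no visible change, and the same happens to `## S3` and `## Databases` in the next hunk; these are trailing-whitespace or line-ending rewrites. They are harmless, but they triple the size of the diff for this file and hide the one real edit (the blank line inserted before the numbered list in the first hunk, which is needed for the list to render).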
Expand All @@ -28,13 +29,13 @@ One of the most popular services offered by AWS Cloud is Amazon Elastic Compute

![](images/day49-2.png)

## S3
## S3

Another popular service offered by AWS Cloud is Amazon Simple Storage Service (S3). S3 is an object storage service that allows you to store and retrieve large amounts of data from anywhere on the internet. It is highly scalable, durable, and secure, making it an ideal solution for storing and managing data in the cloud.

![](images/day49-3.png)

## Databases
## Databases

AWS Cloud also offers a range of other services, including Amazon Relational Database Service (RDS) for managing databases, Amazon Redshift for data warehousing and analytics, and Amazon Elasticsearch Service for search and analytics. These services make it easy to build and manage complex applications in the cloud, without having to worry about infrastructure or scaling.

Expand All @@ -44,3 +45,4 @@ Overall, AWS Cloud is a powerful and flexible cloud computing platform that offe

## Resources

See you tomorrow in [Day 50](day50.md).
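Review bot: after this change the `## Resources` section contains nothing but the navigation footer; either add the intended links under it or remove the empty heading, since an empty section reads as unfinished.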
3 changes: 2 additions & 1 deletion 2023/day50.md
Expand Up @@ -41,4 +41,5 @@ Once you have access to your free tier account, there are a few additional steps
## Resources
[Create your free AWS account](https://youtu.be/uZT8dA3G-S4)

[Generate credentials, budget, and billing alarms via CLI](https://youtu.be/OdUnNuKylHg)
[Generate credentials, budget, and billing alarms via CLI](https://youtu.be/OdUnNuKylHg)
See you in [Day 52](day52.md).
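Review bot: wrong target: this is `2023/day50.md`, so the footer should point to Day 51 (`See you in [Day 51](day51.md).`), not Day 52; as written it skips the CloudFormation day. The footer also needs a blank line above it so it does not join the preceding link line, and the identical removed/added link line suggests a trailing-newline or line-ending change.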
4 changes: 3 additions & 1 deletion 2023/day51.md
Expand Up @@ -22,4 +22,6 @@ In addition to these benefits, CloudFormation also offers a range of other featu

[AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html)

[AWS CloudFormation Getting Started step-by-step guides](https://aws.amazon.com/cloudformation/getting-started/)
[AWS CloudFormation Getting Started step-by-step guides](https://aws.amazon.com/cloudformation/getting-started/)

See you in [Day 52](day52.md).
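Review bot: the `[AWS CloudFormation Getting Started step-by-step guides](...)` line is deleted and re-added unchanged, so the only real change is the footer; the target `[Day 52](day52.md)` is correct for day51, and the blank line before it is in place.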
1 change: 1 addition & 0 deletions 2023/day52.md
Expand Up @@ -54,3 +54,4 @@ After you've assigned permissions to the IAM group, you can test the IAM user to

[IAM Tutorial: Delegate access across AWS accounts using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html)

See you in [Day 53](day53.md).
1 change: 1 addition & 0 deletions 2023/day53.md
Expand Up @@ -47,3 +47,4 @@ Once you have created a resource group, you can view and manage your resources f

[Getting started with AWS System Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-launch-managed-instance.html)

See you in [Day 54](day54.md).