Blog Posts

My 2019 RSA Guide

With the 2019 RSA Conference fast approaching, I thought I would take a few minutes and put together a quick list of what I am excited to see this year.

Sunday

Monday

Tuesday

Wednesday

Thursday


Did I miss something cool? If so, let me know on Twitter at @jgamblin.

Run Bundle Audit Against A Github Org

Bundle Audit (bundler-audit) is a great tool for checking whether the Ruby gems pinned in a project's Gemfile.lock have any known vulnerabilities. Most DevOps teams I know run it against their builds in their CI/CD process when deploying. The catch is that a project is then only audited when it is deployed, so code that is not updated often can quietly sit on vulnerable gems for months unless you have a way to continually monitor all of your projects.

I spent some time looking at a few solutions this week and thought I might be able to do this with a crappy shell script™ and the GitHub API. So, this morning while watching cartoons (the new Carmen Sandiego series is excellent), I wrote this:

After you grab a GitHub token and update the script, running it is as simple as:

./bundleauditgithub.sh OrgToTest
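
As an added example that is not the author's shell script, here is the same idea in Python: page through the organization's repositories with the GitHub API, keep the ones GitHub classifies as Ruby, shallow-clone each, run bundle-audit against every Gemfile.lock in the checkout (monorepos have more than one), and parse the "Key: value" blocks that bundle-audit prints into a report. It assumes a personal access token in the GITHUB_TOKEN environment variable and `git` and `bundle-audit` on PATH; no organization, repository or advisory named in the code is real.

```python
"""Audit every Ruby repository in a GitHub organization with bundle-audit.
Added example (Python), not the author's script. Assumes GITHUB_TOKEN is set
and `git` and `bundle-audit` are on PATH; network calls happen only in main()."""
import json
import os
import subprocess
import sys
import tempfile
import urllib.request

API = "https://api.github.com"
ADVISORY_KEYS = ("Name", "Version", "Advisory", "Criticality", "URL", "Title", "Solution")

def github_get(url, token):
    """GET one API page; return (parsed JSON, Link header used for pagination)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"token {token}",
        "Accept": "application/vnd.github+json",
        "User-Agent": "bundle-audit-org-scan",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp), resp.headers.get("Link", "")

def next_page(link_header):
    """Return the rel="next" URL from a GitHub Link header, or None on the last page."""
    for part in link_header.split(","):
        url, _, rel = part.partition(";")
        if 'rel="next"' in rel:
            return url.strip().strip("<>")
    return None

def list_org_repos(org, token):
    """Every repo in `org` the token can see (public and private), all pages."""
    url = f"{API}/orgs/{org}/repos?per_page=100&type=all"
    repos = []
    while url:
        page, link = github_get(url, token)
        repos.extend(page)
        url = next_page(link)
    return repos

def select_ruby_repos(repos, include_archived=False):
    """Reduce /orgs/:org/repos JSON to (full_name, clone_url) for Ruby repos.
    Archived repos are skipped by default: nobody will fix them, so they only add noise."""
    picked = []
    for repo in repos:
        if repo.get("language") != "Ruby":
            continue
        if repo.get("archived") and not include_archived:
            continue
        picked.append((repo["full_name"], repo["clone_url"]))
    return picked

def parse_audit_output(text):
    """Parse bundle-audit's blank-line-separated 'Key: value' advisory blocks."""
    advisories, current = [], {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ADVISORY_KEYS:
            current[key.strip()] = value.strip()
        elif not line.strip() and current:
            advisories.append(current)  # a blank line closes one advisory block
            current = {}
    if current:
        advisories.append(current)
    return advisories

def audit_repo(full_name, clone_url, workdir):
    """Shallow-clone one repo and run bundle-audit in every directory with a Gemfile.lock."""
    dest = os.path.join(workdir, full_name.replace("/", "__"))
    subprocess.run(["git", "clone", "--quiet", "--depth", "1", clone_url, dest], check=True)
    findings = []
    for dirpath, dirnames, filenames in os.walk(dest):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        if "Gemfile.lock" not in filenames:
            continue
        # --update refreshes the local ruby-advisory-db copy before checking
        proc = subprocess.run(["bundle-audit", "check", "--update"],
                              cwd=dirpath, capture_output=True, text=True)
        for adv in parse_audit_output(proc.stdout):
            adv["path"] = os.path.relpath(dirpath, dest)
            findings.append(adv)
    return findings

def main(org):
    token = os.environ.get("GITHUB_TOKEN")
    if not token:
        sys.exit("set GITHUB_TOKEN; keeping it out of the script keeps it out of git")
    with tempfile.TemporaryDirectory() as workdir:
        for full_name, clone_url in select_ruby_repos(list_org_repos(org, token)):
            for f in audit_repo(full_name, clone_url, workdir):
                print(f"{full_name}\t{f['path']}\t{f.get('Name')} {f.get('Version')}\t"
                      f"{f.get('Advisory')}\t{f.get('Criticality')}")

if __name__ == "__main__":
    main(sys.argv[1])  # usage: GITHUB_TOKEN=... python3 bundleaudit_org.py OrgToTest
```

Two notes from running something like this regularly: cloning private repositories over HTTPS needs git credentials as well (a credential helper is the clean way; with only public repos nothing extra is needed), and bundle-audit also flags insecure gem sources (`git://` or `http://` URIs) on a separate "Insecure Source URI found" line, which this parser deliberately ignores; check the process exit status if you want those counted too.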

Since I was watching Netflix while writing this tool, I decided to use them as the test org, since they run a great bounty program on Bugcrowd.

Their Ruby repos were all up to date apart from Workflowable, which they have archived but which makes a good example. Here are the complete findings for that repo.

Overall this turned out to be a fairly simple project that I will get a lot of use out of.
If you have any questions, let me know on Twitter at @jgamblin.

Host Websites On Github

I have developed a bad habit of picking up vanity domain names and not really doing much with them. Last month at AWS Re:Invent I picked up ServerlessSecurity.org and really wanted to do something with it, but I didn't feel like maintaining, or paying for, a VPS. After looking around, I found that it is possible to point a custom domain at GitHub Pages.

The documentation they provide is a little lacking, so I figured I would put together a small how-to for anyone who wants to do this themselves.

Configure Your Github Repo

  • Select your theme.
  • Decide which branch you want to host the page from.
  • Enter your domain name.
  • Enforce HTTPS. This checkbox only becomes available once GitHub has issued a certificate for the domain, which in turn needs the DNS records below to be in place, so expect to come back for it.
  • Finally, edit your index.md file with your content.

Configure DNS

DNS configuration is pretty straightforward. Add A records for the domain pointing at the following four GitHub Pages IP addresses (your DNS provider may call these custom resource records):

185.199.108.153
185.199.109.153
185.199.110.153
185.199.111.153
This is what my records look like.
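
Before ticking Enforce HTTPS it is worth confirming that the domain resolves to exactly the four addresses above and nothing else: a leftover A record for an old VPS sends some visitors to the wrong host, and an incomplete set delays the certificate. Separately, a domain that points at these addresses while no repository claims it can be picked up by someone else's Pages site, so do not park DNS ahead of the repo. The following check is an added example, not code from the post; it assumes Python 3 and the system resolver, takes the hostname as its first argument, and defaults to the author's serverlesssecurity.org.

```python
"""Verify that a custom domain's A records point at GitHub Pages.
Added example, not part of the original post. The four addresses are the
GitHub Pages IPv4 records from the post; the DNS lookup only runs in main()."""
import socket
import sys

GITHUB_PAGES_A = frozenset({
    "185.199.108.153",
    "185.199.109.153",
    "185.199.110.153",
    "185.199.111.153",
})

def resolve_a(hostname):
    """IPv4 addresses the local resolver returns for hostname (its A records)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def classify(observed, expected=GITHUB_PAGES_A):
    """Compare observed A records with the GitHub Pages set.

    Returns (status, missing, unexpected), where status is one of:
      ok         exactly the four GitHub addresses
      partial    some GitHub addresses missing, nothing else present
      mixed      GitHub addresses alongside something else (usually the old
                 VPS): visitors intermittently hit the wrong host
      elsewhere  no GitHub addresses at all
      none       no A records
    """
    observed = frozenset(observed)
    missing = sorted(expected - observed)
    unexpected = sorted(observed - expected)
    if not observed:
        status = "none"
    elif not missing and not unexpected:
        status = "ok"
    elif not unexpected:
        status = "partial"
    elif observed & expected:
        status = "mixed"
    else:
        status = "elsewhere"
    return status, missing, unexpected

def main(hostname):
    try:
        observed = resolve_a(hostname)
    except socket.gaierror:
        observed = set()  # NXDOMAIN or no A records
    status, missing, unexpected = classify(observed)
    print(f"{hostname}: {status}")
    for ip in missing:
        print(f"  missing    {ip}")
    for ip in unexpected:
        print(f"  unexpected {ip}")
    return 0 if status == "ok" else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "serverlesssecurity.org"))
```

The exit status makes it usable in a cron job or CI step, so a record that someone changes later (or a provider that silently drops one of the four) gets noticed instead of surfacing as an expired certificate.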

You Now Have A Website

Once you have configured the repo and updated your DNS, the site should be live within 15 minutes or so.

Conclusion

This is such a simple way to host a website that I parked the rest of my vanity domains on it too:

I hope this is helpful for other people looking to host a website quickly.

Favorite Security Books Of 2018

Here is a list of my favorite security books from 2018 if you are looking for that last minute gift or have some extra time around the holidays to catch up on some reading.  

The GCHQ Puzzle Book 2

I just got The GCHQ Puzzle Book 2, and like the original, it has quickly become the book that I always have in my bag.  It is full of amazingly challenging and thought-provoking problems.  It is easily the best gift you can give the security geek in your life this year. 

Cracking Codes with Python

Cracking Codes with Python: An Introduction to Building and Breaking Ciphers was a great (re)introduction to Python development and cryptography concepts. While fairly basic in some places, this book will be one I give out to people for years to come.

Hands-On Security in DevOps

Hands-On Security in DevOps: Ensure continuous security, deployment, and delivery is a great book that covers at a high level what goes into successfully starting and running a security program.

Agile Application Security

Agile Application Security: Enabling Security in a Continuous Delivery Pipeline is a book that clearly explains how to make security work in an agile development environment.  This book will be a must-read for security professionals for years to come. 

Dawn of the Code War

Dawn of the Code War: America’s Battle Against Russia, China, and the Rising is a book by John Carlin that shows both how far the US Federal government has come and how far behind the rest of the world they are.  

Re:Invent Re:Cap & Re:ading

I spent this last week in Las Vegas attending AWS Re:Invent.

This event is mind-numbingly massive with classes happening at 4 or 5 hotels all over the strip. I personally spent over an hour every day on their (nice but extremely slow) shuttle buses between the MGM Grand, Aria and the Sands Expo Center.

It would be impossible to see everything at this conference so throughout the week I compiled a list of services I wanted to investigate more, and I thought I would share them below.

Security

Serverless

Cloudless(?)

ML/AI

Devops

Grab Bag

Closing Thoughts

I had a great time this year and learned a ton. I am looking forward to playing with Security Hub and to finishing the AWS Well-Architected Framework PDF soon.

I am disappointed that DeepRacer seems to be AWS just taking the DonkeyCar model and closed-sourcing it without mentioning the original project, even after they have had DonkeyCars at the last two re:Invents.

Lastly, I am interested to see whether security is de-emphasized next year, given the announcement of a security-focused conference called re:Inforce.
