MindByte Issue #86: Secrets, Security, and the Magic of 42: What’s New in DevOps


Hi there and welcome back, and to all the new subscribers, welcome aboard!

To ensure you keep getting these updates seamlessly, please move this email to your primary inbox or mark it as important. A quick reply like "got it" also helps boost visibility. This edition covers exciting topics such as:

  • Scan your GitHub artifacts for leaked secrets

  • Find out how GitHub is using Azure Functions Flex Consumption plan

  • Another vulnerability in dependabot

  • Why is 42 the magic number even ChatGPT knows about?

  • Do we really need AI in our phone photo apps?

  • Type Unions and Discriminated Unions?

New here? Subscribe to stay updated. Let's dive in.

Sending out this newsletter to 5,509 subscribers is something I do with love, but does cost money as well. It would really help me if you visit my sponsor:

Want SOC 2 compliance without the Security Theater?

Question 🤔 does your SOC 2 program feel like Security Theater? Just checking pointless boxes, not actually building security?

In an industry filled with security theater vendors, Oneleet is the only security-first compliance platform that provides an “all in one” solution for SOC 2.

We’ll build you a real-world Security Program, perform the Penetration Test, integrate with a 3rd Party Auditor, and provide the Compliance Software … all within one platform.

GitHub Digest

My colleague, Jesse Houwing, created a PowerShell script to scan the workflow artifacts in your organization for any secrets.

It uses trufflehog to perform the scan and heavily depends on the GitHub CLI to fetch the data. A great example of how to scan what is already there. Do make sure that secrets never make it into your commits in the first place, e.g. by using Secret Scanning.

When you collect 700 TB of data each day, you do need to process this efficiently. One way of doing this is with Azure Functions, where an event hub is processed by a scalable set of functions.

The GitHub team started to use the newly introduced Azure Functions Flex Consumption plan, which gives you network isolation, more instance options, and better scalability while still being a serverless platform.

Read more on how the team got an impressive throughput of event processing.

Another interesting attack vector: Dependabot. You use Dependabot to keep dependencies up to date. When enabled, it scans your dependencies for outdated ones and raises a PR with the updated version.

The article below describes how you can actually get access to the internal keys used in this (hidden) workflow and, in the end, also inject vulnerable code.

Coding Corner

Starting a long-running task directly from a call to an endpoint is never a good idea. It will be slow, tend to time out, and make the server less responsive. Plus, it is very hard to recover when it is interrupted, as the sender does not know what the state is.

Within Azure Container Apps, you have Apps and Jobs. Apps are for services that respond to HTTP calls, while Jobs run when triggered and stop when completed. So they make an excellent match for long-running task execution.

So there are good reasons to use the async request-reply pattern, and Anthony Chu details how to implement it using Azure Container Apps jobs.
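To make the pattern concrete, here is an added, in-process model of async request-reply (example code, not from the article or from Azure Container Apps): the endpoint accepts the request, hands the work to a background worker standing in for a job, answers 202 with a status URL, and the client polls until the status endpoint redirects to the result. The `/process`, `/status` and `/result` routes and the job body are constructed for the example.

```python
import threading, time, uuid

# Constructed example: the endpoint hands the work to a background worker
# (standing in for a Container Apps job) and answers 202 with a status URL.
class AsyncRequestReply:
    def __init__(self):
        self._jobs, self._lock = {}, threading.Lock()

    def submit(self, payload):
        """POST /process: never run the task inline; answer 202 + Location."""
        job_id = str(uuid.uuid4())
        with self._lock:
            self._jobs[job_id] = {"status": "pending", "result": None}
        threading.Thread(target=self._run, args=(job_id, payload), daemon=True).start()
        return 202, {"Location": f"/status/{job_id}"}, {"jobId": job_id}

    def _run(self, job_id, payload):
        with self._lock:
            self._jobs[job_id]["status"] = "running"
        time.sleep(0.05)  # stand-in for the long-running work, off the request thread
        result = {"sum": sum(payload)}
        with self._lock:
            self._jobs[job_id].update(status="done", result=result)

    def status(self, job_id):
        """GET /status/{id}: 200 while in progress, 303 to the result when done."""
        with self._lock:
            state = self._jobs.get(job_id, {}).get("status")
        if state is None:
            return 404, {}, {"error": "unknown job"}
        if state != "done":
            return 200, {"Retry-After": "1"}, {"status": state}
        return 303, {"Location": f"/result/{job_id}"}, {}

    def result(self, job_id):
        """GET /result/{id}: the output, only once the job has completed."""
        with self._lock:
            job = dict(self._jobs.get(job_id, {}))
        if job.get("status") != "done":
            return 404, {}, {"error": "result not available"}
        return 200, {}, job["result"]

def wait_for_result(broker, job_id, timeout=5.0):
    """Client side: poll the status URL until it redirects, then fetch the result."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if broker.status(job_id)[0] == 303:
            return broker.result(job_id)
        time.sleep(0.01)
    raise TimeoutError("job did not finish in time")
```

Because the job state lives outside the request, a client that loses its connection can simply poll the status URL again instead of guessing what happened.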

We all know that 42 is the answer to the Ultimate Question of Life, the Universe, and Everything. So it might not be that strange that services like ChatGPT have a preference for picking 42 when asked for a random number.

Dennis Vroegop provides some interesting insights into this magical number.

API keys are great, as they provide a fast way to TTFHW (time to first hello world). But they are not the most secure solution, as they are not always deactivated when no longer needed. So what would be the safer alternative…

Not sure I like where this is heading: Google is releasing phones with AI software that can alter photos you just took on the fly. When used correctly it can be a benefit: enhance the photo, remove some blur, etc.

But it also allows people to do more creative things and ask the AI to add things to the photo that are not there. You can imagine what the effect can be: how trustworthy are pictures anymore?

The article warns us about the drawbacks of these kinds of innovations.

Azure Updates & Insights

I have seen it so many times: you are about to launch something new into production and management is asking how confident we are that it will hold up.

Most of the time it won’t really be a big deal, as we do not expect a surge of users, but doing a proper performance test is not a simple task.

The guide below contains extensive steps and background on what makes a good test and how to get sensible numbers.

.NET Nook

Any clue what unions are, or even discriminated unions? Or that this might change with new C# versions? If not, then this can help you understand why you might want to use them.

Closing Thoughts

Thank you for reading this week’s edition!

Your feedback is invaluable, so if you have any thoughts, questions, or suggestions, please don't hesitate to reach out by simply replying to this mail.

If you enjoyed this update and want to continue receiving more, make sure to subscribe here.

I appreciate your time and look forward to hearing from you!
