MindByte Issue #86: Secrets, Security, and the Magic of 42: What’s New in DevOps

In partnership with

Hi there, and welcome back, and for all the new subscribers, welcome aboard!

To ensure you keep getting these updates seamlessly, please move this email to your primary inbox or mark it as important. A quick reply like "got it" also helps boost visibility. This edition covers exciting topics such as:

  • Scan your GitHub artifacts for leaked secrets

  • Find out how GitHub is using Azure Functions Flex Consumption plan

  • Another vulnerability in dependabot

  • Why is 42 the magic number even ChatGPT knows about?

  • Do we really need AI in our phone photo apps?

  • Type Unions and Discriminator Unions?

New here? Subscribe to stay updated. Let's dive in.

Sending out this newsletter to 5,768 subscribers is something I do with love, but does cost money as well. It would really help me if you visit my sponsor:

Want SOC 2 compliance without the Security Theater?

Question 🤔 does your SOC 2 program feel like Security Theater? Just checking pointless boxes, not actually building security?

In an industry filled with security theater vendors, Oneleet is the only security-first compliance platform that provides an “all in one” solution for SOC 2.

We’ll build you a real-world Security Program, perform the Penetration Test, integrate with a 3rd Party Auditor, and provide the Compliance Software … all within one platform.

GitHub Digest

My colleague, Jesse Houwing, created a Powershell script to scan workflow artifacts in your organization for any secrets.

It uses trufflehog to perform the scan and heavily depends on the GitHub CLI to fetch the data. A great example of how to scan existing code. Do make sure that secrets never make it into your commits, by e.g. using Secret Scanning.

When you collect 700 TB of data each day, you do need to process this efficiently. One way of doing this is with Azure Functions, where an event hub is processed by a scalable set of functions.

The GitHub team started to use the newly introduced Azure Functions Flex Consumption plan, which gives you network isolation, more instance options, and better scalability while still being a serverless platform.

Read more on how the team got an impressive throughput of event processing.

Another interesting attack vector; Dependabot. You use Dependabot to keep dependencies up to date. When enabled, it will scan your dependencies for any outdated ones and raise a PR with the updated version.

The below article describes that you can actually get access to the internal keys used in this (hidden) workflow, and in the end, also inject vulnerable code.

Coding Corner

Starting a long-running task directly from a call to an endpoint is never a good idea. It will be slow, tend to time out, and make the server less responsive. Plus, it is very hard to recover when it is interrupted as the sender does not know what the state is.

Within Azure Container Apps, you have Apps and Jobs. Apps are for services to respond to HTTP calls, while jobs are used to run when triggered and stop when completed. So they make an excellent match for long-running task execution.

So good reasons to use the async request-reply pattern and Anthony Chu details how to implement this using Azure Container Apps jobs.

We all know that 42 is the answer to the Ultimate Question of Life, the Universe, and Everything. So it might be not that strange that services like chatgpt have a favor for picking 42 when asked for a random number.

Dennis Vroegop provides some interesting insights into this magical number.

API keys are great, as they provide a fast way to TTFHW. But they are not the most secure solution as they are not always made inactive when no longer needed. So what would be the safer alternative…

Not sure I like where this is heading; Google is releasing phones with AI software that on the fly can alter photos you just took. When used correctly it can be a benefit; enhance the photo, remove some blurs etc.

But it also allows people to do more creative things and ask the AI to add things in the photo that are not there. You can imagine what the effect can be; how trustworthy are pictures anymore?

The article warns us about the drawbacks of these kinds of innovations:

Azure Updates & Insights

I have seen it so many times; you are about the launch something new into production and management is asking how confident we are if it will hold up.

Most of the time it won’t really be a big deal as we do not expect a surge of users, but doing a proper performance test is not a simple task.

The below guide contains extensive steps and background on what makes a good test and how to get sensible numbers.

.NET Nook

Any clue what unions are, or even discriminated unions? Or even that is might change with new C# versions? If not, then this can help you understand why you might want to use them.

Closing Thoughts

Thank you for reading this week’s edition!

Your feedback is invaluable, so if you have any thoughts, questions, or suggestions, please don't hesitate to reach out by simply replying to this mail.

If you enjoyed this update and want to continue receiving more, make sure to subscribe here.

I appreciate your time and look forward to hearing from you!

Did you like this edition?

Login or Subscribe to participate in polls.

Reply

or to participate.