diff --git a/contributions/README.md b/contributions/README.md index ac31bfa5c4..8644d9e014 100644 --- a/contributions/README.md +++ b/contributions/README.md @@ -61,3 +61,56 @@ General Intro about the course. 1. [Quality Assurance in MLOps Setting: An Industrial Perspective](https://github.com/KTH/devops-course/pull/2479) 1. [The importance of reliable testing methods](https://github.com/KTH/devops-course/pull/2397) +### Week 5 + +1. [Comparing the differential mechanisms of declarative Terraform and imperative AWS infrastructure as code.](https://github.com/KTH/devops-course/pull/2387) +1. [Ensuring Terraform environment stability with Github Actions](https://github.com/KTH/devops-course/pull/2380) +1. [Using Serverless and Terraform to automate the deployment of a web application to AWS](https://github.com/KTH/devops-course/pull/2391) +1. [_AWS Cloud Development Kit - Define your cloud application resources using familiar programming languages_](https://github.com/KTH/devops-course/pull/2392) +1. [Declarative and reproducible deployments with NixOS](https://github.com/KTH/devops-course/pull/2400) +1. [_AIAC: An AI Infrastructure-as-code Generator_](https://github.com/KTH/devops-course/pull/2395) +1. [_Saltstack: Grains, States and Pillars_](https://github.com/KTH/devops-course/pull/2394) +1. [Dockerfile Compliance Scanning with Docker Bench and Trivy](https://github.com/KTH/devops-course/pull/2432) +1. [Using Bicep to edit Azure resources as code](https://github.com/KTH/devops-course/pull/2398) +1. [Vagrant - How a group of students can experience IaC at home](https://github.com/KTH/devops-course/pull/2440) +1. [Comparing Pulumi and Terraform: Imperative Language vs. Declaritive Language](https://github.com/KTH/devops-course/pull/2444) +1. [Terraform - Using infrastructre as code in DevOps](https://github.com/KTH/devops-course/pull/2458) +1. [The do’s and don’ts of infrastructure code: A systematic gray literature review](https://github.com/KTH/devops-course/pull/2499) +1. [Cost Optimization with Infrastructure as Code](https://github.com/KTH/devops-course/pull/2484) +1. [BlueBuild: The Cloud-Native Desktop Paradigm](https://github.com/KTH/devops-course/pull/2508) +1. [Check-mate: Keep your OpenTofu configurations problem-free](https://github.com/KTH/devops-course/pull/2511) +1. [_TruffleHog - Identifying vulnerable management of secrets for IaC_](https://github.com/KTH/devops-course/pull/2510) +1. [Using Pulumi Policy as Code to enforce rules on IaC managed cloud resources.](https://github.com/KTH/devops-course/pull/2489) +1. [Strimzi - Easy Apache Kafka on Kubernetes](https://github.com/KTH/devops-course/pull/2514) +1. [Infrastructure as code for dynamic deployments](https://github.com/KTH/devops-course/pull/2515) +1. [Creating Spotify playlist using Terraform](https://github.com/KTH/devops-course/pull/2531) +1. [Disaster Recovery using Terraform](https://github.com/KTH/devops-course/pull/2544) + +### Week 6 + +1. [GitGuardian: Preventing Data Leaks Through Automated Security](https://github.com/KTH/devops-course/pull/2396) +1. [Yet another cybersecurity risk assessment framework](https://github.com/KTH/devops-course/pull/2402) +1. [Using Bitwarden Secret Manager to centrally store, manage, and deploy secrets at scale.](https://github.com/KTH/devops-course/pull/2409) +1. [Making your NPM security wishes come true.](https://github.com/KTH/devops-course/pull/2421) +1. [Continuous Information Flow Control](https://github.com/KTH/devops-course/pull/2439) +1. [Comparing pnpm, npm and yarn](https://github.com/KTH/devops-course/pull/2443) +1. [Dynamic Secrets in HashiCorp Vault](https://github.com/KTH/devops-course/pull/2447) +1. [_Streamlining Python Dependency Management with Poetry_](https://github.com/KTH/devops-course/pull/2449) +1. [_Hardening GitHub Actions for increased security_](https://github.com/KTH/devops-course/pull/2468) +1. [Ensuring the integrity and source of software packages](https://github.com/KTH/devops-course/pull/2477) +1. [Detecting vulnerabilities in Python code using static code analysis with Bandit](https://github.com/KTH/devops-course/pull/2507) +1. [Integrating Organizational Policies Using Open Policy Agent](https://github.com/KTH/devops-course/pull/2512) +1. [Using dependabot to automatically detect vulnerabilities in imported packages](https://github.com/KTH/devops-course/pull/2513) +1. [Arc Browser's impotant security breach and why SecDevOps is important](https://github.com/KTH/devops-course/pull/2545) +1. [The event stream incident - vulnerabilities of open source dependencies and possible mitigations. ](https://github.com/KTH/devops-course/pull/2525) +1. [NixOS: Reproducibility with Flakes and Secrets](https://github.com/KTH/devops-course/pull/2546) +1. [Secure your git and CD pipeline with SOPS.](https://github.com/KTH/devops-course/pull/2526) +1. [Challenges and solutions when adopting DevSecOps: A systematic review](https://github.com/KTH/devops-course/pull/2550) +1. [Using Semgrep to find vulnerabilities](https://github.com/KTH/devops-course/pull/2551) +1. [Machine Learning-Based Run-Time DevSecOps: ChatGPT Against Traditional Approach](https://github.com/KTH/devops-course/pull/2556) +1. [Implementing and Automating Security Scanning to](https://github.com/KTH/devops-course/pull/2547) +1. [Integrate RetireJS into Github workflow](https://github.com/KTH/devops-course/pull/2553) +1. [The Seven Sins: Security Smells in Infrastructure as Code Scripts](https://github.com/KTH/devops-course/pull/2552) +1. [Using static analysis with SonarCloud to identify security flaws.](https://github.com/KTH/devops-course/pull/2558) +1. [Automating Private Dependency Management and Version Integration](https://github.com/KTH/devops-course/pull/2569) + diff --git a/contributions/demo/week5/aleliu-jakstrom b/contributions/demo/week5/aleliu-jakstrom deleted file mode 100644 index 8b13789179..0000000000 --- a/contributions/demo/week5/aleliu-jakstrom +++ /dev/null @@ -1 +0,0 @@ - diff --git a/contributions/demo/week5/aleliu-jakstrom/README.md b/contributions/demo/week5/aleliu-jakstrom/README.md new file mode 100644 index 0000000000..1ecab0bdf6 --- /dev/null +++ b/contributions/demo/week5/aleliu-jakstrom/README.md @@ -0,0 +1,27 @@ +# Assignment Proposal + +## Title + +Infrastructure as Code Using Salt + +## Names and KTH ID + + - Alexander Liu (aleliu@kth.se) + - Jakob Ström (jakstrom@kth.se) + +## Deadline + +- Week 5 + +## Category + +- Demo + + +## Description +Our demo will be of the CMT Saltstack. Our Demo will first introduce a brief overhead of some common configuration management tools and Saltstack's place among these. After this we will show Saltstacks flexibility in its features and its Event features. + + +**Relevance** +Our demo will showcase one of the alternatives to scalable configuration management tools, Saltstack (Salt), and how it shines in terms of customizability and flexibility. +SaltStack has significant relevance to DevOps practices, as it provides tools that directly align with the core principles of DevOps: automation, collaboration, continuous delivery, and infrastructure management. diff --git a/contributions/demo/week5/linussve-mnem/README.md b/contributions/demo/week5/linussve-mnem/README.md new file mode 100644 index 0000000000..f75246bb55 --- /dev/null +++ b/contributions/demo/week5/linussve-mnem/README.md @@ -0,0 +1,30 @@ + +# Assignment Proposal + +## Title + +Disaster Recovery using Terraform + +## Names and KTH ID + + - Linus Svensson (linussve@kth.se) + - Muhammadsodiq Nematjanov (mnem@kth.se) + +## Deadline + +Week 5 + +## Category + +- Demo + + + +## Description + +This demo will demonstrate mainly how terraform can be used as a strong tool for disaster recovery and creating Virtual Machines on Google Cloud Services, as well as how to create an infrastructure as desired using terraform. + +**Relevance** + +By automating recovery processes, organizations can improve resilience, efficiency, reliability, compliance, and customer experience. This is essential in today's fast-paced, technology-driven world, where downtime can have severe + diff --git a/contributions/demo/week5/prerna-immig/README.md b/contributions/demo/week5/prerna-immig/README.md new file mode 100644 index 0000000000..f48c15b0ce --- /dev/null +++ b/contributions/demo/week5/prerna-immig/README.md @@ -0,0 +1,27 @@ +# Assignment Proposal + +## Title + +Creating Spotify playlist using Terraform + +## Names and KTH ID + + - Prerna Gupta (prerna@kth.se) + - Florian Jerome Immig (immig@kth.se) + +## Deadline + +- Week 5 + +## Category + +- Demo + +## Description + +Using Terraform to create a Spotify playlist as an application of Infrastructure as Code (IaC) demonstrates how we can automate the management of infrastructure through code. This can then be transitioned to OpenTofu, an open-source Terraform fork, to highlight flexibility in tool choice within a DevOps pipeline. + +**Relevance** + +OpenTofu is a fork of Terraform that was created after HashiCorp, the company behind Terraform changed the licensing model. OpenTofu retains the same core functionality as Terraform but is community-driven and free from licensing restrictions. Transitioning from Terraform to OpenTofu for managing the Spotify playlist highlights the ability to switch tools without drastically changing the overall workflow. The configuration files remain largely the same, demonstrating tooling flexibility and the importance of open-source alternatives in DevOps environments. Using Terraform/OpenTofu to manage a Spotify playlist makes the process more collaborative. Anyone with access to the codebase can propose changes to the playlist, enabling more structured and transparent change management between teams. + diff --git a/contributions/demo/week5/rmfseo/README.md b/contributions/demo/week5/rmfseo/README.md new file mode 100644 index 0000000000..490dec51e6 --- /dev/null +++ b/contributions/demo/week5/rmfseo/README.md @@ -0,0 +1,29 @@ +# Assignment Proposal + +## Title + +Declarative Infrastructure with Terraform, NixOS, and Nomad + +## Names and KTH ID + +- Rafael Oliveira (rmfseo@kth.se) + +## Deadline + +- Week 5 + +## Category + +- Demo + +## Description + +As an organization's systems grow in breadth and complexity, it becomes paramount to have a single source of truth which can accurately document how the organization's infrastructure is organized, what services should be running where, and what state exists to be kept under consideration for, e.g., backups. Additionally, it is important that this information is sufficient to rebuild the entire network (or parts thereof), ideally in an automated manner and with the least friction possible. + +I intend to present a solution to this problem, which comprises a tight integration of three different tools, each of which specializing in declarative definitions at different levels: Terraform is used to provision machines and configure them, NixOS ensures their reproducibility and of the environment they provide, and Nomad handles runtime orchestration of jobs according to concrete specifications. + +This is the solution currently in use by KTH's Computer Science Chapter (Datasektionen), where I am responsible for all systems and overarching IT infrastructure. My plan for this demo is to showcase how one might introduce a new host running a new service (e.g., Vaultwarden), highlighting the different steps and considerations involved. The goal is not to explain how to set up the base declarative structure, but rather to demonstrate an incremental change that would be realistic in day-to-day operations and thus exemplify the benefits and quirks of using Infrastructure-as-Code. + +**Relevance** + +Reproducibility and centralized self-documentation are very attractive core tenets to a growing number of organizations, given the immense benefits they usually imply - this makes Infrastructure-as-Code (IaC) a very important concept to understand and keep in mind when considering different solutions and architectures. However, IaC is difficult to explain due to the multitude of parts involved, so one may sometimes find it hard to understand concretely how it works and what normal usage looks like. My demo strives to show a realistic example of how a professional might make use of IaC to assist them in their normal operations. diff --git a/contributions/demo/week6/anouiser/README.md b/contributions/demo/week6/anouiser/README.md new file mode 100644 index 0000000000..f593d77c0b --- /dev/null +++ b/contributions/demo/week6/anouiser/README.md @@ -0,0 +1,27 @@ +# Assignment Proposal + +## Title + +Kubernetes secrets with Sealed Secrets + +## Names and KTH ID + + - Amin Nouiser (anouiser@kth.se) + +## Deadline + +- Week 6 + +## Category + +- Demo + +## Description + +Managing Kubernetes secrets can be challenging, especially when the infrastructure is defined in code in a public git repository. By default, Kubernetes secrets are only base64 encoded but not encrypted which is not sufficiently secure. Sealed Secrets is a tool that allows secrets to be encrypted by the developer and remain so until they reach the cluster. + +In this demo, I will begin by demonstrating how secrets can be distributed without Sealed Secrets to illustrate the security risk. I will then introduce Sealed Secrets and demonstrate how it solves this problem and makes the distribution more secure. + +**Relevance** + +This demo is relevant to DevOps as it addresses secure secret management in Kubernetes which is a key principle in DevSecOps. \ No newline at end of file diff --git a/contributions/demo/week6/cnra-catir/README.md b/contributions/demo/week6/cnra-catir/README.md new file mode 100644 index 0000000000..ec21dd7ff9 --- /dev/null +++ b/contributions/demo/week6/cnra-catir/README.md @@ -0,0 +1,16 @@ +# Assignment Proposal +## Title +Automating Private Dependency Management and Version Integration +## Names and KTH ID +- Chandni Rakhashiya (cnra@ug.kth.se) +- Emir Catir (catir@kth.se) +## Deadline +- Week 6 +## Category +- Demo +## Description +In this demo, we will explore how to effectively manage private dependencies in web applications using Azure Artifacts. We will display how to store, publish, and manage packages securely within Azure Artifacts and automate its integration into applications. Additionally, we will demonstrate how to streamline version updates by integrating new version of dependency across multiple applications or environments. + +Relevance + +This topic directly addresses key aspects of dependency management by demonstrating how to securely manage private packages. This approach enhances control and efficiency in managing dependencies. By leveraging CI/CD, the process of handling version updates is automated and this ensures faster, more reliable updates. diff --git a/contributions/demo/week6/ollegu-smhanna/README.md b/contributions/demo/week6/ollegu-smhanna/README.md new file mode 100644 index 0000000000..ce2a9066e4 --- /dev/null +++ b/contributions/demo/week6/ollegu-smhanna/README.md @@ -0,0 +1,25 @@ +# Assignment Proposal + +## Title + +Integrate RetireJS into Github workflow + +## Names and KTH ID + +- Olle Gunnemyr (ollegu@kth.se) +- Sam Maltin (smhanna@kth.se) + +## Deadline + +- Week 6 + +## Category + +- Demo + +## Description + +RetireJS is an open-source tool that can detect the use of JavaScript library versions with known vulnerabilities when developing a web application. By integrating the scan into a Github CI/CD pipeline via Github Actions, it would mitigate the risks from vulnerable libraries early in the Software Development Life Cycle (SDLC). Modifications/uses of RetireJS within Github for further security measures will also be demonstrated. + +_Relevance +With the growing number of Javascript libraries on the web and Node.js applications, it is easier to unknowingly choose insecure libraries during development. Automating the vulnerability detection in the CI/CD pipeline by integrating RetireJS, would earlier mitigate the risks of security breaches from these vulnerable libraries, such as Cross-Site Scripting or Remote Code Execution attacks, and thus would be a relevant aspect within DevSecOps. diff --git a/contributions/demo/week6/raeef-daniellw/README.md b/contributions/demo/week6/raeef-daniellw/README.md new file mode 100644 index 0000000000..dbba64b980 --- /dev/null +++ b/contributions/demo/week6/raeef-daniellw/README.md @@ -0,0 +1,28 @@ +# Assignment Proposal + +## Title + +Using static analysis with SonarCloud to identify security flaws. + +## Names and KTH ID + + - Daniel Lai Wikström (daniellw@kth.se) + - Rafael Bechara (raeef@kth.se) + +## Deadline + +- Week 6 + +## Category + +- Demo + +## Description + +We'll be showing how integrating SonarCloud with GitHub Actions can help developers automatically discover potential security flaws in their applications. Before the demo we'll set up a repo with GitHub Actions that automatically run a sonar scan upon pushing new code. + +During the demo we'll push some code with a security flaw such as not sanitizing user input which makes us vulnerable to XSS attack. We'll then show how this vulnerability fails the quality gate check. We’ll then show the analysis page that gives us information of where in the code the vulnerabilities are, how the vulnerabilities work and suggestions about how we can fix them. + +**Relevance** + +Using GitHub Actions for static code analysis upon pushing to a repo is a pretty textbook example of DevOps by facilitating Continous Integration through automatic testing upon source code changes. Since we're adding the capability of identifying security flaws to our DevOps workflow it's also relevant to DevSecOps. diff --git a/contributions/demo/week6/sinakh-eggestig/README.md b/contributions/demo/week6/sinakh-eggestig/README.md new file mode 100644 index 0000000000..eda0021bdd --- /dev/null +++ b/contributions/demo/week6/sinakh-eggestig/README.md @@ -0,0 +1,28 @@ +# Assignment Proposal + +## Title + +Secure your git and CD pipeline with SOPS. + +## Names and KTH ID + +- Sina Khoraman (sinakh@kth.se) +- Robin Eggestig (eggestig@kth.se) + +## Deadline + +- Week 6 + +## Category + +- Demo + +## Description + +In this assignment we will demonstrate how to securely store sentitive files in git using SOPS: an open-source tool specially created for encrypting and decrypting the values in the configuration files of the software application that is being developed. We will first quickly showcase how passwords stored in configuration files can be a vulnerability. Then, we will quickly deploy SOPS and secure our CD pipeline. Our goal is to showcase how a simple script can greatly improve the security of the delivery process. + +In this demo we aim to demonstrate that the gap between "proper security" (e.g. using Vault and dynamic keys) and "no security" (storing passwords in files) can be filled with minimal effort. + +**Relevance** + +Implementing security mechanisms is itself an entire task. Especially in the starting phase, the focus is always put on functionality and features, and thus, security has a tendency to be left behind. That is at least until the application reaches a certain level of maturity where proper security becomes less of a feature and more of a requirement. But, until that happens, a lot of software is left defenseless in the face of potential attackers. Thus, even minimal security, such as encrypting the passwords in configuration files, can make a huge difference. It is then important that developers are at least aware of the potential solutions that could be implemented "in the meantime". diff --git a/contributions/demo/week6/vikfor-ghenn/README.md b/contributions/demo/week6/vikfor-ghenn/README.md new file mode 100644 index 0000000000..3a66e3457e --- /dev/null +++ b/contributions/demo/week6/vikfor-ghenn/README.md @@ -0,0 +1,31 @@ +# Assignment Proposal + +## Title + +Using Semgrep to find vulnerabilities + +## Names and KTH ID + + - Viktor Fornstad (vikfor@kth.se) + - Gustav Henningsson (ghenn@kth.se) + +## Deadline + +- Week 6 + +## Category + +- Demo + +## Description + +We want to demo the static analysis tool called Semgrep. In the demo we will: +- Connect Semgrep to a Github repo +- Run Semgrep, with the basic rule-set, on the repo +- Show and explain the information given by Semgrep +- Create a custom rule that can be used with Semgrep +We will also explain why it is important to use static analysis tools for DevSecOps. + +**Relevance** + +There are hundreds of different vulnerabilities that exist and it's therefor difficult for your average developer to know of and remember all of them. To know why and how to use static analysis tools to identify vulnerabilities is important to combat this problem. diff --git a/contributions/demo/week5/arberl-sorger/README.md b/contributions/demo/week7/arberl-sorger/README.md similarity index 100% rename from contributions/demo/week5/arberl-sorger/README.md rename to contributions/demo/week7/arberl-sorger/README.md diff --git a/contributions/demo/week7/streuli-wenqic/README.md b/contributions/demo/week7/streuli-wenqic/README.md new file mode 100644 index 0000000000..bdc275d104 --- /dev/null +++ b/contributions/demo/week7/streuli-wenqic/README.md @@ -0,0 +1,27 @@ +# Assignment Proposal + +## Title + +Data Version Control for MLOps with DVC + +## Names and KTH ID + +- David Streuli (streuli@kth.se) +- Wenqi Cao (wenqic@kth.se) + +## Deadline + +- Week 7 + +## Category + +- Demo + +## Description + +In this demo, we will explore the importance of Data Version Control (DVC) in the context of Machine Learning operations (MLOps). We'll start by discussing the challenges associated with managing and versioning large datasets and ML models, especially when these assets need to evolve alongside the codebase to maintain project coherence and reproducibility. We'll introduce DVC, a powerful tool designed to handle data and model versioning seamlessly alongside code changes. We will demonstrate how to integrate DVC into the Continuous Integration/Continuous Deployment (CI/CD) pipeline, ensuring that changes in data and models are as traceable and manageable as changes in the application code. + +**Relevance** + +Data versioning is indispensable in the sphere of MLOps as it guarantees that changes to datasets and models are consistently applied across all stages of the development lifecycle. This approach enhances collaboration between data scientists and engineers, while also minimizing risks like data drift and model drift. By incorporating DVC into the MLOps pipeline, teams can then maintain reliable, reproducible workflows and safeguard the integrity of machine learning models as they scale. + diff --git a/contributions/executable-tutorial/carlwang-jrybak/README.md b/contributions/executable-tutorial/carlwang-jrybak/README.md new file mode 100644 index 0000000000..33c54d6d4e --- /dev/null +++ b/contributions/executable-tutorial/carlwang-jrybak/README.md @@ -0,0 +1,33 @@ +# Assignment Proposal + +## Title + +_Automated API testing using FastAPI, Startlette TestClient and Git Hooks_ + +## Names and KTH ID + +- Carl Wang (carlwang@kth.se) +- Jakub Rybak (jrybak@kth.se) + +## Deadline + +- Task 3 + +## Category + +- Executable Tutorial + +## Description + +The executable tutorial will provide a hands-on guide to implementing automated API testing using FastAPI, Starlette TestClient and Git Hooks. Consequently, the tutorial is going to cover the following topics: + +- Setting up the required tools in the environment and creating a git repository +- Initializing a sample FastAPI project and running the API with Uvicorn +- Reviewing provided test cases for the sample API. +- Configuring Git Hooks to run provided Starlette TestClient test cases in automatic manner. +- Updating source code of the API +- Automation and regression testing of the new changes to the API + +**Relevance** + +Automation of testing is essential in DevOps, since it largely reduces the time taken to manually find pre-existing bugs, as well as significantly lowers the risk of accidentally introducing new ones. Moreover, this is especially vital in the area of API testing, in order to avoid regression bugs and ensure consistent performance and reliability across different environments and versions. diff --git a/contributions/executable-tutorial/golman/README.md b/contributions/executable-tutorial/golman/README.md new file mode 100644 index 0000000000..252f4393ea --- /dev/null +++ b/contributions/executable-tutorial/golman/README.md @@ -0,0 +1,30 @@ +# Assignment Proposal + +## Title + +End-to-end training of a neural network to deployment in a live application + +## Names and KTH ID + + - Fredrik Gölman (golman@kth.se) + +## Deadline +- Task 2 + +## Category +- Executable tutorial + +## Description + +I'd like to make an executable tutorial that goes through the training of a neural network in a Jupyter notebook on Colab, handling the intermediary steps, and deployment to some live application, so the end-to-end process. I'd put limited focus on the ML aspects and greater focus on the DevOps aspects. I'd like to whip together my own functionality for the DevOps parts, if I may, as it's a fun learning experience and could be meaningful scripts for future usage. The deployment criteria for the model could be to exceed previous test data accuracy, but there could also be any other reasonable criteria. I haven't fully decided on the functionality for the MLops/DevOps part. The bare minimum is actually deploying the model live when fulfilling the criteria. Other things being considered are model storage/rollback, job scheduling/queue in running notebooks, monitoring of multiple notebooks, etc. + +Architecture wise there would be: +- The Colab notebook running the ML stuff (and some network connectivity). +- An MLops tool consisting of a backend and a corresponding GUI (web). +- A demo web application that uses the model on the backend. + +I asked TA about this briefly in a lab session (not previous, but one before that) and it sounded OK. I meant to register it earlier, but other coursework came in between. I think it's still OK to register an MLops task since it's asynchronous and there is no "week" folder structure in the directory tree. So if it is, and the proposal sounds OK, is all I have to do commit to a deadline and deliver? + +**Relevance** + +Jupyter Notebook/Lab is often used for processing, preparing, and visualizing data, as well as subsequently training machine learning models. The process of deriving a model is often an iterative process to determine suitable model architectures and optimal hyperparameters. Models may furthermore require continuous altering after deployment as more data becomes available or use cases change. This process is presumably often done manually, particularly as data scientists and conventional developers may be different teams, but there are clear benefits in automating the process. diff --git a/contributions/executable-tutorial/hallkvi-melvinj/README.md b/contributions/executable-tutorial/hallkvi-melvinj/README.md index adbda43df4..31aaf685a4 100644 --- a/contributions/executable-tutorial/hallkvi-melvinj/README.md +++ b/contributions/executable-tutorial/hallkvi-melvinj/README.md @@ -27,3 +27,9 @@ Elements of the tutorial: **Relevance** While cloud providers such as Google Cloud Platform, AWS, Azure etc provide great value, they come at a cost. Both in terms of the financials of running infrastructure on them but also in terms of security and privacy. Self-hosted continuous deployment is an option, but the setup can be complicated. The most important steps are the containerization of the application and integration of continuous delivery to a container registry, like the GitHub container registry. + +**Submission** + +The Git Repo of the tutorial: https://github.com/kth-cdate-courses/DD2482-executable-tutorial + +The tutorial: https://killercoda.com/hampushallkvist-melvinjakobsson diff --git a/contributions/executable-tutorial/lvainio-wenqic/README.md b/contributions/executable-tutorial/lvainio-wenqic/README.md new file mode 100644 index 0000000000..8dd0ba3bbc --- /dev/null +++ b/contributions/executable-tutorial/lvainio-wenqic/README.md @@ -0,0 +1,29 @@ +# Assignment Proposal + +## Title + +SAST in go using gosec + +## Names and KTH ID + +- Leo Vainio (lvainio@kth.se) +- Wenqi Cao (wenqic@kth.se) + +## Deadline + +- Task 2 + +## Category + +- Executable Tutorial + +## Description + +To make the tutorial I will use Killercoda. Gosec is a security scanner for the go language which identifies common vulnerabilities. My idea is to create a mock project in go that contains some vulnerabilities and then show in the tutorial how gosec can be used to identify these vulnerabilities. I will show how gosec is installed and will give some different examples on how to use it. I might also show how it can be integrated with GitHub Actions. + +**Relevance** + +Detecting vulnerabilities as soon as new code is commited to the code base is great since it is often easier and cheaper to fix these issues when they are found early. Scanning the source code for known vulnerabilities, which is what gosec does, is one way to detect security issues early on. Having security integrated in the DevOps workflow also alleviates the potential bottleneck of having a completely separate security team having to review each new update, which could delay deployment. + +- KillerCoda: [KillerCoda link](https://killercoda.com/lvainio/scenario/gosec) +- GitHub: [GitHub link](https://github.com/lvainio/executable-tutorial-dd2482) \ No newline at end of file diff --git a/contributions/executable-tutorial/mqnguyen/README.md b/contributions/executable-tutorial/mqnguyen/README.md new file mode 100644 index 0000000000..0c021b846e --- /dev/null +++ b/contributions/executable-tutorial/mqnguyen/README.md @@ -0,0 +1,27 @@ +# Assignment Proposal + +## Title + +Infrastructure as Code with Pulumi +## Names and KTH ID + +- Quang M Nguyen (mqnguyen@kth.se) + +## Deadline + +- Task 3 + +## Category + +- Executable tutorial + +## Description + +This tutorial provides a step-by-step guide on using Pulumi for Infrastructure as Code (IaC) to install, set up, and create/deploy an infrastructure consisting of an NGINX web server and multiple services such as NGINX and Redis using Docker containers. It covers the process of defining and managing infrastructure resources using Pulumi, enabling users to easily provision and manage their infrastructure in a declarative manner. By following this tutorial, users will gain hands-on experience in leveraging Pulumi for DevOps practices in managing their infrastructure. + +**Relevance** + +Infrastructure as Code (IaC) is a fundamental practice in DevOps that allows teams to automate the provisioning and management of infrastructure resources. Pulumi is a modern IaC tool that enables developers to define and manage infrastructure resources using familiar programming languages. By using Pulumi, teams can achieve greater flexibility, consistency, and scalability in managing their infrastructure, aligning with the DevOps goal of automating and streamlining the development and deployment processes. This tutorial aims to introduce users to Pulumi and demonstrate its capabilities in managing infrastructure resources effectively. + +Killercoda: https://killercoda.com/bepp-boop/scenario/pulumi +Github: https://github.com/bepp-boop/KillerCoda \ No newline at end of file diff --git a/contributions/executable-tutorial/noelt-atheers/README.md b/contributions/executable-tutorial/noelt-atheers/README.md new file mode 100644 index 0000000000..bbd3dabfa7 --- /dev/null +++ b/contributions/executable-tutorial/noelt-atheers/README.md @@ -0,0 +1,30 @@ +# Assignment Proposal + +## Title +Data access testing using Testcontainers + +## Names and KTH ID + + - Noel Tesfaldiet (noelt@kth.se) + - Atheer Salim (atheers@kth.se) + +## Deadline +- Task 3 + +## Category +- Executable tutorial + +## Description +We will create an executable tutorial in Killercoda that focus on using Testcontainers in python for testing a backend api. This api has a data +access layer which consist of Redis (cache) and PostgresSQL (long term storage), which we will test. +This tutorial will be using Testcontainers to manage containers for the backend testing. Some of the learning outcomes will be that the user gets an idea of what it is and +the benifits of using Testcontainers. In addition to this the user will gain some knowledge in how to use the library. + + **Relevance** + +Testcontainers can provide complex testing envronments that are repreducable and automate the process of creating these environments. The Testcontainers can also be used to +mock the production environments and makes it quite simple to test frontend,backend,database etc. Testcontainers makes sure that the containers +and services are up and runnig in a desired clean state. Furthermore it will perform cleanup of the containers for you. + + + diff --git a/contributions/executable-tutorial/oscols-hugomal/README.md b/contributions/executable-tutorial/oscols-hugomal/README.md new file mode 100644 index 0000000000..0ce29411b9 --- /dev/null +++ b/contributions/executable-tutorial/oscols-hugomal/README.md @@ -0,0 +1,24 @@ +# Assignment Proposal + +## Title + +Using Ansible for Disaster Recovery automation + +## Names and KTH ID + +- Oscar Olsson (oscols) +- Hugo Malmberg (hugomal) + +## Deadline + +- Task 3 + +## Category + +- Executable tutorial + +## Description +This tutorial will be made in KillerKoda. First there will be an introduction to Configuration Management (CM) and Ansible, as well as what it can be used for. Since CM is often used in the military, the theme of this tutorial will be military weapon systems. More specifically, the user will set up two servers for a missile launch system, one of them being a backup. Then, (totally unexpectedly) a missile launch will be activated and the user most act quickly to abort the launch. To achieve this, Disaster Recovery has to be activated, where the backup server will come to use. + +**Relevance** +CM tools are crucial for DevOps environments since they make it possible to configure the environments via scripts. CM can have great benefits, and is not that costly to implement. Therefore, it's important to have knowledge in how to set up CM tools. And Ansible is one of these tools. The benefits of CM becomes evident due to the fact that it enables Disaster Recovery to be implemented to a project, which can potentially save companies in case emergency strikes. And that is why Disaster Recovery is relevant to CM and DevOps as a whole. \ No newline at end of file diff --git a/contributions/executable-tutorial/peiyang-immig/README.md b/contributions/executable-tutorial/peiyang-immig/README.md new file mode 100644 index 0000000000..7109b4739e --- /dev/null +++ b/contributions/executable-tutorial/peiyang-immig/README.md @@ -0,0 +1,28 @@ +# Assignment Proposal + +## Title + +Database Visualization with Sampler +## Names and KTH ID + +- Peiyang Zheng (peiyang@kth.se) +- Florian Jerome Immig (immig@kth.se) + +## Deadline + +- Task 2 + +## Category + +- Executable tutorial + +## Description + +This tutorial provides a step-by-step guide on using Sampler to visualize data from databases including MySQL, PostgreSQL and MongoDB. The tutorial covers the installation and setup of Sampler, configuration of database, and creating a YAML configuration file to visualize various metrics such as the number of records, data insertion rate, and database size. By using Sampler, users can create real-time terminal-based dashboards that offer insights into their database's performance and status. + +The tutorial will demonstrate how to configure different visual components like barcharts, runcharts, sparklines, and textboxes to provide a comprehensive view of database metrics. This executable tutorial is designed to give users practical experience in setting up and using Sampler to monitor and visualize their databases effectively. + +**Relevance** + + Sampler is a lightweight, terminal-based visualization tool that can be easily set up without the complexity of traditional monitoring systems. This tutorial will show how to leverage Sampler to create a customizable and interactive dashboard that helps users gain insights into their database's performance, making it easier to identify and troubleshoot issues. This aligns with the DevOps principles of observability and monitoring, enabling teams to maintain high levels of service quality and system reliability. + diff --git a/contributions/executable-tutorial/samkh-miladsf/README.md b/contributions/executable-tutorial/samkh-miladsf/README.md new file mode 100644 index 0000000000..d227f33fe2 --- /dev/null +++ b/contributions/executable-tutorial/samkh-miladsf/README.md @@ -0,0 +1,27 @@ +# Assignment Proposal + +## Title +Monitoring ML Model Predictions with Prometheus + +## Names and KTH ID + + - Sam Khosravi (samkh@kth.se) + - Milad Farahani (miladsf@kth.se) + +## Deadline +- Task 3 + +## Category +- Executable tutorial + +## Description + +In this tutorial we will set up a python script that logs a ML models predictions. +This is integrated with Prometheus which will mointor them. +The goal is to learn how to integrate Prometheus with a Python application, which is then will be able to monitor the model to understand if it for example will work well when put into production. + + **Relevance** + +Monitoring ML model prediction with Prometheus is highly relevant to DevOps because it introduces automation and observability to the machine learning lifecycle. +In DevOps, ensuring that systems are continously monitored for performance and reliability is crucial and this extends to machine learning models in production. +By integrating Prometheus to track metrics like prediction accuracy or latency, teams can proactively identify issues to reduce downtime and improve model reliability. diff --git a/contributions/feedback/aleliu-gussvens/README.md b/contributions/feedback/aleliu-gussvens/README.md new file mode 100644 index 0000000000..a78f25ecc9 --- /dev/null +++ b/contributions/feedback/aleliu-gussvens/README.md @@ -0,0 +1,33 @@ +# Assignment Proposal + +Feedback on Executable tutorial: Security Linting in Python using Bandit + +## Title + +Feedback on executable tutorial: Security Linting in Python using Bandit + +## Names and KTH ID + + - Alexander Liu (aleliu@kth.se) + - Gustaf Svensson (gussvens@kth.se) + +## Deadline + +- Task 2 + + +## Category + +- Executable tutorial + + +## Description + +Feedback on #2453 +Security Linting in Python using Bandit +https://github.com/KTH/devops-course/tree/2024/contributions/executable-tutorial/ieinberg-emilsjol + + +**Relevance** + +Feedback and (code) review is important =) diff --git a/contributions/feedback/diogotc-rmfseo/README.md b/contributions/feedback/diogotc-rmfseo/README.md new file mode 100644 index 0000000000..e4f206ce5a --- /dev/null +++ b/contributions/feedback/diogotc-rmfseo/README.md @@ -0,0 +1,23 @@ +# Assignment Proposal + +## Title + +Feedback on Presentation +[NixOS: Reproducibility with Flakes and Secrets](https://github.com/KTH/devops-course/pull/2546) + +## Names and KTH ID + + - Diogo Correia (diogotc@kth.se) + - Rafael Oliveira (rmfseo@kth.se) + +## Deadline + +Task 2 + +## Category + +Feedback + +## Description + +We want to provide feedback to Tomás and Wenqi before their presentation on Wednesday. diff --git a/contributions/feedback/ieinberg/README.md b/contributions/feedback/ieinberg/README.md index 7c92d7123c..edb19a98e5 100644 --- a/contributions/feedback/ieinberg/README.md +++ b/contributions/feedback/ieinberg/README.md @@ -17,4 +17,7 @@ Task 2 ## Description -Feedback for [#2387](https://github.com/KTH/devops-course/pull/2387) by hallkvi@kth.se and lindefor@kth.se. \ No newline at end of file +Feedback for [#2387](https://github.com/KTH/devops-course/pull/2387) by hallkvi@kth.se and lindefor@kth.se. + +**Update** - The feedback can be viewed here: +https://github.com/KTH/devops-course/pull/2387#issuecomment-2371909023 \ No newline at end of file diff --git a/contributions/feedback/streuli-mqnguyen/README.md b/contributions/feedback/streuli-mqnguyen/README.md index db165c8c98..739bcc474f 100644 --- a/contributions/feedback/streuli-mqnguyen/README.md +++ b/contributions/feedback/streuli-mqnguyen/README.md @@ -19,4 +19,6 @@ Task 1 ## Description -We would like to submit feedback for [#2423](https://github.com/KTH/devops-course/pull/2423) \ No newline at end of file +We would like to submit feedback for [#2423](https://github.com/KTH/devops-course/pull/2423) + +The feedback has been added [here](https://github.com/KTH/devops-course/pull/2423#issuecomment-2389168718). diff --git a/contributions/feedback/tianning-yinanhu/README.md b/contributions/feedback/tianning-yinanhu/README.md new file mode 100755 index 0000000000..6eca400b09 --- /dev/null +++ b/contributions/feedback/tianning-yinanhu/README.md @@ -0,0 +1,34 @@ +# Assignment Proposal + + + +## Title + +Feedback on Scientific Paper [The Seven Sins: Security Smells in Infrastructure as Code Scripts](https://ieeexplore.ieee.org/document/8812041) + + + +## Names and KTH ID + +- Tianning Liang (tianning@kth.se) +- Yinan Hu (yinanhu@kth.se) + + + +## Deadline + +- Task 2 + + + +## Category + +- Feedback + + + +## Description + +We provided a feedback for the scientfic paper presentation The Seven Sins: Security Smells in Infrastructure as Code Scripts made by Peiyang Zheng and Florian Jerome Immig. ([#2552](https://github.com/KTH/devops-course/pull/2552)) + +The feedback is posted as a comment [here](https://github.com/KTH/devops-course/pull/2552#issuecomment-2386656661) diff --git a/contributions/feedback/uqqasha-lvainio/README.md b/contributions/feedback/uqqasha-lvainio/README.md new file mode 100644 index 0000000000..b51b894dd1 --- /dev/null +++ b/contributions/feedback/uqqasha-lvainio/README.md @@ -0,0 +1,21 @@ +# Assignment Proposal + +## Title + +Feedback on "Security Linting in Python using Bandit" + +## Names and KTH ID + + - Uqqasha Ijaz (uqqasha@kth.se) + - Leo Vainio (lvainio@kth.se) + +## Deadline + +- Task 1 + +## Category + +- Feedback + +## Description +We would like to give feedback to this [executable tutorial](https://github.com/KTH/devops-course/pull/2453). diff --git a/contributions/presentation/week6/jkuo-vanjav/README.md b/contributions/presentation/week6/jkuo-vanjav/README.md new file mode 100644 index 0000000000..f8649e5dc3 --- /dev/null +++ b/contributions/presentation/week6/jkuo-vanjav/README.md @@ -0,0 +1,30 @@ +# Assignment Proposal + +## Title +The event stream incident - vulnerabilities of open source dependencies and possible mitigations. + +## Names and KTH ID + + - Josephine Kuo (jkuo@kth.se) + - Vanja Vidmark (vanjav@kth.se) + +## Deadline + +- Week 6 + +## Category + +- Presentation + +## Description + +We are going to bring light to the topic of using third party libraries without caution, using the event stream incident as an example. We will highlight some key reasons for these attacks such as blind trust, handing over projects insecurely, non-present security checks and the tradeoff between security and openness. + +We will then go over three mitigations to resolve this issue. +- Dependency pinning. That is to require specific versions of libraries, rather than ranges to prevent auto-updates from pulling in malicious versions. +- Using lockfiles (such as package-lock.json in NPM) to record the exact versions of installed packages, minimizing the risk of unintended updates. +- Scanning for known vulnerabilities in the dependencies using npm audit. + +**Relevance** + +In DevOps, automation often relies on third-party libraries, and this incident demonstrates the vulnerability of open-source dependencies. Ensuring the security of external code is crucial, as compromised libraries can introduce security risks into the CI/CD pipeline without immediate detection. diff --git a/contributions/presentation/week6/tmbpe-wenqic/README.md b/contributions/presentation/week6/tmbpe-wenqic/README.md new file mode 100644 index 0000000000..2e4abbfd46 --- /dev/null +++ b/contributions/presentation/week6/tmbpe-wenqic/README.md @@ -0,0 +1,30 @@ +# Assignment Proposal + + +## Title + +NixOS: Reproducibility with Flakes and Secrets + +## Names and KTH ID + + - Tomás Esteves(tmbpe@kth.se) + - Wenqi Cao(wenqic@kth.se) + +## Deadline + +- Week 6 + +## Category + +- Presentation + +## Description + +NixOS is a Linux distribution that follows a declarative approach. This allows it to be reproducible. +However by itself NixOS does not allow to lock packages versions and store secrets securely. +In this presentation We will present the `nix flake` feature that permits us to have a config that does not depend on the time at which it was created +and some tools such as `sops-nix` and `agenix` that allow us to store safely secrets. + +**Relevance** + +These features and tools are crucial in DevOps, specially in Dependency Management and DevSecOps. diff --git a/contributions/presentation/week6/zyad-kankanit/README.md b/contributions/presentation/week6/zyad-kankanit/README.md new file mode 100644 index 0000000000..ec9cdcb692 --- /dev/null +++ b/contributions/presentation/week6/zyad-kankanit/README.md @@ -0,0 +1,27 @@ +# Assignment Proposal + +## Title + +Arc Browser's impotant security breach and why SecDevOps is important + + +## Names and KTH ID + +- Zyad Haddad (zyad@kth.se) +- Kankanit Suppataratarn (kankanit@kth.se) + +## Deadline + +- Week 6 + +## Category + +- Presentation + +## Description + +This presentation will analyze the Arc Browser Firebase vulnerability incident, where incorrect Firebase security rules resulted in a potential data breach. The presentation will begin with an overview of the incident, including how the incident was handled. Next, the development setup that led to the incident will be presented. Lastly, we will discuss the possible preventive measures, emphasizing the importance of a comprehensive SecDevOps strategy to integrate security into the development lifecycle and prevent future vulnerabilities. + +**Relevance** + +This presentation is related to SecDevOps as it emphasizes the importance of integrating security into the DevOps pipeline. This incident shows why continuous security integration is essential in fast-moving development cycles, and gives a study case of how ignoring this crucial aspect can lead to vulnerabilities. \ No newline at end of file diff --git a/contributions/presentation/week7/aleliu-jakstrom/README.md b/contributions/presentation/week7/aleliu-jakstrom/README.md new file mode 100644 index 0000000000..9ee7fa423f --- /dev/null +++ b/contributions/presentation/week7/aleliu-jakstrom/README.md @@ -0,0 +1,27 @@ +# Assignment Proposal + +## Title + +Understanding GDPR and its importance for DevOps + +## Names and KTH ID + + - Alexander Liu (aleliu@kth.se) + - Jakob Ström (jakstrom@kth.se) + +## Deadline + +- Week 7 + +## Category + +- Presentation + + +## Description + +In this presentation we will explain what GDPR is and how it impacts DevOps. In this presentation, we will go through how to follow GDPR with good DevOps practices. + +**Relevance** + +GDPR has had a great consequences on software engineering and how DevOps-developers must work in order to comply and minimize risks of unintentional compliance breaches. \ No newline at end of file diff --git a/contributions/presentation/week7/casperkr-nwijkman/README.md b/contributions/presentation/week7/casperkr-nwijkman/README.md new file mode 100644 index 0000000000..f354ab0872 --- /dev/null +++ b/contributions/presentation/week7/casperkr-nwijkman/README.md @@ -0,0 +1,26 @@ +# Assignment Proposal + +## Title + +DevOps at Scale: Managing Complex Service Architectures in Large Technical Companies + +## Names and KTH ID + +- Casper Kristiansson (casperk@kth.se) +- Niklas Wijkman (nwijkman@kth.se) + +## Deadline + +- Week 7 + +## Category + +- Presentation + +## Description + +In this presentation, we will explore how large technical companies manage DevOps practices in environments where thousands of independent services are deployed. We will discuss the complexities of scaling continuous integration and deployment (CI/CD) pipelines, service dependencies, and ensuring consistency across a vast number of services. The presentation will also touch on techniques like automation, standardization, and repository federation to handle the complexity of these architectures. + +**Relevance** + +This topic is highly relevant as modern enterprises increasingly adopt microservices architectures, resulting in many independent services that require robust DevOps processes. Managing these services at scale is a significant challenge, and understanding the strategies for automation and scaling can help improve the reliability and efficiency of DevOps practices in large, complex systems. diff --git a/contributions/presentation/week7/ttoma-emilsjol/README.md b/contributions/presentation/week7/ttoma-emilsjol/README.md new file mode 100644 index 0000000000..92ccbb1c80 --- /dev/null +++ b/contributions/presentation/week7/ttoma-emilsjol/README.md @@ -0,0 +1,25 @@ +# Assignment Proposal + +## Title +Chaos Engineering with Chaos Monkey + +## Names and KTH ID + + - Student Tomi Toma (ttoma@kth.se) + - Student Emil Sjölander (emilsjol@kth.se) + +## Deadline + +Week 7 + +## Category + +Presentation + +## Description + +In this presentation we will talk about Chaos Monkey which is a tool created by Netflix that intentionally disrupts system to test the systems overall resilience. We will talk about how Chaos Monkey fits in with Chaos Engineering and DevOps and its practical application to ensure system reliability. + +**Relevance** + +This is relevant to DevOps because it helps developers to identify weakness in production systems early and patch them and reaching the goals of continuous delivery, resilience and high up time for the users. By continously tsting failiures devops teams can confidently realse robust and fault tolerant systems. diff --git a/contributions/demo/week5/rikj-millear/README.md b/contributions/scientific-paper/week5/rikj-millear/README.md similarity index 100% rename from contributions/demo/week5/rikj-millear/README.md rename to contributions/scientific-paper/week5/rikj-millear/README.md diff --git a/contributions/scientific-paper/week6/hocker-nwijkman/README.md b/contributions/scientific-paper/week6/hocker-nwijkman/README.md new file mode 100644 index 0000000000..e93ddf3933 --- /dev/null +++ b/contributions/scientific-paper/week6/hocker-nwijkman/README.md @@ -0,0 +1,28 @@ +# Assignment Proposal + +## Title + +Machine Learning-Based Run-Time DevSecOps: ChatGPT Against Traditional Approach + +## Names and KTH ID + + - Simon Hocker (hocker@kth.se) + - Nicole Wijkman (nwijkman@kth.se) + +## Deadline + +- Week 6 + +## Category + +- Scientific paper + +## Description + +We will present a recent scientific paper from this year wherein they perform a comparative study between two different approaches to classifying suspicious server log activities and detecting potential threats. Specifically, it compares the classic, traditional machine learning approach of using Weka API for classification with a new proposed novel method of using ChatGPT for performing runtime log analysis. They explore the mechanics and potential of using ChatGPT in Python where context represents labelled data and the questions themselves contain the log records which are being evaluated. Beyond exploring the possibility of it, they also analyse the viability of the novel method, and examine its potential as well as its drawbacks and limitations, and then compares it with the tried and true Weka API method. + +Our presentation will begin by elaborating on why such research is important for the field of DevSecOps, as well as describing the scenario being analysed in the paper. From there, we will go on to detail the workings of both the new and the traditional approach in detail, followed by their respective strengths and weaknesses. Afterwards, we will end the presentation with an explanation of the paper's conclusions.([Machine Learning-Based Run-Time DevSecOps: ChatGPT Against Traditional Approach](https://ieeexplore.ieee.org/document/10192161)) + +**Relevance** + +Security integration in the DevOps pipeline is crucial for maintaining a secure development environment. This paper addresses this need by introducing AI-driven automated log analysis techniques to detect security threats during runtime. It also compares this approach with traditional machine learning practices, providing valuable insights for enhancing security and efficiency in agile development workflows. diff --git a/contributions/scientific-paper/week6/lllr-peremr/README.md b/contributions/scientific-paper/week6/lllr-peremr/README.md new file mode 100644 index 0000000000..3d2b36115a --- /dev/null +++ b/contributions/scientific-paper/week6/lllr-peremr/README.md @@ -0,0 +1,26 @@ +# Assignment Proposal + +## Title + +Challenges and solutions when adopting DevSecOps: A systematic review + +## Names and KTH ID + + - Lauren Llauradó (lllr@kth.se) + - Pere Mateu Raventós (peremr@kth.se) + +## Deadline + +- Week 6 + +## Category + +- Scientific paper + +## Description + +We plan to present the paper titled "[Challenges and solutions when adopting DevSecOps: A systematic review](https://doi.org/10.1016/j.infsof.2021.106700)", which provides a structured analysis of the key challenges developers encounter when implementing DevSecOps and outlines the solutions suggested in the literature to address these issues. + +**Relevance** + +It is important to know how to identify and solve challenges in DevSecOps in a systematized way in order to have better practices. \ No newline at end of file diff --git a/contributions/scientific-paper/week6/peiyang-immig/README.md b/contributions/scientific-paper/week6/peiyang-immig/README.md new file mode 100644 index 0000000000..496111346c --- /dev/null +++ b/contributions/scientific-paper/week6/peiyang-immig/README.md @@ -0,0 +1,28 @@ +# Assignment Proposal + +## Title + +The Seven Sins: Security Smells in Infrastructure as Code Scripts + +## Names and KTH ID + + - Peiyang Zheng (peiyang@kth.se) + - Florian Jerome Immig (immig@kth.se) + +## Deadline + +- Week 6 + +## Category + +- Scientific paper + +## Description + +We plan to present the paper titled "The Seven Sins: Security Smells in Infrastructure as Code Scripts", which provides an empirical study on security smells in infrastructure as code (IaC) scripts. The authors identify seven distinct security smells, such as hard-coded secrets and invalid IP address binding, which could lead to potential security breaches. They propose a static analysis tool, Security Linter for Infrastructure as Code scripts (SLIC), to detect these smells and highlight their prevalence and persistence in real-world IaC scripts. +Link: https://ieeexplore.ieee.org/document/8812041 + +**Relevance** + +Understanding and mitigating security smells in IaC scripts is crucial for ensuring the security and robustness of automated infrastructure management in DevOps practices such as Infrastructure as Code. + diff --git a/contributions/scientific-paper/week6/streuli-prerna/README.md b/contributions/scientific-paper/week6/streuli-prerna/README.md new file mode 100644 index 0000000000..5b8769d6b3 --- /dev/null +++ b/contributions/scientific-paper/week6/streuli-prerna/README.md @@ -0,0 +1,27 @@ +# Assignment Proposal + +## Title + +Implementing and Automating Security Scanning to +a DevSecOps CI/CD Pipeline + +## Names and KTH ID + + - Prerna Gupta (prerna@kth.se) + - David Streuli (streuli@kth.se) + +## Deadline + +- Week 6 + +## Category + +- Scientific paper + +## Description + +The paper explores the automation of security scanning focusing on containerised applications. The paper explores the application of Static Application Security Testing (SAST) and Dynmaic Application Security Testing (DAST) to enhance security. SAST is a static analysis technique while DAST tests the application at runtime and does not need to have access to the source code. We'll explain how integrating corresponding tools improves the security of containerized applications by finding vulnerabilities soon and automating their removal from the CI/CD process, the effectiveness of deploying and automating security scanning in DevSecOps pipeline with Snyk and StackHawk tools and methodologies used for detecting vulnerabilities.We conclude the presentation with future scope. The paper can be found here: https://ieeexplore.ieee.org/abstract/document/10235015 + +**Relevance** + +In this paper, a DevSecOps CI/CD pipeline integrated dynamic security testing strategy to address the special requirements of securing containerised applications. The model features early vulnerability detection and push left practices with automated remediation using tools such as Snyk for Static Application Security Testing (SAST) and StackHawk for Dynamic Application Security Testing (DAST), all during the software development lifecycle (SDLC). diff --git a/contributions/scientific-paper/week7/dgaspar-tmbpe/README.md b/contributions/scientific-paper/week7/dgaspar-tmbpe/README.md new file mode 100644 index 0000000000..6f824815e9 --- /dev/null +++ b/contributions/scientific-paper/week7/dgaspar-tmbpe/README.md @@ -0,0 +1,26 @@ +# Assignment Proposal + +## Title + +[A Case Study of Developer Bots: Motivations, Perceptions, and Challenges](https://dl.acm.org/doi/10.1145/3611643.3616248) + +## Names and KTH ID + +- Diogo Gaspar (dgaspar@kth.se) +- Tomás Esteves (tmbpe@kth.se) + +## Deadline + +- Week 7 + +## Category + +- Scientific Paper + +## Description + +The paper examines 23 developer bots used in Microsoft's CI/CD workflows, aiding thousands of developers across 13,000 repositories. These bots, categorized into configuration, security, data privacy, productivity, and code quality, help automate tasks and provide early feedback to developer actions; through interviews, surveys, as well as the analysis of hundreds of thousands of bot actions, the authors' study explores the motivations, benefits and challenges of using these bots, such as managing excessive feedback (noise), among others. + +**Relevance** + +The study in hand is highly relevant to DevOps, examining how developer bots automate tasks in CI/CD pipelines to improve code quality, productivity, among other key goals of the area. Besides delineating how these bots streamline workflows and support the "shift left" approach, the paper also highlights core challenges: managing multiple bots, and prioritizing feedback, critical for maintaining efficiency in large-scale environments. diff --git a/tools/schedule.py b/tools/schedule.py old mode 100644 new mode 100755 index 3b9875b097..be4f45cec8 --- a/tools/schedule.py +++ b/tools/schedule.py @@ -1,18 +1,21 @@ #!/usr/bin/python3 # automate the preparation of the schedule +# usage ./schedule.py week4 import subprocess # get current date and time import datetime import re +import sys # get output of command ls # get output of command ls # and store it in a variable -WEEK="week4" +WEEK=sys.argv[1] + output = subprocess.getoutput("git log --oneline contributions/presentation/"+WEEK+" contributions/demo/"+WEEK+"/ contributions/scientific-paper/"+WEEK+"/").split("\n") output.reverse() @@ -47,7 +50,7 @@ def get_title(content): # get commit hash commit_hash = i.split(" ")[0] # get list of files in the commit using git command - files = [x for x in subprocess.getoutput(f"git diff-tree --no-commit-id --name-only -r {commit_hash}").split("\n") if ".md" in x.lower() and ("presentation" in x or "demo" in x or "scientific-paper" in x )] + files = [x for x in subprocess.getoutput(f"git diff-tree --no-commit-id --name-only -r {commit_hash}").split("\n") if ".md" in x.lower() and ("presentation" in x or "demo" in x or "scientific-paper" in x ) and WEEK in x] # print the commit hash #print(commit_hash) # get content of first file