DevOps 540 Flashcards
CALMS
Culture, Automation, Lean, Measurement, Sharing
CI/CD Change Frequency
How often changes are deployed to production. Measures the efficiency and the capability of the organisation to make changes.
Change Failure Ratio
How often changes introduce a failure. The opposite of Change Success Ratio.
Change Success Ratio
How often a change does NOT introduce a failure. The opposite of Change Failure Ratio.
MTTR
Mean Time to Recovery or Repair from a failure
MTTD
Mean Time to Detect a failure
MTTF
Mean Time to Failure. Not used much in DevOps, since failures are expected; MTTR and MTTD are the key metrics.
Change Lead Time
The average time it takes to get a change or fix into production. Also known as Cycle Time.
Change Cycle Time
From when a change is requested by the business until it is deployed. X = change request + start dev + end dev + deployment
Development change lead time
From when development starts until the change is fully deployed. X = start dev + end dev + deployment
Deployment Lead time
From when development is finished until the change is deployed (== deployment time). X = end dev + deployment
IAST
Interactive Application Security Testing
DAST
Dynamic Analysis Security Testing
SAST
Static Analysis Security Testing
RASP
Runtime Application Self-Protection
SDLC
Secure Deployment Life Cycle
CSPM
Cloud Security Posture Management
CWPP
Cloud Workload Protection Platform
CASB
Cloud Access Security Broker
CNAPP
Cloud Native Application Protection
IDOR
Insecure Direct Object Reference
CDN
Content Delivery Network
OAI
Origin Access Identity
SOP
Same-Origin Policy: an origin is the tuple of protocol, port and domain
CORS
Cross-Origin Resource Sharing
ZTA
Zero Trust Architecture
ZTMM
Zero Trust Maturity Model
OPA
Open Policy Agent. Policy language/engine used to apply restrictions to container deployments.
OIDC
OpenID Connect
JWT
JSON Web Tokens
ADFS
Active Directory Federation Services
CNCF
Cloud Native Computing Foundation
SPIFFE
Secure Production Identity Framework For Everyone
CNI
Container Network Interface
RBAC
Role-Based Access Control
CEL
Common Expression Language
SCA
Software Component Analysis. Used to identify code (dependencies) with known vulnerabilities.
Continuous Delivery
Code -> Unit Test -> Integrate -> Acceptance Test -(manual)-> Deploy. If the deploy step is automated, it is Continuous Deployment.
Continuous Deployment
Code -> Unit Test -> Integrate -> Acceptance Test -(auto)-> Deploy. If the deploy step is manual, it is Continuous Delivery.
Acceptance tests
Ensure code can be merged into production. Achieved by standing up test environments with Puppet/Chef/Terraform/Docker/etc. and running post-deployment asserts/smoke tests.
IdP
Identity Provider for OAuth/OIDC (the party we authenticate against)
Service provider in OIDC
The service we are trying to access.
RRA
Rapid Risk Assessment. A 30-minute review to understand whether the new code will have issues, or what level of review it will require. Introduced by Firefox.
A/B testing
Experiments that expose a code change to a subset of the population.
SBOM
Software Bill of Materials. Needed to understand the dependencies of an application, and hence their vulnerabilities.
OWASP: PPE
Poisoned Pipeline Execution: manipulating the build process by injecting malicious code or commands into the build pipeline configuration.
OWASP: PBAC
Pipeline-Based Access Control. An attacker could exploit insufficient PBAC to abuse the permissions granted to the pipeline and move laterally to systems and services outside the CI/CD environment.
SARIF
Static Analysis Results Integration Format. Created by Microsoft; a JSON-based format that provides one universal output format for static analysis tools.
SPDX
Software Package Data Exchange: an open-source output format for software bills of materials (SBOMs).
HCL
HashiCorp Configuration Language
Azure NSG
Azure Network Security Group
TDD
Test-Driven Development. Automated tests are written before the code is changed, to prove that changes are implemented correctly.
DSL
Domain-Specific Language. Used in configuration management tools such as Chef, Puppet, Ansible, etc.
Software Provenance
An attestation (metadata) describing how the outputs were produced, including identification of the platform and external parameters
Software Attestation
An authenticated statement (metadata) about a software artifact or a collection of software artifacts.
DSSE
Dead Simple Signing Envelope. Stores the envelope (statement + signature) for the provenance statement, to prevent supply chain attacks.
OCI
Open Container Initiative
SLSA
Supply-chain Levels for Software Artifacts. Level 0 to Level 3: none; provenance showing how the packages were built; signed provenance generated by a hosted build platform; hardened build platform.
VEX
Vulnerability Exploitability eXchange. A machine-readable attestation format for sharing vulnerability status information.
GUAC
Graph for Understanding Artifact Composition. Graph-based system that organizes software supply chain security artifacts.
CRI
Container Runtime Interface
AWS ECR
Elastic Container Registry for container images
Google Cloud GCR
Google Container Registry for container images
Azure ACR
Azure Container Registry for container images
Image Poison Attack in containers
A certified image tag is overwritten with a malicious image using the same tag. Prevented via immutable tagging in the cloud container registry.
Azure CMK
Customer-Managed Keys used for Azure storage encryption (EKS in Azure)
IRSA
AWS IAM Roles for Service Accounts
IMDS
AWS Instance Metadata Service
K8s CEL
Common Expression Language used for K8s policies
Azure OMS
Operations Management Suite. Azure log agent for Linux or EKS.
Azure MMA
Microsoft Monitoring Agent. Azure log agent for Windows systems.