apolloclark

AWS CLI Cheatsheet

http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html https://www.youtube.com/watch?v=_wiGpBQGCjU

Setup

apolloclark

HTTP Security Headers

Overview

HTTP Security Headers do not prevent server-side attacks, but they do help mitigate some client-side attacks, within browsers that support the headers.

• https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
• https://geekflare.com/http-header-implementation/

apolloclark

Recon tutorial

get your local ip address

ifconfig -a

verify you are connected to the internet

ping google.com

apolloclark

Postgres Cheatsheet

This is a collection of the most common commands I run while administering Postgres databases. The variables shown between the open and closed tags, "<" and ">", should be replaced with a name you choose. Postgres has multiple shortcut functions, starting with a forward slash, "". Any SQL command that is not a shortcut, must end with a semicolon, ";". You can use the keyboard UP and DOWN keys to scroll the history of previous commands you've run.

Setup

installation, Ubuntu

http://www.postgresql.org/download/linux/ubuntu/ https://help.ubuntu.com/community/PostgreSQL

apolloclark

DevSecOps Maturity Model

DevSecOps has finally become popular within the wider IT industry in 2019. I started as a web developer in 2001, learned about testing automation, system deployment automation, and "infrastructure as code" in 2012, when DevOps was becoming a popular term. DevOps became common after the release of The Phoenix Project in Jan 2013. It has taken 7+ years for security to become integrated within the DevOps methodology. The following is a list of concepts I go through with project owners, project managers, operations, developers, and security teams, to help establish how mature their DevOps and security automation is, and to help them increase that maturity over time. This model is based on experience consulting with a variety of US Financial, Healthcare, and Department of Defense, organizations, and combines:

• PCI DSS
• NYDFS
• [HITRUST CSF](https://hitrustalliance.net/product-tool/hitrus

apolloclark

Build Tools and Testing

Build Manager

Goal - centralized UI, and scheduler, for managing automated builds

• Terraform Enterprise - HashiCorp
  
• Jenkins - Cloudbees
  
• TravisCI
  
• CircleCI
  
• Bamboo - Atlassian

apolloclark

Cloud Environment Questionnaire

1. IT Security Regulations?

ex: SOC2, NIST 800-53, ISO 27001, PCI DSS (credit cards), HITRUST / HIPAA (healthcare), FIPS / FedRAMP (US Gov), GDPR (EU)

2. Cloud Provider(s)?

ex: AWS, Microsoft Azure, Google GCP, on-prem VMware

3. Compute Environment(s)?

ex: AWS EC2 VMs, AWS ECS (Docker), AWS EKS (Kubernetes K8S), Azure VM, Azure AKS (K8S), GCP VM, GCP GKE (K8S)

apolloclark

# list repos
sudo apt-cache policy

# add repo
sudo add-apt-repository "deb http://us.archive.ubuntu.com/ubuntu/ saucy universe multiverse"

# remove repo
sudo add-apt-repository --remove <ppa:whatever/ppa>

apolloclark

# create an account, create an app
# @see https://apps.twitter.com/

# retrieve the access tokens
# @see https://dev.twitter.com/oauth/reference/post/oauth2/token

# create the file ~/twitter_api
nano ~/twitter_api
Authorization: OAuth oauth_consumer_key="XXXXXX", oauth_nonce="11111111", oauth_signature="XXXXXX", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1450728725", oauth_token="99999-XXXXXX", oauth_version="1.0"

apolloclark

List all of the AWS Resources available to AWS CloudFormation

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html

curl -sSL https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/toc-contents.json \
  | jq '.contents[10].contents[0].contents[].include_contents' --raw-output \
  | grep -v "null" \
  | xargs -I % curl -sSL https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/% \
  | jq '.contents[].contents[] | [.title, (select(.contents != null) | .title + "::" + .contents[].title)]' --raw-output \