security
Browse all articles, tutorials, and guides about security
Guides
Security Gates
Implement automated security gates that block deployments on critical vulnerabilities, policy violations, and security failures. Shift security left in your CI/CD pipeline.
Cryptography Essentials
Master the cryptographic fundamentals every DevOps engineer needs: symmetric and asymmetric encryption, hashing algorithms, TLS/SSL certificates, and Public Key Infrastructure (PKI).
Static Application Security Testing (SAST)
Master Static Application Security Testing (SAST) with SonarQube, Semgrep, and CodeQL. Learn to detect vulnerabilities in source code before they reach production.
Threat Modeling
Master threat modeling methodologies including STRIDE, DREAD, and attack trees. Learn to identify, analyze, and prioritize security threats in your systems with practical exercises.
OWASP Top 10
Learn about the OWASP Top 10 web application security risks. Understand each vulnerability, see real-world examples, and learn how to prevent them in your applications.
Security Principles
Master the fundamental security principles every DevSecOps engineer needs to know. Learn CIA Triad, Defense in Depth, Least Privilege, and Zero Trust concepts with practical examples.
Posts
The MCP Design Flaw That Exposes 150M Downloads to RCE
Researchers at OX Security disclosed an architectural vulnerability in Anthropic MCP that enables remote code execution across Python, TypeScript, Java, and Rust SDKs. Anthropic calls it "by design." Here is how the flaw works, which tools are affected, and what to do if you use Cursor, Claude Code, LangChain, or anything with an MCP server.
The Vercel April 2026 Security Incident: What Happened and What to Do About It
Vercel disclosed a security incident that started with a compromised OAuth app at Context.ai, escalated through a Vercel employee Google Workspace account, and reached internal systems plus customer environment variables not marked sensitive. Here is the attack chain, what was exposed, and what to change in your deployments.
Two Composer Command Injection Flaws Let Attackers Run Arbitrary Code - Even Without Perforce
CVE-2026-40176 and CVE-2026-40261 affect all Composer 2.x versions. A malicious composer.json or crafted package metadata can execute OS commands on your machine. Upgrade to 2.9.6 now.
The Ory Ecosystem Explained: Identity, OAuth2, and SSO for Kubernetes
A practical breakdown of the Ory ecosystem - Kratos, Hydra, Polis, Oathkeeper, and Keto - what each one does, how they connect, and how to pick the right components for your auth stack.
CVE-2025-55182 React2Shell: 766 Next.js Hosts Breached in 24 Hours
A CVSS 10.0 RCE in React Server Components let attackers breach 766 Next.js hosts in a single day, stealing database credentials, SSH keys, and cloud secrets. Here is how it works, who is affected, and what to do right now.
Claude Code Source Leaked via npm Source Maps: Lessons for Every DevOps Team
Anthropic accidentally shipped source maps in their npm package, exposing 512,000 lines of Claude Code source. Here is what went wrong and how to prevent it in your own CI/CD pipeline.
The Axios Supply Chain Attack: What DevOps Teams Need to Know
A compromised npm maintainer account led to malicious axios versions deploying a RAT across macOS, Windows, and Linux. Here is what happened, how to check if you are affected, and how to prevent this in your pipeline.
5 Advanced Docker Features Worth Knowing
Go beyond Docker basics with BuildKit, multi-stage builds, health checks, init processes, and build secrets. Learn practical techniques that improve security, performance, and reliability.
Docker Image Optimization: Best Practices for Smaller, Faster Images
Learn proven strategies to optimize Docker images: multi-stage builds, layer caching, base image selection, and security hardening. Reduce image size by up to 90% while improving build times and security.
How to Get a List of All Valid IP Addresses in a Local Network?
Discover active devices on your local network using tools like nmap, arp-scan, and native OS commands. Learn network scanning techniques for inventory management, security audits, and troubleshooting.
Terraform: Failed to install provider, does not match checksums from dependency lock file
Troubleshoot the Terraform error about provider checksums not matching the dependency lock file and learn safe fixes and best practices.
Using SSH Keys Inside a Docker Container
Need to use SSH keys in your Docker container for git, automation, or remote access? Learn secure ways to provide SSH keys, best practices for builds, and how to avoid common pitfalls.
Connecting to PostgreSQL in a Docker Container from Outside
Expose PostgreSQL safely and connect from your host or another machine using Docker and Docker Compose. Covers port publishing, listen addresses, pg_hba.conf basics, and common troubleshooting.
How to create an SSH key in Terraform?
Learn how to generate and manage SSH keys in Terraform for secure access to your infrastructure.
How to Add SSH Keys to GCP Instances Using Terraform
Learn how to configure SSH key access for Google Cloud Platform compute instances with Terraform, including project-wide and instance-specific keys.
Capturing Mobile Phone Traffic on Wireshark
Learn how to capture and analyze network traffic from your mobile phone using Wireshark. Set up a proxy or WiFi hotspot to inspect HTTP/HTTPS requests, debug mobile apps, and understand what data your phone is sending.
CI/CD Pipeline Hardening: A Practical Guide to Securing Your Build Infrastructure
Your CI/CD pipeline has access to source code, secrets, and production environments. Here is how to harden it against supply chain attacks, secret exfiltration, and artifact tampering.
How to Integrate DAST Into Your CI/CD Pipeline (With OWASP ZAP Examples)
A practical guide to Dynamic Application Security Testing. Learn how DAST works, set up OWASP ZAP scans, compare it with Burp Suite, and automate security testing in your CI/CD pipeline with quality gates.
Dependency Scanning: Finding Vulnerabilities Before Attackers Do
A practical guide to dependency scanning with Snyk, Dependabot, and native package manager tools. Learn how to detect vulnerable dependencies, automate fixes, and integrate scanning into your CI/CD pipeline.
Pre-commit Hooks for Security: Stop Secrets Before They Hit Your Repository
Once a secret is committed to Git, it lives forever in the history. Pre-commit hooks with gitleaks, detect-secrets, and custom checks catch credentials before that happens.
Secrets Management Guide: Vault, AWS Secrets Manager, and Azure Key Vault
Stop storing secrets in .env files and environment variables. This guide covers secrets management fundamentals, HashiCorp Vault dynamic secrets, AWS Secrets Manager rotation, and Azure Key Vault with practical code examples.
Secure Coding Practices Every DevOps Engineer Should Know
A practical guide to writing secure code: input validation, output encoding, error handling, and authentication. With real examples in Python, JavaScript, and Go.
Security-Focused Code Reviews: Catching Vulnerabilities Before Production
Learn how to review code with a security mindset. This guide covers common vulnerability patterns, language-specific pitfalls, and practical checklists for finding injection flaws, auth bypass, and logic bugs that automated tools miss.
Software Supply Chain Security: SBOMs, Sigstore, and SLSA in Practice
Protect your software supply chain with practical steps for SBOM generation, artifact signing with Cosign, and SLSA provenance. Includes complete CI/CD pipeline examples for GitHub Actions and GitLab CI.
How to Fix Terraform Provider Checksum Mismatch Errors
Running into 'doesn't match checksums from dependency lock file' errors when installing Terraform providers? Learn what causes this issue and how to resolve it safely.
Docker Compose: Understanding Ports vs Expose
Learn the key differences between ports and expose in Docker Compose, when to use each one, and how they affect container networking and security in your applications.
How to Change File and Folder Permissions Recursively in Linux
Learn how to use the chmod command to change permissions for directories and all their subdirectories and files efficiently and safely.
How to Find the IP Address of an SSH Client
Learn multiple ways to identify the IP address of clients connected to your SSH server, from environment variables to logs and active connection monitoring.
How to Close Specific Ports on Linux Systems
Learn how to close and block specific ports on Linux using iptables, ufw, firewalld, and by stopping services. Secure your system by controlling port access.
What Does AssumeRole: Service: ec2 Do?
Understand the role of AssumeRole with Service: ec2 in AWS IAM policies and how it integrates with Terraform.
How to Retrieve a Secret in Terraform from AWS Secrets Manager
Learn how to securely retrieve secrets from AWS Secrets Manager using Terraform in your infrastructure as code workflows.
How to Attach Multiple IAM Policies to IAM Roles Using Terraform
Learn how to attach multiple IAM policies to a single IAM role in Terraform to manage permissions effectively.
How to Display Sensitive Data Output Variables in Terraform
Learn how to handle and display sensitive data output variables in Terraform safely and effectively.
Determining Minimum AWS Permissions for Terraform Configurations
Learn how to identify the minimum AWS permissions required for your Terraform configurations to enhance security and compliance.
How to Update a Kubernetes Secret Generated from a File
Learn how to update an existing Kubernetes secret when its data comes from a file, with practical kubectl commands and tips for safe secret management.
How to Specify a Private SSH Key for Git Commands
Learn multiple methods to use specific SSH keys with Git operations, from command-line options to SSH config files and environment variables, making it easy to manage multiple keys for different repositories.
Docker Security Best Practices
Secure your Docker environment from development to production with practical techniques for image hardening, runtime protection, and vulnerability management.
How to Sign In to the Kubernetes Dashboard
Learn how to securely access and sign in to the Kubernetes Dashboard, including token generation, best practices, and troubleshooting common login issues.
At Least One Invalid Signature Was Encountered
Understand the causes of invalid signatures in Kubernetes and learn how to troubleshoot and resolve them.
How to Decode a Kubernetes Secret
Kubernetes secrets store sensitive data in base64-encoded form. Learn how to safely decode and inspect these secrets using kubectl and command-line tools.