Volker Wissing: Transport minister promotes nationwide public transport tickets
Federal Transport Minister Volker Wissing (FDP) announces a major public transport reform and calls the 9-euro ticket a “resounding success”. (Volker Wissing, Internet)
Source: Golem
In 2022, Web3 projects have already lost more money in cryptocurrencies to hacks and exploits than in all of 2021. (Cryptocurrency, Phishing)
Source: Golem
The Thömus Lightrider E Ultimate is said to be the lightest full-suspension e-bike in the world. The electric bicycle will be quite expensive, though. (E-bike, Technology)
Source: Golem
With the Xbus RV, Electricbrands has built an electric camper van that is only 3.95 meters long and offers room for two people. (Electric car, Technology)
Source: Golem
A lawyer for Elon Musk told Twitter's chief legal officer that the company itself was to blame for the termination. (Elon Musk, Spam)
Source: Golem
The Apple Chromebook and Bosch's smart system: the week in video. (Golem weekly review, Game streaming)
Source: Golem
Enough energy for hundreds of kilometers on the bike: Golem.de tried out the Edge 1040 Solar, Garmin's current top model. By Peter Steinlechner (Garmin, Review)
Source: Golem
Grocery shopping has changed for good and Ocado Group has played a major role in this transformation. We started as an online supermarket, applying technology and automation to revolutionise the online grocery space. Today, after two decades of innovation, we are a global technology company providing state-of-the-art software, robotics, and AI solutions for online grocery. We created the Ocado Smart Platform, which powers the online operations of some of the world’s most forward-thinking grocery retailers, from Kroger in the U.S. to Coles in Australia.
With the global penetration of the Ocado Smart Platform and the increasing complexity of our operations, we’re paying close attention to our security estate. To proactively identify and tackle any security vulnerabilities, we decided to introduce Google Cloud’s Security Command Center (SCC) Premium as our centralized vulnerability and threat reporting service.
Gaining consolidated visibility into Ocado’s cloud assets
From the start, we were impressed with the speed of deployment and the security findings surfaced with SCC. Where it would take several weeks in the past with other software vendors, we were able to quickly set up SCC in our environment and we could immediately start identifying our most vulnerable assets.
Today, we use SCC to detect misconfigurations and vulnerabilities across hundreds of projects throughout our organization and we use it to get an aggregated view of our security health findings. We filter the findings and then use Pub/Sub or Cloud Functions to send alerts directly to the tools each division is working with, such as Splunk or JIRA. This way, each of our teams can discover and respond to the security findings in their own environment, with SCC acting as the single source of truth for our security-related issues.
Driving autonomy by delegating security findings
Autonomy fuels innovation at Ocado Technology, which is why we want to make our teams as self-sufficient as possible. SCC helps to make our divisions more autonomous from the central organization. It delivers all the security insights technology teams need to make smart decisions on their own and at pace. Here’s where SCC’s delegation features, which provide folder- and project-level access control, come in. The platform’s fine-grained access control capabilities enable us to delegate SCC findings to specific teams, without having to give them a view of the entire Ocado Technology organization. Business units no longer need to contact us in the security team to track down vulnerabilities; they can do it themselves in a compliant and secure manner. It makes our work more efficient and autonomous, allowing everyone to focus on their own areas of expertise and environments.
Identifying and remediating multiple medium and high vulnerabilities
SCC’s findings are very rich and don’t end with the identification of the potential misconfigurations and vulnerabilities. SCC goes beyond this, recommending solutions to resolve any issues and providing clear guidelines on next steps. That’s why the feedback from our users across the organization has been so good.
SCC delivers on both quality and quantity. Since implementation, it has helped us identify and remove hundreds of medium and high vulnerabilities from our Google Cloud estate. The number of security-related findings has also gone down each quarter, indicating real and tangible improvements in our security posture. SCC is so useful in maintaining our security posture because, once we know where the issues are, tackling them is easy.
From 8-hour security scans to instant insights
One particular issue we’ve been able to handle well with SCC is the set of vulnerabilities targeting the Apache logging system Log4j. SCC informed us about attempted compromises, active compromises, or the vulnerability exposure of our Dataproc images. During the Log4j response, all of these would otherwise have been very hard to track down, especially with limited resources. With SCC, we were able to leverage the security expertise of Google Cloud to identify the latest vulnerabilities, based on the most up-to-date security trends, and act on them quickly.
Obviously, speed is of the essence when it comes to threat mitigation and SCC has enabled us to fix issues faster, making us less exposed to outside threats. In the past, just scanning everything once could take up to eight hours. SCC sped things up from the start and findings have been nearly instantaneous since it rolled out real-time Security Health Analytics.
Strengthening compliance and demonstrating standards to stakeholders
SCC helps us to achieve better compliance standards, and demonstrate these standards to our stakeholders. We recently ran an internal audit exercise across the Ocado Technology organization, for example, where we identified the projects with the most numerous and severe security-related findings. Without the reports from SCC, this would have been extremely hard or even impossible.
We also use the Security Health Analytics information from SCC to visualize the data per project, creating a kind of heat map of security across the organization. This helps us assign our resources to the right projects and prioritize our efforts accordingly, informing our strategic decisions.
From top-down to developer-led security
There’s been a paradigm shift in security operations, and things are moving from a top-down approach to a more developer-led and autonomous process. SCC helps drive that change at Ocado Technology. It enables us to place the responsibility for security-related issues closer to the resource owners. By making sure that the teams most impacted by a potential problem are the ones who get to fix it, we empower teams to resolve issues proactively and efficiently.
Looking forward, we can’t wait to see SCC evolve further. One of the features we’re most excited about is the ability to create custom findings (currently in preview) and additional integration capabilities that enable automation. We’re still not using everything SCC has to offer, but it is already a vital tool for our security team.
At Ocado Technology, we’re pioneering the future of online grocery shopping, and this future needs a strong security foundation. SCC helps us to strengthen and maintain that foundation, making profitable, scalable, and secure online grocery shopping possible for even more businesses around the world.
Source: Google Cloud Platform
Shifting left on security with Google Cloud infrastructure
The concept of “shifting left” has been widely promoted in the software development lifecycle. The concept is that introducing security earlier, or leftwards, in the development process will lead to fewer software-related security defects later, or rightwards, in production.
Shifting cloud security left can help identify potential misconfigurations earlier in the development cycle, which if unresolved can lead to security defects. Catching those misconfigurations early can improve the security posture of production deployments.
Why shifting security left matters
Google’s DevOps Research and Assessment (DORA) highlights the importance of integrating security into DevOps in the 2016 State of DevOps Report. The report discussed the placement of security testing in the software development lifecycle. The survey found that most security testing and tool usage happened after the development of a release, rather than continuously throughout the development lifecycle. This led to increased costs and friction because remediating problems found in testing may involve big architectural changes and additional integration testing, as shown in Figure 1. For example, security defects in production can lead to GDPR violations, which can carry fines up to 4% of global annual revenue.
Figure 1: Traditional Testing Pattern
By inserting security testing into the development phase, we can identify security defects earlier and perform the appropriate remediation sooner. This results in fewer defects post-production and reduces remediation efforts and architectural changes. Figure 2 shows us that integrating security earlier in the SDLC results in overall decreases in security defects and associated remediation costs.
Figure 2: Security Landscape After Shifting Left
The 2021 State of DevOps Report expands the work of the 2016 report and advocates for integrating automated testing throughout the software development lifecycle. Automated testing is useful for continuously testing development code without the need for additional skills or intervention by the developer. Developers can continue to iterate quickly while other stakeholders can be confident that common defects are being identified and remediated.
From code to cloud
The DORA findings with regard to code security can also be applied to cloud infrastructure security. As more organizations deploy their workloads to the cloud, it’s important to test the security and configurations of cloud infrastructure. Misconfigurations in cloud resources can lead to security incidents that could result in data theft. Examples of such misconfigurations include overly permissive firewall rules, public IP addresses for VMs, or excessive Identity and Access Management (IAM) permissions on service accounts and storage buckets. We can and should leverage different Google Cloud services to identify these misconfigurations early in the development process and prevent such errors from emerging in production to reduce the costs of future remediation, potential legal fines, and compromised customer trust.
The key tools in our toolshed are Security Command Center and Cloud Build. Security Command Center provides visibility into misconfigurations, vulnerabilities, and threats within a Google Cloud organization. This information is critical when protecting your cloud infrastructure (such as virtual machines, containers, web applications) against threats, or identifying potential gaps from compliance frameworks (such as CIS Benchmarks, PCI-DSS, NIST 800-53, or ISO 27001). Security Command Center further supports shifting security left by allowing visibility of security findings at the cloud project level for individual developers, while still allowing global visibility for Security Operations. Cloud Build provides for the creation of cloud-native CI/CD pipelines. You can insert custom health checks into a pipeline to evaluate certain conditions (such as security metrics) and fail the pipeline when irregularities are detected. We will now explore two use cases that take advantage of these tools.
Security Health Checker
Security Health Checker continuously monitors the security health of a Google Cloud project and promptly notifies project members of security findings. Figure 3 shows developers interacting with a Google Cloud environment with network, compute, and database components. Security Command Center is configured to monitor the health of the project.
When Security Command Center identifies findings, it sends them to a Cloud Pub/Sub topic. A Cloud Function then takes the findings published to that topic and sends them to a Slack channel monitored by infrastructure developers. Just like a spell checker providing quick feedback on misspellings, Security Health Checker provides prompt feedback on security misconfigurations in a Google Cloud project that could lead to deployment failures or post-production compromises. No additional effort is required on the part of developers.
Figure 3: Security Command Center in a Google Cloud Environment
Security Pipeline Checker
In addition to using Security Command Center for timely notification of security concerns during the development process, we can also integrate security checks into the CI/CD pipeline by using Security Command Center along with Cloud Build as shown in Figure 4.
Figure 4: Security Pipeline Checker Architecture
The pipeline begins with a developer checking code into a git repository. This repository is mirrored to Cloud Source Repositories. A build trigger will begin the build process. The build pipeline will include a short waiting period of a few minutes to give Security Command Center a chance to identify security vulnerabilities. A brief delay may appear undesirable at first, but the analysis that takes place during that interval can result in the reduction of security defects post-production. At the end of the waiting period, a Cloud Function serving as a Security Health Checker will evaluate the findings from Security Command Center (Connector 1 in Figure 4). If the validator determines that unacceptable security findings exist, the validator will inject a failure indication into the pipeline to terminate the build process (Connector 2 in Figure 4). Developers have visibility into the failure triggers and remediate them before successfully deploying code to production. This is in contrast to the findings in the 2016 State of DevOps Report wherein organizations that didn’t integrate security into their DevOps processes spent 50% more time remediating security issues than those who “shifted left” on security.
Closing thoughts
DORA’s 2016 State of DevOps report called out the need for “shifting left” with security, introducing security earlier in the development process to identify security vulnerabilities early to reduce mitigation efforts post-production. The report also advocated for automated testing throughout the software development lifecycle. We looked at two ways of achieving these objectives in Google Cloud. The Security Health Checker provides feedback to developers using Security Command Center and Slack to notify developers of security findings as they pursue their development activities. The Security Pipeline Checker uses Security Command Center as part of a Cloud Build pipeline to terminate a build pipeline if vulnerabilities are identified during the build process. To implement the Security Health Checker and the Security Pipeline Checker, check out the GitHub repository. We hope these examples will help you to “shift left” using Google Cloud services. Happy coding!
This article was co-authored with Jason Bisson, Bakh Inamov, Jeff Levne, Lanre Ogunmola, Luis Urena, and Holly Willey, Security & Compliance Specialists at Google Cloud.
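The decision logic behind the two checkers described above, as an added Python example (not code from the article or its GitHub repository): it decodes a Security Command Center finding notification as delivered through Pub/Sub, builds the Slack message for the Security Health Checker, and computes the pass/fail result for the Security Pipeline Checker. The HIGH threshold, the fail-closed handling of unknown severities, the helper names and every sample finding are assumptions constructed for illustration.

```python
import base64
import json

# Ranks for the SCC finding "severity" values, lowest to highest.
SEVERITY_RANK = {"SEVERITY_UNSPECIFIED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def decode_notification(event):
    """Extract the finding from a Pub/Sub-triggered event; None if malformed."""
    try:
        payload = json.loads(base64.b64decode(event["data"], validate=True))
    except (KeyError, TypeError, ValueError):
        return None
    finding = payload.get("finding") if isinstance(payload, dict) else None
    return finding if isinstance(finding, dict) else None


def is_blocking(finding, threshold="HIGH"):
    """True for an ACTIVE, unmuted finding at or above the threshold severity."""
    if finding.get("state") != "ACTIVE" or finding.get("mute") == "MUTED":
        return False
    severity = str(finding.get("severity", "SEVERITY_UNSPECIFIED"))
    # Fail closed: an unrecognised severity string is ranked as CRITICAL.
    rank = SEVERITY_RANK.get(severity, SEVERITY_RANK["CRITICAL"])
    return rank >= SEVERITY_RANK[threshold]


def _escape(value):
    """Escape the characters Slack interprets in message text (&, <, >)."""
    return str(value).replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def slack_payload(finding):
    """Body for a Slack incoming webhook (the HTTP POST itself is left out)."""
    return {"text": "[{}] {} on {}".format(
        _escape(finding.get("severity", "SEVERITY_UNSPECIFIED")),
        _escape(finding.get("category", "UNKNOWN")),
        _escape(finding.get("resourceName", "unknown resource")))}


def pipeline_gate(findings, threshold="HIGH"):
    """Return (exit_code, blocking); a non-zero exit code fails the build step."""
    blocking = [f for f in findings if is_blocking(f, threshold)]
    return (1 if blocking else 0), blocking


def _event(finding):
    """Wrap a finding the way Pub/Sub delivers it: base64 of the JSON notification."""
    message = {"notificationConfigName": "organizations/0/notificationConfigs/example",
               "finding": finding}
    return {"data": base64.b64encode(json.dumps(message).encode()).decode()}


_FW = "//compute.googleapis.com/projects/example-project/global/firewalls/allow-all"
# Constructed sample findings; project, resources and severities are invented.
SAMPLE_FINDINGS = [
    {"category": "OPEN_FIREWALL", "severity": "HIGH", "state": "ACTIVE", "resourceName": _FW},
    {"category": "PUBLIC_IP_ADDRESS", "severity": "MEDIUM", "state": "ACTIVE",
     "resourceName": "//compute.googleapis.com/projects/example-project/zones/z/instances/vm-1"},
    {"category": "PUBLIC_BUCKET_ACL", "severity": "HIGH", "state": "INACTIVE",
     "resourceName": "//storage.googleapis.com/example-bucket"},
    {"category": "ADMIN_SERVICE_ACCOUNT", "severity": "CRITICAL", "state": "ACTIVE",
     "mute": "MUTED", "resourceName": "//cloudresourcemanager.googleapis.com/projects/1"},
]

if __name__ == "__main__":
    decoded = [decode_notification(_event(f)) for f in SAMPLE_FINDINGS]
    code, blocking = pipeline_gate(decoded)
    for finding in blocking:
        print(json.dumps(slack_payload(finding)))
    print("build step exit code:", code)
```

Resource names and categories are escaped before they reach Slack because they are free-form strings taken from the monitored environment.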
Source: Google Cloud Platform
With so many programming and scripting languages out there, developers can tackle development projects any number of ways. However, some languages — like JavaScript, Python, and Java — have been perennial favorites. (We’ve previously touched on this while unpacking Stack Overflow’s 2022 Developer Survey results.)
Image courtesy of Joan Gamell, via Unsplash.
Many developers use Docker in tandem with these languages. We’ve seen our users create some amazing applications! Here are some resources and recommendations to level up your container game with these languages.
Getting Started with Docker
If you’ve never used Docker, you may want to familiarize yourself with some basic concepts first. You can learn the technical fundamentals of Docker and containerization via our “Orientation and Setup” guide and our introductory page. You’ll learn how containers work, and even how to harness tools like the Docker CLI or Docker Desktop.
Our Orientation page also serves as a foundation for many of our own official walkthroughs. This is a great resource if you’re completely new to Docker!
If you prefer hands-on learning, look no further than Shy Ruparel’s “Getting Started with Docker” video guide. Shy will introduce you to Docker’s architecture, essential CLI commands, Docker Desktop tips, and sample applications.
If you’re feeling comfortable with Docker, feel free to jump to your language-specific section using the links below. We’ve created language-specific workflows for each top language within our documentation (AKA “Our Language Modules” in this blog). These steps are linked below alongside some extra exploratory resources. We’ll also include some awesome-compose code samples to accelerate similar development projects — or to serve as inspiration.
Table of Contents
How to Use Docker with JavaScript
How to Use Docker with Python
How to Use Docker with Java
How to Use Docker with Go
How to Use Docker with JavaScript
JavaScript has been the programming world’s leading language for 10 years running. Luckily, there are also many ways to use JavaScript and Docker together. Check out these resources to harness JavaScript, Node.js, and other runtimes or frameworks with Docker.
Docker Node.js Modules
Before exploring further, it’s worth completing our learning modules for Node. These take you through the basics and set you up for increasingly-complex projects later on. We recommend completing these in order:
Overview for Node.js (covering learning objectives and containerization of your Node application)
Build your Node image
Run your image as a container
Use containers for development
Run your tests using Node.js and Mocha frameworks
Configure CI/CD for your application
Deploy your app
It’s also possible that you’ll want to explore more processes for building minimum viable products (MVPs) or pulling container images. You can read more by visiting the following links.
Other Essential Node Resources
Docker Docs: Building a Simple Todo List Manager with Node.js (creating a minimum viable product)
Docker Hub: The Node.js Official Image
Docker Hub: The docker/dev-environments-javascript image (contains Dockerfiles for building images used by the Docker Dev Environments feature)
GitHub: Official Docker and Node.js Best Practices (via the OpenJS Foundation)
GitHub: Awesome Compose sample #1 (building a Node.js application with an NGINX proxy and a Redis database)
GitHub: Awesome Compose samples #2 and #3 (building a React app with a Node backend and either a MySQL or MongoDB database)
How to Use Docker with Python
Python has consistently been one of our developer community’s favorite languages. From building simple sample apps to leveraging machine learning frameworks, the language supports a variety of workloads. You can learn more about the dynamic duo of Python and Docker via these links.
Docker Python Modules
Similar to Node.js, these pages from our documentation are a great starting point for harnessing Python and Docker:
Overview for Python
Build your Python image
Run your image as a container
Use containers for development (featuring Python and MySQL)
Configure CI/CD for your application
Deploy your app
Other Essential Python Resources
Docker Hub: The Python Official Image
Docker Hub: The PyPy Official Image (a fast, compliant alternative implementation of the Python language)
Docker Hub: The Hylang Official Image (for converting expressions and data structures into Python’s abstract syntax tree (AST))
Docker Blog: How to “Dockerize” Your Python Applications (tips for using CLI commands, Docker Desktop, and third-party libraries to containerize your app)
Docker Blog: Tracking Global Vaccination Rates with Docker, Python, and IoT (an informative, beginner-friendly tutorial for running Python containers atop Raspberry Pis)
GitHub: Awesome Compose sample #1 (building a sample app using both Python/Flask and a Redis database)
GitHub: Awesome Compose samples #2 and #3 (building a Python/Flask app with an NGINX proxy and either a MongoDB or MySQL database)
How to Use Docker with Java
Both its maturity and the popularity of Spring Boot have contributed to Java’s growth over the years. It’s easy to pair Java with Docker! Here are some resources to help you do it.
Docker Java Modules
Like with Python, these modules can help you hit the ground running with Java and Docker:
Overview for Java
Build your Java image
Run your image as a container
Use containers for development
Run your tests
Configure CI/CD for your application
Deploy your app
Other Essential Java Resources
Docker Hub: The openjdk Official Image (use this instead of the Java Official Image, which is now deprecated)
Docker Hub: The Apache Tomcat Official Image (an open source web server that implements both the Java Servlet and JavaServer Pages (JSP))
Docker Hub: The ibmjava Official Image (implementing IBM’s SDK, Java Technology Edition Docker Image)
Docker Hub: The Apache Groovy Official Image (an optionally-typed, dynamic language for statically compiling Java applications and boosting productivity)
Docker Hub: The eclipse-temurin Official Image (provides code and processes for building runtime binaries or associated technologies, featured in the following “9 Tips” blog post)
Docker Blog: 9 Tips for Containerizing Your Spring Boot Code
Docker Blog: Kickstart Your Spring Boot Application Development
GitHub: Awesome Compose sample #1 (building a React app with a Spring backend and a MySQL database)
GitHub: Awesome Compose sample #2 (building a Java Spark application with a MySQL database)
GitHub: Awesome Compose sample #3 (building a simple Spark Java application)
GitHub: Awesome Compose sample #4 (building a Java app with the Spring Framework and a Postgres database)
How to Use Docker with Go
Last, but not least, Go has become a popular language for Docker users. According to Stack Overflow’s 2022 Developer Survey, over 10,000 JavaScript users (of roughly 46,000) want to start or continue developing in Go or Rust. It’s often positioned as an alternative to C++, yet many Go users originally transition over from Python and Ruby.
There’s tremendous overlap there. Go’s ecosystem is growing, and it’s become increasingly useful for scaling workloads. Check out these links to jumpstart your Go and Docker development.
Docker Go Modules
Overview for Go
Build your Go image
Run your image as a container
Use containers for development
Run your tests using Go test
Configure CI/CD for your application
Deploy your app
Other Essential Go Resources
Docker Hub: The Golang Official Image
Docker Hub: The Caddy Official Image (for building enterprise-ready web servers with automatic HTTPS)
Docker Hub: The circleci/golang image (for extending the Golang Official Image to work better with CircleCI)
Docker Blog: Deploying Web Applications Quicker and Easier with Caddy 2 (creating a Caddy 2 web server and Dockerizing any associated applications)
GitHub: Awesome Compose samples #1 and #2 (building a Go server with an NGINX proxy and either a Postgres or MySQL database)
GitHub: Awesome Compose sample #3 (building an NGINX proxy with a Go backend)
GitHub: Awesome Compose sample #4 (building a TRAEFIK proxy with a Go backend)
Build in the Language You Want with Docker
Docker supports all of today’s leading languages. It’s easy to containerize your application and deploy cross-platform without having to make concessions. You can bring your workflows, your workloads, and, ultimately, your users along.
And that’s just the tip of the iceberg. We welcome developers who develop in other languages like Rust, TypeScript, C#, and many more. Docker images make it easy to create these applications from scratch.
We hope these resources have helped you discover and explore how Docker works with your preferred language. Visit our language-specific guides page to learn key best practices and image management tips for using these languages with Docker Desktop.
Source: https://blog.docker.com/feed/