
Essay: Modern DevSecOps Security #1347

Merged
merged 3 commits into from
Apr 27, 2021

Conversation

felix-seifert

Essay: Modern DevSecOps Security

Needed Security Services for Security of Microservices-based Applications (MSAs)

Members

Felix Seifert (fseifert@kth.se)
GitHub: felix-seifert

Description

The proposal can be found under #933.

I did not describe the implementation details for the required security services. However, a table clearly states which
security services are needed, which security requirement they address and which MSA layer they deal with.

I am waiting for feedback from @amarhod .

With this essay, I aim for a distinction. I do not want to assess how good or bad I met the grading criteria. However,
I provide a list of how I think about the different aspects.

  • Format: The essay is in PDF format.
  • Title: I changed the initial title to show the relevance for DevOps/DevSecOps.
  • Well-structured: The structure of my essay is slightly similar to a research paper where I try to define everything before it is used.
  • Introduction: I show the relevancy of the topic of MSA security for our course topics. From the stated problems, I derive a research question which the essay then answers.
  • Conclusion: At the end of the essay, the research question is answered and it is shown how a DevSecOps engineer can benefit from the results.
  • Self-contained: The essay assumes that a computer science Master's student has the knowledge on what the eventual security services are and how they can be implemented.
  • Innovative: The essay does not show groundbreaking new ideas on how to implement MSA security. However, the essay clearly summarises which security services have to be implemented.
  • Figures: The two figures and the table are simple to understand and do not have any distracting elements. They complement the text and are not superfluous.
  • Sound: The essay is proofread and understandable by non-computer scientists.
  • References: The 15 references are mostly research papers which were also cited by other research papers. The non-research reference is a well-known computer scientist. The number is more than the requested minimum but also shows a clear selection of references.
  • Elegant: The essay is built with LaTeX. It does not use a plain standard template and shows a clear association to KTH.
  • Relevant: The relevance is explained in the introduction.

The essay can be found in the file Modern DevSecOps Security - Needed Security Services for MSAs.pdf.

@felix-seifert
Author

If I count the words locally with the suggested command from the lecture, the essay has 2082 words.

$ pdftotext "Modern DevSecOps Security - Needed Security Services for MSAs.pdf" - | tr -d '.' | wc -w
2082

What should I do?

@amarhod

amarhod commented Apr 25, 2021

Feedback

Summary

Overall a great essay and introduction on the topic with good language, clear structure, and ample amount of references and figures/tables. Figure 1 could be modified slightly to make it visually clearer. The description of secondary requirements could be omitted if you feel that another section could benefit from the spare word count.
Since the essay exceeds the 2100 limit (word count of 2239) according to the action that uses the "pdftotext filename | wc -w", it will have to be shortened somewhat for the final submission.

1 Introduction

A great introduction that briefly but efficiently gives the reader an introduction to Microservices-based applications (MSAs) and what connection it has to DevOps and more specifically DevSecOps. The section is well referenced and ends with a focused research question which prepares the reader for the contents in the coming sections.

2 Security

The section gives a great technical description of the term "security". It can require some parts to be re-read to fully grasp (e.g. primary and secondary requirements). However, considering the constraints that require the essay to be compact, it does the job well with the text, figure, and bullet points!

(Actionable)

The figure is compact and dense with information. A way to make it easier to comprehend visually could be to use color-coding. For instance, arrows related to the attacker terms (e.g. exploits, violates, causes) could be color-coded as red and the arrows related to the security terms (e.g. resolves, removes) could be color-coded as blue. There is also a small typo in the figure 1 legend ("adabapted").

3 Security in MSAs

This section could possibly be integrated with section 4 depending on the connection between them.
Giving a brief description (within the sentence) of the method "perimeter security" and the necessity (if there is one) of a layered approach for the "trust no one" paradigm would benefit the reader.

4 Layers for MSA Security

This section gives a solid understanding of the different layers, to consider from a security perspective, with good examples. However, the layers that are not specific to MSAs and the essay could be omitted to allow other parts to be articulated more if the author thinks it is needed. I personally appreciate the summary on each layer even if all of them are not relevant to the research question.

(Actionable)

The sub-sections could be ordered in the same order as they are mentioned in the first paragraph. Both for consistency and logical order of the abstraction levels.

5 Needed Security Services

Great representation of the mappings with the figure and table!

(Actionable)

Might be preferable to have the table legend above the table.

6 Conclusion

A short but adequate conclusion that answers the research question posed in the introduction.

References

The author does a great job supporting claims with references wherever applicable. The references also hold a very high quality with the majority of them being recent (written after 2010) and coming from scientific papers.

(Actionable)

There is an issue with the clickable link for reference number 2. The hyperref does not include the complete domain and path, only consisting of "https://martinfowler/".

@felix-seifert felix-seifert changed the title Add Essay and Description Essay: Modern DevSecOps Security Apr 26, 2021
@khaes-kth

Hi @felix-seifert

If I count the words locally with the suggested command from the lecture, the essay has 2082 words.

$ pdftotext "Modern DevSecOps Security - Needed Security Services for MSAs.pdf" - | tr -d '.' | wc -w
2082

What should I do?

Our script runs this command pdftotext | wc -w, as suggested in the google doc. I think your tr -d '.' is causing the difference.

@felix-seifert
Author

felix-seifert commented Apr 26, 2021

Hi @khaes-kth

I realised this just now. However, I am unsure whether the counter implemented by you is always correct.

I inserted the whole text from the PDF document into Libre Office Writer. The word number was indeed too high (2241 words). I then removed the period signs which separate titles and page numbers in the content table because I assumed that they are counted as words. After removing the period signs, I got a word count of 2084.

By removing the periods from the text before counting the words with tr -d '.', I get a word count of 2082 (not exactly like Libre Office but seems to be more exact). I submitted a PR for a change of the GH Action: #1364.

Before merging the PR with the essay, please let me implement the feedback.

  • Add color coding to figure 1 for `offense` and `defense` (red and green, suggested CD colors of KTH)
  • Add legend for `offense` and `defense` to figure 1
  • Fixed typo in image caption
  • No intention to omit secondary security requirements as they are important and their description is not long
  • Merge sections `Security in MSAs` and `Layers for MSA Security`
  • Change order of first mentioning of layers
  • Change position of caption of table 1
  • No intention to change ordering of figure 2 and table 1 because table gives final results and is more detailed than figure

@felix-seifert
Author

@amarhod, I am thankful for this feedback. Even though the suggested changes were not the biggest, they helped a lot and implementing the changes was very straightforward.

This is how I implemented the changes (link to associated commit):

  • Add color coding to figure 1 for offense and defense (red and green, suggested CD colors of KTH)
  • Add legend for offense and defense to figure 1
  • Fixed typo in image caption
  • No intention to omit secondary security requirements as they are important and their description is not long
  • Merge sections Security in MSAs and Layers for MSA Security
  • Change order of first mentioning of layers
  • Change position of caption of table 1
  • No intention to change ordering of figure 2 and table 1 because table gives final results and is more detailed than figure

The reference section does not include and never included any clickable links. The mentioned link to the website of Martin Fowler has a linebreak after the first dot of the domain; the URL continues in the next line and is complete. The reference list gets generated automatically by the LaTeX compiler.

@khaes-kth, the PR can be merged now.

Add date of submission to titlepage
@khaes-kth khaes-kth merged commit c4f42a7 into KTH:2021 Apr 27, 2021
@khaes-kth

Thanks @felix-seifert

@khaes-kth khaes-kth self-assigned this Apr 27, 2021
@khaes-kth khaes-kth added essay One of the task categories listed in README.md final_submission The final submission of a task labels Apr 27, 2021
@felix-seifert felix-seifert deleted the add-msa-security-essay branch May 23, 2021 06:46