How to Share a Secret (Key), on AWS

AWS Secrets Manager was launched by Amazon Web Services in April 2018. Secrets Manager is a service you use with AWS cloud accounts to store, retrieve and rotate credentials, all via the API or the AWS Command Line Interface. You no longer need to rotate encryption keys and credentials by hand or hand-code the processes that rotate them automatically.
Before AWS Secrets Manager you had very few good options for keeping control of your credentials. Perhaps the password was written in an address book and kept in the safe of a trusted agent, or there was a backdoor that could reset your keys to a preset value. People have been thinking about keeping secrets safe for decades.
AWS Secrets Manager is charged with the massive task of distributing something that is supposedly “secret” to the right people. There are many secrets that need to be shared, and there are many ways to do it securely.
It is crucial to manage your secrets
AWS security admins know the challenges that come with managing many different secrets and credentials. Most accounts rely on requesting and rotating credentials for services and Amazon databases.
There is no 100% reliable way to extract credentials and hand them over while still maintaining security, and you cannot afford to skip measures such as rotating keys and passwords regularly.
Managers and users tend to be resentful of security measures. Let’s face facts. They can be a pain. Your security professionals are constantly concerned about potential vulnerabilities. They see the potential solutions as risky. Your company is at risk when you ask database administrators for credentials, embed them in environment variables, or make them available to the application.
Secrets Manager is a pretty darn effective program
Amazon’s entry in the secret-sharing market is fully managed by Amazon. The security of stored secrets and credentials can be tied directly to Identity and Access Management (IAM) on your AWS account. Secrets Manager can also be integrated with AWS Key Management Service (KMS), which lets you further encrypt all of your cloud-stored data.
Secrets Manager also includes a secret rotation feature that rotates passwords and API keys automatically. This can be wired to a Lambda function that performs the rotation.
Choosing Secrets Manager is partly a cost decision. It costs $0.40 per secret per month and $0.05 per 10,000 API calls. AWS offers more cost-effective and even free options for protecting sensitive data, so your organization has to decide whether the premium is worth paying.
You don’t want secrets to be shared? There are other options.
AWS Secrets Manager may not be exactly what you need for AWS credential and secret management, but there is always the tried-and-true distribution of access keys. It is not a good idea to be casual with your admin-level access keys. There are many resources that will help you distribute keys without making your accounts vulnerable.
Amazon publishes best practices for managing access keys; the full guidance is in the AWS General Reference. The bottom line is to grant only the access you need. Amazon emphasizes that access keys should never be stored insecurely and should be created only when absolutely necessary. Temporary security credentials (via IAM roles) also help keep things safe by granting people the access they need for the moment rather than long-term access.
IAM roles can be he


How to secure your PowerShell

PowerShell is an extremely powerful tool that can do incredible things in IT Infrastructure automation. It can also be misused for malicious purposes, which could lead to real damage to our environment. PowerShell security helps to minimize such risks, mainly through code signing and execution policy.
PowerShell’s default configuration prevents scripts from being run by double-clicking them; this is there to protect your data. Scripts must be digitally signed with a certificate that is trusted on the client computer. Scripts downloaded with a web browser are blocked by default by a mark in their metadata, and a script always runs within the context of the user who launched it.
Here are some ways to make your PowerShell environment more secure and allow you to rest a little easier.
Why Implement PowerShell Secured Scripts
PowerShell secured scripts can be a feature you don’t use until you actually need it. Unsigned scripts are a common scenario in small organizations where IT infrastructure management is delegated to a few employees. Even there, it is important to know who is doing what.
It is difficult to control who is running what on which system in an enterprise environment, where management of the infrastructure is delegated across different teams. It is even harder to ensure that the right people are running the correct scripts.
This opens the door to issues of command hijacking, execution control, identity and integrity.
Execution control in PowerShell is governed by the execution policy, which decides which scripts the host is allowed to run. There are four policy levels: Restricted, AllSigned, RemoteSigned, and Unrestricted.
Restricted refers to the most restrictive policy. It prohibits any type of script from being run — remote, local, or downloaded.
AllSigned requires that all scripts be digitally signed using certificates. Otherwise, the system will not allow them to run.
RemoteSigned allows scripts from remote UNC paths and downloaded scripts to run only if they are digitally signed. Local scripts can still run unsigned.
Most companies run Unrestricted, especially small ones where a single system administrator has never needed a script execution strategy. All scripts execute regardless of whether they are digitally signed.
Code signing, identity and integrity for PowerShell scripts all rest on certificates. We use certificates to authenticate scripts, distinguishing scripts that were developed, tested and run by specific individuals from scripts that were downloaded from the internet. This lets us decide which scripts are more privileged and which are less trusted.
To give an example, users can search the internet for PowerShell scripts that automate Microsoft Office tasks or other Windows client OS components. They have no way to make sure that the script isn’t malicious, doesn’t contain bad code, and does the job it claims to do.
By requiring that only signed scripts run, we can ensure that 99 percent of scripts in an enterprise are legitimate and not malicious.
How to Implement Security
We have two options: either use ADCS or purchase a code signing certificate from a certificate authority such as VeriSign or GoDaddy.
If we use ADCS (Active Directory Certificate Services), we need to add a code-signing certificate template and allow only certain users to request certificates from it. Once the authorization has been granted,


How to Prevent Credential Stuffing Attacks

Online, terms like data breaches, brute force attacks and cybersecurity are part of our everyday vocabulary. Credential stuffing is a term that may be less common outside the cybersecurity community.
Well-publicized data breaches quickly make the top news, highlighting the scale and extent of a successful cyberattack. Once the big story is over, though, the news cycle rarely follows what happens to the stolen data and how it is later used.
There is a good chance that you or someone you know has been the victim of a data breach. Login credentials are one of the most commonly stolen data sets, and credential stuffing can cause serious damage once hackers have them.
What is Credential Stuffing?
Imagine that you have been notified that your data was compromised. You are usually given some information about what happened and then instructed to change your password. Sometimes you are even promised that the organization will do better. What is becoming more common is that the stolen login credentials are then used to log in to many other websites and applications.
Credential stuffing is the act of a bad actor using stolen login credentials to gain access to your accounts: taking breached account information and automating large-scale login requests across multiple websites or web apps.
Credential stuffing sounds harmless until you think about the consequences and the scale of these attacks. Cyberattacks and data breaches expose alarming amounts of data, and credential stuffing multiplies the impact of that stolen data.
Credential stuffing success rates vary and can range from less than 1% to 3%. Such low success rates might make credential stuffing seem futile, but consider that a 0.1% success rate over one million attempts would yield 1,000 compromised accounts and potentially stolen personal data.
Credential stuffing is a growing cybersecurity risk because of the sheer number of login attempts involved and the number of web applications that use account information. Stolen login credentials are fed into web login forms across hundreds, if not thousands, of websites and applications in the hope of matching one of your accounts. Attackers will literally insert your credentials into as many websites and applications as possible, hoping for a successful login.
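From the defender’s side, the pattern just described has a recognizable signature in the login logs: one source making many attempts against many different usernames with almost no successes, which is quite different from a brute-force attack hammering a single account. The detector below is an added example, not code from the original article. The log line format, the thresholds and the sample traffic (which uses RFC 5737 documentation addresses) are all constructed for illustration.

```python
"""
Spot credential-stuffing traffic in web login logs.

Added example, not code from the original article. The log format is
constructed for illustration: one line per login attempt,
"<ISO timestamp> ip=<source> user=<name> result=<ok|fail>".
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(lines):
    """Parse the constructed log format; lines that do not match are skipped."""
    attempts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            attempts.append(Attempt(datetime.fromisoformat(m["ts"]), m["ip"],
                                    m["user"], m["result"] == "ok"))
    return attempts


def classify_sources(attempts, window=timedelta(minutes=10), min_attempts=20,
                     max_success_rate=0.05, min_distinct_ratio=0.8):
    """Return {source_ip: verdict} for sources whose traffic inside any
    sliding time window looks automated.

    "stuffing"    : many attempts, nearly every one against a different
                    username, and almost none succeed. That is the signature
                    of a breached username/password list being replayed.
    "brute_force" : many attempts concentrated on one or a few usernames.
    A source with few attempts, or a healthy success rate, is left alone.
    """
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)

    verdicts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end].ts - events[start].ts > window:
                start += 1
            span = events[start:end + 1]
            if len(span) < min_attempts:
                continue
            success_rate = sum(a.ok for a in span) / len(span)
            if success_rate > max_success_rate:
                continue
            distinct_users = len({a.user for a in span})
            if distinct_users / len(span) >= min_distinct_ratio:
                verdicts[ip] = "stuffing"
                break
            if distinct_users <= 3:
                verdicts[ip] = "brute_force"
                break
    return verdicts


def sample_log():
    """Constructed sample traffic using RFC 5737 documentation addresses:
    one stuffing source, one brute-force source, and one ordinary user."""
    base = datetime(2023, 1, 1, 9, 0, 0)
    lines = []
    # 198.51.100.7 replays 40 breached username/password pairs in two minutes;
    # exactly one pair still works (the reused password the article warns about).
    for i in range(40):
        ts = base + timedelta(seconds=3 * i)
        result = "ok" if i == 17 else "fail"
        lines.append(f"{ts.isoformat()} ip=198.51.100.7 user=user{i:03d} result={result}")
    # 203.0.113.9 hammers a single account instead.
    for i in range(30):
        ts = base + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()} ip=203.0.113.9 user=admin result=fail")
    # 192.0.2.5 is a real person: one typo, then a successful login.
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()} ip=192.0.2.5 user=alice result=fail")
    lines.append(f"{(base + timedelta(minutes=1, seconds=20)).isoformat()} ip=192.0.2.5 user=alice result=ok")
    return lines


if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(parse_log(sample_log())).items()):
        print(f"{ip}: {verdict}")
```

Per-source-IP thresholds are only the first cut: real stuffing campaigns are spread across proxy pools, so the same distinct-username and success-rate logic is usually also applied per autonomous system, per user agent, or site-wide over a short window. Whatever raises the alert, the responses are the same: rate-limit or challenge the source, step up to multi-factor authentication for the accounts involved, and reject passwords that appear in known breach lists so a reused credential stops working before it is replayed.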
If a bad actor has valid login credentials, they can steal your personal information (including birthdates, credit card numbers, and possibly social security numbers). They can make purchases and even change your login information, locking you out of your account. They may also sell your login information or data to other criminal entities, and it often ends up on the dark web or black market.
In 2016, Uber, the world’s leader in ride-sharing, was hit hard by credential stuffing. Stolen login credentials belonging to Uber employees were used to access a private GitHub repository used by Uber application developers. Despite knowing better, developers had reused the same passwords and email addresses from other sites. They also had not enabled multi-factor authentication, even though it was available, which allowed the hackers into the GitHub repository.
From the repository the hackers obtained further credentials, giving them access to the personal information and data of 32 million Uber members and 3.7 million international drivers.
Another example is a data breach on a third-party racing website that allowed ha


How to Prepare for the OSCP

The information security market is still volatile. We’ve heard about a disturbing trend for years, with survey after survey reporting the exact same thing: a severe shortage of qualified, skilled talent to fill mission-critical roles.
This should make your ears prick up. Anybody looking to make a move in the cybersecurity market, or even pivot into infosec from an existing IT area, is in a great position. It’s worth looking into the various positions in infosec and the types of training that you will need to make that move.
Although most infosec positions are focused on the defensive side of the job, such as Security Engineers or SOC Analysts, we believe the real fun lies in the offensive.
Look at the Penetration Tester!
There are few other jobs that require you to hack into systems, find network weaknesses, exploit vulnerable applications, break through sloppy code, or go for ROOT (or ADMINISTRATOR, on Windows). Pentesters are professional hackers. However, they must be authorized to do so as part of a carefully scoped engagement in order to stay on the right side of the law.
Got your attention? Great. Go back to the first paragraph and notice two key words: “a severe shortage of skilled, qualified talent.” How do you acquire the necessary skills and qualifications in a field where the FBI may pay you a visit if you do it wrong?
Offensive Security Certified Professionals, of course! There are many options when it comes to pentesting certs. But we’re here for the best: the Offensive Security Certified Professional (OSCP).
The OSCP is a well-respected and widely accepted pentesting certification. It teaches core pentesting skills, and there are many to learn. It is also known for its toughness: there is not much hand-holding, as the “try harder” motto makes clear.
How to Get Started in the PWK Courseware
The Penetration Testing with Kali Linux course (PWK) is the first requirement for the OSCP. The course consists of a PDF and videos that introduce you to Kali Linux, a Linux distribution preloaded with nearly every open-source pentesting tool.
The course is extremely comprehensive and covers everything from catching reverse shells, running port scans with Nmap and cracking password hashes with John the Ripper to exploiting vulnerable apps with Metasploit.
You Must Enumerate Your Targets Carefully
However, it goes beyond knowing how to use tools. Pentesters need a certain mindset to succeed. It is important to be meticulous and methodical when enumerating a target from the outside. It’s useless to know which Fort Knox room holds the gold if you don’t know how to get through the perimeter fence.
Pentesting is the same. You must find every open port, identify the version of each running service, and then research carefully to find your way in. You will need to absorb large amounts of information, digest it, and think like an administrator, relying on your knowledge of networking, operating systems and network services, as well as scripting languages.
If you are stubborn, you’ll hit more brick walls than open doors. The PWK will test you in all these areas and either make you stronger or break you.
Do Your Exercises
The course also includes a series of exercises that let you get your hands dirty writing basic shell scripts, running tools, and probing ports. These exercises are great learning opportunities. Sometimes they are very straightforward, but sometimes you will need to do some research on your own.
This is the approach that a lot of OSCP members take.


How to Prepare for the OSCP With the OWASP

Injection is a crucial vulnerability class that every OSCP student must be aware of, and we covered it in a previous article. Hackers can use this category of vulns in many ways, including SQL injection, command injection, and cross-site scripting.
The OWASP Top 10 is a regularly updated list of the most critical web vulnerabilities, ranked by information security professionals, and injection is one of its entries. These are the most exploited vulnerabilities, so there is a lot of overlap between the Top 10 and the content you will encounter in the OSCP course.
Injection is just one of the items on the list. It is worth your time, both as pre-OSCP preparation and as an informed infosec professional, to be familiar with all of them. Today we will discuss the other vulnerabilities in the OWASP Top 10 that you are most likely to encounter during OSCP studies: broken access control, security misconfiguration, and vulnerable and outdated components.
Broken Access Control
This vulnerability moved up to the top spot in the 2021 revision of the Top 10, so it is a serious issue for internet security. It’s so bad that OWASP reports nearly 4% of sites tested had broken access control.
That may sound low, but it means one in 25 web apps was vulnerable. Do you use 25 web apps regularly? Then the number matters to you. Remember that almost everything, from email to banking to social networking to project planning to online education, is a web application these days.
Let’s step back and ask what broken access control is and why it matters so much. Perhaps a better question is: what is access control? Consider the AAA framework and how it applies here. The first A is authentication, which is basically a login; it can be done via single sign-on, a password, or OAuth. The next A is authorization, which is whether the authenticated user is allowed to reach the requested resource. For a file, the access controls determine whether the authenticated user has the read permission needed to open it.
Broken access control is when an authenticated user can access information they shouldn’t: viewing sensitive information such as bank details or orders, or opening files they have no right to. For example, you log in to view the details of your order, and the URL of the page is www.mywebstore.com/orders?order_number=123.
What happens if you change the 123 in the URL to 124? A well-built app returns an error if it isn’t your order. You can try it with Amazon right now: Amazon’s order details page URLs contain something very much like an orderID query string, and changing the orderID returns “There is a problem loading that order,” or, in other words, “Nice try hackerman, but no dice!”
Broken access control on a less secure website, however, would let you see another person’s order, modify or cancel it, read their name and address, and, if security at mywebstore.com is really bad, their credit card information. These are known as horizontal access control attacks: you gain access to another user’s stuff, but not necessarily elevated permissions within the app.
Role-based attacks are another way to play with access controls. This can lead to vertical access control problems. Vertical refers to moving up in the app and increasing your permissions to a higher level.
Web apps commonly use role-based access control (RBAC): users are created and assigned roles that carry certain permissions, and these roles typically include admin and user. How the app verifies an authenticated user’s role
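The order-lookup scenario above maps directly onto two checks a handler has to make: a horizontal one (does this order belong to the caller?) and a vertical one (does the caller hold a role that permits this action?). The code below is an added example, not from the original article; the users, roles and order numbers are constructed for illustration, the first function reproduces the broken pattern described above, and the others show the checks that close it.

```python
"""
Horizontal and vertical access control checks for an /orders endpoint.

Added example, not from the original article. The users, roles and
order numbers are constructed for illustration; view_order_broken shows
the IDOR pattern the article describes and the other functions show the
checks that close it.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    """What the server-side session knows about the caller. Roles live
    here, never in a request parameter or a client-editable cookie."""
    name: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass
class Order:
    number: int
    owner: str
    total: float
    cancelled: bool = False


class AccessDenied(Exception):
    """Raised for 'no such order' and 'not your order' alike, so the
    response does not tell a caller which order numbers exist."""


# Constructed sample data: two customers and one administrator.
ORDERS = {
    123: Order(123, "alice", 42.00),
    124: Order(124, "bob", 99.50),
}
USERS = {
    "alice": User("alice", frozenset({"user"})),
    "bob": User("bob", frozenset({"user"})),
    "carol": User("carol", frozenset({"user", "admin"})),
}


def view_order_broken(order_number: int) -> Order:
    """The broken pattern: authentication happened at login, but this
    handler never asks whether the caller may see this order, so any
    logged-in user can walk order_number=123, 124, 125, ..."""
    order = ORDERS.get(order_number)
    if order is None:
        raise AccessDenied()
    return order


def view_order(current_user: User, order_number: int) -> Order:
    """Horizontal check: the order must belong to the caller, unless the
    caller holds a role that is allowed to see everyone's orders."""
    order = ORDERS.get(order_number)
    if order is None:
        raise AccessDenied()
    if order.owner != current_user.name and "admin" not in current_user.roles:
        raise AccessDenied()
    return order


def cancel_any_order(current_user: User, order_number: int) -> Order:
    """Vertical check: an admin-only action, decided from the session's
    roles before the order is even looked up."""
    if "admin" not in current_user.roles:
        raise AccessDenied()
    order = ORDERS.get(order_number)
    if order is None:
        raise AccessDenied()
    order.cancelled = True
    return order


def can_view(user_name: str, order_number: int) -> bool:
    """True if view_order would succeed for that user (handy for tests and audit logs)."""
    try:
        view_order(USERS[user_name], order_number)
        return True
    except AccessDenied:
        return False


def can_cancel(user_name: str, order_number: int) -> bool:
    """True if cancel_any_order would succeed for that user."""
    try:
        cancel_any_order(USERS[user_name], order_number)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    print("alice views 123:", can_view("alice", 123))      # True: her own order
    print("alice views 124:", can_view("alice", 124))      # False: horizontal attempt blocked
    print("alice cancels 124:", can_cancel("alice", 124))  # False: vertical attempt blocked
    print("carol cancels 124:", can_cancel("carol", 124))  # True: admin role from the session
```

Two design points are worth noting. The ownership check compares against the user identity held in the server-side session, not against anything the client sends, because a client-supplied user or role field is exactly what a vertical attack would tamper with. And the same AccessDenied response is returned whether an order does not exist or simply belongs to someone else, so a caller who cycles through order numbers learns nothing about which ones are real.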


How to prepare for a Capture the Flag Hacking Competition

Hacking is not like the movies, where your motley crew has your back as you face off against a worthy adversary.
Most security jobs are boring, and you probably want them that way. Audit. Find vulnerabilities. Patch. Rinse and Repeat. Many security professionals, both new and experienced, participate in Capture the Flag competitions or use CTF challenges to keep their skills sharp.
CTF challenges are an excellent way to learn hacking skills, improve your problem-solving skills and get practical experience. CTF competitions provide the right amount of pressure to keep things exciting and help you sharpen your skills.
CTF competitions are a great way to test your skills, challenge yourself and perhaps even win bragging rights.
What are capture-the-flag competitions?
Capture the Flag hacking contests are much like the capture-the-flag mode in a first-person shooter: one team of players tries to capture the opposing team’s flag while defending its own. In a CTF competition the flag is usually a small piece of code, a file, or a piece of hardware. In other cases the competition progresses through a series of questions, like a race.
They can be either one-off or ongoing challenges and fall into three main categories: Jeopardy, Attack-Defense, and mixed.
Attack-Defense
This type of competition is closer to the backyard capture-the-flag game than the Jeopardy format. Teams defend their own host PC while attacking the target PCs of the opposing teams. Each team is given a time limit to patch and secure its PC; the goal is to find and fix as many vulnerabilities as possible so that the attacking teams cannot get in. Teams receive points for successfully infiltrating other groups and for preventing attacks from their opponents. The team with the most points wins.
Jeopardy CTF
Jeopardy-style CTFs present contestants with a series of questions whose answers reveal clues that help them solve complex tasks in a certain order. Contestants learn the best techniques and methods as the clues are revealed. Each task completed earns the team points, with more points for more difficult tasks.
Online CTF competitions tend to be Jeopardy-style, since that format is easier to play alone and requires less coordination than an Attack-Defense competition.
Mixed Events
Mixed competitions, as the name implies, combine the Jeopardy and Attack-Defense formats. Sometimes organizers break the competition into separate events; sometimes they split teams so that members compete in concurrent events of different types.
What is the difference between CTFs and hackathons?
Hackathons and CTF competitions both have teams working together in a coordinated fashion within a set time limit. That is roughly where the similarity ends.
In a CTF competition, teams bypass security systems and gain points using known or competitor-created exploits. It’s a game.
Hackathons are a more collaborative event that allows programmers and developers to show their creativity by creating a working program or application within a given time frame while adhering to specific criteria. Hackathons can be security-related but they are a general term.
The “hack” in hackathon refers to an end product being “hacked together,” a popular phrase in homebrew and DIY circles, and not to computer hacking.
How to prepare for Capture the Flag contests
This is a different technology from other technics


How to plan your Microsoft Exchange 2016 Setup

Despite the rise of collaboration services, video conferencing, and social media, email remains the most important communication tool for organizations. Imagine what happens if email service is interrupted: customers don’t receive order confirmation emails, sales can’t send proposals or quotes to prospects, and suppliers’ shipping requests are delayed. Even with a tested continuity plan, outages cannot always be avoided, and the business suffers.
Cloud email services are being adopted by many organizations — Office 365, Gmail and others — for cost, reliability and the availability of new features. These services may not be the best option for all situations. Many organizations prefer to keep control of their email system on servers located in their own data centers, or virtual data centers.
In these cases, you will need to set up, secure, manage, and maintain a Microsoft Exchange email system. You might also consider Ubuntu or Kerio Connect, but let’s face the facts: Exchange Server is the 800-pound gorilla. Microsoft Exchange had a 64 percent share of the on-premises messaging and collaboration market as recently as 2014, and an estimated 61% of all Microsoft Exchange Server deployments in 2018 were on-premises.
Setting up Exchange 2016 — You Are Not on Your Own
You have been assigned to set up Microsoft Exchange 2016 servers for your organization. This is a huge responsibility, given the mission-critical nature of email. You’re also dealing with a complex system with many parts, not to mention a user base with high expectations.
This is not something you have to do all the time, but migration to Exchange Server 2016 is a well-trodden path. There are many resources, best practices, and tools to make the process easier. Let’s take a look at the steps you should follow when setting up Exchange 2016.
Start Point
It is unlikely that you will be starting from scratch. You might have an existing email server, or an older version of Microsoft Exchange. You might be charged with unifying different email systems in the event of a merger.
Start by identifying your users and the devices they use for email. Are they using Windows laptops or desktops? Are they part of the mobile workforce that is becoming increasingly popular? Are they working from home and require a web client that can be used on their own computer? You get the idea.
The migration should be seamless for them. However, you will need to understand how Exchange 2016 supports their email client as well as what changes may be required. You will need to have a plan in place for announcing and rolling out a new client if there is a change of client.
You may need to migrate from an older version of Exchange (2007, 2010 or 2013). Are you using Exchange Public Folders? They will need to be transferred, and how you do this depends on which Exchange editions you have. It is best to plan this before you start.
Capacity and Feature Planning
Okay, you know where you are coming from. Now, where are you going?
How many users will your system need to support? What is the current email volume? How is it trending? Are there significant peaks and valleys, or groups of high-volume users? Are there Exchange 2016 features you are interested in using?
The product is mobile- and cloud-friendly and more user-friendly than Exchange 2010 or earlier versions. The Outlook on the web client supports many of the smartphones and tablets (including Android and iOS) you will see among mobile workers or in Bring Your Own Device (BYOD) programs. Exchange 2016 integrates easily with OneDrive, SharePoint, and Skype for Business, so email users can share and archive files through embedded links instead of attaching files.
Service Level Agre


How to choose the right AWS Storage Service for Your Organization

In recent years, anyone with large storage requirements has likely considered the cloud. Cloud storage is not as simple as we would like. Each AWS storage service offers its own unique features and pitfalls, while reducing costs.
It can be overwhelming to try to navigate all the options. We’ll show you the best use cases for each AWS storage service so your eyes don’t glaze over.
Amazon Glacier

The cloud offers many benefits, including the ease of retrieval and low cost. Amazon Glacier is the best storage option, at $4 per month for 1TB.
Glacier restorations usually take place at a crawl. This is why it’s not recommended for data that needs to be recovered quickly. Glacier can also be expensive when restoring large amounts of data, so it is best used only for off-site archives that you rarely expect to retrieve. For low volumes of restoration Glacier is a great option, as it provides 10GB free of charge.
Glacier can be accessed through a variety of client applications. Many of these are free and open-source, such as FastGlacier. Glacier is one of the easiest cloud backup services to set up.
Best uses:
Off-site backups that will rarely (if ever!) need to be restored
Compliance archives
Backups of developer repositories
Backups of the user home directory

Elastic Block Store (EBS)
EBS is the primary storage of EC2 instances. EBS is a block storage that behaves like a hard disk. It can be formatted to any file system that is needed for the instance.
EBS can further be divided into price/performance categories: volumes can reside on more expensive solid-state drives (best suited for high IOPS) or on affordable hard disks (optimized for high MB/s throughput). You can take quick snapshots of servers or disk images from the AWS management console.
Best Uses
Application files and operating system for EC2 instances
RAID configurations
High-volume databases
Situations that require a lot of operations per second

EBS has a downside. Volumes are pre-sized and don’t automatically scale, which means you provision and pay for storage you aren’t actually using. Without careful monitoring you can quickly run out of storage space, which can cause your applications to stop.
Elastic File System (EFS)
EFS is an NFS-based file system that allows content management worldwide. Although it is the most expensive AWS storage option, it also offers the most flexible connectivity options.
EFS can be mounted by multiple EC2 servers simultaneously, as well as by your local servers via AWS Direct Connect. Multiple web servers and applications can access the same files, eliminating storage redundancy.
Scalability is another area where Elastic File System excels. EFS automatically scales according to your storage needs, so you won’t have to pay for storage you don’t use. EFS may be the best option for data stores that expand and contract frequently.
Best uses:
E-commerce websites served by multiple distributed web servers
Distributed web servers for high-traffic global content management systems
Data analytics servers that require on-demand storage
Software development environments and repositories
Global organizations that require shared access to files

Simple Storage Service (S3)
S3 is the leader in on-demand AWS storage. It is the best option if you need quick access to your data and need to store it as cheaply as possible, which is why it is such a popular choice.


How to Pass the Palo Alto PCNSE Exam

The Palo Alto Networks Certified Network Security Engineer (PCNSE) is a highly sought-after certification. It certifies that candidates are able to design, install and configure Palo Alto Networks security systems.
Security engineers, pre-sales engineers, and system integrators typically hold or seek the credential. The PCNSE is beneficial for anyone who works with Palo Alto firewalls.
This post will discuss the PCNSE exam topics and exam prerequisites. It also includes important tips to help exam-takers pass.
Who should take the PCNSE Exam
Anyone taking the PCNSE exam must have a basic understanding of Palo Alto firewalls. This includes customers who use Palo Alto Networks technologies, value-added resellers, presales system engineers and support personnel.
What experience is required for the PCNSE exam?
It is recommended that you have at least three to five years of experience in network security or networking. A minimum of six months experience with Palo Alto Networks security equipment is required. You should also have at least one year of experience managing next-generation Palo Alto firewalls.
What Topics Does The PCNSE Exam Cover
To earn the Palo Alto PCNSE certificate, you must be able to use Palo Alto firewalls. The exam has 75 questions and an 80-minute time limit, with scenario-based, multiple-choice and matching questions. Passing requires a score of 70% or more. These are the domains that make up the PCNSE exam:
Planning and Core Concepts 19%
Deploy and Configure 32%
Deploy and Configure Firewalls Using Panorama 13%
Manage and Operate 16%
Troubleshooting 20%

Candidates who are interested in obtaining a PCNSE certification must begin preparation at least 4 months before taking the exam. They should also study all exam objectives as laid out in the PCNSE blueprint.
You should not only have theoretical knowledge about configuring the Palo Alto next generation firewall, but also practical experience configuring and troubleshooting them using Panorama.
Strategies to Pass the PCNSE Exam
You will need to study hard in order to earn the Palo Alto PCNSE certificate. These tips will help you prepare better for the PCNSE exam.
1. Use a Study Guide
A study plan should be weighted by the importance of the topics you are studying. You should cover all areas of the exam, but don’t spend too much time on topics you are already familiar with.
Plan to use the PCNSE study guide together with a comprehensive training program that covers all exam objectives. Work through each exam objective and estimate how long each section will take.
2. Take PCNSE Training
SPOTO PCNSE training will help you prepare for and pass the exam. SPOTO’s top trainer Keith Barker covers all topics on the PCNSE blueprint.
This course is 15 hours long and covers five skills, with a total of 113 videos. It should take you six weeks to complete the PCNSE course if you watch it 30 minutes per day, five days per week.
3. Keep your eyes on the prize and keep your mind focused
Studying can bring back unpleasant memories, but it doesn’t have to be that way. Remember that learning and certification are meant to help you become more familiar with Palo Alto Networks technologies.
Be mindful of what works for you, and avoid bad habits like multitasking. Perhaps you believe such late-night thinking


How to move from Azure DevOps into GitHub Actions

Azure DevOps is one of the most widely used CI/CD solutions in DevOps, and it is popular well outside of the Microsoft realm. Many organizations use AWS together with Azure DevOps to manage their CI/CD pipelines. It’s fast, robust and fully hosted for you, which means you don’t need to worry about platform management and infrastructure overhead.
Microsoft purchased GitHub in 2018, and GitHub Actions was developed almost immediately afterwards. This shows how important Microsoft believes DevOps is. It is clear that GitHub Actions will be around for a while, especially after Microsoft Build 2020. While Azure DevOps will continue to be available, it seems that GitHub Actions will be the central point of innovation.
This blog post will explain five key steps to help you transition from Azure DevOps into GitHub Actions.
Prerequisites for GitHub Actions
You will need the following to follow along with this blog post:
An understanding and application of source control
An understanding of continuous integration and continuous delivery (CI/CD)

Step 1: Create a GitHub account
You can skip to step 2 if you already have a GitHub account. This section will help you set up a GitHub account so that you can start committing code and then deploy it with GitHub Actions.
Open a web browser to go to GitHub’s homepage.

Type in your username, email, password, and website address on the homepage. These credentials will be used to log in to GitHub, so treat this password like a root password. After you have completed the information, click on the green Sign up to GitHub button.

To verify your identity, click the blue Verify button. Once you are done, click the blue Join a Free Plan button.

Next, you will need to indicate what type of work you plan on doing and how much programming experience you have. You can choose from a variety of levels of programming experience, and GitHub will even send you helpful tips if you don’t have any.

Once you have confirmed all the information, click the blue button at the bottom of the page to complete the setup.

For security purposes, you will be asked for verification of your email address. Once you are done, your GitHub account is created.

Step 2: Understanding the purpose of GitHub actions
You might be asking, “But wait! Microsoft put a lot of money and resources into Azure DevOps. So why GitHub Actions?” This is a question engineers and developers alike have asked. The answer is: GitHub Actions is not Azure DevOps.
Azure DevOps was designed with the enterprise in view, giving enterprises a CI/CD solution of their own. There were many other CI/CD solutions available before Azure DevOps, including Travis CI and Jenkins. Many organizations found that they didn’t offer an enterprise solution: they were not maintained by a single individual or organization. Azure DevOps fills that gap by offering a solution for DevOps needs by the people, for the people.
GitHub, however, must remain neutral and not be geared towards Microsoft specifically. GitHub’s primary focus is to host open source projects. It is a place where developers can go to find new projects, share code ideas, discuss issues and concerns, and collaborate. Microsoft has made it clear that GitHub will continue to fulfill its mission.
Step 3: Azure DevOps Pipelines vs Workflows
GitHub Actions uses workflows, while Azure DevOps uses pipelines. They are quite similar, but they also have their differences.
Pipelines are the primary way to build and deploy code in Azure DevOps. There are currently two types of pipelines:
Classic
YAML

Pipelines are a great way to create builds and releases.
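To make the pipeline/workflow comparison concrete, here is an added example (not from the original post or from either vendor’s documentation) showing a minimal Azure DevOps YAML pipeline and the GitHub Actions workflow that does the same job: check out the code, install Node.js and run the tests on every push to main. The two documents are shown together, separated by a YAML document marker, so the mapping of keys can be read side by side. The project name, Node.js version and test command are assumed for illustration; the trigger/on, pool/runs-on, task/uses and script/run keys are the real ones each product uses.

```yaml
# azure-pipelines.yml  (Azure DevOps YAML pipeline, constructed example)
trigger:
  branches:
    include:
      - main            # run the pipeline on pushes to main
pool:
  vmImage: ubuntu-latest  # Microsoft-hosted agent
steps:
  - checkout: self      # fetch the repository that owns this pipeline
  - task: NodeTool@0    # built-in task; assumed Node.js version for the example
    inputs:
      versionSpec: '18.x'
  - script: npm ci && npm test   # assumed test command for the example
    displayName: Install and test
---
# .github/workflows/ci.yml  (equivalent GitHub Actions workflow, constructed example)
name: CI
on:                      # "trigger" in Azure DevOps becomes "on" here
  push:
    branches: [main]
  pull_request:
    branches: [main]
permissions:
  contents: read         # least privilege: the job's GITHUB_TOKEN can only read the repo
jobs:
  build:
    runs-on: ubuntu-latest   # "pool/vmImage" becomes "runs-on"
    steps:
      - uses: actions/checkout@v4     # "checkout: self" becomes the checkout action
      - uses: actions/setup-node@v4   # "task: NodeTool@0" becomes the setup-node action
        with:
          node-version: '18'
      - run: npm ci && npm test       # "script:" becomes "run:"
```

Two points matter when translating a pipeline this way. First, a GitHub Actions workflow gets an automatic GITHUB_TOKEN whose default permissions are broader than most build jobs need, so setting an explicit permissions block (here contents: read) keeps a compromised dependency or test from pushing to the repository. Second, uses: lines pull third-party code into your build; pinning them to a specific version tag (or, stricter still, a full commit SHA) is the GitHub Actions counterpart of the pinned task versions, such as NodeTool@0, that Azure DevOps already requires.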
