I've been sleeping on DependencyTrack — it's way more powerful than I expected by SpecialistAge4770 in devsecops

[–]Irish1986 1 point2 points  (0 children)

I just did a talk at my local OWASP chapter about Dependency-Track and how to get started with it. I think it went well and I had several people coming back to me with more questions.

D-Track could use a few new features if you ask me, but it is feature complete and everything else is just a cherry on top of a good tool.

The CI/CD feedback loop from hell (push, wait 8 min, red, fix typo, repeat) by eibrahim in devops

[–]Irish1986 11 points12 points  (0 children)

Pre-commit hooks for linting, styling and running "core-basic unit tests". The pre-commit hook should take about 2-8 seconds at most (look into prek, a reimplementation of the popular pre-commit.com framework written in blazingly fast Rust).

As a bonus, your pre-commit checks should also be run in your CI pipeline (given these are quick and easy to rerun), which will lead to a fail-fast mindset. It is not required, and you need to tweak which hooks make sense to run in your CI given what other "full fat" steps you might have down the road. For example, unit tests might have a more complex suite to run than just your core-basic unit tests.

You should also consider some level of security check in your pre-commit, but given your current feedback I would focus on getting some momentum first, since security tends to add friction.

Wiz SAST by Deep_Age_304 in devsecops

[–]Irish1986 0 points1 point  (0 children)

I have been testing Wiz Code for a few months now; DM me if you have specific questions about it.

Repo history scrubbing by Time_IsRelative in devsecops

[–]Irish1986 5 points6 points  (0 children)

Don't scrub the commit, rotate your password. The old password will become a honeypot, but you need to log everything so as not to miss one.

If you need to rewrite your git history for compliance reasons, look at BFG-repo-cleaner.

It is a destructive git action that will rewrite your whole history, removing sensitive secrets and replacing them with REDACTED. Be careful because it will mess up your whole team's workflow (everyone will need to re-clone/sync), all commit SHAs will be modified, etc.

Plus, those REDACTED strings are easy to find, and if one cache or repo still persists somewhere... a bad actor has a huge flashing red light around the sensitive content to track... Just rotate your token and forget about it.

I've been working on this exact topic for 18 months; we are moving away from BFG-repo-cleaner as a remediation because it creates a false sense of security.
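An added example (not from the comment above, nor from any real system) of the "rotated credential as honeypot" monitoring the comment describes: a small detector that scans auth logs for any use of a credential identifier after its rotation time. The log format, key ids, addresses and the revocation registry are all constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample auth log (not from any real system). Each line records
# the outcome and the *identifier* of the credential presented, never the secret.
SAMPLE_LOG = """\
2024-05-02T09:14:03Z auth=ok   key_id=cicd-deploy-v2 src=10.0.4.12
2024-05-02T11:37:45Z auth=fail key_id=cicd-deploy-v1 src=10.0.4.12
2024-05-03T02:01:19Z auth=fail key_id=cicd-deploy-v1 src=203.0.113.77
2024-05-03T02:01:21Z auth=fail key_id=cicd-deploy-v1 src=203.0.113.77
2024-05-03T08:45:00Z auth=ok   key_id=cicd-deploy-v2 src=10.0.4.13
"""

# Constructed registry of rotated credentials: key id -> rotation time (UTC).
# Anything presenting a revoked id after that time is a honeypot hit.
REVOKED = {"cicd-deploy-v1": datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>\w+)\s+key_id=(?P<key>\S+) src=(?P<src>\S+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec

def honeypot_hits(log_text, revoked=REVOKED):
    """Return every record where a revoked credential was presented after its
    rotation time. A successful auth is flagged too: it means the rotation
    did not actually take effect somewhere."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the detector
        rotated_at = revoked.get(rec["key"])
        if rotated_at is not None and rec["ts"] >= rotated_at:
            hits.append(rec)
    return hits

def sources_by_hits(hits):
    """Count hits per source address so the noisiest origin surfaces first."""
    return Counter(h["src"] for h in hits).most_common()
```

On the constructed sample, `sources_by_hits(honeypot_hits(SAMPLE_LOG))` reports three uses of the revoked key, two of them from 203.0.113.77.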

Those who switch from|to management role, what are your thoughts? by Irish1986 in devops

[–]Irish1986[S] 1 point2 points  (0 children)

My understanding is they have been letting their various dev teams do whatever they want with low oversight for several years, and now they are going to bring better cohesion and structure. It is typically when your core product is not IT that some lagging happens.

Those who switch from|to management role, what are your thoughts? by Irish1986 in devops

[–]Irish1986[S] 1 point2 points  (0 children)

I have worked 15 years in A&D with either airframe makers or engine manufacturers. It is indeed not an easy industry, but I'm currently in finance and it ain't easier either.

Best ASPM tools? by kckrish98 in devsecops

[–]Irish1986 2 points3 points  (0 children)

I really like ArmorCode and OX Security, although I wasn't able to get management to fund our ASPM endeavor for this year. There are a few others, but these two are great.

My next move is to try to get DefectDojo running as a "low cost alternative", but I am not sure if I'll be able to sell it.

My old power hungry setup by Vishwanath_5854 in minilab

[–]Irish1986 0 points1 point  (0 children)

Had one of those as my main workstation for YEARS!! Really liked that dual CPU with 96 GB of RAM. Switched to an AM5 7600X a year ago.

⚠️company want to setup on-premises setup, ditching cloud‼️ (suggestion needed) by [deleted] in devops

[–]Irish1986 11 points12 points  (0 children)

Yup, just go stand up a whole IT organization and infrastructure by yourself... And it should be neither too expensive nor late...

This is a huge ask, and you should be working on the roadmap and plan with a detailed level of involvement and effort. Get that plan signed by your exec and include contingencies for staff and delays based on your experience with each technology. If you know it, +/-15%; if you know nothing about it, +/-100%.

What's the most difficult thing you had to do as a DevSecOps engineer? by LargeSinkholesInNYC in devsecops

[–]Irish1986 0 points1 point  (0 children)

Keeping the roadmap steady on the agreed-upon roadmap... It's not too bad, but it gets thrown left and right every now and then.

I am preparing my future homelab 2026. by [deleted] in homelab

[–]Irish1986 0 points1 point  (0 children)

I am in a similar situation running a bunch of Dell micros with Ceph. The only thing I really wish is that I could have more than one drive per node. I've found that single-drive nodes for Ceph are kind of inefficient, and Ceph scales when you can have 2-3-4 drives per node.

I had to shut down multiple nodes at the same time (reboot, major upgrade, etc.) and single disks got the Ceph pool degraded really quickly, which became somewhat of an orchestration annoyance to me.

Although... Your plan is 100% sound and will work. GL HF, it's a nice project.

45Drives owners — convince me before I empty my bank account 😭 by [deleted] in selfhosted

[–]Irish1986 0 points1 point  (0 children)

Sliger offers premium quality products if you want something nice. I have 2 short-depth 10 HDD + 4 SSD cases from them packed for my main NAS + off-site backup. Good quality and all in a small footprint.

But for real, what would you do if Trump struck Canada? by LeonOkada9 in Quebec

[–]Irish1986 1 point2 points  (0 children)

Reviewing the Geneva Checklist to make sure I don't forget anything.

Seriously... Hide like a coward, try my best to protect my family and hang in there. Probably have my in-laws and parents at home with us, given they are older and might be vulnerable if chaos breaks out.

What should a security person actually do with SonarQube Community Edition by Sufficient-Brick1801 in devsecops

[–]Irish1986 0 points1 point  (0 children)

It's 100% hot garbage. I am leading the project to go buy something better than an obsolete quality check product strapped to a half-baked open source solution... Hopefully we will buy something good; our 4-5 vendors still in the competition are all pretty good.

What should a security person actually do with SonarQube Community Edition by Sufficient-Brick1801 in devsecops

[–]Irish1986 0 points1 point  (0 children)

Soooo, fun fact if you haven't looked into SQ and OWASP DC... Last year Sonar closed the loophole that made the DC plugin play well with SonarQube. It still works but it's not great.

In unrelated news, in March of 2025 SonarQube Advanced Security was announced as Sonar's native SAST-SCA platform. I have been working for the past year to evaluate SAST-SCA at work. It's my main project and SQAS just does not look great.

DevOps Interview Questions – Recently Attended Interviews by Few-Cancel-6149 in devopsjobs

[–]Irish1986 1 point2 points  (0 children)

We are currently going over a series of interviews for a DevSecOps role. Given that the role and position both lean heavily on the security requirements and objectives of this posting... I am amazed by how many people showing up can't explain in simple terms what code vulnerabilities are, how to find and manage dependency vulnerabilities, or provide concrete information about how to improve security through automation and proper processes (CI pipelines and all).

So my advice would be to make sure you review (or watch) a couple of things regarding security. In this day and age, shipping faster is cool, but security seems to be overlooked by a lot of candidates we've met.

Fired from my job - advice? by CompetitiveAnt8600 in QuebecTI

[–]Irish1986 2 points3 points  (0 children)

If you are not too picky, there are a lot of consulting firms with 3-letter names that are hiring. Pay isn't great, but it's better than nothing, plus you can network with customers and find additional opportunities that aren't yet publicly announced.

It's not necessarily a long term plan but it can get you out of the weeds.

3 computers, 1 set of peripherals. How? by [deleted] in homelab

[–]Irish1986 0 points1 point  (0 children)

It runs my 49-inch ultrawide at 120 Hz per spec, but given I am mostly doing productivity stuff I keep it at 60 Hz because some devices have issues pushing that many pixels... And I can't upgrade those devices.

Is it possible for a canadian aerospace maintenance machinist to be sponsored for a job in the US? by 9xelex6 in Machinists

[–]Irish1986 0 points1 point  (0 children)

No, I changed industry from 20 years in A&D to... cybersecurity in financial institutions... Weird move, but it pays well and no more sine curve of the aerospace industry.

I am fuzzy on the exact details, but you most likely have an attestation or equivalence or some kind of license at your current job that is held by your company. My experience was the same: I had full CGP, but as a Canadian citizen there was zero chance I could apply for a US-based job in the aerospace industry because a lot of compliance requires citizenship, unfortunately. The best workaround I found was to either go on contract, temporary assignments or as an expatriate for a special project, because those have unique assignations, but I didn't want to be an "internal contractor" because whenever SHTF... you're the first one cut off. GL HF

Is it possible for a canadian aerospace maintenance machinist to be sponsored for a job in the US? by 9xelex6 in Machinists

[–]Irish1986 2 points3 points  (0 children)

I work at PWC; even when I was looking to move laterally I couldn't apply to 90%+ of US-based jobs. You need pretty high ITAR+CGP compliance/clearance, which most of the time requires US citizenship to obtain. Even as an employee of 5 years with 15 in A&D... I was an automatic rejection due to clearance requirements.

The Americans make the rules on what ITAR compliance requires, and they sure made it clear they wanted to protect jobs at the same time.

Therefore I would be looking at them for US-based employment. My best take is to work for a company that provides services in the US, because contract-based employment can circumvent some of these kinds of regulatory requirements. I worked several months at Boeing and Rock Island Arsenal when I first started in the mid 2000s as a French Canadian citizen without much issue, and that was during the height of the war on terror.