Forem: Damien J. Burks

Prevention-First Cloud Security: Escaping Alert Fatigue for Good using Turbot

Damien J. Burks — Wed, 17 Dec 2025 14:09:42 +0000

Introduction
The Reality of Alert Overload
Why Prevention-First Security Resonates
CNAPPs Still Matter — But They’re Not Enough
What Stands Out About Turbot
Stop Chasing Alerts

Introduction

Hey y’all! I’m excited to talk about something every cloud security team is feeling right now: alert overload.

The Reality of Alert Overload

Over time, companies have built incredibly powerful CNAPPs (Wiz, Cortex, Pipes, etc.) that scan everything and surface everything. However, the reality I see over and over again is that findings pile up faster than teams can realistically fix them.

Security teams spend more time triaging alerts than actually reducing risk, and exposure windows stay open longer than anyone’s comfortable with.

Why Prevention-First Security Resonates

I partnered with Turbot to learn how their solution helps solve this and stopped by their booth at AWS re:Invent this year. Hearing their team talk about the shift to prevention-first cloud security really resonated with me.

Instead of waiting for misconfigurations to land in production, Turbot enforces guardrails at deployment time, ultimately blocking risky API calls, enforcing secure defaults, and eliminating exposure windows before they ever open.

CNAPPs Still Matter — But They’re Not Enough

CNAPPs still matter though, because they provide runtime visibility, identity insights, and posture analytics are essential.

Turbot complements that layer by preventing entire classes of misconfigurations before they ever exist, as part of a broader defense-in-depth strategy:

CNAPP → Deep visibility, detection, & prioritization
Turbot PSPM → Preventive guardrails at build, deploy, and runtime

What Stands Out About Turbot

And what do I really like is that Turbot tackles the hardest problems:

⚡ Zero-day security posture via org-level policies

(AWS SCPs, Azure Policy, GCP Org Policy)

🔁 Instant drift remediation at runtime

📉 Reduced attack surface + reduced alert fatigue

💨 Prevention that scales across thousands of accounts

Stop Chasing Alerts

If you’re tired of chasing alerts and want to stop issues before they start, check out Turbot’s prevention-first approach: https://turbot.com

SAST Scanning with SonarQube and Docker

Damien J. Burks — Tue, 04 Jun 2024 21:59:45 +0000

Introduction
Prerequisites
Understanding SonarQube
- What is SonarQube?
Understanding Docker Compose
- Key Features and Benefits
  - Simplified Configuration
  - Multi-Container Applications
  - Network Management
  - Volume Management
  - Environment Configuration
Scanning and Inspecting Sonar Results
- Cloning Vulnerable Web Application (TIWAP)
- Once it's cloned, you want to CD into the directory.
  - Spinning Up the Environment
- Verifying the Setup
- Setting Up SonarQube with Docker Compose
- Logging into SonarQube
- Creating a Project in SonarQube
- Running Sonar Scanner using Docker
- Reviewing Results in SonarQube
  - Security Vulnerabilities
  - Code Smells
Cleaning Up
- Delete volumes (database, etc.)
- Optional: Purge all images, networks, containers
Conclusion

Introduction

As a seasoned Cloud DevSecOps Engineer with a keen interest in integrating robust security practices into the development lifecycle, I am thrilled to share insights and practical knowledge on enhancing code security. In this article, we will delve into the powerful combination of SAST (Static Application Security Testing) using SonarQube and Docker and explore how these tools can fortify your applications against vulnerabilities. This is a technical blog post or article, so get ready for some code to be shared and repositories to get cloned using Git.

Prerequisites

Before you can start scanning the vulnerable web application with SonarQube and inspecting the results, you'll want to ensure you have the following list of applications and software packages installed:

Docker - We're going to be launching the application from Docker and also running the scans using Docker as well.

VS Code - This is not a hard requirement but highly recommended for viewing and editing files like the Docker Compose YAML file.

Git - We're going to need this to clone and checkout the repositories.

Understanding SonarQube

What is SonarQube?

SonarQube is a self-managed automatic code review tool that systematically helps you deliver clean code. I've used SonarQube several times within the past to help me out with DevSecOps related work or really to scan my code.

The application can be integrated with various different IDEs and pipelines to build, test, and deploy your code, and to be able to scan your code for all kinds of issues—not just security issues. It could be refactoring issues that your code has and many other things. Here are some key features of SonarQube:

Quality Gates: A score that defines how well-maintained and secure your entire application code base is.
Supports 30+ Languages: Including popular languages and frameworks.
Integration with DevOps & CI Platforms: GitHub, GitLab, BitBucket, Azure, etc.
Fast Analysis and Unified Configurations
SonarLint IDE Integration

For our SAST scanning purposes, we are going to focus on leveraging SonarQube and the Sonar Scanner to identify security vulnerabilities within our code.

No need to worry about paying though. SonarQube is free and open-source unless you opt-in for the enterprise or data center editions. We will use the Community Edition, which still covers many features that help us scan our code for various issues.

Understanding Docker Compose

Docker Compose is a powerful tool designed to define and manage multi-container Docker applications with ease. By using a single YAML file, Docker Compose allows developers to configure the various services, networks, and volumes that comprise their application stack, streamlining the deployment and management processes.

Key Features and Benefits

Simplified Configuration

Docker Compose uses a YAML file, commonly named docker-compose.yml, to define the entire application stack in a human-readable format. This file outlines each service in your application, the Docker images they use, and any dependencies between them. This simplifies the setup process, making it easy to replicate the environment across different machines or teams.

Multi-Container Applications

With Docker Compose, you can define multiple services that work together, such as a web server, a database, and a cache service. Each service runs in its own container, ensuring isolation and consistency. This modular approach allows you to scale individual components independently and manage complex applications with ease.

Network Management

Docker Compose automatically handles the creation and management of networks for your containers. It allows different services to communicate with each other seamlessly, using service names as hostnames. This built-in networking capability eliminates the need for manual network configuration and simplifies inter-service communication.

Volume Management

Persisting data is crucial for many applications. Docker Compose allows you to define volumes in your configuration file, ensuring that data is not lost when containers are stopped or recreated. Volumes can be shared between services, enabling data persistence and easy access across different components of your application.

Environment Configuration

Docker Compose supports environment variables, making it easy to manage different configurations for various environments (development, testing, production). By defining environment variables in the YAML file or in an .env file, you can customize service behavior without modifying the application code.

Scanning and Inspecting Sonar Results

Now that the conceptual part is over, let's get into the technical activity and cloning and setting up the vulnerable web application and SonarQube using Docker Compose and Git.

Cloning Vulnerable Web Application (TIWAP)

First, you’ll need to clone the TIWAP web application repository. I've specified the URL in the command below:

git clone https://github.com/The-DevSec-Blueprint/TIWAP

# Once it's cloned, you want to CD into the directory.
cd TIWAP

NOTE: If you're looking for a reference repository with the completed files and more directions, feel free to view the completed code here: Completed Code w/ more steps and explanations

Spinning Up the Environment

We will use Docker Compose to set up the necessary environment:

docker-compose up -d

NOTE: The -d flag runs the container in detached mode, but if you want to see real-time logs, you can run the following command below:

docker-compose up

Verifying the Setup

To ensure the environment is up and running, navigate to http://localhost:8000 in your web browser.

Setting Up SonarQube with Docker Compose

Clear your terminal:

  clear

Create the Docker Compose YAML File

You'll want to create another docker-compose.yml file. I'd highly recommend you create another folder or subdirectory within the TIWAP project, create the file, and then copy and paste the contents below in it:

  version: "1"

  services:
    sonarqube:
      image: sonarqube:lts-community
      depends_on:
        - sonar_db
      environment:
        SONAR_JDBC_URL: jdbc:postgresql://sonar_db:5432/sonar
        SONAR_JDBC_USERNAME: sonar
        SONAR_JDBC_PASSWORD: sonar
      ports:
        - "9001:9000"
      volumes:
        - sonarqube_conf:/opt/sonarqube/conf
        - sonarqube_data:/opt/sonarqube/data
        - sonarqube_extensions:/opt/sonarqube/extensions
        - sonarqube_logs:/opt/sonarqube/logs
        - sonarqube_temp:/opt/sonarqube/temp

    sonar_db:
      image: postgres:13
      environment:
        POSTGRES_USER: sonar
        POSTGRES_PASSWORD: sonar
        POSTGRES_DB: sonar
      volumes:
        - sonar_db:/var/lib/postgresql
        - sonar_db_data:/var/lib/postgresql/data

  volumes:
    sonarqube_conf:
    sonarqube_data:
    sonarqube_extensions:
    sonarqube_logs:
    sonarqube_temp:
    sonar_db:
    sonar_db_data:

This Docker command runs a container based on the sonarsource/sonar-scanner-cli image with the specified parameters. Here's a breakdown of each part:

1. `docker run`: This command is used to run a Docker container.

2. `--rm`: This flag ensures that the container is removed after it stops running. It helps in keeping your system clean by automatically removing the container once it's done executing.

3. `--network=host`: This flag specifies that the container should share the network namespace with the Docker host, allowing it to access services running on the host's network. In this case, it's often used to allow the container to access services running on localhost.

4. `-e SONAR_HOST_URL="http://localhost:9001"`: This sets an environment variable `SONAR_HOST_URL` with the value `http://localhost:9001`. It defines the URL of the SonarQube server that the Sonar scanner should connect to for analysis.

5. `-v "<your_absolute_path>:/usr/src"`: This mounts a volume from the host machine to the container. It maps the local directory `<your_absolute_path>` to the directory `/usr/src` inside the container. This allows the Sonar scanner to access the project files located on the host machine.

6. `sonarsource/sonar-scanner-cli`: This specifies the Docker image to be used for running the container. In this case, it's the official Sonar scanner CLI image provided by SonarSource.

7. `-D` flags: These are parameters passed to the Sonar scanner CLI within the container. They provide configuration options for the SonarQube analysis:
    - `sonar.projectKey`: Specifies the unique key for the project in SonarQube.
    - `sonar.sonar.projectVersion`: Specifies the version of the project.
    - `sonar.sonar.language`: Specifies the programming language of the project (Python in this case).
    - `sonar.sonar.sourceEncoding`: Specifies the encoding of the source files.
    - `sonar.login`: Specifies the authentication token or credentials required to connect to the SonarQube server.
    - `sonar.sonar.projectBaseDir`: Specifies the base directory of the project within the container.
    - `sonar.sources=.`: Specifies the directory containing the source files to be analyzed. In this case, it's set to `.` which typically represents the current directory.

Deploy SonarQube using Docker Compose:

  docker-compose up -d

Give it about 5-10 minutes to download and set up the necessary Docker container images for SonarQube and its database.

Logging into SonarQube

Once SonarQube is fully operational, navigate to http://localhost:9001 in your web browser.

Login Credentials:
- Username: admin
- Password: admin
Change the default password when prompted.

Creating a Project in SonarQube

Create a new project in SonarQube to scan. For this example, we'll use a vulnerable web application from GitHub.

Project Key: test-vulnerable-app
Project Name: Test Vulnerable App

You'll want to generate a token for Sonar Scanner and keep it safe as you'll need it for the scanning process.

NOTE: The highlighted token will not be valid; this is an example. Your token will be different and will be generated automatically.

Running Sonar Scanner using Docker

Navigate to your project directory in the terminal where you have cloned the vulnerable web application repository.

cd TIWAP

Run the following command to scan your project with SonarQube. Be sure to replace the <your_sonar_token> string with your generated token and the <your_absolute_path> string with the absolute path to the TIWAP codebase:

docker run \
--rm \
--network=host \
-e SONAR_HOST_URL="http://localhost:9001" \
-v "<your_absolute_path>:/usr/src" \
sonarsource/sonar-scanner-cli \
    -Dsonar.projectKey=test-vulnerable-app \
    -Dsonar.sonar.projectVersion=1.0 \
    -Dsonar.sonar.language=py \
    -Dsonar.sonar.sourceEncoding=UTF-8 \
    -Dsonar.login=<your_sonar_token> \
    -Dsonar.sonar.projectBaseDir=/root/src \
    -Dsonar.sources=.

The scan will take some time (roughly about 4-8 minutes), so feel free to take a stretch break! Once completed, the results will be published to your SonarQube project as shown below:

Reviewing Results in SonarQube

Log into the SonarQube console and navigate to your project to review the results. The scan results will be categorized into different sections like Bugs, Vulnerabilities, Code Smells, etc.

Security Vulnerabilities

Security vulnerabilities are critical issues within your code that can be exploited by malicious actors to compromise the integrity, confidentiality, or availability of your application. Identifying and addressing these vulnerabilities is paramount to maintaining a secure codebase. SonarQube's SAST (Static Application Security Testing) capabilities help detect these issues early in the development lifecycle, enabling you to fix them before they become significant problems.

Example: Enable SSL Certification Validation:

One common security vulnerability is having SSL certification validation disabled in your application. SSL (Secure Sockets Layer) certificates are essential for establishing encrypted connections between clients and servers, ensuring that data transferred over the network is secure and cannot be intercepted by unauthorized parties. If SSL certification validation is set to false, your application is vulnerable to man-in-the-middle (MITM) attacks, where attackers can intercept and manipulate the data being exchanged.

Solution:
Ensure that SSL certification validation is enabled in all your connections. This can usually be done by configuring the appropriate settings in your application's connection properties or environment variables. For example, in a Python application using the requests library, you should ensure SSL verification is enabled:

  import requests

  # Correct way with SSL verification enabled
  response = requests.get('https://0.0.0.0:5001/api/stock/product?product=' + product, verify=True)

By enabling SSL certification validation, you can protect your application from potential security breaches and ensure that your data remains secure.

Code Smells

Code smells are indicators of potential problems in your code that, while not necessarily bugs, can lead to maintainability issues and increased technical debt. SonarQube identifies code smells and provides recommendations to improve the quality, readability, and maintainability of your code. Addressing code smells helps ensure that your codebase remains clean and efficient, making it easier to manage and extend over time.

Example: Avoid Duplicating Strings or Literals:

A common code smell is the duplication of strings or literals multiple times throughout your code. This practice can lead to inconsistencies and make your code harder to maintain. For instance, if a string value changes, you will need to update it in multiple places, increasing the risk of errors and inconsistencies.

Solution:
Use constants or configuration files to store commonly used strings or literals. This approach centralizes the values, making your code more manageable and reducing the risk of errors. For example, in a Python application, you might define constants in a separate module:

  # constants.py
  MAIN_TEMPLATE = "index.html"

Then, you can use these constants throughout your code instead of duplicating the string values:

  # main.py
  import constants
  ...
  return render_template(constants.MAIN_TEMPLATE)

By avoiding the duplication of strings or literals, you can improve the maintainability and readability of your code, making it easier to update and extend in the future.

By addressing both security vulnerabilities and code smells, you can ensure that your codebase is not only secure but also clean and maintainable, leading to more robust and reliable software development practices.

Cleaning Up

Now that we're done with everything, let's clean up behind ourselves. You'll want to run the following commands to remove all of the attached volumes and purge all of the containers and images:

# Delete volumes (database, etc.)
docker-compose down --volumes

# Optional: Purge all images, networks, containers
docker system prune -a -f

Conclusion

To conclude, SonarQube is a powerful tool for static application security testing (SAST). It allows you to identify vulnerabilities and code smells efficiently, ensuring that your application codebase is both secure and maintainable.

Thank you so much for reading! I hope you were able to take away valuable insights about setting up and using SonarQube, the Sonar Scanner, and Docker. Until next time, keep scanning your code, and do your best to ensure it is secure and maintainable.

Disclaimer: This blog post reflects my personal experiences and opinions. This blogs original content is based off of the following video:

All images located in the blog post have been sourced from different places. Click on the image to get redirected to the original source.

Mastering the AWS Security Specialty (SCS) Exam - A Quick Guide

Damien J. Burks — Mon, 13 May 2024 22:47:18 +0000

Introduction
Why It's Essential to Start with the AWS Certified Solutions Architect Associate
Understanding the AWS Security Specialty Exam
- Key Points About the Exam
Key Resources for Preparing the AWS Security Specialty Exam
- Stephane Maarek's Ultimate AWS Certified Security Specialty Course
- AWS Security Specialty Focus Labs by Whizlabs
- TutorialsDojo’s Practice Exams and Cheat Sheets
- Leveraging Insights from Becky Weiss’s Talk
Key AWS Services to Focus On
Conclusion

Introduction

In this article, I will share my journey on how to successfully pass the AWS Certified Security Specialty (SCS) exam. From my experience, this ranks as one of the toughest exams right after the AWS Certified DevOps Engineeer Professional (DOP) Certification. However, with the right approach and resources that I'll discuss today, you'll be well on your way to succeeding just like I did on my first attempt.

Why It's Essential to Start with the AWS Certified Solutions Architect Associate

First things first, if you’re aiming for the AWS Security Specialty certification, I highly recommend having the AWS Certified Solutions Architect Associate (SAA) under your belt. The foundational knowledge you gain from the Solutions Architect Associate is crucial. It not only prepares you with the basic principles of AWS architecture, but it also makes the uphill climb of the Security Specialty exam smoother.

Understanding the AWS Security Specialty Exam

According to AWS, the Security Specialty exam validates your ability to design and implement security solutions on AWS. It checks your understanding in specialized data classifications, data protections, and the architectures for implementing security controls. I've highlighted some of the key points about the exam below.

Key Points About the Exam

Type of Questions: 65 questions, both multiple choice and multiple response.
Duration: 170 minutes, nearly three hours to clear the hurdles.
Cost: $300 USD.
Testing Options: You can either take it online from the comfort of your home, or you can head to a testing center.

For more details, you can check out the AWS official page.

Also, be sure to review the exam guide as well. It is incredibly important for you to have a firm understanding of what you'll be tested over and what services will be omitted from the exam. You can find the exam guide here: Latest SCS Exam Guide

NOTE: The exam details and guide can change at any time, so always make sure you defer to the official page for more information.

Key Resources for Preparing the AWS Security Specialty Exam

Let’s dive into some top resources that helped me ace this exam. There are a total of four key resources that I highly recommend you all use to study for this exam (aside from the recommended whitepapers and such by AWS).

NOTE: Click the images within each section to be redirected to the source as you continue to scroll down.

Stephane Maarek's Ultimate AWS Certified Security Specialty Course

This is one of the highest-rated courses out there for the Security Specialty exam. Stephane Maarek, known for his ability to demystify complex AWS concepts succinctly, has prepared around 16 hours of on-demand videos which are hosted on Udemy. The course also includes hands-on labs, essential for practical understanding. However, there is no sandbox environment provided, so you'll need to make sure you request your own AWS account. Using some AWS services during the course in your own account might cost a bit, but it’s a worthwhile investment for your preparation.

AWS Security Specialty Focus Labs by Whizlabs

Hands-on experience is crucial, and that’s why I also recommend the AWS Security Specialty Focus Labs offered by Whizlabs. With around 54 labs tailored to various exam domains like Threat Detection and Identity Access Management (IAM), these labs are SUPER invaluable. Unfortunately, these labs are not free. These labs are priced at $65.95, so be sure to keep an eye out for sales to grab a good deal!

TutorialsDojo’s Practice Exams and Cheat Sheets

TutorialsDojo is another excellent resource that I constantly use for AWS exams. Their practice exams are known to mirror the actual exam’s difficulty. In most cases, they are even harder than the actual exam. Prior to sitting for the exam, I highly recommend you are consistently scoring about an 80%. Consistently scoring above 80% on these can boost your confidence significantly prior to sitting for the exam, and the odds of you passing it on the first try are pretty high.

Furthermore, their cheat sheets also provide detailed notes on services that you'll come across in the exam, which I highly recommend you leverage as much as possible.

Leveraging Insights from Becky Weiss’s Talk

Becky Weiss’s talk, The Fundamentals of AWS Cloud Security, is a treasure trove of information covering basic network security, access management policies, and data encryption. Her ability to simplify complex topics into digestible bits is what makes her session a must-watch.

With that being stated, I implore you to watch this all the way through. I can guarantee you will have a much better understanding of how Cloud Security works within AWS and how to best leverage AWS services to protect your assets.

Key AWS Services to Focus On

Before you step into the examination room, you must ensure you’re well-versed in several critical AWS services. You'll want to pay very close attention to:

Identity Access and Management (IAM)
Key Management Service (KMS)
CloudWatch
CloudTrail
GuardDuty
Inspector
Organizations
Macie
WAF
SecurityHub
Detective
Virtual Private Cloud (VPC)
Config
Systems Manager (Parameter Store)

I am almost certain that you're going to see all of these on the exam, so make sure you pay close attention to each of these, and also, get some lab time in as well.

Conclusion

Thank you for following along in this guide. I hope it not only prepares you well for the AWS Security Specialty exam, but it also inspires you to leverage the power of AWS in securing applications and data. Until next time, happy studying, keep securing those networks, and stay curious!

Disclaimer: This blog post reflects my personal experiences and opinions. This blogs original content is based off of the following YouTube Video:

All images located in the blog post have been sourced from different places. Click on the image to get redirected to the original source.

My Journey to Passing the AWS Certified Solutions Architect Associate Exam

Damien J. Burks — Mon, 29 Apr 2024 22:49:06 +0000

Introduction
Prerequisites
Exam Overview and Guide
- Exam Details
- Exam Structure
- Exam Guide
Study Materials
- 1. Stephane Maarek's Ultimate AWS Certified Solutions Architect Associate Course
- 2. Jon Bonso's Practice Exams
- 3. Whizlabs AWS Labs
Study Schedule & Exam Tips
Key AWS Services to Focus On
Conclusion

Introduction

In this article, I will share my journey on how to successfully pass the AWS Certified Solutions Architect - Associate (SAA) exam. My hope is that by sharing my experience, resources, study plan, and some crucial tips, I can help you navigate your way to acing this challenging certification exam.

Prerequisites

Before we get into the specifics of the exam, I highly recommend considering the AWS Certified Cloud Practitioner exam first. This foundational certification helps you understand the basic concepts of various AWS services.

Although it's not a mandatory requirement, familiarity with basic programming or coding concepts can be advantageous.

Exam Overview and Guide

Exam Details

The AWS Certified Solutions Architect Associate exam showcases knowledge and skills in AWS technology across a wide range of services. The focus is on designing cost and performance-optimized solutions, demonstrating a strong understanding of the AWS Well-Architected Framework and other AWS documentation.

This exam is ideal for those with:

Experience in AWS technology
Strong on-premises IT experience, especially in mapping on-premises to cloud
Experience with other cloud service providers (CSPs)

The certification helps you create robust, fault-tolerant, and scalable solutions using various AWS services. You'll learn about the AWS Command Line Interface (CLI), the management console, networking, security services, and AWS's global infrastructure.

Exam Structure

Duration: 130 minutes (2 hours and 10 minutes)
Cost: $150 USD
Format: 65 questions (multiple choice or multiple response)
Testing Options: AWS-approved testing center or online

Exam Guide

The exam guide provides detailed information on what the exam will validate regarding your ability to complete tasks within AWS. It includes:

Scoring: Passing score is 720.
Content Outline: The exam is divided into four domains:
- Domain 1: Design Secure Architectures (30%)
- Domain 2: Design Resilient Architectures (26%)
- Domain 3: Design High-Performing Architectures (24%)
- Domain 4: Design Cost-Optimized Architectures (20%)

The guide also lists in-scope and out-of-scope AWS services and features, providing a clear path for your study.

Study Materials

Choosing the right study materials can make a significant difference in your exam preparation. Here are the resources that I found invaluable:

1. Stephane Maarek's Ultimate AWS Certified Solutions Architect Associate Course

Platform: Udemy
Overview: This comprehensive course includes over 340 lectures, totaling approximately 27 hours long. Stephane Maarek does an excellent job explaining each service in detail, providing clear examples that are easy to remember. He explicitly highlights which topics will appear on the exam and offers hands-on lectures to reinforce the material.

NOTE: Some hands-on sessions may incur additional costs if you're using a free-tier account.

2. Jon Bonso's Practice Exams

Platform: TutorialsDojo Website - Practice Exams
Overview: These practice exams are tough but closely mimic the complexity and depth of the actual exam questions. Initially, I scored between 40s and 60s, which was incredibly demotivating. However, after thoroughly reviewing each question and consulting the TutorialsDojo AWS Cheat Sheets, my scores improved significantly.

3. Whizlabs AWS Labs

Platform: Whizlabs
Overview: For those who prefer a more simulated lab environment, Whizlabs offers a token-based system to access their labs. This can be a bit pricey, but it's a worthwhile investment for hands-on learning. If you're willing to invest in it, it's well worth it! You can find more information about their labs here: Whizlabs AWS Solutions Architect - Associate

Study Schedule & Exam Tips

Consistency was key in my preparation. I spent about 2 hours each weekday and between 2-4 hours on weekends studying. This schedule allowed me to complete Stephane's course in just under a month. Afterward, I moved on to doing labs created by Whizlabs and taking practice exams.

The practice exams provided by Jon Bonso were instrumental in my success. Despite failing all his practice tests initially, I managed to pass the DVA with an 873 previously and felt confident tackling the SAA. I revisited and retook the practice exams, focusing on understanding each question and the associated concepts thoroughly. This strategy boosted my scores to between 70s and 80s on subsequent attempts.

I decided to take the exam despite not consistently scoring above 85 on the practice tests. This risk paid off, though I would recommend others ensure they are scoring at least 85+ if they prefer a safer margin. So, if you are scoring less than an 85 on the practice exams and don't feel confident a week or so before you sit for the exam, I'd highly recommend you reschedule it for another 2-3 weeks.

Key AWS Services to Focus On

Based on my experience, I highly recommend you pay close attention to these services, as you might see them on the exam:

VPC: Virtual Private Cloud
S3: Simple Storage Service
IAM: Identity and Access Management
AWS Storage Gateway
EC2: Elastic Compute Cloud
EC2 Auto Scaling
CloudFormation
AWS Lambda
SQS: Simple Queue Service
SNS: Simple Notification Service
GuardDuty
Shield
Kinesis Data Streams
Kinesis Firehose
Step Functions
Cost Explorer
RDS: Relational Database Service
DynamoDB

Conclusion

Passing the AWS Certified Solutions Architect - Associate exam is a challenging but achievable goal. With the right resources, a consistent study plan, and thorough practice, you can also succeed. I hope my experience inspires and guides you through your own certification journey.

Thank you for reading, and best of luck if you're pursuing this certification!

Disclaimer: This blog post reflects my personal experiences and opinions. This blogs original content is based off of the following video:

All images located in the blog post have been sourced from different places. Click on the image to get redirected to the original source.

A Beginner's Guide to Contributing to Open Source Projects

Damien J. Burks — Mon, 29 Apr 2024 02:46:39 +0000

Introduction
Overcoming Imposter Syndrome
Step 1: Identify Your Passion
Step 2: Understand the Project's History
Step 3: Assess Project Activity
- Active Project Example: Open Policy Agent (OPA)
- Dead Project Example: PACU
Step 4: Read Contributing Guidelines
Step 5: Don't Hesitate to Seek Help
Ready to Contribute?
Conclusion

Introduction

Embarking on the journey of contributing to open-source projects can be daunting, especially for those new to software development or technology in general. As someone who has recently navigated this terrain, I understand the challenges and uncertainties that come with taking those first steps. In this guide, I'll share my experiences and valuable insights on how to kickstart your journey into the world of open source.

Overcoming Imposter Syndrome

Before diving into the specifics of contributing to open source, it's essential to address imposter syndrome, a common hurdle for many beginners. Imposter syndrome often creeps in when we venture into unfamiliar territory, pushing us out of our comfort zones. Despite harboring a desire to contribute to open source, I hesitated to take the plunge until I challenged myself earlier back in 2022.

Step 1: Identify Your Passion

The first step in contributing to open source is identifying your passion and interests within the vast landscape of technology. Whether it's cybersecurity, web development, or machine learning, pinpointing your passion will guide you in selecting projects aligned with your expertise and aspirations. Here are two questions that I think you should consider:

What am I passionate about in the realm of technology?
Do I currently use or plan to use specific tools or frameworks in my personal or professional projects?

Answering these questions will help you narrow down your search for suitable open-source projects on platforms like GitHub.

Step 2: Understand the Project's History

Before making your first contribution, take the time to familiarize yourself with the project's history, goals, and community. Dive into documentation available on the project's webpage or repository, watch tutorials or YouTube videos, and get to know the project's founders and contributors. Understanding the project's mission and vision is crucial for becoming an effective contributor.

Step 3: Assess Project Activity

When selecting a project to contribute to, it's essential to gauge its activity level and responsiveness to contributions. Examining the project's pull request (PR) and merge history provides valuable insights into its vitality.

Active Project Example: Open Policy Agent (OPA)

Open Policy Agent (OPA) serves as a prime example of an active project with a vibrant community and robust development activity. The project's GitHub repository showcases frequent commits and releases, indicative of ongoing maintenance and engagement from contributors.

Dead Project Example: PACU

On the other hand, projects with minimal recent activity may indicate a stagnant or "dead" status, making them less conducive to new contributions. Pacu, for instance, exhibits signs of stagnation with infrequent releases and sparse commit history.

In such cases, it's advisable to seek out more active projects to maximize your contribution potential.

Step 4: Read Contributing Guidelines

Before making any contributions, familiarize yourself with the project's contributing guidelines. These guidelines outline the project's standards, workflows, and best practices for submitting contributions. Ignoring or neglecting these guidelines can lead to delays and complications in the contribution process.

Step 5: Don't Hesitate to Seek Help

One of the most valuable resources in the open-source community is the willingness of contributors and maintainers to offer assistance and guidance. Don't hesitate to reach out for help, clarification, or feedback when navigating the contribution process. Engaging with the project's community through communication channels like Slack or Discord fosters collaboration and enhances the learning experience.

Ready to Contribute?

Armed with these lessons and insights, you're now equipped to embark on your journey of contributing to open source. One thing I want to add:

Contributing to open source doesn't always require writing code.

Documentation, for instance, plays a crucial role in the success of open-source projects and often requires updates or enhancements. If you're not comfortable with coding initially, consider exploring documentation-related tasks tagged as "good first issues."

Remember, every contribution, big or small, makes a difference in advancing open-source projects and enriching the broader developer community.

Conclusion

Contributing to open source is not just about writing code; it's about collaboration, learning, and making a meaningful impact. By embracing your passions, understanding project dynamics, and leveraging available resources, you can confidently take your first steps into the world of open source. I hope this guide has provided you with valuable insights and encouragement as you embark on your open-source journey. Happy contributing!

**Disclaimer:* This blog post reflects my personal experiences and opinions.*

Kickstarting Your DevSecOps Career - The 4 Essential Certifications You Need

Damien J. Burks — Fri, 19 Apr 2024 17:07:21 +0000

Introduction
1. CompTIA Security+
- Why It Matters
- What You'll Learn
  - Certification Details
2. CompTIA Linux+
- Why It Matters
- What You'll Learn
  - Certification Details
3. AWS Certified Developer - Associate
- Why It Matters
- What You'll Learn
  - Certification Details
4. Certified Kubernetes Administrator (CKA)
- Why It Matters
- What You'll Learn
  - Certification Details
- Conclusion

Introduction

In this blog post, I'll be unpacking the four certifications that I firmly believe are pivotal for anyone aspiring to launch a career in DevSecOps. Drawing from my journey, research, and insights gathered along the way, this post aims to equip you with the knowledge to choose certifications that will not only give you a competitive edge but also a solid foundation in the complex world of DevSecOps.

1. CompTIA Security+

Starting with what I consider the bedrock of cybersecurity, the CompTIA Security+ certification is your gateway into understanding the intricate world of cyber security, which is indispensable in the DevSecOps realm.

Why It Matters

The CompTIA Security+ is an entry-level certification but don't underestimate its value. It comprehensively covers the fundamentals of cybersecurity, from threats and vulnerabilities to risk management protocols. It equipped me with a solid grasp of security concepts, which has been instrumental in navigating the 'Sec' in DevSecOps.

What You'll Learn

This certification dives deeply into general security concepts and teaches you about different cyber threats and how to mitigate them. In addition, it covers security operations and architecture and delves into vulnerability management techniques and gives insights into security program management.

Certification Details

Question Format: Mix of multiple choice and performance-based questions.
Exam Length: 90 minutes.
Passing Score: Minimum of 750 out of 900.
Validity: 3 years, with an option to renew through continuing education credits.
Cost: $404 USD.

NOTE: This can change, so make sure you reference the original link for this exam here: Certification Details - CompTIA Security+

2. CompTIA Linux+

For those looking to solidify their command over Linux distributions, which is a critical skill for any aspiring DevSecOps professional, the CompTIA Linux+ is a non-negotiable!

Why It Matters

Linux powers a significant portion of the servers running in data centers worldwide and mastering it can set you apart as a DevSecOps engineer. Although I do not have this certification myself, it will teach you (based on my research) the ins and outs of Linux administration, from managing software and services to scripting and security, which is vital for your success as a DevSecOps engineer.

What You'll Learn

With this certification, you should expect to get hands-on with system management, security practices for permissions and authentications, and have a foray into scripting, containers, and automation. This certificate emphasizes troubleshooting, which is a non-negotiable skill in a real-world DevSecOps environment.

Certification Details

Question Format: Multiple choice and performance-based.
Exam Length: 90 minutes.
Passing Score: 720 or higher.
Validity: 3 years, with renewal options.
Cost: $369 USD.

NOTE: This can change, so make sure you reference the original link for this exam here: Certification Details - CompTIA Linux+

3. AWS Certified Developer - Associate

Considering the ubiquity of AWS in cloud services, the AWS Certified Developer - Associate certification is a goldmine for those looking to demonstrate their proficiency in developing and managing AWS-based applications for real-world DevSecOps use cases.

Why It Matters

This certification provides a detailed understanding of AWS services, essential for deploying infrastructure and managing CI/CD pipelines, which is a core component of the DevSecOps workflow.

What You'll Learn

For this certification, you should expect to learn how to deploy applications and infrastructure using AWS CloudFormation, master AWS CI/CD services (CodeCommit, CodeDeploy, CodePipeline, etc.), and get comfortable with AWS coding standards for security. To learn more about this exam and all that it entails, you can take a look at the exam guide here: Developer Associate Exam Guide

Certification Details

Exam Length: 130 minutes.
Cost: $150 USD.
Question Format: Multiple choice and multiple response questions.
Validity: 3 years, must retake exam again to renew

NOTE: This can change, so make sure you reference the original link for this exam here: Certification Details - Developer Associate

4. Certified Kubernetes Administrator (CKA)

With containerization being a critical part of DevSecOps, understanding Kubernetes is non-negotiable. The Certified Kubernetes Administrator certification is designed to ensure you can handle the challenges of managing Kubernetes environments.

Why It Matters

Kubernetes is at the forefront of container orchestration. Like the CompTIA Linux+, I did not take this exam. However, I believe that this certification proves your prowess in managing production-grade Kubernetes clusters, which is a must-have skill for any DevSecOps professional.

What You'll Learn

From basic installation and configuration to managing cluster operations and understanding Kubernetes networking, this certification covers it all. It's an intensive dive into what makes Kubernetes tick and how to keep it running smoothly.

Certification Details

Exam Cost: $395 USD.
Validity: 3 years.
Exam Format: Performance-based, including real-time tasks in a simulated environment.
Duration: 2 hours.

NOTE: This can change, so make sure you reference the original link for this exam here: Certification Details - CKA

Conclusion

While these certifications are crucial stepping stones in your DevSecOps journey, I want you all to remember this:

Certifications are just part of the puzzle. The real game-changer is the hands-on experience you gain through lab work and projects.

Incorporate what you learn into tangible projects and showcase them in your portfolio. This not only elevates your understanding of the materials and technologies, but it significantly boosts your employability.

As always, thank you so much for reading! If you found this post helpful at all, please share it with your friends. If you've got any other certifications in mind that you think are essential for obtaining a career in DevSecOps, please leave a comment below and let me know your thoughts. I'd love to spark more discussion around which certifications you think are important for aspiring DevSecOps engineers.

Until next time, keep learning, keep growing, and never stop exploring the vast universe of DevSecOps. Let's pave the way for a more secure, efficient, and effective IT landscape together.

Disclaimer: This blog post reflects my personal experiences and opinions.

This blogs original content is based off of the following YouTube Video:

Is the AWS Certified Cloud Practitioner Certification Worth It?

Damien J. Burks — Mon, 15 Apr 2024 16:19:14 +0000

Introduction
Is It Worth It?
My Experience
Study Materials
Exam Experience
Study Plan
Conclusion

Introduction

After pursuing various comments across social media platforms regarding the AWS Certified Cloud Practitioner (CCP) certification, I felt compelled to share my perspective on the value of obtaining this certification.

Is It Worth It?

So, on to answer the key question of this entire blog post. Is the CCP truly worth it?

In my opinion, the worth of pursuing the AWS CCP certification hinges on your aspirations and existing cloud knowledge. If you aim to specialize in AWS and pursue associate-level certifications, then the CCP is a definite yes. However, if you seek to become a cloud generalist, CompTIA's Cloud+ certification may be a better fit as it covers fundamental cloud concepts applicable across various platforms.

My Experience

Before undertaking the AWS Certified Developer - Associate (CDA) certification, I opted to take the CCP exam. Priced at a reasonable $100, the CCP ensures a solid grasp of cloud principles, AWS billing and pricing, AWS security, and an overview of AWS services. With a duration of approximately 90 minutes, it's arguably the easiest AWS certification exam available.

I strongly recommend it for individuals with minimal cloud experience intending to pursue associate-level certifications, as it serves as an excellent foundation. However, be prepared for a steep learning curve if you dive into associate-level exams without prior cloud knowledge.

Study Materials

For those interested, based on my experience and research, I have some study material recommendations to help you prepare for the exam:

ACloudGuru's AWS CCP CLF-C02 Course: The course provides comprehensive coverage of all knowledge areas outlined in the exam guide, encompassing the four domains: Cloud Concepts, Security and Compliance, Cloud Technology and Services, and Billing, Pricing, and Support.
TutorialsDojo Practice Exams: This is the AWS official practice exam for the CCP! I think this is sufficient enough for you to test your knowledge. No need for third-party curatied exams.

ACloudGuru has consistently proven to be a valuable resource for AWS exams and labs. The recommended course typically takes around a week to complete, offering approximately 22 hours of content with hands-on labs to familiarize you with the AWS console, especially billing services.

While the practice exam incurs a fee of approximately $14.99, it's a worthwhile investment as it closely resembles the actual exam.

Exam Experience

When test day arrived, I chose to take the exam at a testing center, which I find more conducive for focusing. I tend to go to the testing center for all of my certification exams.

Unlike any other certification exams I've taken, the CCP exam is relatively straightforward; you either know the answer.... or you don't.

Unlike other exams where you must assess multiple services and select the optimal solution, the CCP exam requires more straightforward knowledge recall or answers. However, this simplicity has its merits, ultimately sparing candidates from excessive head-banging against the proverbial wall!

Study Plan

With consistent effort of course study about 3-4 hours per day, along with taking practice exams post-course completion, candidates can typically pass the exam within 2-3 weeks.

Conclusion

In conclusion, the value of the AWS CCP certification depends on your background and objectives. If you seek to delve deeper into AWS without compromising on cloud fundamentals, the CCP is a worthwhile investment. Otherwise, consider redirecting your $100 towards something that aligns better with your goals or exploring alternative cloud certifications.

Thank you for reading, and I wish you the best of luck if you decide to take this exam. Until next time, happy studying, and I'll see you in the cloud!

Disclaimer: This blog post reflects my personal experiences and opinions.

How I Conquered the AWS Certified DevOps Engineer Professional Exam in 60 Days

Damien J. Burks — Thu, 11 Apr 2024 01:44:26 +0000

Introduction
Understanding the Exam
- Why This Certification?
Prerequisites and Preparations
- Resources Used
- My Study Schedule
- Emphasized Services
Testing Experience and Tips
Conclusion

Introduction

In this article, I will share my journey on how to successfully pass the AWS Certified DevOps Engineer Professional exam in just 60 days. My hope is that by sharing my experience, resources, study plan, and some crucial tips, I can help you navigate your way to acing this challenging certification exam.

First off, this exam is no small feat. It's designed for individuals who are engaged in a DevOps or DevSecOps engineering role, focusing on operating, managing, and provisioning distributed application systems on the AWS platform. This certification validates your technical expertise in continuous delivery systems, methodologies on AWS, security controls automation, and much more.

Understanding the Exam

Before diving deep into my study plan and the resources I used, let's get a brief overview of what this exam entails. The AWS Certified DevOps Engineer Professional exam is recognized as one of the more challenging tests compared to other AWS professional level exams. It takes 180 minutes, costs $300 USD, and contains 75 questions, either multiple choice or multiple response.

NOTE: The exam information may change, so be sure to validate this by going to the landing page here: Amazon's Website - AWS Certified DevOps Professional Overview

Why This Certification?

Pursuing this certification was a deliberate move on my part. With several other AWS certifications under my belt, I felt this was the logical next step to help me advance within my career. The knowledge gained from this certification is invaluable for anyone looking to implement highly scalable, high-availability applications on AWS.

Prerequisites and Preparations

Let me be really honest; this exam is EXTREMELY difficult. I strongly recommend having one of the associate-level certifications (either AWS Solutions Architect Associate or AWS Developer Associate) before attempting this one. Additionally, hands-on experience with AWS is crucial for your success, so make sure you are labbing as much as possible!

Resources Used

Udemy Course by Stephane Maarek: This was my primary resource. Stephane's detailed explanations and hands-on approach were instrumental in helping me grasp complex concepts quickly. This course is a 10 out of 10, and I highly recommend his other courses for any AWS certification.

TutorialsDojo Cheat Sheets: A fantastic, free resource that provides summaries of various AWS services. These cheat sheets are great for quick revisions.

TutorialsDojo Practice Exams: In addition to the cheat sheets, I also leveraged the TutorialsDojo practice exams, which mimic the difficulty level of the actual exam, providing both a challenge and a solid learning opportunity.

My Study Schedule

My study plan was rigorous, but effective for me:

First 30 Days: I dedicated two hours on weekdays and doubled that on weekends to Stefan Marek’s Udemy course. This allowed me to absorb the content without rushing, with ample time for hands-on practice, especially if you're working a little over 40 hours a week.
Next 30 Days: I shifted my focus to reviewing Tutorials Dojo's cheat sheets and taking multiple practice exams a week. This helped identify gaps in my knowledge and solidify what I had learned. In addition, I made sure that I was scoring an 80% or higher for at least 2-3 tries before I booked my exam. The practice exams are just as hard, if not harder, than the actual exam!

Remember, consistency is key. So make sure you adjust the schedule based on your pace of learning while ensuring you are regularly dedicating time to your study plan. This'll ensure you don't burn out trying to study for this exam, because it is possible.

Emphasized Services

From my experience, certain AWS services played a significant role in the exam. So make sure you pay extra attention to:

CloudFormation
CodeBuild, CodePipeline, CodeDeploy, and CodeCommit
Lambda, API Gateway
Kinesis Data Streams and Firehose
Inspector
Organizations
Control Tower
GuardDuty (surprisingly)
Systems Manager (Session Manager and Patch Manager, in particular)

Also, make sure you understand your deployment strategies as well. Knowing the difference between Blue/Green and Rolling deployment is a great starting point.

These are just a few, but understanding these services deeply will be highly beneficial for you before taking the practice exams.

Testing Experience and Tips

When test day arrived, I chose to take the exam at a testing center, which I find more conducive for focusing. One piece of advice - hydrate and eat well before the exam. Trust me, it makes a difference and will save you from getting a headache. (speaking from experience)

During the exam, you’ll find that time management and the process of elimination are your best strategies. The questions are detailed, which can be time-consuming. Practice pacing yourself with practice exams to optimize your performance.

Conclusion

Finally, stepping out of the exam, I thought I failed for sure. I was practically over it due to my lack of preparation prior to sitting for it (the headache). However, it was a fulfilling journey and I learned quite a bit from it. I was happy to learn that I passed shortly after as well.

For those of you embarking on this journey, I hope my experience sheds some light and guides you towards achieving your certification. Remember, the path may seem daunting, but with the right resources, a solid study plan, and perseverance, you can conquer the AWS Certified DevOps Engineer Professional exam just as I did.

Thank you for reading, and I wish you the best of luck. Until next time, happy studying, and I'll see you in the cloud!

Disclaimer: This blog post reflects my personal experiences and opinions.

This blogs original content is based off of the following YouTube Video:

All images located in the blog post have been sourced from different places. Click on the image to get redirected to the original source.

Exploring the World of SAST and DAST with a DevSecOps Twist

Damien J. Burks — Mon, 08 Apr 2024 13:45:26 +0000

Introduction
What Exactly is SAST?
Discovering DAST: The Dynamic Cousin
Key Differences Between SAST and DAST
When to Use SAST and DAST
Tools of the Trade
- SAST Tools
- DAST Tools
Conclusion

Introduction

As a Cloud Security Engineer deeply immersed in the world of Application Security and DevSecOps, nothing excites me more than sharing my knowledge and passion for safeguarding applications against the myriad of cyber threats lurking in the digital world. In this blog post, we will embark on a fascinating journey through two pivotal concepts that keep your favorite apps secure: SAST and DAST.

What Exactly is SAST?

Imagine having a magnifying glass that lets you peer deeply into your application's source code, pinpointing vulnerabilities before they become a threat. That, my friends, is what I would call SAST. SAST, or Static Application Security Testing, involves a detailed analysis of an application's source code to identify any security weaknesses and vulnerabilities. The beauty of SAST lies in it's ability to detect these issues before the application is even compiled.

To me, SAST equals static analysis. It's like having a preemptive strike capability within the Software Development Life Cycle (SDLC), allowing engineers to catch and rectify issues early on. This not only saves time but also fortifies the security posture before deployment or releases into lower environments. Moreover, integrating SAST tools into CI/CD pipelines automates security at a scale unimaginable a few years ago, making it a staple in modern development practices for robust application security.

Discovering DAST: The Dynamic Cousin

While SAST analyses the static aspects, DAST, or Dynamic Application Security Testing, brings in a dynamic perspective. It simulates live attacks on a web application, acting as a real-time assessment tool for identifying vulnerabilities in deployed applications. Think of DAST as the on-the-ground reconnaissance that validates the security measures by engaging with the application as an attacker would.

DAST shines by reducing false positives associated with SAST results due to its interaction with the live application. The findings are more accurate, providing actionable insights. Its comprehensive nature means it doesn't just stop at code; it looks at runtime environments, configurations, and external dependencies.

Key Differences Between SAST and DAST

Understanding the nuances between SAST and DAST can significantly impact how you approach application security. Therefore, I've taken the liberty of highlighting three key differences that you should know:

Stage of Deployment: SAST is performed before compilation, early in the SDLC. DAST, on the other hand, is conducted on deployed applications, closer to or in the production environment.
Scope of Analysis: SAST examines source code and static assets. On the other hand, DAST assesses the application's behavior by interacting with it in real-time.
Nature of Testing: DAST offers a more realistic testing scenario by evaluating the compiled application in a runtime environment.

Incorporating both SAST and DAST in the appropriate stages of your SDLC enhances your application's security posture, ensuring a well-rounded defense mechanism against cyber threats.

When to Use SAST and DAST

For a secure web application, use SAST during the development phase and ensure it's a part of your CI/CD pipeline for continuous security. DAST should come into play later, ideally during the testing phase, to vet the application post-deployment. Integrating DAST into your release pipeline, with proper rollback strategies added, ensures that your security measures are not just thorough but also practical.

Tools of the Trade

Equipped with knowledge, let's talk tools. Based on my research and hands-on experience with SAST and DAST tooling, here are some recommendations:

SAST Tools

DAST Tools

In addition to the ones mentioned, there are several other SAST and DAST tools that are available for various different services if you're interested in learning more:

Conclusion

The ongoing battle against cyber threats necessitates a fortified defense, and understanding the strategic deployment of SAST and DAST methodologies provides a significant advantage. Remember, the goal isn't just to develop applications but to secure them in a manner that is both efficient and scalable.

I hope this deep dive gives you valuable insights into securing your applications. If you found this post helpful, please like, share, and subscribe. Your support fuels my passion, and I look forward to sharing more with you. Until next time, keep coding securely!

Disclaimer: This blog post reflects my personal experiences and opinions.

This blogs original content is based off of the following YouTube Video:

AWS Community Builders - Christmas Edition

Damien J. Burks — Tue, 20 Dec 2022 15:04:36 +0000

What surprises you most about the community builders program?

Honestly, this is a very hard question to answer considering how talented the individuals are in this program. One of the biggest surprises is the amount of training and resources that have been shared by the AWS team and our fellow community builders. I am incredibly amazed by the amount of community builders that the program has worldwide, and that has allowed me to make several connections and learn new things outside of the United States.

What's your background and your experience with AWS?

About 4 years ago, I had graduated with my Bachelors of Science in Computer Science with TSU. From there, I started out as a Security Software Engineer for a telecommunications company with a bit of exposure to AWS services such as EC2 and CloudFormation. It made development for me a lot easier, so I decided to get certified in AWS. After getting a few certifications under my belt, I pivoted into Cloud Security. At this moment, I am a Cloud Security Engineer - VP at a financial institution who builds security solutions and frameworks the leverages AWS services.

Currently, I have these four AWS certifications:

AWS Certified Developer Associate
AWS Certified Solutions Architect - Associate
AWS Certified Cloud Practitioner
AWS Certified Security - Specialty

Also, I am the lead contributor for DataCop, which is an open-source AWS framework that mitigates S3 bucket attack vectors based on customer configuration.

To summarize, I have about 2 years of experience in AWS that is heavily focused on development and solutions architecture.

What’s the biggest benefit you see from the program?

The individuals who are apart of this program share vast amounts of resources and learning material. This is the biggest benefit of this program. The ability to read technical blog posts, contribute to them, create my own, and have folks contribute to them as well. It is a safe environment to network and collaborate on building new things within AWS.

What’s the next swag item that you would like to get?

I really, really, really, really, really want a Community Builder's hoodie/jacket. I typically wear hoodies and jackets around this time of year both inside and outside since it's fairly cold.

What are you eating for dinner today? Share the recipe!

Today, I am eating Gumbo! Since I'm a ragin' cajun at heart, it's apart of my tradition to make Gumbo during the winter season. Here is the recipe that I'll share with you all:

Louisiana Gumbo Base
Smoked Sausage
Hot/Spicy Sausage
Blue Crabs a.k.a Gumbo Crabs
Raw and Peeled Shrimps

If you'd like a much "better" recipe with times and all that, check this out: The "best" Gumbo recipe

Is there anything else you would like to say about the community builders program in 2022?

It is literally the best program I've been in. It has helped me elevate my career and inspired me to contribute to open source tooling. I'd like to give a special shoutout to the leading team to creating a platform for us to share resources and educate one another about all things AWS.

Tips on how to become an AWS Community Builder

Damien J. Burks — Sat, 03 Sep 2022 19:43:07 +0000

I DID IT! I got accepted into the AWS Community Builders program! It was a great way to start the fourth quarter of the year, and I'm super excited to contribute and build cool things with other builders around the globe for 12 months!

Because I've gotten into the program, I would like to share some tips on what you could do to increase your chances of becoming a Community Builder. Before I share those tips, let me define what the Community Builders program is.

The AWS Community Builders program offers technical resources, education, and networking opportunities to AWS enthusiasts and thought leaders who are passionate about knowledge sharing and building out technical solutions within AWS. Aside from the networking opportunities, there are several benefits that a person receives when joining this program. It includes, but is not limited to, promotional credits for AWS, learning about new services and features that are being developed by the product teams, and lots of swag! The program has several specialty areas that folks can join such as Security/Identity, Machine Learning, Game Tech, Storage, etc. ("AWS Community Builders", n.d.)

The application opens up twice a year, so feel free to add your name to the waitlist here.

Now that you have an understanding of what this community provides, let's talk about some tips that'll help you get in!

Tip 1: Become visible on social media platforms

Becoming visible is fairly important. As an AWS Community Builder, I'm expected to create content and share that with the world. Prior to getting into the program, I was already creating and publishing content on social media platforms such as Twitter, LinkedIn, and YouTube. When you create content, you're increasing your visibility and building your brand. The amount of content and views will help strengthen your application.

Tip 2: Build things in AWS

You are applying to be an AWS Community Builder, so please build things in AWS. Write tools for services in AWS and publish the code on Github. Make a YouTube video showing people how to execute a Lambda function from a Step Function. There are several things you could do and build in AWS, so make sure you are building AND you're documenting what you're building.

Tip 3: Collaborate, collaborate, collaborate!

Make friends with people in tech and create things together! It does not have to be within AWS. It could be contributing to open source projects, speaking on podcasts, co-authoring technical blog posts, etc. The amount of things that you could do is endless! The key thing is that you want to make sure that you are collaborating with individuals in your field of study and creating content!

Tip 4: Get a few AWS certifications

Getting AWS certifications will help you get your foot in the door. Based on what I've seen, the majority of the community builders have at least 1 fundamental or associate-level AWS certification. Getting one is not only good for your career, but it would help strengthen your application by solidifying that you are passionate about building in AWS.

Tip 5: Create content around your favorite category(ies) in AWS

When you apply, you'll have to select one or more categories in AWS that you want to create content for. Before applying, make sure you create content for those categories. For example, I love the security and identity services of AWS, so I created content YouTube videos on how to pass the AWS Security Specialty. In addition, I developed an open-source framework called DataCop, which relies on AWS Macie to protect S3 buckets. You don't have to go all out, but the more content and solutions you create within a specific category, the higher your chances of getting accepted for that category will be.

I would like to add one small thing: Just because you follow these tips DOES NOT guarantee admission into the program. However, if you follow these tips, I am positive that you will increase your chances of getting into the program. The goal is to create a strong application that'll set you apart from the rest. It's a highly selective program, so I hope you find these tips helpful.

Cheers!

References:

AWS Community Builders. Amazon. (n.d.). Retrieved September 3, 2022, from https://aws.amazon.com/developer/community/community-builders/

Forem: Damien J. Burks

Prevention-First Cloud Security: Escaping Alert Fatigue for Good using Turbot

Table of Contents

Introduction

The Reality of Alert Overload

Why Prevention-First Security Resonates

CNAPPs Still Matter — But They’re Not Enough

What Stands Out About Turbot

Stop Chasing Alerts

SAST Scanning with SonarQube and Docker

Table of Contents

Introduction

Prerequisites

Understanding SonarQube

What is SonarQube?

Understanding Docker Compose

Key Features and Benefits

Simplified Configuration

Multi-Container Applications

Network Management

Volume Management

Environment Configuration

Scanning and Inspecting Sonar Results

Cloning Vulnerable Web Application (TIWAP)

Spinning Up the Environment

Verifying the Setup

Setting Up SonarQube with Docker Compose

Logging into SonarQube

Creating a Project in SonarQube

Running Sonar Scanner using Docker

Reviewing Results in SonarQube

Security Vulnerabilities

Code Smells

Cleaning Up

Conclusion

Mastering the AWS Security Specialty (SCS) Exam - A Quick Guide

Table of Contents

Introduction

Why It's Essential to Start with the AWS Certified Solutions Architect Associate

Understanding the AWS Security Specialty Exam

Key Points About the Exam

Key Resources for Preparing the AWS Security Specialty Exam

Stephane Maarek's Ultimate AWS Certified Security Specialty Course

AWS Security Specialty Focus Labs by Whizlabs

TutorialsDojo’s Practice Exams and Cheat Sheets

Leveraging Insights from Becky Weiss’s Talk

Key AWS Services to Focus On

Conclusion

My Journey to Passing the AWS Certified Solutions Architect Associate Exam

Table of Contents

Introduction

Prerequisites

Exam Overview and Guide

Exam Details

Exam Structure

Exam Guide

Study Materials

1. Stephane Maarek's Ultimate AWS Certified Solutions Architect Associate Course

2. Jon Bonso's Practice Exams

3. Whizlabs AWS Labs

Study Schedule & Exam Tips

Key AWS Services to Focus On

Conclusion

A Beginner's Guide to Contributing to Open Source Projects

Table of Contents

Introduction

Overcoming Imposter Syndrome

Step 1: Identify Your Passion

Step 2: Understand the Project's History

Step 3: Assess Project Activity

Active Project Example: Open Policy Agent (OPA)

Dead Project Example: PACU

Step 4: Read Contributing Guidelines

Step 5: Don't Hesitate to Seek Help

Ready to Contribute?

Conclusion

Kickstarting Your DevSecOps Career - The 4 Essential Certifications You Need

Table of Contents

Introduction

1. CompTIA Security+