8 Best Practices for Strengthening Security in Cloud-Native Environments

AWS Security, DevSecOps
5 Min Read

Cloud-native companies and larger companies migrating to cloud environments continue to see the cloud as a way to gain speed, reliability, and other well-known benefits. But there are still plenty of pitfalls that can undermine security and negatively impact operations. To help remedy this situation, this post outlines some of the mistakes that operators make most frequently, along with best practices and recommendations they can follow to proactively reduce risk, achieve their security goals, and continue along the path to stronger cloud security maturity.  Read more “8 Best Practices for Strengthening Security in Cloud-Native Environments”

Cut Time & Costs: 7 Best Practices to Follow When Choosing a Cloud Security Solution

Application Security, Budgeting and Buying Tips
4 Min Read

In a SaaS world, everyone wants to move fast! Rapid development can slash time to market and put you in a strong competitive position, and of course this is the way to operate as long as you’re not sacrificing quality. But remember: There’s bad fast as well as good fast. Too often we jump into projects, or we’re pressured to jump in before we’re ready — before we have all the necessary information and a clear understanding of what that information means. Read more “Cut Time & Costs: 7 Best Practices to Follow When Choosing a Cloud Security Solution”

HIPAA Compliance Tips & Best Practices — Training Considerations

All Things Compliance
5 Min Read

What kind of training does your organization need to support HIPAA compliance? A good way to start answering this question is to reference the Department of Health & Human Services (HHS)’s own words:

“The HIPAA Rules are flexible and scalable to accommodate the enormous range in types and sizes of entities that must comply with them. This means that there is no single standardized program that could appropriately train employees of all entities.” [Emphasis added. Ed.]

The standards for training are flexible. But training itself is mandatory: Training is an Administrative requirement of the HIPAA Privacy Rule (45 CFR § 164.530) as well as an Administrative Safeguard of the HIPAA Security Rule (45 CFR § 164.308). Read more “HIPAA Compliance Tips & Best Practices — Training Considerations”

Testing Tool Profile: Why Threat Stack Uses ThoughtWorks Gauge

Software Testing
8 Min Read

Threat Stack is Testing its New Audio Blog Offering!

Threat Stack has numerous tests running daily, verifying that things are working as expected in our Threat Stack Cloud Security Platform®. To supplement the Software Engineers’ unit and integration tests, our Test Engineering team has created the following as part of our automated regression test suite: Read more “Testing Tool Profile: Why Threat Stack Uses ThoughtWorks Gauge”

HIPAA Compliance Tips & Best Practices — Factors to Consider When Developing Effective Policies & Procedures

All Things Compliance
7 Min Read

Our last post on HIPAA compliance — HIPAA Compliance Tips & Best Practices — Building Your Foundational Knowledge — provided expert insights that are designed to help healthcare providers and business associates develop their foundational knowledge of HIPAA regulations and requirements. Today’s post offers insights into how an organization can achieve effective governance by translating its understanding of HIPAA into effective operational policies and procedures. Read more “HIPAA Compliance Tips & Best Practices — Factors to Consider When Developing Effective Policies & Procedures”

How to Create a Security Risk Assessment for Containers in 5 Steps

Containers, Orchestration & Security, Security Research & Strategy
4 Min Read

When adopting containers, organizations need to create a risk profile for the types of threats and vulnerabilities they expect to experience. This type of analysis is especially important with containers, since the attack surface increases significantly, while the level of security visibility across hosts, containers, and the infrastructure control plane decreases.

For example, one of the most prominent attack scenarios in containers is the idea of blast radius. After the initial point of compromise, an attacker can escalate privileges quickly to gain control of other containers in the cluster. Since attackers are looking for the greatest returns for the least amount of effort, a vulnerable Kubernetes or Docker cluster may be a great place to strike quickly and do a lot of damage across a wide attack surface.

New, sophisticated attacks to cloud infrastructure emerge every day. But, if you follow the five steps outlined below to create a cybersecurity risk assessment, you can anticipate where your organization may be most vulnerable and strengthen your system’s security accordingly before an attacker gets the chance to strike. Read more “How to Create a Security Risk Assessment for Containers in 5 Steps”

HIPAA Compliance Tips & Best Practices — Building Your Foundational Knowledge

All Things Compliance
11 Min Read

The last few years have seen a number of failures in the field of HIPAA compliance and fines that would put many smaller-scale practices out of business. While an increase in the use and sharing of electronic patient data accounts for many HIPAA compliance issues, the bottom line is that too many organizations are leaving themselves vulnerable to data protection breaches in ways that are fundamentally avoidable. Read more “HIPAA Compliance Tips & Best Practices — Building Your Foundational Knowledge”

NYDFS Cybersecurity Regulation: Two Years Later, Let’s Check-In

All Things Compliance
5 Min Read

Introduction 

— by Lindsey Ullian, Threat Stack Compliance Manager

Back in 2017, we brought our readers up to date on NYDFS Cybersecurity Regulation (23 NYCRR 500), a new set of regulations introduced by the New York Department of Financial Services (NYDFS). For many of us, other compliance frameworks such as the GDPR, have held more of our attention over the past two years, and 23 NYCRR 500 has somewhat slipped from sight. But given the fact that entities covered by 23 NYCRR 500 must comply whether they are based in New York or not, it’s time to refamiliarize yourself with the regulations.

With that in mind, Collin Varner, Senior Associate at Schellman & Company, has prepared a detailed update on what’s been happening with the regulation since it was introduced, along with key issues you need to understand.

Here’s Collin’s article. . .

Read more “NYDFS Cybersecurity Regulation: Two Years Later, Let’s Check-In”

20 DevSecOps Pros Reveal the Most Important Considerations in Building a DevSecOps Pipeline

DevSecOps, Security Research & Strategy
19 Min Read

In a recent Threat Stack report, 44 percent of DevOps professionals we surveyed said that when it comes to security-related issues, they’d have to rely on someone else. Even if DevOps pros had the time to dedicate to security issues, many developers lack the expertise needed to improve the security of their applications. What’s more, security proves to be a significant roadblock in application development: 40 percent of those surveyed at this year’s RSA conference reported that the impact on agility and speed of application development and deployment is their most significant roadblock when it comes to implementing application security programs. Read more “20 DevSecOps Pros Reveal the Most Important Considerations in Building a DevSecOps Pipeline”