All software development projects, whether they’re large or small, can benefit from well-planned and well-executed testing. It’s your way to ensure that the software you’re developing performs as expected and delivers value to the customer. More important — given the nature of our current cyber landscape — well-executed testing is your way to ensure that your software doesn’t ship with errors or vulnerabilities that could compromise its integrity. In a word, good testing lets you pass on performance value to customers — while also providing them with underlying security. Read more “10 Automated Testing Tools That Threat Stack Uses — and Why”
Compliance isn’t as simple as a connect-the-dots exercise. When you consider how fast companies are moving to and expanding in the cloud, and then take into account the proliferation of cloud-based security threats, compliance can be a little dizzying. We’re here to break down the complexities of compliance requirements for you, starting with SOC 2.
SOC 2 is one of the more common compliance requirements technology companies must meet today. But what does SOC 2 compliance mean, and how can you go about achieving it? In this post, we break down the four most important things you need to know. Read more “4 Things You Need to Know About SOC 2 Compliance”
Here at Threat Stack we really like Yubikeys — and they’re a critical part of our security program. Many folks know Yubikeys for their ability to generate one-time codes for use as a second factor. Did you also know you can store certificates on them and use them in your operating system? I’ve written about using the Personal Identity Verification applet on the Yubikey in the past, but now I’d like to take that one step further and use it to identify yourself to a web application. We’ll cover how to do this with a Mac OS X Mojave client — which works nicely with the OpenSC library and an HAProxy reverse proxy. Read more “Protecting Infrastructure With TLS Client Authentication”
A few months ago I gave a talk about securing microservices at the Boston Cloud Native Computing Meetup. After the presentation, a young developer (a recent college grad) came up to me and said, “Nice talk — I didn’t learn any of that at school.” I asked which parts were new to him — I had covered a lot of material, some of which (like service mesh technology) is pretty new, and it didn’t surprise me that it wouldn’t all have been covered in a CS program. “Well, we weren’t really taught anything about security,” he admitted. As we got to chatting, I realized that he wasn’t exaggerating. He’d taken one network security class and some graduate-level courses on cryptography, but none of the ordinary classes incorporated security as a normal part of good software development. It was another demonstration to me that for all our talk in the industry about DevSecOps and “building security in,” the reality remains that most developers are woefully under-prepared with application security skills. Read more “Ten Application Security Terms That Every Developer Should Know”
Any organization that has access to electronic Protected Health Information (ePHI) must comply with HIPAA. If your organization needs to be compliant, this isn’t something you can delay or phase in gradually because failure to meet HIPAA compliance can carry steep penalties. (On the positive side, becoming HIPAA compliant can be a tremendous business driver if you’re interested in starting a company, entering a new market, attracting new customers, or reducing the time it takes to obtain approvals.) Read more “HIPAA Compliance Checklist”
The current version of the PCI DSS is 3.2.1, published in May 2018. Requirement 6 states that you must “Develop and maintain secure systems and applications.” Sure, no problem. That’s totally clear and straightforward — at least for anyone who’s never tried to develop and maintain secure systems and applications! For the rest of us, that’s a tall order. Read more “How to Address PCI DSS Requirement 6.6 — A Two-For-One Solution From Threat Stack”
Trash Taxi: A Lifecycle Management Tool for Superuser Discovery & Cleanup
Whenever I join a new team, my first task is fostering and nurturing a good working relationship with the developers. Why? If there is good chemistry between testers and developers, the quality of work improves as the quality of communication increases.
The relationship between developer and tester shouldn’t be one of artist and art critic. Rather, it should be like the relationship between a writer and a copy editor, where each contributes to the quality of the final product.
Developing a good working relationship with developers can be tricky. I am really fortunate to be working here at Threat Stack, where my work is valued and my ideas are appreciated, but in my career — like many of you — I have had my struggles.
With that in mind, here are five tips that I’ve found helpful in nurturing and developing relationships with my developer teammates. Read more “Five Tips On How Testers Can Collaborate With Software Developers”
The Payment Card Industry Data Security Standard (PCI DSS) provides a rigorous security framework and best practices for businesses that store, transmit, or process credit card information.
The PCI DSS is a set of technical and operational requirements that govern modern payment processing. Businesses and organizations in the payments industry must achieve and maintain compliance, or they may become liable to consequences that include increased risk of data breaches, damage to brand reputation, heavy fines, and other sanctions.
With more companies using cloud computing than ever before, PCI compliance in the cloud — such as AWS PCI Compliance — is a growing need. Companies can reduce their risk and streamline compliance by leveraging the right tools. Platforms such as Threat Stack’s Cloud Security Platform®, which offers continuous cloud compliance, can strengthen your organization’s security posture and build compliance into your technology stack to help you meet PCI DSS requirements as well as compliance requirements for other regulatory frameworks.
To help as you embark on the journey to PCI compliance, we have compiled a list of 50 PCI compliance tips from payment security experts and thought leaders. To make the list manageable, we have divided the tips and quotes into the following five categories: Read more “50 Valuable PCI Compliance Tips”
Stratasan provides web-based software and professional services that are designed to help healthcare organizations maximize strategic growth through convenient access to useful information on healthcare markets. Healthcare providers, specifically hospitals and hospital systems, struggle to discover the best opportunities in their market for strategic growth, find the right patient populations in their service area, and track their performance and progress against their strategic growth goals.
By delivering intelligence through proprietary web-based software and a team of seasoned healthcare professionals, Stratasan establishes a foundation for growth in strategic planning, marketing, physician relations, and expansion. Partnering with nearly 1,000 hospitals across 40 states, Stratasan helps them achieve efficiency and effectiveness in their strategic planning initiatives.
This blog post outlines how Stratasan uses Threat Stack to gain the visibility, multiple tiers of monitoring, and auditable data it needs to address its growing security and compliance needs. Read more “How Stratasan Addresses Its Growing Security & Compliance Needs for Healthcare IT and Services Using Threat Stack”