In a recent Threat Stack report, 44 percent of DevOps professionals we surveyed said that when it comes to security-related issues, they’d have to rely on someone else. Even if DevOps pros had the time to dedicate to security issues, many developers lack the expertise needed to improve the security of their applications. What’s more, security proves to be a significant roadblock in application development: 40 percent of those surveyed at this year’s RSA conference reported that the impact on agility and speed of application development and deployment is their most significant roadblock when it comes to implementing application security programs. Read more “20 DevSecOps Pros Reveal the Most Important Considerations in Building a DevSecOps Pipeline”
Going ahead, the Threat Stack Security Operations Center (SOC) will be publishing a quarterly report summarizing lessons we’ve learned, trends we’ve identified, and recommendations you can follow to strengthen your cloud security observability and overall security maturity. Read more “Findings From the Threat Stack Q3, 2019 SOC Report”
The flexibility and speed of cloud computing make is enormously appealing to organizations that are looking to leverage a strong competitive edge. As we’re all aware, however, security threats also exist in the cloud, and enterprise cloud security breaches are increasingly common. In the cloud, visibility throughout your entire infrastructure is a must for proactive risk identification and real-time threat detection across cloud workloads from build-time to runtime. To address the security challenges associated with cloud computing, many organizations are turning to trusted cloud security platforms like Threat Stack for full stack security observability. Read more “Cloud Security Professional Development & Educational Resource Roundup”
The more data you store, the more attractive you become to cybercriminals, so SaaS companies need to recognize the importance of following security best practices. However, even those who understand this imperative can find it difficult to know where to start.
With that in mind, this post discusses three of the most common security mistakes that SaaS organizations make and tips on how your organization can address them. Read more “The Top 3 Security Mistakes SaaS Companies are Making”
Mergers and acquisitions can be successful growth strategies for many companies. They bring together customers, IP, and assets — but they also bring together liabilities and risk as well. Among these are cybersecurity risks. “Cyber diligence” — cybersecurity evaluations performed as part of the M&A decision-making processes — has grown in importance in recent years. What are a company’s vulnerabilities? What cybersecurity issues or incidents have they had in the past, and how have they dealt with them? What defenses do they have in place to protect themselves? Are all important questions to ask in an M&A deal. But even if you’re not involved with a merger or acquisition, the same analysis can yield important and surprising results. Read more “Industry Experts Provide Tips For Successful Cyber Diligence in M&A”
Kubernetes is a popular DevOps tool thanks to its container-centric environment and portability across infrastructure providers. In 2018, Kubernetes had a big year, being the first project to graduate from the Cloud Native Computing Foundation (CNCF) and landing at #9 for commits and #2 for authors/issues on GitHub, coming in second only to Linux. “Three of the largest cloud providers offer their own managed Kubernetes services,” explains CNCF. “Furthermore, according to Redmonk, 71 percent of the Fortune 100 use containers and more than 50 percent of Fortune 100 companies use Kubernetes as their container orchestration platform.” CNCF also points out that Kubernetes is used in production at a massive scale by global companies like The New York Times, eBay, Uber, Goldman Sachs, Buffer, and others. Read more “16 Kubernetes Experts Share the Most Interesting Current Trends to Look for in Kubernetes”
All software development projects, whether they’re large or small, can benefit from well-planned and well-executed testing. It’s your way to ensure that the software you’re developing performs as expected and delivers value to the customer. More important — given the nature of our current cyber landscape — well-executed testing is your way to ensure that your software doesn’t ship with errors or vulnerabilities that could compromise its integrity. In a word, good testing lets you pass on performance value to customers — while also providing them with underlying security. Read more “10 Automated Testing Tools That Threat Stack Uses — and Why”
Compliance isn’t as simple as a connect-the-dots exercise. When you consider how fast companies are moving to and expanding in the cloud, and then take into account the proliferation of cloud-based security threats, compliance can be a little dizzying. We’re here to break down the complexities of compliance requirements for you, starting with SOC 2.
SOC 2 is one of the more common compliance requirements technology companies must meet today. But what does SOC 2 compliance mean, and how can you go about achieving it? In this post, we break down the four most important things you need to know. Read more “4 Things You Need to Know About SOC 2 Compliance”
Here at Threat Stack we really like Yubikeys — and they’re a critical part of our security program. Many folks know Yubikeys for their ability to generate one-time codes for use as a second factor. Did you also know you can store certificates on them and use them in your operating system? I’ve written about using the Personal Identity Verification applet on the Yubikey in the past, but now I’d like to take that one step further and use it to identify yourself to a web application. We’ll cover how to do this with a Mac OS X Mojave client — which works nicely with the OpenSC library and an HAProxy reverse proxy. Read more “Protecting Infrastructure With TLS Client Authentication”
A few months ago I gave a talk about securing microservices at the Boston Cloud Native Computing Meetup. After the presentation, a young developer (a recent college grad) came up to me and said, “Nice talk — I didn’t learn any of that at school.” I asked which parts were new to him — I had covered a lot of material, some of which (like service mesh technology) is pretty new, and it didn’t surprise me that it wouldn’t all have been covered in a CS program. “Well, we weren’t really taught anything about security,” he admitted. As we got to chatting, I realized that he wasn’t exaggerating. He’d taken one network security class and some graduate level courses on cryptography, but none of the ordinary classes incorporated security as a normal part of good software development. It was another demonstration to me that for all our talk in the industry about DevSecOps and “building security in,” the reality remains that most developers are woefully under-prepared with application security skills. Read more “Ten Application Security Terms That Every Developer Should Know”