Once again, Monitorama 2017 — the sixth official Monitorama — was held in Portland, OR. The event began at 10 a.m. on Monday, May 22 with a talk by John Rauser of Snapchat and ran for three days packed with great presentations, demos, and conversations. Read more “Monitorama 2017: The Monitoring Revolution Continues”
Gone are the days when the majority of businesses could point to the cloud warily and say, “I think my data’s safer on-prem.” Organizations today are far less worried about how secure the cloud is in general, and this change in attitude has sped up cloud adoption to a great degree.
What has led to this more relaxed embrace of the cloud? In part, providers like AWS have gone to great lengths to codify and transparently communicate a Shared Responsibility Model that has expressly defined the scope and boundaries of responsibility. Increasingly, customers recognize that Amazon and its brethren have all-star teams that have a security focus ingrained in them. There’s a certain level of comfort that comes with knowing you are in good, experienced hands.
But, even as the cloud is proven to be quite secure and as confidence in it increases, Security and DevOps teams still have to be vigilant about their own workloads. Organizations have to pick up their end of the shared responsibility bargain — and in some cases, even take it a step further than what is required.
With that in mind, here’s what today’s organizations need to know in order to do that successfully and continue to benefit from all that the cloud has to offer without major security concerns stymying progress. Read more “The Real Implications of The Shared Security Model”
Conferences can be an amazing way to connect with like-minded folks and educate yourself on what’s new and trending in your industry. At Threat Stack, we regularly attend and speak at conferences like BSides and DevOpsDays, and it’s been exciting to see a bigger focus on security topics in the DevOps world in recent years. Since we attend so many conferences ourselves, we wanted to offer some helpful advice on how you can keep your devices secure while you’re attending conferences. Read more “How to Stay Secure at Conferences”
If you’re already on the Slack bandwagon, then you have probably experienced first-hand how it can make communications between teams far simpler and more streamlined. With 1.7 million daily active users, it’s clear Slack has come to dominate the team chat world, especially in tech and tech-savvy industries.
From a security perspective, Slack has done a solid job of keeping its assets on lock. In 2016, they scored Geoff Belknap from Palantir to become chief security officer. And they have been pretty transparent about their approach to security. They have dedicated a whole section of their website to it and published interviews with Belknap and others that delve into Slack’s precautions and philosophy around security. Belknap says, “My job is to worry. Professionally. So that our customers don’t have to.” We love that attitude!
The company has also gone to the trouble of having many of its products assessed against stringent compliance requirements such as FINRA, HIPAA, and SOC 2 and SOC 3, which makes it a no-brainer for small teams and enterprises alike.
So, we feel that it’s perfectly possible for companies of all shapes and sizes to lean on Slack for team chat and ops without worrying too much about security. But, we also believe in the shared responsibility model when it comes to any form of online security. No one’s perfect, and Slack’s ubiquity and popularity mean that it will always be a target for cybercriminals looking to steal information.
There’s no need to run scared, but you do need to be smart about how you use this valuable tool. Here are our tips for running Slack securely at your organization. Read more “How to Stay Secure on Slack”
When someone in your company clicks on a bad link, it can spell bad news. But you know what’s worse? Them never telling you.
When employees are afraid to come forward about a mistake they’ve made (or think they’ve made), it makes security responders’ jobs that much more difficult.
Unfortunately, this kind of negative atmosphere is a reality at many companies. The good news is the culture can be improved, and one way of doing this is by conducting blameless security post-mortems. I spoke about this in my DevOpsDays Austin talk in May, 2015. Threat Stack partners VictorOps and PagerDuty have also written on the topic. You need your whole team to be security ambassadors (not roadblocks), and blameless security post-mortems can help enable this.
Below, we’ll explore what a blameless post-mortem is and how it applies to your future security incident response.
There’s no question that Amazon Web Services is an incredibly powerful and secure cloud services platform for delivering all sorts of software applications. AWS offers an extensive number of products and services for creating a scalable, reliable, and flexible architecture that meets the unique needs of your application. However, it can be difficult to know how to approach securing your AWS infrastructure. While we can’t give you insight into all of those services, of course, we are going to talk about the security benefits provided by three of our favorites, just to get you started.
Ask three people what SecOps is and chances are you’ll get three different descriptions:
- It’s a team
- It’s a job title
- It’s a methodology
All of these definitions are, in fact, correct. Smaller companies may implement a SecOps methodology where everyone is a security ambassador, whereas larger companies with more personnel can assemble an entire team and designate specific SecOps job titles. Whichever is the case for you, there are five ingredients that must be part of any successful SecOps implementation. Read more “The 5 Ingredients of a Successful SecOps Implementation”
At Threat Stack, we’ve been a SecOps-oriented team from day one. This means our developers, operations, and security practitioners all work together to make sure that every line of code we release is secure. It’s how we eat our own dogfood.
But we know that getting started with SecOps isn’t always easy, especially since little has been said so far about the practicalities of how security and operations can come together to enable SecOps.
Pete Cheslock, our Senior Director of Operations and Support, has been on the frontlines of SecOps for much of his career, so we decided to spend some time quizzing him about the practical aspects of getting a SecOps program started. Read more “Will SecOps Finally Close the Security and Operations Gap? A Q&A with Pete Cheslock”
Why We Created a SecOps Playbook
I have experienced the transition to SecOps up close and personal. I’ve led teams in figuring out how to get security practitioners and DevOps teams in sync and in harmony. Along the way, I’ve learned a number of valuable lessons that can be extended to any team that is thinking about bringing security deeper into the DevOps process.
Last week, we released Part 1 of a two-part series on the low-hanging security best practices companies can implement to improve their security posture. Since security is no longer just the domain of the security experts, it’s important that everyone within your organization feel empowered to uphold security best practices regardless of their role.
This series is designed to give organizations a “starting point” on the security journey by identifying low-hanging fruit that can be picked to gradually improve security. In Part 1, we explained the four security tools and services we recommend getting started with, and in this post we uncover the next set of recommendations, which can take you from level one to level two, so to speak.