Andy Jassy, CEO of Amazon Web Services, Introduces New and Enhanced AWS Services at re:Invent

Las Vegas — Wednesday, November 29, 2017

It was 8:00 a.m. when AWS CEO Andy Jassy took to the stage to offer up the latest AWS news and announcements. And offer up he did. To my recollection, the number of services announced today dwarfed anything unveiled at any previous AWS re:Invent show. (To see the ever-growing list of services debuted this year, head over to the AWS blog.)

The sheer number of new services blew away all expectations. Not only did Amazon announce new compute instances and enhancements to some of their existing services, but the big news was their flurry of announcements about new services that continue down the path of Serverless and Machine Learning.

Here are some of the highlights, along with my points of view from a DevOps perspective. Read more “Andy Jassy, CEO of Amazon Web Services, Introduces New and Enhanced AWS Services at re:Invent”

The Real Implications of The Shared Security Model

Gone are the days when the majority of businesses could point to the cloud warily and say, “I think my data’s safer on-prem.” Organizations today are far less worried about how secure the cloud is in general, and this change in attitude has sped up cloud adoption to a great degree.

What has led to this more relaxed embrace of the cloud? In part, providers like AWS have gone to great lengths to codify and transparently communicate a Shared Responsibility Model that has expressly defined the scope and boundaries of responsibility. Increasingly, customers recognize that Amazon and its brethren have all-star teams that have a security focus ingrained in them. There’s a certain level of comfort that comes with knowing you are in good, experienced hands.

But, even as the cloud is proven to be quite secure and as confidence in it increases, Security and DevOps teams still have to be vigilant about their own workloads. Organizations have to pick up their end of the shared responsibility bargain — and in some cases, even take it a step further than what is required.

With that in mind, here’s what today’s organizations need to know in order to do that successfully and continue to benefit from all that the cloud has to offer without major security concerns stymying progress. Read more “The Real Implications of The Shared Security Model”

How to Stay Secure at Conferences

Conferences can be an amazing way to connect with like-minded folks and educate yourself on what’s new and trending in your industry. At Threat Stack, we regularly attend and speak at conferences like BSides and DevOpsDays, and it’s been exciting to see a bigger focus on security topics in the DevOps world in recent years. Since we attend so many conferences ourselves, we wanted to offer some helpful advice on how you can keep your devices secure while you’re attending conferences. Read more “How to Stay Secure at Conferences”

How to Stay Secure on Slack

If you’re already on the Slack bandwagon, then you have probably experienced first-hand how it can make communications between teams far simpler and more streamlined. With 1.7 million daily active users, it’s clear Slack has come to dominate the team chat world, especially in tech and tech-savvy industries.

From a security perspective, Slack has done a solid job of keeping its assets on lock. In 2016, they scored Geoff Belknap from Palantir to become chief security officer. And they have been pretty transparent about their approach to security. They have dedicated a whole section of their website to it and published interviews with Belknap and others that delve into Slack’s precautions and philosophy around security. Belknap says, “My job is to worry. Professionally. So that our customers don’t have to.” We love that attitude!

The company has also gone to the trouble of certifying many of its products to meet stringent compliance regulations like FINRA, HIPAA, and SOC 2 and 3, which makes it a no-brainer for small teams and enterprises alike.

So, we feel that it’s perfectly possible for companies of all shapes and sizes to lean on Slack for team chat and ops without worrying too much about security. But, we also believe in the shared responsibility model when it comes to any form of online security. No one’s perfect, and Slack’s ubiquity and popularity mean that it will always be a target for cybercriminals looking to steal information.

There’s no need to run scared, but you do need to be smart about how you use this valuable tool. Here are our tips for running Slack securely at your organization. Read more “How to Stay Secure on Slack”

How to Conduct a Blameless Security Post-Mortem

When someone in your company clicks on a bad link, it can spell bad news. But you know what’s worse? Them never telling you.

When employees are afraid to come forward about a mistake they’ve made (or think they’ve made), it makes security responders’ jobs that much more difficult.

Unfortunately, this kind of negative atmosphere is a reality at many companies. The good news is the culture can be improved, and one way of doing this is by conducting blameless security post-mortems. I spoke about this in my DevOpsDays Austin talk in May, 2015. Threat Stack partners VictorOps  and PagerDuty have also written on the topic. You need your whole team to be security ambassadors (not roadblocks), and blameless security post-mortems can help enable this.

Below, we’ll explore what a blameless post-mortem is and how it applies to your future security incident response.

Read more “How to Conduct a Blameless Security Post-Mortem”

3 Things You Can Do to Improve Your AWS Security Posture

There’s no question that Amazon Web Services is an incredibly powerful and secure cloud services platform for delivering all sorts of software applications. AWS offers an extensive number of products and services for creating a scalable, reliable, and flexible architecture that meets the unique needs of your development. However, it can be difficult to know how to approach securing your AWS infrastructure. While we can’t give you insight into all of them, of course, we are going to talk about the security benefits provided by three of our favorites, just to get you started.

Read more “3 Things You Can Do to Improve Your AWS Security Posture”

The 5 Ingredients of a Successful SecOps Implementation

Ask three people what SecOps is and chances are you’ll get three different descriptions:

  1. It’s a team
  2. It’s a job title
  3. It’s a methodology

All of these definitions are, in fact, correct. Smaller companies may implement a SecOps methodology where everyone is a security ambassador, whereas larger companies with more personnel can assemble an entire team and designate specific SecOps job titles. Whichever is the case for you, there are five ingredients that must be part of any successful SecOps implementation. Read more “The 5 Ingredients of a Successful SecOps Implementation”

Will SecOps Finally Close the Security and Operations Gap? A Q&A with Pete Cheslock

At Threat Stack, we’ve been a SecOps-oriented team from day one. This means our developers, operations, and security practitioners all work together to make sure that every line of code we release is secure. It’s how we eat our own dogfood.

But we know that getting started with SecOps isn’t always easy, especially since little has been said so far about the practicalities of how security and operations can come together to enable SecOps.

Pete Cheslock, our Senior Director of Operations and Support, has been on the frontlines of SecOps for much of his career, so we decided to spend some time quizzing him about the practical aspects of getting a SecOps program started. Read more “Will SecOps Finally Close the Security and Operations Gap? A Q&A with Pete Cheslock”

The SecOps Playbook: What I’ve Learned About Integrating Security Into DevOps

The Threat Stack SecOps Playbook is now available!

Why We Created a SecOps Playbook

I have experienced the transition to SecOps up close and personal. I’ve led teams in figuring out how to get security practitioners and DevOps teams in sync and in harmony.  Along the way, I’ve learned a number of valuable lessons that can be extended to any team that is thinking about bringing security deeper into the DevOps process.

Read more “The SecOps Playbook: What I’ve Learned About Integrating Security Into DevOps”