If you look at how and when different companies implement security, it’s clear the approach runs the gamut. Some go all in from day one while many others wait until the need is on top of them.
Of course, companies that get security off the ground as early as possible have many advantages, but that can be a daunting undertaking. This especially rings true in organizations that don’t have security pros on staff.
No matter where you are today, there are steps you can take to get more secure. And rather than succumb to analysis paralysis, it’s a good idea to just bite off what you can chew and start somewhere. So… where to start?
Read more “Cloud Security: Where to Get Started, Part 1”
It won’t be long before network perimeters are a thing of the past. As companies continue to adopt the cloud, either going all-in or operating in hybrid mode, the familiar perimeter starts to disappear.
Read more “How to Monitor Network Activity When Your Infrastructure Lacks an Edge”
You’re a week into your new job and a colleague shouts out across the room before a big deployment: “Hey John, you’ve got security covered, right?” You rush over to your good friend Google for a few quick ideas on implementing security best practices into DevOps and timidly shake your head “yes” at your colleague.
Read more “How to Create a Security-Minded DevOps Organization: Three Best Practices”
A recent Motherboard article caught our eye and got us thinking about who is — and who should be — responsible for security in an organization. The article, titled “We Need to Change the Psychology of Security,” makes the argument that, by treating security as a specialization that belongs only to a few people in an organization (the security team), we are crippling our ability to successfully achieve security at scale.
The author, Adrian Sanabria, makes some excellent points. After reading the article, we wanted to share some actionable ways that organizations can go about deputizing their employees as security ambassadors.
It’s every executive’s worst nightmare: becoming the next Target- or Anthem-style data breach headline. But aside from just hoping and praying that you won’t be the next victim, you can take some very practical and actionable steps to keep your organization safe and to ensure that, if you are breached, you’ll know right away.
Read more “5 Tips for Reinforcing Your Organization’s Cloud Security”
Unless you’ve been living under a rock (or don’t work in the tech industry), you’ve probably heard the term DevOps thrown around. A mashup of “development” and “operations,” DevOps is a mindset and set of practices that focus on collaboration and communication between software developers and other IT professionals with the goal of automating both software delivery and infrastructure changes.
Read more “How to Apply DevOps Culture to Security & Why You Should Do It”
When you discover a security vulnerability affecting your environment, you want to fix it. Quick.
Read more “What to Do When You Can’t Fix a Security Vulnerability”
Last week I had the pleasure of attending DevOpsDays Austin with my team from Threat Stack Cloud Security, one of the event’s sponsors. DevOpsDays has been growing at an incredible rate, and this year’s event was moved to a larger venue, the Darrell K. Royal–Texas Memorial Stadium. Once again, the organizers prepared a top-tier event, showcasing DevOps, Security, Culture, and even a dedicated Containers track.
Read more “A Look Back at DevOpsDays Austin 2016”
On May 3rd the ImageMagick security team posted on their blog a possible remote code execution vulnerability involving specially crafted images. For those who haven’t seen the news yet, ImageMagick is a widely used open source program for converting and managing images. You might use it, for example, if you ran a website that lets users upload their own profile picture. Those users could upload a specially crafted image that, when processed by ImageMagick, could lead to remote code execution on the host.
Shortly after ImageMagick posted on their blog, the vulnerability was discussed in various online mailing lists and forums.
Read more “No Magick Here: How to Detect ImageTragick (CVE-2016-3714) With Threat Stack”
We had a great time at the co-hosted PagerDuty/Threat Stack workshop in Seattle last Wednesday: “Incident Management in the 21st Century.” The event kicked off with an opening talk by Jonathan Wilkinson, VP of Product for PagerDuty. He revealed some of the new things PagerDuty is working on and demonstrated many of the interesting ways their customers are using the product and building tools on top of it, enabling them to get the right people “in the room” to handle company incidents.
Read more “Why Security is No Longer Just the Domain of Security Experts”