Last week I had the pleasure of attending DevOpsDays Austin with my team from Threat Stack Cloud Security, one of the event’s sponsors. DevOpsDays has been growing at an incredible rate, and this year’s event was moved to a larger venue, the Darrell K. Royal–Texas Memorial Stadium. Once again, the organizers prepared a top tier event, showcasing DevOps, Security, Culture, and even a dedicated Containers track.
On May 3rd the ImageMagick security team posted on their blog a possible remote code execution vulnerability involving specially crafted images. For those that haven’t seen the news yet, ImageMagick is a widely used open source program for converting and managing images. You might use it, for example, if you were a website that lets users upload their own profile picture. Those users could upload a specially crafted image that would be executed by the ImageMagick application and potentially cause a remote code execution on the host.
Shortly after ImageMagick posted on their blog, the vulnerability was discussed in various online mailing lists and forums.
Read more “No Magick Here: How to Detect ImageTragick (CVE-2016–3714) With Threat Stack”
We had a great time at the co-hosted PagerDuty/Threat Stack workshop in Seattle last Wednesday: “Incident Management in the 21st Century.” The event kicked off with an opening talk by Jonathan Wilkinson, VP of Product for PagerDuty. He revealed some of the new things PagerDuty is working on and demonstrated many of the interesting ways their customers are using the product and building tools on top of it, enabling them to get the right people “in the room” to handle company incidents.
I’ve spent most of my career in Operations, and the last 5 years at various organizations advocating and instilling DevOps principles in the teams I work with. One thing I’ve noticed is that most companies value speed over security, which has traditionally been a blocker in delivering software.
Recently, however, with more and more breaches and vulnerabilities reported (Shellshock and Heartbleed to name a just few), I’ve changed my tune. I’m not going to say I’ve become paranoid, but one of the reasons I’ve joined Threat Stack is because I believe how important it is that security gets integrated into the operations process.
Last week, I had a call with Gene Kim, founding CTO of Tripwire and author of The Phoenix Project (see end of post for more details). I’ve known Gene from the DevOps community for awhile now, so we took this time to dive into all things DevOps and Security, in the end resulting in this great Q&A to share with you all on what bringing Security into DevOps means for us all.
This is the second post in our new series of weekly blog posts that dives into the role of SecDevOps. This series looks into why we need it in our lives, how we may go about implementing this methodology, and real life stories of how SecDevOps can save the Cloud.