No Magick Here: How to Detect ImageTragick (CVE-2016–3714) With Threat Stack

On May 3rd the ImageMagick security team posted on their blog a possible remote code execution vulnerability involving specially crafted images. For those that haven’t seen the news yet, ImageMagick is a widely used open source program for converting and managing images.  You might use it, for example, if you were a website that lets users upload their own profile picture. Those users could upload a specially crafted image that would be executed by the ImageMagick application and potentially cause a remote code execution on the host.

Shortly after ImageMagick posted on their blog, the vulnerability was discussed in various online mailing lists and forums.
Read more “No Magick Here: How to Detect ImageTragick (CVE-2016–3714) With Threat Stack”

Why Security is No Longer Just the Domain of Security Experts

We had a great time at the co-hosted PagerDuty/Threat Stack workshop in Seattle last Wednesday: “Incident Management in the 21st Century.” The event kicked off with an opening talk by Jonathan Wilkinson, VP of Product for PagerDuty. He revealed some of the new things PagerDuty is working on and demonstrated many of the interesting ways their customers are using the product and building tools on top of it, enabling them to get the right people “in the room” to handle company incidents.

Read more “Why Security is No Longer Just the Domain of Security Experts”

4 Steps To Effectively Integrate DevOps Workflows With Cloud Security Practices

I’ve spent most of my career in Operations, and the last 5 years at various organizations advocating and instilling DevOps principles in the teams I work with. One thing I’ve noticed is that most companies value speed over security, which has traditionally been a blocker in delivering software.

Recently, however, with more and more breaches and vulnerabilities reported (Shellshock and Heartbleed to name a just few), I’ve changed my tune. I’m not going to say I’ve become paranoid, but one of the reasons I’ve joined Threat Stack is because I believe how important it is that security gets integrated into the operations process.

Read more “4 Steps To Effectively Integrate DevOps Workflows With Cloud Security Practices”

Bringing Infosec Into The DevOps Tribe: Q&A With Gene Kim

Last week, I had a call with Gene Kim, founding CTO of Tripwire and author of The Phoenix Project (see end of post for more details). I’ve known Gene from the DevOps community for awhile now, so we took this time to dive into all things DevOps and Security, in the end resulting in this great Q&A to share with you all on what bringing Security into DevOps means for us all.

Read more “Bringing Infosec Into The DevOps Tribe: Q&A With Gene Kim”