Test-Driven Security With Chef InSpec

Test-Driven Security

Test-driven security is the practice of building security tests into the development process, and Chef InSpec is one tool that will help you get started with it. These security tests are intended to define the security features required for a system to be production ready.

In this post, we will walk through the process of using test-driven security, with prescriptive security tests, using Chef InSpec.

Considerations for Moving Services to AWS Lambda

You’re an Ops person who’s ready to take a dip into AWS Lambda and this whole serverless thing. But where do you start? You’ve gone from deploying a monolith to deploying microservices. Now how do you go from deploying a microservice to deploying functions?

We want to take something that was originally written to run on an EC2 instance and run it on Lambda. How do we get there? In this post, we’ll explore this question by looking at the threatstack-to-s3 service that we’ve discussed in other blog posts.

Resources for DevOps Pros to Learn About Security

These days, security should be part of everyone’s job. This is especially true for DevOps teams, which are responsible for developing, delivering, and maintaining critical applications for many organizations, and must therefore prioritize security as part of their role. But the world of security can seem like a bit of a mystery until you’ve been exposed to it.

If you or someone on your team is looking to learn more about what it takes to run a secure organization today, we have provided a list of resources below, from conferences to reference books to Twitter handles, that are worth checking out.

New Playbook: Jump Starting Your Cloud Security Journey

Cloud security is a complex subject, and customers sometimes tell us that one of their biggest challenges is simply knowing where to start.

In our latest playbook, Jump Starting Cloud Security: A Guide to Starting Your Cloud Security Journey, we have addressed this problem head on. If your organization is just starting out in cloud security — whether it’s a rapidly growing startup or a more established company — this Playbook is intended for you.

It’s a roadmap full of industry-proven practices that will put you on the fast track to cloud security monitoring, addressing your first round of security concerns, and measurably improving your security stance, all in a reasonable amount of time for a reasonable outlay of money and resources.

The hands-on approach will help you implement important security practices without diverting resources and attention away from your company’s main business goals, and you’ll also end up with a solid platform to build on when you want to move up to the next level of maturity on the cloud security ladder.

The Three Pillars of Continuous Security Improvement

Security should never be a one-and-done proposition: It requires a continuous improvement mindset to keep you on top of security initiatives and to accommodate new issues as you detect them. Once your security program is up and running, you need to measure, evaluate, and modify it on an ongoing basis to maintain or improve your results. This doesn’t necessarily require a ton of time and effort; it simply requires a strategy.

So today, we want to take a look at what it takes to build an effective security program with continuous improvement at its core. In our view, there are three key pillars to continuous security improvement, and if you have been following along with our Starting Your Cloud Security Journey blog post series, then you’ll be well-acquainted with these concepts.

How to Implement a Security Awareness Program at Your Organization

Security isn’t just a technical problem. It’s also a people problem, and keeping the people side of the security equation strong requires that all people in your organization have an awareness of security. This is why security awareness programs are so important.

The goal of a security awareness program — as you may have guessed — is to increase organizational understanding and practical implementation of security best practices. A program like this should apply to all hires — new and old, across every department — and it should be reinforced on a regular basis.

Here’s what you need to know to create a first-class security awareness program at your organization.

Incorporating AWS Security Best Practices Into Terraform Design

Implementing AWS security best practices into your Terraform design is an excellent way of ensuring that you have a streamlined way to achieve your security goals and manage your infrastructure.

In this post, we will talk about the following three areas of AWS security best practices and how to implement them with Terraform:

  • Environment segregation by AWS account
  • CloudTrail logging
  • Traffic and system access controls

Just to be clear, this post is not an introduction to Terraform: It’s an introduction to incorporating AWS security best practices into Terraform code.

OS Updates and Package Management: Ubuntu Repo Management With Aptly and AWS S3

Note: In light of the AWS S3 outage in us-east-1 on February 28, 2017, let’s discuss a few things. Amazon’s S3 has exemplary availability. Compare that with the time and cost of maintaining package distribution yourself. It’s easy to look at S3’s outage and conclude that it is better to handle the responsibility yourself. In the same way, it’s easy to see news of a plane crash and conclude that driving is more reliable. The feeling of control doesn’t always lead to the most reliable outcome. Aptly does provide the ability to serve a repository on its own. See how to front Aptly with nginx in an emergency like the one on Tuesday February 28.

It is an unfortunate fact that many organizations do not routinely perform comprehensive software patching. At Threat Stack, we have confirmed this with our own analysis of how frequently systems are updated, and Verizon’s DBIR shows us that the most commonly exploited vulnerabilities are months or years old.

But patching is one area where following the status quo is a very bad idea. As a best practice, your organization needs a patching strategy to make sure it remains secure, and with that in mind, this post explains how you can adopt a patching strategy that suits your organization’s needs and values.

Chef Habitat For Packaging Python Flask Web Services

One of the challenges of building open source tools is figuring out how to package and distribute them. This is particularly true with web services. To make building, deploying, and running web services easier, Chef created Habitat.

When building open source web services for Threat Stack, one of our concerns is how to package these Python Flask applications so they run in the widest array of environments with low adoption friction. Using Habitat, the process is quick and easy.

For this post, we’re going to focus on the specifics of packaging a Python Flask application and the particular needs of that stack.