Protecting Infrastructure With TLS Client Authentication

Here at Threat Stack we really like Yubikeys — and they’re a critical part of our security program. Many folks know Yubikeys for their ability to generate one-time codes for use as a second factor. Did you also know you can store certificates on them and use them in your operating system? I’ve written about using the Personal Identity Verification applet on the Yubikey in the past, but now I’d like to take that one step further and use it to identify yourself to a web application. We’ll cover how to do this with a Mac OS X Mojave client — which works nicely with the OpenSC library and an HAProxy reverse proxy. Read more “Protecting Infrastructure With TLS Client Authentication”

Tips for Choosing the Right CI/CD Tools

Building an effective CI/CD pipeline can be a complex process with countless decisions that require a great deal of planning. Whether it’s a massive DevOps team or a single developer working alone, the more you can draw on practical, real-world knowledge in making decisions about CI/CD tools the better off you are. While highly experienced developers can pass along tips to less experienced team members, the constantly changing nature of DevOps means that even the most experienced developer can benefit. 

Like all workflows, CI/CD workflows are susceptible to security concerns, so it’s a best practice to integrate security into your DevOps world (something commonly known as DevSecOps). By pairing leading continuous integration tools with a cloud security and compliance solution like the Threat Stack Cloud Security Platform®, you can build security directly into the entire software development lifecycle. With security across the CI/CD pipeline, you can ensure that your team is developing more reliable and secure applications, without compromising your team’s efficiency.

In this post, we offer 50 tips offered up by a variety of industry experts as a good place for software engineers to start building a knowledge base. To make things easier, we’ve divided the list into the following categories, beginning with a few general tips that are useful no matter the team or project: Read more “Tips for Choosing the Right CI/CD Tools”

20 Best Continuous Integration Tools: A Guide to Optimizing Your CI/CD Processes

Continuous integration (CI) tools are the engine that drives today’s SaaS software development strategy across all business, corporate, consumer, and industrial boundaries. CI is crucial to streamlining development processes and providing engineering teams with real-time insights on software deployment.

Continuous delivery (CD) is the next level of continuous integration and is vital to delivering stable software to a test environment so developers can determine whether the software is releasable.

A CI/CD pipeline helps automate steps in the software delivery process, such as initiating code builds, running automated tests, and deploying to a staging or production environment. Automated pipelines remove manual errors, provide standardized development feedback loops, and enable fast product iterations. An effective CI/CD strategy can automate the process all the way to deployment in production environments so customers can see changes sooner.

CI/CD workflows aren’t immune to security concerns. To address these, we recommend integrating security into your DevOps model (something commonly known as DevSecOps). By pairing leading continuous integration tools with a comprehensive security solution like Threat Stack’s Cloud Security Platform®, organizations can develop more reliable and secure applications, without compromising their team’s efficiency. Including Threat Stack in your model would enable you to achieve full stack security observability.

While countless CI/CD tools are available to fit a variety of needs, this post compiles 20 of the most widely used as well as a cross section that are suited to specific different development needs and teams. (For more top tools used by today’s leading development teams, check out our list of the best DevOps tools.) Read more “20 Best Continuous Integration Tools: A Guide to Optimizing Your CI/CD Processes”

50 Great DevOps Tools You May Not Be Using

DevOps is about seamless collaboration between Development and Operations, and you need to have the right tools in your environment to help make this possible. As everyone knows, DevOps covers a lot of functional areas, so knowing what tools to adopt can be a challenge.

Today’s market offers a huge array of both open source and proprietary tools, and together they can answer nearly every need throughout the DevOps lifecycle from Planning to Deployment to Monitoring and ongoing Improvement. When these are coupled with a comprehensive security solution like Threat Stack’s Cloud Security Platform®, they can also help to enable security and compliance: It’s a matter of understanding what each tool offers, matching the right ones to your requirements, and investing the time needed to train your team to use them to their highest potential.

To help you make your way through the almost endless list of tools out there, we’ve used this post to compile a list of 50 great DevOps tools that you might want to consider when you’re looking for a solution that will help streamline, automate, or improve specific aspects of your workflow. Read more “50 Great DevOps Tools You May Not Be Using”

Threat Stack Announces New and Enhanced CloudTrail Rules

As AWS continues to expand its services landscape, Threat Stack has made a commitment to keeping in step by crafting additional coverage that keeps your cloud environment secure. The latest additions we’ve made to Threat Stack’s CloudTrail rules are focused on giving more granular alerting and context to your interactions with the AWS control plane.

Threat Stack has significantly expanded the CloudTrail Base Ruleset in its Cloud Security Platform®. Not only have we increased the number of rules from 26 to 87 — we have also provided rules for five AWS Services that were not covered previously (DynamoDB, Elastic Container Service, Elastic Kubernetes Service, Security Token Service, and AWS Support). And don’t forget — the Cloud Security Platform still gives you the flexibility to create custom rules based on CloudTrail event data.

While we’re not going to comment on all 87 rules in this post, we are going to focus on important highlights, including:

  • New rules to cover five additional AWS Services
  • Expanded rules for Identity and Access Management (IAM)
  • Expanded rules for Virtual Public Cloud (VPC)

The new rules for five additional AWS Services are discussed in Part 1 below, while Part 2 gives an overview of the expanded rules for AWS Services that we already support. Read more “Threat Stack Announces New and Enhanced CloudTrail Rules”

50 Useful Kubernetes Tutorials for IT Professionals

Technologies like Docker have made it easier to continuously deploy applications across any number of host servers. They eliminate the need for having your own virtual machine because all the code and configuration settings you need to run your app is packaged into one container.

Google created Kubernetes to automate a number of tasks and processes involved in managing containerized apps. You can use Kubernetes to automatically deploy, scale, and decommission containerized applications. Of course, Kubernetes is not a silver bullet, and Kubernetes deployments have opened up a new set of infrastructure security concerns for DevOps teams. That’s why it’s important to be well versed in how to work with Kubernetes, as well as the tactics and solutions you can employ to create a more secure environment. For instance, Threat Stack now provides security and IT leaders transitioning to container-based infrastructure with the expertise and enhanced security visibility necessary to effectively manage the addition of container-based cloud environments through our Threat Stack Cloud Security Platform® and Threat Stack Cloud SecOps Program℠.

If you are planning to take a systematic approach to learning Kubernetes, then you should be on the lookout for quality tutorials. The good news is that a lot of resources are available online. There are also more structured courses that sometimes offer certification — if you’re willing to pay, that is. Read more “50 Useful Kubernetes Tutorials for IT Professionals”

AWS EC2 Tagging — An Overview

Just this morning I received my weekly AWS announcements email, and as I usually do, took a peek to see if there was anything useful or interesting. There were yet more features on their intimidating laundry list of 109 offerings, some outdated and maintained for legacy reasons like Simple Workflow, and some hot off the press like MariaDB RDS support. It’s easy to get lost in the sea of AWS services and be tricked into thinking there’s a feature that will solve your problem. But one feature, in particular, that should be a staple for organizations in their efforts to organize and manage their infrastructure, is tags, which we will discuss in this post.
Read more “AWS EC2 Tagging — An Overview”

3 SecOps Culture Hacks You Should Embrace Today

All types of organizations are embracing DevOps as a way to deliver work quickly and reliably. However, security sometimes falls by the wayside in favor of the desire to move fast. In fact, a recent Threat Stack survey shows that 52% of companies admit to sacrificing security for speed.

As a result, Security, Development, and Operations teams often remain deeply siloed, causing security to be treated as an afterthought and placing teams in constant “reactive mode” — which exposes the organization to unnecessary risk. Our recent survey of Development, Operations, and Security professionals spells out a few of the key issues:

  • Security is siloed. At 38% of organizations, security is a completely separate team that is only brought in when needed.
  • Developers can’t code securely. 44% of developers aren’t trained to code securely. Without this basic ability, code is often written without security in mind, and this causes security to become a disruptive bottleneck when it must inevitably step in and intervene.
  • Operations doesn’t have security training. 42% of operations staff admit that they are not trained in basic security practices — meaning they can’t configure servers securely, and they do not see deploying securely as part of the configuration management process.

Ultimately, people and processes make up the foundation of every business transformation. SecOps is no different. Change can be difficult, but operationalizing cloud infrastructure security can help you reduce security incidents, ensure compliance, and innovate without sacrificing security or speed.

Below, we’ll walk through three of the cultural changes that need to take place at your organization to encourage people to embrace SecOps as they pursue innovation, speed, and scale. Read more “3 SecOps Culture Hacks You Should Embrace Today”

A Deep Dive Into Secrets Management

There’s a lot to think about when it comes to working with containers, Kubernetes, and secrets. You have to employ and communicate best practices around identity and access management in addition to choosing and implementing various tools. Whether you’re a SecOps professional at a startup, small business, or large enterprise, you need to make sure you have the right tools to keep your environments secure.

Recently, we sat down with Stenio Ferreira, Senior Solutions Engineer at HashiCorp. Armed with a degree in computer science and experience as a Java developer at a variety of companies, including IBM, Stenio migrated into a consulting role where he advised clients who wanted to start continuous integration / continuous delivery (CI/CD) pipelines and improve their automation workflow. That’s where he was exposed to HashiCorp, his current company.

According to Stenio, a secrets management solution is a must — and there are various reasons to use one (such as centralized authentication). Stenio explained the services offered at HashiCorp, and shared his perspective on containers, Kubernetes, open source solutions, and Vault. Read more “A Deep Dive Into Secrets Management”