AWS EC2 Tagging — An Overview

AWS Security, Dev & DevOps Knowledge
4 Min Read

Just this morning I received my weekly AWS announcements email, and as I usually do, took a peek to see if there was anything useful or interesting. There were yet more features on their intimidating laundry list of 109 offerings, some outdated and maintained for legacy reasons like Simple Workflow, and some hot off the press like MariaDB RDS support. It’s easy to get lost in the sea of AWS services and be tricked into thinking there’s a feature that will solve your problem. But one feature, in particular, that should be a staple for organizations in their efforts to organize and manage their infrastructure, is tags, which we will discuss in this post.
Read more “AWS EC2 Tagging — An Overview”

How to Create a Threat Model for Cloud Infrastructure Security

AWS Security, Security Research & Strategy
3 Min Read

Our Motto is: Threat Modeling: The sooner the better, but never too late. — OWASP

The practice of creating a threat model can help teams proactively understand and develop a strategy for managing the possible vulnerabilities their organization faces, instead of waiting until after an incident occurs. OWASP defines threat modeling as “a procedure for optimizing security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system.”

SecOps teams can benefit from creating a threat model for cloud infrastructure, and defining an approach to operationalizing, hardening, and automating security throughout the software development lifecycle. While it’s best to build security into the design of your systems at the outset, remember the motto: “Threat Modeling: The sooner the better, but never too late.”

Let’s walk through how to get started. Read more “How to Create a Threat Model for Cloud Infrastructure Security”

3 Questions to Ask When You’re Ready to Operationalize Your Security

AWS Security, Budgeting and Buying Tips, Security Research & Strategy
4 Min Read

New global data from Checkmarx reveals that 92 percent of organizations struggle to implement security into DevOps — even though they say they want to. The heart of this issue is the common misconception that security slows things down, which leads to the common practice of skipping security measures in an effort to get things done.

While this approach may seem to create a payoff in terms of productivity, any gains are short term at best and are always offset by the fact that the company is at greater risk for a breach.

But the truth is, speed and security are not mutually exclusive, and you can effectively integrate security into operations throughout your organization if you follow SecOps best practices.

With that in mind, we’ll use this post to walk through the three major questions your organization must ask as it moves toward operationalized security.

Before diving into the post, however, take a look at details on our upcoming webinar — “How to Spend Your Security Budget in a DevOps World.” Read more “3 Questions to Ask When You’re Ready to Operationalize Your Security”

Security Budgeting Considerations for Containers

AWS Security, Budgeting and Buying Tips, Containers, Orchestration & Security
3 Min Read

When it comes to managing SecOps, you must consider all the risks at hand, as well as how you can address them. Many of today’s SecOps teams are using containers for development, but this also opens organizations up to a variety of new risk factors.

To mitigate these risk factors, organizations need to ramp up their security budgets. After all, it’s expensive to hire the best SecOps professionals and purchase best-in-class tools to manage cybersecurity.

We recently published The State of Security Budgeting in 2018, which details the results from a survey of 300 technical, operations, compliance, and security professionals in North America, across a variety of industries. Of the organizations that responded, 37% had cloud infrastructure workloads that were container-based. The survey results point to many important budgetary considerations, particularly when it comes to containers. Here’s what you need to know. Read more “Security Budgeting Considerations for Containers”

How to Cope With the Security Talent Shortage in SecOps

AWS Security, Budgeting and Buying Tips, Security Research & Strategy
3 Min Read

Security budgets are rising, but are they helping with challenges caused by the security talent shortage? This post offers insights from our recent security budgeting survey and shares ideas on how to deal with the security talent shortage in SecOps.

Before diving into the post, however, take a look at the following details on our upcoming webinar — How to Spend Your Security Budget in a DevOps World.
Read more “How to Cope With the Security Talent Shortage in SecOps”

3 SecOps Culture Hacks You Should Embrace Today

AWS Security, Dev & DevOps Knowledge, Security Research & Strategy
3 Min Read

All types of organizations are embracing DevOps as a way to deliver work quickly and reliably. However, security sometimes falls by the wayside in favor of the desire to move fast. In fact, a recent Threat Stack survey shows that 52% of companies admit to sacrificing security for speed.

As a result, Security, Development, and Operations teams often remain deeply siloed, causing security to be treated as an afterthought and placing teams in constant “reactive mode” — which exposes the organization to unnecessary risk. Our recent survey of Development, Operations, and Security professionals spells out a few of the key issues:

  • Security is siloed. At 38% of organizations, security is a completely separate team that is only brought in when needed.
  • Developers can’t code securely. 44% of developers aren’t trained to code securely. Without this basic ability, code is often written without security in mind, and this causes security to become a disruptive bottleneck when it must inevitably step in and intervene.
  • Operations doesn’t have security training. 42% of operations staff admit that they are not trained in basic security practices — meaning they can’t configure servers securely, and they do not see deploying securely as part of the configuration management process.

Ultimately, people and processes make up the foundation of every business transformation. SecOps is no different. Change can be difficult, but operationalizing cloud infrastructure security can help you reduce security incidents, ensure compliance, and innovate without sacrificing security or speed.

Below, we’ll walk through three of the cultural changes that need to take place at your organization to encourage people to embrace SecOps as they pursue innovation, speed, and scale. Read more “3 SecOps Culture Hacks You Should Embrace Today”

A Deep Dive Into Secrets Management

AWS Security, Containers, Orchestration & Security, Dev & DevOps Knowledge, Security Research & Strategy
7 Min Read

There’s a lot to think about when it comes to working with containers, Kubernetes, and secrets. You have to employ and communicate best practices around identity and access management in addition to choosing and implementing various tools. Whether you’re a SecOps professional at a startup, small business, or large enterprise, you need to make sure you have the right tools to keep your environments secure.

Recently, we sat down with Stenio Ferreira, Senior Solutions Engineer at HashiCorp. Armed with a degree in computer science and experience as a Java developer at a variety of companies, including IBM, Stenio migrated into a consulting role where he advised clients who wanted to start continuous integration / continuous delivery (CI/CD) pipelines and improve their automation workflow. That’s where he was exposed to HashiCorp, his current company.

According to Stenio, a secrets management solution is a must — and there are various reasons to use one (such as centralized authentication). Stenio explained the services offered at HashiCorp, and shared his perspective on containers, Kubernetes, open source solutions, and Vault. Read more “A Deep Dive Into Secrets Management”

Container Security: Winter is Coming — Dress in Layers!

Containers, Orchestration & Security, Security Research & Strategy
5 Min Read

Recently I had the pleasure of joining hundreds of DevOps pros, IT managers, and security engineers at the first ever Container Security event at LEGOLAND. Attendees discussed the newest technologies, scariest threats, and biggest trends in the evolving world of container security. If you weren’t lucky enough to be a part of the fun, here’s a quick recap of what Threat Stack’s Director of Product, Todd Morneau, spoke about. Read more “Container Security: Winter is Coming — Dress in Layers!”

5 SecOps Processes to Try Today

AWS Security, Security Research & Strategy
3 Min Read

DevOps has enabled businesses to bring products to market faster than ever before. But what about security?

In our recent survey, Refocusing Security Operations in the Cloud Era, 36% of businesses said their top IT goal over the next year is to respond to business needs faster. Conversely, only 10.5% prioritized improving security as their top goal.

There is a misconception that businesses can’t move both quickly and securely. But with SecOps best practices, businesses can move away from the ad hoc, reactive tactics that slow things down, and replace them with repeatable processes that effectively support teams and products. Let’s explore. Read more “5 SecOps Processes to Try Today”