CYBRIC CTO and Co-founder Mike Kail and I connected to discuss DevSecOps. First, Mike tells us what DevSecOps is and why we need it. We talk about the advantages and disadvantages (although we couldn’t really think of any compelling disadvantages) of changing the corporate culture of DevOps to include security. DevSecOps is really fixing the corporate mindset to include security in all facets of operations. It puts forth the radical notion that security is everyone’s responsibility. And, although I’m being a bit sarcastic with that previous comment, I do believe that for some companies and some individuals this notion of everyone owning security is radical.
It shouldn’t be. Security affects us all. It affects us to the tune of $16+ billion in losses due to credit card fraud and identity theft. And that number grows every year.
Listen to the podcast for more details on DevSecOps and how you can help change the culture at your company to make security a priority for everyone.
Length: 16:52 mins. Format: MP3. Rating: G for all audiences and venues.
Copyright 2018 The SecurityNOW Podcast Show. License: CC BY.
Preston and I discussed the new NIST password guidelines with our regular guest, Richard Henderson of Absolute. In this podcast, we cover the guidelines and what they might mean to you, especially if you’re a web application developer. If you’re not a developer, you might still have an opinion as a user. The new guidelines are a very positive step forward for government agencies and for private ones as well. Password security has been taken for granted for too long but can no longer be ignored. Security experts can spout all the best practices that they can think of, but those best practices are only good if they’re put into practice.
We also discuss the costs that might arise from retrofitting current applications vs. tackling the problem from the beginning. Richard has some very important insights to consider when going forward with these guidelines.
Length: 28:20 minutes. Format: MP3. Rating: G for all audiences.
Passwords, they used to say, are like toothbrushes: don’t share them and change them often. Indeed, that rule is still true, but security is more than just changing your passwords often and keeping them to yourself. Passwords, unfortunately, are our first line of defense in protecting our online accounts, our identities, and our transactions. Passwords should be as long and as complex as possible, which is why you should use a password manager such as LastPass. LastPass will generate a random, long, and complex password that you don’t have to remember because it remembers them for you. There are only two things you have to remember when you use LastPass: the LastPass master password, and to log off of LastPass before you leave your computer.
And since passwords aren’t your only defense in this cyber-connected and unsafe world, I’m providing a list of tips to help keep you safe and secure during your online excursions. Read and heed.
Use the screen lock feature of your phones, tablets, and computers.
Use a random non-guessable passcode for unlocking screens.
Use a password manager.
Use different passwords for each online account (saved in your password manager).
Install all hardware and software updates as they’re presented.
Only install apps from the app store and only those that have many good reviews.
Turn off tracking from your apps.
Use a VPN or your cellular network in public places.
Keep phone conversations private.
Perform online banking in private.
Use two-factor authentication on social media and financial sites.
Cover your device when entering passwords.
I know these are tips that you read and hear all the time, but you need to remember them at all times. There is no trusted public environment, and a secured WiFi connection is no guarantee of security. Anyone can set up a WiFi connection and supply a common password to it.
If you ever have questions about cybersecurity, use our contact page to ask your questions. We will reply.
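The post above says passwords should be as long and as complex as possible and that a password manager should generate them. The following added example (not code from the original post, and not LastPass’s own code) shows the two ideas in working Python: generating a password from the operating system’s cryptographic random source, and measuring its strength in bits of entropy. It goes slightly beyond the post by comparing policies, which shows that length contributes more than character-set complexity. The character set and the lengths compared are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumed character set: the same letters, digits and punctuation a
# typical password manager draws from (52 + 10 + 32 = 94 symbols).
CHARSET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, charset: str = CHARSET) -> str:
    """Return a password of `length` symbols drawn uniformly from `charset`.

    `secrets` uses the OS CSPRNG; never use `random` for this purpose,
    because its output is predictable from a small sample.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(charset) for _ in range(length))


def entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy of a uniformly random password.

    Each symbol carries log2(charset_size) bits, so a password of
    `length` symbols carries length * log2(charset_size) bits in total.
    """
    if length < 1 or charset_size < 2:
        raise ValueError("need at least one symbol from an alphabet of size >= 2")
    return length * math.log2(charset_size)


def compare_policies() -> dict:
    """Entropy of a few illustrative (assumed) password policies.

    Demonstrates that a long password from a small alphabet beats a
    short password from a large one: 16 lowercase letters carry more
    entropy than 8 symbols drawn from all 94 printable characters.
    """
    return {
        "8 chars, full 94-symbol set": entropy_bits(8, len(CHARSET)),
        "16 chars, lowercase only": entropy_bits(16, len(string.ascii_lowercase)),
        "20 chars, full 94-symbol set": entropy_bits(20, len(CHARSET)),
    }


if __name__ == "__main__":
    pw = generate_password(20)
    print(f"generated: {pw}")
    print(f"entropy:   {entropy_bits(len(pw), len(CHARSET)):.1f} bits")
    for policy, bits in compare_policies().items():
        print(f"{policy:30s} {bits:6.1f} bits")
```

The entropy figure assumes the password is truly uniform over the alphabet, which is exactly what a manager-generated password gives you and what a human-chosen “complex” password does not; that gap is the reason the post recommends letting the manager generate them.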
I’m a big fan of surveys. I’m a fan because numbers are easy to digest. I like to see, at a glance, the results of opinion surveys to see how well they correspond with my own opinions. Rarely do I differ from the norm in security surveys. This one is no exception. I think we all feel overwhelmed and surprised that everyone else feels overwhelmed and surprised by malware, mobile threats, APTs, data loss, insider threats, and other security breaches and thefts.
Check Point surveyed more than 1,900 IT Security personnel. Check Point, for those of you who don’t know, is one of the first security companies to offer an intelligent firewall solution. In fact, for the past 25 years, Check Point has been the “Go To” firewall solution for companies across the world.
Check Point released its 2017 Cyber Security Survey. Here are a few data points highlighted in the survey:
A poll of 1900+ IT Security experts reveals…
Slightly more than one-third (35%) either feel Extremely Confident or Very Confident with their organization’s security posture. More interestingly, that means nearly 65% are not confident; these organizations continue to remain vulnerable to security breaches.
81% feel their organization currently has security concerns as it relates to adopting public cloud computing.
64% said Data Leakage and Data Loss were their primary mobile security concern related to BYOD (Bring Your Own Device).
68% said Malware Protection is their key capability required for an effective Mobile Threat Management solution.
Of all the recent security surprises, I’m not surprised that almost two-thirds of the survey’s respondents are not confident in their organization’s security posture. I think that mobile threats are actually less of a problem than people think. The problem with mobile devices is not necessarily malware or hacking, but data exfiltration. Mobile Content Management prevents data exfiltration, and file-level auditing is a good deterrent as well.
Preston and I interviewed Twistlock CEO Ben Bernstein about his company’s approach to container-based security from a new perspective known as intent-based security, which also has us rethinking application security. Ben gives us an overview of intent-based security and a detailed explanation of why a new perspective is important to application security.
Ben’s concept of intent-based security is evolving not only the way organizations build applications as DevOps adoption, and with it container adoption, continues to rise, but also the approach to application security, so that it addresses fundamental questions of application intent.
Why it is so difficult for IT, security and dev teams to look at an app and deduce intent
Why attacks on the application layer are harder to detect than the network layer and more difficult to contain
How to effectively add security to a container-based implementation of DevOps
Podcast details: Length – 20:55 minutes. MP3 format. G rating for all audiences.
As discussed in the podcast, don’t assume anything about security for your container hosts or your containers. Container hosts must be thoughtfully secured, because if someone compromises your host, he owns your containers. Securing applications and their containers requires more than cursory security tests. You must build your applications with security in mind, and you must also securely build the containers for those applications.