Daily digest for Security Boulevard, on January 28, 2022
IndusfaceCMS posted: Data has become a valuable possession since the boom of technology for the past decade. Massive amounts of data are stored every day in every sector for various reasons. Though all the information collected through various methods is used to create an eas…
Enzoic posted: Data Privacy Day is a chance for businesses to engage with their customers and clients in a way that builds trust, inspires customer loyalty, and enhances the business's reputation. When an organization demonstrates that they care about protecting consumers' privacy, they are in effect letting clients know that their information, data, and choices are safe with the business. In 2022, this…
Lindsey Stalnaker posted: The White House is following up with a new cybersecurity directive to further improve the security posture for federal agencies. The memo strongly encourages the adoption of zero trust architecture as a way to ensure that, in the process of securing their software landscape, federal…
Jeffrey Starr posted: Cybertechnology has always been an issue in the drone industry, but its reach is expanding and evolving in multiple dimensions. Traditional cybersecurity concerns in the drone world referred either to the vulnerability of drone data and operations to cyberattacks, or the role that drones played in perpetrating cyberattacks themselves. But a new challenge has appeared, […]
Fortinet All Blogs posted: Least privilege is one of the key tenets of the zero trust security model, which assumes nothing and no one should be trusted until proven otherwise. Learn how to keep your users, devices, and resources secure no matter where they may be located.
brooke.crothers posted: White House Wants to Expedite Efforts on Writing Secure Code (Thu, 01/27/2022 - 17:47). Open source software security is critical. The White House Software Security Summit brought together officials from various government agencies that deal with national security and technology, like Deputy National Security Advisor Anne Neuberger and National Cyber Director Chris Inglis.
Ameesh Divatia, CEO and co-founder, posted: From a funding standpoint, 2021 was a banner year for cybersecurity startups. Through Q3 alone, new companies netted more than $14 billion in venture capital investments, nearly doubling the record of $7.8 billion in 2020. The need for stronger security has also appealed to, among others, the federal government. Last August, President Joe Biden hosted…
Michael Santarcangelo posted: How do you make progress when overwhelmed? Most of us have more than enough work, including conflicting and competing priorities. We know each day we need to face the unholy trinity of chaos, friction, and resistance. Guaranteed the 'Tyranny of the Urgent' shows up, too. Don't forget the endless meetings and constant distractions. We still […]
amy posted: Social media fraud and the phishing that accompanies it endanger business security in 2 ways that you might not be expecting. The post "2 Ways That Social Media Fraud Hurts Business Security" appeared first on ID Agent.
The ShiftLeft Team posted: An overview of threats and best practices in all stages of software development in the cloud.
The future of application security is in the cloud. Software development and application deployment continue to move from on-premise to various types of cloud environments. While the basics of application security (AppSec) carry over from on-premise, the cloud introduces new areas of complexity and a new set of requirements.
AppSec best practices for the cloud are somewhat different from standard AppSec best practices. Cloud applications tend to be more segmented into different services and are more likely to use other cloud services, delivered via API, to compose application functionality. AppSec teams may need to coordinate with security and ops teams from cloud service providers (CSPs) to ensure proper coverage and to adapt cloud-specific best practices. This blog covers AppSec cloud best practices and offers a basic framework on how to think about cloud AppSec.
A Quick Definition of Cloud AppSec
Cloud application security is the discipline of securing application code running in public, private, or hybrid cloud environments. Logically, this means threat modeling for cloud environments and deploying tools and controls to protect applications running in the cloud.
It also involves creating policies and compliance processes that may be different from traditional application security practices used for legacy on-premise application deployments. More specifically, traditional security for applications has focused on the network and infrastructure layer. In the cloud, because applications tend to be more accessible to third parties via API and incorporate third-party code and services, more care must be taken to secure the application code and application environment itself.
Why Cloud AppSec is Shifting Left
For cloud applications, software development is more likely to involve rapid iterations pushed through Continuous Integration / Continuous Deployment (CI/CD) pipelines. This dynamic is causing security to "shift left" with developers increasingly responsible for writing secure code and DevOps teams responsible for testing code with security tooling prior to code submission. For this reason, the AppSec team has an expanded role in defining cloud security best practices but also teaching developers and DevOps teams how to better secure applications at the code and CI/CD pipeline stages.
Cloud Responsibilities: Who Owns What
It is critical that AppSec teams understand and plan for their level of responsibility in guarding applications. The different types of cloud environments determine who is responsible for security. In a private cloud, the organization owns full responsibility for the full stack.
For applications running in public cloud service provider (CSP) environments like Amazon Web Services, Microsoft Azure, and Google Cloud, responsibility for application security starts at the operating system layer. That said, AppSec teams should still factor in the risk of compromise of lower layers of the CSPs' multi-tenant environment.
For Platform-as-a-Service offerings like RedHat OpenShift or Heroku, security teams are primarily responsible for security of the application code and data.
For SaaS applications, AppSec teams do not need to be involved as full responsibility is on the vendor. The only exception is if a SaaS application integrates directly into a cloud application, in which case the AppSec team must be mindful of the risks of this integration and apply controls against those risks, e.g., data loss protection or payment gateway abuse. The reality is that in an era of microservices and APIs, application security rarely stops at the application or cloud edge.
What Threats Do Cloud Applications Face?
Cloud applications face the same threats as on-premise applications plus several additional risk types. The list of threats that AppSec teams must guard against includes:
Forced or Insider Unauthorized Access: Malicious parties accessing cloud applications to corrupt functionality or steal data
Account Takeover: Attackers using stolen credentials, brute force or social engineering to gain access to and take control over cloud application accounts
Misconfigurations and Inadvertent Exposure: Cloud applications have complex policy and security configuration requirements. As we have moved to self-service provisioning of cloud resources for application development, the burden of properly configuring all resources has fallen to developers, resulting in more instances of misconfigurations and inadvertent exposure of internal data or code.
Unauthorized or Accidental Secret Leaks: Cloud applications and infrastructure leverage so-called "secrets" — shared credentials or other means that are used to access secure resources. Secrets are often the target of attackers, and development teams often inadvertently expose secrets when they leave them hard-coded in repositories or in manifests for configuration files (YAML, etc.).
API Abuse and Attacks: Cloud applications invariably have APIs that are exposed to the public Internet or to partners, third parties or external services. Attackers target APIs to exfiltrate data or conduct fraud. Because APIs are designed to be interfaces, they are often more lightly defended. APIs are generally harder to secure without impacting actual user or customer performance.
Distributed Denial of Service: Massive flows of data and requests can cause service interruptions and take cloud applications offline. This can often be an indirect result of attacks either on CSPs or on other applications living in a multi-tenant infrastructure.
Supply Chain Attacks: Cloud applications rely heavily on the software supply chain and are constantly at risk of corruptions to this supply chain. These risks are present in third-party code and APIs included in application code, in the CI/CD pipeline where external tools are used for security and formatting checks, and in production when applications rely on third-party services to deliver application functionality.
A Quick Guide to AppSec Cloud Best Practices
For best results, think about your cloud AppSec practice as segmented into stages. The first stage, application development, requires a certain set of best practices. The second stage, formal application security, requires an overlapping but slightly different set of practices. The third stage, DevOps and production, requires yet another overlapping set of practices. The three stages do tend to blend together in rapidly iterating application development organizations but this remains a useful guide to building a cloud AppSec best practices playbook.
Cloud AppSec at the Development Stage
For developers responsible for "shifting left" application security, key considerations and best practices include:
Writing secure code and learning secure coding practices. This ranges from training on how to write secure code
Scheduling frequent code reviews. This is already a given but it stands to be emphasized considering that cloud application code tends to ship more frequently, making timely reviews more of a challenge.
Running all code through linting, formatting, exposed-secret and other basic checks. This should be done frequently, even during development prior to submission, and at a minimum as a precondition for submission.
Running software composition analysis (SCA) or static application security testing solutions (SAST) against code before submission. This is common in mature products and services for enterprise clients who demand secure software. It is increasingly common across all software development initiatives as threats at the application layer increase, and as organizations shift security responsibility to the left.
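One concrete form of the exposed-secret check listed above, aimed at the leak pattern the threat list describes (credentials hard-coded in repositories or YAML manifests). This is an added example, not ShiftLeft's tooling; the regexes, thresholds and sample inputs are my own and every value in the samples is constructed.

```python
# Added example (not ShiftLeft's or any vendor's tooling): a pre-submission
# scanner for credentials left literally in source, YAML or .env manifests.
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Key names that commonly carry credentials.
SENSITIVE_WORD = re.compile(
    r"password|passwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key", re.I)
# `key: value` (YAML) or `KEY=value` (.env); the value must be non-empty.
KEY_VALUE = re.compile(r"^\s*-?\s*(?P<key>[A-Za-z0-9_.-]+)\s*[:=]\s*(?P<value>.+?)\s*$")
# Kubernetes-style env entry `- name: X`; its `value:` sits on the next line.
ENV_NAME = re.compile(r"^\s*-\s*name:\s*(?P<key>[A-Za-z0-9_.-]+)\s*$")
# Token shapes with fixed prefixes: AWS access key IDs and GitHub PATs.
KNOWN_PREFIXES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]
# Indirections and dummies (env interpolation, templates, <refs>, changeme):
# the ways a secret *should* reach a manifest, so they are not findings.
PLACEHOLDER = re.compile(
    r"^(\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|<[^>]*>|\{\{.*\}\}|changeme|todo|example|x{3,}|null|~)$",
    re.I)

@dataclass
class Finding:
    line_no: int
    kind: str
    key: str
    redacted: str  # never echo the full candidate secret into CI logs

def shannon_entropy(s: str) -> float:
    # Bits per character: random tokens score high, dictionary words low.
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def redact(value: str) -> str:
    return value[:4] + "..." if len(value) > 4 else "****"

def looks_like_secret(value: str, min_entropy: float) -> bool:
    if PLACEHOLDER.match(value) or value[:1] in "{[":  # flow mapping/list = structure
        return False
    return len(value) >= 8 and shannon_entropy(value) >= min_entropy

def scan_text(text: str, min_entropy: float = 3.0) -> List[Finding]:
    findings: List[Finding] = []
    pending_env: Optional[str] = None  # sensitive `- name:` awaiting its `value:`
    for n, line in enumerate(text.splitlines(), start=1):
        code = line.split(" #", 1)[0].rstrip()  # drop inline comments
        if not code.strip() or code.lstrip().startswith("#"):
            continue
        kv = KEY_VALUE.match(code)
        key = kv.group("key") if kv else ""
        if key == "value" and pending_env:
            key = pending_env
        hits = [(kind, p.search(code)) for kind, p in KNOWN_PREFIXES if p.search(code)]
        if hits:  # 1. a fixed-prefix token anywhere on the line
            findings.append(Finding(n, hits[0][0], key, redact(hits[0][1].group(0))))
            pending_env = None
            continue
        env = ENV_NAME.match(code)
        if env:  # 2. remember a sensitive env name for the following `value:` line
            pending_env = env.group("key") if SENSITIVE_WORD.search(env.group("key")) else None
            continue
        if kv:  # 3. a literal under a sensitive key
            value = kv.group("value").strip("'\"")
            if SENSITIVE_WORD.search(key) and looks_like_secret(value, min_entropy):
                findings.append(Finding(n, "literal-under-sensitive-key", key, redact(value)))
        pending_env = None
    return findings

# Constructed sample inputs; every value below is fake.
SAMPLE_MANIFEST = """\
env:
  - name: DB_PASSWORD
    value: "s3cr3tP@ssw0rd!"      # literal credential committed to the repo
  - name: AWS_ACCESS_KEY_ID
    value: AKIAEXAMPLEEXAMPLE00   # has the access-key-ID shape
  - name: API_TOKEN
    value: ${API_TOKEN}           # injected at deploy time: fine
  - name: SESSION_SECRET
    valueFrom:
      secretKeyRef: { name: api-secrets, key: session }
"""
SAMPLE_ENV = "SMTP_PASSWORD=changeme\nGITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"

if __name__ == "__main__":
    for f in scan_text(SAMPLE_MANIFEST) + scan_text(SAMPLE_ENV):
        print(f"line {f.line_no}: {f.kind} ({f.key}) -> {f.redacted}")
```

Wired into a pre-commit hook or a pipeline step, a non-empty result fails the submission while the log shows only the redacted prefix.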
Cloud AppSec at the Pre-Deployment / App Security Stage
AppSec teams often conduct their own security reviews on top of existing efforts by development teams. As advanced security practitioners, AppSec teams should apply a broad range of security measures and best practices more appropriate to a discrete security discipline. Specifically, AppSec, working with the network security and operations teams, should put in place, or at least verify and help configure, solutions for the following:
Threat modeling and threat monitoring: Part of the role of AppSec teams is to identify the most important security risks and prioritize controls and configuration setting to address those risks. This is sometimes called threat modeling and risk-based management. AppSec teams also should work closely with security operations teams to monitor for Indicators of Compromise or other signs that a threat is active and dangerous.
Automated security testing: This should include SCA, SAST and sometimes DAST. In addition, AppSec teams should apply the same linting and formatting checks to code as well as fuzzing, when appropriate and when properly resourced.
Role-based and Identity-based access management: This should limit the ability of unauthorized parties to access cloud application components and services, and to deploy application code or push code through CI/CD pipelines without proper authorization.
Data and traffic encryption: AppSec teams need to ensure that all sensitive data is encrypted in storage and while moving through the application business logic. AppSec teams working on microservice deployments may also be tasked with ensuring that traffic is encrypted; in Kubernetes and microservice environments, encryption and certificate management becomes the responsibility of developers and, often, the AppSec team.
Policy and privacy compliance: Cloud applications that use sensitive customer data, such as health data or financial account data, have stricter levels of regulatory compliance. They also have greater risk for business and reputational damage if compromised. AppSec teams must put in place and monitor policy engines and controls to validate and enforce policies. This includes privacy regulation compliance to ensure that data is properly used and breaches are properly disclosed.
Application pen testing and other security audits: The AppSec team should periodically execute penetration tests against code as a reality check and insurance policy against configuration or security testing drift and failures.
Cloud AppSec at the DevOps Stage
DevOps manages CI/CD solutions and controls application code deployment and lifecycle. DevOps is responsible for implementing any of the elements of AppSec practices that work at the CI/CD level. This may include:
Ensuring code passes security checks and testing prior to deployment: DevOps can apply enforcement policies to the CI/CD pipeline that automatically prevent code from being pushed live unless it is flagged as having passed the proper security checks and tests.
Maintaining the integrity and security of DevOps tooling: DevOps teams are the keepers of this part of the tool chain, which, if exposed or breached, can allow attackers to insert malicious code into applications.
Working closely with the AppSec team to ensure that policies and configuration guidelines are followed: DevOps can help AppSec ensure that best practices are applied prior to code deployment. This reduces risks and emphasizes the proper proactive approach to cloud AppSec. This is particularly important in cloud security, because deployments are so frequent and changes to code and configurations may also be more frequent.
Creating a business continuity plan: As the owner of deployment and infrastructure, DevOps should also create a Plan B and Plan C in case an application is compromised and an outage or unacceptable latency occurs. This can mean planning to move to alternative cloud providers or rolling back to the last known secure version of an application.
Conclusion: Cloud AppSec Best Practices and the Future
Cloud AppSec practices will continue to evolve. What we have detailed here is a starting point. Because cloud and cloud services are changing so rapidly, it is important to review cloud AppSec best practices and playbooks frequently. Just as the lines of responsibility between networking, development and operations have blurred, in cloud AppSec the lines have also blurred. Cooperation between all stakeholders is essential, however.
Responsibility for security is shifting left but the AppSec team remains the quarterback and the ultimate accountable party for ensuring that cloud applications remain safe and performant. Creating a detailed runbook for cloud AppSec and the responsibilities of the different stakeholders will help clarify your cloud AppSec approach and create a practice guide you can follow to continuously evolve and improve your cloud security.
To shift left and get started with cloud AppSec in the development stage, create a free account with a modern static analysis tool. A single scan from ShiftLeft CORE finds vulnerabilities in custom code, CVEs in open-source code, and hard-coded secrets. It is delivered as SaaS so it is easy for DevOps to integrate into your CI/CD and, because it never takes source code off of your servers, it is a safe alternative to on-prem tools.
Ashley Sand posted: If you are wondering why your WordPress site keeps getting hacked, or why you're being targeted by hackers, we've compiled some of the top reasons for you. WordPress is one of the most commonly used Content Management Systems across the modern web. Currently over 445 million websites are utilizing WordPress. With a makeup of over 40% of sites on the web utilizing WordPress to some extent, it's only expected for bad actors to take advantage of its popularity.
Jessica Gonzales posted: In this time of mass adoption of technology and digital media content, Data Privacy Day continues to matter. The event aims to raise awareness and promote privacy and data protection best practices.
Akamai SIRT Alerts posted: Universal Plug and Play (UPnP) is a widely used protocol with a decade-long history of flawed implementations across a wide range of consumer devices. In this paper, we will cover how these flaws are still present on devices, how these vulnerabilities are actively being abused, and how a feature/vulnerability set that seems to be mostly forgotten could lead to continued problems in the future with DDoS, account takeover, and malware distribution.
Marc Handelman posted: Our sincere thanks to Security BSides Dublin for publishing their tremendous videos from the Security BSides Dublin 2021 Conference on the organization's YouTube channel. Additionally, the Security BSides Dublin organization has slated their eponymous Security BSides Dublin 2022 confab at The Convention Centre Dublin (CCD) on 2022/03/19. Just a month and a half away. Enjoy!
Chad Seaman posted: UPnProxy is alive and well. There are 277,000 devices, out of a pool of 3.5 million, running vulnerable implementations of UPnP. Of those, Akamai can confirm that more than 45,000 have been compromised in a widely distributed UPnP NAT injection campaign.
Tally Shea posted: Interested in attending RSA Conference 2022? Sonrai Security is excited to be giving away a full free RSA conference pass to help one security professional further their personal development in cloud security. We look forward to RSA every year, as…
Davi Ottenheimer posted: A nice history angle is provided by the US State Department "share" service in an official embassy post about Russian false flag operations. Russia's false flag operations date back decades and take many forms. In 1939, the Soviet Union shelled its own troops outside the Soviet village of Mainila near Finland. It then blamed Finland… Continue reading "US Embassy in Georgia Explains Russian False Flag Operations".
Lizzie Clitheroe posted: As attacks against digital businesses become more persistent and harder to detect, it's imperative that organizations of all sizes choose the right security and fraud vendors to work with. To fend off these sophisticated attacks, businesses need solutions they can rely on for the utmost accuracy and resilience. That's why the most innovative global companies […]
Team Nuspire posted: The COVID pandemic changed and shaped the way in which people work and, by extension, the information security landscape in which businesses operate. Packed offices gave way to work-from-home (WFH) arrangements. Even reluctant businesses began allowing employees to connect to business networks and apps on personal devices with bring your own device (BYOD) policies. The…
Richi Jennings posted: The Moral of the Story: Zeal should not outrun discretion. In this week's #TheLongView: 1⃣ @Google's #FLoC proposal is dead, 2⃣ @Meta/Facebook is buying #RSC—a huge #AI #supercomputer, and 3⃣ @Arm "will #IPO" instead of selling to #Nvidia. At @DevOpsDotCom: h…
Larry Link posted: With our recent round of funding, we have opened up numerous API security career opportunities around the world, both in-office (Sunnyvale, CA and Cincinnati, OH) and remote. You can review the available API security openings here. But before you do, I thought I would update my 2018 blog on what it's like to work here. […]
Graham Cluley posted: A Canadian man has been handed a three-year prison sentence after being found guilty of buying and selling over 1700 stolen identities on a dark web marketplace. 29-year-old Slava Dmitriev, who went by the online handle of "GoldenAce", bought and sold individuals' personal private information, including social security numbers, on the AlphaBay dark web […]
Pam Lefkowitz posted: Be The Hero. A few years back I was asked to submit a proposal to be the IT provider for a nearby town. Government work wasn't my particular niche. I didn't know the format they preferred (prose or just a list with a dollar figure) and I didn't know how out…
Kevin Beaver posted: When it comes to security oversight, I'm a big proponent of focusing on the things that matter. These are your highest payoff areas – otherwise known as your most urgent vulnerabilities on your most important systems. I learned this concept while studying time management and...
Bruce Lynch posted: As a consumer, you must assume that your personal information is not 100% safe online. Hackers cause data breaches every single day, exposing our email addresses, passwords, credit card numbers, social security numbers and other sensitive personal data in the process. Most people don't think about how serious this is until they are affected personally […]
Keaton Fisher posted: We've all heard the common adage about people being the weakest link in security. Lock your workstation when you step away, don't write your passwords on sticky notes and leave them on your monitor, watch who you're letting into the building - these security awareness programs were designed to mitigate that weak link.
CISO Stories Podcast posted: The locus of control has been slipping away from IT teams (and by default Security teams), and this "challenge" to IT governance has accelerated post-COVID with a more distributed workforce. The security implications of this are significant in that security programs are not typically sized nor funded to deal with one technology approach, let alone two. Scott King, CISO at Encore Capital Group, joins the podcast to discuss strategies to remain agile in the face of rapid change. Check it out...
Ermetic Team posted: For healthcare provider organizations like IntelyCare, moving IT operations to the cloud to properly support remote workers can be a scary proposition. The ever-increasing amount of cyberattacks can cause many sleepless nights for anyone in charge of IT s…
Amazon EMR is a managed cluster platform that simplifies running big data frameworks such as Apache Hadoop and Apache Spark. EMR's service allows a cluster to be launched in just a few minutes without the worry of node provisioning, resizing, scaling, or replacing poorly functioning instances - EMR does it all for us.
In this blog we will examine EMR's default roles and managed policies to understand whether they follow the security best practice of least privilege. When Amazon launched EMR, it provided default managed policies and roles that can be attached to IAM roles, users, or EMR services. The V1 default managed policies and roles are risky, as they provide a wide set of permissions across several other AWS services such as S3 and DynamoDB. Amazon EMR will be deprecating the existing managed policies (V1 policies) in favor of new managed policies (V2 policies). The new managed policies have been scoped down to align with AWS best practices. Once the existing V1 managed policies are deprecated (no estimated date as of yet), it will not be possible to attach them to any new IAM roles or users.
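The kind of least-privilege review the post describes, carried out mechanically over IAM policy documents, as an added example (my own code, not Ermetic's or AWS's). The two policies it audits are constructed to contrast a broad cross-service grant with a scoped-down one; they are not the actual EMR V1 or V2 managed policies, and the account ID and ARNs are placeholders.

```python
# Added example (my own code, not Ermetic's or AWS's): a least-privilege audit
# of IAM policy documents. The two sample policies are constructed to contrast
# a broad grant with a scoped-down one; they are not the real EMR V1/V2 policies.
import json
from dataclasses import dataclass
from typing import Any, Dict, List, Set

READ_ONLY = ("describe", "list", "get")  # verbs that routinely need Resource "*"

@dataclass(frozen=True)
class Issue:
    statement: int  # index into the policy's Statement array
    code: str
    detail: str

def _as_list(value: Any) -> List[Any]:
    # IAM allows a single string or a list for Action/Resource/Statement.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def is_read_only(action: str) -> bool:
    if ":" not in action:
        return False  # a bare "*" is everything, not a read
    return action.split(":", 1)[1].lower().startswith(READ_ONLY)

def audit_statement(stmt: Dict[str, Any], idx: int) -> List[Issue]:
    issues: List[Issue] = []
    if stmt.get("Effect") != "Allow":
        return issues  # Deny statements only narrow access
    actions = _as_list(stmt.get("Action"))
    unscoped = "*" in _as_list(stmt.get("Resource")) and not stmt.get("Condition")
    if "NotAction" in stmt:
        issues.append(Issue(idx, "not-action", "Allow with NotAction grants everything unlisted"))
    for action in actions:
        if action == "*":
            issues.append(Issue(idx, "all-actions", "every API in every service"))
        elif action.endswith(":*"):
            issues.append(Issue(idx, "service-wildcard", action))
        elif action.lower() == "iam:passrole" and unscoped:
            issues.append(Issue(idx, "passrole-unscoped", "any role may be passed to the service"))
    if unscoped and not all(is_read_only(a) for a in actions):
        issues.append(Issue(idx, "resource-wildcard", "mutating actions on '*' with no Condition"))
    return issues

def audit_policy(document: str) -> List[Issue]:
    """Run every statement of a JSON policy document through audit_statement."""
    statements = _as_list(json.loads(document).get("Statement"))
    return [issue for idx, s in enumerate(statements) for issue in audit_statement(s, idx)]

def touched_services(document: str) -> Set[str]:
    """Service prefixes the policy can reach; a cluster role should need few."""
    services: Set[str] = set()
    for stmt in _as_list(json.loads(document).get("Statement")):
        for action in _as_list(stmt.get("Action")) + _as_list(stmt.get("NotAction")):
            services.add(action.split(":", 1)[0] if ":" in action else "*")
    return services

# Constructed policies; the account ID and ARNs are placeholders.
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:Describe*", "ec2:RunInstances", "ec2:TerminateInstances",
               "s3:*", "dynamodb:*", "iam:PassRole"],
    "Resource": "*"}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:DescribeSubnets"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-cluster-logs", "arn:aws:s3:::example-cluster-logs/*"]},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/ExampleClusterInstanceRole",
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}}]})

if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "reaches", sorted(touched_services(doc)))
        for issue in audit_policy(doc):
            print(f"  statement {issue.statement}: {issue.code} ({issue.detail})")
```

Run against a real managed policy fetched with the AWS CLI, the same checks show how many services a role can reach and which statements rely on wildcards.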
Wayne Jackson posted: Heading into the new year, I had the opportunity to reflect on the journey Sonatype has been on for over a decade, and how the industry has changed since we first invented componentized software development and then software supply chain management.