If I Had to Do It Over Again, Part 2
- by nlqip
We wrote an article recently asking security leaders to talk about their past failures and the lessons they wanted to pass on to others. We called it If I Had to Do It Over Again, and our readers really liked it. A number of folks approached me wanting to tell their stories as well, so we’re doing a Part 2. Without any more preamble, here are their contributions, in their own words.
It’s Never Fire and Forget
Sara Boddy, Director, F5 Labs
One of my biggest wins was also one of my biggest failures. After years of battling the business (including Dev, QA, and DevOps teams for each primary web property, as well as their GMs), we finally got a WAF deployed! We got to a state of maturity where we would see an attack coming and could tweak a config to block it. Everyone felt proud and confident that the control was working.
Until one day we were dealing with a compromised site that was supposed to have been protected by the new WAF. It turned out, the business had deployed a new set of virtual servers and forgot to apply the WAF policy to them. The DevOps team had administrative rights in Puppet that controlled whether the WAF config was applied, and they regularly turned it off in testing.
Source link
lol
We wrote an article recently asking security leaders to talk about their past failures and the lessons they wanted to pass on to others. We called it If I Had to Do It Over Again, and our readers really liked it. A number of folks approached me wanting to tell their stories as well, so…
Recent Posts
- Windows 10 KB5046714 update fixes bug preventing app uninstalls
- Eight Key Takeaways From Kyndryl’s First Investor Day
- QNAP pulls buggy QTS firmware causing widespread NAS issues
- N-able Exec: ‘Cybersecurity And Compliance Are A Team Sport’
- Hackers breach US firm over Wi-Fi from Russia in ‘Nearest Neighbor Attack’