If I Had to Do It Over Again, Part 2
- by nlqip
We wrote an article recently asking security leaders to talk about their past failures and the lessons they wanted to pass on to others. We called it If I Had to Do It Over Again, and our readers really liked it. A number of folks approached me wanting to tell their stories as well, so we’re doing a Part 2. Without any more preamble, here are their contributions, in their own words.
It’s Never Fire and Forget
Sara Boddy, Director, F5 Labs
One of my biggest wins was also one of my biggest failures. After years of battling the business (including Dev, QA, and DevOps teams for each primary web property, as well as their GMs), we finally got a WAF deployed! We got to a state of maturity where we would see an attack coming and could tweak a config to block it. Everyone felt proud and confident that the control was working.
Until one day we were dealing with a compromised site that was supposed to have been protected by the new WAF. It turned out, the business had deployed a new set of virtual servers and forgot to apply the WAF policy to them. The DevOps team had administrative rights in Puppet that controlled whether the WAF config was applied, and they regularly turned it off in testing.
Source link
lol
We wrote an article recently asking security leaders to talk about their past failures and the lessons they wanted to pass on to others. We called it If I Had to Do It Over Again, and our readers really liked it. A number of folks approached me wanting to tell their stories as well, so…
Recent Posts
- Hackers Exploit Default Credentials in FOUNDATION Software to Breach Construction Firms
- How to reduce cyber risk during employee onboarding
- Germany seizes 47 crypto exchanges used by ransomware gangs
- Police dismantles phone unlocking ring linked to 483,000 victims
- Ahead Adds Former Google Cloud VP To Board To ‘Fuel’ AI, Hybrid Cloud