Tag: CISO

As the Chief Information Security Officer at F5, it is my pleasure to welcome you to F5 Labs’ CISO to CISO section. This is an arena for frank and transparent discussions on all aspects of running an information security program. We’ll discuss topics like technical guidance on mitigating specific risks, as well as broader perspectives…

Then there are the technical questions that need to be answered. What data will be captured, shared, and processed? What mobile platforms will the app run on? What server-side platforms will it need to talk to? Internal platforms? Third-party services? You also need to dig into the questions of expectations and dependencies. How important will…

In part one, we laid out how we should react when our organization tells us they want to roll out a mobile app. Short answer: don’t say no, but instead ask lots of questions. After that, we built a threat model that includes the mobile-specific twists on traditional IT security problems. Using this model, we…

We’re finishing up our series on what to do when your organization tells you they want to roll out a mobile app. In part one, we asked lots of questions so we could do a thorough risk and requirements analysis. In part two, we used that information to define security requirements and ensure that we…

In many organizations, building and securing apps has typically been a siloed affair. The product owner, the network engineer, the developer and the security engineer all come from different teams. And all too often, these teams become fiefdoms that believe their focus is the company’s primary objective. Today with Agile and DevOps moving faster and…

Security in the cloud has always followed a shared responsibility model. What the provider manages, the provider secures. What the customer deploys, the customer secures. Generally speaking, if you have no control over it in the cloud, then the onus of securing it is on the provider. Serverless, which is kind of like a SaaS-hosted…

A vast majority of organisations have no visibility into encrypted traffic, nor do they have protection against automated attackers. In Mary Meeker’s most recent Internet Trends report, the numbers show that in the first quarter of 2019, 87 per cent of global web traffic was encrypted, up from 53 per cent just three years ago.…

The way we build, provision, maintain and secure apps continues to evolve. As agile development practices put pressure on operations, organizations move to DevOps where both functions are synchronized. This in turn puts pressure on the app security organization, and so we see more companies today adopting a DevSecOps model. At the same time, the…

Looking at cloud breaches over the last few years, it’s easy to get the impression that most were easily avoidable events that occurred due to silly misconfigurations, ugly failure modes, or borderline negligent architectures. To put it bluntly, these cloud breaches look stupid. But the people and the organizations designing and running these systems—both the…

Applications have become the infrastructure of the internet. They are in everything from phones to thermostats, cars to power grids. And for every digital transformation enabled by apps, the application itself is a primary target, along with the business logic it supports and all its underlying data. For one thing, an app isn’t just an…