Tag: devops

I was chatting recently with a coworker who had just returned from a DevOpsy-focused conference. She mentioned she had met a woman whose entire role was focused on finding “lost” cloud instances (that is, virtual servers running in a public or private cloud network). Her entire job is just to find those instances and get…


In part 1 of this blog series, we explored how to use delayed response and diversion as hack back tactics against attackers. Here, we up the game and explore some additional creative deception techniques.

Potemkin Apps

Back in 1787, the Empress Catherine II of Russia was touring the newly acquired Crimea via a barge trip…


The discovery of a significant container-based (runc) exploit sent shudders across the Internet. Exploitation of CVE-2019-5736 can be achieved with “minimal user interaction”; it subsequently allows attackers to gain root-level code execution on the host. Scary, to be sure. Scarier, however, is that the minimal user interaction was made easier by failure to follow a…


This move to container-based development and agile methodologies has been great for innovation and iteration, but it’s also brought a massive shift in the application landscape with real impact on security teams. In just the past year or two, DevOps has become much more mature. Today we need to understand risks and implement controls not…


Then there are the technical questions that need to be answered. What data will be captured, shared, and processed? What mobile platforms will the app run on? What server-side platforms will it need to talk to? Internal platforms? Third-party services? You also need to dig into the questions of expectations and dependencies. How important will…


In part one, we laid out how we should react when our organization tells us they want to roll out a mobile app. Short answer: don’t say no, but instead ask lots of questions. After that, we built a threat model that includes the mobile-specific twists on traditional IT security problems. Using this model, we…


We’re finishing up our series on what to do when your organization tells you they want to roll out a mobile app. In part one, we asked lots of questions so we could do a thorough risk and requirements analysis. In part two, we used that information to define security requirements and ensure that we…


Applications have become the infrastructure of the internet. They are in everything from phones to thermostats, cars to power grids. And for every digital transformation enabled by apps, the application itself is a primary target, along with the business logic it supports and all its underlying data. For one thing, an app isn’t just an…


Do All the Things

IT folks face a grand challenge. They’re being pushed more than ever to secure more services faster, with fewer resources. Applications are now more critical than ever. And apps now need to be available 24×7 everywhere. On top of that, they need to be more responsive to changes, faster, and able…
