Compilation of Security-related Articles Written for The New Stack

2021

Israeli Cybersecurity Sector Flourishes

Misconfiguration Worries Grow

Errors in how infrastructure, applications and policies are set up can have significantly different impacts, but they all get labeled under the heading of “misconfiguration.”

Digital Certs Key to Securing Open Source Supply Chain, Though Few Devs Use Them

Parler’s Other Security Risk: DNS Denial-of-Service

85% of the top 100,000 Alexa sites critically depend on a single third party for DNS, according to a recent study by researchers at Carnegie Mellon University. Unfortunately, if that provider’s service goes down, the site is vulnerable to DDoS attacks and service outages.

2020

Container Security on Amazon Web Services

InfoSec Use of Compliance Tools for Open Source Software

In our recent “Open Source in the Enterprise” survey, among the 500 respondents whose organizations use an open source compliance tool or methodology, 29% agreed that the Information Security function accesses data from the automated tools used for open source compliance. Another 37% answered “Don’t know,” indicating a dramatic lack of visibility between the groups involved in the so-called DevSecOps ecosystem.

Culture, Vulnerabilities and Budget: Why Devs and AppSec Disagree

Bridgecrew: Misconfigured Terraform Modules Are a Security Issue

As many as half of all community-built Terraform modules available for download are misconfigured, opening the path for potential security breaches in infrastructure-as-code-driven systems, according to a new report from developer-focused security vendor Bridgecrew.

Unmaintained Dependencies and Other Ways to Measure CI/CD Security

Integrating Security into the Development Pipeline

Integrating security tools within development pipelines continues to be challenging. Less than 60% of companies with mature DevOps practices have correctly integrated the average security tool, according to the 2020 DevSecOps Community Survey. The figures drop dramatically from there; companies that haven’t embraced the DevOps mantra of cross-team communication are often twice as likely not to have security tools properly integrated.

Don’t Forget Viruses, the Computer Kind

While the anti-virus market is passé and mature, security vendors continue to monitor for new threats and have embraced a broader category, endpoint detection and response (EDR), that combines elements of anti-malware with newer tools providing real-time anomaly detection, forensic analysis and remediation capabilities. Unsurprisingly, EDR is poised for rapid growth.

Problems With Sharing Responsibility for Security

CEOs, boards of directors, DevOps, developers — it seems like everyone is responsible for security except for actual security teams. A review of recent industry studies shows how confusion about job roles is causing potentially damaging conflict.

Insights from 68 People Who Care About AWS Container Security

2019

CrowdStrike and the Nation-State Threat to Cybersecurity: Facts vs. Hype
Nation-state sponsored cyberattacks are far more common than most people think, according to a recently released report commissioned by CrowdStrike. The stats are attention-grabbing and so is the study’s sponsor. Overall, nation-states are threats, but CrowdStrike is overstating the threat.

Integrating Security into Build Processes Signals DevSecOps Tipping Point
The nearly 3,000 technical professionals and executives surveyed for the “2019 State of DevOps Report” believe that integrating security into build processes positively impacts a company’s security posture. Yet adding “security” to testing and deployment also increases friction between security and developer teams.

Capital One’s Cloud Misconfiguration Woes Have Been an Industry-Wide Fear
Misconfigurations have long been the top cloud security concern. A new StackRox survey of IT decision-makers supports this finding.

Organizations Running on More Clouds Less Likely to See Security Threats
Several approaches aim to address the complexity of managing the security of multiple cloud environments, but one metric actually shows security improvement for organizations with more cloud providers.

Monitoring Concerns Hamper Hybrid, Multicloud Deployments
For the last ten years, security and lack of control have been among the top reasons not to use a public cloud provider. Despite many legitimate concerns, two recent vendor-sponsored surveys show the cloud providers’ capabilities are often not the key challenge to increased adoption.

Security Integration Throughout Software Development Lifecycle Is a Pipe Dream
Risk and vulnerability management is the top reason to implement security throughout the software development lifecycle (SDLC), but the second most common reason is improving code quality, according to the DevSecOps Community Survey 2019. However, this does not appear to be enough motivation to integrate security automation into the development process.

Open Source Maintainers Want to Reduce Application Security Risk
Just because they care about security does not mean developers have the time or ability to address all your infosec vulnerabilities.

Information Security Spending: Don’t Be Fooled by Overconfidence
Recent budget increases do not mean that security threats have been mitigated enough. There is a risk that funding will decelerate. In fact, a survey published after I wrote this piece found that “only” 55% expect cybersecurity budgets to increase vs 64% that said the same thing in the prior year’s report.

Security Worries Rise as Container Adoption Increases
Infosec pros were often not consulted before container adoption occurred.

2018

Reality Check on Automated Security Testing
Limited automation and ineffectiveness are two problems facing the application security testing market.

DevOps Security Needs More Tooling
DevOps teams are involved with security but they need to do more.

SecOps Spends Its Days Monitoring
Given the shortage of information security professionals, it is concerning that only 45% of respondents said their job experience was meeting their expectations.

2017

Developers Care About Security, but the Infosec Team Cares More
60% of a developer-focused survey said that release schedules have overridden security concerns at their organization.

2016

A Scan of the Container Vulnerability Scanner Landscape
Container registries and vulnerability scanners are often bundled together, but they are not the same thing.