Misconfiguration Worries Grow
Errors in how infrastructure, applications and policies are set up can have significantly different impacts, but they all get labeled under the heading of “misconfiguration.”
Tag: Information security
Digital Certs Key to Securing Open Source Supply Chain, Though Few Devs Use Them
Half of all open source contributors are never encouraged to use digital signatures when making changes to the open source projects they’re involved with according to the “2020 FOSS Contributor Survey.”
Parler’s Other Security Risk: DNS Denial-of-Service
Overall, 40% of websites in a study are critically dependent on just three DNS services — Amazon Route 53, Cloudflare and DNSMadeEasy. That jumps to 72% when including in-direct dependencies associated with certificate authorities (CAs). CAs support HTTPS security and are a standard requirement for today’s website operators.
Container Security on Amazon Web Services
Organizations are not using scanning as much as they could to increase container security. Although 67% use Amazon ECR, only 40% are actually using the container registry’s native capabilities to scan images.
InfoSec Use of Compliance Tools for Open Source Software
In our recent “Open Source in the Enterprise,” of the 500 respondents’ organizations utilizing an open source compliance tool or methodology, 29% affirmatively agreed that the Information Security function accesses data from the automated tools used for open source compliance. Another 37% answered “Don’t know,” indicating a dramatic lack of visibility between groups involved in the so-called DevSecOps ecosystem.
Culture, Vulnerabilities and Budget: Why Devs and AppSec Disagree
As compared to AppSec professionals, developers are significantly less, to believe application security risk at their organization has increased.
Bridgecrew: Misconfigured Terraform Modules Are a Security Issue
44% of the 2,600 modules for Amazon Web Services, Azure and Google Cloud support were misconfigured when Bridgecrew assessed how they match up again CIS benchmarks.
Unmaintained Dependencies and Other Ways to Measure CI/CD Security
I look at five recent studies, with a focus on CI/CD and open source. As always, the analysis goes beyond the press release-based reporting you may have read elsewhere.
Integrating Security into the Development Pipeline
DevOps teams are more likely to have security tools properly integrated in their development pipeline, but many still struggle to do it well.
Don’t Forget Viruses, the Computer Kind
While the anti-virus market is passe and mature, security vendors continue to monitor for new threats and have embraced a broader category, endpoint detection and response (EDR), that combines elements of anti-malware with newer tools that provide real-time anomaly detection, forensic analysis and remediation capabilities. Unsurprisingly, EDR is poised for rapid growth.
Survey Results: Service Mesh Useful for Security, Observability and Traffic Control
Service meshes have yet to become adopted by “early majority” technology adopters, but 46% of the survey are piloting them or have plans to evaluate or implement them in the next 12 months. Stories of successes and failures in production environments may affect these plans.
Problems With Sharing Responsibility for Security
Not everyone believes security is their job, though security professionals will get fired if something goes wrong.