 

Searching for: secops

 

GUEST ESSAY: Leveraging DevSecOps to quell cyber risks in a teeming threat landscape

By Yuga Nugraha

In today’s digital landscape, organizations face numerous challenges when it comes to mitigating cyber risks.

Related: How AI is transforming DevOps

The constant evolution of technology, increased connectivity, and sophisticated cyber threats pose significant challenges to organizations of all sizes and industries. Here are some of the key challenges that organizations encounter in their efforts to mitigate cyber risks in the current environment.

 • Rapidly evolving threat landscape. The threat landscape is constantly evolving, with cybercriminals coming up with new techniques and exploiting vulnerabilities. Organizations must stay ahead of these threats, but it can be challenging due to the dynamic nature of the

GUEST ESSAY: An assessment of how ‘Gen-AI’ has begun to transform DevSecOps

By Priyank Kapadia

Combining DevSecOps with Generative Artificial Intelligence (Gen-AI) holds the potential to transform both software development and cybersecurity protocols.

Related: The primacy of DevSecOps

Through harnessing the power of Generative AI, enterprises can usher in a new era of DevSecOps, elevating development velocity, security, and robustness to unprecedented levels.

DevSecOps teams can test and debug code 70 percent faster with generative AI, which in turn saves businesses money and employee hours.

Generative AI can also help DevSecOps professionals to identify areas that are ripe for automation, enhance real-time monitoring and analytics, and even predict and address security problems before they happen.

Accelerating automation

DevSecOps and cybersecurity teams often encounter repetitive, time-consuming tasks that can lead to inefficiencies and errors when they handle these tasks manually. AI can play a pivotal role in automating these processes.

Tasks like code review, test case generation, systematically generating, storing, and managing configuration files, and infrastructure provisioning are prime candidates for automation. Leveraging generative AI in these areas can significantly speed up

RSAC insights: Security Compass leverages automation to weave security deeper into SecOps

By Byron V. Acohido

In a day and age when the prime directive for many organizations is to seek digital agility above all else, cool new apps get conceived, assembled and deployed at breakneck speed.

Related: DHS instigates 60-day cybersecurity sprints

Software developers are king of the hill; they are the deeply-committed disciples pursuing wide open, highly dynamic creative processes set forth in the gospels of DevOps and CI/CD.

In this heady environment, the idea of attempting to infuse a dollop of security into new software products — from inception — seems almost quaint. I recently sat down with Rohit Sethi, CEO of Security Compass, to discuss why this so-called “product security” gap inevitably must be narrowed, and why there are encouraging signs that this should be what happens, going forward, albeit incrementally.

For a full drill down on our wide-ranging conversation, please give the accompanying podcast a listen. Here are key takeaways.

History of product security

It has become all too common today for an organization to commit to what Sethi calls a “fast-and-risky” approach to building new software products. In a race to gain a competitive edge, companies do whatever it takes to deploy new software products as quickly as possible. As a nod to security, nominal static analysis and maybe a bit of penetration testing get done just prior to meeting a tight deployment deadline.

This, in fact, was the same general approach to developing and deploying new software that existed in early 2002 when Bill Gates slammed the brakes on all Windows development to focus on implementing Trustworthy Computing. Microsoft, at the time, was on the brink of getting swallowed up by potent self-spreading Windows worms like SirCam, Code Red, ILoveYou and Nimda. So Gates directed billions of dollars towards the adoption of the Security Development Lifecycle, or SDL, a systematic approach to infusing product security at the start of the Windows development process.

GUEST ESSAY: The missing puzzle piece in DevSecOps — seamless source code protection

By Rui Ribeiro

We live in a time where technology is advancing rapidly, and digital acceleration is propelling development teams to create web applications at an increasingly faster rhythm. The DevOps workflow has been accompanying the market shift and becoming more efficient every day – but despite those efforts, there was still something being overlooked: application security.

Related: ‘Fileless’ attacks on the rise

The awareness that the typical approach to DevOps was downplaying the role of security led to an evolution of this workflow, which today has come to be known as DevSecOps. This new mindset puts application security at the foundation of DevOps, rather than it being an afterthought.

In the ideal DevSecOps implementation, security controls are fully integrated into the continuous integration (CI) and continuous delivery (CD) pipelines and development teams possess the necessary skills to handle and automate several security processes.

Plain sight gaps

As companies grew into the concept of DevSecOps, they typically focused on technologies like SAST or DAST to provide an extra layer of security at the earlier development stages. These technologies help check the source code for vulnerabilities that could be exploited by attackers in a production environment. However, finding and fixing those vulnerabilities is still not enough to guarantee end-to-end protection of the source code – there is still one key missing piece.

BEST PRACTICES: How testing for known memory vulnerabilities can strengthen DevSecOps

By Byron V. Acohido

DevOps wrought Uber and Netflix. In the very near future DevOps will help make driverless vehicles commonplace.

Related: What’s driving ‘memory attacks’

Yet a funny thing has happened as DevOps – the philosophy of designing, prototyping, testing and delivering new software as fast as possible – has taken center stage. Software vulnerabilities have gone through the roof.

Over a five-year period the number of technical software vulnerabilities reported to the National Institute of Standards and Technology’s National Vulnerability Database (NVD) more than tripled – from 5,191 in 2013 to a record 16,556 in 2018.

Total vulnerabilities reported in the NVD dropped a bit in 2019, down to 12,174 total flaws. Some credit for that decline surely goes to the DevSecOps movement that has come into its own in the past two to three years.

DevSecOps proponents are pushing for security-by-design practices to get woven into the highly agile DevOps engineering culture. Still, 12,000-plus fresh software vulnerabilities is a lot, folks. And that’s not counting the latent vulnerabilities getting overlooked in this fast-paced environment – flaws sure to be discovered and exploited down the line by opportunistic threat actors.

San Jose-based application security vendor, Virsec, is seeking to tilt the balance a bit more to the side of good.

MY TAKE: Here’s why we need ‘SecOps’ to help secure ‘Cloud Native’ companies

By Byron V. Acohido

For many start-ups, DevOps has proven to be a magical formula for increasing business velocity. Speed and agility is the name of the game — especially for Software as a Service (SaaS) companies.

Related: How DevOps enabled the hacking of Uber

DevOps is a process designed to foster intensive collaboration between software developers and the IT operations team, two disciplines that traditionally have functioned as isolated silos within the technology department.

Its rise in popularity has helped drive a new trend for start-ups to go “Cloud Native,” erecting their entire infrastructure, from the ground up, leveraging cloud services like Amazon Web Services, Microsoft Azure and Google Cloud.

Security burden

Though DevOps-centric organizations can gain altitude quickly, they also tend to generate fresh security vulnerabilities at a rapid clip. Poor configuration of cloud services can translate into gaping vulnerabilities, and low-hanging fruit for hackers, the recent Tesla hack being a prime example. In that caper, a core API was left open, allowing the hackers to exploit it and begin using Tesla’s servers to mine cryptocurrency. Rising API exposures are another big security concern, by the way.

Because Amazon, Microsoft and Google provide cloud resources under a “shared responsibility” security model, a large burden rests with the user to be aware of, and mitigate, latent security weaknesses.

In fact, it’s much more accurate for organizations tapping into cloud services and utilizing DevOps to think of cloud security as a functioning under

What companies need to know about ‘SecOps’ — the path to making ‘digital transformation’ secure

By Byron V. Acohido

DevOps has been around for a while now, accelerating the creation of leading edge business applications by blending the development side with the operations side.

It should come as no surprise that security is being formally added to DevOps, resulting in an emphasis on a process being referred to as SecOps or DevSecOps.

Related: How DevOps played into the Uber hack

It’s a logical transition. With DevOps, the two teams merged together to pursue a common goal – to drive value for the organization. To do that, the teams are finding better ways to work together and break down barriers.

With the digital transformation really just beginning, in cloud computing and IoT, it makes sense to bring security into the DevOps conversation. The security team needs to be at the table, working alongside the developers and the operations teams, providing the risk management view for security.

Oil and water

I visited with Dan Cornell at Black Hat USA 2018. Cornell is the chief technology officer at the application security firm Denim Group. We discussed the general guidance Denim Group offers its clients and how its ThreadFix vulnerability management platform is helping organizations bridge the gap between DevOps – whose aim is to deliver innovative applications with great flexibility at high velocity – and the security side of the house.

Yes, it’s like blending oil and water. However, the full fruition of DevSecOps is something that is going to have to happen if digital transformation is to achieve its full potential.