What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2020-10-29 13:04:48 | A Software Security Checklist Based on the Most Effective AppSec Programs (lien direct) |  Veracode???s Chris Wysopal and Chris Eng joined Enterprise Strategy Group (ESG) Senior Analyst Dave Gruber and award-winning security writer and host of the Smashing Security podcast, Graham Cluley, at Black Hat USA to unveil the findings from a new ESG research report, Modern Application Development Security. The research is based on a survey of nearly 400 developers and security professionals, which explored the dynamic between the roles, their trigger points, the extent to which security teams understand modern development, and the buying intentions of application security (AppSec) teams.
As the presenters went through the data, it led to a larger discussion about AppSec best practices and what steps organizations can take to mature their programs. Here are the best practices laid out during the presentation as an easy-to-follow checklist as well as supporting data from the ESG report.
Application security controls are highly integrated into the CI/CD toolchain.
In the ESG survey, 43 percent of organizations agreed that DevOps integration is most important to improving AppSec programs, but only 56 percent of respondents answered that they use a highly integrated set of security controls throughout their DevOps process. Integrating security measures into the CI/CD toolchain not only makes it easier for developers to run AppSec tests, but it also helps organizations discover security issues sooner, which speeds up time to deployment.
Application security best practices are formally documented.
In order to have a successful AppSec program, everyone needs to be on the same page regarding best practices. The CISO should help facilitate the formal documentation of AppSec best practices. Developers and security professionals can reference the list and use it to guide their decisions.
Application security training is included as part of the ongoing development security training program.
Developers have been increasingly tasked with implementing security measures, including writing secure code and remediating vulnerabilities. Most developers don???t receive secure code training courses in college, so it is up to organizations to offer security training. But according to the survey, more than 20 percent of organizations only provide training when developers join the team.
Developers should have multiple, at-leisure training opportunities throughout the year, like virtual or hands-on programs ??? such as Veracode Security Labs. Chris Wysopal pointed out the importance of human touchpoints as part of ongoing developer training. If someone is checking in on developers to make sure they???re completing their training, they???ll likely take it more seriously. Consider a security champions program. The security champions are developers who have an interest in learning about security. If you have at least one security champion on every scrum team, that person can help ensure that their peers are up to speed on the latest security training and best practices.
Ongoing developer security training includes formal training programs, and a high percentage of developers participate.
At-leisure security training is a great way for developers to learn on their own time. But it is also important to implement formal security training with a set completion date and a skills assessment. Without formal security training, developers may not develop the skills they need to write secure code and remediate vulnerabilities. This could lead to slower and more expensive deployments because of rework or vulnerable code being pushed to production.
Accordin |
Tool Vulnerability Guideline | Uber | |
 |
2020-07-15 14:17:38 | How to create a Kubernetes ReplicaSet (lien direct) | If you're looking to maintain a stable set of Kubernetes replica pods running at any given time, the tool you need is ReplicaSets. Find out how to use this handy feature. | Tool | Uber | |
 |
2020-06-11 18:09:02 | Microsoft discovers cryptomining campaign targeting Kubeflow tool for Kubernetes clusters (lien direct) | Microsoft's Azure Security Center (ASC) is warning of a hacking campaign that targets Kubeflow, a machine learning toolkit for Kubernetes. Hackers are targeting Kubeflow servers with administration panel exposed online, Microsoft warns. The tech giant has released a report today detailing a novel series of attacks against Kubeflow, a toolkit for deploying machine learning (ML) […] | Tool | Uber | |
|
2020-04-10 14:47:27 | How to use port forwarding with containers deployed in a Kubernetes cluster (lien direct) | Port forwarding within a Kubernetes cluster is a helpful tool for debugging. Find out how it's done. | Tool | Uber | |
 |
2019-12-11 14:00:00 | Google Cloud Platform security monitoring with USM Anywhere™ (lien direct) | According to a 2019 Cyber Security Report published by the International Information System Security Certification Consortium, 93 percent of organizations say they are concerned about cloud security and 28 percent admit to having experienced cloud security incidents during the past year. The reality is, most companies lack the specialized knowledge and skills needed to provide that customer data stored in the cloud is protected Cloud service providers (CSPs) do provide extra security layers, such as automating threat detection, with the intent of making their customers feel more confident in the security of the cloud. However, the number of cloud breaches that are being reported shows that CSPs and organizations alike continue to struggle with cloud security. Much of this is due to a lack of unified visibility not just in the cloud, but across an organization’s entire network, siloed teams and technologies, lack of threat intelligence, and partnerships with third-parties whose security controls are not up to snuff. To address these challenges, many in the industry are advocating for organizations to simplify and unify their security approach, i.e. bring as many controls as possible into a single solution in order to break down the silos between security teams and technologies and to give greater visibility across the organization. We at AT&T Cybersecurity help organizations to accomplish this with our Unified Security Management™ (USM) Anywhere platform. Of course, the effectiveness of any security solution is largely determined by the threat intelligence underpinning it. In any environment, we need to identify the common tactics, techniques, and procedures (TTPs) adversaries are using in their attacks. Below, we provide an overview of the latest threat intelligence from Alien Labs™ for Google Cloud Platform (GCP), which helps security practitioners to discover issues in their cloud workloads and detect adversaries exploiting attack vectors commonly seen in cloud environments. Google Cloud Platform integration in USM This summer, AT&T Cybersecurity launched the USM Anywhere™ integration with GCP. Through the USM Anywhere Alien App for GCP, USM can now consume all logging information managed by the Stackdriver utility in a configurable and intuitive way. Google Cloud Platform logs are provided through three major channels: Audit Logs. Record all events impacting objects within the environment. These logs are used to monitor any cloud assets, presenting a solid baseline for security detection. VPC Flow Logs. Half way between resource monitoring and cloud infrastructure security, these logs are the delights of NIDS enthusiasts. Firewall Logs. These help with auditing firewall rules events, and they are useful in detecting risky open ports and other configuration issues. In USM, these channels are processed by different plugins, which extract pieces of intelligence and map them to variables that are easy to steer into orchestration rules. The correlation engine allows for the combination of detections from different channels into a single orchestration rule, scaling GCP security to a new level. To prevent an intrusion from being recorded or triggering a notification, adversaries may try to disable audit logging once they get the necessary permissions. To protect against that, the product has out of the box correlation rules to generate an alert if any of the logging features is disabled. | Tool Threat Guideline | Uber | |
|
2019-09-26 21:03:08 | How to deploy the Kubernetes WebUI with MicroK8s (lien direct) | Looking for a web-based tool to manage Microk8s? Look no further than the Kubernetes dashboard. | Tool | Uber | |
 |
2019-06-26 20:51:02 | Kubernetes CLI tool security flaw lets attackers run code on host machine (lien direct) | Interesting bug can lead to total compromise of cloud production environments. | Tool Guideline | Uber | |
 |
2019-05-21 14:40:05 | Gigamon Launches New Tool To Shine Light On Digital Apps Within the Enterprise. (lien direct) | Gigamon Application Intelligence provides visibility into complex digital apps, helping companies with their digital transformation A failure to transform digitally, and keep pace with the likes of Airbnb and Uber, has been cited as the main reason over half of the Fortune 500 companies have disappeared since 2000. But to successfully execute a digital transformation, […] | Tool | Uber | |
 |
2018-12-27 03:00:00 | The most interesting and important hacks of 2018 (lien direct) | Each year a few hackers do something new that begs further examination. The general public and Hollywood paints most hackers as these uber-smart people who can take control of entire city's infrastructure and crack any password in seconds. The reality is that most hackers are fairly average people with average intelligence. Most don't do anything new. They just repeat the same things that have worked for years, if not decades, using someone else's tool based on someone else's hack from many years ago. | Hack Tool | Uber | |
 |
2018-10-25 17:23:01 | Algorithms Can Be a Tool For Justice-If Used the Right Way (lien direct) | Companies like Netflix, Facebook, and Uber deploy algorithms in search of greater efficiency. But when used to evaluate the powerful systems that judge us, algorithms can spur social progress in ways nothing else can. | Tool | Uber | |
|
2018-10-18 19:03:05 | An App Built for Hurricane Harvey Is Now Saving Lives in Florida (lien direct) | Crowdsource Rescue, a kind of "Uber for emergencies," has become the leading tool to coordinate volunteer rescuers, helping them check on hundreds of vulnerable individuals. | Tool Guideline | Uber |
To see everything:
Our RSS (filtrered)
