Sunday, May 19, 2019
  • BSides SLC 2019, bashNinja’s ‘Solving The BSidesSLC 2019 Badge’
  • RealTalk: We Recreated Joe Rogan’s Voice Using Artificial Intelligence
  • XKCD, A/B
  • Mapping Tornado Alley with R
  • Free OpenLDAP™

Security Boulevard

The Home of the Security Bloggers Network

Community Chats Webinars Library
  • Home
    • Cybersecurity News
    • Features
    • Industry Spotlight
    • News Releases
  • Security Bloggers Network
    • Latest Posts
    • Contributors
    • Syndicate Your Blog
    • Write for Security Boulevard
  • Webinars
    • Upcoming
    • On-Demand
  • Chats
  • Library

  • Analytics
  • AppSec
  • CISO
  • Cloud
  • DevOps
  • GRC
  • Identity
  • Incident Response
  • IoT / ICS
  • Threats / Breaches
  • More
    • Blockchain / Digital Currencies
    • Careers
    • Cyberlaw
    • Mobile
    • Social Engineering
  • Humor
DevOps Security Bloggers Network 

Home » Cybersecurity » DevOps » Five Easy Steps to Keep on Your Organization’s DevOps Security Checklist

Five Easy Steps to Keep on Your Organization’s DevOps Security Checklist

by Tripwire Guest Authors on March 5, 2019

The discovery of a significant container-based (runc) exploit sent shudders across the Internet. Exploitation of CVE-2019-5736 can be achieved with “minimal user interaction”; it subsequently allows attackers to gain root-level code execution on the host.

Scary, to be sure. Scarier, however, is that the minimal user interaction was made easier by failure to follow a single, simple rule: lock the door. Studies have shown an increasing number of publicly accessible, containerized environments that require no credentials. That means anyone — maybe you, maybe me — could gain control and deploy the appropriate malicious container required to gain root-level access.

We know that speed (of delivery and deployment) is critical to success in the digital economy and that it often accounts for skipping security gates on the way to market. But sacrificing security for speed can easily turn that success into disaster.

Fortunately, there are a variety of simple steps you can take to help improve security without sacrificing speed. Here are five easy steps you should seriously consider to avoid becoming the next hashtag on Twitter.

  1. Localize components

Studies agree that 80-90% of your app is comprised of third-party components. Too often these components are loaded at run-time from external sites and excluded from existing source code analysis scans. One of the ways in which the runc vulnerability could be exploited is by poisoning a container that is subsequently pulled and used in an application. The same is true for UX components loaded from third-party sources. Whenever possible, host third-party components on your own site to reduce the risk of tampering. If you think this isn’t really a risk, may I suggest reading about the compromised ESLint packages discovered in 2018?

  1. Scan components

Third-party components can — and do — contain vulnerabilities. If it’s part of your app, it should (Read more...)

*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Tripwire Guest Authors. Read the original post at: https://www.tripwire.com/state-of-security/devops/devops-security-checklist/

March 5, 2019March 5, 2019 Tripwire Guest Authors checklist, CI-CD, DEVOPS, vulnerability
  • ← Can You Stop Phishing Emails? Why What You’re Doing Now is Failing.
  • GDPR-compliant organisations reaping the benefits, study finds →
Featured Blog

Tony Howlett

8 security points of vendor lifecycle management

Ellen Neveux

If You Aren’t Scared of Ransomware, You Aren’t Paying Attention

Ellen Neveux

What are the benefits of the least privileged principle?

Subscribe to our Newsletters

Get breaking news, free eBooks and upcoming events delivered to your inbox.
  • View Security Boulevard Privacy Policy

Most Read on the Boulevard

WhatsApp Zero-Day Let NSO Spyware Pwn Phones
$100M ‘GozNym’ Bank Trojan Gang: 6 Arrested, 5 at Large
Using AI and ML to Win Against Fraud
Security Struggling to Stay Ahead of More Sophisticated Threats
Huawei Fallout: UK Defence Minister Sacked Over Leak
Financial Cyber Threats: 10 Cases of Insider Bank Attacks
Windows RDP Remote Code Execution Vulnerability (BlueKeep) – How to Detect and Patch
Emotet: The Banking Trojan — Malware of the Month, May 2019
3 Ways Cloud Adoption is Changing the Role of the CISO
Freedom Mobile Leaks Customer Database Online

Upcoming Webinars

Thu 23

Reduce the Burden Of Managing SAP With Enterprise Identity Management

May 23 @ 1:00 pm - 2:00 pm
Wed 29

Deploying Secure Modern Apps in Evolving Infrastructures

May 29 @ 1:00 pm - 2:00 pm
Jun 24

DevSecOps Challenges in a Cloud Native World

June 24 @ 1:00 pm - 2:00 pm

More Webinars

Download Free eBook

Q1 2019 Report: Email Fraud & Identity Deception Trends

Recent Security Boulevard Chats

  • Cloud, DevSecOps and Network Security, All Together?
  • Security-as-Code with Tim Jefferson, Barracuda Networks
  • ASRTM with Rohit Sethi, Security Compass
  • Deception: Art or Science, Ofer Israeli, Illusive Networks
  • Tips to Secure IoT and Connected Systems w/ DigiCert

Industry Spotlight

Are Your Vendors Compromising Your Compliance?
Cybersecurity Governance, Risk & Compliance Industry Spotlight Security Boulevard (Original) 

Are Your Vendors Compromising Your Compliance?

May 17, 2019 Tony Howlett | 1 day ago 0
Zero Trust: Fortifying the Security Landscape
Cybersecurity Data Security Industry Spotlight Network Security Security Boulevard (Original) 

Zero Trust: Fortifying the Security Landscape

May 17, 2019 Daniel Miller | 2 days ago 0
Using AI and ML to Win Against Fraud
Analytics & Intelligence Cybersecurity Industry Spotlight Security Boulevard (Original) 

Using AI and ML to Win Against Fraud

May 16, 2019 Tim Bedard | 3 days ago 0

Top Stories

$100M ‘GozNym’ Bank Trojan Gang: 6 Arrested, 5 at Large
Cyberlaw Cybersecurity Featured Malware News Security Boulevard (Original) Social Engineering Spotlight Threats & Breaches 

$100M ‘GozNym’ Bank Trojan Gang: 6 Arrested, 5 at Large

May 17, 2019 Richi Jennings | 1 day ago 0
Akamai Extends Security Services to the Enterprise
Cloud Security Cybersecurity Featured News Security Boulevard (Original) Spotlight 

Akamai Extends Security Services to the Enterprise

May 16, 2019 Michael Vizard | 2 days ago 0
WhatsApp Zero-Day Let NSO Spyware Pwn Phones
Application Security Cybersecurity Featured Malware Mobile Security News Security Boulevard (Original) Spotlight Threat Intelligence Threats & Breaches Vulnerabilities 

WhatsApp Zero-Day Let NSO Spyware Pwn Phones

May 14, 2019 Richi Jennings | 4 days ago 0

Security Humor

via  the comic delivery system monikered  Randall Munroe  at  XKCD !

XKCD, A/B

Join the Community

  • Add your blog to Security Bloggers Network
  • Write for Security Boulevard
  • Bloggers Meetup and Awards
  • Ask a Question
  • Email: info@securityboulevard.com

Useful Links

  • About
  • Media Kit
  • Sponsors Info
  • Copyright
  • TOS
  • Privacy Policy

Other Mediaops Sites

  • Container Journal
  • DevOps.com
  • DevOps Connect
  • DevOps Institute
Copyright © 2019 MediaOps Inc. All rights reserved.

Our website uses cookies. By continuing to browse the website you are agreeing to our use of cookies. For more information on how we use cookies and how you can disable them, please read our Privacy Policy.